comments

2026-04-29 18:55:14 +02:00 · 2021-04-21 13:12:53 +03:00
parent 13655b5d80
commit 452ec8c43f
1 changed files with 10 additions and 0 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
@@ -17,6 +17,9 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import DataFlow::PathGraph

+/**
+ * A data flow sink for untrusted user input used to construct regular expressions.
+ */
 class RegexSink extends DataFlow::ExprNode {
  RegexSink() {
    exists(MethodAccess ma, Method m | m = ma.getMethod() |
@@ -61,6 +64,10 @@ class RegexSink extends DataFlow::ExprNode {

 abstract class Sanitizer extends DataFlow::ExprNode { }

+/**
+ * A call to a function whose name suggests that it escapes regular
+ * expression meta-characters.
+ */
 class RegExpSanitizationCall extends Sanitizer {
  RegExpSanitizationCall() {
    exists(string calleeName, string sanitize, string regexp |
@@ -75,6 +82,9 @@ class RegExpSanitizationCall extends Sanitizer {
  }
 }

+/**
+ * A taint-tracking configuration for untrusted user input used to construct regular expressions.
+ */
 class RegexInjectionConfiguration extends TaintTracking::Configuration {
  RegexInjectionConfiguration() { this = "RegexInjectionConfiguration" }