Java: fix replacement char check and add tests
@@ -716,14 +716,20 @@ public class Test {
|
||||
}
|
||||
{
|
||||
String source = (String) source();
|
||||
source = source.replaceAll("\\.|[/\\\\]", "");
|
||||
source = source.replaceAll("\\.|[/\\\\]", "-");
|
||||
sink(source); // Safe
|
||||
}
|
||||
{
|
||||
String source = (String) source();
|
||||
source = source.replaceAll("[.][.]|[/\\\\]", "");
|
||||
source = source.replaceAll("[.][.]|[/\\\\]", "_");
|
||||
sink(source); // Safe
|
||||
}
|
||||
{
|
||||
String source = (String) source();
|
||||
// test a not-accepted replacement character
|
||||
source = source.replaceAll("[.][.]|[/\\\\]", "/");
|
||||
sink(source); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
String source = (String) source();
|
||||
source = source.replaceAll(".|[/\\\\]", "");
|
||||
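Review bot: The rejected-replacement case at `source = source.replaceAll("[.][.]|[/\\\\]", "/");` is the only negative test in this hunk and it exercises just `/`; the backslash is the other separator the pattern strips, so a sibling block with `source = source.replaceAll("[.][.]|[/\\\\]", "\\\\");` and `sink(source); // $ hasTaintFlow` would pin that the accepted-character check rejects it too, assuming backslash is outside that set (the accepted list itself is not on this page). The comment on that case could also state why it is unsafe rather than only that it is rejected, e.g. `// test a not-accepted replacement character: a separator is reintroduced, so the path stays traversable`. The enclosing test method and the block after `source.replaceAll(".|[/\\\\]", "")` continue outside the hunk.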
@@ -761,6 +767,24 @@ public class Test {
|
||||
source = source.replaceAll("\\.", "").replaceAll("/", "");
|
||||
sink(source); // Safe
|
||||
}
|
||||
{
|
||||
String source = (String) source();
|
||||
// test a not-accepted replacement character in each call
|
||||
source = source.replaceAll("\\.", "/").replaceAll("/", ".");
|
||||
sink(source); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
String source = (String) source();
|
||||
// test a not-accepted replacement character in first call
|
||||
source = source.replaceAll("\\.", "/").replaceAll("/", "-");
|
||||
sink(source); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
String source = (String) source();
|
||||
// test a not-accepted replacement character in second call
|
||||
source = source.replaceAll("\\.", "_").replaceAll("/", ".");
|
||||
sink(source); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
String source = (String) source();
|
||||
source = source.replaceAll("\\.", "").replaceAll("/", "").replaceAll("\\\\", "");
|
||||
|
||||
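Review bot: The three chained cases (`replaceAll("\\.", "/").replaceAll("/", ".")`, `replaceAll("\\.", "/").replaceAll("/", "-")` and `replaceAll("\\.", "_").replaceAll("/", ".")`) cover a rejected character in both calls, the first call and the second call, but none where the character reintroduced by the first call is exactly what the second call removes again, e.g. `source = source.replaceAll("\\.", "/").replaceAll("/", "");`. That chain leaves no dots or separators in the result, so it is the case most likely to diverge between a per-call check and a whole-chain check; since the `"/"`-then-`"-"` case is already expected to be `$ hasTaintFlow`, the same conservative result is presumably intended here, and a test would pin it either way. Naming the rejected character in each comment, e.g. `// test a not-accepted replacement character ('/') in first call`, would make the expectations easier to read against the accepted set. The enclosing test method starts before this hunk.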