Merge pull request #13097 from egregius313/egregius313/java/webgoat/ssrf-regex-fix

Java: Add constraint to `HostnameSanitizingPrefix` to prevent false negatives in SSRF queries
2026-05-04 05:05:12 +02:00 · 2023-05-23 10:50:43 -04:00
parent ee36d32ef0 2d69f81d85
commit 52340802bb
3 changed files with 9 additions and 4 deletions
--- a/java/ql/lib/change-notes/2023-05-17-change-hostnamesanitizingprefix-regex.md
+++ b/java/ql/lib/change-notes/2023-05-17-change-hostnamesanitizingprefix-regex.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Updated the regular expression in the `HostnameSanitizer` sanitizer in the `semmle.code.java.security.RequestForgery` library to better detect strings prefixed with a hostname.
+
--- a/java/ql/lib/semmle/code/java/security/RequestForgery.qll
+++ b/java/ql/lib/semmle/code/java/security/RequestForgery.qll
@@ -79,10 +79,7 @@ private class HostnameSanitizingPrefix extends InterestingPrefix {
    // the host or entity addressed: for example, anything containing `?` or `#`, or a slash that
    // doesn't appear to be a protocol specifier (e.g. `http://` is not sanitizing), or specifically
    // the string "/".
-    exists(
-      this.getStringValue()
-          .regexpFind(".*([?#]|[^?#:/\\\\][/\\\\]).*|[/\\\\][^/\\\\].*|^/$", 0, offset)
-    )
+    exists(this.getStringValue().regexpFind("([?#]|[^?#:/\\\\][/\\\\])|^/$", 0, offset))
  }

  override int getOffset() { result = offset }