remove original sanitizer

Jami Cogswell
2022-11-03 13:25:08 -04:00
parent be548c13e1
commit 5402001362
2 changed files with 0 additions and 86 deletions


@@ -3,7 +3,6 @@
import java
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.frameworks.Regex
//private import semmle.code.java.frameworks.apache.Lang
private import semmle.code.java.regex.RegexFlowModels
/** A data flow sink for untrusted user input used to construct regular expressions. */
@@ -24,30 +23,6 @@ private class DefaultRegexInjectionSink extends RegexInjectionSink {
}
}
/** A call to a function whose name suggests that it escapes regular expression meta-characters. */
private class RegexSanitizationCall extends RegexInjectionSanitizer {
RegexSanitizationCall() {
// original
// exists(string calleeName, string sanitize, string regexp |
// calleeName = this.asExpr().(Call).getCallee().getName() and
// sanitize = "(?:escape|saniti[sz]e)" and
// regexp = "regexp?"
// |
// calleeName
// .regexpMatch("(?i)(" + sanitize + ".*" + regexp + ".*)" + "|(" + regexp + ".*" + sanitize +
// ".*)")
// )
// without regexp
exists(string calleeName, string sanitize |
calleeName = this.asExpr().(Call).getCallee().getName() and
sanitize = "(?:escape|saniti[sz]e)"
|
calleeName.regexpMatch("(?i)(.*" + sanitize + ".*)")
//calleeName.matches("handleEscapes")
)
}
}
/**
* A call to the `Pattern.quote` method, which gives metacharacters or escape sequences
* no special meaning.


@@ -72,67 +72,6 @@ public class RegexInjectionTest extends HttpServlet {
return str;
}
public boolean pattern5(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
// Safe: User input is sanitized before constructing the regex
return input.matches("^" + escapeSpecialRegexChars(pattern) + "=.*$");
}
public boolean pattern6(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
escapeSpecialRegexChars(pattern);
// BAD: the pattern is not really sanitized
return input.matches("^" + pattern + "=.*$"); // $ hasRegexInjection
}
public boolean pattern7(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
String escapedPattern = escapeSpecialRegexChars(pattern);
// Safe: User input is sanitized before constructing the regex
return input.matches("^" + escapedPattern + "=.*$");
}
public boolean pattern8(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
// Safe: User input is sanitized before constructing the regex
return input.matches("^" + sanitizeSpecialRegexChars(pattern) + "=.*$");
}
public boolean pattern9(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
// Safe: User input is sanitized before constructing the regex
return input.matches("^" + sanitiseSpecialRegexChars(pattern) + "=.*$");
}
Pattern SPECIAL_REGEX_CHARS = Pattern.compile("[{}()\\[\\]><-=!.+*?^$\\\\|]");
// test `escape...regex`
String escapeSpecialRegexChars(String str) {
return SPECIAL_REGEX_CHARS.matcher(str).replaceAll("\\\\$0");
}
// test `sanitize...regex`
String sanitizeSpecialRegexChars(String str) {
return SPECIAL_REGEX_CHARS.matcher(str).replaceAll("\\\\$0");
}
// test `sanitise...regex`
String sanitiseSpecialRegexChars(String str) {
return SPECIAL_REGEX_CHARS.matcher(str).replaceAll("\\\\$0");
}
public boolean apache1(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");