Refactor PermissiveDotRegexQuery

Ed Minnix
2023-04-12 13:12:28 -04:00
parent 157b7ceaff
commit 597949dbfe


@@ -93,14 +93,12 @@ private class CompileRegexSink extends DataFlow::ExprNode {
/** /**
* A data flow configuration for regular expressions that include permissive dots. * A data flow configuration for regular expressions that include permissive dots.
*/ */
private class PermissiveDotRegexConfig extends DataFlow2::Configuration { private module PermissiveDotRegexConfig implements DataFlow::ConfigSig {
PermissiveDotRegexConfig() { this = "PermissiveDotRegex::PermissiveDotRegexConfig" } predicate isSource(DataFlow2::Node src) { src.asExpr() instanceof PermissiveDotStr }
override predicate isSource(DataFlow2::Node src) { src.asExpr() instanceof PermissiveDotStr } predicate isSink(DataFlow2::Node sink) { sink instanceof CompileRegexSink }
override predicate isSink(DataFlow2::Node sink) { sink instanceof CompileRegexSink } predicate isBarrier(DataFlow2::Node node) {
override predicate isBarrier(DataFlow2::Node node) {
exists( exists(
MethodAccess ma, Field f // Pattern.compile(PATTERN, Pattern.DOTALL) MethodAccess ma, Field f // Pattern.compile(PATTERN, Pattern.DOTALL)
| |
@@ -113,19 +111,19 @@ private class PermissiveDotRegexConfig extends DataFlow2::Configuration {
} }
} }
private module PermissiveDotRegexFlow = DataFlow::Global<PermissiveDotRegexConfig>;
/** /**
* A taint-tracking configuration for untrusted user input used to match regular expressions * A taint-tracking configuration for untrusted user input used to match regular expressions
* that include permissive dots. * that include permissive dots.
*/ */
class MatchRegexConfiguration extends TaintTracking::Configuration { module MatchRegexConfig implements DataFlow::ConfigSig {
MatchRegexConfiguration() { this = "PermissiveDotRegex::MatchRegexConfiguration" } predicate isSource(DataFlow::Node source) {
override predicate isSource(DataFlow::Node source) {
sourceNode(source, "uri-path") or // Servlet uri source sourceNode(source, "uri-path") or // Servlet uri source
source instanceof SpringUriInputParameterSource // Spring uri source source instanceof SpringUriInputParameterSource // Spring uri source
} }
override predicate isSink(DataFlow::Node sink) { predicate isSink(DataFlow::Node sink) {
sink instanceof MatchRegexSink and sink instanceof MatchRegexSink and
exists( exists(
Guard guard, Expr se, Expr ce // used in a condition to control url redirect, which is a typical security enforcement Guard guard, Expr se, Expr ce // used in a condition to control url redirect, which is a typical security enforcement
@@ -145,7 +143,7 @@ class MatchRegexConfiguration extends TaintTracking::Configuration {
) and ) and
guard.controls(se.getBasicBlock(), true) guard.controls(se.getBasicBlock(), true)
) and ) and
exists(MethodAccess ma | any(PermissiveDotRegexConfig conf2).hasFlowToExpr(ma.getArgument(0)) | exists(MethodAccess ma | PermissiveDotRegexFlow::flowToExpr(ma.getArgument(0)) |
// input.matches(regexPattern) // input.matches(regexPattern)
ma.getMethod() instanceof StringMatchMethod and ma.getMethod() instanceof StringMatchMethod and
ma.getQualifier() = sink.asExpr() ma.getQualifier() = sink.asExpr()
@@ -165,6 +163,8 @@ class MatchRegexConfiguration extends TaintTracking::Configuration {
} }
} }
module MatchRegexFlow = TaintTracking::Global<MatchRegexConfig>;
/** /**
* A data flow sink representing a string being matched against a regular expression. * A data flow sink representing a string being matched against a regular expression.
*/ */