hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-23 12:16:33 +01:00
Code Issues Packages Projects Releases Wiki Activity

Refactor PermissiveDotRegexQuery

Browse Source
This commit is contained in:
Ed Minnix
2023-04-12 13:12:28 -04:00
parent 157b7ceaff
commit 597949dbfe
1 changed files with 12 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll
View File

@@ -93,14 +93,12 @@ private class CompileRegexSink extends DataFlow::ExprNode {
/**
* A data flow configuration for regular expressions that include permissive dots.
*/
private class PermissiveDotRegexConfig extends DataFlow2::Configuration {
PermissiveDotRegexConfig() { this = "PermissiveDotRegex::PermissiveDotRegexConfig" }
private module PermissiveDotRegexConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow2::Node src) { src.asExpr() instanceof PermissiveDotStr }
override predicate isSource(DataFlow2::Node src) { src.asExpr() instanceof PermissiveDotStr }
predicate isSink(DataFlow2::Node sink) { sink instanceof CompileRegexSink }
override predicate isSink(DataFlow2::Node sink) { sink instanceof CompileRegexSink }
override predicate isBarrier(DataFlow2::Node node) {
predicate isBarrier(DataFlow2::Node node) {
exists(
MethodAccess ma, Field f // Pattern.compile(PATTERN, Pattern.DOTALL)
|
@@ -113,19 +111,19 @@ private class PermissiveDotRegexConfig extends DataFlow2::Configuration {
}
}
private module PermissiveDotRegexFlow = DataFlow::Global<PermissiveDotRegexConfig>;
/**
* A taint-tracking configuration for untrusted user input used to match regular expressions
* that include permissive dots.
*/
class MatchRegexConfiguration extends TaintTracking::Configuration {
MatchRegexConfiguration() { this = "PermissiveDotRegex::MatchRegexConfiguration" }
override predicate isSource(DataFlow::Node source) {
module MatchRegexConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
sourceNode(source, "uri-path") or // Servlet uri source
source instanceof SpringUriInputParameterSource // Spring uri source
}
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
sink instanceof MatchRegexSink and
exists(
Guard guard, Expr se, Expr ce // used in a condition to control url redirect, which is a typical security enforcement
@@ -145,7 +143,7 @@ class MatchRegexConfiguration extends TaintTracking::Configuration {
) and
guard.controls(se.getBasicBlock(), true)
) and
exists(MethodAccess ma | any(PermissiveDotRegexConfig conf2).hasFlowToExpr(ma.getArgument(0)) |
exists(MethodAccess ma | PermissiveDotRegexFlow::flowToExpr(ma.getArgument(0)) |
// input.matches(regexPattern)
ma.getMethod() instanceof StringMatchMethod and
ma.getQualifier() = sink.asExpr()
@@ -165,6 +163,8 @@ class MatchRegexConfiguration extends TaintTracking::Configuration {
}
}
module MatchRegexFlow = TaintTracking::Global<MatchRegexConfig>;
/**
* A data flow sink representing a string being matched against a regular expression.
*/