Java: Treat x.matches(regexp) as a sanitizer for request forgery

2026-02-16 15:03:41 +01:00 · 2025-10-24 09:06:57 +02:00
parent c84cec9d29
commit 7a9cb64e2e
2 changed files with 43 additions and 0 deletions
--- a/java/ql/lib/semmle/code/java/security/RequestForgery.qll
+++ b/java/ql/lib/semmle/code/java/security/RequestForgery.qll
@@ -164,3 +164,24 @@ private class HostComparisonSanitizer extends RequestForgerySanitizer {
    this = DataFlow::BarrierGuard<isHostComparisonSanitizer/3>::getABarrierNode()
  }
 }
+
+/**
+ * A qualifier in a call to a `.matches()` method that is a sanitizer for URL redirects.
+ *
+ * Matches any method call where the method is named `matches`.
+ */
+private predicate isMatchesSanitizer(Guard guard, Expr e, boolean branch) {
+  guard =
+    any(MethodCall method |
+      method.getMethod().getName() = "matches" and
+      e = method.getQualifier() and
+      branch = true
+    )
+}
+
+/**
+ * A qualifier in a call to `.matches()` that is a sanitizer for URL redirects.
+ */
+private class MatchesSanitizer extends RequestForgerySanitizer {
+  MatchesSanitizer() { this = DataFlow::BarrierGuard<isMatchesSanitizer/3>::getABarrierNode() }
+}