Refactor RegexInjectionQuery

2026-04-30 11:15:13 +02:00 · 2023-03-20 17:21:38 -04:00
parent c44254e2e0
commit 7ee6c06f7f
3 changed files with 23 additions and 6 deletions
--- a/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll
@@ -5,8 +5,12 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.regexp.RegexInjection

-/** A taint-tracking configuration for untrusted user input used to construct regular expressions. */
-class RegexInjectionConfiguration extends TaintTracking::Configuration {
+/**
+ * DEPRECATED: Use `RegexInjectionFlow` instead.
+ *
+ * A taint-tracking configuration for untrusted user input used to construct regular expressions.
+ */
+deprecated class RegexInjectionConfiguration extends TaintTracking::Configuration {
  RegexInjectionConfiguration() { this = "RegexInjection" }

  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -15,3 +19,16 @@ class RegexInjectionConfiguration extends TaintTracking::Configuration {

  override predicate isSanitizer(DataFlow::Node node) { node instanceof RegexInjectionSanitizer }
 }
+
+/**
+ * A taint-tracking configuration for untrusted user input used to construct regular expressions.
+ */
+private module RegexInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof RegexInjectionSanitizer }
+}
+
+module RegexInjectionFlow = TaintTracking::Make<RegexInjectionConfig>;
--- a/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
@@ -15,9 +15,9 @@

 import java
 import semmle.code.java.security.regexp.RegexInjectionQuery
-import DataFlow::PathGraph
+import RegexInjectionFlow::PathGraph

-from DataFlow::PathNode source, DataFlow::PathNode sink, RegexInjectionConfiguration c
-where c.hasFlowPath(source, sink)
+from RegexInjectionFlow::PathNode source, RegexInjectionFlow::PathNode sink
+where RegexInjectionFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This regular expression is constructed from a $@.",
  source.getNode(), "user-provided value"
--- a/java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.ql
+++ b/java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.ql
@@ -9,7 +9,7 @@ class RegexInjectionTest extends InlineExpectationsTest {

  override predicate hasActualResult(Location location, string element, string tag, string value) {
    tag = "hasRegexInjection" and
-    exists(DataFlow::PathNode sink, RegexInjectionConfiguration c | c.hasFlowPath(_, sink) |
+    exists(RegexInjectionFlow::PathNode sink | RegexInjectionFlow::hasFlowPath(_, sink) |
      location = sink.getNode().getLocation() and
      element = sink.getNode().toString() and
      value = ""