Convert regex injection barrier to MaD

2025-12-16 16:53:25 +01:00 · 2025-12-09 16:41:13 +00:00
parent 44295e4c7d
commit 87f58fe51a
2 changed files with 7 additions and 11 deletions
--- a/java/ql/lib/ext/java.util.regex.model.yml
+++ b/java/ql/lib/ext/java.util.regex.model.yml
@@ -12,6 +12,11 @@ extensions:
      - ["java.util.regex", "Pattern", False, "split", "(CharSequence)", "", "Argument[this]", "regex-use[0]", "manual"]
      - ["java.util.regex", "Pattern", False, "split", "(CharSequence,int)", "", "Argument[this]", "regex-use[0]", "manual"]
      - ["java.util.regex", "Pattern", False, "splitAsStream", "(CharSequence)", "", "Argument[this]", "regex-use[0]", "manual"]
  - addsTo:
      pack: codeql/java-all
      extensible: barrierModel
    data:
      - ["java.util.regex", "Pattern", False, "quote", "(String)", "", "ReturnValue", "regex-use", "manual"]
  - addsTo:
      pack: codeql/java-all
      extensible: summaryModel
--- a/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll
@@ -21,17 +21,8 @@ private class DefaultRegexInjectionSink extends RegexInjectionSink {
  }
 }
-/**
+private class DefaultRegexInjectionSanitizer extends RegexInjectionSanitizer {
- * A call to the `Pattern.quote` method, which gives metacharacters or escape sequences
+  DefaultRegexInjectionSanitizer() { barrierNode(this, "regex-use") }
 * no special meaning.
 */
 private class PatternQuoteCall extends RegexInjectionSanitizer {
  PatternQuoteCall() {
    exists(MethodCall ma, Method m | m = ma.getMethod() |
      ma.getArgument(0) = this.asExpr() and
      m instanceof PatternQuoteMethod
    )
  }
 }
 /**