Convert regex injection barrier to MaD

2025-12-16 16:53:25 +01:00 · 2025-12-09 16:41:13 +00:00
parent 44295e4c7d
commit 87f58fe51a
2 changed files with 7 additions and 11 deletions
--- a/java/ql/lib/ext/java.util.regex.model.yml
+++ b/java/ql/lib/ext/java.util.regex.model.yml
@@ -12,6 +12,11 @@ extensions:
      - ["java.util.regex", "Pattern", False, "split", "(CharSequence)", "", "Argument[this]", "regex-use[0]", "manual"]
      - ["java.util.regex", "Pattern", False, "split", "(CharSequence,int)", "", "Argument[this]", "regex-use[0]", "manual"]
      - ["java.util.regex", "Pattern", False, "splitAsStream", "(CharSequence)", "", "Argument[this]", "regex-use[0]", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: barrierModel
+    data:
+      - ["java.util.regex", "Pattern", False, "quote", "(String)", "", "ReturnValue", "regex-use", "manual"]
  - addsTo:
      pack: codeql/java-all
      extensible: summaryModel
--- a/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll
@@ -21,17 +21,8 @@ private class DefaultRegexInjectionSink extends RegexInjectionSink {
  }
 }

-/**
- * A call to the `Pattern.quote` method, which gives metacharacters or escape sequences
- * no special meaning.
- */
-private class PatternQuoteCall extends RegexInjectionSanitizer {
-  PatternQuoteCall() {
-    exists(MethodCall ma, Method m | m = ma.getMethod() |
-      ma.getArgument(0) = this.asExpr() and
-      m instanceof PatternQuoteMethod
-    )
-  }
+private class DefaultRegexInjectionSanitizer extends RegexInjectionSanitizer {
+  DefaultRegexInjectionSanitizer() { barrierNode(this, "regex-use") }
 }

 /**