filter out potential misparses from java/suspicious-regexp-range

2026-04-30 11:15:13 +02:00 · 2022-06-29 13:16:40 +02:00
parent 2e295e4a04
commit 9ecc3a2671
2 changed files with 12 additions and 1 deletions
--- a/java/ql/src/Security/CWE/CWE-020/SuspiciousRegexpRange.ql
+++ b/java/ql/src/Security/CWE/CWE-020/SuspiciousRegexpRange.ql
@@ -13,6 +13,13 @@

 import semmle.code.java.security.SuspiciousRegexpRangeQuery

+RegExpCharacterClass potentialMisparsedCharClass() {
+  // nested char classes are currently misparsed
+  result.getAChild().(RegExpNormalChar).getValue() = "["
+}
+
 from RegExpCharacterRange range, string reason
-where problem(range, reason)
+where
+  problem(range, reason) and
+  not range.getParent() = potentialMisparsedCharClass()
 select range, "Suspicious character range that " + reason + "."
--- a/java/ql/test/query-tests/security/CWE-020/SuspiciousRegexpRange.java
+++ b/java/ql/test/query-tests/security/CWE-020/SuspiciousRegexpRange.java
@@ -29,5 +29,9 @@ class SuspiciousRegexpRange {
        Pattern overlapsWithClass1 = Pattern.compile("[0-9\\d]*"); // NOT OK
        
        Pattern overlapsWithClass2 = Pattern.compile("[\\w,.-?:*+]*"); // NOT OK
+
+        Pattern nested = Pattern.compile("[[A-Za-z_][A-Za-z0-9._-]]*"); // OK, the dash it at the end
+
+        Pattern octal = Pattern.compile("[\000-\037\040-\045]*"); // OK
    }
 }