Add @Pattern annotation test case and javax-validation-constraints stub

Adds a dedicated test verifying that fields annotated with @javax.validation.constraints.Pattern are recognized as sanitized by RegexpCheckBarrier, in addition to the existing String.matches() guard test.
2026-05-14 11:19:27 +02:00 · 2026-04-04 22:04:05 +08:00
parent 258a53e146
commit b49c6dcbd4
2 changed files with 9 additions and 1 deletions
--- a/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
+++ b/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
@@ -38,4 +38,12 @@ public class TrustBoundaryViolations extends HttpServlet {
            request.getSession().setAttribute("input4", input4);
        }
    }
+
+    @javax.validation.constraints.Pattern(regexp = "^[a-zA-Z0-9]+$")
+    String validatedField;
+
+    public void doPost(HttpServletRequest request, HttpServletResponse response) {
+        // GOOD: The field is constrained by a @Pattern annotation.
+        request.getSession().setAttribute("validated", validatedField);
+    }
 }
--- a/java/ql/test/query-tests/security/CWE-501/options
+++ b/java/ql/test/query-tests/security/CWE-501/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/esapi-2.0.1:${testdir}/../../../stubs/javax-servlet-2.5
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/esapi-2.0.1:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/javax-validation-constraints