Java: convert PolynomialReDoS and RegexInjection tests to .qlref
ReDoS.ql is left unmodified, since it is not a dataflow query; it is only moved into its own directory.
@@ -0,0 +1 @@
|
||||
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/guava-30.0:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-lang3-3.7
|
||||
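Review bot: The `-cp` value in the added options line lists `${testdir}/../../../../stubs/servlet-api-2.4` twice (first and third entry); javac tolerates the duplicate, but it reads as a copy-paste slip and can be dropped so the classpath is `${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/guava-30.0:${testdir}/../../../../stubs/apache-commons-lang3-3.7`. If the duplicate is deliberate (e.g. kept in sync with another options file), a short trailing comment saying so would stop the next reader from "fixing" it.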
@@ -0,0 +1,84 @@
|
||||
import java.util.regex.Pattern;
|
||||
import java.util.function.Predicate;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import com.google.common.base.Splitter;
|
||||
|
||||
class PolyRedosTest {
|
||||
void test(HttpServletRequest request) {
|
||||
String tainted = request.getParameter("inp"); // $ Source
|
||||
String reg = "0\\.\\d+E?\\d+!";
|
||||
Predicate<String> dummyPred = (s -> s.length() % 7 == 0);
|
||||
|
||||
tainted.matches(reg); // $ Alert
|
||||
tainted.split(reg); // $ Alert
|
||||
tainted.split(reg, 7); // $ Alert
|
||||
tainted.replaceAll(reg, "a"); // $ Alert
|
||||
tainted.replaceFirst(reg, "a"); // $ Alert
|
||||
Pattern.matches(reg, tainted); // $ Alert
|
||||
Pattern.compile(reg).matcher(tainted).matches(); // $ Alert
|
||||
Pattern.compile(reg).split(tainted); // $ Alert
|
||||
Pattern.compile(reg, Pattern.DOTALL).split(tainted); // $ Alert
|
||||
Pattern.compile(reg).split(tainted, 7); // $ Alert
|
||||
Pattern.compile(reg).splitAsStream(tainted); // $ Alert
|
||||
Pattern.compile(reg).asPredicate().test(tainted); // $ Alert
|
||||
Pattern.compile(reg).asMatchPredicate().negate().and(dummyPred).or(dummyPred).test(tainted); // $ Alert
|
||||
Predicate.not(dummyPred.and(dummyPred.or(Pattern.compile(reg).asPredicate()))).test(tainted); // $ Alert
|
||||
|
||||
Splitter.on(Pattern.compile(reg)).split(tainted); // $ Alert
|
||||
Splitter.on(reg).split(tainted);
|
||||
Splitter.onPattern(reg).split(tainted); // $ Alert
|
||||
Splitter.onPattern(reg).splitToList(tainted); // $ Alert
|
||||
Splitter.onPattern(reg).limit(7).omitEmptyStrings().trimResults().split(tainted); // $ Alert
|
||||
Splitter.onPattern(reg).withKeyValueSeparator(" => ").split(tainted); // $ Alert
|
||||
Splitter.on(";").withKeyValueSeparator(reg).split(tainted);
|
||||
Splitter.on(";").withKeyValueSeparator(Splitter.onPattern(reg)).split(tainted); // $ Alert
|
||||
|
||||
}
|
||||
|
||||
void test2(HttpServletRequest request) {
|
||||
String tainted = request.getParameter("inp"); // $ Source
|
||||
|
||||
Pattern p1 = Pattern.compile(".*a");
|
||||
Pattern p2 = Pattern.compile(".*b");
|
||||
|
||||
p1.matcher(tainted).matches();
|
||||
p2.matcher(tainted).find(); // $ Alert
|
||||
}
|
||||
|
||||
void test3(HttpServletRequest request) {
|
||||
String tainted = request.getParameter("inp"); // $ Source
|
||||
|
||||
Pattern p1 = Pattern.compile("ab*b*");
|
||||
Pattern p2 = Pattern.compile("cd*d*");
|
||||
|
||||
p1.matcher(tainted).matches(); // $ Alert
|
||||
p2.matcher(tainted).find();
|
||||
}
|
||||
|
||||
void test4(HttpServletRequest request) {
|
||||
String tainted = request.getParameter("inp"); // $ Source
|
||||
|
||||
tainted.matches(".*a");
|
||||
tainted.replaceAll(".*b", "c"); // $ Alert
|
||||
}
|
||||
|
||||
static Pattern p3 = Pattern.compile(".*a");
|
||||
static Pattern p4 = Pattern.compile(".*b");
|
||||
|
||||
|
||||
void test5(HttpServletRequest request) {
|
||||
String tainted = request.getParameter("inp"); // $ Source
|
||||
|
||||
p3.asMatchPredicate().test(tainted);
|
||||
p4.asPredicate().test(tainted); // $ Alert
|
||||
}
|
||||
|
||||
void test6(HttpServletRequest request) {
|
||||
Pattern p = Pattern.compile("^a*a*$");
|
||||
|
||||
p.matcher(request.getParameter("inp")).matches(); // $ Alert
|
||||
p.matcher(request.getHeader("If-None-Match")).matches();
|
||||
p.matcher(request.getRequestURI()).matches();
|
||||
p.matcher(request.getCookies()[0].getName()).matches();
|
||||
}
|
||||
}
|
||||
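Review bot: The three untagged matcher calls at the end of `test6` (`getHeader("If-None-Match")`, `getRequestURI()`, `getCookies()[0].getName()`) carry neither `$ Source` nor `$ Alert`, so nothing in the test records that their silence is intended rather than a gap; the accompanying expected file models only `getParameter` as a source. A one-line comment above them would keep a later maintainer from "repairing" the test by adding tags or widening the query, e.g. `// Deliberately not flagged: the query does not treat these request fields as sources (presumably because they are length-limited) -- confirm against PolynomialReDoSQuery before changing.` The same applies to the two untagged Splitter calls in `test`, `Splitter.on(reg)` and `Splitter.on(";").withKeyValueSeparator(reg)`, which take a plain string separator rather than a `Pattern`; `// literal separator, not a regex: no alert expected` makes the negative case explicit next to the positive `$ Alert` lines.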
@@ -0,0 +1,85 @@
|
||||
#select
|
||||
| PolyRedosTest.java:12:9:12:15 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:12:9:12:15 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:13:9:13:15 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:13:9:13:15 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:14:9:14:15 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:14:9:14:15 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:15:9:15:15 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:15:9:15:15 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:16:9:16:15 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:16:9:16:15 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:17:30:17:36 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:17:30:17:36 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:18:38:18:44 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:18:38:18:44 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:19:36:19:42 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:19:36:19:42 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:20:52:20:58 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:20:52:20:58 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:21:36:21:42 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:21:36:21:42 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:22:44:22:50 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:22:44:22:50 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:23:49:23:55 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:23:49:23:55 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:24:92:24:98 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:24:92:24:98 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:25:93:25:99 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:25:93:25:99 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:27:49:27:55 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:27:49:27:55 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:29:39:29:45 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:29:39:29:45 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:30:45:30:51 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:30:45:30:51 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:31:81:31:87 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:31:81:31:87 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:32:69:32:75 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:32:69:32:75 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:34:79:34:85 | tainted | PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:34:79:34:85 | tainted | This $@ that depends on a $@ may run slow on strings starting with '0.9' and with many repetitions of '99'. | PolyRedosTest.java:9:33:9:36 | \\d+ | regular expression | PolyRedosTest.java:8:26:8:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:45:20:45:26 | tainted | PolyRedosTest.java:39:26:39:52 | getParameter(...) : String | PolyRedosTest.java:45:20:45:26 | tainted | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | PolyRedosTest.java:42:39:42:40 | .* | regular expression | PolyRedosTest.java:39:26:39:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:54:20:54:26 | tainted | PolyRedosTest.java:49:26:49:52 | getParameter(...) : String | PolyRedosTest.java:54:20:54:26 | tainted | This $@ that depends on a $@ may run slow on strings starting with 'a' and with many repetitions of 'b'. | PolyRedosTest.java:51:42:51:43 | b* | regular expression | PolyRedosTest.java:49:26:49:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:62:9:62:15 | tainted | PolyRedosTest.java:59:26:59:52 | getParameter(...) : String | PolyRedosTest.java:62:9:62:15 | tainted | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | PolyRedosTest.java:62:29:62:30 | .* | regular expression | PolyRedosTest.java:59:26:59:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:73:31:73:37 | tainted | PolyRedosTest.java:70:26:70:52 | getParameter(...) : String | PolyRedosTest.java:73:31:73:37 | tainted | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | PolyRedosTest.java:66:42:66:43 | .* | regular expression | PolyRedosTest.java:70:26:70:52 | getParameter(...) | user-provided value |
|
||||
| PolyRedosTest.java:79:19:79:45 | getParameter(...) | PolyRedosTest.java:79:19:79:45 | getParameter(...) | PolyRedosTest.java:79:19:79:45 | getParameter(...) | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | PolyRedosTest.java:77:41:77:42 | a* | regular expression | PolyRedosTest.java:79:19:79:45 | getParameter(...) | user-provided value |
|
||||
edges
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:12:9:12:15 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:13:9:13:15 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:14:9:14:15 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:15:9:15:15 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:16:9:16:15 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:17:30:17:36 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:18:38:18:44 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:19:36:19:42 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:20:52:20:58 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:21:36:21:42 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:22:44:22:50 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:23:49:23:55 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:24:92:24:98 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:25:93:25:99 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:27:49:27:55 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:29:39:29:45 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:30:45:30:51 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:31:81:31:87 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:32:69:32:75 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | PolyRedosTest.java:34:79:34:85 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:39:26:39:52 | getParameter(...) : String | PolyRedosTest.java:45:20:45:26 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:49:26:49:52 | getParameter(...) : String | PolyRedosTest.java:54:20:54:26 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:59:26:59:52 | getParameter(...) : String | PolyRedosTest.java:62:9:62:15 | tainted | provenance | Src:MaD:1 |
|
||||
| PolyRedosTest.java:70:26:70:52 | getParameter(...) : String | PolyRedosTest.java:73:31:73:37 | tainted | provenance | Src:MaD:1 |
|
||||
models
|
||||
| 1 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
|
||||
nodes
|
||||
| PolyRedosTest.java:8:26:8:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| PolyRedosTest.java:12:9:12:15 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:13:9:13:15 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:14:9:14:15 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:15:9:15:15 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:16:9:16:15 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:17:30:17:36 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:18:38:18:44 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:19:36:19:42 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:20:52:20:58 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:21:36:21:42 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:22:44:22:50 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:23:49:23:55 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:24:92:24:98 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:25:93:25:99 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:27:49:27:55 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:29:39:29:45 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:30:45:30:51 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:31:81:31:87 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:32:69:32:75 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:34:79:34:85 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:39:26:39:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| PolyRedosTest.java:45:20:45:26 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:49:26:49:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| PolyRedosTest.java:54:20:54:26 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:59:26:59:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| PolyRedosTest.java:62:9:62:15 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:70:26:70:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| PolyRedosTest.java:73:31:73:37 | tainted | semmle.label | tainted |
|
||||
| PolyRedosTest.java:79:19:79:45 | getParameter(...) | semmle.label | getParameter(...) |
|
||||
subpaths
|
||||
@@ -0,0 +1,4 @@
|
||||
query: Security/CWE/CWE-730/PolynomialReDoS.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
@@ -0,0 +1 @@
|
||||
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/guava-30.0:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-lang3-3.7
|
||||
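Review bot: This options line repeats `${testdir}/../../../../stubs/servlet-api-2.4` as both the first and the third classpath entry; the duplicate is harmless but should be removed so the line reads `-cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/guava-30.0:${testdir}/../../../../stubs/apache-commons-lang3-3.7`. It is byte-identical to the other options file added by this commit, so if the two are meant to stay in lockstep, consider fixing both in the same change.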
@@ -1,84 +0,0 @@
|
||||
import java.util.regex.Pattern;
|
||||
import java.util.function.Predicate;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import com.google.common.base.Splitter;
|
||||
|
||||
class PolyRedosTest {
|
||||
void test(HttpServletRequest request) {
|
||||
String tainted = request.getParameter("inp");
|
||||
String reg = "0\\.\\d+E?\\d+!";
|
||||
Predicate<String> dummyPred = (s -> s.length() % 7 == 0);
|
||||
|
||||
tainted.matches(reg); // $ hasPolyRedos
|
||||
tainted.split(reg); // $ hasPolyRedos
|
||||
tainted.split(reg, 7); // $ hasPolyRedos
|
||||
tainted.replaceAll(reg, "a"); // $ hasPolyRedos
|
||||
tainted.replaceFirst(reg, "a"); // $ hasPolyRedos
|
||||
Pattern.matches(reg, tainted); // $ hasPolyRedos
|
||||
Pattern.compile(reg).matcher(tainted).matches(); // $ hasPolyRedos
|
||||
Pattern.compile(reg).split(tainted); // $ hasPolyRedos
|
||||
Pattern.compile(reg, Pattern.DOTALL).split(tainted); // $ hasPolyRedos
|
||||
Pattern.compile(reg).split(tainted, 7); // $ hasPolyRedos
|
||||
Pattern.compile(reg).splitAsStream(tainted); // $ hasPolyRedos
|
||||
Pattern.compile(reg).asPredicate().test(tainted); // $ hasPolyRedos
|
||||
Pattern.compile(reg).asMatchPredicate().negate().and(dummyPred).or(dummyPred).test(tainted); // $ hasPolyRedos
|
||||
Predicate.not(dummyPred.and(dummyPred.or(Pattern.compile(reg).asPredicate()))).test(tainted); // $ hasPolyRedos
|
||||
|
||||
Splitter.on(Pattern.compile(reg)).split(tainted); // $ hasPolyRedos
|
||||
Splitter.on(reg).split(tainted);
|
||||
Splitter.onPattern(reg).split(tainted); // $ hasPolyRedos
|
||||
Splitter.onPattern(reg).splitToList(tainted); // $ hasPolyRedos
|
||||
Splitter.onPattern(reg).limit(7).omitEmptyStrings().trimResults().split(tainted); // $ hasPolyRedos
|
||||
Splitter.onPattern(reg).withKeyValueSeparator(" => ").split(tainted); // $ hasPolyRedos
|
||||
Splitter.on(";").withKeyValueSeparator(reg).split(tainted);
|
||||
Splitter.on(";").withKeyValueSeparator(Splitter.onPattern(reg)).split(tainted); // $ hasPolyRedos
|
||||
|
||||
}
|
||||
|
||||
void test2(HttpServletRequest request) {
|
||||
String tainted = request.getParameter("inp");
|
||||
|
||||
Pattern p1 = Pattern.compile(".*a");
|
||||
Pattern p2 = Pattern.compile(".*b");
|
||||
|
||||
p1.matcher(tainted).matches();
|
||||
p2.matcher(tainted).find(); // $ hasPolyRedos
|
||||
}
|
||||
|
||||
void test3(HttpServletRequest request) {
|
||||
String tainted = request.getParameter("inp");
|
||||
|
||||
Pattern p1 = Pattern.compile("ab*b*");
|
||||
Pattern p2 = Pattern.compile("cd*d*");
|
||||
|
||||
p1.matcher(tainted).matches(); // $ hasPolyRedos
|
||||
p2.matcher(tainted).find();
|
||||
}
|
||||
|
||||
void test4(HttpServletRequest request) {
|
||||
String tainted = request.getParameter("inp");
|
||||
|
||||
tainted.matches(".*a");
|
||||
tainted.replaceAll(".*b", "c"); // $ hasPolyRedos
|
||||
}
|
||||
|
||||
static Pattern p3 = Pattern.compile(".*a");
|
||||
static Pattern p4 = Pattern.compile(".*b");
|
||||
|
||||
|
||||
void test5(HttpServletRequest request) {
|
||||
String tainted = request.getParameter("inp");
|
||||
|
||||
p3.asMatchPredicate().test(tainted);
|
||||
p4.asPredicate().test(tainted); // $ hasPolyRedos
|
||||
}
|
||||
|
||||
void test6(HttpServletRequest request) {
|
||||
Pattern p = Pattern.compile("^a*a*$");
|
||||
|
||||
p.matcher(request.getParameter("inp")).matches(); // $ hasPolyRedos
|
||||
p.matcher(request.getHeader("If-None-Match")).matches();
|
||||
p.matcher(request.getRequestURI()).matches();
|
||||
p.matcher(request.getCookies()[0].getName()).matches();
|
||||
}
|
||||
}
|
||||
@@ -1,18 +0,0 @@
|
||||
import utils.test.InlineExpectationsTest
|
||||
import semmle.code.java.security.regexp.PolynomialReDoSQuery
|
||||
|
||||
module HasPolyRedos implements TestSig {
|
||||
string getARelevantTag() { result = "hasPolyRedos" }
|
||||
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "hasPolyRedos" and
|
||||
exists(DataFlow::Node sink |
|
||||
PolynomialRedosFlow::flowTo(sink) and
|
||||
location = sink.getLocation() and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
import MakeTest<HasPolyRedos>
|
||||
@@ -0,0 +1,102 @@
|
||||
#select
|
||||
| RegexInjectionTest.java:17:26:17:47 | ... + ... | RegexInjectionTest.java:14:22:14:52 | getParameter(...) : String | RegexInjectionTest.java:17:26:17:47 | ... + ... | This regular expression is constructed from a $@. | RegexInjectionTest.java:14:22:14:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjectionTest.java:24:24:24:30 | pattern | RegexInjectionTest.java:21:22:21:52 | getParameter(...) : String | RegexInjectionTest.java:24:24:24:30 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:21:22:21:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjectionTest.java:31:24:31:30 | pattern | RegexInjectionTest.java:28:22:28:52 | getParameter(...) : String | RegexInjectionTest.java:31:24:31:30 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:28:22:28:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjectionTest.java:38:31:38:37 | pattern | RegexInjectionTest.java:35:22:35:52 | getParameter(...) : String | RegexInjectionTest.java:38:31:38:37 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:35:22:35:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjectionTest.java:45:29:45:35 | pattern | RegexInjectionTest.java:42:22:42:52 | getParameter(...) : String | RegexInjectionTest.java:45:29:45:35 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:42:22:42:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjectionTest.java:52:34:52:40 | pattern | RegexInjectionTest.java:49:22:49:52 | getParameter(...) : String | RegexInjectionTest.java:52:34:52:40 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:49:22:49:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjectionTest.java:62:28:62:34 | pattern | RegexInjectionTest.java:59:22:59:52 | getParameter(...) : String | RegexInjectionTest.java:62:28:62:34 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:59:22:59:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjectionTest.java:69:28:69:34 | pattern | RegexInjectionTest.java:66:22:66:52 | getParameter(...) : String | RegexInjectionTest.java:69:28:69:34 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:66:22:66:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjectionTest.java:76:28:76:34 | pattern | RegexInjectionTest.java:73:22:73:52 | getParameter(...) : String | RegexInjectionTest.java:76:28:76:34 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:73:22:73:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjectionTest.java:83:26:83:52 | ... + ... | RegexInjectionTest.java:80:22:80:52 | getParameter(...) : String | RegexInjectionTest.java:83:26:83:52 | ... + ... | This regular expression is constructed from a $@. | RegexInjectionTest.java:80:22:80:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjectionTest.java:94:40:94:46 | pattern | RegexInjectionTest.java:91:22:91:52 | getParameter(...) : String | RegexInjectionTest.java:94:40:94:46 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:91:22:91:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjectionTest.java:101:42:101:48 | pattern | RegexInjectionTest.java:98:22:98:52 | getParameter(...) : String | RegexInjectionTest.java:101:42:101:48 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:98:22:98:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjectionTest.java:108:44:108:50 | pattern | RegexInjectionTest.java:105:22:105:52 | getParameter(...) : String | RegexInjectionTest.java:108:44:108:50 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:105:22:105:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjectionTest.java:115:41:115:47 | pattern | RegexInjectionTest.java:112:22:112:52 | getParameter(...) : String | RegexInjectionTest.java:115:41:115:47 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:112:22:112:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjectionTest.java:122:43:122:49 | pattern | RegexInjectionTest.java:119:22:119:52 | getParameter(...) : String | RegexInjectionTest.java:122:43:122:49 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:119:22:119:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjectionTest.java:137:45:137:51 | pattern | RegexInjectionTest.java:134:22:134:52 | getParameter(...) : String | RegexInjectionTest.java:137:45:137:51 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:134:22:134:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjectionTest.java:158:31:158:37 | pattern | RegexInjectionTest.java:157:22:157:52 | getParameter(...) : String | RegexInjectionTest.java:158:31:158:37 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:157:22:157:52 | getParameter(...) | user-provided value |
|
||||
| RegexInjectionTest.java:164:41:164:47 | pattern | RegexInjectionTest.java:162:22:162:52 | getParameter(...) : String | RegexInjectionTest.java:164:41:164:47 | pattern | This regular expression is constructed from a $@. | RegexInjectionTest.java:162:22:162:52 | getParameter(...) | user-provided value |
|
||||
edges
|
||||
| RegexInjectionTest.java:14:22:14:52 | getParameter(...) : String | RegexInjectionTest.java:17:26:17:47 | ... + ... | provenance | Src:MaD:16 Sink:MaD:2 |
|
||||
| RegexInjectionTest.java:21:22:21:52 | getParameter(...) : String | RegexInjectionTest.java:24:24:24:30 | pattern | provenance | Src:MaD:16 Sink:MaD:5 |
|
||||
| RegexInjectionTest.java:28:22:28:52 | getParameter(...) : String | RegexInjectionTest.java:31:24:31:30 | pattern | provenance | Src:MaD:16 Sink:MaD:6 |
|
||||
| RegexInjectionTest.java:35:22:35:52 | getParameter(...) : String | RegexInjectionTest.java:38:31:38:37 | pattern | provenance | Src:MaD:16 Sink:MaD:4 |
|
||||
| RegexInjectionTest.java:42:22:42:52 | getParameter(...) : String | RegexInjectionTest.java:45:29:45:35 | pattern | provenance | Src:MaD:16 Sink:MaD:3 |
|
||||
| RegexInjectionTest.java:49:22:49:52 | getParameter(...) : String | RegexInjectionTest.java:52:34:52:40 | pattern | provenance | Src:MaD:16 Sink:MaD:7 |
|
||||
| RegexInjectionTest.java:59:22:59:52 | getParameter(...) : String | RegexInjectionTest.java:62:28:62:34 | pattern | provenance | Src:MaD:16 Sink:MaD:7 |
|
||||
| RegexInjectionTest.java:66:22:66:52 | getParameter(...) : String | RegexInjectionTest.java:69:28:69:34 | pattern | provenance | Src:MaD:16 Sink:MaD:8 |
|
||||
| RegexInjectionTest.java:73:22:73:52 | getParameter(...) : String | RegexInjectionTest.java:76:28:76:34 | pattern | provenance | Src:MaD:16 Sink:MaD:9 |
|
||||
| RegexInjectionTest.java:80:22:80:52 | getParameter(...) : String | RegexInjectionTest.java:83:36:83:42 | pattern : String | provenance | Src:MaD:16 |
|
||||
| RegexInjectionTest.java:83:32:83:43 | foo(...) : String | RegexInjectionTest.java:83:26:83:52 | ... + ... | provenance | Sink:MaD:2 |
|
||||
| RegexInjectionTest.java:83:36:83:42 | pattern : String | RegexInjectionTest.java:83:32:83:43 | foo(...) : String | provenance | |
|
||||
| RegexInjectionTest.java:83:36:83:42 | pattern : String | RegexInjectionTest.java:86:14:86:23 | str : String | provenance | |
|
||||
| RegexInjectionTest.java:86:14:86:23 | str : String | RegexInjectionTest.java:87:12:87:14 | str : String | provenance | |
|
||||
| RegexInjectionTest.java:91:22:91:52 | getParameter(...) : String | RegexInjectionTest.java:94:40:94:46 | pattern | provenance | Src:MaD:16 Sink:MaD:10 |
|
||||
| RegexInjectionTest.java:98:22:98:52 | getParameter(...) : String | RegexInjectionTest.java:101:42:101:48 | pattern | provenance | Src:MaD:16 Sink:MaD:11 |
|
||||
| RegexInjectionTest.java:105:22:105:52 | getParameter(...) : String | RegexInjectionTest.java:108:44:108:50 | pattern | provenance | Src:MaD:16 Sink:MaD:12 |
|
||||
| RegexInjectionTest.java:112:22:112:52 | getParameter(...) : String | RegexInjectionTest.java:115:41:115:47 | pattern | provenance | Src:MaD:16 Sink:MaD:13 |
|
||||
| RegexInjectionTest.java:119:22:119:52 | getParameter(...) : String | RegexInjectionTest.java:122:43:122:49 | pattern | provenance | Src:MaD:16 Sink:MaD:14 |
|
||||
| RegexInjectionTest.java:134:22:134:52 | getParameter(...) : String | RegexInjectionTest.java:137:45:137:51 | pattern | provenance | Src:MaD:16 Sink:MaD:15 |
|
||||
| RegexInjectionTest.java:157:22:157:52 | getParameter(...) : String | RegexInjectionTest.java:158:31:158:37 | pattern | provenance | Src:MaD:16 Sink:MaD:1 |
|
||||
| RegexInjectionTest.java:162:22:162:52 | getParameter(...) : String | RegexInjectionTest.java:164:41:164:47 | pattern | provenance | Src:MaD:16 Sink:MaD:7 |
|
||||
models
|
||||
| 1 | Sink: com.google.common.base; Splitter; false; onPattern; (String); ; Argument[0]; regex-use[]; manual |
|
||||
| 2 | Sink: java.lang; String; false; matches; (String); ; Argument[0]; regex-use[f-1]; manual |
|
||||
| 3 | Sink: java.lang; String; false; replaceAll; (String,String); ; Argument[0]; regex-use[-1]; manual |
|
||||
| 4 | Sink: java.lang; String; false; replaceFirst; (String,String); ; Argument[0]; regex-use[-1]; manual |
|
||||
| 5 | Sink: java.lang; String; false; split; (String); ; Argument[0]; regex-use[-1]; manual |
|
||||
| 6 | Sink: java.lang; String; false; split; (String,int); ; Argument[0]; regex-use[-1]; manual |
|
||||
| 7 | Sink: java.util.regex; Pattern; false; compile; (String); ; Argument[0]; regex-use[]; manual |
|
||||
| 8 | Sink: java.util.regex; Pattern; false; compile; (String,int); ; Argument[0]; regex-use[]; manual |
|
||||
| 9 | Sink: java.util.regex; Pattern; false; matches; (String,CharSequence); ; Argument[0]; regex-use[f1]; manual |
|
||||
| 10 | Sink: org.apache.commons.lang3; RegExUtils; false; removeAll; (String,String); ; Argument[1]; regex-use; manual |
|
||||
| 11 | Sink: org.apache.commons.lang3; RegExUtils; false; removeFirst; (String,String); ; Argument[1]; regex-use; manual |
|
||||
| 12 | Sink: org.apache.commons.lang3; RegExUtils; false; removePattern; (String,String); ; Argument[1]; regex-use; manual |
|
||||
| 13 | Sink: org.apache.commons.lang3; RegExUtils; false; replaceAll; (String,String,String); ; Argument[1]; regex-use; manual |
|
||||
| 14 | Sink: org.apache.commons.lang3; RegExUtils; false; replaceFirst; (String,String,String); ; Argument[1]; regex-use; manual |
|
||||
| 15 | Sink: org.apache.commons.lang3; RegExUtils; false; replacePattern; (String,String,String); ; Argument[1]; regex-use; manual |
|
||||
| 16 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
|
||||
nodes
|
||||
| RegexInjectionTest.java:14:22:14:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjectionTest.java:17:26:17:47 | ... + ... | semmle.label | ... + ... |
|
||||
| RegexInjectionTest.java:21:22:21:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjectionTest.java:24:24:24:30 | pattern | semmle.label | pattern |
|
||||
| RegexInjectionTest.java:28:22:28:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjectionTest.java:31:24:31:30 | pattern | semmle.label | pattern |
|
||||
| RegexInjectionTest.java:35:22:35:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjectionTest.java:38:31:38:37 | pattern | semmle.label | pattern |
|
||||
| RegexInjectionTest.java:42:22:42:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjectionTest.java:45:29:45:35 | pattern | semmle.label | pattern |
|
||||
| RegexInjectionTest.java:49:22:49:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjectionTest.java:52:34:52:40 | pattern | semmle.label | pattern |
|
||||
| RegexInjectionTest.java:59:22:59:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjectionTest.java:62:28:62:34 | pattern | semmle.label | pattern |
|
||||
| RegexInjectionTest.java:66:22:66:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjectionTest.java:69:28:69:34 | pattern | semmle.label | pattern |
|
||||
| RegexInjectionTest.java:73:22:73:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjectionTest.java:76:28:76:34 | pattern | semmle.label | pattern |
|
||||
| RegexInjectionTest.java:80:22:80:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjectionTest.java:83:26:83:52 | ... + ... | semmle.label | ... + ... |
|
||||
| RegexInjectionTest.java:83:32:83:43 | foo(...) : String | semmle.label | foo(...) : String |
|
||||
| RegexInjectionTest.java:83:36:83:42 | pattern : String | semmle.label | pattern : String |
|
||||
| RegexInjectionTest.java:86:14:86:23 | str : String | semmle.label | str : String |
|
||||
| RegexInjectionTest.java:87:12:87:14 | str : String | semmle.label | str : String |
|
||||
| RegexInjectionTest.java:91:22:91:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjectionTest.java:94:40:94:46 | pattern | semmle.label | pattern |
|
||||
| RegexInjectionTest.java:98:22:98:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjectionTest.java:101:42:101:48 | pattern | semmle.label | pattern |
|
||||
| RegexInjectionTest.java:105:22:105:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjectionTest.java:108:44:108:50 | pattern | semmle.label | pattern |
|
||||
| RegexInjectionTest.java:112:22:112:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjectionTest.java:115:41:115:47 | pattern | semmle.label | pattern |
|
||||
| RegexInjectionTest.java:119:22:119:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjectionTest.java:122:43:122:49 | pattern | semmle.label | pattern |
|
||||
| RegexInjectionTest.java:134:22:134:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjectionTest.java:137:45:137:51 | pattern | semmle.label | pattern |
|
||||
| RegexInjectionTest.java:157:22:157:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjectionTest.java:158:31:158:37 | pattern | semmle.label | pattern |
|
||||
| RegexInjectionTest.java:162:22:162:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| RegexInjectionTest.java:164:41:164:47 | pattern | semmle.label | pattern |
|
||||
subpaths
|
||||
| RegexInjectionTest.java:83:36:83:42 | pattern : String | RegexInjectionTest.java:86:14:86:23 | str : String | RegexInjectionTest.java:87:12:87:14 | str : String | RegexInjectionTest.java:83:32:83:43 | foo(...) : String |
|
||||
@@ -11,76 +11,76 @@ import com.google.common.base.Splitter;
|
||||
|
||||
public class RegexInjectionTest extends HttpServlet {
|
||||
public boolean string1(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String pattern = request.getParameter("pattern"); // $ Source
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return input.matches("^" + pattern + "=.*$"); // $ hasRegexInjection
|
||||
return input.matches("^" + pattern + "=.*$"); // $ Alert
|
||||
}
|
||||
|
||||
public boolean string2(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String pattern = request.getParameter("pattern"); // $ Source
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return input.split(pattern).length > 0; // $ hasRegexInjection
|
||||
return input.split(pattern).length > 0; // $ Alert
|
||||
}
|
||||
|
||||
public boolean string3(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String pattern = request.getParameter("pattern"); // $ Source
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return input.split(pattern, 0).length > 0; // $ hasRegexInjection
|
||||
return input.split(pattern, 0).length > 0; // $ Alert
|
||||
}
|
||||
|
||||
public boolean string4(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String pattern = request.getParameter("pattern"); // $ Source
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return input.replaceFirst(pattern, "").length() > 0; // $ hasRegexInjection
|
||||
return input.replaceFirst(pattern, "").length() > 0; // $ Alert
|
||||
}
|
||||
|
||||
public boolean string5(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String pattern = request.getParameter("pattern"); // $ Source
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return input.replaceAll(pattern, "").length() > 0; // $ hasRegexInjection
|
||||
return input.replaceAll(pattern, "").length() > 0; // $ Alert
|
||||
}
|
||||
|
||||
public boolean pattern1(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String pattern = request.getParameter("pattern"); // $ Source
|
||||
String input = request.getParameter("input");
|
||||
|
||||
Pattern pt = Pattern.compile(pattern); // $ hasRegexInjection
|
||||
Pattern pt = Pattern.compile(pattern); // $ Alert
|
||||
Matcher matcher = pt.matcher(input);
|
||||
|
||||
return matcher.find();
|
||||
}
|
||||
|
||||
public boolean pattern2(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String pattern = request.getParameter("pattern"); // $ Source
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return Pattern.compile(pattern).matcher(input).matches(); // $ hasRegexInjection
|
||||
return Pattern.compile(pattern).matcher(input).matches(); // $ Alert
|
||||
}
|
||||
|
||||
public boolean pattern3(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String pattern = request.getParameter("pattern"); // $ Source
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return Pattern.compile(pattern, 0).matcher(input).matches(); // $ hasRegexInjection
|
||||
return Pattern.compile(pattern, 0).matcher(input).matches(); // $ Alert
|
||||
}
|
||||
|
||||
public boolean pattern4(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String pattern = request.getParameter("pattern"); // $ Source
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return Pattern.matches(pattern, input); // $ hasRegexInjection
|
||||
return Pattern.matches(pattern, input); // $ Alert
|
||||
}
|
||||
|
||||
public boolean pattern5(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String pattern = request.getParameter("pattern"); // $ Source
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return input.matches("^" + foo(pattern) + "=.*$"); // $ hasRegexInjection
|
||||
return input.matches("^" + foo(pattern) + "=.*$"); // $ Alert
|
||||
}
|
||||
|
||||
String foo(String str) {
|
||||
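Review bot: Only `pattern` carries the new `// $ Source` tag, while `input` on the very next line of every method comes from the same `request.getParameter(...)` call that the new .expected file models as a remote source (model 16), which can read as if `input` were considered sanitized. Presumably the inline-expectations postprocessor only expects `Source` on nodes that begin a reported path, and `input` is only ever the subject string, never the regex, so the tags are correct; a one-line comment above `string1` would spare the next reader that inference: `// Only pattern is tagged $ Source: input is remote too, but it is the matched text, never the regex, so it is on no reported path.` `string1` through `pattern5` are entirely inside the hunk; `foo` continues past it.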
@@ -88,38 +88,38 @@ public class RegexInjectionTest extends HttpServlet {
|
||||
}
|
||||
|
||||
public boolean apache1(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String pattern = request.getParameter("pattern"); // $ Source
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return RegExUtils.removeAll(input, pattern).length() > 0; // $ hasRegexInjection
|
||||
return RegExUtils.removeAll(input, pattern).length() > 0; // $ Alert
|
||||
}
|
||||
|
||||
public boolean apache2(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String pattern = request.getParameter("pattern"); // $ Source
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return RegExUtils.removeFirst(input, pattern).length() > 0; // $ hasRegexInjection
|
||||
return RegExUtils.removeFirst(input, pattern).length() > 0; // $ Alert
|
||||
}
|
||||
|
||||
public boolean apache3(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String pattern = request.getParameter("pattern"); // $ Source
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return RegExUtils.removePattern(input, pattern).length() > 0; // $ hasRegexInjection
|
||||
return RegExUtils.removePattern(input, pattern).length() > 0; // $ Alert
|
||||
}
|
||||
|
||||
public boolean apache4(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String pattern = request.getParameter("pattern"); // $ Source
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return RegExUtils.replaceAll(input, pattern, "").length() > 0; // $ hasRegexInjection
|
||||
return RegExUtils.replaceAll(input, pattern, "").length() > 0; // $ Alert
|
||||
}
|
||||
|
||||
public boolean apache5(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String pattern = request.getParameter("pattern"); // $ Source
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return RegExUtils.replaceFirst(input, pattern, "").length() > 0; // $ hasRegexInjection
|
||||
return RegExUtils.replaceFirst(input, pattern, "").length() > 0; // $ Alert
|
||||
}
|
||||
|
||||
public boolean apache6(javax.servlet.http.HttpServletRequest request) {
|
||||
@@ -131,10 +131,10 @@ public class RegexInjectionTest extends HttpServlet {
|
||||
}
|
||||
|
||||
public boolean apache7(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String pattern = request.getParameter("pattern"); // $ Source
|
||||
String input = request.getParameter("input");
|
||||
|
||||
return RegExUtils.replacePattern(input, pattern, "").length() > 0; // $ hasRegexInjection
|
||||
return RegExUtils.replacePattern(input, pattern, "").length() > 0; // $ Alert
|
||||
}
|
||||
|
||||
// test `Pattern.quote` sanitizer
|
||||
@@ -154,13 +154,13 @@ public class RegexInjectionTest extends HttpServlet {
|
||||
}
|
||||
|
||||
public Splitter guava1(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
return Splitter.onPattern(pattern); // $ hasRegexInjection
|
||||
String pattern = request.getParameter("pattern"); // $ Source
|
||||
return Splitter.onPattern(pattern); // $ Alert
|
||||
}
|
||||
|
||||
public Splitter guava2(javax.servlet.http.HttpServletRequest request) {
|
||||
String pattern = request.getParameter("pattern");
|
||||
String pattern = request.getParameter("pattern"); // $ Source
|
||||
// sink is `Pattern.compile`
|
||||
return Splitter.on(Pattern.compile(pattern)); // $ hasRegexInjection
|
||||
return Splitter.on(Pattern.compile(pattern)); // $ Alert
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,4 @@
|
||||
query: Security/CWE/CWE-730/RegexInjection.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
@@ -0,0 +1 @@
|
||||
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/guava-30.0:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-lang3-3.7
|
||||
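Review bot: The classpath in the new options file lists `${testdir}/../../../../stubs/servlet-api-2.4` twice (second and fourth entries); javac tolerates a repeated classpath entry, but it is noise that was evidently carried over from the deleted file further down, where the same duplicate appears at the old `../../../` depth. Since the file is being recreated anyway, this is the moment to drop it: `// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/guava-30.0:${testdir}/../../../../stubs/apache-commons-lang3-3.7`. Worth a quick check that the four-level `../../../../` prefix matches the new directory depth, since the old file used three levels.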
@@ -1,18 +0,0 @@
|
||||
import java
|
||||
import utils.test.InlineExpectationsTest
|
||||
import semmle.code.java.security.regexp.RegexInjectionQuery
|
||||
|
||||
module RegexInjectionTest implements TestSig {
|
||||
string getARelevantTag() { result = "hasRegexInjection" }
|
||||
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "hasRegexInjection" and
|
||||
exists(RegexInjectionFlow::PathNode sink | RegexInjectionFlow::flowPath(_, sink) |
|
||||
location = sink.getNode().getLocation() and
|
||||
element = sink.getNode().toString() and
|
||||
value = ""
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
import MakeTest<RegexInjectionTest>
|
||||
@@ -1 +0,0 @@
|
||||
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/guava-30.0:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/apache-commons-lang3-3.7
|
||||