add java.util.regex models and tests

2026-04-30 11:15:13 +02:00 · 2022-01-25 10:50:39 +01:00
parent 82ad79f55f
commit c49c7903a8
5 changed files with 122 additions and 0 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -99,6 +99,7 @@ private module Frameworks {
  private import semmle.code.java.frameworks.Logging
  private import semmle.code.java.frameworks.Objects
  private import semmle.code.java.frameworks.Optional
+  private import semmle.code.java.frameworks.Regex
  private import semmle.code.java.frameworks.Stream
  private import semmle.code.java.frameworks.Strings
  private import semmle.code.java.frameworks.ratpack.Ratpack
--- a/java/ql/lib/semmle/code/java/frameworks/Regex.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Regex.qll
@@ -0,0 +1,20 @@
+/** Definitions related to `java.util.regex`. */
+
+import semmle.code.java.dataflow.ExternalFlow
+
+private class RegexModel extends SummaryModelCsv {
+  override predicate row(string s) {
+    s =
+      [
+        //`namespace; type; subtypes; name; signature; ext; input; output; kind`
+        "java.util.regex;Matcher;false;group;;;Argument[-1];ReturnValue;taint",
+        "java.util.regex;Matcher;false;replaceAll;;;Argument[-1];ReturnValue;taint",
+        "java.util.regex;Matcher;false;replaceAll;;;Argument[0];ReturnValue;taint",
+        "java.util.regex;Matcher;false;replaceFirst;;;Argument[-1];ReturnValue;taint",
+        "java.util.regex;Matcher;false;replaceFirst;;;Argument[0];ReturnValue;taint",
+        "java.util.regex;Pattern;false;matcher;;;Argument[0];ReturnValue;taint",
+        "java.util.regex;Pattern;false;quote;;;Argument[0];ReturnValue;taint",
+        "java.util.regex;Pattern;false;split;;;Argument[0];ReturnValue;taint",
+      ]
+  }
+}
--- a/java/ql/test/library-tests/regex/Test.java
+++ b/java/ql/test/library-tests/regex/Test.java
@@ -0,0 +1,99 @@
+package generatedtest;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+// Test case generated by GenerateFlowTestCase.ql
+public class Test {
+
+	Object source() { return null; }
+	void sink(Object o) { }
+
+	public void test() throws Exception {
+
+		{
+			// "java.util.regex;Matcher;false;group;;;Argument[-1];ReturnValue;taint"
+			String out = null;
+			Matcher in = (Matcher)source();
+			out = in.group((String)null);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.util.regex;Matcher;false;group;;;Argument[-1];ReturnValue;taint"
+			String out = null;
+			Matcher in = (Matcher)source();
+			out = in.group();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.util.regex;Matcher;false;group;;;Argument[-1];ReturnValue;taint"
+			String out = null;
+			Matcher in = (Matcher)source();
+			out = in.group(0);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.util.regex;Matcher;false;replaceAll;;;Argument[-1];ReturnValue;taint"
+			String out = null;
+			Matcher in = (Matcher)source();
+			out = in.replaceAll(null);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.util.regex;Matcher;false;replaceAll;;;Argument[0];ReturnValue;taint"
+			String out = null;
+			String in = (String)source();
+			Matcher instance = null;
+			out = instance.replaceAll(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.util.regex;Matcher;false;replaceFirst;;;Argument[-1];ReturnValue;taint"
+			String out = null;
+			Matcher in = (Matcher)source();
+			out = in.replaceFirst(null);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.util.regex;Matcher;false;replaceFirst;;;Argument[0];ReturnValue;taint"
+			String out = null;
+			String in = (String)source();
+			Matcher instance = null;
+			out = instance.replaceFirst(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.util.regex;Pattern;false;matcher;;;Argument[0];ReturnValue;taint"
+			Matcher out = null;
+			CharSequence in = (CharSequence)source();
+			Pattern instance = null;
+			out = instance.matcher(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.util.regex;Pattern;false;quote;;;Argument[0];ReturnValue;taint"
+			String out = null;
+			String in = (String)source();
+			out = Pattern.quote(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.util.regex;Pattern;false;split;;;Argument[0];ReturnValue;taint"
+			String[] out = null;
+			CharSequence in = (CharSequence)source();
+			Pattern instance = null;
+			out = instance.split(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.util.regex;Pattern;false;split;;;Argument[0];ReturnValue;taint"
+			String[] out = null;
+			CharSequence in = (CharSequence)source();
+			Pattern instance = null;
+			out = instance.split(in, 0);
+			sink(out); // $ hasTaintFlow
+		}
+
+	}
+
+}
--- a/java/ql/test/library-tests/regex/test.expected
+++ b/java/ql/test/library-tests/regex/test.expected
--- a/java/ql/test/library-tests/regex/test.ql
+++ b/java/ql/test/library-tests/regex/test.ql
@@ -0,0 +1,2 @@
+import java
+import TestUtilities.InlineFlowTest