Merge pull request #7733 from pwntester/java_util_regex_qll

Java: Add models for java.util.regex.Pattern and Matcher
2026-04-29 18:55:14 +02:00 · 2022-01-26 12:04:56 +00:00
parent 477f83cf9e ba90fecc98
commit df87297c59
5 changed files with 127 additions and 0 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -99,6 +99,7 @@ private module Frameworks {
  private import semmle.code.java.frameworks.Logging
  private import semmle.code.java.frameworks.Objects
  private import semmle.code.java.frameworks.Optional
+  private import semmle.code.java.frameworks.Regex
  private import semmle.code.java.frameworks.Stream
  private import semmle.code.java.frameworks.Strings
  private import semmle.code.java.frameworks.ratpack.Ratpack
--- a/java/ql/lib/semmle/code/java/frameworks/Regex.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Regex.qll
@@ -0,0 +1,20 @@
+/** Definitions related to `java.util.regex`. */
+
+import semmle.code.java.dataflow.ExternalFlow
+
+private class RegexModel extends SummaryModelCsv {
+  override predicate row(string s) {
+    s =
+      [
+        //`namespace; type; subtypes; name; signature; ext; input; output; kind`
+        "java.util.regex;Matcher;false;group;;;Argument[-1];ReturnValue;taint",
+        "java.util.regex;Matcher;false;replaceAll;;;Argument[-1];ReturnValue;taint",
+        "java.util.regex;Matcher;false;replaceAll;;;Argument[0];ReturnValue;taint",
+        "java.util.regex;Matcher;false;replaceFirst;;;Argument[-1];ReturnValue;taint",
+        "java.util.regex;Matcher;false;replaceFirst;;;Argument[0];ReturnValue;taint",
+        "java.util.regex;Pattern;false;matcher;;;Argument[0];ReturnValue;taint",
+        "java.util.regex;Pattern;false;quote;;;Argument[0];ReturnValue;taint",
+        "java.util.regex;Pattern;false;split;;;Argument[0];ReturnValue;taint",
+      ]
+  }
+}
--- a/java/ql/test/library-tests/regex/Test.java
+++ b/java/ql/test/library-tests/regex/Test.java
@@ -0,0 +1,104 @@
+package generatedtest;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+// Test case generated by GenerateFlowTestCase.ql
+public class Test {
+
+  private final String str_pattern = "\\$\\{(.*)\\}";
+  private final Pattern pattern = Pattern.compile(str_pattern);
+
+  Object source() { return null; }
+  void sink(Object o) { }
+
+  public void test() throws Exception {
+
+    {
+      // "java.util.regex;Matcher;false;group;;;Argument[-1];ReturnValue;taint"
+      String out = null;
+      String in = (String) source();
+      Matcher m = pattern.matcher(in);
+      out = m.group("foo");
+      sink(out); // $ hasTaintFlow
+    }
+    {
+      // "java.util.regex;Matcher;false;group;;;Argument[-1];ReturnValue;taint"
+      String out = null;
+      String in = (String) source();
+      Matcher m = pattern.matcher(in);
+      out = m.group();
+      sink(out); // $ hasTaintFlow
+    }
+    {
+      // "java.util.regex;Matcher;false;group;;;Argument[-1];ReturnValue;taint"
+      String out = null;
+      String in = (String) source();
+      Matcher m = pattern.matcher(in);
+      out = m.group(0);
+      sink(out); // $ hasTaintFlow
+    }
+    {
+      // "java.util.regex;Matcher;false;replaceAll;;;Argument[-1];ReturnValue;taint"
+      String out = null;
+      String in = (String) source();
+      Matcher m = pattern.matcher(in);
+      out = m.replaceAll("foo");
+      sink(out); // $ hasTaintFlow
+    }
+    {
+      // "java.util.regex;Matcher;false;replaceAll;;;Argument[0];ReturnValue;taint"
+      String out = null;
+      String in = (String) source();
+      Matcher m = pattern.matcher("foo");
+      out = m.replaceAll(in);
+      sink(out); // $ hasTaintFlow
+    }
+    {
+      // "java.util.regex;Matcher;false;replaceFirst;;;Argument[-1];ReturnValue;taint"
+      String out = null;
+      String in = (String) source();
+      Matcher m = pattern.matcher(in);
+      out = m.replaceFirst("foo");
+      sink(out); // $ hasTaintFlow
+    }
+    {
+      // "java.util.regex;Matcher;false;replaceFirst;;;Argument[0];ReturnValue;taint"
+      String out = null;
+      String in = (String) source();
+      Matcher m = pattern.matcher("foo");
+      out = m.replaceFirst(in);
+      sink(out); // $ hasTaintFlow
+    }
+    {
+      // "java.util.regex;Pattern;false;matcher;;;Argument[0];ReturnValue;taint"
+      Matcher out = null;
+      CharSequence in = (CharSequence)source();
+      out = pattern.matcher(in);
+      sink(out); // $ hasTaintFlow
+    }
+    {
+      // "java.util.regex;Pattern;false;quote;;;Argument[0];ReturnValue;taint"
+      String out = null;
+      String in = (String)source();
+      out = Pattern.quote(in);
+      sink(out); // $ hasTaintFlow
+    }
+    {
+      // "java.util.regex;Pattern;false;split;;;Argument[0];ReturnValue;taint"
+      String[] out = null;
+      CharSequence in = (CharSequence)source();
+      out = pattern.split(in);
+      sink(out); // $ hasTaintFlow
+    }
+    {
+      // "java.util.regex;Pattern;false;split;;;Argument[0];ReturnValue;taint"
+      String[] out = null;
+      CharSequence in = (CharSequence)source();
+      out = pattern.split(in, 0);
+      sink(out); // $ hasTaintFlow
+    }
+
+  }
+
+}
--- a/java/ql/test/library-tests/regex/test.expected
+++ b/java/ql/test/library-tests/regex/test.expected
--- a/java/ql/test/library-tests/regex/test.ql
+++ b/java/ql/test/library-tests/regex/test.ql
@@ -0,0 +1,2 @@
+import java
+import TestUtilities.InlineFlowTest