hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-24 16:25:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add test cases for PolynomialRedos dataflow logic; make fixes

Browse Source
This commit is contained in:
Joe Farebrother
2022-02-15 17:50:50 +00:00
parent 5a4316d945
commit e23162d91b
6 changed files with 125 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
java/ql/test/query-tests/security/CWE-730/Test.java → java/ql/test/query-tests/security/CWE-730/ExpRedosTest.java
View File

@@ -1,7 +1,6 @@
import java.util.regex.Pattern;
class Test {
class ExpRedosTest {
static String[] regs = {
// NOT GOOD; attack: "_" + "__".repeat(100)

35
java/ql/test/query-tests/security/CWE-730/PolyRedosTest.java Normal file
View File

@@ -0,0 +1,35 @@
import java.util.regex.Pattern;
import java.util.function.Predicate;
import javax.servlet.http.HttpServletRequest;
import com.google.common.base.Splitter;
class PolyRedosTest {
void test(HttpServletRequest request) {
String tainted = request.getParameter("inp");
String reg = "a\\.\\d+E?\\d+b";
Predicate<String> dummyPred = (s -> s.length() % 7 == 0);
tainted.matches(reg); // $ hasTaintFlow
tainted.split(reg); // $ hasTaintFlow
tainted.split(reg, 7); // $ hasTaintFlow
Pattern.matches(reg, tainted); // $ hasTaintFlow
Pattern.compile(reg).matcher(tainted).matches(); // $ hasTaintFlow
Pattern.compile(reg).split(tainted); // $ hasTaintFlow
Pattern.compile(reg, Pattern.DOTALL).split(tainted); // $ hasTaintFlow
Pattern.compile(reg).split(tainted, 7); // $ hasTaintFlow
Pattern.compile(reg).splitAsStream(tainted); // $ hasTaintFlow
Pattern.compile(reg).asPredicate().test(tainted); // $ hasTaintFlow
Pattern.compile(reg).asMatchPredicate().negate().and(dummyPred).or(dummyPred).test(tainted); // $ hasTaintFlow
Predicate.not(dummyPred.and(dummyPred.or(Pattern.compile(reg).asPredicate()))).test(tainted); // $ hasTaintFlow
Splitter.on(Pattern.compile(reg)).split(tainted); // $ hasTaintFlow
Splitter.on(reg).split(tainted);
Splitter.onPattern(reg).split(tainted); // $ hasTaintFlow
Splitter.onPattern(reg).splitToList(tainted); // $ hasTaintFlow
Splitter.onPattern(reg).limit(7).omitEmptyStrings().trimResults().split(tainted); // $ hasTaintFlow
Splitter.onPattern(reg).withKeyValueSeparator(" => ").split(tainted); // $ hasTaintFlow
Splitter.on(";").withKeyValueSeparator(reg).split(tainted);
Splitter.on(";").withKeyValueSeparator(Splitter.onPattern(reg)).split(tainted); // $ hasTaintFlow
}
}

1
java/ql/test/query-tests/security/CWE-730/options Normal file
View File

@@ -0,0 +1 @@
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/guava-30.0