Java: fix 'regex-use' comments

Jami Cogswell
2024-07-25 10:39:03 -04:00
parent 9d75782c44
commit eea3e82cca
2 changed files with 7 additions and 3 deletions

@@ -20,8 +20,10 @@ private class ExploitableStringLiteral extends StringLiteral {
* if no such argument exists.
*
* Note that `regex-use` is deliberately not a possible value for `kind` here,
* as it is used for regular expression injection sinks that should not be used
* as polynomial ReDoS sinks.
* as it is used for regular expression injection sinks that need to be selected
* separately from existing `regex-use[0]` sinks.
* TODO: refactor the `regex-use%` sink kind so that the polynomial ReDoS query
* can also use the `regex-use` sinks.
*/
private predicate regexSinkKindInfo(string kind, boolean full, int strArg) {
sinkModel(_, _, _, _, _, _, _, kind, _, _) and
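
Review bot: In the rewritten doc comment above `regexSinkKindInfo`, the TODO has no owner or issue reference, and the new wording no longer says what the exclusion means for the polynomial ReDoS query. The removed text said these sinks "should not be used as polynomial ReDoS sinks"; the replacement says only that they "need to be selected separately from existing `regex-use[0]` sinks", while the TODO implies the polynomial ReDoS query should eventually use them. Suggest stating outright that the query currently does not use bare `regex-use` sinks and that this is a temporary limitation rather than intended behaviour, and attaching a tracking issue to the TODO. The comment also mixes `regex-use[0]` and `regex-use%` for what reads as the same family of kinds; pick one notation or explain the `%` wildcard.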