diff --git a/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll b/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll
index 944ffca803a..a14a07e0446 100644
--- a/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll
@@ -31,11 +31,9 @@ private class ExternalRegexInjectionSanitizer extends RegexInjectionSanitizer {
 */
 private class PatternLiteralFlag extends RegexInjectionSanitizer {
 PatternLiteralFlag() {
- exists(MethodCall ma, Method m, PatternLiteralField field | m = ma.getMethod() |
- ma.getArgument(0) = this.asExpr() and
- m.getDeclaringType() instanceof TypeRegexPattern and
- m.hasName("compile") and
- ma.getArgument(1) = field.getAnAccess()
+ exists(PatternCompileCall pcc, PatternLiteralField field |
+ pcc.getArgument(0) = this.asExpr() and
+ pcc.getArgument(1) = field.getAnAccess()
 )
 }
 }
diff --git a/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll b/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll
index f8e32890250..027e4f931cb 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll
@@ -7,7 +7,7 @@ private import semmle.code.java.dataflow.FlowSources
 import experimental.semmle.code.java.security.SpringUrlRedirect
 import semmle.code.java.controlflow.Guards
 import semmle.code.java.security.UrlRedirect
-import Regex
+private import semmle.code.java.frameworks.Regex
 overlay[local?]
 private class ActivateModels extends ActiveExperimentalModels {
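Review bot: In `PatternLiteralFlag` (RegexInjection.qll), the rewritten constructor still treats the pattern as sanitized only when the flags argument is itself an access to the `LITERAL` field, via `pcc.getArgument(1) = field.getAnAccess()`. A call that combines flags, for example a bitwise OR of `Pattern.LITERAL` with another flag, would not be recognised; that fails safe (the regex-injection query over-reports rather than misses a flow), but it is worth documenting. I would add a comment above the `exists`: `// Only a bare Pattern.LITERAL flags argument is recognised; combined flag expressions are not treated as sanitizing.` The definition of `PatternCompileCall` is not part of this diff, so whether it matches exactly the same calls as the removed declaring-type and name checks cannot be confirmed from here.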
@@ -81,11 +81,11 @@ private class CompileRegexSink extends DataFlow::ExprNode {
 (
 ma.getArgument(0) = this.asExpr() and
 (
- m instanceof StringMatchMethod // input.matches(regexPattern)
+ ma instanceof StringMatchesCall // input.matches(regexPattern)
 or
- m instanceof PatternCompileMethod // p = Pattern.compile(regexPattern)
+ ma instanceof PatternCompileCall // p = Pattern.compile(regexPattern)
 or
- m instanceof PatternMatchMethod // p = Pattern.matches(regexPattern, input)
+ ma instanceof PatternMatchesCall // p = Pattern.matches(regexPattern, input)
 )
 )
 )
@@ -107,7 +107,7 @@ private module PermissiveDotRegexConfig implements DataFlow::ConfigSig {
 ma.getMethod() instanceof PatternCompileMethod and
 ma.getArgument(1) = f.getAnAccess() and
 f.hasName("DOTALL") and
- f.getDeclaringType() instanceof Pattern and
+ f.getDeclaringType() instanceof TypeRegexPattern and
 node.asExpr() = ma.getArgument(0)
 )
 }
@@ -147,11 +147,11 @@ module MatchRegexConfig implements DataFlow::ConfigSig {
 ) and
 exists(MethodCall ma | PermissiveDotRegexFlow::flowToExpr(ma.getArgument(0)) |
 // input.matches(regexPattern)
- ma.getMethod() instanceof StringMatchMethod and
+ ma instanceof StringMatchesCall and
 ma.getQualifier() = sink.asExpr()
 or
 // p = Pattern.compile(regexPattern); p.matcher(input)
- ma.getMethod() instanceof PatternCompileMethod and
+ ma instanceof PatternCompileCall and
 exists(MethodCall pma |
 pma.getMethod() instanceof PatternMatcherMethod and
 sink.asExpr() = pma.getArgument(0) and
@@ -159,7 +159,7 @@ module MatchRegexConfig implements DataFlow::ConfigSig {
 )
 or
 // p = Pattern.matches(regexPattern, input)
- ma.getMethod() instanceof PatternMatchMethod and
+ ma instanceof PatternMatchesCall and
 sink.asExpr() = ma.getArgument(1)
 )
 }
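Review bot: In the `@@ -81,11 +81,11 @@` hunk of `CompileRegexSink`, the three disjuncts now test `ma` instead of `m`, so if the enclosing `exists` (which starts outside the hunk) still declares `Method m | m = ma.getMethod()`, that variable no longer serves any purpose. Dropping it would leave a header along the lines of `exists(MethodCall ma | ma.getArgument(0) = this.asExpr() and ...`. The trailing comment `// p = Pattern.matches(regexPattern, input)` is also slightly misleading, since `Pattern.matches` returns a boolean rather than a pattern; `// Pattern.matches(regexPattern, input)` would read better.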
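Review bot: The unchanged line `ma.getMethod() instanceof PatternCompileMethod` at the top of the `@@ -107,7 +107,7 @@` hunk still names a class that was declared in the experimental `Regex.qll`, which this same commit deletes; the same applies to `pma.getMethod() instanceof PatternMatcherMethod` in the `@@ -147,11 +147,11 @@` hunk. Unless `semmle.code.java.frameworks.Regex` declares classes with those names (not visible in this diff), the query library will no longer compile, and the experimental permissive-dot check would silently stop running. For consistency with the rest of the change the first could become `ma instanceof PatternCompileCall and`; the second needs whichever class the library module provides for `Pattern.matcher`. Both predicates extend outside their hunks.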
@@ -176,28 +176,14 @@ abstract class MatchRegexSink extends DataFlow::ExprNode { }
 * A string being matched against a regular expression.
 */
 private class StringMatchRegexSink extends MatchRegexSink {
- StringMatchRegexSink() {
- exists(MethodCall ma, Method m | m = ma.getMethod() |
- (
- m instanceof StringMatchMethod and
- ma.getQualifier() = this.asExpr()
- )
- )
- }
+ StringMatchRegexSink() { any(StringMatchesCall mc).getQualifier() = this.asExpr() }
 }
 /**
 * A string being matched against a regular expression using a pattern.
 */
 private class PatternMatchRegexSink extends MatchRegexSink {
- PatternMatchRegexSink() {
- exists(MethodCall ma, Method m | m = ma.getMethod() |
- (
- m instanceof PatternMatchMethod and
- ma.getArgument(1) = this.asExpr()
- )
- )
- }
+ PatternMatchRegexSink() { any(PatternMatchesCall mc).getArgument(1) = this.asExpr() }
 }
 /**
diff --git a/java/ql/src/experimental/Security/CWE/CWE-625/Regex.qll b/java/ql/src/experimental/Security/CWE/CWE-625/Regex.qll
deleted file mode 100644
index e605f31a0b3..00000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-625/Regex.qll
+++ /dev/null
@@ -1,51 +0,0 @@
-/** Provides methods related to regular expression matching. */
-deprecated module;
-
-import java
-
-/**
- * The class `java.util.regex.Pattern`.
- */
-class Pattern extends RefType {
- Pattern() { this.hasQualifiedName("java.util.regex", "Pattern") }
-}
-
-/**
- * The method `compile` of `java.util.regex.Pattern`.
- */
-class PatternCompileMethod extends Method {
- PatternCompileMethod() {
- this.getDeclaringType().getASupertype*() instanceof Pattern and
- this.hasName("compile")
- }
-}
-
-/**
- * The method `matches` of `java.util.regex.Pattern`.
- */
-class PatternMatchMethod extends Method {
- PatternMatchMethod() {
- this.getDeclaringType().getASupertype*() instanceof Pattern and
- this.hasName("matches")
- }
-}
-
-/**
- * The method `matcher` of `java.util.regex.Pattern`.
- */
-class PatternMatcherMethod extends Method {
- PatternMatcherMethod() {
- this.getDeclaringType().getASupertype*() instanceof Pattern and
- this.hasName("matcher")
- }
-}
-
-/**
- * The method `matches` of `java.lang.String`.
- */
-class StringMatchMethod extends Method {
- StringMatchMethod() {
- this.getDeclaringType().getASupertype*() instanceof TypeString and
- this.hasName("matches")
- }
-}