hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-14 11:19:27 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
6574f1761542cd787d6b56d8eedadaa2c7a63fe6
codeql/java/ql/test/query-tests/security/CWE-730/PolyRedos/PolyRedosTest.java
copilot-swe-agent[bot] 6574f17615 Refactor regex-use sink kind to support polynomial ReDoS query 
- Extended regexSinkKindInfo to handle plain "regex-use" sink kind
- Plain "regex-use" defaults to non-full-string matching with string arg at index 0
- Updated comment in org.apache.commons.lang3.model.yml
- Added test cases for RegExUtils methods in polynomial ReDoS test

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
2026-01-07 11:41:05 +00:00

98 lines
3.8 KiB
Java
Raw Blame History

import java.util.regex.Pattern;
import java.util.function.Predicate;
import javax.servlet.http.HttpServletRequest;
import com.google.common.base.Splitter;
import org.apache.commons.lang3.RegExUtils;
class PolyRedosTest {
void test(HttpServletRequest request) {
String tainted = request.getParameter("inp"); // $ Source
String reg = "0\\.\\d+E?\\d+!";
Predicate<String> dummyPred = (s -> s.length() % 7 == 0);
tainted.matches(reg); // $ Alert
tainted.split(reg); // $ Alert
tainted.split(reg, 7); // $ Alert
tainted.replaceAll(reg, "a"); // $ Alert
tainted.replaceFirst(reg, "a"); // $ Alert
Pattern.matches(reg, tainted); // $ Alert
Pattern.compile(reg).matcher(tainted).matches(); // $ Alert
Pattern.compile(reg).split(tainted); // $ Alert
Pattern.compile(reg, Pattern.DOTALL).split(tainted); // $ Alert
Pattern.compile(reg).split(tainted, 7); // $ Alert
Pattern.compile(reg).splitAsStream(tainted); // $ Alert
Pattern.compile(reg).asPredicate().test(tainted); // $ Alert
Pattern.compile(reg).asMatchPredicate().negate().and(dummyPred).or(dummyPred).test(tainted); // $ Alert
Predicate.not(dummyPred.and(dummyPred.or(Pattern.compile(reg).asPredicate()))).test(tainted); // $ Alert
Splitter.on(Pattern.compile(reg)).split(tainted); // $ Alert
Splitter.on(reg).split(tainted);
Splitter.onPattern(reg).split(tainted); // $ Alert
Splitter.onPattern(reg).splitToList(tainted); // $ Alert
Splitter.onPattern(reg).limit(7).omitEmptyStrings().trimResults().split(tainted); // $ Alert
Splitter.onPattern(reg).withKeyValueSeparator(" => ").split(tainted); // $ Alert
Splitter.on(";").withKeyValueSeparator(reg).split(tainted);
Splitter.on(";").withKeyValueSeparator(Splitter.onPattern(reg)).split(tainted); // $ Alert
}
void test2(HttpServletRequest request) {
String tainted = request.getParameter("inp"); // $ Source
Pattern p1 = Pattern.compile(".*a");
Pattern p2 = Pattern.compile(".*b");
p1.matcher(tainted).matches();
p2.matcher(tainted).find(); // $ Alert
}
void test3(HttpServletRequest request) {
String tainted = request.getParameter("inp"); // $ Source
Pattern p1 = Pattern.compile("ab*b*");
Pattern p2 = Pattern.compile("cd*d*");
p1.matcher(tainted).matches(); // $ Alert
p2.matcher(tainted).find();
}
void test4(HttpServletRequest request) {
String tainted = request.getParameter("inp"); // $ Source
tainted.matches(".*a");
tainted.replaceAll(".*b", "c"); // $ Alert
}
static Pattern p3 = Pattern.compile(".*a");
static Pattern p4 = Pattern.compile(".*b");
void test5(HttpServletRequest request) {
String tainted = request.getParameter("inp"); // $ Source
p3.asMatchPredicate().test(tainted);
p4.asPredicate().test(tainted); // $ Alert
}
void test6(HttpServletRequest request) {
Pattern p = Pattern.compile("^a*a*$");
p.matcher(request.getParameter("inp")).matches(); // $ Alert
p.matcher(request.getHeader("If-None-Match")).matches();
p.matcher(request.getRequestURI()).matches();
p.matcher(request.getCookies()[0].getName()).matches();
}
void test7(HttpServletRequest request) {
String tainted = request.getParameter("inp"); // $ Source
String reg = "0\\.\\d+E?\\d+!";
RegExUtils.removeAll(tainted, reg); // $ Alert
RegExUtils.removeFirst(tainted, reg); // $ Alert
RegExUtils.removePattern(tainted, reg); // $ Alert
RegExUtils.replaceAll(tainted, reg, "replacement"); // $ Alert
RegExUtils.replaceFirst(tainted, reg, "replacement"); // $ Alert
RegExUtils.replacePattern(tainted, reg, "replacement"); // $ Alert
}
}
Reference in New Issue View Git Blame Copy Permalink