Add regex-dot-wildcard-instead-of-literal.ql

Author: Marcono1234

codeql-custom-queries-java/not-working-queries/regex-misleading-character-class.ql

@@ -4,6 +4,8 @@
 
 import java
 
+// TODO: Consider using `semmle.code.java.regex.RegexTreeView` library, see existing queries
+
 // TODO: These are already declared in `regex-wrong-alphabetic-range.ql`, reduce code duplication
 abstract class RegexMethod extends Method {
     abstract int regexParamIndex();

codeql-custom-queries-java/queries/likely-bugs/regex-dot-wildcard-instead-of-literal.ql

@@ -0,0 +1,24 @@
+/**
+ * Finds a single non-escaped `.` in a Regex pattern without any qualifier.
+ * In that case the `.` is treated as 'any character' instead of being matched literally.
+ *
+ * Consider this pattern:
+ * ```
+ * \d{4}.\d{2}.\d{2}
+ * ```
+ * The intention might have been to match dates such as `2024.01.01`, but it also matches
+ * malformed dates such as `2024&01(01`.\
+ * The pattern should have escaped the `.` as `\.` instead.
+ *
+ * @kind problem
+ */
+
+import java
+// Uses alias `re` to avoid conflicting declarations
+import semmle.code.java.regex.RegexTreeView as re
+
+// Note: This does not match all Regex patterns, see
+// https://github.com/github/codeql/blob/codeql-cli/v2.15.5/java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll#L161-L162
+from re::RegExpDot dot
+where not dot.getParent() instanceof re::RegExpQuantifier
+select dot, "This `.` should probably be escaped to match it literally"

codeql-custom-queries-java/queries/likely-bugs/regex-wrong-alphabetic-range.ql

@@ -6,6 +6,10 @@
 
 import java
 
+// TODO: Consider using `semmle.code.java.regex.RegexTreeView` library, see existing queries;
+//       though this implementation here is simpler and more efficient?
+// TODO: Might overlap with standard CodeQL `java/overly-large-range` query (https://github.com/github/codeql/blob/codeql-cli/v2.15.5/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql)
+
 abstract class RegexMethod extends Method {
     abstract int regexParamIndex();
 }