filter out potential misparses from java/suspicious-regexp-range

erik-krogh · erik-krogh · commit 9ecc3a26712e · 2022-06-29T13:16:40.000+02:00
diff --git a/java/ql/src/Security/CWE/CWE-020/SuspiciousRegexpRange.ql b/java/ql/src/Security/CWE/CWE-020/SuspiciousRegexpRange.ql
@@ -13,6 +13,13 @@
 
 import semmle.code.java.security.SuspiciousRegexpRangeQuery
 
+RegExpCharacterClass potentialMisparsedCharClass() {
+  // nested char classes are currently misparsed
+  result.getAChild().(RegExpNormalChar).getValue() = "["
+}
+
 from RegExpCharacterRange range, string reason
-where problem(range, reason)
+where
+  problem(range, reason) and
+  not range.getParent() = potentialMisparsedCharClass()
 select range, "Suspicious character range that " + reason + "."
diff --git a/java/ql/test/query-tests/security/CWE-020/SuspiciousRegexpRange.java b/java/ql/test/query-tests/security/CWE-020/SuspiciousRegexpRange.java
@@ -29,5 +29,9 @@ void test() {
         Pattern overlapsWithClass1 = Pattern.compile("[0-9\\d]*"); // NOT OK
         
         Pattern overlapsWithClass2 = Pattern.compile("[\\w,.-?:*+]*"); // NOT OK
+
+        Pattern nested = Pattern.compile("[[A-Za-z_][A-Za-z0-9._-]]*"); // OK, the dash it at the end
+
+        Pattern octal = Pattern.compile("[\000-\037\040-\045]*"); // OK
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -29,5 +29,9 @@ void test() {`
`29`	`29`	`Pattern overlapsWithClass1 = Pattern.compile("[0-9\\d]*"); // NOT OK`
`30`	`30`
`31`	`31`	`Pattern overlapsWithClass2 = Pattern.compile("[\\w,.-?:+]"); // NOT OK`
	`32`	`+`
	`33`	`+ Pattern nested = Pattern.compile("[[A-Za-z_][A-Za-z0-9._-]]*"); // OK, the dash it at the end`
	`34`	`+`
	`35`	`+ Pattern octal = Pattern.compile("[\000-\037\040-\045]*"); // OK`
`32`	`36`	`}`
`33`	`37`	`}`