add java.util.regex models and tests

pwntester · pwntester · commit c49c7903a89a · 2022-01-25T10:50:39.000+01:00
diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -99,6 +99,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.Logging
   private import semmle.code.java.frameworks.Objects
   private import semmle.code.java.frameworks.Optional
+  private import semmle.code.java.frameworks.Regex
   private import semmle.code.java.frameworks.Stream
   private import semmle.code.java.frameworks.Strings
   private import semmle.code.java.frameworks.ratpack.Ratpack
diff --git a/java/ql/lib/semmle/code/java/frameworks/Regex.qll b/java/ql/lib/semmle/code/java/frameworks/Regex.qll
@@ -0,0 +1,20 @@
+/** Definitions related to `java.util.regex`. */
+
+import semmle.code.java.dataflow.ExternalFlow
+
+private class RegexModel extends SummaryModelCsv {
+  override predicate row(string s) {
+    s =
+      [
+        //`namespace; type; subtypes; name; signature; ext; input; output; kind`
+        "java.util.regex;Matcher;false;group;;;Argument[-1];ReturnValue;taint",
+        "java.util.regex;Matcher;false;replaceAll;;;Argument[-1];ReturnValue;taint",
+        "java.util.regex;Matcher;false;replaceAll;;;Argument[0];ReturnValue;taint",
+        "java.util.regex;Matcher;false;replaceFirst;;;Argument[-1];ReturnValue;taint",
+        "java.util.regex;Matcher;false;replaceFirst;;;Argument[0];ReturnValue;taint",
+        "java.util.regex;Pattern;false;matcher;;;Argument[0];ReturnValue;taint",
+        "java.util.regex;Pattern;false;quote;;;Argument[0];ReturnValue;taint",
+        "java.util.regex;Pattern;false;split;;;Argument[0];ReturnValue;taint",
+      ]
+  }
+}
diff --git a/java/ql/test/library-tests/regex/Test.java b/java/ql/test/library-tests/regex/Test.java
@@ -0,0 +1,99 @@
+package generatedtest;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+// Test case generated by GenerateFlowTestCase.ql
+public class Test {
+
+	Object source() { return null; }
+	void sink(Object o) { }
+
+	public void test() throws Exception {
+
+		{
+			// "java.util.regex;Matcher;false;group;;;Argument[-1];ReturnValue;taint"
+			String out = null;
+			Matcher in = (Matcher)source();
+			out = in.group((String)null);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.util.regex;Matcher;false;group;;;Argument[-1];ReturnValue;taint"
+			String out = null;
+			Matcher in = (Matcher)source();
+			out = in.group();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.util.regex;Matcher;false;group;;;Argument[-1];ReturnValue;taint"
+			String out = null;
+			Matcher in = (Matcher)source();
+			out = in.group(0);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.util.regex;Matcher;false;replaceAll;;;Argument[-1];ReturnValue;taint"
+			String out = null;
+			Matcher in = (Matcher)source();
+			out = in.replaceAll(null);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.util.regex;Matcher;false;replaceAll;;;Argument[0];ReturnValue;taint"
+			String out = null;
+			String in = (String)source();
+			Matcher instance = null;
+			out = instance.replaceAll(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.util.regex;Matcher;false;replaceFirst;;;Argument[-1];ReturnValue;taint"
+			String out = null;
+			Matcher in = (Matcher)source();
+			out = in.replaceFirst(null);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.util.regex;Matcher;false;replaceFirst;;;Argument[0];ReturnValue;taint"
+			String out = null;
+			String in = (String)source();
+			Matcher instance = null;
+			out = instance.replaceFirst(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.util.regex;Pattern;false;matcher;;;Argument[0];ReturnValue;taint"
+			Matcher out = null;
+			CharSequence in = (CharSequence)source();
+			Pattern instance = null;
+			out = instance.matcher(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.util.regex;Pattern;false;quote;;;Argument[0];ReturnValue;taint"
+			String out = null;
+			String in = (String)source();
+			out = Pattern.quote(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.util.regex;Pattern;false;split;;;Argument[0];ReturnValue;taint"
+			String[] out = null;
+			CharSequence in = (CharSequence)source();
+			Pattern instance = null;
+			out = instance.split(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.util.regex;Pattern;false;split;;;Argument[0];ReturnValue;taint"
+			String[] out = null;
+			CharSequence in = (CharSequence)source();
+			Pattern instance = null;
+			out = instance.split(in, 0);
+			sink(out); // $ hasTaintFlow
+		}
+
+	}
+
+}
diff --git a/java/ql/test/library-tests/regex/test.expected b/java/ql/test/library-tests/regex/test.expected
diff --git a/java/ql/test/library-tests/regex/test.ql b/java/ql/test/library-tests/regex/test.ql
@@ -0,0 +1,2 @@
+import java
+import TestUtilities.InlineFlowTest

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+import java`
	`2`	`+import TestUtilities.InlineFlowTest`