Merge pull request github#7733 from pwntester/java_util_regex_qll

smowton · web-flow · commit df87297c59d8 · 2022-01-26T12:04:56.000Z
Java: Add models for java.util.regex.Pattern and Matcher
diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -99,6 +99,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.Logging
   private import semmle.code.java.frameworks.Objects
   private import semmle.code.java.frameworks.Optional
+  private import semmle.code.java.frameworks.Regex
   private import semmle.code.java.frameworks.Stream
   private import semmle.code.java.frameworks.Strings
   private import semmle.code.java.frameworks.ratpack.Ratpack
diff --git a/java/ql/lib/semmle/code/java/frameworks/Regex.qll b/java/ql/lib/semmle/code/java/frameworks/Regex.qll
@@ -0,0 +1,20 @@
+/** Definitions related to `java.util.regex`. */
+
+import semmle.code.java.dataflow.ExternalFlow
+
+private class RegexModel extends SummaryModelCsv {
+  override predicate row(string s) {
+    s =
+      [
+        //`namespace; type; subtypes; name; signature; ext; input; output; kind`
+        "java.util.regex;Matcher;false;group;;;Argument[-1];ReturnValue;taint",
+        "java.util.regex;Matcher;false;replaceAll;;;Argument[-1];ReturnValue;taint",
+        "java.util.regex;Matcher;false;replaceAll;;;Argument[0];ReturnValue;taint",
+        "java.util.regex;Matcher;false;replaceFirst;;;Argument[-1];ReturnValue;taint",
+        "java.util.regex;Matcher;false;replaceFirst;;;Argument[0];ReturnValue;taint",
+        "java.util.regex;Pattern;false;matcher;;;Argument[0];ReturnValue;taint",
+        "java.util.regex;Pattern;false;quote;;;Argument[0];ReturnValue;taint",
+        "java.util.regex;Pattern;false;split;;;Argument[0];ReturnValue;taint",
+      ]
+  }
+}
diff --git a/java/ql/test/library-tests/regex/Test.java b/java/ql/test/library-tests/regex/Test.java
@@ -0,0 +1,104 @@
+package generatedtest;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+// Test case generated by GenerateFlowTestCase.ql
+public class Test {
+
+  private final String str_pattern = "\\$\\{(.*)\\}";
+  private final Pattern pattern = Pattern.compile(str_pattern);
+
+  Object source() { return null; }
+  void sink(Object o) { }
+
+  public void test() throws Exception {
+
+    {
+      // "java.util.regex;Matcher;false;group;;;Argument[-1];ReturnValue;taint"
+      String out = null;
+      String in = (String) source();
+      Matcher m = pattern.matcher(in);
+      out = m.group("foo");
+      sink(out); // $ hasTaintFlow
+    }
+    {
+      // "java.util.regex;Matcher;false;group;;;Argument[-1];ReturnValue;taint"
+      String out = null;
+      String in = (String) source();
+      Matcher m = pattern.matcher(in);
+      out = m.group();
+      sink(out); // $ hasTaintFlow
+    }
+    {
+      // "java.util.regex;Matcher;false;group;;;Argument[-1];ReturnValue;taint"
+      String out = null;
+      String in = (String) source();
+      Matcher m = pattern.matcher(in);
+      out = m.group(0);
+      sink(out); // $ hasTaintFlow
+    }
+    {
+      // "java.util.regex;Matcher;false;replaceAll;;;Argument[-1];ReturnValue;taint"
+      String out = null;
+      String in = (String) source();
+      Matcher m = pattern.matcher(in);
+      out = m.replaceAll("foo");
+      sink(out); // $ hasTaintFlow
+    }
+    {
+      // "java.util.regex;Matcher;false;replaceAll;;;Argument[0];ReturnValue;taint"
+      String out = null;
+      String in = (String) source();
+      Matcher m = pattern.matcher("foo");
+      out = m.replaceAll(in);
+      sink(out); // $ hasTaintFlow
+    }
+    {
+      // "java.util.regex;Matcher;false;replaceFirst;;;Argument[-1];ReturnValue;taint"
+      String out = null;
+      String in = (String) source();
+      Matcher m = pattern.matcher(in);
+      out = m.replaceFirst("foo");
+      sink(out); // $ hasTaintFlow
+    }
+    {
+      // "java.util.regex;Matcher;false;replaceFirst;;;Argument[0];ReturnValue;taint"
+      String out = null;
+      String in = (String) source();
+      Matcher m = pattern.matcher("foo");
+      out = m.replaceFirst(in);
+      sink(out); // $ hasTaintFlow
+    }
+    {
+      // "java.util.regex;Pattern;false;matcher;;;Argument[0];ReturnValue;taint"
+      Matcher out = null;
+      CharSequence in = (CharSequence)source();
+      out = pattern.matcher(in);
+      sink(out); // $ hasTaintFlow
+    }
+    {
+      // "java.util.regex;Pattern;false;quote;;;Argument[0];ReturnValue;taint"
+      String out = null;
+      String in = (String)source();
+      out = Pattern.quote(in);
+      sink(out); // $ hasTaintFlow
+    }
+    {
+      // "java.util.regex;Pattern;false;split;;;Argument[0];ReturnValue;taint"
+      String[] out = null;
+      CharSequence in = (CharSequence)source();
+      out = pattern.split(in);
+      sink(out); // $ hasTaintFlow
+    }
+    {
+      // "java.util.regex;Pattern;false;split;;;Argument[0];ReturnValue;taint"
+      String[] out = null;
+      CharSequence in = (CharSequence)source();
+      out = pattern.split(in, 0);
+      sink(out); // $ hasTaintFlow
+    }
+
+  }
+
+}
diff --git a/java/ql/test/library-tests/regex/test.expected b/java/ql/test/library-tests/regex/test.expected
diff --git a/java/ql/test/library-tests/regex/test.ql b/java/ql/test/library-tests/regex/test.ql
@@ -0,0 +1,2 @@
+import java
+import TestUtilities.InlineFlowTest

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+import java`
	`2`	`+import TestUtilities.InlineFlowTest`