update sink and tests

Author: Jami Cogswell

java/ql/lib/semmle/code/java/regex/RegexFlowModels.qll

@@ -27,12 +27,12 @@ private class RegexSinkCsv extends SinkModelCsv {
         "com.google.common.base;Splitter;false;split;(CharSequence);;Argument[-1];regex-use[0];manual",
         "com.google.common.base;Splitter;false;splitToList;(CharSequence);;Argument[-1];regex-use[0];manual",
         "com.google.common.base;Splitter$MapSplitter;false;split;(CharSequence);;Argument[-1];regex-use[0];manual",
-        "org.apache.commons.lang3;RegExUtils;false;removeAll;(String,String);;Argument[1];regex-use[0];manual",
-        "org.apache.commons.lang3;RegExUtils;false;removeFirst;(String,String);;Argument[1];regex-use[0];manual",
-        "org.apache.commons.lang3;RegExUtils;false;removePattern;(String,String);;Argument[1];regex-use[0];manual",
-        "org.apache.commons.lang3;RegExUtils;false;replaceAll;(String,String,String);;Argument[1];regex-use[0];manual",
-        "org.apache.commons.lang3;RegExUtils;false;replaceFirst;(String,String,String);;Argument[1];regex-use[0];manual",
-        "org.apache.commons.lang3;RegExUtils;false;replacePattern;(String,String,String);;Argument[1];regex-use[0];manual",
+        "org.apache.commons.lang3;RegExUtils;false;removeAll;(String,String);;Argument[1];regex-use;manual",
+        "org.apache.commons.lang3;RegExUtils;false;removeFirst;(String,String);;Argument[1];regex-use;manual",
+        "org.apache.commons.lang3;RegExUtils;false;removePattern;(String,String);;Argument[1];regex-use;manual",
+        "org.apache.commons.lang3;RegExUtils;false;replaceAll;(String,String,String);;Argument[1];regex-use;manual",
+        "org.apache.commons.lang3;RegExUtils;false;replaceFirst;(String,String,String);;Argument[1];regex-use;manual",
+        "org.apache.commons.lang3;RegExUtils;false;replacePattern;(String,String,String);;Argument[1];regex-use;manual",
       ]
   }
 }

java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll

@@ -15,9 +15,7 @@ abstract class RegexInjectionSanitizer extends DataFlow::ExprNode { }
 private class DefaultRegexInjectionSink extends RegexInjectionSink {
   DefaultRegexInjectionSink() {
     exists(string kind |
-      kind.matches([
-          "regex-use[]", "regex-use[f1]", "regex-use[f-1]", "regex-use[-1]", "regex-use[0]"
-        ]) and
+      kind.matches(["regex-use[]", "regex-use[f1]", "regex-use[f-1]", "regex-use[-1]", "regex-use"]) and
       sinkNode(this, kind)
     )
   }

java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.java

@@ -7,6 +7,7 @@
 import javax.servlet.ServletException;
 
 import org.apache.commons.lang3.RegExUtils;
+import com.google.common.base.Splitter;
 
 public class RegexInjectionTest extends HttpServlet {
   public boolean string1(javax.servlet.http.HttpServletRequest request) {
@@ -138,10 +139,10 @@ public boolean apache7(javax.servlet.http.HttpServletRequest request) {
 
   // test `Pattern.quote` sanitizer
   public boolean quoteTest(javax.servlet.http.HttpServletRequest request) {
-    String regex = request.getParameter("regex");
+    String pattern = request.getParameter("pattern");
     String input = request.getParameter("input");
 
-    return input.matches(Pattern.quote(regex));  // Safe
+    return input.matches(Pattern.quote(pattern));  // Safe
   }
 
   // test `Pattern.LITERAL` sanitizer
@@ -151,4 +152,15 @@ public boolean literalTest(javax.servlet.http.HttpServletRequest request) {
 
     return Pattern.compile(pattern, Pattern.LITERAL).matcher(input).matches();  // Safe
   }
+
+  public Splitter guava1(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    return Splitter.onPattern(pattern);  // $ hasRegexInjection
+  }
+
+  public Splitter guava2(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    // sink is `Pattern.compile`
+    return  Splitter.on(Pattern.compile(pattern));  // $ hasRegexInjection
+  }
 }