Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll

haby0 · smowton · web-flow · commit 0691cac5ab24 · 2021-04-30T16:54:41.000+08:00
Co-authored-by: Chris Smowton &lt;smowton@github.com&gt;
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
@@ -58,7 +58,7 @@ private class CompareSink extends UseOfLessTrustedSink {
       ma.getAnArgument()
           .(CompileTimeConstantExpr)
           .getStringValue()
-          .regexpMatch("^((10\\.((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?)|(192\\.168\\.)|172\\.(1[6789]|2[0-9]|3[01])\\.)((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)$")
+          .regexpMatch("^((10\\.((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?)|(192\\.168\\.)|172\\.(1[6789]|2[0-9]|3[01])\\.)((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)$") // Matches IP-address-like strings
     )
     or
     exists(MethodAccess ma |

Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ private class CompareSink extends UseOfLessTrustedSink {`
`58`	`58`	`ma.getAnArgument()`
`59`	`59`	`.(CompileTimeConstantExpr)`
`60`	`60`	`.getStringValue()`
`61`		`- .regexpMatch("^((10\\.((1\\d{2})?\|(2[0-4]\\d)?\|(25[0-5])?\|([1-9]\\d\|[0-9])?)(\\.)?)\|(192\\.168\\.)\|172\\.(1[6789]\|2[0-9]\|3[01])\\.)((1\\d{2})?\|(2[0-4]\\d)?\|(25[0-5])?\|([1-9]\\d\|[0-9])?)(\\.)?((1\\d{2})?\|(2[0-4]\\d)?\|(25[0-5])?\|([1-9]\\d\|[0-9])?)$")`
	`61`	`+ .regexpMatch("^((10\\.((1\\d{2})?\|(2[0-4]\\d)?\|(25[0-5])?\|([1-9]\\d\|[0-9])?)(\\.)?)\|(192\\.168\\.)\|172\\.(1[6789]\|2[0-9]\|3[01])\\.)((1\\d{2})?\|(2[0-4]\\d)?\|(25[0-5])?\|([1-9]\\d\|[0-9])?)(\\.)?((1\\d{2})?\|(2[0-4]\\d)?\|(25[0-5])?\|([1-9]\\d\|[0-9])?)$") // Matches IP-address-like strings`
`62`	`62`	`)`
`63`	`63`	`or`
`64`	`64`	`exists(MethodAccess ma \|`