Add RegExUtils

edvraa · edvraa · commit 13655b5d80cd · 2021-04-21T13:08:35.000+03:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
@@ -21,22 +21,39 @@ class RegexSink extends DataFlow::ExprNode {
   RegexSink() {
     exists(MethodAccess ma, Method m | m = ma.getMethod() |
       (
-        ma.getArgument(0) = this.asExpr() and
+        m.getDeclaringType().hasQualifiedName("java.lang", "String") and
         (
-          m.getDeclaringType().hasQualifiedName("java.lang", "String") and
+          ma.getArgument(0) = this.asExpr() and
           (
             m.hasName("matches") or
             m.hasName("split") or
             m.hasName("replaceFirst") or
             m.hasName("replaceAll")
           )
-          or
-          m.getDeclaringType().hasQualifiedName("java.util.regex", "Pattern") and
+        )
+        or
+        m.getDeclaringType().hasQualifiedName("java.util.regex", "Pattern") and
+        (
+          ma.getArgument(0) = this.asExpr() and
           (
             m.hasName("compile") or
             m.hasName("matches")
           )
         )
+        or
+        m.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "RegExUtils") and
+        (
+          ma.getArgument(1) = this.asExpr() and
+          m.getParameterType(1).(Class).hasQualifiedName("java.lang", "String") and
+          (
+            m.hasName("removeAll") or
+            m.hasName("removeFirst") or
+            m.hasName("removePattern") or
+            m.hasName("replaceAll") or
+            m.hasName("replaceFirst") or
+            m.hasName("replacePattern")
+          )
+        )
       )
     )
   }
@@ -51,7 +68,9 @@ class RegExpSanitizationCall extends Sanitizer {
       sanitize = "(?:escape|saniti[sz]e)" and
       regexp = "regexp?"
     |
-      calleeName.regexpMatch("(?i)(" + sanitize + ".*" + regexp + ".*)" + "|(" + regexp + ".*" + sanitize + ".*)")
+      calleeName
+          .regexpMatch("(?i)(" + sanitize + ".*" + regexp + ".*)" + "|(" + regexp + ".*" + sanitize +
+              ".*)")
     )
   }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.expected
@@ -1,39 +1,63 @@
 edges
-| RegexInjection.java:11:22:11:52 | getParameter(...) : String | RegexInjection.java:14:26:14:47 | ... + ... |
-| RegexInjection.java:18:22:18:52 | getParameter(...) : String | RegexInjection.java:21:24:21:30 | pattern |
-| RegexInjection.java:25:22:25:52 | getParameter(...) : String | RegexInjection.java:28:31:28:37 | pattern |
-| RegexInjection.java:32:22:32:52 | getParameter(...) : String | RegexInjection.java:35:29:35:35 | pattern |
-| RegexInjection.java:39:22:39:52 | getParameter(...) : String | RegexInjection.java:42:34:42:40 | pattern |
-| RegexInjection.java:49:22:49:52 | getParameter(...) : String | RegexInjection.java:52:28:52:34 | pattern |
-| RegexInjection.java:56:22:56:52 | getParameter(...) : String | RegexInjection.java:59:28:59:34 | pattern |
-| RegexInjection.java:63:22:63:52 | getParameter(...) : String | RegexInjection.java:66:36:66:42 | pattern : String |
-| RegexInjection.java:66:32:66:43 | foo(...) : String | RegexInjection.java:66:26:66:52 | ... + ... |
-| RegexInjection.java:66:36:66:42 | pattern : String | RegexInjection.java:66:32:66:43 | foo(...) : String |
+| RegexInjection.java:13:22:13:52 | getParameter(...) : String | RegexInjection.java:16:26:16:47 | ... + ... |
+| RegexInjection.java:20:22:20:52 | getParameter(...) : String | RegexInjection.java:23:24:23:30 | pattern |
+| RegexInjection.java:27:22:27:52 | getParameter(...) : String | RegexInjection.java:30:31:30:37 | pattern |
+| RegexInjection.java:34:22:34:52 | getParameter(...) : String | RegexInjection.java:37:29:37:35 | pattern |
+| RegexInjection.java:41:22:41:52 | getParameter(...) : String | RegexInjection.java:44:34:44:40 | pattern |
+| RegexInjection.java:51:22:51:52 | getParameter(...) : String | RegexInjection.java:54:28:54:34 | pattern |
+| RegexInjection.java:58:22:58:52 | getParameter(...) : String | RegexInjection.java:61:28:61:34 | pattern |
+| RegexInjection.java:65:22:65:52 | getParameter(...) : String | RegexInjection.java:68:36:68:42 | pattern : String |
+| RegexInjection.java:68:32:68:43 | foo(...) : String | RegexInjection.java:68:26:68:52 | ... + ... |
+| RegexInjection.java:68:36:68:42 | pattern : String | RegexInjection.java:68:32:68:43 | foo(...) : String |
+| RegexInjection.java:90:22:90:52 | getParameter(...) : String | RegexInjection.java:93:40:93:46 | pattern |
+| RegexInjection.java:97:22:97:52 | getParameter(...) : String | RegexInjection.java:100:42:100:48 | pattern |
+| RegexInjection.java:104:22:104:52 | getParameter(...) : String | RegexInjection.java:107:44:107:50 | pattern |
+| RegexInjection.java:111:22:111:52 | getParameter(...) : String | RegexInjection.java:114:41:114:47 | pattern |
+| RegexInjection.java:118:22:118:52 | getParameter(...) : String | RegexInjection.java:121:43:121:49 | pattern |
+| RegexInjection.java:133:22:133:52 | getParameter(...) : String | RegexInjection.java:136:45:136:51 | pattern |
 nodes
-| RegexInjection.java:11:22:11:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:14:26:14:47 | ... + ... | semmle.label | ... + ... |
-| RegexInjection.java:18:22:18:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:21:24:21:30 | pattern | semmle.label | pattern |
-| RegexInjection.java:25:22:25:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:28:31:28:37 | pattern | semmle.label | pattern |
-| RegexInjection.java:32:22:32:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:35:29:35:35 | pattern | semmle.label | pattern |
-| RegexInjection.java:39:22:39:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:42:34:42:40 | pattern | semmle.label | pattern |
-| RegexInjection.java:49:22:49:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:52:28:52:34 | pattern | semmle.label | pattern |
-| RegexInjection.java:56:22:56:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:59:28:59:34 | pattern | semmle.label | pattern |
-| RegexInjection.java:63:22:63:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:66:26:66:52 | ... + ... | semmle.label | ... + ... |
-| RegexInjection.java:66:32:66:43 | foo(...) : String | semmle.label | foo(...) : String |
-| RegexInjection.java:66:36:66:42 | pattern : String | semmle.label | pattern : String |
+| RegexInjection.java:13:22:13:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:16:26:16:47 | ... + ... | semmle.label | ... + ... |
+| RegexInjection.java:20:22:20:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:23:24:23:30 | pattern | semmle.label | pattern |
+| RegexInjection.java:27:22:27:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:30:31:30:37 | pattern | semmle.label | pattern |
+| RegexInjection.java:34:22:34:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:37:29:37:35 | pattern | semmle.label | pattern |
+| RegexInjection.java:41:22:41:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:44:34:44:40 | pattern | semmle.label | pattern |
+| RegexInjection.java:51:22:51:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:54:28:54:34 | pattern | semmle.label | pattern |
+| RegexInjection.java:58:22:58:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:61:28:61:34 | pattern | semmle.label | pattern |
+| RegexInjection.java:65:22:65:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:68:26:68:52 | ... + ... | semmle.label | ... + ... |
+| RegexInjection.java:68:32:68:43 | foo(...) : String | semmle.label | foo(...) : String |
+| RegexInjection.java:68:36:68:42 | pattern : String | semmle.label | pattern : String |
+| RegexInjection.java:90:22:90:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:93:40:93:46 | pattern | semmle.label | pattern |
+| RegexInjection.java:97:22:97:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:100:42:100:48 | pattern | semmle.label | pattern |
+| RegexInjection.java:104:22:104:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:107:44:107:50 | pattern | semmle.label | pattern |
+| RegexInjection.java:111:22:111:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:114:41:114:47 | pattern | semmle.label | pattern |
+| RegexInjection.java:118:22:118:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:121:43:121:49 | pattern | semmle.label | pattern |
+| RegexInjection.java:133:22:133:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:136:45:136:51 | pattern | semmle.label | pattern |
 #select
-| RegexInjection.java:14:26:14:47 | ... + ... | RegexInjection.java:11:22:11:52 | getParameter(...) : String | RegexInjection.java:14:26:14:47 | ... + ... | $@ is user controlled. | RegexInjection.java:11:22:11:52 | getParameter(...) | This regular expression pattern |
-| RegexInjection.java:21:24:21:30 | pattern | RegexInjection.java:18:22:18:52 | getParameter(...) : String | RegexInjection.java:21:24:21:30 | pattern | $@ is user controlled. | RegexInjection.java:18:22:18:52 | getParameter(...) | This regular expression pattern |
-| RegexInjection.java:28:31:28:37 | pattern | RegexInjection.java:25:22:25:52 | getParameter(...) : String | RegexInjection.java:28:31:28:37 | pattern | $@ is user controlled. | RegexInjection.java:25:22:25:52 | getParameter(...) | This regular expression pattern |
-| RegexInjection.java:35:29:35:35 | pattern | RegexInjection.java:32:22:32:52 | getParameter(...) : String | RegexInjection.java:35:29:35:35 | pattern | $@ is user controlled. | RegexInjection.java:32:22:32:52 | getParameter(...) | This regular expression pattern |
-| RegexInjection.java:42:34:42:40 | pattern | RegexInjection.java:39:22:39:52 | getParameter(...) : String | RegexInjection.java:42:34:42:40 | pattern | $@ is user controlled. | RegexInjection.java:39:22:39:52 | getParameter(...) | This regular expression pattern |
-| RegexInjection.java:52:28:52:34 | pattern | RegexInjection.java:49:22:49:52 | getParameter(...) : String | RegexInjection.java:52:28:52:34 | pattern | $@ is user controlled. | RegexInjection.java:49:22:49:52 | getParameter(...) | This regular expression pattern |
-| RegexInjection.java:59:28:59:34 | pattern | RegexInjection.java:56:22:56:52 | getParameter(...) : String | RegexInjection.java:59:28:59:34 | pattern | $@ is user controlled. | RegexInjection.java:56:22:56:52 | getParameter(...) | This regular expression pattern |
-| RegexInjection.java:66:26:66:52 | ... + ... | RegexInjection.java:63:22:63:52 | getParameter(...) : String | RegexInjection.java:66:26:66:52 | ... + ... | $@ is user controlled. | RegexInjection.java:63:22:63:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:16:26:16:47 | ... + ... | RegexInjection.java:13:22:13:52 | getParameter(...) : String | RegexInjection.java:16:26:16:47 | ... + ... | $@ is user controlled. | RegexInjection.java:13:22:13:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:23:24:23:30 | pattern | RegexInjection.java:20:22:20:52 | getParameter(...) : String | RegexInjection.java:23:24:23:30 | pattern | $@ is user controlled. | RegexInjection.java:20:22:20:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:30:31:30:37 | pattern | RegexInjection.java:27:22:27:52 | getParameter(...) : String | RegexInjection.java:30:31:30:37 | pattern | $@ is user controlled. | RegexInjection.java:27:22:27:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:37:29:37:35 | pattern | RegexInjection.java:34:22:34:52 | getParameter(...) : String | RegexInjection.java:37:29:37:35 | pattern | $@ is user controlled. | RegexInjection.java:34:22:34:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:44:34:44:40 | pattern | RegexInjection.java:41:22:41:52 | getParameter(...) : String | RegexInjection.java:44:34:44:40 | pattern | $@ is user controlled. | RegexInjection.java:41:22:41:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:54:28:54:34 | pattern | RegexInjection.java:51:22:51:52 | getParameter(...) : String | RegexInjection.java:54:28:54:34 | pattern | $@ is user controlled. | RegexInjection.java:51:22:51:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:61:28:61:34 | pattern | RegexInjection.java:58:22:58:52 | getParameter(...) : String | RegexInjection.java:61:28:61:34 | pattern | $@ is user controlled. | RegexInjection.java:58:22:58:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:68:26:68:52 | ... + ... | RegexInjection.java:65:22:65:52 | getParameter(...) : String | RegexInjection.java:68:26:68:52 | ... + ... | $@ is user controlled. | RegexInjection.java:65:22:65:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:93:40:93:46 | pattern | RegexInjection.java:90:22:90:52 | getParameter(...) : String | RegexInjection.java:93:40:93:46 | pattern | $@ is user controlled. | RegexInjection.java:90:22:90:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:100:42:100:48 | pattern | RegexInjection.java:97:22:97:52 | getParameter(...) : String | RegexInjection.java:100:42:100:48 | pattern | $@ is user controlled. | RegexInjection.java:97:22:97:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:107:44:107:50 | pattern | RegexInjection.java:104:22:104:52 | getParameter(...) : String | RegexInjection.java:107:44:107:50 | pattern | $@ is user controlled. | RegexInjection.java:104:22:104:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:114:41:114:47 | pattern | RegexInjection.java:111:22:111:52 | getParameter(...) : String | RegexInjection.java:114:41:114:47 | pattern | $@ is user controlled. | RegexInjection.java:111:22:111:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:121:43:121:49 | pattern | RegexInjection.java:118:22:118:52 | getParameter(...) : String | RegexInjection.java:121:43:121:49 | pattern | $@ is user controlled. | RegexInjection.java:118:22:118:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:136:45:136:51 | pattern | RegexInjection.java:133:22:133:52 | getParameter(...) : String | RegexInjection.java:136:45:136:51 | pattern | $@ is user controlled. | RegexInjection.java:133:22:133:52 | getParameter(...) | This regular expression pattern |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.java b/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.java
@@ -6,6 +6,8 @@
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.ServletException;
 
+import org.apache.commons.lang3.RegExUtils;
+
 public class RegexInjection extends HttpServlet {
   public boolean string1(javax.servlet.http.HttpServletRequest request) {
     String pattern = request.getParameter("pattern");
@@ -83,4 +85,54 @@ public boolean pattern5(javax.servlet.http.HttpServletRequest request) {
   String escapeSpecialRegexChars(String str) {
     return SPECIAL_REGEX_CHARS.matcher(str).replaceAll("\\\\$0");
   }
-}
+
+  public boolean apache1(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    return RegExUtils.removeAll(input, pattern).length() > 0;  // BAD
+  }
+
+  public boolean apache2(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    return RegExUtils.removeFirst(input, pattern).length() > 0;  // BAD
+  }
+
+  public boolean apache3(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    return RegExUtils.removePattern(input, pattern).length() > 0;  // BAD
+  }
+
+  public boolean apache4(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    return RegExUtils.replaceAll(input, pattern, "").length() > 0;  // BAD
+  }
+
+  public boolean apache5(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    return RegExUtils.replaceFirst(input, pattern, "").length() > 0;  // BAD
+  }
+
+  public boolean apache6(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    Pattern pt = (Pattern)(Object) pattern;
+    return RegExUtils.replaceFirst(input, pt, "").length() > 0;  // GOOD, Pattern compile is the sink instead
+  }
+
+  public boolean apache7(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    return RegExUtils.replacePattern(input, pattern, "").length() > 0;  // BAD
+  }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-730/options b/java/ql/test/experimental/query-tests/security/CWE-730/options
@@ -1 +1 @@
-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-lang3-3.7

Original file line number	Diff line number	Diff line change
`@@ -21,22 +21,39 @@ class RegexSink extends DataFlow::ExprNode {`
`21`	`21`	`RegexSink() {`
`22`	`22`	`exists(MethodAccess ma, Method m \| m = ma.getMethod() \|`
`23`	`23`	`(`
`24`		`- ma.getArgument(0) = this.asExpr() and`
	`24`	`+ m.getDeclaringType().hasQualifiedName("java.lang", "String") and`
`25`	`25`	`(`
`26`		`- m.getDeclaringType().hasQualifiedName("java.lang", "String") and`
	`26`	`+ ma.getArgument(0) = this.asExpr() and`
`27`	`27`	`(`
`28`	`28`	`m.hasName("matches") or`
`29`	`29`	`m.hasName("split") or`
`30`	`30`	`m.hasName("replaceFirst") or`
`31`	`31`	`m.hasName("replaceAll")`
`32`	`32`	`)`
`33`		`- or`
`34`		`- m.getDeclaringType().hasQualifiedName("java.util.regex", "Pattern") and`
	`33`	`+ )`
	`34`	`+ or`
	`35`	`+ m.getDeclaringType().hasQualifiedName("java.util.regex", "Pattern") and`
	`36`	`+ (`
	`37`	`+ ma.getArgument(0) = this.asExpr() and`
`35`	`38`	`(`
`36`	`39`	`m.hasName("compile") or`
`37`	`40`	`m.hasName("matches")`
`38`	`41`	`)`
`39`	`42`	`)`
	`43`	`+ or`
	`44`	`+ m.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "RegExUtils") and`
	`45`	`+ (`
	`46`	`+ ma.getArgument(1) = this.asExpr() and`
	`47`	`+ m.getParameterType(1).(Class).hasQualifiedName("java.lang", "String") and`
	`48`	`+ (`
	`49`	`+ m.hasName("removeAll") or`
	`50`	`+ m.hasName("removeFirst") or`
	`51`	`+ m.hasName("removePattern") or`
	`52`	`+ m.hasName("replaceAll") or`
	`53`	`+ m.hasName("replaceFirst") or`
	`54`	`+ m.hasName("replacePattern")`
	`55`	`+ )`
	`56`	`+ )`
`40`	`57`	`)`
`41`	`58`	`)`
`42`	`59`	`}`
`@@ -51,7 +68,9 @@ class RegExpSanitizationCall extends Sanitizer {`
`51`	`68`	`sanitize = "(?:escape\|saniti[sz]e)" and`
`52`	`69`	`regexp = "regexp?"`
`53`	`70`	`\|`
`54`		`- calleeName.regexpMatch("(?i)(" + sanitize + "." + regexp + ".)" + "\|(" + regexp + "." + sanitize + ".)")`
	`71`	`+ calleeName`
	`72`	`+ .regexpMatch("(?i)(" + sanitize + "." + regexp + ".)" + "\|(" + regexp + ".*" + sanitize +`
	`73`	`+ ".*)")`
`55`	`74`	`)`
`56`	`75`	`}`
`57`	`76`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4`
	`1`	`+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-lang3-3.7`