
Commit 0e93e71

Jami CogswellJami Cogswell
authored andcommitted
update tests
1 parent 695d6f0 commit 0e93e71


2 files changed

+17
-3
lines changed


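--- a/java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.java
+++ b/java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.java
@@ -27,13 +27,20 @@ public boolean string3(javax.servlet.http.HttpServletRequest request) {
 String pattern = request.getParameter("pattern");
 String input = request.getParameter("input");
 
-return input.replaceFirst(pattern, "").length() > 0; // $ hasRegexInjection
+return input.split(pattern, 0).length > 0; // $ hasRegexInjection
 }
 
 public boolean string4(javax.servlet.http.HttpServletRequest request) {
 String pattern = request.getParameter("pattern");
 String input = request.getParameter("input");
 
+return input.replaceFirst(pattern, "").length() > 0; // $ hasRegexInjection
+}
+
+public boolean string5(javax.servlet.http.HttpServletRequest request) {
+String pattern = request.getParameter("pattern");
+String input = request.getParameter("input");
+
 return input.replaceAll(pattern, "").length() > 0; // $ hasRegexInjection
 }
 
@@ -58,13 +65,20 @@ public boolean pattern3(javax.servlet.http.HttpServletRequest request) {
 String pattern = request.getParameter("pattern");
 String input = request.getParameter("input");
 
-return Pattern.matches(pattern, input); // $ hasRegexInjection
+return Pattern.compile(pattern, 0).matcher(input).matches(); // $ hasRegexInjection
 }
 
 public boolean pattern4(javax.servlet.http.HttpServletRequest request) {
 String pattern = request.getParameter("pattern");
 String input = request.getParameter("input");
 
+return Pattern.matches(pattern, input); // $ hasRegexInjection
+}
+
+public boolean pattern5(javax.servlet.http.HttpServletRequest request) {
+String pattern = request.getParameter("pattern");
+String input = request.getParameter("input");
+
 return input.matches("^" + foo(pattern) + "=.*$"); // $ hasRegexInjection
 }
 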
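Review bot: The new `pattern3` case only exercises `Pattern.compile(pattern, 0)`, so the section confirms that the two-argument overload is a sink but does not pin down what happens when the flags argument makes the tainted string harmless. If the rest of the file does not already cover it, a companion case such as `return Pattern.compile(pattern, Pattern.LITERAL).matcher(input).matches();` would document whether the query treats literal-mode compilation as non-injectable; its expected annotation depends on what the query models, which is not visible here. The same applies to `string3`, where a short comment like `// two-argument split(regex, limit) overload` would explain why the `0` limit is there. The surrounding methods begin and end outside the two hunks, so existing coverage could not be checked from this page.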

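--- a/java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.ql
+++ b/java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.ql
@@ -1,6 +1,6 @@
 import java
 import TestUtilities.InlineExpectationsTest
-import semmle.code.java.security.RegexInjectionQuery
+import semmle.code.java.security.regexp.RegexInjectionQuery
 
 //import semmle.code.java.security.regexp.PolynomialReDoSQuery
 class RegexInjectionTest extends InlineExpectationsTest {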
