update help file

Author: Jami Cogswell

java/ql/lib/semmle/code/java/security/RegexInjection.qll

@@ -11,6 +11,7 @@ abstract class RegexInjectionSink extends DataFlow::ExprNode { }
 /** A sanitizer for untrusted user input used to construct regular expressions. */
 abstract class RegexInjectionSanitizer extends DataFlow::ExprNode { }
 
+/** A method call that takes a regular expression as an argument. */
 private class DefaultRegexInjectionSink extends RegexInjectionSink {
   DefaultRegexInjectionSink() {
     exists(MethodAccess ma, Method m | m = ma.getMethod() |

java/ql/src/Security/CWE/CWE-730/RegexInjection.java

@@ -1,38 +1,22 @@
-package com.example.demo;
-
-import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
 
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.RestController;
-
-@RestController
-public class DemoApplication {
-
-    @GetMapping("/string1")
-    public String string1(@RequestParam(value = "input", defaultValue = "test") String input,
-                          @RequestParam(value = "pattern", defaultValue = ".*") String pattern) {
-        // BAD: Unsanitized user input is used to construct a regular expression
-        if (input.matches("^" + pattern + "=.*$"))
-            return "match!";
-
-        return "doesn't match!";
-    }
+public class RegexInjectionDemo extends HttpServlet {
 
-    @GetMapping("/string2")
-    public String string2(@RequestParam(value = "input", defaultValue = "test") String input,
-                          @RequestParam(value = "pattern", defaultValue = ".*") String pattern) {
-        // GOOD: User input is sanitized before constructing the regex
-        if (input.matches("^" + escapeSpecialRegexChars(pattern) + "=.*$"))
-            return "match!";
+  public boolean badExample(javax.servlet.http.HttpServletRequest request) {
+    String regex = request.getParameter("regex");
+    String input = request.getParameter("input");
 
-        return "doesn't match!";
-    }
+    // BAD: Unsanitized user input is used to construct a regular expression
+    return input.matches(regex);
+  }
 
-    Pattern SPECIAL_REGEX_CHARS = Pattern.compile("[{}()\\[\\]><-=!.+*?^$\\\\|]");
+  public boolean goodExample(javax.servlet.http.HttpServletRequest request) {
+    String regex = request.getParameter("regex");
+    String input = request.getParameter("input");
 
-    String escapeSpecialRegexChars(String str) {
-        return SPECIAL_REGEX_CHARS.matcher(str).replaceAll("\\\\$0");
-    }
+    // GOOD: User input is sanitized before constructing the regex
+    return input.matches(Pattern.quote(regex));
+  }
 }

java/ql/src/Security/CWE/CWE-730/RegexInjection.qhelp

@@ -15,25 +15,25 @@ perform a Denial of Service attack.
 <recommendation>
 <p>
 Before embedding user input into a regular expression, use a sanitization function
-to escape meta-characters that have special meaning.
+such as <code>Pattern.quote</code> to escape meta-characters that have special meaning.
 </p>
 </recommendation>
 
 <example>
 <p>
-The following example shows a HTTP request parameter that is used to construct a regular expression:
+The following example shows an HTTP request parameter that is used to construct a regular expression.
 </p>
-<sample src="RegexInjection.java" />
 <p>
 In the first case the user-provided regex is not escaped.
 If a malicious user provides a regex that has exponential worst case performance,
 then this could lead to a Denial of Service.
 </p>
 <p>
-In the second case, the user input is escaped using <code>escapeSpecialRegexChars</code> before being included
+In the second case, the user input is escaped using <code>Pattern.quote</code> before being included
 in the regular expression. This ensures that the user cannot insert characters which have a special
 meaning in regular expressions.
 </p>
+<sample src="RegexInjection.java" />
 </example>
 
 <references>
@@ -44,5 +44,8 @@ OWASP:
 <li>
 Wikipedia: <a href="https://en.wikipedia.org/wiki/ReDoS">ReDoS</a>.
 </li>
+<li>
+Java API Specification: <a href="https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/regex/Pattern.html#quote(java.lang.String)">Pattern.quote</a>.
+</li>
 </references>
 </qhelp>