switch sink to use csv models

Author: Jami Cogswell

java/ql/lib/semmle/code/java/frameworks/Regex.qll

@@ -11,13 +11,13 @@ class TypeRegexPattern extends Class {
 class PatternQuoteMethod extends Method {
   PatternQuoteMethod() {
     this.getDeclaringType() instanceof TypeRegexPattern and
-    this.hasName(["quote"])
+    this.hasName("quote")
   }
 }
 
 /** The `LITERAL` field of the `java.util.regex.Pattern` class. */
-class PatternLiteral extends Field {
-  PatternLiteral() {
+class PatternLiteralField extends Field {
+  PatternLiteralField() {
     this.getDeclaringType() instanceof TypeRegexPattern and
     this.hasName("LITERAL")
   }

java/ql/lib/semmle/code/java/frameworks/apache/Lang.qll

@@ -46,8 +46,3 @@ class TypeApacheSystemUtils extends Class {
     this.hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"], "SystemUtils")
   }
 }
-
-/** The class `org.apache.commons.lang3.RegExUtils`. */
-class TypeApacheRegExUtils extends Class {
-  TypeApacheRegExUtils() { this.hasQualifiedName("org.apache.commons.lang3", "RegExUtils") }
-}

java/ql/lib/semmle/code/java/regex/RegexFlowModels.qll

@@ -27,6 +27,12 @@ private class RegexSinkCsv extends SinkModelCsv {
         "com.google.common.base;Splitter;false;split;(CharSequence);;Argument[-1];regex-use[0];manual",
         "com.google.common.base;Splitter;false;splitToList;(CharSequence);;Argument[-1];regex-use[0];manual",
         "com.google.common.base;Splitter$MapSplitter;false;split;(CharSequence);;Argument[-1];regex-use[0];manual",
+        "org.apache.commons.lang3;RegExUtils;false;removeAll;(String,String);;Argument[1];regex-use[0];manual",
+        "org.apache.commons.lang3;RegExUtils;false;removeFirst;(String,String);;Argument[1];regex-use[0];manual",
+        "org.apache.commons.lang3;RegExUtils;false;removePattern;(String,String);;Argument[1];regex-use[0];manual",
+        "org.apache.commons.lang3;RegExUtils;false;replaceAll;(String,String,String);;Argument[1];regex-use[0];manual",
+        "org.apache.commons.lang3;RegExUtils;false;replaceFirst;(String,String,String);;Argument[1];regex-use[0];manual",
+        "org.apache.commons.lang3;RegExUtils;false;replacePattern;(String,String,String);;Argument[1];regex-use[0];manual",
       ]
   }
 }

java/ql/lib/semmle/code/java/security/RegexInjection.qll

@@ -3,7 +3,8 @@
 import java
 private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.frameworks.Regex
-private import semmle.code.java.frameworks.apache.Lang
+//private import semmle.code.java.frameworks.apache.Lang
+private import semmle.code.java.regex.RegexFlowModels
 
 /** A data flow sink for untrusted user input used to construct regular expressions. */
 abstract class RegexInjectionSink extends DataFlow::ExprNode { }
@@ -14,36 +15,41 @@ abstract class RegexInjectionSanitizer extends DataFlow::ExprNode { }
 /** A method call that takes a regular expression as an argument. */
 private class DefaultRegexInjectionSink extends RegexInjectionSink {
   DefaultRegexInjectionSink() {
-    exists(MethodAccess ma, Method m | m = ma.getMethod() |
-      ma.getArgument(0) = this.asExpr() and
-      (
-        m instanceof StringRegexMethod or
-        m instanceof PatternRegexMethod
-      )
-      or
-      ma.getArgument(1) = this.asExpr() and
-      m instanceof ApacheRegExUtilsMethod
+    exists(string kind |
+      kind.matches([
+          "regex-use[]", "regex-use[f1]", "regex-use[f-1]", "regex-use[-1]", "regex-use[0]"
+        ]) and
+      sinkNode(this, kind)
     )
   }
 }
 
 /** A call to a function whose name suggests that it escapes regular expression meta-characters. */
 private class RegexSanitizationCall extends RegexInjectionSanitizer {
   RegexSanitizationCall() {
-    exists(string calleeName, string sanitize, string regexp |
+    // original
+    // exists(string calleeName, string sanitize, string regexp |
+    //   calleeName = this.asExpr().(Call).getCallee().getName() and
+    //   sanitize = "(?:escape|saniti[sz]e)" and
+    //   regexp = "regexp?"
+    // |
+    //   calleeName
+    //       .regexpMatch("(?i)(" + sanitize + ".*" + regexp + ".*)" + "|(" + regexp + ".*" + sanitize +
+    //           ".*)")
+    // )
+    // without regexp
+    exists(string calleeName, string sanitize |
       calleeName = this.asExpr().(Call).getCallee().getName() and
-      sanitize = "(?:escape|saniti[sz]e)" and
-      regexp = "regexp?"
+      sanitize = "(?:escape|saniti[sz]e)"
     |
-      calleeName
-          .regexpMatch("(?i)(" + sanitize + ".*" + regexp + ".*)" + "|(" + regexp + ".*" + sanitize +
-              ".*)")
+      calleeName.regexpMatch("(?i)(.*" + sanitize + ".*)")
+      //calleeName.matches("handleEscapes")
     )
   }
 }
 
 /**
- * A call to the `Pattern.quote` method, which gives meta-characters or escape sequences
+ * A call to the `Pattern.quote` method, which gives metacharacters or escape sequences
  * no special meaning.
  */
 private class PatternQuoteCall extends RegexInjectionSanitizer {
@@ -56,54 +62,17 @@ private class PatternQuoteCall extends RegexInjectionSanitizer {
 }
 
 /**
- * Use of the `Pattern.LITERAL` flag with `Pattern.compile`, which gives meta-characters
+ * Use of the `Pattern.LITERAL` flag with `Pattern.compile`, which gives metacharacters
  * or escape sequences no special meaning.
  */
 private class PatternLiteralFlag extends RegexInjectionSanitizer {
   PatternLiteralFlag() {
     exists(MethodAccess ma, Method m, Field field | m = ma.getMethod() |
       ma.getArgument(0) = this.asExpr() and
-      m instanceof PatternRegexMethod and
+      m.getDeclaringType() instanceof TypeRegexPattern and
       m.hasName("compile") and
-      field instanceof PatternLiteral and
+      field instanceof PatternLiteralField and
       ma.getArgument(1) = field.getAnAccess()
     )
   }
 }
-
-/**
- * A method of the class `java.lang.String` that takes a regular expression
- * as a parameter.
- */
-private class StringRegexMethod extends Method {
-  StringRegexMethod() {
-    this.getDeclaringType() instanceof TypeString and
-    this.hasName(["matches", "split", "replaceFirst", "replaceAll"])
-  }
-}
-
-/**
- * A method of the class `java.util.regex.Pattern` that takes a regular
- * expression as a parameter.
- */
-private class PatternRegexMethod extends Method {
-  PatternRegexMethod() {
-    this.getDeclaringType() instanceof TypeRegexPattern and
-    this.hasName(["compile", "matches"])
-  }
-}
-
-/**
- * A methods of the class `org.apache.commons.lang3.RegExUtils` that takes
- * a regular expression of type `String` as a parameter.
- */
-private class ApacheRegExUtilsMethod extends Method {
-  ApacheRegExUtilsMethod() {
-    this.getDeclaringType() instanceof TypeApacheRegExUtils and
-    // only handles String param here because the other param option, Pattern, is already handled by `java.util.regex.Pattern`
-    this.getParameterType(1) instanceof TypeString and
-    this.hasName([
-        "removeAll", "removeFirst", "removePattern", "replaceAll", "replaceFirst", "replacePattern"
-      ])
-  }
-}