
Commit 597949d

committed
Refactor PermissiveDotRegexQuery
1 parent 157b7ce commit 597949d

1 file changed

+12
-12
lines changed

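--- a/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll
@@ -93,14 +93,12 @@ private class CompileRegexSink extends DataFlow::ExprNode {
 /**
 * A data flow configuration for regular expressions that include permissive dots.
 */
-private class PermissiveDotRegexConfig extends DataFlow2::Configuration {
-PermissiveDotRegexConfig() { this = "PermissiveDotRegex::PermissiveDotRegexConfig" }
+private module PermissiveDotRegexConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow2::Node src) { src.asExpr() instanceof PermissiveDotStr }
 
-override predicate isSource(DataFlow2::Node src) { src.asExpr() instanceof PermissiveDotStr }
+predicate isSink(DataFlow2::Node sink) { sink instanceof CompileRegexSink }
 
-override predicate isSink(DataFlow2::Node sink) { sink instanceof CompileRegexSink }
-
-override predicate isBarrier(DataFlow2::Node node) {
+predicate isBarrier(DataFlow2::Node node) {
 exists(
 MethodAccess ma, Field f // Pattern.compile(PATTERN, Pattern.DOTALL)
 |
@@ -113,19 +111,19 @@ private class PermissiveDotRegexConfig extends DataFlow2::Configuration {
 }
 }
 
+private module PermissiveDotRegexFlow = DataFlow::Global<PermissiveDotRegexConfig>;
+
 /**
 * A taint-tracking configuration for untrusted user input used to match regular expressions
 * that include permissive dots.
 */
-class MatchRegexConfiguration extends TaintTracking::Configuration {
-MatchRegexConfiguration() { this = "PermissiveDotRegex::MatchRegexConfiguration" }
-
-override predicate isSource(DataFlow::Node source) {
+module MatchRegexConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) {
 sourceNode(source, "uri-path") or // Servlet uri source
 source instanceof SpringUriInputParameterSource // Spring uri source
 }
 
-override predicate isSink(DataFlow::Node sink) {
+predicate isSink(DataFlow::Node sink) {
 sink instanceof MatchRegexSink and
 exists(
 Guard guard, Expr se, Expr ce // used in a condition to control url redirect, which is a typical security enforcement
@@ -145,7 +143,7 @@ class MatchRegexConfiguration extends TaintTracking::Configuration {
 ) and
 guard.controls(se.getBasicBlock(), true)
 ) and
-exists(MethodAccess ma | any(PermissiveDotRegexConfig conf2).hasFlowToExpr(ma.getArgument(0)) |
+exists(MethodAccess ma | PermissiveDotRegexFlow::flowToExpr(ma.getArgument(0)) |
 // input.matches(regexPattern)
 ma.getMethod() instanceof StringMatchMethod and
 ma.getQualifier() = sink.asExpr()
@@ -165,6 +163,8 @@ class MatchRegexConfiguration extends TaintTracking::Configuration {
 }
 }
 
+module MatchRegexFlow = TaintTracking::Global<MatchRegexConfig>;
+
 /**
 * A data flow sink representing a string being matched against a regular expression.
 */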
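Review bot: The three predicates of `PermissiveDotRegexConfig` (`isSource`, `isSink`, `isBarrier`) still take `DataFlow2::Node`, although the module now implements `DataFlow::ConfigSig` and is instantiated through `DataFlow::Global`. The `DataFlow2` copy looks like it was only needed to nest the old class-based configuration inside `MatchRegexConfiguration`, so the parameters should read `DataFlow::Node`, e.g. `predicate isSource(DataFlow::Node src) { src.asExpr() instanceof PermissiveDotStr }`. The `DataFlow2` import can then probably go too; the import block and the rest of `isBarrier` are outside the visible hunks. Separately, the public class `MatchRegexConfiguration` is removed while only this file changes, so any query still calling `hasFlowPath` on it has to move to `MatchRegexFlow::flowPath`. Confirm that the CWE-625 test expectations are unchanged afterwards, so the refactor does not silently drop alerts.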
