Expand log injection sanitizer guards to non-annotation regex matches

owen-mc · owen-mc · commit 07dd90dd8945 · 2026-02-14T08:24:12.000Z
diff --git a/java/ql/lib/semmle/code/java/security/LogInjection.qll b/java/ql/lib/semmle/code/java/security/LogInjection.qll
@@ -105,24 +105,29 @@ private predicate logInjectionGuard(Guard g, Expr e, boolean branch) {
   or
   exists(RegexMatch rm, CompileTimeConstantExpr target |
     rm = g and
+    not rm instanceof Annotation and
     target = rm.getRegex() and
     e = rm.getString()
   |
-    // Allow anything except line breaks
-    (
-      not target.getStringValue().matches("%[^%]%") and
-      not target.getStringValue().matches("%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%")
-      or
-      target.getStringValue().matches("%[^%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%]%")
-    ) and
+    regexAllowsAnythingExceptLineBreaks(target.getStringValue()) and
     branch = true
     or
-    // Disallow line breaks
-    (
-      not target.getStringValue().matches("%[^%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%]%") and
-      // Assuming a regex containing line breaks is correctly matching line breaks in a string
-      target.getStringValue().matches("%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%")
-    ) and
+    regexDisallowsLineBreaks(target.getStringValue()) and
     branch = false
   )
 }
+
+bindingset[regex]
+predicate regexAllowsAnythingExceptLineBreaks(string regex) {
+  not regex.matches("%[^%]%") and
+  not regex.matches("%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%")
+  or
+  regex.matches("%[^%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%]%")
+}
+
+bindingset[regex]
+predicate regexDisallowsLineBreaks(string regex) {
+  not regex.matches("%[^%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%]%") and
+  // Assuming a regex containing line breaks is correctly matching line breaks in a string
+  regex.matches("%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%")
+}
