
Commit 07dd90d

committed
Expand log injection sanitizer guards to non-annotation regex matches
1 parent c2024fb commit 07dd90d


1 file changed

+18
-13
lines changed


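--- a/java/ql/lib/semmle/code/java/security/LogInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/LogInjection.qll
@@ -105,24 +105,29 @@ private predicate logInjectionGuard(Guard g, Expr e, boolean branch) {
 or
 exists(RegexMatch rm, CompileTimeConstantExpr target |
 rm = g and
+not rm instanceof Annotation and
 target = rm.getRegex() and
 e = rm.getString()
 |
-// Allow anything except line breaks
-(
-not target.getStringValue().matches("%[^%]%") and
-not target.getStringValue().matches("%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%")
-or
-target.getStringValue().matches("%[^%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%]%")
-) and
+regexAllowsAnythingExceptLineBreaks(target.getStringValue()) and
 branch = true
 or
-// Disallow line breaks
-(
-not target.getStringValue().matches("%[^%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%]%") and
-// Assuming a regex containing line breaks is correctly matching line breaks in a string
-target.getStringValue().matches("%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%")
-) and
+regexDisallowsLineBreaks(target.getStringValue()) and
 branch = false
 )
 }
+
+bindingset[regex]
+predicate regexAllowsAnythingExceptLineBreaks(string regex) {
+not regex.matches("%[^%]%") and
+not regex.matches("%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%")
+or
+regex.matches("%[^%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%]%")
+}
+
+bindingset[regex]
+predicate regexDisallowsLineBreaks(string regex) {
+not regex.matches("%[^%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%]%") and
+// Assuming a regex containing line breaks is correctly matching line breaks in a string
+regex.matches("%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%")
+}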
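Review bot: The two new predicates `regexAllowsAnythingExceptLineBreaks` and `regexDisallowsLineBreaks` are added without the `private` modifier and without QLDoc, so they become undocumented public API of LogInjection.qll even though their only caller is the private `logInjectionGuard`; either mark them `private` or give each a QLDoc comment. A suitable QLDoc for the first would state that it holds when `regex` is a string-pattern heuristic match: it contains no negated character class and no line-break token (`\n`, `\r`, `\R`, literal or escaped), or it contains a negated character class that excludes a line-break token, and that a positive match against such a regex is treated as evidence the string has no line breaks; the second's QLDoc should carry over the existing "Assuming a regex containing line breaks ..." caveat. The comment that previously explained the `branch = true` arm ("Allow anything except line breaks") is lost in this refactor, so the documentation now has to live on the predicates. It may also be worth noting in that QLDoc that the heuristic only inspects the regex text for `[^` and line-break tokens and does not account for other constructs that could match line breaks (I have not checked how `RegexMatch` treats flags such as DOTALL, so that would need confirming).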
