github
diff --git a/‎…Security/CWE/CWE-730/RegexInjection.java‎ ‎…Security/CWE/CWE-730/RegexInjection.java‎java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.java renamed to java/ql/src/Security/CWE/CWE-730/RegexInjection.java
Lines changed: 1 addition & 1 deletion b/‎…Security/CWE/CWE-730/RegexInjection.java‎ ‎…Security/CWE/CWE-730/RegexInjection.java‎java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.java renamed to java/ql/src/Security/CWE/CWE-730/RegexInjection.java
Lines changed: 1 addition & 1 deletion
diff --git a/‎…ecurity/CWE/CWE-730/RegexInjection.qhelp‎ ‎…ecurity/CWE/CWE-730/RegexInjection.qhelp‎java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.qhelp renamed to java/ql/src/Security/CWE/CWE-730/RegexInjection.qhelp b/‎…ecurity/CWE/CWE-730/RegexInjection.qhelp‎ ‎…ecurity/CWE/CWE-730/RegexInjection.qhelp‎java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.qhelp renamed to java/ql/src/Security/CWE/CWE-730/RegexInjection.qhelp
diff --git a/‎…l/Security/CWE/CWE-730/RegexInjection.ql‎ ‎…c/Security/CWE/CWE-730/RegexInjection.ql‎java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql renamed to java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
Lines changed: 19 additions & 3 deletions b/‎…l/Security/CWE/CWE-730/RegexInjection.ql‎ ‎…c/Security/CWE/CWE-730/RegexInjection.ql‎java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql renamed to java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
Lines changed: 19 additions & 3 deletions
diff --git a/‎java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.qlref‎
Lines changed: 0 additions & 1 deletion b/‎java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.qlref‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎…security/CWE-730/RegexInjection.expected‎ ‎…security/CWE-730/RegexInjection.expected‎java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.expected renamed to java/ql/test/query-tests/security/CWE-730/RegexInjection.expected b/‎…security/CWE-730/RegexInjection.expected‎ ‎…security/CWE-730/RegexInjection.expected‎java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.expected renamed to java/ql/test/query-tests/security/CWE-730/RegexInjection.expected
diff --git a/‎…sts/security/CWE-730/RegexInjection.java‎ ‎…sts/security/CWE-730/RegexInjection.java‎java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.java renamed to java/ql/test/query-tests/security/CWE-730/RegexInjection.java b/‎…sts/security/CWE-730/RegexInjection.java‎ ‎…sts/security/CWE-730/RegexInjection.java‎java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.java renamed to java/ql/test/query-tests/security/CWE-730/RegexInjection.java
diff --git a/‎java/ql/test/query-tests/security/CWE-730/RegexInjection.qlref‎
Lines changed: 1 addition & 0 deletions b/‎java/ql/test/query-tests/security/CWE-730/RegexInjection.qlref‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎…tal/query-tests/security/CWE-730/options‎ ‎…/security/CWE-730/options-regexInjection‎java/ql/test/experimental/query-tests/security/CWE-730/options renamed to java/ql/test/query-tests/security/CWE-730/options-regexInjection b/‎…tal/query-tests/security/CWE-730/options‎ ‎…/security/CWE-730/options-regexInjection‎java/ql/test/experimental/query-tests/security/CWE-730/options renamed to java/ql/test/query-tests/security/CWE-730/options-regexInjection
@@ -35,4 +35,4 @@ public String string2(@RequestParam(value = "input", defaultValue = "test") Stri
     String escapeSpecialRegexChars(String str) {
         return SPECIAL_REGEX_CHARS.matcher(str).replaceAll("\\\\$0");
     }
-}
+}
@@ -27,19 +27,24 @@ class RegexSink extends DataFlow::ExprNode {
         m.getDeclaringType() instanceof TypeString and
         (
           ma.getArgument(0) = this.asExpr() and
+          // TODO: confirm if more/less than the below need to be handled
           m.hasName(["matches", "split", "replaceFirst", "replaceAll"])
         )
         or
+        // TODO: review Java Pattern API
         m.getDeclaringType().hasQualifiedName("java.util.regex", "Pattern") and
         (
           ma.getArgument(0) = this.asExpr() and
+          // TODO: confirm if more/less than the below need to be handled
           m.hasName(["compile", "matches"])
         )
         or
+        // TODO: read docs about regex APIs in Java
         m.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "RegExUtils") and
         (
           ma.getArgument(1) = this.asExpr() and
           m.getParameterType(1) instanceof TypeString and
+          // TODO: confirm if more/less than the below need to be handled
           m.hasName([
               "removeAll", "removeFirst", "removePattern", "replaceAll", "replaceFirst",
               "replacePattern"
@@ -50,6 +55,7 @@ class RegexSink extends DataFlow::ExprNode {
   }
 }
 
+// TODO: is this abstract class needed? Are there pre-existing sanitizer classes that can be used instead?
 abstract class Sanitizer extends DataFlow::ExprNode { }
 
 /**
@@ -60,12 +66,12 @@ class RegExpSanitizationCall extends Sanitizer {
   RegExpSanitizationCall() {
     exists(string calleeName, string sanitize, string regexp |
       calleeName = this.asExpr().(Call).getCallee().getName() and
-      sanitize = "(?:escape|saniti[sz]e)" and
-      regexp = "regexp?"
+      sanitize = "(?:escape|saniti[sz]e)" and // TODO: confirm this is sufficient
+      regexp = "regexp?" // TODO: confirm this is sufficient
     |
       calleeName
           .regexpMatch("(?i)(" + sanitize + ".*" + regexp + ".*)" + "|(" + regexp + ".*" + sanitize +
-              ".*)")
+              ".*)") // TODO: confirm this is sufficient
     )
   }
 }
@@ -87,3 +93,13 @@ from DataFlow::PathNode source, DataFlow::PathNode sink, RegexInjectionConfigura
 where c.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This regular expression is constructed from a $@.",
   source.getNode(), "user-provided value"
+// from MethodAccess ma
+// where
+//   // ma.getMethod().hasName("startsWith") and // graphhopper
+//   // ma.getFile().getBaseName() = "NavigateResource.java" // graphhopper
+//   // ma.getMethod().hasName("substring") and // jfinal
+//   // ma.getFile().getBaseName() = "FileManager.java" // jfinal
+//   ma.getMethod().hasName("startsWith") and // roller
+//   ma.getFile().getBaseName() = "PageServlet.java" // roller (or RegexUtil.java)
+// ProteinArraySignificanceTestJSON.java or MockRKeys.java for cbioportal
+// select ma, "method access"
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-730/RegexInjection.ql
Original file line number	Diff line number	Diff line change
`@@ -35,4 +35,4 @@ public String string2(@RequestParam(value = "input", defaultValue = "test") Stri`
`35`	`35`	`String escapeSpecialRegexChars(String str) {`
`36`	`36`	`return SPECIAL_REGEX_CHARS.matcher(str).replaceAll("\\\\$0");`
`37`	`37`	`}`
`38`		`-}`
	`38`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -27,19 +27,24 @@ class RegexSink extends DataFlow::ExprNode {`
`27`	`27`	`m.getDeclaringType() instanceof TypeString and`
`28`	`28`	`(`
`29`	`29`	`ma.getArgument(0) = this.asExpr() and`
	`30`	`+ // TODO: confirm if more/less than the below need to be handled`
`30`	`31`	`m.hasName(["matches", "split", "replaceFirst", "replaceAll"])`
`31`	`32`	`)`
`32`	`33`	`or`
	`34`	`+ // TODO: review Java Pattern API`
`33`	`35`	`m.getDeclaringType().hasQualifiedName("java.util.regex", "Pattern") and`
`34`	`36`	`(`
`35`	`37`	`ma.getArgument(0) = this.asExpr() and`
	`38`	`+ // TODO: confirm if more/less than the below need to be handled`
`36`	`39`	`m.hasName(["compile", "matches"])`
`37`	`40`	`)`
`38`	`41`	`or`
	`42`	`+ // TODO: read docs about regex APIs in Java`
`39`	`43`	`m.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "RegExUtils") and`
`40`	`44`	`(`
`41`	`45`	`ma.getArgument(1) = this.asExpr() and`
`42`	`46`	`m.getParameterType(1) instanceof TypeString and`
	`47`	`+ // TODO: confirm if more/less than the below need to be handled`
`43`	`48`	`m.hasName([`
`44`	`49`	`"removeAll", "removeFirst", "removePattern", "replaceAll", "replaceFirst",`
`45`	`50`	`"replacePattern"`
`@@ -50,6 +55,7 @@ class RegexSink extends DataFlow::ExprNode {`
`50`	`55`	`}`
`51`	`56`	`}`
`52`	`57`
	`58`	`+// TODO: is this abstract class needed? Are there pre-existing sanitizer classes that can be used instead?`
`53`	`59`	`abstract class Sanitizer extends DataFlow::ExprNode { }`
`54`	`60`
`55`	`61`	`/**`
`@@ -60,12 +66,12 @@ class RegExpSanitizationCall extends Sanitizer {`
`60`	`66`	`RegExpSanitizationCall() {`
`61`	`67`	`exists(string calleeName, string sanitize, string regexp \|`
`62`	`68`	`calleeName = this.asExpr().(Call).getCallee().getName() and`
`63`		`- sanitize = "(?:escape\|saniti[sz]e)" and`
`64`		`- regexp = "regexp?"`
	`69`	`+ sanitize = "(?:escape\|saniti[sz]e)" and // TODO: confirm this is sufficient`
	`70`	`+ regexp = "regexp?" // TODO: confirm this is sufficient`
`65`	`71`	`\|`
`66`	`72`	`calleeName`
`67`	`73`	`.regexpMatch("(?i)(" + sanitize + "." + regexp + ".)" + "\|(" + regexp + ".*" + sanitize +`
`68`		`- ".*)")`
	`74`	`+ ".*)") // TODO: confirm this is sufficient`
`69`	`75`	`)`
`70`	`76`	`}`
`71`	`77`	`}`
`@@ -87,3 +93,13 @@ from DataFlow::PathNode source, DataFlow::PathNode sink, RegexInjectionConfigura`
`87`	`93`	`where c.hasFlowPath(source, sink)`
`88`	`94`	`select sink.getNode(), source, sink, "This regular expression is constructed from a $@.",`
`89`	`95`	`source.getNode(), "user-provided value"`
	`96`	`+// from MethodAccess ma`
	`97`	`+// where`
	`98`	`+// // ma.getMethod().hasName("startsWith") and // graphhopper`
	`99`	`+// // ma.getFile().getBaseName() = "NavigateResource.java" // graphhopper`
	`100`	`+// // ma.getMethod().hasName("substring") and // jfinal`
	`101`	`+// // ma.getFile().getBaseName() = "FileManager.java" // jfinal`
	`102`	`+// ma.getMethod().hasName("startsWith") and // roller`
	`103`	`+// ma.getFile().getBaseName() = "PageServlet.java" // roller (or RegexUtil.java)`
	`104`	`+// ProteinArraySignificanceTestJSON.java or MockRKeys.java for cbioportal`
	`105`	`+// select ma, "method access"`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+experimental/Security/CWE/CWE-730/RegexInjection.ql`