github
diff --git a/‎java/ql/lib/semmle/code/java/security/RegexInjectionQuery.qll‎
Lines changed: 75 additions & 0 deletions b/‎java/ql/lib/semmle/code/java/security/RegexInjectionQuery.qll‎
Lines changed: 75 additions & 0 deletions
diff --git a/‎java/ql/src/Security/CWE/CWE-730/RegexInjection.ql‎
Lines changed: 1 addition & 84 deletions b/‎java/ql/src/Security/CWE/CWE-730/RegexInjection.ql‎
Lines changed: 1 addition & 84 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-730/RegexInjection.expected‎
Lines changed: 0 additions & 73 deletions b/‎java/ql/test/query-tests/security/CWE-730/RegexInjection.expected‎
Lines changed: 0 additions & 73 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-730/RegexInjection.qlref‎
Lines changed: 0 additions & 1 deletion b/‎java/ql/test/query-tests/security/CWE-730/RegexInjection.qlref‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.expected‎ b/‎java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.expected‎
@@ -0,0 +1,75 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+
+/**
+ * A data flow sink for untrusted user input used to construct regular expressions.
+ */
+class RegexSink extends DataFlow::ExprNode {
+  RegexSink() {
+    exists(MethodAccess ma, Method m | m = ma.getMethod() |
+      (
+        m.getDeclaringType() instanceof TypeString and
+        (
+          ma.getArgument(0) = this.asExpr() and
+          // TODO: confirm if more/less than the below need to be handled
+          m.hasName(["matches", "split", "replaceFirst", "replaceAll"])
+        )
+        or
+        // TODO: review Java Pattern API
+        m.getDeclaringType().hasQualifiedName("java.util.regex", "Pattern") and
+        (
+          ma.getArgument(0) = this.asExpr() and
+          // TODO: confirm if more/less than the below need to be handled
+          m.hasName(["compile", "matches"])
+        )
+        or
+        // TODO: read docs about regex APIs in Java
+        m.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "RegExUtils") and
+        (
+          ma.getArgument(1) = this.asExpr() and
+          m.getParameterType(1) instanceof TypeString and
+          // TODO: confirm if more/less than the below need to be handled
+          m.hasName([
+              "removeAll", "removeFirst", "removePattern", "replaceAll", "replaceFirst",
+              "replacePattern"
+            ])
+        )
+      )
+    )
+  }
+}
+
+// TODO: is this abstract class needed? Are there pre-existing sanitizer classes that can be used instead?
+abstract class Sanitizer extends DataFlow::ExprNode { }
+
+/**
+ * A call to a function whose name suggests that it escapes regular
+ * expression meta-characters.
+ */
+class RegExpSanitizationCall extends Sanitizer {
+  RegExpSanitizationCall() {
+    exists(string calleeName, string sanitize, string regexp |
+      calleeName = this.asExpr().(Call).getCallee().getName() and
+      sanitize = "(?:escape|saniti[sz]e)" and // TODO: confirm this is sufficient
+      regexp = "regexp?" // TODO: confirm this is sufficient
+    |
+      calleeName
+          .regexpMatch("(?i)(" + sanitize + ".*" + regexp + ".*)" + "|(" + regexp + ".*" + sanitize +
+              ".*)") // TODO: confirm this is sufficient
+    )
+  }
+}
+
+/**
+ * A taint-tracking configuration for untrusted user input used to construct regular expressions.
+ */
+class RegexInjectionConfiguration extends TaintTracking::Configuration {
+  RegexInjectionConfiguration() { this = "RegexInjectionConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof RegexSink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+}
@@ -13,93 +13,10 @@
  */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.security.RegexInjectionQuery
 import DataFlow::PathGraph
 
-/**
- * A data flow sink for untrusted user input used to construct regular expressions.
- */
-class RegexSink extends DataFlow::ExprNode {
-  RegexSink() {
-    exists(MethodAccess ma, Method m | m = ma.getMethod() |
-      (
-        m.getDeclaringType() instanceof TypeString and
-        (
-          ma.getArgument(0) = this.asExpr() and
-          // TODO: confirm if more/less than the below need to be handled
-          m.hasName(["matches", "split", "replaceFirst", "replaceAll"])
-        )
-        or
-        // TODO: review Java Pattern API
-        m.getDeclaringType().hasQualifiedName("java.util.regex", "Pattern") and
-        (
-          ma.getArgument(0) = this.asExpr() and
-          // TODO: confirm if more/less than the below need to be handled
-          m.hasName(["compile", "matches"])
-        )
-        or
-        // TODO: read docs about regex APIs in Java
-        m.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "RegExUtils") and
-        (
-          ma.getArgument(1) = this.asExpr() and
-          m.getParameterType(1) instanceof TypeString and
-          // TODO: confirm if more/less than the below need to be handled
-          m.hasName([
-              "removeAll", "removeFirst", "removePattern", "replaceAll", "replaceFirst",
-              "replacePattern"
-            ])
-        )
-      )
-    )
-  }
-}
-
-// TODO: is this abstract class needed? Are there pre-existing sanitizer classes that can be used instead?
-abstract class Sanitizer extends DataFlow::ExprNode { }
-
-/**
- * A call to a function whose name suggests that it escapes regular
- * expression meta-characters.
- */
-class RegExpSanitizationCall extends Sanitizer {
-  RegExpSanitizationCall() {
-    exists(string calleeName, string sanitize, string regexp |
-      calleeName = this.asExpr().(Call).getCallee().getName() and
-      sanitize = "(?:escape|saniti[sz]e)" and // TODO: confirm this is sufficient
-      regexp = "regexp?" // TODO: confirm this is sufficient
-    |
-      calleeName
-          .regexpMatch("(?i)(" + sanitize + ".*" + regexp + ".*)" + "|(" + regexp + ".*" + sanitize +
-              ".*)") // TODO: confirm this is sufficient
-    )
-  }
-}
-
-/**
- * A taint-tracking configuration for untrusted user input used to construct regular expressions.
- */
-class RegexInjectionConfiguration extends TaintTracking::Configuration {
-  RegexInjectionConfiguration() { this = "RegexInjectionConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof RegexSink }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
 from DataFlow::PathNode source, DataFlow::PathNode sink, RegexInjectionConfiguration c
 where c.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This regular expression is constructed from a $@.",
   source.getNode(), "user-provided value"
-// from MethodAccess ma
-// where
-//   // ma.getMethod().hasName("startsWith") and // graphhopper
-//   // ma.getFile().getBaseName() = "NavigateResource.java" // graphhopper
-//   // ma.getMethod().hasName("substring") and // jfinal
-//   // ma.getFile().getBaseName() = "FileManager.java" // jfinal
-//   ma.getMethod().hasName("startsWith") and // roller
-//   ma.getFile().getBaseName() = "PageServlet.java" // roller (or RegexUtil.java)
-// ProteinArraySignificanceTestJSON.java or MockRKeys.java for cbioportal
-// select ma, "method access"