Refactor regex sanitizer
Move it to Sanitizers.qll and rename it to be more general (mostly following Go).
1 parent e52f819 commit 566aa8f

2 files changed

Lines changed: 32 additions & 18 deletions


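--- a/java/ql/lib/semmle/code/java/security/RequestForgery.qll
+++ b/java/ql/lib/semmle/code/java/security/RequestForgery.qll
@@ -166,22 +166,7 @@ private class HostComparisonSanitizer extends RequestForgerySanitizer {
 }
 
 /**
- * A qualifier in a call to a `.matches()` method that is a sanitizer for URL redirects.
- *
- * Matches any method call where the method is named `matches`.
- */
-private predicate isMatchesSanitizer(Guard guard, Expr e, boolean branch) {
-  guard =
-    any(MethodCall method |
-      method.getMethod().getName() = "matches" and
-      e = method.getQualifier() and
-      branch = true
-    )
-}
-
-/**
- * A qualifier in a call to `.matches()` that is a sanitizer for URL redirects.
+ * A comparison with a regular expression that is a sanitizer for URL redirects.
  */
-private class MatchesSanitizer extends RequestForgerySanitizer {
-  MatchesSanitizer() { this = DataFlow::BarrierGuard<isMatchesSanitizer/3>::getABarrierNode() }
-}
+private class RegexpCheckRequestForgerySanitizer extends RequestForgerySanitizer instanceof RegexpCheckBarrier
+{ }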
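Review bot: The new `RegexpCheckRequestForgerySanitizer` resolves `RegexpCheckBarrier` from Sanitizers.qll, but this hunk shows no import change in RequestForgery.qll, so the class only compiles if that module is already imported here (not visible in the hunk; worth confirming). The rewritten doc comment also drops the old caveat that any method named `matches` counts, which matters more for a sanitizer than for a source: an over-broad barrier removes real request-forgery flow paths rather than adding noise, and the comment still says "URL redirects" although this is a `RequestForgerySanitizer`. Suggest `* A comparison with a regular expression (any call to a method named matches) that is a sanitizer for request forgery.`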

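--- a/java/ql/lib/semmle/code/java/security/Sanitizers.qll
+++ b/java/ql/lib/semmle/code/java/security/Sanitizers.qll
@@ -3,6 +3,7 @@ overlay[local?]
 module;
 
 import java
+private import semmle.code.java.controlflow.Guards
 private import semmle.code.java.dataflow.DataFlow
 
 /**
@@ -29,3 +30,31 @@ class SimpleTypeSanitizer extends DataFlow::Node {
     this.getType() instanceof EnumType
   }
 }
+
+/**
+ * Holds if `guard` holds with branch `branch` if `e` matches a regular expression.
+ *
+ * This is overapproximate: we do not attempt to reason about the correctness of the regexp.
+ *
+ * Use this if you want to define a derived `DataFlow::BarrierGuard` without
+ * make the type recursive. Otherwise use `RegexpCheckBarrier`.
+ */
+predicate regexpMatchGuardChecks(Guard guard, Expr e, boolean branch) {
+  guard =
+    any(MethodCall method |
+      method.getMethod().getName() = "matches" and
+      e = method.getQualifier() and
+      branch = true
+    )
+}
+
+/**
+ * A check against a regular expression, considered as a barrier guard.
+ *
+ * This is overapproximate: we do not attempt to reason about the correctness of the regexp.
+ */
+class RegexpCheckBarrier extends DataFlow::Node {
+  RegexpCheckBarrier() {
+    this = DataFlow::BarrierGuard<regexpMatchGuardChecks/3>::getABarrierNode()
+  }
+}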
