Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Java: Promote regex injection query from experimental #11070

Open
wants to merge 20 commits into
base: main
Choose a base branch
from
Open

Java: Promote regex injection query from experimental #11070

wants to merge 20 commits into from
+228 −244

Conversation

jcogs33
Copy link
Contributor

@jcogs33 jcogs33 commented Nov 1, 2022

This PR promotes #5704 from experimental.

@github-actions
Copy link
Contributor

github-actions bot commented Nov 1, 2022

QHelp previews:

java/ql/src/Security/CWE/CWE-730/RegexInjection.qhelp

Regular expression injection

Constructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.

Recommendation

Before embedding user input into a regular expression, use a sanitization function such as Pattern.quote to escape meta-characters that have special meaning.

Example

The following example shows an HTTP request parameter that is used to construct a regular expression.

In the first case the user-provided regex is not escaped. If a malicious user provides a regex that has exponential worst case performance, then this could lead to a Denial of Service.

In the second case, the user input is escaped using Pattern.quote before being included in the regular expression. This ensures that the user cannot insert characters which have a special meaning in regular expressions.

import java.util.regex.Pattern;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;

public class RegexInjectionDemo extends HttpServlet {

  public boolean badExample(javax.servlet.http.HttpServletRequest request) {
    String regex = request.getParameter("regex");
    String input = request.getParameter("input");

    // BAD: Unsanitized user input is used to construct a regular expression
    return input.matches(regex);
  }

  public boolean goodExample(javax.servlet.http.HttpServletRequest request) {
    String regex = request.getParameter("regex");
    String input = request.getParameter("input");

    // GOOD: User input is sanitized before constructing the regex
    return input.matches(Pattern.quote(regex));
  }
}

References

@github-actions
Copy link
Contributor

github-actions bot commented Nov 3, 2022

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,424,,,,,,,,
+    `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,424,6,,,,,,,
-    Totals,,217,8432,1524,129,6,10,107,33,1,86
+    Totals,,217,8432,1530,129,6,10,107,33,1,86
  • Changes to framework-coverage-java.csv:
- org.apache.commons.lang3,,,424,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,293,131
+ org.apache.commons.lang3,6,,424,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,293,131

@github-actions
Copy link
Contributor

github-actions bot commented Nov 3, 2022

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,424,,,,,,,,
+    `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,424,6,,,,,,,
-    Totals,,217,8432,1524,129,6,10,107,33,1,86
+    Totals,,217,8432,1530,129,6,10,107,33,1,86
  • Changes to framework-coverage-java.csv:
- org.apache.commons.lang3,,,424,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,293,131
+ org.apache.commons.lang3,6,,424,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,293,131

@github-actions
Copy link
Contributor

github-actions bot commented Nov 3, 2022

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,424,,,,,,,,
+    `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,424,6,,,,,,,
-    Totals,,217,8432,1524,129,6,10,107,33,1,86
+    Totals,,217,8432,1530,129,6,10,107,33,1,86
  • Changes to framework-coverage-java.csv:
- org.apache.commons.lang3,,,424,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,293,131
+ org.apache.commons.lang3,6,,424,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,293,131

@github-actions
Copy link
Contributor

github-actions bot commented Nov 4, 2022

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,424,,,,,,,,
+    `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,424,6,,,,,,,
-    Totals,,217,8432,1524,129,6,10,107,33,1,86
+    Totals,,217,8432,1530,129,6,10,107,33,1,86
  • Changes to framework-coverage-java.csv:
- package,sink,source,summary,sink:bean-validation,sink:create-file,sink:groovy,sink:header-splitting,sink:information-leak,sink:intent-start,sink:jdbc-url,sink:jexl,sink:jndi-injection,sink:ldap,sink:logging,sink:mvel,sink:ognl-injection,sink:open-url,sink:pending-intent-sent,sink:regex-use[-1],sink:regex-use[0],sink:regex-use[],sink:regex-use[f-1],sink:regex-use[f1],sink:regex-use[f],sink:set-hostname-verifier,sink:sql,sink:ssti,sink:url-open-stream,sink:url-redirect,sink:write-file,sink:xpath,sink:xslt,sink:xss,source:android-external-storage-dir,source:android-widget,source:contentprovider,source:remote,summary:taint,summary:value
+ package,sink,source,summary,sink:bean-validation,sink:create-file,sink:groovy,sink:header-splitting,sink:information-leak,sink:intent-start,sink:jdbc-url,sink:jexl,sink:jndi-injection,sink:ldap,sink:logging,sink:mvel,sink:ognl-injection,sink:open-url,sink:pending-intent-sent,sink:regex-use,sink:regex-use[-1],sink:regex-use[0],sink:regex-use[],sink:regex-use[f-1],sink:regex-use[f1],sink:regex-use[f],sink:set-hostname-verifier,sink:sql,sink:ssti,sink:url-open-stream,sink:url-redirect,sink:write-file,sink:xpath,sink:xslt,sink:xss,source:android-external-storage-dir,source:android-widget,source:contentprovider,source:remote,summary:taint,summary:value
- android.app,24,,103,,,,,,7,,,,,,,,,17,,,,,,,,,,,,,,,,,,,,18,85
+ android.app,24,,103,,,,,,7,,,,,,,,,17,,,,,,,,,,,,,,,,,,,,,18,85
- android.content,24,31,154,,,,,,16,,,,,,,,,,,,,,,,,8,,,,,,,,4,,27,,63,91
+ android.content,24,31,154,,,,,,16,,,,,,,,,,,,,,,,,,8,,,,,,,,4,,27,,63,91
- android.database,59,,39,,,,,,,,,,,,,,,,,,,,,,,59,,,,,,,,,,,,39,
+ android.database,59,,39,,,,,,,,,,,,,,,,,,,,,,,,59,,,,,,,,,,,,39,
- android.net,,,60,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,45,15
+ android.net,,,60,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,45,15
- android.os,,2,122,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,41,81
+ android.os,,2,122,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,41,81
- android.util,6,16,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,16,,
+ android.util,6,16,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,16,,
- android.webkit,3,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,2,,
+ android.webkit,3,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,2,,
- android.widget,,1,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,1,
+ android.widget,,1,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,1,
- androidx.core.app,6,,95,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,12,83
+ androidx.core.app,6,,95,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,12,83
- androidx.slice,2,5,88,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,5,,27,61
+ androidx.slice,2,5,88,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,5,,27,61
- cn.hutool.core.codec,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
+ cn.hutool.core.codec,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
- com.esotericsoftware.kryo.io,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
+ com.esotericsoftware.kryo.io,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
- com.esotericsoftware.kryo5.io,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
+ com.esotericsoftware.kryo5.io,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
- com.fasterxml.jackson.core,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
+ com.fasterxml.jackson.core,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
- com.fasterxml.jackson.databind,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,
+ com.fasterxml.jackson.databind,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,
- com.google.common.base,4,,85,,,,,,,,,,,,,,,,,3,1,,,,,,,,,,,,,,,,,62,23
+ com.google.common.base,4,,85,,,,,,,,,,,,,,,,,,3,1,,,,,,,,,,,,,,,,,62,23
- com.google.common.cache,,,17,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17
+ com.google.common.cache,,,17,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17
- com.google.common.collect,,,553,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,551
+ com.google.common.collect,,,553,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,551
- com.google.common.flogger,29,,,,,,,,,,,,,29,,,,,,,,,,,,,,,,,,,,,,,,,
+ com.google.common.flogger,29,,,,,,,,,,,,,29,,,,,,,,,,,,,,,,,,,,,,,,,,
- com.google.common.io,6,,73,,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,72,1
+ com.google.common.io,6,,73,,,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,72,1
- com.hubspot.jinjava,2,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,
+ com.hubspot.jinjava,2,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,
- com.mitchellbosecke.pebble,2,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,
+ com.mitchellbosecke.pebble,2,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,
- com.opensymphony.xwork2.ognl,3,,,,,,,,,,,,,,,3,,,,,,,,,,,,,,,,,,,,,,,
+ com.opensymphony.xwork2.ognl,3,,,,,,,,,,,,,,,3,,,,,,,,,,,,,,,,,,,,,,,,
- com.rabbitmq.client,,21,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,21,7,
+ com.rabbitmq.client,,21,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,21,7,
- com.unboundid.ldap.sdk,17,,,,,,,,,,,,17,,,,,,,,,,,,,,,,,,,,,,,,,,
+ com.unboundid.ldap.sdk,17,,,,,,,,,,,,17,,,,,,,,,,,,,,,,,,,,,,,,,,,
- com.zaxxer.hikari,2,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
+ com.zaxxer.hikari,2,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
- flexjson,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1
+ flexjson,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1
- freemarker.cache,1,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,
+ freemarker.cache,1,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,
- freemarker.template,7,,,,,,,,,,,,,,,,,,,,,,,,,,7,,,,,,,,,,,,
+ freemarker.template,7,,,,,,,,,,,,,,,,,,,,,,,,,,,7,,,,,,,,,,,,
- groovy.lang,26,,,,,26,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
+ groovy.lang,26,,,,,26,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
- groovy.util,5,,,,,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
+ groovy.util,5,,,,,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
- jakarta.faces.context,2,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,7,,
+ jakarta.faces.context,2,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,7,,
- jakarta.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23
+ jakarta.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23
- jakarta.ws.rs.client,1,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,
+ jakarta.ws.rs.client,1,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,
- jakarta.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,
+ jakarta.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,
- jakarta.ws.rs.core,2,,149,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,94,55
+ jakarta.ws.rs.core,2,,149,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,94,55
- java.beans,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
+ java.beans,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
- java.io,37,,40,,15,,,,,,,,,,,,,,,,,,,,,,,,,22,,,,,,,,40,
+ java.io,37,,40,,15,,,,,,,,,,,,,,,,,,,,,,,,,,22,,,,,,,,40,
- java.lang,13,,66,,,,,,,,,,,8,,,,,4,,,1,,,,,,,,,,,,,,,,54,12
+ java.lang,13,,66,,,,,,,,,,,8,,,,,,4,,,1,,,,,,,,,,,,,,,,54,12
- java.net,10,3,7,,,,,,,,,,,,,,10,,,,,,,,,,,,,,,,,,,,3,7,
+ java.net,10,3,7,,,,,,,,,,,,,,10,,,,,,,,,,,,,,,,,,,,,3,7,
- java.nio,15,,14,,13,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,14,
+ java.nio,15,,14,,13,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,14,
- java.sql,11,,,,,,,,,4,,,,,,,,,,,,,,,,7,,,,,,,,,,,,,
+ java.sql,11,,,,,,,,,4,,,,,,,,,,,,,,,,,7,,,,,,,,,,,,,
- java.util,44,,461,,,,,,,,,,,34,,,,,,5,2,,1,2,,,,,,,,,,,,,,36,425
+ java.util,44,,461,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,,,,36,425
- javax.faces.context,2,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,7,,
+ javax.faces.context,2,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,7,,
- javax.jms,,9,57,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,57,
+ javax.jms,,9,57,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,57,
- javax.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23
+ javax.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23
- javax.management.remote,2,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,
+ javax.management.remote,2,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,
- javax.naming,7,,,,,,,,,,,6,1,,,,,,,,,,,,,,,,,,,,,,,,,,
+ javax.naming,7,,,,,,,,,,,6,1,,,,,,,,,,,,,,,,,,,,,,,,,,,
- javax.net.ssl,2,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,
+ javax.net.ssl,2,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,
- javax.script,1,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,
+ javax.script,1,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,
- javax.servlet,4,21,2,,,,3,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,21,2,
+ javax.servlet,4,21,2,,,,3,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,21,2,
- javax.validation,1,1,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,
+ javax.validation,1,1,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,
- javax.ws.rs.client,1,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,
+ javax.ws.rs.client,1,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,
- javax.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,
+ javax.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,
- javax.ws.rs.core,3,,149,,,,1,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,94,55
+ javax.ws.rs.core,3,,149,,,,1,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,94,55
- javax.xml.transform,1,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,6,
+ javax.xml.transform,1,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,6,
- javax.xml.xpath,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,,,,
+ javax.xml.xpath,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,,,,
- jodd.json,,,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10
+ jodd.json,,,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10
- kotlin,12,,1835,,10,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,1828,7
+ kotlin,12,,1835,,10,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,1828,7
- net.sf.saxon.s9api,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,5,,,,,,,
+ net.sf.saxon.s9api,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,5,,,,,,,
- ognl,6,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,
+ ognl,6,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,
- okhttp3,2,,47,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,22,25
+ okhttp3,2,,47,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,22,25
- org.apache.commons.codec,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,
+ org.apache.commons.codec,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,
- org.apache.commons.collections,,,800,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17,783
+ org.apache.commons.collections,,,800,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17,783
- org.apache.commons.collections4,,,800,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17,783
+ org.apache.commons.collections4,,,800,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17,783
- org.apache.commons.io,106,,556,,91,,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,,542,14
+ org.apache.commons.io,106,,556,,91,,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,,,542,14
- org.apache.commons.jexl2,15,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,,,,,,,,,
+ org.apache.commons.jexl2,15,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
- org.apache.commons.jexl3,15,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,,,,,,,,,
+ org.apache.commons.jexl3,15,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
- org.apache.commons.lang3,,,424,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,293,131
+ org.apache.commons.lang3,6,,424,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,293,131
- org.apache.commons.logging,6,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,,
+ org.apache.commons.logging,6,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,
- org.apache.commons.ognl,6,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,
+ org.apache.commons.ognl,6,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,
- org.apache.commons.text,,,272,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,220,52
+ org.apache.commons.text,,,272,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,220,52
- org.apache.directory.ldap.client.api,1,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,
+ org.apache.directory.ldap.client.api,1,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,
- org.apache.hc.core5.function,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
+ org.apache.hc.core5.function,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
- org.apache.hc.core5.http,1,2,39,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,2,39,
+ org.apache.hc.core5.http,1,2,39,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,2,39,
- org.apache.hc.core5.net,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,
+ org.apache.hc.core5.net,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,
- org.apache.hc.core5.util,,,24,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,18,6
+ org.apache.hc.core5.util,,,24,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,18,6
- org.apache.http,27,3,70,,,,,,,,,,,,,,25,,,,,,,,,,,,,,,,2,,,,3,62,8
+ org.apache.http,27,3,70,,,,,,,,,,,,,,25,,,,,,,,,,,,,,,,,2,,,,3,62,8
- org.apache.ibatis.jdbc,6,,57,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,57,
+ org.apache.ibatis.jdbc,6,,57,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,57,
- org.apache.log4j,11,,,,,,,,,,,,,11,,,,,,,,,,,,,,,,,,,,,,,,,
+ org.apache.log4j,11,,,,,,,,,,,,,11,,,,,,,,,,,,,,,,,,,,,,,,,,
- org.apache.logging.log4j,359,,8,,,,,,,,,,,359,,,,,,,,,,,,,,,,,,,,,,,,4,4
+ org.apache.logging.log4j,359,,8,,,,,,,,,,,359,,,,,,,,,,,,,,,,,,,,,,,,,4,4
- org.apache.shiro.codec,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
+ org.apache.shiro.codec,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
- org.apache.shiro.jndi,1,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,
+ org.apache.shiro.jndi,1,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,
- org.apache.velocity.app,4,,,,,,,,,,,,,,,,,,,,,,,,,,4,,,,,,,,,,,,
+ org.apache.velocity.app,4,,,,,,,,,,,,,,,,,,,,,,,,,,,4,,,,,,,,,,,,
- org.apache.velocity.runtime,4,,,,,,,,,,,,,,,,,,,,,,,,,,4,,,,,,,,,,,,
+ org.apache.velocity.runtime,4,,,,,,,,,,,,,,,,,,,,,,,,,,,4,,,,,,,,,,,,
- org.codehaus.groovy.control,1,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
+ org.codehaus.groovy.control,1,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
- org.dom4j,20,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,20,,,,,,,,
+ org.dom4j,20,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,20,,,,,,,,
- org.hibernate,7,,,,,,,,,,,,,,,,,,,,,,,,,7,,,,,,,,,,,,,
+ org.hibernate,7,,,,,,,,,,,,,,,,,,,,,,,,,,7,,,,,,,,,,,,,
- org.jboss.logging,324,,,,,,,,,,,,,324,,,,,,,,,,,,,,,,,,,,,,,,,
+ org.jboss.logging,324,,,,,,,,,,,,,324,,,,,,,,,,,,,,,,,,,,,,,,,,
- org.jdbi.v3.core,6,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
+ org.jdbi.v3.core,6,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
- org.jooq,1,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,
+ org.jooq,1,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,
- org.json,,,236,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,198,38
+ org.json,,,236,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,198,38
- org.mvel2,16,,,,,,,,,,,,,,16,,,,,,,,,,,,,,,,,,,,,,,,
+ org.mvel2,16,,,,,,,,,,,,,,16,,,,,,,,,,,,,,,,,,,,,,,,,
- org.scijava.log,13,,,,,,,,,,,,,13,,,,,,,,,,,,,,,,,,,,,,,,,
+ org.scijava.log,13,,,,,,,,,,,,,13,,,,,,,,,,,,,,,,,,,,,,,,,,
- org.slf4j,55,,6,,,,,,,,,,,55,,,,,,,,,,,,,,,,,,,,,,,,2,4
+ org.slf4j,55,,6,,,,,,,,,,,55,,,,,,,,,,,,,,,,,,,,,,,,,2,4
- org.springframework.beans,,,30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,30
+ org.springframework.beans,,,30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,30
- org.springframework.boot.jdbc,1,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
+ org.springframework.boot.jdbc,1,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
- org.springframework.cache,,,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,13
+ org.springframework.cache,,,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,13
- org.springframework.context,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,
+ org.springframework.context,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,
- org.springframework.data.repository,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1
+ org.springframework.data.repository,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1
- org.springframework.http,14,,70,,,,,,,,,,,,,,14,,,,,,,,,,,,,,,,,,,,,60,10
+ org.springframework.http,14,,70,,,,,,,,,,,,,,14,,,,,,,,,,,,,,,,,,,,,,60,10
- org.springframework.jdbc.core,10,,,,,,,,,,,,,,,,,,,,,,,,,10,,,,,,,,,,,,,
+ org.springframework.jdbc.core,10,,,,,,,,,,,,,,,,,,,,,,,,,,10,,,,,,,,,,,,,
- org.springframework.jdbc.datasource,4,,,,,,,,,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
+ org.springframework.jdbc.datasource,4,,,,,,,,,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
- org.springframework.jdbc.object,9,,,,,,,,,,,,,,,,,,,,,,,,,9,,,,,,,,,,,,,
+ org.springframework.jdbc.object,9,,,,,,,,,,,,,,,,,,,,,,,,,,9,,,,,,,,,,,,,
- org.springframework.jndi,1,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,
+ org.springframework.jndi,1,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,
- org.springframework.ldap,47,,,,,,,,,,,33,14,,,,,,,,,,,,,,,,,,,,,,,,,,
+ org.springframework.ldap,47,,,,,,,,,,,33,14,,,,,,,,,,,,,,,,,,,,,,,,,,,
- org.springframework.security.web.savedrequest,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,,
+ org.springframework.security.web.savedrequest,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,,
- org.springframework.ui,,,32,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,32
+ org.springframework.ui,,,32,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,32
- org.springframework.util,,,139,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,87,52
+ org.springframework.util,,,139,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,87,52
- org.springframework.validation,,,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,13,
+ org.springframework.validation,,,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,13,
- org.springframework.web.client,13,3,,,,,,,,,,,,,,,13,,,,,,,,,,,,,,,,,,,,3,,
+ org.springframework.web.client,13,3,,,,,,,,,,,,,,,13,,,,,,,,,,,,,,,,,,,,,3,,
- org.springframework.web.context.request,,8,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,8,,
+ org.springframework.web.context.request,,8,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,8,,
- org.springframework.web.multipart,,12,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,12,13,
+ org.springframework.web.multipart,,12,13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,12,13,
- org.springframework.web.reactive.function.client,2,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,
+ org.springframework.web.reactive.function.client,2,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,
- org.springframework.web.util,,,163,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,138,25
+ org.springframework.web.util,,,163,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,138,25
- org.thymeleaf,2,,2,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,2,
+ org.thymeleaf,2,,2,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,2,
- org.xml.sax,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
+ org.xml.sax,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
- org.xmlpull.v1,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,
+ org.xmlpull.v1,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,
- play.mvc,,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,4,,
+ play.mvc,,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,4,,
- ratpack.core.form,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,
+ ratpack.core.form,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,
- ratpack.core.handling,,6,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,4,
+ ratpack.core.handling,,6,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,4,
- ratpack.core.http,,10,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10,10,
+ ratpack.core.http,,10,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10,10,
- ratpack.exec,,,48,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,48
+ ratpack.exec,,,48,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,48
- ratpack.form,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,
+ ratpack.form,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,
- ratpack.func,,,35,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,35
+ ratpack.func,,,35,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,35
- ratpack.handling,,6,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,4,
+ ratpack.handling,,6,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,4,
- ratpack.http,,10,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10,10,
+ ratpack.http,,10,10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,10,10,
- ratpack.util,,,35,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,35
+ ratpack.util,,,35,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,35
- retrofit2,1,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,
+ retrofit2,1,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,

@jcogs33 jcogs33 marked this pull request as ready for review Nov 7, 2022
@jcogs33 jcogs33 requested a review from a team as a code owner Nov 7, 2022
atorralba
atorralba reviewed Nov 7, 2022
View changes
Copy link
Contributor

@atorralba atorralba left a comment

Mostly LGTM, with a couple of minor comments. Curious about why exactly we couldn't use the regex-use[*] format for the new sinks so that the existing ReDoS queries could benefit from them.

java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll
exists(string kind |
kind.matches(["regex-use[]", "regex-use[f1]", "regex-use[f-1]", "regex-use[-1]", "regex-use"]) and
sinkNode(this, kind)
)
Copy link
Contributor

@atorralba atorralba Nov 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I you're not using wildcards (still curious why regex-use% doesn't work), you don't need matches (and then the exists isn't really needed either):

Suggested change
exists(string kind |
kind.matches(["regex-use[]", "regex-use[f1]", "regex-use[f-1]", "regex-use[-1]", "regex-use"]) and
sinkNode(this, kind)
)
sinkNode(this, ["regex-use[]", "regex-use[f1]", "regex-use[f-1]", "regex-use[-1]", "regex-use"])

Copy link
Contributor

@joefarebrother joefarebrother Nov 7, 2022
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some of the regex-use sinks are specific to the ReDoS query; in particular the Predicate.test sink is likely to cause many false positives if included. Which is probably the reason regex-use[0] is being excluded here.

The best solution is probably to exclude that sink specifically - perhaps by giving it a seperate kind that only the ReDoS query checks for. (which it does so here)

Copy link
Contributor

@atorralba atorralba Nov 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, makes sense, thanks! I would be surprised if more queries used these sinks aside from ReDos and regex injection, but if you think it makes sense we can create a special sink kind for Predicate.test. Specially if regex-use[0] includes other sinks that are valid for this query.

java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll
exists(MethodAccess ma, Method m, Field field | m = ma.getMethod() |
ma.getArgument(0) = this.asExpr() and
m.getDeclaringType() instanceof TypeRegexPattern and
m.hasName("compile") and
field instanceof PatternLiteralField and
ma.getArgument(1) = field.getAnAccess()
Copy link
Contributor

@atorralba atorralba Nov 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can remove the instanceof by using the stricter type directly in exists:

Suggested change
exists(MethodAccess ma, Method m, Field field | m = ma.getMethod() |
ma.getArgument(0) = this.asExpr() and
m.getDeclaringType() instanceof TypeRegexPattern and
m.hasName("compile") and
field instanceof PatternLiteralField and
ma.getArgument(1) = field.getAnAccess()
exists(MethodAccess ma, Method m, PatternLiteralField field | m = ma.getMethod() |
ma.getArgument(0) = this.asExpr() and
m.getDeclaringType() instanceof TypeRegexPattern and
m.hasName("compile") and
ma.getArgument(1) = field.getAnAccess()

java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.ql
import TestUtilities.InlineExpectationsTest
import semmle.code.java.security.regexp.RegexInjectionQuery

//import semmle.code.java.security.regexp.PolynomialReDoSQuery
Copy link
Contributor

@atorralba atorralba Nov 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be removed.

Suggested change
//import semmle.code.java.security.regexp.PolynomialReDoSQuery

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joefarebrother joefarebrother

@atorralba atorralba

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
documentation Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@jcogs33 @joefarebrother @atorralba