
Commit e2e8798

Move pattern check to MatchRegexConfiguration::isSink
1 parent 3e382fd commit e2e8798


3 files changed

+22
-67
lines changed


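--- a/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegex.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegex.ql
@@ -17,24 +17,6 @@ import DataFlow::PathGraph
 import PermissiveDotRegexQuery
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, MatchRegexConfiguration conf
-where
-conf.hasFlowPath(source, sink) and
-exists(MethodAccess ma | any(PermissiveDotRegexConfig conf2).hasFlowToExpr(ma.getArgument(0)) |
-// input.matches(regexPattern)
-ma.getMethod() instanceof StringMatchMethod and
-ma.getQualifier() = sink.getNode().asExpr()
-or
-// p = Pattern.compile(regexPattern); p.matcher(input)
-ma.getMethod() instanceof PatternCompileMethod and
-exists(MethodAccess pma |
-pma.getMethod() instanceof PatternMatcherMethod and
-sink.getNode().asExpr() = pma.getArgument(0) and
-DataFlow::localExprFlow(ma, pma.getQualifier())
-)
-or
-// p = Pattern.matches(regexPattern, input)
-ma.getMethod() instanceof PatternMatchMethod and
-sink.getNode().asExpr() = ma.getArgument(1)
-)
+where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Potentially authentication bypass due to $@.",
 source.getNode(), "user-provided value"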

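--- a/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll
@@ -102,14 +102,14 @@ class CompileRegexSink extends DataFlow::ExprNode {
 /**
 * A flow configuration for permissive dot regex.
 */
-class PermissiveDotRegexConfig extends DataFlow::Configuration {
+class PermissiveDotRegexConfig extends DataFlow2::Configuration {
 PermissiveDotRegexConfig() { this = "PermissiveDotRegex::PermissiveDotRegexConfig" }
 
-override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof PermissiveDotStr }
+override predicate isSource(DataFlow2::Node src) { src.asExpr() instanceof PermissiveDotStr }
 
-override predicate isSink(DataFlow::Node sink) { sink instanceof CompileRegexSink }
+override predicate isSink(DataFlow2::Node sink) { sink instanceof CompileRegexSink }
 
-override predicate isBarrier(DataFlow::Node node) {
+override predicate isBarrier(DataFlow2::Node node) {
 exists(
 MethodAccess ma, Field f // Pattern.compile(PATTERN, Pattern.DOTALL)
 |
@@ -152,6 +152,23 @@ class MatchRegexConfiguration extends TaintTracking::Configuration {
 DataFlow::exprNode(se) instanceof SpringUrlRedirectSink
 ) and
 guard.controls(se.getBasicBlock(), true)
+) and
+exists(MethodAccess ma | any(PermissiveDotRegexConfig conf2).hasFlowToExpr(ma.getArgument(0)) |
+// input.matches(regexPattern)
+ma.getMethod() instanceof StringMatchMethod and
+ma.getQualifier() = sink.asExpr()
+or
+// p = Pattern.compile(regexPattern); p.matcher(input)
+ma.getMethod() instanceof PatternCompileMethod and
+exists(MethodAccess pma |
+pma.getMethod() instanceof PatternMatcherMethod and
+sink.asExpr() = pma.getArgument(0) and
+DataFlow::localExprFlow(ma, pma.getQualifier())
+)
+or
+// p = Pattern.matches(regexPattern, input)
+ma.getMethod() instanceof PatternMatchMethod and
+sink.asExpr() = ma.getArgument(1)
 )
 }
 }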
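Review bot: The switch of `PermissiveDotRegexConfig` to `DataFlow2::Configuration` in the first hunk is left unexplained by the class's doc comment, and since the configuration is now consulted from inside `MatchRegexConfiguration::isSink` (second hunk), the separate library copy is presumably what keeps the two configurations from recursing through the same data-flow instantiation; a sentence such as `* Uses DataFlow2 so it can be queried from MatchRegexConfiguration::isSink without recursing into the same data-flow library.` would save the next reader the guess. In the second hunk, the `Pattern.compile` branch links the compile call to the `matcher` call with `DataFlow::localExprFlow(ma, pma.getQualifier())`, which is intra-procedural, so a pattern compiled once into a field and matched in another method is not recognised as a sink and the query stays silent on that common shape; a `// TODO: only handles a Pattern compiled and used in the same method` comment at that line would make the known gap explicit. The enclosing `isSink` predicate begins before the second hunk.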

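--- a/java/ql/test/experimental/query-tests/security/CWE-625/PermissiveDotRegex.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-625/PermissiveDotRegex.expected
@@ -1,23 +1,9 @@
 edges
-| DotRegexFilter.java:16:30:16:46 | PROTECTED_PATTERN : String | DotRegexFilter.java:31:31:31:47 | PROTECTED_PATTERN |
-| DotRegexFilter.java:16:50:16:64 | "/protected/.*" : String | DotRegexFilter.java:16:30:16:46 | PROTECTED_PATTERN : String |
 | DotRegexFilter.java:29:19:29:43 | getPathInfo(...) : String | DotRegexFilter.java:32:25:32:30 | source |
-| DotRegexFilter.java:50:19:50:43 | getPathInfo(...) : String | DotRegexFilter.java:53:25:53:30 | source |
-| DotRegexServlet.java:12:30:12:46 | PROTECTED_PATTERN : String | DotRegexServlet.java:21:31:21:47 | PROTECTED_PATTERN |
-| DotRegexServlet.java:12:30:12:46 | PROTECTED_PATTERN : String | DotRegexServlet.java:59:36:59:52 | PROTECTED_PATTERN |
-| DotRegexServlet.java:12:30:12:46 | PROTECTED_PATTERN : String | DotRegexServlet.java:77:37:77:53 | PROTECTED_PATTERN |
-| DotRegexServlet.java:12:30:12:46 | PROTECTED_PATTERN : String | DotRegexServlet.java:114:31:114:47 | PROTECTED_PATTERN |
-| DotRegexServlet.java:12:50:12:64 | "/protected/.*" : String | DotRegexServlet.java:12:30:12:46 | PROTECTED_PATTERN : String |
 | DotRegexServlet.java:19:19:19:39 | getPathInfo(...) : String | DotRegexServlet.java:22:25:22:30 | source |
-| DotRegexServlet.java:38:19:38:39 | getPathInfo(...) : String | DotRegexServlet.java:41:25:41:30 | source |
 | DotRegexServlet.java:57:19:57:41 | getRequestURI(...) : String | DotRegexServlet.java:59:21:59:26 | source |
 | DotRegexServlet.java:75:19:75:39 | getPathInfo(...) : String | DotRegexServlet.java:77:56:77:61 | source |
-| DotRegexServlet.java:93:19:93:39 | getPathInfo(...) : String | DotRegexServlet.java:96:25:96:30 | source |
 | DotRegexServlet.java:112:19:112:39 | getPathInfo(...) : String | DotRegexServlet.java:115:25:115:30 | source |
-| DotRegexServlet.java:133:19:133:39 | getPathInfo(...) : String | DotRegexServlet.java:136:25:136:30 | source |
-| DotRegexSpring.java:15:30:15:46 | PROTECTED_PATTERN : String | DotRegexSpring.java:21:31:21:47 | PROTECTED_PATTERN |
-| DotRegexSpring.java:15:30:15:46 | PROTECTED_PATTERN : String | DotRegexSpring.java:38:31:38:47 | PROTECTED_PATTERN |
-| DotRegexSpring.java:15:50:15:64 | "/protected/.*" : String | DotRegexSpring.java:15:30:15:46 | PROTECTED_PATTERN : String |
 | DotRegexSpring.java:20:26:20:50 | path : String | DotRegexSpring.java:22:21:22:24 | path : String |
 | DotRegexSpring.java:22:10:22:25 | decodePath(...) : String | DotRegexSpring.java:23:25:23:28 | path |
 | DotRegexSpring.java:22:21:22:24 | path : String | DotRegexSpring.java:22:10:22:25 | decodePath(...) : String |
@@ -26,67 +12,37 @@ edges
 | DotRegexSpring.java:39:10:39:25 | decodePath(...) : String | DotRegexSpring.java:40:25:40:28 | path |
 | DotRegexSpring.java:39:21:39:24 | path : String | DotRegexSpring.java:39:10:39:25 | decodePath(...) : String |
 | DotRegexSpring.java:39:21:39:24 | path : String | DotRegexSpring.java:69:28:69:38 | path : String |
-| DotRegexSpring.java:54:34:54:58 | path : String | DotRegexSpring.java:56:21:56:24 | path : String |
-| DotRegexSpring.java:56:10:56:25 | decodePath(...) : String | DotRegexSpring.java:57:25:57:28 | path |
-| DotRegexSpring.java:56:21:56:24 | path : String | DotRegexSpring.java:56:10:56:25 | decodePath(...) : String |
-| DotRegexSpring.java:56:21:56:24 | path : String | DotRegexSpring.java:69:28:69:38 | path : String |
 | DotRegexSpring.java:69:28:69:38 | path : String | DotRegexSpring.java:71:29:71:32 | path : String |
 | DotRegexSpring.java:69:28:69:38 | path : String | DotRegexSpring.java:73:10:73:13 | path : String |
 | DotRegexSpring.java:71:11:71:42 | decode(...) : String | DotRegexSpring.java:71:29:71:32 | path : String |
 | DotRegexSpring.java:71:11:71:42 | decode(...) : String | DotRegexSpring.java:73:10:73:13 | path : String |
 | DotRegexSpring.java:71:29:71:32 | path : String | DotRegexSpring.java:71:11:71:42 | decode(...) : String |
 nodes
-| DotRegexFilter.java:16:30:16:46 | PROTECTED_PATTERN : String | semmle.label | PROTECTED_PATTERN : String |
-| DotRegexFilter.java:16:50:16:64 | "/protected/.*" : String | semmle.label | "/protected/.*" : String |
 | DotRegexFilter.java:29:19:29:43 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
-| DotRegexFilter.java:31:31:31:47 | PROTECTED_PATTERN | semmle.label | PROTECTED_PATTERN |
 | DotRegexFilter.java:32:25:32:30 | source | semmle.label | source |
-| DotRegexFilter.java:50:19:50:43 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
-| DotRegexFilter.java:53:25:53:30 | source | semmle.label | source |
-| DotRegexServlet.java:12:30:12:46 | PROTECTED_PATTERN : String | semmle.label | PROTECTED_PATTERN : String |
-| DotRegexServlet.java:12:50:12:64 | "/protected/.*" : String | semmle.label | "/protected/.*" : String |
 | DotRegexServlet.java:19:19:19:39 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
-| DotRegexServlet.java:21:31:21:47 | PROTECTED_PATTERN | semmle.label | PROTECTED_PATTERN |
 | DotRegexServlet.java:22:25:22:30 | source | semmle.label | source |
-| DotRegexServlet.java:38:19:38:39 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
-| DotRegexServlet.java:41:25:41:30 | source | semmle.label | source |
 | DotRegexServlet.java:57:19:57:41 | getRequestURI(...) : String | semmle.label | getRequestURI(...) : String |
 | DotRegexServlet.java:59:21:59:26 | source | semmle.label | source |
-| DotRegexServlet.java:59:36:59:52 | PROTECTED_PATTERN | semmle.label | PROTECTED_PATTERN |
 | DotRegexServlet.java:75:19:75:39 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
-| DotRegexServlet.java:77:37:77:53 | PROTECTED_PATTERN | semmle.label | PROTECTED_PATTERN |
 | DotRegexServlet.java:77:56:77:61 | source | semmle.label | source |
-| DotRegexServlet.java:93:19:93:39 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
-| DotRegexServlet.java:96:25:96:30 | source | semmle.label | source |
 | DotRegexServlet.java:112:19:112:39 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
-| DotRegexServlet.java:114:31:114:47 | PROTECTED_PATTERN | semmle.label | PROTECTED_PATTERN |
 | DotRegexServlet.java:115:25:115:30 | source | semmle.label | source |
-| DotRegexServlet.java:133:19:133:39 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
-| DotRegexServlet.java:136:25:136:30 | source | semmle.label | source |
-| DotRegexSpring.java:15:30:15:46 | PROTECTED_PATTERN : String | semmle.label | PROTECTED_PATTERN : String |
-| DotRegexSpring.java:15:50:15:64 | "/protected/.*" : String | semmle.label | "/protected/.*" : String |
 | DotRegexSpring.java:20:26:20:50 | path : String | semmle.label | path : String |
-| DotRegexSpring.java:21:31:21:47 | PROTECTED_PATTERN | semmle.label | PROTECTED_PATTERN |
 | DotRegexSpring.java:22:10:22:25 | decodePath(...) : String | semmle.label | decodePath(...) : String |
 | DotRegexSpring.java:22:21:22:24 | path : String | semmle.label | path : String |
 | DotRegexSpring.java:23:25:23:28 | path | semmle.label | path |
 | DotRegexSpring.java:37:40:37:64 | path : String | semmle.label | path : String |
-| DotRegexSpring.java:38:31:38:47 | PROTECTED_PATTERN | semmle.label | PROTECTED_PATTERN |
 | DotRegexSpring.java:39:10:39:25 | decodePath(...) : String | semmle.label | decodePath(...) : String |
 | DotRegexSpring.java:39:21:39:24 | path : String | semmle.label | path : String |
 | DotRegexSpring.java:40:25:40:28 | path | semmle.label | path |
-| DotRegexSpring.java:54:34:54:58 | path : String | semmle.label | path : String |
-| DotRegexSpring.java:56:10:56:25 | decodePath(...) : String | semmle.label | decodePath(...) : String |
-| DotRegexSpring.java:56:21:56:24 | path : String | semmle.label | path : String |
-| DotRegexSpring.java:57:25:57:28 | path | semmle.label | path |
 | DotRegexSpring.java:69:28:69:38 | path : String | semmle.label | path : String |
 | DotRegexSpring.java:71:11:71:42 | decode(...) : String | semmle.label | decode(...) : String |
 | DotRegexSpring.java:71:29:71:32 | path : String | semmle.label | path : String |
 | DotRegexSpring.java:73:10:73:13 | path : String | semmle.label | path : String |
 subpaths
 | DotRegexSpring.java:22:21:22:24 | path : String | DotRegexSpring.java:69:28:69:38 | path : String | DotRegexSpring.java:73:10:73:13 | path : String | DotRegexSpring.java:22:10:22:25 | decodePath(...) : String |
 | DotRegexSpring.java:39:21:39:24 | path : String | DotRegexSpring.java:69:28:69:38 | path : String | DotRegexSpring.java:73:10:73:13 | path : String | DotRegexSpring.java:39:10:39:25 | decodePath(...) : String |
-| DotRegexSpring.java:56:21:56:24 | path : String | DotRegexSpring.java:69:28:69:38 | path : String | DotRegexSpring.java:73:10:73:13 | path : String | DotRegexSpring.java:56:10:56:25 | decodePath(...) : String |
 #select
 | DotRegexFilter.java:32:25:32:30 | source | DotRegexFilter.java:29:19:29:43 | getPathInfo(...) : String | DotRegexFilter.java:32:25:32:30 | source | Potentially authentication bypass due to $@. | DotRegexFilter.java:29:19:29:43 | getPathInfo(...) | user-provided value |
 | DotRegexServlet.java:22:25:22:30 | source | DotRegexServlet.java:19:19:19:39 | getPathInfo(...) : String | DotRegexServlet.java:22:25:22:30 | source | Potentially authentication bypass due to $@. | DotRegexServlet.java:19:19:19:39 | getPathInfo(...) | user-provided value |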
