From 89f958105a3ffba24eea6d24ac90669b0fa25dc8 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Tue, 23 Jul 2024 21:37:44 +0100
Subject: [PATCH 1/2] Mention `regex-use` sink kind in QLDoc for `regexSinkKindInfo`

---
 .../lib/semmle/code/java/regex/RegexFlowConfigs.qll | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll b/java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll
index b5a195e748a6..39ee0cd27705 100644
--- a/java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll
+++ b/java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll
@@ -13,9 +13,15 @@ private class ExploitableStringLiteral extends StringLiteral {
 /**
  * Holds if `kind` is an external sink kind that is relevant for regex flow.
- * `full` is true if sinks with this kind match against the full string of its input.
- * `strArg` is the index of the argument to methods with this sink kind that contan the string to be matched against,
- * where -1 is the qualifier; or -2 if no such argument exists.
+ * `full` is true if sinks with this kind match against the full string of its
+ * input.
+ * `strArg` is the index of the argument to methods with this sink kind that
+ * contain the string to be matched against, where -1 is the qualifier; or -2
+ * if no such argument exists.
+ *
+ * Note that `regex-use` is deliberately not a possible value for `kind` here,
+ * as it is used for regular expression injection sinks that should not be used
+ * as polynomial ReDoS sinks.
  */
 private predicate regexSinkKindInfo(string kind, boolean full, int strArg) {
   sinkModel(_, _, _, _, _, _, _, kind, _, _) and

From 3edeb82d5b9b332f89eb4e9fd4bc55c2f78ebcca Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Tue, 23 Jul 2024 21:40:45 +0100
Subject: [PATCH 2/2] Add comment by models using `regex-use` sink kind

---
 java/ql/lib/ext/org.apache.commons.lang3.model.yml | 1 +
 1 file changed, 1 insertion(+)
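Review bot: The new QLDoc paragraph says which kind is excluded but still leaves the accepted kind syntax undocumented, so a reader of `regexSinkKindInfo` learns that plain `regex-use` is rejected without learning which strings are accepted or how `full` and `strArg` are derived from them; the predicate body that does that parsing continues past the end of the hunk. The companion YAML comment in this same patch series refers to `regex-use[0]`, so if the bracketed suffix is the only accepted form (confirm against the body), say so right after the `strArg` sentence, e.g. ` * Only kinds carrying a bracketed suffix such as `regex-use[0]` are matched; the suffix determines `full` and `strArg`.` The phrase "polynomial ReDoS sinks" also narrows the contract to one query; if the regex-flow configurations in this file feed other ReDoS or regex-flow queries as well, "regex-flow (ReDoS) sinks" would be the more accurate wording.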
diff --git a/java/ql/lib/ext/org.apache.commons.lang3.model.yml b/java/ql/lib/ext/org.apache.commons.lang3.model.yml
index 26cb6deec142..7f35d2d6240b 100644
--- a/java/ql/lib/ext/org.apache.commons.lang3.model.yml
+++ b/java/ql/lib/ext/org.apache.commons.lang3.model.yml
@@ -3,6 +3,7 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
+      # Note these sinks do not use the sink kind `regex-use[0]` because they should be considered as sinks for regex injection but not polynomial ReDoS.
       - ["org.apache.commons.lang3", "RegExUtils", False, "removeAll", "(String,String)", "", "Argument[1]", "regex-use", "manual"]
       - ["org.apache.commons.lang3", "RegExUtils", False, "removeFirst", "(String,String)", "", "Argument[1]", "regex-use", "manual"]
       - ["org.apache.commons.lang3", "RegExUtils", False, "removePattern", "(String,String)", "", "Argument[1]", "regex-use", "manual"]
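Review bot: The added comment records the decision ("regex injection but not polynomial ReDoS") but not the reason for it, which is exactly what a later maintainer needs before deciding whether switching these rows to `regex-use[0]` is a fix or a regression; the three `(String,String)` rows mark Argument[1] as the untrusted pattern, and nothing in the comment says why Argument[0] (presumably the text being matched) should not also be treated as a ReDoS input. Suggest stating the rationale and pointing at where the distinction is enforced, e.g. `# Plain `regex-use` (no `[n]` suffix) on purpose: Argument[1] is the pattern, so these are regex-injection sinks only. Do not change to `regex-use[0]` without checking regexSinkKindInfo in RegexFlowConfigs.qll, which deliberately excludes plain `regex-use` from ReDoS sinks.` Style: the comment is one very long line in a file whose rows are already wide; wrapping it onto two or three comment lines would keep it readable in a diff view. The `data:` list may have further rows outside the hunk that use `regex-use`; if so the comment should sit above all of them, not just these three.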