Skip to content

Java: Add models for java.util.regex.Pattern and Matcher #7733

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
smowton merged 3 commits into from
Jan 26, 2022
Merged

Java: Add models for java.util.regex.Pattern and Matcher #7733

smowton merged 3 commits into from
Jan 26, 2022

Conversation

@pwntester
Copy link
Contributor

@pwntester pwntester commented Jan 25, 2022

This PR adds summaries for java.util.regex Pattern and Matcher so that taint can flow in cases such as:

import java.util.regex.Matcher;
import java.util.regex.Pattern;

class Main {  

  public static void main(String args[]) { 
    String pattern = "\\$\\{(.*)\\}";
    Pattern r = Pattern.compile(pattern);
    String tainted = "${foo}";
    Matcher m = r.matcher(tainted);
    if (m.find( )) {
      sink(m.group(1));
    }
  } 
}

@pwntester pwntester requested a review from a team as a code owner January 25, 2022 09:51
@github-actions github-actions bot added the Java label Jan 25, 2022
@github-actions
Copy link
Contributor

github-actions bot commented Jan 25, 2022

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    Java Standard Library,``java.*``,3,533,111,28,,,7,,,10
+    Java Standard Library,``java.*``,3,541,111,28,,,7,,,10
-    Totals,,182,6212,1424,106,6,10,107,33,1,81
+    Totals,,182,6220,1424,106,6,10,107,33,1,81
  • Changes to framework-coverage-java.csv:
- java.util,34,,430,,,,,,,,,,34,,,,,,,,,,,,,,,16,414
+ java.util,34,,438,,,,,,,,,,34,,,,,,,,,,,,,,,24,414

@owen-mc owen-mc changed the title Add models for java.util.regex.Pattern and Matcher Java: Add models for java.util.regex.Pattern and Matcher Jan 25, 2022
@smowton
Copy link
Contributor

smowton commented Jan 25, 2022

The test doesn't compile:

Blah.java:39: error: reference to replaceAll is ambiguous
			out = in.replaceAll(null);
			        ^
  both method replaceAll(String) in Matcher and method replaceAll(Function<MatchResult,String>) in Matcher match
Blah.java:54: error: reference to replaceFirst is ambiguous
			out = in.replaceFirst(null);
			        ^
  both method replaceFirst(String) in Matcher and method replaceFirst(Function<MatchResult,String>) in Matcher match
2 errors

Otherwise this looks good to me. I imagine this will expose FPs because people are using regexes to sanitize things and we've previously by default assumed that any regex is sanitizing, but I'd be in favour of accepting these models and selectively introducing regex sanitizer steps as required.

@github-actions
Copy link
Contributor

github-actions bot commented Jan 25, 2022

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    Java Standard Library,``java.*``,3,533,111,28,,,7,,,10
+    Java Standard Library,``java.*``,3,541,111,28,,,7,,,10
-    Totals,,182,6212,1424,106,6,10,107,33,1,81
+    Totals,,182,6220,1424,106,6,10,107,33,1,81
  • Changes to framework-coverage-java.csv:
- java.util,34,,430,,,,,,,,,,34,,,,,,,,,,,,,,,16,414
+ java.util,34,,438,,,,,,,,,,34,,,,,,,,,,,,,,,24,414

@pwntester
Copy link
Contributor Author

pwntester commented Jan 25, 2022

Thanks @smowton I updated the test file and made it more meaningful

@smowton
Copy link
Contributor

smowton commented Jan 25, 2022

Might want to clear up the tabs/spaces situation. Otherwise LGTM

@pwntester
Copy link
Contributor Author

pwntester commented Jan 26, 2022

ready for review @smowton

@github-actions
Copy link
Contributor

github-actions bot commented Jan 26, 2022

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    Java Standard Library,``java.*``,3,533,111,28,,,7,,,10
+    Java Standard Library,``java.*``,3,541,111,28,,,7,,,10
-    Totals,,182,6212,1424,106,6,10,107,33,1,81
+    Totals,,182,6220,1424,106,6,10,107,33,1,81
  • Changes to framework-coverage-java.csv:
- java.util,34,,430,,,,,,,,,,34,,,,,,,,,,,,,,,16,414
+ java.util,34,,438,,,,,,,,,,34,,,,,,,,,,,,,,,24,414

@smowton smowton merged commit df87297 into github:main Jan 26, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@smowton smowton smowton approved these changes

Assignees

No one assigned

Labels

Java

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pwntester @smowton