1 parent 9d75782 commit eea3e82
2 files changed
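--- a/java/ql/lib/ext/org.apache.commons.lang3.model.yml
+++ b/java/ql/lib/ext/org.apache.commons.lang3.model.yml
@@ -3,7 +3,9 @@ extensions:
 pack: codeql/java-all
 extensible: sinkModel
 data:
-# Note these sinks do not use the sink kind `regex-use[0]` because they should be considered as sinks for regex injection but not polynomial ReDoS.
+# Note these sinks do not use the sink kind `regex-use[0]` because the regex injection query needs to select them separately from
+# other `regex-use[0]` sinks in order to avoid FPs. As a result, these sinks are currently not used in the polynomial ReDoS query.
+# TODO: refactor the `regex-use%` sink kind so that the polynomial ReDoS query can also use these sinks.
 - ["org.apache.commons.lang3", "RegExUtils", False, "removeAll", "(String,String)", "", "Argument[1]", "regex-use", "manual"]
 - ["org.apache.commons.lang3", "RegExUtils", False, "removeFirst", "(String,String)", "", "Argument[1]", "regex-use", "manual"]
 - ["org.apache.commons.lang3", "RegExUtils", False, "removePattern", "(String,String)", "", "Argument[1]", "regex-use", "manual"]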
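--- a/java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll
+++ b/java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll
@@ -20,8 +20,10 @@ private class ExploitableStringLiteral extends StringLiteral {
 * if no such argument exists.
 *
 * Note that `regex-use` is deliberately not a possible value for `kind` here,
-* as it is used for regular expression injection sinks that should not be used
-* as polynomial ReDoS sinks.
+* as it is used for regular expression injection sinks that need to be selected
+* separately from existing `regex-use[0]` sinks.
+* TODO: refactor the `regex-use%` sink kind so that the polynomial ReDoS query
+* can also use the `regex-use` sinks.
 */
 private predicate regexSinkKindInfo(string kind, boolean full, int strArg) {
 sinkModel(_, _, _, _, _, _, _, kind, _, _) and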
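Review bot: The reworded QLDoc still asserts that `regex-use` is deliberately not a possible value for `kind`, yet the only conjunct visible in the hunk, `sinkModel(_, _, _, _, _, _, _, kind, _, _)`, binds `kind` to every kind present in the sink models, so the exclusion presumably comes from the remaining conjuncts of `regexSinkKindInfo`, which continue outside the hunk. Readers checking that the ReDoS query really does not pick up the injection-only sinks would be helped if the doc named the mechanism rather than only the intent, e.g. `* (only the regex-use[0]-style kinds matched below are accepted)`, adjusted to whatever the remaining conjuncts actually check. Please confirm that the exclusion is enforced by the predicate body rather than relying on the models never adding a bare `regex-use` row elsewhere.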