Java: fix handling of '^' and '.' in replace cases

github · Feb 27, 2025 · 80c4f1a · 80c4f1a
1 parent ca19531
commit 80c4f1a
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -418,13 +418,13 @@ private class ReplaceDirectoryCharactersSanitizer extends MethodCall {
       mc.getArgument(1).(CompileTimeConstantExpr).getStringValue() = ["", "_", "-"] and
       (
         // replaceAll with single call
-        target.getStringValue().matches("[%]") and
-        target.getStringValue().matches("[%\\.%]%") and
-        target.getStringValue().matches("[%/%]%") and
-        target.getStringValue().matches("[%\\\\%]%")
+        not target.getStringValue().matches("%[^%]%") and
+        target.getStringValue().matches("[%.%]") and
+        target.getStringValue().matches("[%/%]") and
+        target.getStringValue().matches("[%\\\\%]")
         or
         target.getStringValue().matches("%|%") and
-        target.getStringValue().matches("%" + ["\\.\\.", "[\\.][\\.]", "\\."] + "%") and
+        target.getStringValue().matches("%" + ["\\.\\.", "[.][.]", "\\."] + "%") and
         target.getStringValue().matches("%/%") and
         target.getStringValue().matches("%\\\\%")
         or

diff --git a/java/ql/test/library-tests/pathsanitizer/Test.java b/java/ql/test/library-tests/pathsanitizer/Test.java
@@ -686,6 +686,11 @@ public void directoryCharsSanitizer() throws Exception {
             source = source.replaceAll("[\\./\\\\]", "");
             sink(source); // Safe
         }
+        {
+            String source = (String) source();
+            source = source.replaceAll("[^\\.\\\\/]", "");
+            sink(source); // $ hasTaintFlow
+        }
         // `replaceAll` with regex
         {
             String source = (String) source();