Java: fix 'matches' false branch

Jami Cogswell · Jami Cogswell · commit 0d2e9ae4691c · 2025-03-17T18:48:44.000-04:00
diff --git a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -497,9 +497,9 @@ private predicate isMatchesCall(StringMatchesCall matchesCall, Expr checkedExpr,
     target.getStringValue() = targetValue and
     checkedExpr = matchesCall.getQualifier()
   |
-    targetValue.matches(["[%]*", "[%]+", "[%]{%}"]) and
     (
       // Allow anything except `.`, '/', '\'
+      targetValue.matches(["[%]*", "[%]+", "[%]{%}"]) and
       (
         // Note: we do not account for when '.', '/', '\' are inside a character range
         not targetValue.matches("[%" + [".", "/", "\\\\\\\\"] + "%]%") and
@@ -512,9 +512,10 @@ private predicate isMatchesCall(StringMatchesCall matchesCall, Expr checkedExpr,
       branch = true
       or
       // Disallow `.`, '/', '\'
-      targetValue.matches("[%.%]%") and
-      targetValue.matches("[%/%]%") and
-      targetValue.matches("[%\\\\\\\\%]%") and
+      targetValue.matches([".*[%].*", ".+[%].+"]) and
+      targetValue.matches("%[%.%]%") and
+      targetValue.matches("%[%/%]%") and
+      targetValue.matches("%[%\\\\\\\\%]%") and
       not targetValue.matches("%[^%]%") and
       branch = false
     )
diff --git a/java/ql/test/library-tests/pathsanitizer/Test.java b/java/ql/test/library-tests/pathsanitizer/Test.java
@@ -684,16 +684,33 @@ public void directoryCharsSanitizer() throws Exception {
         // branch = false
         {
             String source = (String) source();
+            if (source.matches(".*[\\./\\\\].*")) {
+                sink(source); // $ hasTaintFlow
+            } else {
+                sink(source); // Safe
+            }
+        }
+        {
+            String source = (String) source();
+            if (source.matches(".+[\\./\\\\].+")) {
+                sink(source); // $ hasTaintFlow
+            } else {
+                sink(source); // Safe
+            }
+        }
+        {
+            String source = (String) source();
+            // does not match whole string
             if (source.matches("[\\./\\\\]+")) {
                 sink(source); // $ hasTaintFlow
             } else {
-                sink(source); // $ Safe
+                sink(source); // $ hasTaintFlow
             }
         }
         {
             String source = (String) source();
             // not a complete sanitizer since it doesn't protect against absolute path injection
-            if (source.matches("[\\.]+")) {
+            if (source.matches(".+[\\.].+")) {
                 sink(source); // $ hasTaintFlow
             } else {
                 sink(source); // $ hasTaintFlow

Original file line number	Diff line number	Diff line change
`@@ -497,9 +497,9 @@ private predicate isMatchesCall(StringMatchesCall matchesCall, Expr checkedExpr,`
`497`	`497`	`target.getStringValue() = targetValue and`
`498`	`498`	`checkedExpr = matchesCall.getQualifier()`
`499`	`499`	`\|`
`500`		`- targetValue.matches(["[%]*", "[%]+", "[%]{%}"]) and`
`501`	`500`	`(`
`502`	`501`	// Allow anything except `.`, '/', '\'
	`502`	`+ targetValue.matches(["[%]*", "[%]+", "[%]{%}"]) and`
`503`	`503`	`(`
`504`	`504`	`// Note: we do not account for when '.', '/', '\' are inside a character range`
`505`	`505`	`not targetValue.matches("[%" + [".", "/", "\\\\\\\\"] + "%]%") and`
`@@ -512,9 +512,10 @@ private predicate isMatchesCall(StringMatchesCall matchesCall, Expr checkedExpr,`
`512`	`512`	`branch = true`
`513`	`513`	`or`
`514`	`514`	// Disallow `.`, '/', '\'
`515`		`- targetValue.matches("[%.%]%") and`
`516`		`- targetValue.matches("[%/%]%") and`
`517`		`- targetValue.matches("[%\\\\\\\\%]%") and`
	`515`	`+ targetValue.matches([".[%].", ".+[%].+"]) and`
	`516`	`+ targetValue.matches("%[%.%]%") and`
	`517`	`+ targetValue.matches("%[%/%]%") and`
	`518`	`+ targetValue.matches("%[%\\\\\\\\%]%") and`
`518`	`519`	`not targetValue.matches("%[^%]%") and`
`519`	`520`	`branch = false`
`520`	`521`	`)`