Java: regexpMatch back to matches for readability

Jami Cogswell · Jami Cogswell · commit 6b5cce05f34d · 2025-03-09T18:44:20.000-04:00
diff --git a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -427,7 +427,6 @@ private predicate isSingleReplaceAll(StringReplaceAllCall replaceAllCall) {
     or
     targetValue.matches("%|%") and
     target.getStringValue().matches("%" + ["\\.\\.", "[.][.]", "\\."] + "%") and
-    //targetValue.regexpMatch(".*(\\\\\\.\\\\\\.|\\[.\\]\\[.\\]|\\\\\\.).*") and
     targetValue.matches("%/%") and
     targetValue.matches("%\\\\\\\\%")
   )
@@ -492,13 +491,12 @@ private predicate isMatchesCall(StringMatchesCall matchesCall, Expr checkedExpr,
     target.getStringValue() = targetValue and
     checkedExpr = matchesCall.getQualifier()
   |
-    targetValue.regexpMatch("\\[(.*)\\]([*+]|\\{.*\\})") and
+    target.getStringValue().matches(["[%]*", "[%]+", "[%]{%}"]) and
     (
       // Allow anything except `.`, '/', '\'
       (
         // Note: we do not account for when '.', '/', '\' are inside a character range
-        // not targetValue.matches("[%" + [".", "/", "\\\\"] + "%]%") and
-        not targetValue.regexpMatch("\\[.*(\\.|\\\\|/).*\\].*") and
+        not targetValue.matches("[%" + [".", "/", "\\\\"] + "%]%") and
         not targetValue.matches("%[^%]%")
         or
         targetValue.matches("[^%.%]%") and

Original file line number	Diff line number	Diff line change
`@@ -427,7 +427,6 @@ private predicate isSingleReplaceAll(StringReplaceAllCall replaceAllCall) {`
`427`	`427`	`or`
`428`	`428`	`targetValue.matches("%\|%") and`
`429`	`429`	`target.getStringValue().matches("%" + ["\\.\\.", "[.][.]", "\\."] + "%") and`
`430`		`- //targetValue.regexpMatch(".(\\\\\\.\\\\\\.\|\\[.\\]\\[.\\]\|\\\\\\.).") and`
`431`	`430`	`targetValue.matches("%/%") and`
`432`	`431`	`targetValue.matches("%\\\\\\\\%")`
`433`	`432`	`)`
`@@ -492,13 +491,12 @@ private predicate isMatchesCall(StringMatchesCall matchesCall, Expr checkedExpr,`
`492`	`491`	`target.getStringValue() = targetValue and`
`493`	`492`	`checkedExpr = matchesCall.getQualifier()`
`494`	`493`	`\|`
`495`		`- targetValue.regexpMatch("\\[(.)\\]([+]\|\\{.*\\})") and`
	`494`	`+ target.getStringValue().matches(["[%]*", "[%]+", "[%]{%}"]) and`
`496`	`495`	`(`
`497`	`496`	// Allow anything except `.`, '/', '\'
`498`	`497`	`(`
`499`	`498`	`// Note: we do not account for when '.', '/', '\' are inside a character range`
`500`		`- // not targetValue.matches("[%" + [".", "/", "\\\\"] + "%]%") and`
`501`		`- not targetValue.regexpMatch("\\[.(\\.\|\\\\\|/).\\].*") and`
	`499`	`+ not targetValue.matches("[%" + [".", "/", "\\\\"] + "%]%") and`
`502`	`500`	`not targetValue.matches("%[^%]%")`
`503`	`501`	`or`
`504`	`502`	`targetValue.matches("[^%.%]%") and`