Java: Add RegexMatch concept and recognise @Pattern annotation as sanitizer

[owen-mc]

• Make Concepts.qll for java. (I was a bit surprised it doesn't have one.)
• Add an abstract class called RegexExecution which is a copy of this concept from python (and ruby).
  • Note that there is also this concept in go, which is less flexible because it only works for function calls. I may update it as a follow-up to match the others languages.
  • It's possible other languages have something similar - I haven't checked in detail.
    • The shared libraries have a file of shared concepts (synced using the script at the moment). I think this is a candidate for going in there and being shared between languages in future. But I don't propose to do that as part of this work.
• Instantiate the abstract class with direct regex executions like String.matches  and compiled regex executions like Pattern.compile followed by Pattern.matches, all of which are currently modelled.
• Update code that uses regex matches to use the concept and check that all tests pass.
• Instantiate the abstract class with the @pattern annotation from the issue. Add a test that checks that this works as a sanitizer for SSRF.

I expect some reduction in FPs due to the final commit expanded the scope of some sanitizers to include more regex execution methods. I plan to run QA to quantify that.

I welcome discussion about how to best deal with the fact that I want the concept to be the same as other languages, which use data flow nodes, but actually java mostly works at the levels of expressions. I've kind of done both for now. I think as we spread the use of shared libraries this difference in approach will eventually go away, or at least become easier to fix.

[Copilot]

Pull request overview

This PR introduces a shared “RegexExecution” concept for Java CodeQL libraries and migrates existing regex-related models/queries to use it, aiming to unify regex execution modeling across languages and reduce false positives.

Changes:

• Added semmle.code.java.Concepts with RegexExecution / RegexExecutionExpr concepts and wired it into java.qll.
• Extended existing Java regex API models (String.matches, Pattern.compile, Pattern.matches, Matcher.matches) to implement the new concept.
• Updated experimental and security libraries to use the new concept types instead of bespoke regex helpers.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
java/ql/src/experimental/Security/CWE/CWE-625/Regex.qll	Removes the (deprecated) local regex helper module.
java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll	Switches to framework regex models/concepts for sinks and matching logic.
java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll	Updates sanitizer modeling to use the new PatternCompileCall abstraction.
java/ql/lib/semmle/code/java/security/Sanitizers.qll	Reworks regexp-guard matching to use RegexExecutionExpr::Range.
java/ql/lib/semmle/code/java/security/PathSanitizer.qll	Updates directory-character matching guard logic to use the new regex execution concept.
java/ql/lib/semmle/code/java/frameworks/Regex.qll	Adds call/model classes (e.g., PatternCompileCall, PatternMatchesCall, MatcherMatchesCall) implementing RegexExecutionExpr::Range.
java/ql/lib/semmle/code/java/JDK.qll	Updates StringMatchesCall to implement RegexExecutionExpr::Range.
java/ql/lib/semmle/code/java/Concepts.qll	New Java Concepts library including RegexExecution and related modeling modules.
java/ql/lib/java.qll	Exports the new Concepts library by importing it.

Comments suppressed due to low confidence (1)

java/ql/lib/semmle/code/java/frameworks/Regex.qll:96

• Doc comment punctuation: this comment is missing a trailing period, unlike most other doc comments in this file.

/** A call to the `matches` method of `java.util.regex.Matcher` */
class MatcherMatchesCall extends MethodCall, RegexExecutionExpr::Range {

[Copilot]

Pull request overview

Copilot reviewed 18 out of 18 changed files in this pull request and generated 2 comments.

[aschackmull]

Some comments. At a high-level I think we should stick to defining the concept in terms of expressions and not data flow nodes.
Also, I think it would be good to clarify the relationship between the "regex execution" concept and the "regex match-or-not execution" sub-concept and its implicit reliance on returning boolean true to signify match-success. Is there prior art for distinctions like this in other languages?

[owen-mc]

@aschackmull It seems like having one concept which uses Exprs would be best then. That makes sharing between languages harder, but we can cross that bridge in future. Also, it sounds like it should be RegexMatch instead of RegexExecution. That is closer to RegexMatchFunction in the go library, which was my original reference point. (Though go doesn't have annotations, so it only considers function calls.)

[owen-mc]

The QA results were fine except for one thing: I saw several repos where we had gained SSRF results, which was not what I expected. On investigation I found that more care was needed around the following kind of code:

Matcher matcher = Pattern.compile(regexp).matcher(taintedInput);
if (matcher.matches()) {
    sink(matcher.group(1));
}

If matcher.matches() is just a sanitizer guard for its getString(), which is taintedInput, then taint still flows to matcher.group(1), which is a substring of taintedInput. So in this case we also want to sanitize matcher. This was previously caught because there was a blanket rule that any method called matches was a sanitizer guard for the qualifier.

I have added a fix for this, and a test to confirm that it works. I've also started a DCA run with all the repos that showed any change in SSRF alerts to see if this fixes the unexpectedly gained alerts.