8000 Java: Add new quality query to detect `String#replaceAll` with non-regex first argument by owen-mc · Pull Request #19115 · github/codeql · GitHub
Fix punctuation
owen-mc committed Apr 10, 2025
commit 626a7d50074befe1092981198c7ca7d8d67ac310
2 changes: 1 addition & 1 deletion java/ql/src/Performance/StringReplaceAllWithNonRegex.md
Expand Up @@ -26,4 +26,4 @@ public class Test {
## References

- Java SE Documentation: [String.replaceAll](https://docs.oracle.com/en/java/javase/20/docs/api/java.base/java/lang/String.html#replaceAll(java.lang.String,java.lang.String)).
Contributor
Minor. I don't see String.replaceAll mentioned at all in the link provided. This seems to link to the String class.

Contributor Author
It should go to the replaceAll method in the page on the String class. It seems to work for me.

- Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html)
- Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html).
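Review bot: With the trailing period added to the CWE-1176 entry, both reference bullets in this file now end consistently, which matches the Java SE line above it. One thing worth checking while touching this file: the Java SE link is pinned to the `javase/20` documentation and relies on the method anchor `#replaceAll(java.lang.String,java.lang.String)` resolving in the reviewer's browser (see the thread above); a version-independent or explicitly verified link would avoid the anchor silently landing on the top of the `String` class page.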
2 changes: 1 addition & 1 deletion java/ql/src/Performance/StringReplaceAllWithNonRegex.ql
Expand Up @@ -19,5 +19,5 @@ where
//only contains characters that could be a simple string
firstArg.getValue().regexpMatch("^[a-zA-Z0-9]+$")
select replaceAllCall,
"This call to 'replaceAll' should be a call `replace` as its $@ is not a regular expression.",
"This call to 'replaceAll' should be a call to 'replace' as its $@ is not a regular expression.",
firstArg, "first argument"
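Review bot: The message fix on the select line reads correctly now and quotes 'replace' the same way as 'replaceAll'. Two small points in the surrounding context: the comment `//only contains characters that could be a simple string` needs a space after `//` to match the comment style elsewhere in the Java queries, and the guard `firstArg.getValue().regexpMatch("^[a-zA-Z0-9]+$")` is deliberately conservative, so it stays quiet on literals containing characters such as a space or underscore, which are also not regex metacharacters; if that restriction is intentional to keep false positives low, a sentence saying so in the comment would help the next reader.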