Merge pull request #18552 from aschackmull/java/xss-regex-perf

Java: Improve performance of XSS regex.
github · Jan 22, 2025 · 5bfd22e · 5bfd22e
2 parents 7fa9167 + 0f96e79
commit 5bfd22e
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 13 deletions.
diff --git a/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll b/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll
@@ -426,18 +426,33 @@ private class JaxRSXssSink extends XssSink {
     |
       not exists(resourceMethod.getProducesAnnotation())
       or
-      isXssVulnerableContentType(getContentTypeString(resourceMethod
-              .getProducesAnnotation()
-              .getADeclaredContentTypeExpr()))
+      isXssVulnerableContentTypeExpr(resourceMethod
+            .getProducesAnnotation()
+            .getADeclaredContentTypeExpr())
     )
   }
 }
 
+pragma[nomagic]
+private predicate contentTypeString(string s) { s = getContentTypeString(_) }
+
+pragma[nomagic]
+private predicate isXssVulnerableContentTypeString(string s) {
+  contentTypeString(s) and isXssVulnerableContentType(s)
+}
+
+pragma[nomagic]
+private predicate isXssSafeContentTypeString(string s) {
+  contentTypeString(s) and isXssSafeContentType(s)
+}
+
 private predicate isXssVulnerableContentTypeExpr(Expr e) {
-  isXssVulnerableContentType(getContentTypeString(e))
+  isXssVulnerableContentTypeString(getContentTypeString(e))
 }
 
-private predicate isXssSafeContentTypeExpr(Expr e) { isXssSafeContentType(getContentTypeString(e)) }
+private predicate isXssSafeContentTypeExpr(Expr e) {
+  isXssSafeContentTypeString(getContentTypeString(e))
+}
 
 /**
  * Gets a builder expression or related type that is configured to use the given `contentType`.

diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringHttp.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringHttp.qll
@@ -152,14 +152,30 @@ private string getSpringConstantContentType(FieldAccess e) {
   )
 }
 
+private string getContentTypeString(Expr e) {
+  result = e.(CompileTimeConstantExpr).getStringValue() or
+  result = getSpringConstantContentType(e)
+}
+
+pragma[nomagic]
+private predicate contentTypeString(string s) { s = getContentTypeString(_) }
+
+pragma[nomagic]
+private predicate isXssVulnerableContentTypeString(string s) {
+  contentTypeString(s) and XSS::isXssVulnerableContentType(s)
+}
+
+pragma[nomagic]
+private predicate isXssSafeContentTypeString(string s) {
+  contentTypeString(s) and XSS::isXssSafeContentType(s)
+}
+
 private predicate isXssVulnerableContentTypeExpr(Expr e) {
-  XSS::isXssVulnerableContentType(e.(CompileTimeConstantExpr).getStringValue()) or
-  XSS::isXssVulnerableContentType(getSpringConstantContentType(e))
+  isXssVulnerableContentTypeString(getContentTypeString(e))
 }
 
 private predicate isXssSafeContentTypeExpr(Expr e) {
-  XSS::isXssSafeContentType(e.(CompileTimeConstantExpr).getStringValue()) or
-  XSS::isXssSafeContentType(getSpringConstantContentType(e))
+  isXssSafeContentTypeString(getContentTypeString(e))
 }
 
 private DataFlow::Node getABodyBuilderWithExplicitContentType(Expr contentType) {

diff --git a/java/ql/lib/semmle/code/java/security/XSS.qll b/java/ql/lib/semmle/code/java/security/XSS.qll
@@ -118,10 +118,15 @@ class XssVulnerableWriterSourceNode extends ApiSourceNode {
  */
 bindingset[s]
 predicate isXssVulnerableContentType(string s) {
-  s.regexpMatch("(?i)text/(html|xml|xsl|rdf|vtt|cache-manifest).*") or
-  s.regexpMatch("(?i)application/(.*\\+)?xml.*") or
-  s.regexpMatch("(?i)cache-manifest.*") or
-  s.regexpMatch("(?i)image/svg\\+xml.*")
+  s.regexpMatch("(?i)(" +
+      //
+      "text/(html|xml|xsl|rdf|vtt|cache-manifest).*" + "|" +
+      //
+      "application/(.*\\+)?xml.*" + "|" +
+      //
+      "cache-manifest.*" + "|" +
+      //
+      "image/svg\\+xml.*" + ")")
 }
 
 /**