Add @pattern annotation test case and javax-validation-constraints stub

MarkLee131 · MarkLee131 · commit b49c6dcbd4f0 · 2026-04-04T22:04:05.000+08:00
Adds a dedicated test verifying that fields annotated with
@javax.validation.constraints.Pattern are recognized as sanitized
by RegexpCheckBarrier, in addition to the existing String.matches()
guard test.
diff --git a/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java b/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
@@ -38,4 +38,12 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) {
             request.getSession().setAttribute("input4", input4);
         }
     }
+
+    @javax.validation.constraints.Pattern(regexp = "^[a-zA-Z0-9]+$")
+    String validatedField;
+
+    public void doPost(HttpServletRequest request, HttpServletResponse response) {
+        // GOOD: The field is constrained by a @Pattern annotation.
+        request.getSession().setAttribute("validated", validatedField);
+    }
 }
diff --git a/java/ql/test/query-tests/security/CWE-501/options b/java/ql/test/query-tests/security/CWE-501/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/esapi-2.0.1:${testdir}/../../../stubs/javax-servlet-2.5
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/esapi-2.0.1:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/javax-validation-constraints

Original file line number	Diff line number	Diff line change
`@@ -38,4 +38,12 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) {`
`38`	`38`	`request.getSession().setAttribute("input4", input4);`
`39`	`39`	`}`
`40`	`40`	`}`
	`41`	`+`
	`42`	`+ @javax.validation.constraints.Pattern(regexp = "^[a-zA-Z0-9]+$")`
	`43`	`+ String validatedField;`
	`44`	`+`
	`45`	`+ public void doPost(HttpServletRequest request, HttpServletResponse response) {`
	`46`	`+ // GOOD: The field is constrained by a @Pattern annotation.`
	`47`	`+ request.getSession().setAttribute("validated", validatedField);`
	`48`	`+ }`
`41`	`49`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/esapi-2.0.1:${testdir}/../../../stubs/javax-servlet-2.5`
	`1`	`+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/esapi-2.0.1:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/javax-validation-constraints`