github · owen-mc · Apr 29, 2026 · Apr 4, 2026 · Apr 4, 2026 · Apr 4, 2026
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `java/trust-boundary-violation` query now recognizes regular expression checks (including `String.matches()` guards and `@javax.validation.constraints.Pattern` annotations) as sanitizers, consistent with the existing treatment of ESAPI validators. This reduces false positives when input is validated against a pattern before being stored in a session.
@@ -40,7 +40,8 @@ module TrustBoundaryConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node instanceof TrustBoundaryValidationSanitizer or
     node.getType() instanceof HttpServletSession or
-    node instanceof SimpleTypeSanitizer
+    node instanceof SimpleTypeSanitizer or
+    node instanceof RegexpCheckBarrier
-    node instanceof TrustBoundaryValidationSanitizer or
-    node.getType() instanceof HttpServletSession or
-    node instanceof SimpleTypeSanitizer
-    node instanceof SimpleTypeSanitizer or
-    node instanceof RegexpCheckBarrier
+    node instanceof TrustBoundaryValidationSanitizer
-    node instanceof TrustBoundaryValidationSanitizer or
-    node.getType() instanceof HttpServletSession or
-    node instanceof SimpleTypeSanitizer
-    node instanceof SimpleTypeSanitizer or
-    node instanceof RegexpCheckBarrier
+    node instanceof TrustBoundaryValidationSanitizer
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof TrustBoundaryViolationSink }

@@ -31,5 +31,19 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) {
             }
         } catch (Exception e) {
         }
+
+        // GOOD: A direct String.matches(...) regex check constrains the input before it is written to the session.
+        String input4 = request.getParameter("input4");
+        if (input4.matches("[a-zA-Z0-9]+")) {
+            request.getSession().setAttribute("input4", input4);
+        }
+    }
+
+    @javax.validation.constraints.Pattern(regexp = "^[a-zA-Z0-9]+$")
+    String validatedField;
+
+    public void doPost(HttpServletRequest request, HttpServletResponse response) {
+        // GOOD: The field is constrained by a @Pattern annotation.
+        request.getSession().setAttribute("validated", validatedField);
     }
 }
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/esapi-2.0.1:${testdir}/../../../stubs/javax-servlet-2.5
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/esapi-2.0.1:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/javax-validation-constraints
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/esapi-2.0.1:${testdir}/../../../stubs/javax-servlet-2.5
		//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/esapi-2.0.1:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/javax-validation-constraints