From 345b842edcadec51e32b9bc637ba7ed4f733bc80 Mon Sep 17 00:00:00 2001
From: MarkLee131
Date: Sat, 4 Apr 2026 20:57:24 +0800
Subject: [PATCH 1/3] Java: add RegexpCheckBarrier to trust-boundary-violation sanitizers

The trust-boundary-violation query only recognized OWASP ESAPI validators as sanitizers. ESAPI is rarely used in modern Java projects, while regex validation via String.matches() and @javax.validation.constraints.Pattern is the standard approach in Spring/Jakarta applications. RegexpCheckBarrier already exists in Sanitizers.qll and is used by other queries (e.g., RequestForgery). This wires it into TrustBoundaryConfig, so patterns like input.matches("[a-zA-Z0-9]+") and @Pattern annotations are recognized as sanitizers, consistent with the existing ESAPI treatment.
---
 .../2026-04-04-trust-boundary-regexp-barrier.md | 4 ++++
 .../code/java/security/TrustBoundaryViolationQuery.qll | 3 ++-
 .../security/CWE-501/TrustBoundaryViolations.java | 6 ++++++
 3 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 java/ql/lib/change-notes/2026-04-04-trust-boundary-regexp-barrier.md
diff --git a/java/ql/lib/change-notes/2026-04-04-trust-boundary-regexp-barrier.md b/java/ql/lib/change-notes/2026-04-04-trust-boundary-regexp-barrier.md
new file mode 100644
index 000000000000..b80c0611b6de
--- /dev/null
+++ b/java/ql/lib/change-notes/2026-04-04-trust-boundary-regexp-barrier.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `java/trust-boundary-violation` query now recognizes regular expression checks (including `String.matches()` guards and `@javax.validation.constraints.Pattern` annotations) as sanitizers, consistent with the existing treatment of ESAPI validators. This reduces false positives when input is validated against a pattern before being stored in a session.
diff --git a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
index d234f3df20ce..91e9b18cc9ba 100644
--- a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
@@ -40,7 +40,8 @@ module TrustBoundaryConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node instanceof TrustBoundaryValidationSanitizer or
 node.getType() instanceof HttpServletSession or
- node instanceof SimpleTypeSanitizer
+ node instanceof SimpleTypeSanitizer or
+ node instanceof RegexpCheckBarrier
 }

 predicate isSink(DataFlow::Node sink) { sink instanceof TrustBoundaryViolationSink }
diff --git a/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java b/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
index d676e3e96783..1934e7f55983 100644
--- a/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
+++ b/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
@@ -31,5 +31,11 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) {
 }
 } catch (Exception e) {
 }
+
+ // GOOD: Bean Validation @Pattern annotation constrains the input via regex.
+ String input4 = request.getParameter("input4");
+ if (input4.matches("[a-zA-Z0-9]+")) {
+ request.getSession().setAttribute("input4", input4);
+ }
 }
 }
From 258a53e146c7d3ad2fd007c154935e5477e2c13a Mon Sep 17 00:00:00 2001
From: Kaixuan Li
Date: Sat, 4 Apr 2026 22:02:00 +0800
Subject: [PATCH 2/3] Update java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../query-tests/security/CWE-501/TrustBoundaryViolations.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
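Review bot: The added `node instanceof RegexpCheckBarrier` disjunct in `isBarrier` accepts any regex check as a full sanitizer for this query, and whether the pattern is actually restrictive is decided inside `RegexpCheckBarrier` (defined in Sanitizers.qll, outside this hunk), not here; if that class does not inspect the regex, a guard such as `input.matches(".*")` suppresses the alert exactly as `"[a-zA-Z0-9]+"` does. That trade-off is presumably already accepted by RequestForgery, so sharing the barrier is reasonable, but it widens what this query stops reporting more than the change note's wording conveys. A short comment above the new disjunct, e.g. `// Regex-guarded values are treated as sanitized; the strictness of the pattern is not assessed here (see RegexpCheckBarrier).`, would record the assumption where the next maintainer reads it.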
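Review bot: The new test adds only a GOOD case, so it cannot distinguish a barrier that respects the guard's polarity from one that sanitizes every argument of `matches()`; a value written to the session on the failing branch should still be reported. Add a BAD sibling after the new `if` block, e.g. `String input5 = request.getParameter("input5"); if (!input5.matches("[a-zA-Z0-9]+")) { request.getSession().setAttribute("input5", input5); } // BAD`, together with the matching line in the test's expected-results file, which this series never touches (the diffstat lists only the change note, the .qll and this file). The enclosing doGet begins outside the hunk.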
diff --git a/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java b/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
index 1934e7f55983..f81da8ac8cfb 100644
--- a/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
+++ b/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
@@ -32,7 +32,7 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) {
 } catch (Exception e) {
 }
 
- // GOOD: Bean Validation @Pattern annotation constrains the input via regex.
+ // GOOD: A direct String.matches(...) regex check constrains the input before it is written to the session.
 String input4 = request.getParameter("input4");
 if (input4.matches("[a-zA-Z0-9]+")) {
 request.getSession().setAttribute("input4", input4);
From b49c6dcbd4f0ed053b04530ea345068172c5db98 Mon Sep 17 00:00:00 2001
From: MarkLee131
Date: Sat, 4 Apr 2026 22:04:05 +0800
Subject: [PATCH 3/3] Add @Pattern annotation test case and javax-validation-constraints stub

Adds a dedicated test verifying that fields annotated with @javax.validation.constraints.Pattern are recognized as sanitized by RegexpCheckBarrier, in addition to the existing String.matches() guard test.
---
 .../security/CWE-501/TrustBoundaryViolations.java | 8 ++++++++
 java/ql/test/query-tests/security/CWE-501/options | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java b/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
index f81da8ac8cfb..06e9c6cc929f 100644
--- a/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
+++ b/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
@@ -38,4 +38,12 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) {
 request.getSession().setAttribute("input4", input4);
 }
 }
+
+ @javax.validation.constraints.Pattern(regexp = "^[a-zA-Z0-9]+$")
+ String validatedField;
+
+ public void doPost(HttpServletRequest request, HttpServletResponse response) {
+ // GOOD: The field is constrained by a @Pattern annotation.
+ request.getSession().setAttribute("validated", validatedField);
+ }
 }
diff --git a/java/ql/test/query-tests/security/CWE-501/options b/java/ql/test/query-tests/security/CWE-501/options
index 37d627da7e82..15ba67d18321 100644
--- a/java/ql/test/query-tests/security/CWE-501/options
+++ b/java/ql/test/query-tests/security/CWE-501/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/esapi-2.0.1:${testdir}/../../../stubs/javax-servlet-2.5
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/esapi-2.0.1:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/javax-validation-constraints
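Review bot: `validatedField` is never assigned from a request source, so `doPost` carries no flow for the query to report whether or not `@Pattern` is a barrier; the new GOOD case passes trivially and does not exercise the annotation path of `RegexpCheckBarrier`. To make it meaningful, assign the field from request input before the session write, e.g. `validatedField = request.getParameter("validated");` as the first statement of `doPost`, and pair it with a BAD variant on an un-annotated field so the expected results show exactly one alert for the pair. Note also that a `@Pattern` annotation only constrains the value when a Bean Validation `Validator` is actually run on the object, which nothing in this servlet does; that is a modelling assumption of the barrier rather than of this test, but the `// GOOD:` comment could say so, e.g. `// GOOD: The field is constrained by a @Pattern annotation (assumes Bean Validation is applied before use).`. The hunk ends with the class's closing brace, so the enclosing class is complete here.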
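Review bot: The classpath now references `${testdir}/../../../stubs/javax-validation-constraints`, but nothing in this patch creates that directory: the diffstat lists only TrustBoundaryViolations.java and this options file, although the subject line says the stub is added. If the stub is not already present in the repository, `@javax.validation.constraints.Pattern` in the new test will not resolve, and because the affected case is a GOOD one (no alert expected) the expected results would still pass while the annotation barrier is silently never exercised. Either add the stub in this commit or confirm its existing path and reword the subject accordingly.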