From 09a2aeead6b1ef97bf114b501149fc9eafff4a64 Mon Sep 17 00:00:00 2001 From: Tamas Vajk Date: Wed, 25 Jun 2025 13:34:17 +0200 Subject: [PATCH 1/7] Java: Add query to detect special characters in string literals --- .../java-code-quality-extended.qls.expected | 1 + ...icitControlAndWhitespaceCharsInLiterals.md | 111 +++++++++++ ...icitControlAndWhitespaceCharsInLiterals.ql | 50 +++++ .../CharTest.java | 184 ++++++++++++++++++ ...ntrolAndWhitespaceCharsInLiterals.expected | 7 + ...tControlAndWhitespaceCharsInLiterals.qlref | 1 + .../options | 1 + 7 files changed, 355 insertions(+) create mode 100644 java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.md create mode 100644 java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql create mode 100644 java/ql/test/query-tests/NonExplicitControlAndWhitespaceCharsInLiterals/CharTest.java create mode 100644 java/ql/test/query-tests/NonExplicitControlAndWhitespaceCharsInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.expected create mode 100644 java/ql/test/query-tests/NonExplicitControlAndWhitespaceCharsInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.qlref create mode 100644 java/ql/test/query-tests/NonExplicitControlAndWhitespaceCharsInLiterals/options diff --git a/java/ql/integration-tests/java/query-suite/java-code-quality-extended.qls.expected b/java/ql/integration-tests/java/query-suite/java-code-quality-extended.qls.expected index 7a76c4ad9117..aed5d91d5a3b 100644 --- a/java/ql/integration-tests/java/query-suite/java-code-quality-extended.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-code-quality-extended.qls.expected @@ -78,6 +78,7 @@ ql/java/ql/src/Violations of Best Practice/Naming Conventions/ConfusingOverloadi ql/java/ql/src/Violations of Best Practice/Naming Conventions/LocalShadowsFieldConfusing.ql ql/java/ql/src/Violations of Best Practice/Naming Conventions/SameNameAsSuper.ql ql/java/ql/src/Violations of Best Practice/Records/IgnoredSerializationMembersOfRecordClass.ql +ql/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql ql/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToStringToString.ql ql/java/ql/src/Violations of Best Practice/Undesirable Calls/DefaultToString.ql ql/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql diff --git a/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.md b/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.md new file mode 100644 index 000000000000..f922aff2f8fe --- /dev/null +++ b/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.md @@ -0,0 +1,111 @@ +## Overview + +This query detects non-explicit control and whitespace characters in java literals. +Such characters are often introduced accidentally and can be invisible or hard to recognize, leading to bugs when the actual contents of the string contain control characters. + +## Recommendation + +To avoid issues, use the encoded versions of control characters (e.g., ASCII `\n`, `\t`, or Unicode `U+000D`, `U+0009`). +This makes the literals (e.g., string literals) more readable, and also helps to make the surrounding code less error-prone and more maintainable. + +## Example + +The following examples illustrate `NON_COMPLIANT` and `COMPLIANT` code: + +`NON_COMPLIANT`: + +```java +char tabulationChar = ' '; // NON_COMPLIANT +String tabulationCharInsideString = "A B"; // NON_COMPLIANT +String fooZeroWidthSpacebar = "foo​bar"; // NON_COMPLIANT +``` + +`COMPLIANT`: + +```java +char escapedTabulationChar = '\t'; +String escapedTabulationCharInsideString = "A\tB"; // COMPLIANT +String fooUnicodeSpacebar = "foo\u0020bar"; // COMPLIANT +String foo2Spacebar = "foo bar"; // COMPLIANT +String foo3Spacebar = "foo bar"; // COMPLIANT +``` + +## Implementation Notes + +This query detects java literals that contain reserved control characters and/or non-printable whitespace characters, such as: + +- Decimal and hexidecimal representations of ASCII control characters (code points 0-8, 11, 14-31, and 127). +- Invisible characters (e.g., zero-width space, zero-width joiner). +- Unicode C0 control codes, plus the delete character (U+007F), such as: + + | Escaped Unicode | ASCII Decimal | Description | + | --------------- | ------------- | ------------------------- | + | `\u0000` | 0 | null character | + | `\u0001` | 1 | start of heading | + | `\u0002` | 2 | start of text | + | `\u0003` | 3 | end of text | + | `\u0004` | 4 | end of transmission | + | `\u0005` | 5 | enquiry | + | `\u0006` | 6 | acknowledge | + | `\u0007` | 7 | bell | + | `\u0008` | 8 | backspace | + | `\u000B` | 11 | vertical tab | + | `\u000E` | 14 | shift out | + | `\u000F` | 15 | shift in | + | `\u0010` | 16 | data link escape | + | `\u0011` | 17 | device control 1 | + | `\u0012` | 18 | device control 2 | + | `\u0013` | 19 | device control 3 | + | `\u0014` | 20 | device control 4 | + | `\u0015` | 21 | negative acknowledge | + | `\u0016` | 22 | synchronous idle | + | `\u0017` | 23 | end of transmission block | + | `\u0018` | 24 | cancel | + | `\u0019` | 25 | end of medium | + | `\u001A` | 26 | substitute | + | `\u001B` | 27 | escape | + | `\u001C` | 28 | file separator | + | `\u001D` | 29 | group separator | + | `\u001E` | 30 | record separator | + | `\u001F` | 31 | unit separator | + | `\u007F` | 127 | delete | + +- Zero-width Unicode characters (e.g., zero-width space, zero-width joiner), such as: + + | Escaped Unicode | Description | + | --------------- | ------------------------- | + | `\u200B` | zero-width space | + | `\u200C` | zero-width non-joiner | + | `\u200D` | zero-width joiner | + | `\u2028` | line separator | + | `\u2029` | paragraph separator | + | `\u2060` | word joiner | + | `\uFEFF` | zero-width no-break space | + +The following list outlines the _**explicit exclusions from query scope**_: + +- any number of simple space characters (`U+0020`, ASCII 32). +- an escape character sequence (e.g., `\t`), or the Unicode equivalent (e.g., `\u0009`), for printable whitespace characters: + + | Character Sequence | Escaped Unicode | ASCII Decimal | Description | + | ------------------ | --------------- | ------------- | --------------- | + | `\t` | \u0009 | 9 | horizontal tab | + | `\n` | \u000A | 10 | line feed | + | `\f` | \u000C | 12 | form feed | + | `\r` | \u000D | 13 | carriage return | + | | \u0020 | 32 | space | + +- character literals (i.e. single quotes) containing control characters. +- literals defined within "likely" test methods, such as: + - JUnit test methods + - methods annotated with `@Test` + - methods of a class annotated with `@Test` + - methods with names containing "test" + +## References + +- [Unicode Control Characters](https://www.unicode.org/charts/PDF/U0000.pdf). +- [Unicode C0 control codes](https://en.wikipedia.org/wiki/C0_and_C1_control_codes). +- [Unicode characters with property "WSpace=yes" or "White_Space=yes"](https://en.wikipedia.org/wiki/Unicode_character_property#Whitespace). +- [Java String Literals](https://docs.oracle.com/javase/tutorial/java/data/characters.html). +- [Java Class Charset](https://docs.oracle.com/javase/8/docs/api///?java/nio/charset/Charset.html). diff --git a/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql b/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql new file mode 100644 index 000000000000..60c3ad0cb17e --- /dev/null +++ b/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql @@ -0,0 +1,50 @@ +/** + * @id java/non-explicit-control-and-whitespace-chars-in-literals + * @name Non-explicit control and whitespace characters + * @description Non-explicit control and whitespace characters in literals make code more difficult + * to read and may lead to incorrect program behavior. + * @kind problem + * @precision medium + * @problem.severity warning + * @tags quality + * correctness + * maintainability + * readability + */ + +import java + +/** + * A `Literal` that has a Unicode control character within its + * literal value (as returned by `getLiteral()` member predicate). + */ +class ReservedUnicodeInLiteral extends Literal { + private int indexStart; + + ReservedUnicodeInLiteral() { + not this instanceof CharacterLiteral and + exists(int codePoint | + this.getLiteral().codePointAt(indexStart) = codePoint and + ( + // Unicode C0 control characters + codePoint < 32 and not codePoint in [9, 10, 12, 13] + or + codePoint = 127 // delete control character + or + codePoint = 8203 // zero-width space + ) + ) + } + + /** Gets the starting index of the Unicode control sequence. */ + int getIndexStart() { result = indexStart } +} + +from ReservedUnicodeInLiteral literal, int charIndex, int codePoint +where + literal.getIndexStart() = charIndex and + literal.getLiteral().codePointAt(charIndex) = codePoint and + not literal.getEnclosingCallable() instanceof LikelyTestMethod +select literal, + "Literal value contains control or non-printable whitespace character(s) starting with Unicode code point " + + codePoint + " at index " + charIndex + "." diff --git a/java/ql/test/query-tests/NonExplicitControlAndWhitespaceCharsInLiterals/CharTest.java b/java/ql/test/query-tests/NonExplicitControlAndWhitespaceCharsInLiterals/CharTest.java new file mode 100644 index 000000000000..799932a24fbb --- /dev/null +++ b/java/ql/test/query-tests/NonExplicitControlAndWhitespaceCharsInLiterals/CharTest.java @@ -0,0 +1,184 @@ +import java.util.List; +import java.util.ArrayList; + +public class CharTest { + + public static void main(String[] args) { + CharTest charTest = new CharTest(); + NonCompliantStringLiterals nonCompliant = charTest.new NonCompliantStringLiterals(); + CompliantStringLiterals compliant = charTest.new CompliantStringLiterals(); + CompliantCharLiterals compliantChar = charTest.new CompliantCharLiterals(); + + List nonCompliantStrings = nonCompliant.getNonCompliantStrings(); + List compliantStrings = compliant.getCompliantStrings(); + List compliantChars = compliantChar.getCompliantChars(); + + System.out.println(""); + System.out.println("Non-compliant strings:"); + for (String s : nonCompliantStrings) { + System.out.println(s); + System.out.println(""); + } + + System.out.println(""); + System.out.println("Compliant strings:"); + for (String s : compliantStrings) { + System.out.println(s); + System.out.println(""); + } + System.out.println(""); + + System.out.println(""); + System.out.println("Compliant character literals:"); + System.out.println(""); + for (Character c : compliantChars) { + System.out.println("\\u" + String.format("%04X", (int) c)); + } + System.out.println(""); + } + + class CompliantCharLiterals { + private List compliantChars; + + public CompliantCharLiterals() { + compliantChars = new ArrayList<>(); + compliantChars.add('A'); // COMPLIANT + compliantChars.add('a'); // COMPLIANT + compliantChars.add('\b'); // COMPLIANT + compliantChars.add('\t'); // COMPLIANT + compliantChars.add('\n'); // COMPLIANT + compliantChars.add('\f'); // COMPLIANT + compliantChars.add('\r'); // COMPLIANT + compliantChars.add('\u0000'); // COMPLIANT + compliantChars.add('\u0007'); // COMPLIANT + compliantChars.add('\u001B'); // COMPLIANT + compliantChars.add(' '); // COMPLIANT + compliantChars.add('\u0020'); // COMPLIANT + compliantChars.add('\u200B'); // COMPLIANT + compliantChars.add('\u200C'); // COMPLIANT + compliantChars.add('\u200D'); // COMPLIANT + compliantChars.add('\u2028'); // COMPLIANT + compliantChars.add('\u2029'); // COMPLIANT + compliantChars.add('\u2060'); // COMPLIANT + compliantChars.add('\uFEFF'); // COMPLIANT + } + + public List getCompliantChars() { + return compliantChars; + } + } + + class CompliantStringLiterals { + private List compliantStrings; + + public CompliantStringLiterals() { + compliantStrings = new ArrayList<>(); + compliantStrings.add(""); // COMPLIANT + compliantStrings.add("X__Y"); // COMPLIANT + compliantStrings.add("X_ _Y"); // COMPLIANT + compliantStrings.add("X_\u0020_Y"); // COMPLIANT + compliantStrings.add("X_ _Y"); // COMPLIANT + compliantStrings.add("X_\u0020\u0020_Y"); // COMPLIANT + compliantStrings.add("X_ _Y"); // COMPLIANT + compliantStrings.add("X_ _Y"); // COMPLIANT + compliantStrings.add("X_ _Y"); // COMPLIANT + compliantStrings.add("X_ _Y"); // COMPLIANT + compliantStrings.add("X_\b_Y"); // COMPLIANT + compliantStrings.add("X_\u0000_Y"); // COMPLIANT + compliantStrings.add("X_\u0001_Y"); // COMPLIANT + compliantStrings.add("X_\u0002_Y"); // COMPLIANT + compliantStrings.add("X_\u0003_Y"); // COMPLIANT + compliantStrings.add("X_\u0004_Y"); // COMPLIANT + compliantStrings.add("X_\u0005_Y"); // COMPLIANT + compliantStrings.add("X_\u0006_Y"); // COMPLIANT + compliantStrings.add("X_\u0007_Y"); // COMPLIANT + compliantStrings.add("X_\u0008_Y"); // COMPLIANT + compliantStrings.add("X_\u0009_Y"); // COMPLIANT + compliantStrings.add("X_\u0010_Y"); // COMPLIANT + compliantStrings.add("X_\u0011_Y"); // COMPLIANT + compliantStrings.add("X_\u0012_Y"); // COMPLIANT + compliantStrings.add("X_\u0013_Y"); // COMPLIANT + compliantStrings.add("X_\u0014_Y"); // COMPLIANT + compliantStrings.add("X_\u0015_Y"); // COMPLIANT + compliantStrings.add("X_\u0016_Y"); // COMPLIANT + compliantStrings.add("X_\u0017_Y"); // COMPLIANT + compliantStrings.add("X_\u0018_Y"); // COMPLIANT + compliantStrings.add("X_\u0019_Y"); // COMPLIANT + compliantStrings.add("X_\u001A_Y"); // COMPLIANT + compliantStrings.add("X_\u001B_Y"); // COMPLIANT + compliantStrings.add("X_\u001C_Y"); // COMPLIANT + compliantStrings.add("X_\u001D_Y"); // COMPLIANT + compliantStrings.add("X_\u001E_Y"); // COMPLIANT + compliantStrings.add("X_\u001F_Y"); // COMPLIANT + compliantStrings.add("X_\u007F_Y"); // COMPLIANT + compliantStrings.add("X_\u200B_Y"); // COMPLIANT + compliantStrings.add("X_\u200C_Y"); // COMPLIANT + compliantStrings.add("X_\u200D_Y"); // COMPLIANT + compliantStrings.add("X_\u2028_Y"); // COMPLIANT + compliantStrings.add("X_\u2029_Y"); // COMPLIANT + compliantStrings.add("X_\u2060_Y"); // COMPLIANT + compliantStrings.add("X_\uFEFF_Y"); // COMPLIANT + compliantStrings.add("X_\uFEFF_Y_\u0020_Z"); // COMPLIANT + compliantStrings.add("X_\uFEFF_Y_\uFEFF_Z"); // COMPLIANT + compliantStrings.add("X_\u0020_Y_\uFEFF_Z"); // COMPLIANT + compliantStrings.add("X_\t_Y"); // COMPLIANT + compliantStrings.add("X_\t\t_Y"); // COMPLIANT + compliantStrings.add("X_\\b_Y"); // COMPLIANT + compliantStrings.add("X_\f_Y"); // COMPLIANT + compliantStrings.add("X_\\f_Y"); // COMPLIANT + compliantStrings.add("X_\n_Y"); // COMPLIANT + compliantStrings.add("X_\n\t_Y"); // COMPLIANT + compliantStrings.add("X_\\n_Y"); // COMPLIANT + compliantStrings.add("X_\r_Y"); // COMPLIANT + compliantStrings.add("X_\\r_Y"); // COMPLIANT + compliantStrings.add("X_\t_Y"); // COMPLIANT + compliantStrings.add("X_\\t_Y"); // COMPLIANT + compliantStrings.add("X_\\u0000_Y"); // COMPLIANT + compliantStrings.add("X_\\u0007_Y"); // COMPLIANT + compliantStrings.add("X_\\u001B_Y"); // COMPLIANT + compliantStrings.add("X_\\u200B_Y"); // COMPLIANT + compliantStrings.add("X_\\u200C_Y"); // COMPLIANT + compliantStrings.add("X_\\u200D_Y"); // COMPLIANT + compliantStrings.add("X_\\u2028_Y"); // COMPLIANT + compliantStrings.add("X_\\u2029_Y"); // COMPLIANT + compliantStrings.add("X_\\u2060_Y"); // COMPLIANT + compliantStrings.add("X_\\uFEFF_Y"); // COMPLIANT + compliantStrings.add("lorem ipsum dolor "+"sit amet"); // COMPLIANT + compliantStrings.add("lorem ipsum dolor " + "sit amet"); // COMPLIANT + compliantStrings.add("lorem ipsum dolor sit amet, consectetur adipiscing elit, " + // COMPLIANT + "sed do eiusmod tempor incididunt ut labore et dolore magna aliqua."); + compliantStrings.add("lorem ipsum dolor sit amet, consectetur adipiscing elit, " + // COMPLIANT + "sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad " + + "minim veniam, quis nostrud exercitation ullamco "+"laboris nisi ut aliquip ex " + + "ea commodo consequat."); + compliantStrings.add(""" + lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. + Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. + """); // COMPLIANT + } + + public List getCompliantStrings() { + return compliantStrings; + } + } + + class NonCompliantStringLiterals { + private List nonCompliantStrings; + + public NonCompliantStringLiterals() { + nonCompliantStrings = new ArrayList<>(); + nonCompliantStrings.add("X_​_Y"); // NON_COMPLIANT + nonCompliantStrings.add("X_​_Y_​_Z"); // NON_COMPLIANT + nonCompliantStrings.add("lorem​ipsum dolor sit amet,​consectetur adipiscing elit, " + // NON_COMPLIANT + "sed do eiusmod tempor incididunt ut labore et dolore magna aliqua."); + nonCompliantStrings.add(""" + lorem​ipsum dolor sit amet,​consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. + Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. + """); // NON_COMPLIANT + } + + public List getNonCompliantStrings() { + return nonCompliantStrings; + } + } +} diff --git a/java/ql/test/query-tests/NonExplicitControlAndWhitespaceCharsInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.expected b/java/ql/test/query-tests/NonExplicitControlAndWhitespaceCharsInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.expected new file mode 100644 index 000000000000..24e925b85cd6 --- /dev/null +++ b/java/ql/test/query-tests/NonExplicitControlAndWhitespaceCharsInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.expected @@ -0,0 +1,7 @@ +| CharTest.java:170:37:170:43 | "X_\u200b_Y" | Literal value contains control or non-printable whitespace character(s) starting with Unicode code point 8203 at index 3. | +| CharTest.java:171:37:171:47 | "X_\u200b_Y_\u200b_Z" | Literal value contains control or non-printable whitespace character(s) starting with Unicode code point 8203 at index 3. | +| CharTest.java:171:37:171:47 | "X_\u200b_Y_\u200b_Z" | Literal value contains control or non-printable whitespace character(s) starting with Unicode code point 8203 at index 7. | +| CharTest.java:172:37:173:80 | "lorem\u200bipsum dolor sit amet,\u200bconsectetur adipiscing elit, " + // NON_COMPLIANT\n "sed do eiusmod tempor incididunt ut labore et dolore magna aliqua." | Literal value contains control or non-printable whitespace character(s) starting with Unicode code point 8203 at index 6. | +| CharTest.java:172:37:173:80 | "lorem\u200bipsum dolor sit amet,\u200bconsectetur adipiscing elit, " + // NON_COMPLIANT\n "sed do eiusmod tempor incididunt ut labore et dolore magna aliqua." | Literal value contains control or non-printable whitespace character(s) starting with Unicode code point 8203 at index 28. | +| CharTest.java:174:37:177:15 | """\n lorem\u200bipsum dolor sit amet,\u200bconsectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.\n Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.\n """ | Literal value contains control or non-printable whitespace character(s) starting with Unicode code point 8203 at index 25. | +| CharTest.java:174:37:177:15 | """\n lorem\u200bipsum dolor sit amet,\u200bconsectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.\n Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.\n """ | Literal value contains control or non-printable whitespace character(s) starting with Unicode code point 8203 at index 47. | diff --git a/java/ql/test/query-tests/NonExplicitControlAndWhitespaceCharsInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.qlref b/java/ql/test/query-tests/NonExplicitControlAndWhitespaceCharsInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.qlref new file mode 100644 index 000000000000..66b354b5cb2b --- /dev/null +++ b/java/ql/test/query-tests/NonExplicitControlAndWhitespaceCharsInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.qlref @@ -0,0 +1 @@ +Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql diff --git a/java/ql/test/query-tests/NonExplicitControlAndWhitespaceCharsInLiterals/options b/java/ql/test/query-tests/NonExplicitControlAndWhitespaceCharsInLiterals/options new file mode 100644 index 000000000000..d3b26c956b6f --- /dev/null +++ b/java/ql/test/query-tests/NonExplicitControlAndWhitespaceCharsInLiterals/options @@ -0,0 +1 @@ +semmle-extractor-options: --javac-args -source 15 -target 15 From fd8b37cc289602364ed95a895b06d7518ed829ae Mon Sep 17 00:00:00 2001 From: Tamas Vajk Date: Tue, 1 Jul 2025 11:38:13 +0200 Subject: [PATCH 2/7] Exclude Kotlin files --- .../NonExplicitControlAndWhitespaceCharsInLiterals.ql | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql b/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql index 60c3ad0cb17e..bc2c007cf0fa 100644 --- a/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql +++ b/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql @@ -44,7 +44,8 @@ from ReservedUnicodeInLiteral literal, int charIndex, int codePoint where literal.getIndexStart() = charIndex and literal.getLiteral().codePointAt(charIndex) = codePoint and - not literal.getEnclosingCallable() instanceof LikelyTestMethod + not literal.getEnclosingCallable() instanceof LikelyTestMethod and + not literal.getFile().isKotlinSourceFile() select literal, "Literal value contains control or non-printable whitespace character(s) starting with Unicode code point " + codePoint + " at index " + charIndex + "." From a0c9c983738deb98c66e31b8f64a6ac69cd1c83e Mon Sep 17 00:00:00 2001 From: Tamas Vajk Date: Thu, 3 Jul 2025 09:30:05 +0200 Subject: [PATCH 3/7] Adjust references in query doc --- .../NonExplicitControlAndWhitespaceCharsInLiterals.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.md b/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.md index f922aff2f8fe..de3dce3ffb9e 100644 --- a/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.md +++ b/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.md @@ -104,8 +104,8 @@ The following list outlines the _**explicit exclusions from query scope**_: ## References -- [Unicode Control Characters](https://www.unicode.org/charts/PDF/U0000.pdf). -- [Unicode C0 control codes](https://en.wikipedia.org/wiki/C0_and_C1_control_codes). -- [Unicode characters with property "WSpace=yes" or "White_Space=yes"](https://en.wikipedia.org/wiki/Unicode_character_property#Whitespace). -- [Java String Literals](https://docs.oracle.com/javase/tutorial/java/data/characters.html). -- [Java Class Charset](https://docs.oracle.com/javase/8/docs/api///?java/nio/charset/Charset.html). +- Unicode: [Unicode Control Characters](https://www.unicode.org/charts/PDF/U0000.pdf). +- Wikipedia: [Unicode C0 control codes](https://en.wikipedia.org/wiki/C0_and_C1_control_codes). +- Wikipedia: [Unicode characters with property "WSpace=yes" or "White_Space=yes"](https://en.wikipedia.org/wiki/Unicode_character_property#Whitespace). +- Java API Specification: [Java String Literals](https://docs.oracle.com/javase/tutorial/java/data/characters.html). +- Java API Specification: [Java Class Charset](https://docs.oracle.com/javase/8/docs/api///?java/nio/charset/Charset.html). From 15de3988063e0680228b772326acf45da788c23f Mon Sep 17 00:00:00 2001 From: Tamas Vajk Date: Thu, 3 Jul 2025 09:30:21 +0200 Subject: [PATCH 4/7] Adjust query tags --- .../NonExplicitControlAndWhitespaceCharsInLiterals.ql | 1 - 1 file changed, 1 deletion(-) diff --git a/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql b/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql index bc2c007cf0fa..0d68e968ffc4 100644 --- a/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql +++ b/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql @@ -7,7 +7,6 @@ * @precision medium * @problem.severity warning * @tags quality - * correctness * maintainability * readability */ From c4def103f7f8372093b0d25279858fa7551ff51c Mon Sep 17 00:00:00 2001 From: Tamas Vajk Date: Thu, 3 Jul 2025 11:15:42 +0200 Subject: [PATCH 5/7] Improve query documentation --- ...icitControlAndWhitespaceCharsInLiterals.md | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.md b/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.md index de3dce3ffb9e..827cf8a59f77 100644 --- a/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.md +++ b/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.md @@ -1,41 +1,41 @@ ## Overview -This query detects non-explicit control and whitespace characters in java literals. +This query detects non-explicit control and whitespace characters in Java literals. Such characters are often introduced accidentally and can be invisible or hard to recognize, leading to bugs when the actual contents of the string contain control characters. ## Recommendation -To avoid issues, use the encoded versions of control characters (e.g., ASCII `\n`, `\t`, or Unicode `U+000D`, `U+0009`). -This makes the literals (e.g., string literals) more readable, and also helps to make the surrounding code less error-prone and more maintainable. +To avoid issues, use the encoded versions of control characters (e.g. ASCII `\n`, `\t`, or Unicode `U+000D`, `U+0009`). +This makes the literals (e.g. string literals) more readable, and also helps to make the surrounding code less error-prone and more maintainable. ## Example -The following examples illustrate `NON_COMPLIANT` and `COMPLIANT` code: +The following examples illustrate good and bad code: -`NON_COMPLIANT`: +Bad: ```java -char tabulationChar = ' '; // NON_COMPLIANT -String tabulationCharInsideString = "A B"; // NON_COMPLIANT -String fooZeroWidthSpacebar = "foo​bar"; // NON_COMPLIANT +char tabulationChar = ' '; // Non compliant +String tabulationCharInsideString = "A B"; // Non compliant +String fooZeroWidthSpacebar = "foo​bar"; // Non compliant ``` -`COMPLIANT`: +Good: ```java char escapedTabulationChar = '\t'; -String escapedTabulationCharInsideString = "A\tB"; // COMPLIANT -String fooUnicodeSpacebar = "foo\u0020bar"; // COMPLIANT -String foo2Spacebar = "foo bar"; // COMPLIANT -String foo3Spacebar = "foo bar"; // COMPLIANT +String escapedTabulationCharInsideString = "A\tB"; // Compliant +String fooUnicodeSpacebar = "foo\u0020bar"; // Compliant +String foo2Spacebar = "foo bar"; // Compliant +String foo3Spacebar = "foo bar"; // Compliant ``` -## Implementation Notes +## Implementation notes -This query detects java literals that contain reserved control characters and/or non-printable whitespace characters, such as: +This query detects Java literals that contain reserved control characters and/or non-printable whitespace characters, such as: - Decimal and hexidecimal representations of ASCII control characters (code points 0-8, 11, 14-31, and 127). -- Invisible characters (e.g., zero-width space, zero-width joiner). +- Invisible characters (e.g. zero-width space, zero-width joiner). - Unicode C0 control codes, plus the delete character (U+007F), such as: | Escaped Unicode | ASCII Decimal | Description | @@ -70,7 +70,7 @@ This query detects java literals that contain reserved control characters and/or | `\u001F` | 31 | unit separator | | `\u007F` | 127 | delete | -- Zero-width Unicode characters (e.g., zero-width space, zero-width joiner), such as: +- Zero-width Unicode characters (e.g. zero-width space, zero-width joiner), such as: | Escaped Unicode | Description | | --------------- | ------------------------- | @@ -85,7 +85,7 @@ This query detects java literals that contain reserved control characters and/or The following list outlines the _**explicit exclusions from query scope**_: - any number of simple space characters (`U+0020`, ASCII 32). -- an escape character sequence (e.g., `\t`), or the Unicode equivalent (e.g., `\u0009`), for printable whitespace characters: +- an escape character sequence (e.g. `\t`), or the Unicode equivalent (e.g. `\u0009`), for printable whitespace characters: | Character Sequence | Escaped Unicode | ASCII Decimal | Description | | ------------------ | --------------- | ------------- | --------------- | From d16570b05e1e4345c7242febae40b1814feb7bdd Mon Sep 17 00:00:00 2001 From: Tamas Vajk Date: Thu, 3 Jul 2025 11:37:50 +0200 Subject: [PATCH 6/7] Revert "Adjust query tags" This reverts commit 92685e6c2de69898d556706b04e6c562e54b26b8. --- .../NonExplicitControlAndWhitespaceCharsInLiterals.ql | 1 + 1 file changed, 1 insertion(+) diff --git a/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql b/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql index 0d68e968ffc4..bc2c007cf0fa 100644 --- a/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql +++ b/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql @@ -7,6 +7,7 @@ * @precision medium * @problem.severity warning * @tags quality + * correctness * maintainability * readability */ From ccbf7055f18febf5edfc2356851430ab49b208c5 Mon Sep 17 00:00:00 2001 From: Tamas Vajk Date: Tue, 8 Jul 2025 13:11:14 +0200 Subject: [PATCH 7/7] Adjust query precision --- .../java/query-suite/java-code-quality.qls.expected | 1 + .../NonExplicitControlAndWhitespaceCharsInLiterals.ql | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected b/java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected index c9a36f8fe134..1f2ebbfe7aa9 100644 --- a/java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected @@ -76,6 +76,7 @@ ql/java/ql/src/Violations of Best Practice/Naming Conventions/ConfusingOverloadi ql/java/ql/src/Violations of Best Practice/Naming Conventions/LocalShadowsFieldConfusing.ql ql/java/ql/src/Violations of Best Practice/Naming Conventions/SameNameAsSuper.ql ql/java/ql/src/Violations of Best Practice/Records/IgnoredSerializationMembersOfRecordClass.ql +ql/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql ql/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToStringToString.ql ql/java/ql/src/Violations of Best Practice/Undesirable Calls/DefaultToString.ql ql/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql diff --git a/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql b/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql index bc2c007cf0fa..0ff14bc8f2d3 100644 --- a/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql +++ b/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql @@ -4,7 +4,7 @@ * @description Non-explicit control and whitespace characters in literals make code more difficult * to read and may lead to incorrect program behavior. * @kind problem - * @precision medium + * @precision very-high * @problem.severity warning * @tags quality * correctness