mebigfatguy
Detector idea: assembling Pattern from unescaped inputs
I came across an error recently that would be nice to have a detector for, although it would need to be pretty restricted, because false positives would be easy.
I compiled a java.util.regex.Pattern from a mixture of literal strings and a parameter - without calling Pattern.quote on the parameter first. So, any special characters, like dots, would affect the pattern, whereas I wanted them to be literals.
There might, of course, be cases where you actually want to pass valid regex syntax to a method and compile it, but in the majority of cases, I think, if you concatenate literal/constant strings with parameter(s) - or use String.format to achieve the same thing - and then compile the result, you should have quoted the parameter(s) first.
