Restrict polynomial ReDoS' strings-parsed-as-regexes search to those that could possibly be interesting

In practice for polynomial ReDoS this means those regexes containing at least one potentially-infinite quantifier (* or +).
This commit is contained in:
Chris Smowton
2022-03-28 17:03:24 +01:00
committed by Joe Farebrother
parent 0f606d987d
commit 0d13864bc8


@@ -9,10 +9,16 @@ private import semmle.code.java.dataflow.DataFlow3
private import RegexFlowModels
private import semmle.code.java.security.SecurityTests
private class ExploitableStringLiteral extends StringLiteral {
ExploitableStringLiteral() { this.getValue().matches(["%+%", "%*%"]) }
}
private class RegexCompileFlowConf extends DataFlow2::Configuration {
RegexCompileFlowConf() { this = "RegexCompileFlowConfig" }
override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof StringLiteral }
override predicate isSource(DataFlow::Node node) {
node.asExpr() instanceof ExploitableStringLiteral
}
override predicate isSink(DataFlow::Node node) {
sinkNode(node, ["regex-compile", "regex-compile-match", "regex-compile-find"])
@@ -203,7 +209,9 @@ private class GuavaRegexFlowStep extends RegexAdditionalFlowStep {
private class RegexMatchFlowConf extends DataFlow2::Configuration {
RegexMatchFlowConf() { this = "RegexMatchFlowConf" }
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof StringLiteral }
override predicate isSource(DataFlow::Node src) {
src.asExpr() instanceof ExploitableStringLiteral
}
override predicate isSink(DataFlow::Node sink) {
exists(RegexMatchMethodAccess ma | sink.asExpr() = ma.getRegexArg())