Merge pull request #12543 from erik-krogh/reg-perf

ReDoS: restrict the edges considered in polynomial-redos for complex regular expressions
2026-05-04 13:15:21 +02:00 · 2023-03-20 15:48:35 +01:00
parent c56c1cbb62 2270d6fa61
commit 0f813ce2e8
5 changed files with 72 additions and 39 deletions
--- a/python/ql/lib/semmle/python/regex.qll
+++ b/python/ql/lib/semmle/python/regex.qll
@@ -140,7 +140,11 @@ string mode_from_node(DataFlow::Node node) { node = re_flag_tracker(result) }

 /** A StrConst used as a regular expression */
 abstract class RegexString extends Expr {
-  RegexString() { (this instanceof Bytes or this instanceof Unicode) }
+  RegexString() {
+    (this instanceof Bytes or this instanceof Unicode) and
+    // is part of the user code
+    exists(this.getLocation().getFile().getRelativePath())
+  }

  /**
   * Helper predicate for `char_set_start(int start, int end)`.