rename ReDoSUtil to NfaUtils, and rename the "performance" folder to "regexp"

This commit is contained in:
Erik Krogh Kristensen
2022-05-25 14:51:20 +02:00
parent bbc8cb32be
commit 13482fc97b
44 changed files with 78 additions and 98 deletions


@@ -2,7 +2,7 @@
* Provides precicates for reasoning about bad tag filter vulnerabilities.
*/
import performance.RegexpMatching
import regexp.RegexpMatching
/**
* Holds if the regexp `root` should be tested against `str`.


@@ -62,7 +62,7 @@
* a suffix `x` (possible empty) that is most likely __not__ accepted.
*/
import ReDoSUtil
import NfaUtils
/**
* Holds if state `s` might be inside a backtracking repetition.


@@ -1,18 +1,13 @@
/**
* Provides classes for working with regular expressions that can
* perform backtracking in superlinear/exponential time.
* Provides classes and predicates for constructing an NFA from
* a regular expression, and various utilities for reasoning about
* the resulting NFA.
*
* This module contains a number of utility predicates for compiling a regular expression into a NFA and reasoning about this NFA.
*
* The `ReDoSConfiguration` contains a `isReDoSCandidate` predicate that is used to
* to determine which states the prefix/suffix search should happen on.
* There is only meant to exist one `ReDoSConfiguration` at a time.
*
* The predicate `hasReDoSResult` outputs a de-duplicated set of
* states that will cause backtracking (a rejecting suffix exists).
* These utilities are used both by the ReDoS queries and by
* other queries that benefit from reasoning about NFAs.
*/
import ReDoSUtilSpecific
import NfaUtilsSpecific
/**
* Gets the char after `c` (from a simplified ASCII table).
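Review bot: The rewritten module header drops the description of the `ReDoSConfiguration` / `hasReDoSResult` contract that the removed paragraph carried, including the "only one `ReDoSConfiguration` at a time" constraint, while `hasReDoSResult` is still consumed by a ReDoS query elsewhere in this commit (`where hasReDoSResult(t, pump, s, prefixMsg)`). Whether those predicates still live in this module is not visible from the hunk, since that query imports both `NfaUtils` and `ExponentialBackTracking`. If they remain here, I would keep a short paragraph in the header, e.g. `* The ReDoS queries configure this module through a single ReDoSConfiguration (only one may exist at a time) and consume hasReDoSResult, which yields a de-duplicated set of states with a rejecting suffix.` If they moved, a one-line pointer to the module that now defines them would serve the same purpose for readers arriving via the new `regexp` path.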


@@ -1,5 +1,5 @@
/**
* Provides JavaScript-specific definitions for use in the ReDoSUtil module.
* Provides JavaScript-specific definitions for use in the NfaUtils module.
*/
import javascript


@@ -3,7 +3,7 @@
* and for testing which capture groups are filled when a particular regexp matches a string.
*/
import ReDoSUtil
import NfaUtils
/** A root term */
class RootTerm extends RegExpTerm {


@@ -3,7 +3,7 @@
* perform backtracking in superlinear time.
*/
import ReDoSUtil
import NfaUtils
/*
* This module implements the analysis described in the paper:


@@ -14,8 +14,8 @@
*/
import javascript
import semmle.javascript.security.performance.PolynomialReDoS::PolynomialReDoS
import semmle.javascript.security.performance.SuperlinearBackTracking
import semmle.javascript.security.regexp.PolynomialReDoS::PolynomialReDoS
import semmle.javascript.security.regexp.SuperlinearBackTracking
import DataFlow::PathGraph
from


@@ -15,8 +15,8 @@
*/
import javascript
import semmle.javascript.security.performance.ReDoSUtil
import semmle.javascript.security.performance.ExponentialBackTracking
import semmle.javascript.security.regexp.NfaUtils
import semmle.javascript.security.regexp.ExponentialBackTracking
from RegExpTerm t, string pump, State s, string prefixMsg
where hasReDoSResult(t, pump, s, prefixMsg)


@@ -57,7 +57,7 @@ DangerousPrefix getADangerousMatchedPrefix(EmptyReplaceRegExpTerm t) {
not exists(EmptyReplaceRegExpTerm pred | pred = t.getPredecessor+() and not pred.isNullable())
}
private import semmle.javascript.security.performance.ReDoSUtil as ReDoSUtil
private import semmle.javascript.security.regexp.NfaUtils as NfaUtils
/**
* Gets a char from a dangerous prefix that is matched by `t`.
@@ -69,8 +69,8 @@ DangerousPrefixSubstring getADangerousMatchedChar(EmptyReplaceRegExpTerm t) {
t.getAMatchedString() = result
or
// A substring matched by some character class. This is only used to match the "word" part of a HTML tag (e.g. "iframe" in "<iframe").
exists(ReDoSUtil::CharacterClass cc |
cc = ReDoSUtil::getCanonicalCharClass(t) and
exists(NfaUtils::CharacterClass cc |
cc = NfaUtils::getCanonicalCharClass(t) and
cc.matches(result) and
result.regexpMatch("\\w") and
// excluding character classes that match ">" (e.g. /<[^<]*>/), as these might consume nested HTML tags, and thus prevent the dangerous pattern this query is looking for.


@@ -1,4 +1,4 @@
import semmle.javascript.security.performance.SuperlinearBackTracking
import semmle.javascript.security.regexp.SuperlinearBackTracking
from PolynomialBackTrackingTerm t
select t, t.getReason()