Refine polynomial redos sources to exclude length limited methods

2026-04-26 09:15:12 +02:00 · 2022-03-16 15:59:41 +00:00
parent 04edc10f1e
commit 1605d36ddf
4 changed files with 38 additions and 6 deletions
--- a/java/ql/test/query-tests/security/CWE-730/PolyRedosTest.java
+++ b/java/ql/test/query-tests/security/CWE-730/PolyRedosTest.java
@@ -72,4 +72,13 @@ class PolyRedosTest {
        p3.asMatchPredicate().test(tainted); 
        p4.asPredicate().test(tainted); // $ hasPolyRedos
    }
+
+    void test6(HttpServletRequest request) {
+        Pattern p = Pattern.compile("^a*a*$");
+
+        p.matcher(request.getParameter("inp")).matches(); // $ hasPolyRedos
+        p.matcher(request.getHeader("If-None-Match")).matches();
+        p.matcher(request.getRequestURI()).matches();
+        p.matcher(request.getCookies()[0].getName()).matches();
+    }
 }
--- a/java/ql/test/query-tests/security/CWE-730/PolynomialReDoS.ql
+++ b/java/ql/test/query-tests/security/CWE-730/PolynomialReDoS.ql
@@ -1,6 +1,6 @@
 import java
 import TestUtilities.InlineExpectationsTest
-import semmle.code.java.security.performance.PolynomialReDosQuery
+import semmle.code.java.security.performance.PolynomialReDoSQuery

 class HasPolyRedos extends InlineExpectationsTest {
  HasPolyRedos() { this = "HasPolyRedos" }
@@ -10,7 +10,7 @@ class HasPolyRedos extends InlineExpectationsTest {
  override predicate hasActualResult(Location location, string element, string tag, string value) {
    tag = "hasPolyRedos" and
    exists(DataFlow::PathNode source, DataFlow::PathNode sink, PolynomialBackTrackingTerm regexp |
-      hasPolynomialReDosResult(source, sink, regexp) and
+      hasPolynomialReDoSResult(source, sink, regexp) and
      location = sink.getNode().getLocation() and
      element = sink.getNode().toString() and
      value = ""