hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

matching a inverted char class with a char

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2020-10-31 18:14:10 +01:00
parent 804aaf36f0
commit 16473fc2a4
3 changed files with 32 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
javascript/ql/src/Performance/ReDoS.ql
View File

@@ -429,6 +429,20 @@ newtype Trace =
t = Nil() and isFork(_, s1, s2, _, _)
}
/**
* Holds if the character class `cc` has a child (constant or range) that matches `char`.
*/
bindingset[char]
predicate charClassMatchesChar(RegExpCharacterClass cc, string char) {
exists(RegExpTerm child | child = cc.getAChild() |
char = child.(RegExpConstant).getValue()
or
exists(string lo, string hi | child.(RegExpCharacterRange).isRange(lo, hi) |
lo <= char and char <= hi
)
)
}
/**
* Gets a character that is represented by both `c` and `d`.
*/
@@ -437,14 +451,10 @@ string intersect(InputSymbol c, InputSymbol d) {
(
d = Char(result)
or
exists(RegExpCharacterClass cc | d = CharClass(cc) |
exists(RegExpTerm child | child = cc.getAChild() |
result = child.(RegExpConstant).getValue()
or
exists(string lo, string hi | child.(RegExpCharacterRange).isRange(lo, hi) |
lo <= result and result <= hi
)
)
exists(RegExpCharacterClass cc | d = CharClass(cc) | charClassMatchesChar(cc, result))
or
exists(RegExpCharacterClass cc | d = InvertedCharClass(cc) |
not charClassMatchesChar(cc, result)
)
or
d = Dot() and

5
javascript/ql/test/query-tests/Performance/ReDoS/ReDoS.expected
View File

@@ -27,6 +27,8 @@
| regexplib/markup.js:13:14:13:16 | .+? | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a"'. |
| regexplib/markup.js:37:29:37:56 | [a-zA-Z0-9\|:\|\\/\|=\|-\|.\|\\?\|&]* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '='. |
| regexplib/markup.js:53:29:53:56 | [a-zA-Z0-9\|:\|\\/\|=\|-\|.\|\\?\|&]* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '='. |
| regexplib/misc.js:79:3:79:25 | (\\/w\|\\/W\|[^<>+?$%{}&])+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '/W'. |
| regexplib/misc.js:142:3:142:25 | (\\/w\|\\/W\|[^<>+?$%{}&])+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '/W'. |
| regexplib/strings.js:19:31:19:57 | [a-z&#230;&#248;&#229;0-9]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '#'. |
| regexplib/uri.js:3:128:3:129 | .* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '/'. |
| regexplib/uri.js:38:35:38:40 | [a-z]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
@@ -54,5 +56,6 @@
| tst.js:83:14:83:20 | (.\|\\n)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\n'. |
| tst.js:89:25:89:32 | (a\|aa?)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
| tst.js:95:15:95:25 | ([^]\|[^a])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'b'. |
| tst.js:98:15:98:20 | [^"']+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '('. |
| tst.js:101:15:101:23 | (.\|[^a])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'b'. |
| tst.js:107:15:107:23 | (b\|[^a])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'b'. |
| tst.js:110:15:110:23 | (G\|[^a])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'G'. |

11
javascript/ql/test/query-tests/Performance/ReDoS/tst.js
View File

@@ -94,8 +94,17 @@ var good9 = '(a|aa?)*b';
// NOT GOOD
var bad18 = /(([^]|[^a])*)"/;
// NOT GOOD
// NOT GOOD - but not flagged
var bad19 = /([^"']+)*/g;
// NOT GOOD
var bad20 = /((.|[^a])*)"/;
// GOOD
var good10 = /((a|[^a])*)"/;
// NOT GOOD
var bad21 = /((b|[^a])*)"/;
// NOT GOOD
var bad22 = /((G|[^a])*)"/;