JS: add js/exploitable-polynomial-redos

This commit is contained in:
Esben Sparre Andreasen
2020-02-12 12:56:55 +01:00
parent 091c6c063c
commit 1b73cee692
15 changed files with 775 additions and 63 deletions


@@ -0,0 +1,139 @@
| polynomial-redos.js:7:24:7:26 | \\s+ | it can start matching anywhere |
| polynomial-redos.js:8:17:8:18 | * | it can start matching anywhere |
| polynomial-redos.js:9:19:9:21 | \\s* | it can start matching anywhere |
| polynomial-redos.js:11:19:11:20 | .* | it can start matching anywhere |
| polynomial-redos.js:12:19:12:20 | .* | it can start matching anywhere |
| polynomial-redos.js:15:28:15:35 | [\\s\\S]*? | it can start matching anywhere after the start of the preceeding '\\s*' |
| polynomial-redos.js:18:17:18:22 | [0-9]* | it can start matching anywhere |
| polynomial-redos.js:18:83:18:100 | [\\u0600-\\u06FF\\/]+ | it can start matching anywhere |
| polynomial-redos.js:19:17:19:22 | [0-9]* | it can start matching anywhere |
| polynomial-redos.js:20:56:20:58 | \\d+ | it can start matching anywhere after the start of the preceeding '\\d*' |
| polynomial-redos.js:20:56:20:58 | \\d+ | it can start matching anywhere after the start of the preceeding '\\d+' |
| polynomial-redos.js:22:57:22:59 | \\d+ | it can start matching anywhere after the start of the preceeding '\\d*' |
| polynomial-redos.js:22:57:22:59 | \\d+ | it can start matching anywhere after the start of the preceeding '\\d+' |
| polynomial-redos.js:25:37:25:56 | [a-zA-Z0-9+\\/ \\t\\n]+ | it can start matching anywhere after the start of the preceeding '[ \\t]+' |
| polynomial-redos.js:27:14:27:22 | [A-Z]{2,} | it can start matching anywhere |
| polynomial-redos.js:30:19:30:22 | [?]+ | it can start matching anywhere |
| polynomial-redos.js:31:42:31:43 | -+ | it can start matching anywhere |
| polynomial-redos.js:32:45:32:47 | \\n* | it can start matching anywhere |
| polynomial-redos.js:33:17:33:20 | (.)* | it can start matching anywhere |
| regexplib/address.js:18:26:18:31 | [ \\w]* | it can start matching anywhere after the start of the preceeding '[ \\w]{3,}' |
| regexplib/address.js:20:144:20:147 | [ ]+ | it can start matching anywhere after the start of the preceeding '[a-zA-Z0-9 \\-.]{6,}' |
| regexplib/address.js:24:26:24:31 | [ \\w]* | it can start matching anywhere after the start of the preceeding '[ \\w]{3,}' |
| regexplib/address.js:27:3:27:5 | \\s* | it can start matching anywhere |
| regexplib/address.js:27:48:27:50 | \\s* | it can start matching anywhere |
| regexplib/address.js:27:93:27:95 | \\s* | it can start matching anywhere |
| regexplib/address.js:38:39:38:45 | [ 0-9]* | it can start matching anywhere after the start of the preceeding '[ \|\\.]*' |
| regexplib/address.js:51:235:51:239 | \\x20* | it can start matching anywhere after the start of the preceeding '\\x20*' |
| regexplib/address.js:51:631:51:635 | \\x20* | it can start matching anywhere after the start of the preceeding '\\x20*' |
| regexplib/address.js:51:796:51:798 | \\s+ | it can start matching anywhere after the start of the preceeding '\\s+' |
| regexplib/address.js:67:379:67:755 | [a-zA-Z0-9ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝßàáâãäåæçèéêëìíîïñòóôõöøùúûüýÿ\\.\\,\\-\\/\\' ]+ | it can start matching anywhere after the start of the preceeding '[a-zA-Z0-9ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝßàáâãäåæçèéêëìíîïñòóôõöøùúûüýÿ\\.\\,\\-\\/\\']+' |
| regexplib/address.js:69:3:69:5 | \\s* | it can start matching anywhere |
| regexplib/address.js:69:48:69:50 | \\s* | it can start matching anywhere |
| regexplib/address.js:69:93:69:95 | \\s* | it can start matching anywhere |
| regexplib/address.js:75:235:75:239 | \\x20* | it can start matching anywhere after the start of the preceeding '\\x20*' |
| regexplib/address.js:75:631:75:635 | \\x20* | it can start matching anywhere after the start of the preceeding '\\x20*' |
| regexplib/address.js:75:796:75:798 | \\s+ | it can start matching anywhere after the start of the preceeding '\\s+' |
| regexplib/address.js:85:15:85:49 | ([0-9]\|[ ]\|[-]\|[\\(]\|[\\)]\|ext.\|[,])+ | it can start matching anywhere |
| regexplib/address.js:85:51:85:67 | ([ ]\|[:]\|\\t\|[-])* | it can start matching anywhere after the start of the preceeding '([0-9]\|[ ]\|[-]\|[\\(]\|[\\)]\|ext.\|[,])+' |
| regexplib/address.js:93:3:93:5 | \\s* | it can start matching anywhere |
| regexplib/address.js:93:48:93:50 | \\s* | it can start matching anywhere |
| regexplib/address.js:93:93:93:95 | \\s* | it can start matching anywhere |
| regexplib/address.js:95:379:95:755 | [a-zA-Z0-9ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝßàáâãäåæçèéêëìíîïñòóôõöøùúûüýÿ\\.\\,\\-\\/\\' ]+ | it can start matching anywhere after the start of the preceeding '[a-zA-Z0-9ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝßàáâãäåæçèéêëìíîïñòóôõöøùúûüýÿ\\.\\,\\-\\/\\']+' |
| regexplib/email.js:8:16:8:49 | [^ \\t\\(\\)\\<\\>@,;\\:\\\\\\"\\.\\[\\]\\r\\n]+ | it can start matching anywhere |
| regexplib/email.js:12:2:12:4 | \\w+ | it can start matching anywhere |
| regexplib/email.js:15:28:15:30 | \\w* | it can start matching anywhere after the start of the preceeding '\\w+' |
| regexplib/email.js:20:3:20:6 | \\w+? | it can start matching anywhere |
| regexplib/email.js:28:2:28:4 | \\w+ | it can start matching anywhere |
| regexplib/email.js:28:27:28:29 | \\w* | it can start matching anywhere after the start of the preceeding '\\w+' |
| regexplib/email.js:28:73:28:87 | [0-9a-zA-Z'\\.]+ | it can start matching anywhere |
| regexplib/email.js:28:125:28:139 | [0-9a-zA-Z'\\.]+ | it can start matching anywhere |
| regexplib/email.js:29:2:29:7 | [\\w-]+ | it can start matching anywhere |
| regexplib/markup.js:6:99:6:113 | [\\s\\w\\d\\)\\(\\,]* | it can start matching anywhere after the start of the preceeding '[\\d\\w]+' |
| regexplib/markup.js:19:2:19:12 | (<meta\\s+)* | it can start matching anywhere |
| regexplib/markup.js:20:155:20:156 | '+ | it can start matching anywhere after the start of the preceeding ''+' |
| regexplib/markup.js:20:197:20:198 | "+ | it can start matching anywhere after the start of the preceeding '"+' |
| regexplib/markup.js:37:15:37:19 | [\\w]* | it can start matching anywhere after the start of the preceeding '\\w+' |
| regexplib/markup.js:53:15:53:19 | [\\w]* | it can start matching anywhere after the start of the preceeding '\\w+' |
| regexplib/markup.js:62:39:62:45 | [\\"\\']+ | it can start matching anywhere after the start of the preceeding '[\\s\\"\\']+' |
| regexplib/misc.js:76:2:76:27 | (AUX\|PRN\|NUL\|COM\\d\|LPT\\d)+ | it can start matching anywhere |
| regexplib/misc.js:83:15:83:17 | \\d* | it can start matching anywhere after the start of the preceeding '\\d*' |
| regexplib/misc.js:83:69:83:71 | \\d* | it can start matching anywhere after the start of the preceeding '\\d*' |
| regexplib/misc.js:93:3:93:4 | .* | it can start matching anywhere |
| regexplib/misc.js:112:3:112:5 | \\s* | it can start matching anywhere |
| regexplib/misc.js:112:32:112:34 | \\s* | it can start matching anywhere |
| regexplib/misc.js:119:9:119:11 | \\s* | it can start matching anywhere |
| regexplib/misc.js:119:12:119:14 | \\(* | it can start matching anywhere |
| regexplib/misc.js:119:16:119:18 | \\s* | it can start matching anywhere |
| regexplib/misc.js:119:16:119:18 | \\s* | it can start matching anywhere after the start of the preceeding '\\s*' |
| regexplib/misc.js:119:20:119:22 | \\w+ | it can start matching anywhere |
| regexplib/misc.js:162:15:162:17 | \\d* | it can start matching anywhere after the start of the preceeding '\\d*' |
| regexplib/misc.js:162:69:162:71 | \\d* | it can start matching anywhere after the start of the preceeding '\\d*' |
| regexplib/misc.js:163:41:163:43 | \\s* | it can start matching anywhere after the start of the preceeding '\\s*' |
| regexplib/misc.js:163:75:163:77 | \\s* | it can start matching anywhere after the start of the preceeding '\\s*' |
| regexplib/misc.js:168:3:168:4 | .* | it can start matching anywhere |
| regexplib/numbers.js:9:14:9:16 | \\d* | it can start matching anywhere after the start of the preceeding '\\d*' |
| regexplib/numbers.js:13:9:13:11 | \\d* | it can start matching anywhere after the start of the preceeding '\\d*' |
| regexplib/strings.js:2:2:2:3 | .* | it can start matching anywhere |
| regexplib/strings.js:14:35:14:37 | \\w* | it can start matching anywhere after the start of the preceeding '\\w*' |
| regexplib/strings.js:14:107:14:109 | \\w* | it can start matching anywhere after the start of the preceeding '\\w*' |
| regexplib/strings.js:19:69:19:95 | [a-z&#230;&#248;&#229;0-9]+ | it can start matching anywhere after the start of the preceeding '[a-z&#230;&#248;&#229;0-9]+' |
| regexplib/strings.js:26:6:26:17 | [a-zA-Z,\\s]+ | it can start matching anywhere after the start of the preceeding '\\s*' |
| regexplib/strings.js:26:18:26:20 | \\s* | it can start matching anywhere after the start of the preceeding '[a-zA-Z,\\s]+' |
| regexplib/strings.js:29:2:29:3 | .* | it can start matching anywhere |
| regexplib/strings.js:30:2:30:3 | .* | it can start matching anywhere |
| regexplib/strings.js:32:35:32:37 | \\w* | it can start matching anywhere after the start of the preceeding '\\w*' |
| regexplib/strings.js:32:119:32:121 | \\w* | it can start matching anywhere after the start of the preceeding '\\w+' |
| regexplib/strings.js:40:3:40:5 | \\w+ | it can start matching anywhere |
| regexplib/strings.js:47:2:47:7 | (\\S*)+ | it can start matching anywhere |
| regexplib/strings.js:47:3:47:5 | \\S* | it can start matching anywhere |
| regexplib/strings.js:48:3:48:12 | [^\\.\\?\\!]* | it can start matching anywhere |
| regexplib/strings.js:49:3:49:5 | \\S+ | it can start matching anywhere |
| regexplib/strings.js:54:9:54:11 | \\s* | it can start matching anywhere |
| regexplib/strings.js:54:12:54:14 | \\(* | it can start matching anywhere |
| regexplib/strings.js:54:16:54:18 | \\s* | it can start matching anywhere |
| regexplib/strings.js:54:16:54:18 | \\s* | it can start matching anywhere after the start of the preceeding '\\s*' |
| regexplib/strings.js:54:20:54:22 | \\w+ | it can start matching anywhere |
| regexplib/strings.js:64:3:64:5 | \\w+ | it can start matching anywhere |
| regexplib/strings.js:70:6:70:17 | [a-zA-Z,\\s]+ | it can start matching anywhere after the start of the preceeding '\\s*' |
| regexplib/strings.js:70:18:70:20 | \\s* | it can start matching anywhere after the start of the preceeding '[a-zA-Z,\\s]+' |
| regexplib/strings.js:72:35:72:37 | \\w* | it can start matching anywhere after the start of the preceeding '\\w*' |
| regexplib/strings.js:72:119:72:121 | \\w* | it can start matching anywhere after the start of the preceeding '\\w+' |
| regexplib/strings.js:73:2:73:3 | .* | it can start matching anywhere |
| regexplib/strings.js:74:2:74:3 | .* | it can start matching anywhere |
| regexplib/strings.js:75:2:75:3 | .* | it can start matching anywhere |
| regexplib/strings.js:76:2:76:3 | .* | it can start matching anywhere |
| regexplib/strings.js:82:9:82:11 | \\s* | it can start matching anywhere |
| regexplib/strings.js:82:12:82:14 | \\(* | it can start matching anywhere |
| regexplib/strings.js:82:16:82:18 | \\s* | it can start matching anywhere |
| regexplib/strings.js:82:16:82:18 | \\s* | it can start matching anywhere after the start of the preceeding '\\s*' |
| regexplib/strings.js:82:20:82:22 | \\w+ | it can start matching anywhere |
| regexplib/strings.js:88:3:88:12 | [^\\.\\?\\!]* | it can start matching anywhere |
| regexplib/strings.js:89:3:89:5 | \\S+ | it can start matching anywhere |
| regexplib/strings.js:91:2:91:7 | (\\S*)+ | it can start matching anywhere |
| regexplib/strings.js:91:3:91:5 | \\S* | it can start matching anywhere |
| regexplib/uri.js:2:45:2:66 | [\\w\\-\\.,@?^=%&:/~\\+#]* | it can start matching anywhere after the start of the preceeding '[\\w\\-_]+' |
| regexplib/uri.js:13:69:13:102 | [a-zA-Z0-9\\-\\.\\?\\,\\'\\/\\\\\\+&%\\$#_]* | it can start matching anywhere after the start of the preceeding '[a-zA-Z0-9\\-\\._]+' |
| regexplib/uri.js:18:47:18:96 | ([ A-Za-z0-9'~` !@#$%&^_+=\\(\\){},\\-\\[\\];]\|([.]))*? | it can start matching anywhere after the start of the preceeding '([A-Za-z0-9'~`!@#$%&^_+=\\(\\){},\\-\\[\\]\\;])+?' |
| regexplib/uri.js:18:148:18:189 | ([A-Za-z0-9'~`!@#$%&^_+=\\(\\){},\\-\\[ \\];])+ | it can start matching anywhere after the start of the preceeding '[ A-Za-z0-9'~`!@#$ %&^_+=\\(\\){},\\-\\[\\]\\;]*?' |
| regexplib/uri.js:23:2:23:74 | (((file\|gopher\|news\|nntp\|telnet\|http\|ftp\|https\|ftps\|sftp):\\/\\/)\|(www\\.))+ | it can start matching anywhere |
| regexplib/uri.js:28:2:28:13 | [a-zA-Z]{3,} | it can start matching anywhere |
| regexplib/uri.js:29:2:29:45 | ((http\\:\\/\\/\|https\\:\\/\\/\|ftp\\:\\/\\/)\|(www.))+ | it can start matching anywhere |
| regexplib/uri.js:34:3:34:9 | [^\\=&]+ | it can start matching anywhere |
| regexplib/uri.js:44:2:44:4 | .*? | it can start matching anywhere |
| regexplib/uri.js:53:3:53:9 | [^\\=&]+ | it can start matching anywhere |
| regexplib/uri.js:58:2:58:45 | ((http\\:\\/\\/\|https\\:\\/\\/\|ftp\\:\\/\\/)\|(www.))+ | it can start matching anywhere |
| regexplib/uri.js:59:2:59:13 | [a-zA-Z]{3,} | it can start matching anywhere |
| regexplib/uri.js:73:2:73:4 | .*? | it can start matching anywhere |
| tst.js:14:13:14:18 | (.*,)+ | it can start matching anywhere |
| tst.js:14:14:14:15 | .* | it can start matching anywhere |
| tst.js:47:15:47:37 | (?:[^"']\|".*?"\|'.*?')*? | it can start matching anywhere |
| tst.js:66:15:66:44 | ([\\w#:.~>+()\\s-]+\|\\*\|\\[.*?\\])+ | it can start matching anywhere |
| tst.js:66:16:66:31 | [\\w#:.~>+()\\s-]+ | it can start matching anywhere |
| tst.js:66:46:66:48 | \\s* | it can start matching anywhere after the start of the preceeding '[\\w#:.~>+()\\s-]+' |
| tst.js:74:14:74:21 | (b\|a?b)* | it can start matching anywhere |
| tst.js:77:14:77:21 | (a\|aa?)* | it can start matching anywhere |
| tst.js:80:14:80:20 | (.\|\\n)* | it can start matching anywhere |
| tst.js:83:14:83:20 | (.\|\\n)* | it can start matching anywhere |
| tst.js:89:25:89:32 | (a\|aa?)* | it can start matching anywhere |
| tst.js:92:14:92:21 | (a\|aa?)* | it can start matching anywhere |


@@ -0,0 +1,4 @@
import semmle.javascript.security.performance.SuperlinearBackTracking
from PolynomialBackTrackingTerm t
select t, t.getReason()
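Review bot: The reason strings this query selects, as captured in the accompanying expected output, consistently spell `preceeding` (`it can start matching anywhere after the start of the preceeding '...'`). The text is produced by `getReason()` on `PolynomialBackTrackingTerm`, which presumably lives in the `SuperlinearBackTracking` library imported on the first line rather than in this hunk, so the spelling fix belongs there and the `.expected` file for this test would need regenerating afterwards. Since the test pins the exact message, it is cheaper to correct the wording now than after more expected files depend on it.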


@@ -0,0 +1,74 @@
nodes
| polynomial-redos.js:5:6:5:32 | tainted |
| polynomial-redos.js:5:16:5:32 | req.query.tainted |
| polynomial-redos.js:5:16:5:32 | req.query.tainted |
| polynomial-redos.js:7:2:7:8 | tainted |
| polynomial-redos.js:7:2:7:8 | tainted |
| polynomial-redos.js:8:2:8:8 | tainted |
| polynomial-redos.js:8:2:8:8 | tainted |
| polynomial-redos.js:9:2:9:8 | tainted |
| polynomial-redos.js:9:2:9:8 | tainted |
| polynomial-redos.js:11:2:11:8 | tainted |
| polynomial-redos.js:11:2:11:8 | tainted |
| polynomial-redos.js:12:2:12:8 | tainted |
| polynomial-redos.js:12:2:12:8 | tainted |
| polynomial-redos.js:15:2:15:8 | tainted |
| polynomial-redos.js:15:2:15:8 | tainted |
| polynomial-redos.js:18:2:18:8 | tainted |
| polynomial-redos.js:18:2:18:8 | tainted |
| polynomial-redos.js:19:2:19:8 | tainted |
| polynomial-redos.js:19:2:19:8 | tainted |
| polynomial-redos.js:20:2:20:8 | tainted |
| polynomial-redos.js:20:2:20:8 | tainted |
| polynomial-redos.js:25:2:25:8 | tainted |
| polynomial-redos.js:25:2:25:8 | tainted |
| polynomial-redos.js:27:77:27:83 | tainted |
| polynomial-redos.js:27:77:27:83 | tainted |
| polynomial-redos.js:30:2:30:8 | tainted |
| polynomial-redos.js:30:2:30:8 | tainted |
| polynomial-redos.js:33:2:33:8 | tainted |
| polynomial-redos.js:33:2:33:8 | tainted |
edges
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:7:2:7:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:7:2:7:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:8:2:8:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:8:2:8:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:9:2:9:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:9:2:9:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:11:2:11:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:11:2:11:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:12:2:12:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:12:2:12:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:15:2:15:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:15:2:15:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:18:2:18:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:18:2:18:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:19:2:19:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:19:2:19:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:20:2:20:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:20:2:20:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:25:2:25:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:25:2:25:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:27:77:27:83 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:27:77:27:83 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:30:2:30:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:30:2:30:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:33:2:33:8 | tainted |
| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:33:2:33:8 | tainted |
| polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:5:6:5:32 | tainted |
| polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:5:6:5:32 | tainted |
#select
| polynomial-redos.js:7:2:7:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:7:2:7:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:7:24:7:26 | \\s+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
| polynomial-redos.js:8:2:8:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:8:2:8:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:8:17:8:18 | * | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
| polynomial-redos.js:9:2:9:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:9:2:9:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:9:19:9:21 | \\s* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
| polynomial-redos.js:11:2:11:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:11:2:11:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:11:19:11:20 | .* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
| polynomial-redos.js:12:2:12:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:12:2:12:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:12:19:12:20 | .* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
| polynomial-redos.js:15:2:15:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:15:2:15:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:15:28:15:35 | [\\s\\S]*? | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
| polynomial-redos.js:18:2:18:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:18:2:18:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:18:17:18:22 | [0-9]* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
| polynomial-redos.js:18:2:18:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:18:2:18:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:18:83:18:100 | [\\u0600-\\u06FF\\/]+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
| polynomial-redos.js:19:2:19:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:19:2:19:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:19:17:19:22 | [0-9]* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
| polynomial-redos.js:20:2:20:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:20:2:20:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:20:56:20:58 | \\d+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
| polynomial-redos.js:25:2:25:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:25:2:25:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:25:37:25:56 | [a-zA-Z0-9+\\/ \\t\\n]+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
| polynomial-redos.js:27:77:27:83 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:27:77:27:83 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:27:14:27:22 | [A-Z]{2,} | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
| polynomial-redos.js:30:2:30:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:30:2:30:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:30:19:30:22 | [?]+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
| polynomial-redos.js:33:2:33:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:33:2:33:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:33:17:33:20 | (.)* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |


@@ -0,0 +1 @@
Performance/PolynomialReDoS.ql


@@ -1,3 +1,5 @@
| polynomial-redos.js:17:5:17:6 | .* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of ','. |
| polynomial-redos.js:41:52:41:63 | [\\x21-\\x7E]* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '?'. |
| regexplib/address.js:51:803:51:811 | [A-Za-z]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'A'. |
| regexplib/address.js:75:803:75:811 | [A-Za-z]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'A'. |
| regexplib/dates.js:66:133:66:139 | JANUARY | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'JANUARY'. |


@@ -0,0 +1,49 @@
var express = require('express');
var app = express();
app.use(function(req, res) {
let tainted = req.query.tainted;
tainted.replace(/^\s+|\s+$/g, ''); // NOT OK
tainted.split(/ *, */); // NOT OK
tainted.replace(/\s*\n\s*/g, ' '); // NOT OK
tainted.split('\n'); // OK
tainted.replace(/.*[/\\]/, ''); // NOT OK
tainted.replace(/.*\./, ''); // NOT OK
tainted.replace(/^.*[/\\]/, ''); // OK
tainted.replace(/^.*\./, ''); // OK
tainted.replace(/^(`+)\s*([\s\S]*?[^`])\s*\1(?!`)/); // NOT OK
tainted.replace(/^(`+)([\s\S]*?[^`])\1(?!`)/); // OK
/^(.*,)+(.+)?$/.test(tainted); // NOT OK - but only flagged by js/redos
tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i); // NOT OK
tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF\/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i); // NOT OK (even though it is a proposed fix for the above)
tainted.match(/^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/); // NOT OK
if (tainted.length < 7000) {
tainted.match(/^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/); // OK - but flagged
}
tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/ \t\n]+[=]*)(.*)$/); // NOT OK
tainted.match(/^([a-z0-9-]+)[ \t\n]+([a-zA-Z0-9+\/][a-zA-Z0-9+\/ \t\n=]*)([^a-zA-Z0-9+\/ \t\n=].*)?$/); // OK
/[a-z][A-Z]|[A-Z]{2,}[a-z]|[0-9][a-zA-Z]|[a-zA-Z][0-9]|[^a-zA-Z0-9 ]/.test(tainted); // NOT OK
/[a-z][A-Z]|[A-Z]{2}[a-z]|[0-9][a-zA-Z]|[a-zA-Z][0-9]|[^a-zA-Z0-9 ]/.test(tainted); // OK
tainted.replace(/[?]+.*$/g, ""); // OK - can not fail - but still flagged
tainted.replace(/\-\-+/g, "-").replace(/-+$/, ""); // OK - indirectly sanitized
tainted.replace(/\n\n\n+/g, "\n").replace(/\n*$/g, ""); // OK - indirectly sanitized
tainted.match(/(.)*solve\/challenges\/server-side(.)*/); // NOT OK
tainted.match(/<head>(?![\s\S]*<head>)/i); // OK
tainted.match(/<.*class="([^"]+)".*>/); // NOT OK - but not flagged
tainted.match(/<.*style="([^"]+)".*>/); // NOT OK - but not flagged
tainted.match(/<.*href="([^"]+)".*>/); // NOT OK - but not flagged
tainted.match(/^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/); // NOT OK - but not flagged
tainted.match(/^([^-]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)*$/); // NOT OK (it is a fix for the above, but it introduces exponential complexity elsewhere)
tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([\n \t]+([^\n]+))?$/); // NOT OK - but not flagged due to lack of support for inverted character classes
tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([ \t]+([^ \t][^\n]*[\n]*)?)?$/); // OK
tainted.match(/^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)+$/); // NOT OK - but not flagged
tainted.match(/^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)(?:\.[a-zA-Z_][a-zA-Z_0-9]*)*$/); // OK
});
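Review bot: The annotation `// OK - but flagged` on the `tainted.match(...)` call guarded by `if (tainted.length < 7000)` does not agree with the expected output in this commit: the PolynomialReDoS `#select` rows contain the unguarded call (the row for line 20) but no row for the guarded one, so as far as the taint query is concerned the length check is treated as a sanitizer. If that is the intended behaviour the comment should simply read `// OK`; if "flagged" refers to the term-level SuperlinearBackTracking results, which do list both `\d+` occurrences, naming the query explicitly (e.g. `// OK - only flagged by the SuperlinearBackTracking term query`) would keep it consistent with the other annotations that name a query when results differ (`// NOT OK - but only flagged by js/redos`). The line numbers are inferred from the rendered view, which appears to drop blank lines, so this is worth double-checking against the checked-in file.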