From 2ad28ab4db31cd4f265f727d606f0af1bbb3eb0d Mon Sep 17 00:00:00 2001
From: erik-krogh
Date: Tue, 11 Oct 2022 21:16:46 +0200
Subject: [PATCH] add library inputs as a source to poly-redos

---
 .../regexp/PolynomialReDoSCustomizations.qll | 17 ++++++++++++++++-
 .../change-notes/2022-10-11-poly-redos-lib.md | 4 ++++
 .../security/cwe-1333/PolynomialReDoS.ql | 2 +-
 .../PolynomialReDoS.expected | 4 ++++
 .../cwe-1333-polynomial-redos/lib/index.rb | 6 ++++++
 .../poly-redos.gemspec | 5 +++++
 6 files changed, 36 insertions(+), 2 deletions(-)
 create mode 100644 ruby/ql/src/change-notes/2022-10-11-poly-redos-lib.md
 create mode 100644 ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/lib/index.rb
 create mode 100644 ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/poly-redos.gemspec

diff --git a/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSCustomizations.qll
index 0429d00da1a..02b395e9920 100644
--- a/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSCustomizations.qll
@@ -22,7 +22,13 @@ module PolynomialReDoS {
 /**
 * A data flow source node for polynomial regular expression denial-of-service vulnerabilities.
 */
- abstract class Source extends DataFlow::Node { }
+ abstract class Source extends DataFlow::Node {
+ /**
+ * Gets a string that describes the source.
+ * For use in the alert message.
+ */
+ string describe() { result = "user-provided value" }
+ }

 /**
 * A data flow sink node for polynomial regular expression denial-of-service vulnerabilities.
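Review bot: `describe()` is a concrete predicate on the abstract `Source` class, so any `Source` subclass that does not override it — the existing `RemoteFlowSourceAsSource` and every source added later — reports its node as a "user-provided value", and nothing in the QLDoc says that this default is only accurate for remote-flow sources. I would extend the comment with `* Subclasses that model inputs other than remote user data should override this predicate.` so the default is not mistaken for a neutral wording. The rest of `module PolynomialReDoS` lies outside the hunk.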
@@ -53,6 +59,15 @@ module PolynomialReDoS {
 */
 class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }

+ import codeql.ruby.frameworks.core.Gem::Gem as Gem
+
+ /** A library input, considered as a flow source. */
+ class LibraryInputAsSource extends Source {
+ LibraryInputAsSource() { this = Gem::getALibraryInput() }
+
+ override string describe() { result = "library input" }
+ }
+
 /**
 * Gets the AST of a regular expression object that can flow to `node`.
 */
diff --git a/ruby/ql/src/change-notes/2022-10-11-poly-redos-lib.md b/ruby/ql/src/change-notes/2022-10-11-poly-redos-lib.md
new file mode 100644
index 00000000000..125f87378af
--- /dev/null
+++ b/ruby/ql/src/change-notes/2022-10-11-poly-redos-lib.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `rb/polynomial-redos` query now considers the entrypoints of the API of a gem as sources.
diff --git a/ruby/ql/src/queries/security/cwe-1333/PolynomialReDoS.ql b/ruby/ql/src/queries/security/cwe-1333/PolynomialReDoS.ql
index 7a78c9d9f25..a75cfdb786d 100644
--- a/ruby/ql/src/queries/security/cwe-1333/PolynomialReDoS.ql
+++ b/ruby/ql/src/queries/security/cwe-1333/PolynomialReDoS.ql
@@ -27,4 +27,4 @@ where
 select sinkNode.getHighlight(), source, sink,
 "This $@ that depends on a $@ may run slow on strings " + regexp.getPrefixMessage() + "with many repetitions of '" + regexp.getPumpString() + "'.", regexp, "regular expression",
- source.getNode(), "user-provided value"
+ source.getNode(), source.getNode().(PolynomialReDoS::Source).describe()
diff --git a/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected
index 975b3f9ce39..e61fd3997c3 100644
--- a/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected
+++ b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected
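Review bot: The `import codeql.ruby.frameworks.core.Gem::Gem as Gem` line is placed between two class declarations inside the body of `module PolynomialReDoS`; the file's other imports are presumably grouped at the top, outside the hunk, and moving this one there keeps the module body to declarations only. The QLDoc on `LibraryInputAsSource` could also spell out the assumption this source introduces: because callers of a gem are unknown, every parameter of a public entrypoint is treated as attacker-controlled, so an alert on such a source is about the gem's contract rather than a demonstrated untrusted flow. One line such as `/** A library input (a parameter of a public entrypoint of the gem), considered as a flow source because callers of the gem are unknown. */` says as much.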
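Review bot: The new last column obtains the message text through an inline cast, `source.getNode().(PolynomialReDoS::Source).describe()`, repeating `source.getNode()` on the same select line; declaring `PolynomialReDoS::Source srcNode` in `from`, binding `source.getNode() = srcNode` in `where`, and selecting `srcNode, srcNode.describe()` reads more clearly and makes the expected type of the source explicit. Whether the module name `PolynomialReDoS` is in scope here depends on the imports at the top of the query, which are outside the hunk, as is the `from`/`where` part of the query.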
@@ -23,6 +23,7 @@ edges | PolynomialReDoS.rb:29:9:29:18 | ...[...] : | PolynomialReDoS.rb:30:5:30:5 | b | | PolynomialReDoS.rb:31:9:31:14 | call to params : | PolynomialReDoS.rb:31:9:31:18 | ...[...] : | | PolynomialReDoS.rb:31:9:31:18 | ...[...] : | PolynomialReDoS.rb:32:5:32:5 | c | +| lib/index.rb:2:11:2:11 | x : | lib/index.rb:4:13:4:13 | x | nodes | PolynomialReDoS.rb:4:12:4:17 | call to params : | semmle.label | call to params : | | PolynomialReDoS.rb:4:12:4:24 | ...[...] : | semmle.label | ...[...] : | @@ -52,6 +53,8 @@ nodes | PolynomialReDoS.rb:32:5:32:5 | c | semmle.label | c | | PolynomialReDoS.rb:42:10:42:13 | name | semmle.label | name | | PolynomialReDoS.rb:47:10:47:13 | name | semmle.label | name | +| lib/index.rb:2:11:2:11 | x : | semmle.label | x : | +| lib/index.rb:4:13:4:13 | x | semmle.label | x | subpaths #select | PolynomialReDoS.rb:10:5:10:17 | ... =~ ... | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:10:5:10:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | 
@@ -74,3 +77,4 @@ subpaths | PolynomialReDoS.rb:32:5:32:20 | call to sub! | PolynomialReDoS.rb:31:9:31:14 | call to params : | PolynomialReDoS.rb:32:5:32:5 | c | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:31:9:31:14 | call to params | user-provided value | | PolynomialReDoS.rb:42:5:45:7 | case ... | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:42:10:42:13 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | | PolynomialReDoS.rb:47:5:50:7 | case ... | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:47:10:47:13 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:48:14:48:16 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value | +| lib/index.rb:4:13:4:26 | call to match | lib/index.rb:2:11:2:11 | x : | lib/index.rb:4:13:4:13 | x | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | lib/index.rb:4:22:4:23 | a+ | regular expression | lib/index.rb:2:11:2:11 | x | library input |
diff --git a/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/lib/index.rb b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/lib/index.rb
new file mode 100644
index 00000000000..d2dfaa2cb9f
--- /dev/null
+++ b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/lib/index.rb
@@ -0,0 +1,6 @@
+module Foo
+ def bar(x)
+ # Run the /a+$/ regex on the input x.
+ match = x.match(/a+$/)
+ end
+end
\ No newline at end of file
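Review bot: `match = x.match(/a+$/)` assigns a local `match` that is never read, so Ruby warns about an unused variable under `-w` and the fixture reads as though the result mattered; `x.match(/a+$/)` alone reaches the same sink. The fixture also has only a positive case: a second method that is not part of the gem's API (for example one below `private`) applying the same regex would show whether `Gem::getALibraryInput()` limits sources to public entrypoints, if that is its intent. Both this file and `poly-redos.gemspec` end without a trailing newline, as the `\ No newline at end of file` markers show.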
diff --git a/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/poly-redos.gemspec b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/poly-redos.gemspec
new file mode 100644
index 00000000000..68c9bc18f4d
--- /dev/null
+++ b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/poly-redos.gemspec
@@ -0,0 +1,5 @@
+Gem::Specification.new do |s|
+ s.name = 'poly-redos'
+ s.require_path = "lib"
+ end
+
\ No newline at end of file
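Review bot: The `end` closing the `Gem::Specification.new` block is indented by one space and followed by a whitespace-only line with no trailing newline; `end` belongs at column 0 and should be the file's last line, terminated by a newline. String quoting is also mixed between `'poly-redos'` and `"lib"`; `s.require_path = 'lib'` keeps one style across the two assignments.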