Add test for polynomial ReDoS query

2026-04-26 09:15:12 +02:00 · 2021-09-02 16:41:20 +01:00
parent cbe23661ed
commit 47e5a8fd09
3 changed files with 101 additions and 0 deletions
--- a/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected
+++ b/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected
@@ -0,0 +1,61 @@
+edges
+| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:10:5:10:8 | name |
+| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:11:5:11:8 | name |
+| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:12:5:12:8 | name |
+| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:13:5:13:8 | name |
+| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:14:5:14:8 | name |
+| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:15:5:15:8 | name |
+| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:16:5:16:8 | name |
+| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:17:5:17:8 | name |
+| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:18:5:18:8 | name |
+| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:19:5:19:8 | name |
+| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:20:5:20:8 | name |
+| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:21:5:21:8 | name |
+| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:22:5:22:8 | name |
+| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:23:17:23:20 | name |
+| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:24:18:24:21 | name |
+| PolynomialReDoS.rb:27:9:27:14 | call to params :  | PolynomialReDoS.rb:28:5:28:5 | a |
+| PolynomialReDoS.rb:29:9:29:14 | call to params :  | PolynomialReDoS.rb:30:5:30:5 | b |
+| PolynomialReDoS.rb:31:9:31:14 | call to params :  | PolynomialReDoS.rb:32:5:32:5 | c |
+nodes
+| PolynomialReDoS.rb:4:12:4:17 | call to params :  | semmle.label | call to params :  |
+| PolynomialReDoS.rb:10:5:10:8 | name | semmle.label | name |
+| PolynomialReDoS.rb:11:5:11:8 | name | semmle.label | name |
+| PolynomialReDoS.rb:12:5:12:8 | name | semmle.label | name |
+| PolynomialReDoS.rb:13:5:13:8 | name | semmle.label | name |
+| PolynomialReDoS.rb:14:5:14:8 | name | semmle.label | name |
+| PolynomialReDoS.rb:15:5:15:8 | name | semmle.label | name |
+| PolynomialReDoS.rb:16:5:16:8 | name | semmle.label | name |
+| PolynomialReDoS.rb:17:5:17:8 | name | semmle.label | name |
+| PolynomialReDoS.rb:18:5:18:8 | name | semmle.label | name |
+| PolynomialReDoS.rb:19:5:19:8 | name | semmle.label | name |
+| PolynomialReDoS.rb:20:5:20:8 | name | semmle.label | name |
+| PolynomialReDoS.rb:21:5:21:8 | name | semmle.label | name |
+| PolynomialReDoS.rb:22:5:22:8 | name | semmle.label | name |
+| PolynomialReDoS.rb:23:17:23:20 | name | semmle.label | name |
+| PolynomialReDoS.rb:24:18:24:21 | name | semmle.label | name |
+| PolynomialReDoS.rb:27:9:27:14 | call to params :  | semmle.label | call to params :  |
+| PolynomialReDoS.rb:28:5:28:5 | a | semmle.label | a |
+| PolynomialReDoS.rb:29:9:29:14 | call to params :  | semmle.label | call to params :  |
+| PolynomialReDoS.rb:30:5:30:5 | b | semmle.label | b |
+| PolynomialReDoS.rb:31:9:31:14 | call to params :  | semmle.label | call to params :  |
+| PolynomialReDoS.rb:32:5:32:5 | c | semmle.label | c |
+#select
+| PolynomialReDoS.rb:10:5:10:17 | ... =~ ... | PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:10:5:10:8 | name | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | a user-provided value |
+| PolynomialReDoS.rb:11:5:11:17 | ... !~ ... | PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:11:5:11:8 | name | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | a user-provided value |
+| PolynomialReDoS.rb:12:5:12:15 | ...[...] | PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:12:5:12:8 | name | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | a user-provided value |
+| PolynomialReDoS.rb:13:5:13:23 | call to gsub | PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:13:5:13:8 | name | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | a user-provided value |
+| PolynomialReDoS.rb:14:5:14:20 | call to index | PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:14:5:14:8 | name | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | a user-provided value |
+| PolynomialReDoS.rb:15:5:15:20 | call to match | PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:15:5:15:8 | name | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | a user-provided value |
+| PolynomialReDoS.rb:16:5:16:21 | call to match? | PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:16:5:16:8 | name | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | a user-provided value |
+| PolynomialReDoS.rb:17:5:17:24 | call to partition | PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:17:5:17:8 | name | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | a user-provided value |
+| PolynomialReDoS.rb:18:5:18:21 | call to rindex | PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:18:5:18:8 | name | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | a user-provided value |
+| PolynomialReDoS.rb:19:5:19:25 | call to rpartition | PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:19:5:19:8 | name | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | a user-provided value |
+| PolynomialReDoS.rb:20:5:20:19 | call to scan | PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:20:5:20:8 | name | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | a user-provided value |
+| PolynomialReDoS.rb:21:5:21:20 | call to split | PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:21:5:21:8 | name | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | a user-provided value |
+| PolynomialReDoS.rb:22:5:22:22 | call to sub | PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:22:5:22:8 | name | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | a user-provided value |
+| PolynomialReDoS.rb:23:5:23:20 | call to match | PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:23:17:23:20 | name | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | a user-provided value |
+| PolynomialReDoS.rb:24:5:24:21 | call to match? | PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:24:18:24:21 | name | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | a user-provided value |
+| PolynomialReDoS.rb:28:5:28:21 | call to gsub! | PolynomialReDoS.rb:27:9:27:14 | call to params :  | PolynomialReDoS.rb:28:5:28:5 | a | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:27:9:27:14 | call to params | a user-provided value |
+| PolynomialReDoS.rb:30:5:30:18 | call to slice! | PolynomialReDoS.rb:29:9:29:14 | call to params :  | PolynomialReDoS.rb:30:5:30:5 | b | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:29:9:29:14 | call to params | a user-provided value |
+| PolynomialReDoS.rb:32:5:32:20 | call to sub! | PolynomialReDoS.rb:31:9:31:14 | call to params :  | PolynomialReDoS.rb:32:5:32:5 | c | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:31:9:31:14 | call to params | a user-provided value |
--- a/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.qlref
+++ b/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.qlref
@@ -0,0 +1 @@
+queries/security/cwe-1333/PolynomialReDoS.ql
--- a/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.rb
+++ b/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.rb
@@ -0,0 +1,39 @@
+class FooController < ActionController::Base
+  def some_request_handler
+    # A source for the data-flow query (i.e. a remote flow source)
+    name = params[:name]
+
+    # A vulnerable regex
+    regex = /^\s+|\s+$/
+
+    # Various sinks that match the source against the regex
+    name =~ regex         # NOT GOOD
+    name !~ regex         # NOT GOOD
+    name[regex]           # NOT GOOD
+    name.gsub regex, ''   # NOT GOOD
+    name.index regex      # NOT GOOD
+    name.match regex      # NOT GOOD
+    name.match? regex     # NOT GOOD
+    name.partition regex  # NOT GOOD
+    name.rindex regex     # NOT GOOD
+    name.rpartition regex # NOT GOOD
+    name.scan regex       # NOT GOOD
+    name.split regex      # NOT GOOD
+    name.sub regex, ''    # NOT GOOD
+    regex.match name      # NOT GOOD
+    regex.match? name     # NOT GOOD
+
+    # Destructive variants
+    a = params[:b]
+    a.gsub! regex, ''     # NOT GOOD
+    b = params[:a]
+    b.slice! regex        # NOT GOOD
+    c = params[:c]
+    c.sub! regex, ''      # NOT GOOD
+
+    # GOOD - guarded by a string length check
+    if name.length < 1024
+	name.gsub regex, ''
+    end
+  end
+end
				`@@ -0,0 +1 @@`
				`queries/security/cwe-1333/PolynomialReDoS.ql`