Ruby: configsig rb/polynomial-redos

2026-04-25 16:55:19 +02:00 · 2023-09-03 16:11:12 +01:00
parent 04d3d04317
commit 494b7b3fdf
2 changed files with 29 additions and 11 deletions
--- a/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll
@@ -2,9 +2,9 @@
 * Provides a taint tracking configuration for reasoning about polynomial
 * regular expression denial-of-service attacks.
 *
- * Note, for performance reasons: only import this file if `Configuration` is
- * needed. Otherwise, `PolynomialReDoSCustomizations` should be imported
- * instead.
+ * Note, for performance reasons: only import this file if
+ * `PolynomialReDoSFlow` is needed. Otherwise,
+ * `PolynomialReDoSCustomizations` should be imported instead.
 */

 private import codeql.ruby.DataFlow
@@ -13,15 +13,17 @@ private import codeql.ruby.TaintTracking
 /**
 * Provides a taint-tracking configuration for detecting polynomial regular
 * expression denial of service vulnerabilities.
+ * DEPRECATED: Use `PolynomialReDoSFlow`
 */
-module PolynomialReDoS {
+deprecated module PolynomialReDoS {
  import PolynomialReDoSCustomizations::PolynomialReDoS

  /**
   * A taint-tracking configuration for detecting polynomial regular expression
   * denial of service vulnerabilities.
+   * DEPRECATED: Use `PolynomialReDoSFlow`
   */
-  class Configuration extends TaintTracking::Configuration {
+  deprecated class Configuration extends TaintTracking::Configuration {
    Configuration() { this = "PolynomialReDoS" }

    override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -35,3 +37,19 @@ module PolynomialReDoS {
    }
  }
 }
+
+private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
+  private import PolynomialReDoSCustomizations::PolynomialReDoS
+
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+ * Taint-tracking for detecting polynomial regular
+ * expression denial of service vulnerabilities.
+ */
+module PolynomialReDoSFlow = TaintTracking::Global<PolynomialReDoSConfig>;
--- a/ruby/ql/src/queries/security/cwe-1333/PolynomialReDoS.ql
+++ b/ruby/ql/src/queries/security/cwe-1333/PolynomialReDoS.ql
@@ -13,18 +13,18 @@
 *       external/cwe/cwe-400
 */

-import DataFlow::PathGraph
-import codeql.ruby.DataFlow
+import codeql.ruby.security.regexp.PolynomialReDoSCustomizations::PolynomialReDoS as PR
 import codeql.ruby.security.regexp.PolynomialReDoSQuery
+import PolynomialReDoSFlow::PathGraph

 from
-  PolynomialReDoS::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink,
-  PolynomialReDoS::Sink sinkNode, PolynomialReDoS::PolynomialBackTrackingTerm regexp
+  PolynomialReDoSFlow::PathNode source, PolynomialReDoSFlow::PathNode sink, PR::Sink sinkNode,
+  PR::PolynomialBackTrackingTerm regexp
 where
-  config.hasFlowPath(source, sink) and
+  PolynomialReDoSFlow::flowPath(source, sink) and
  sinkNode = sink.getNode() and
  regexp = sinkNode.getRegExp()
 select sinkNode.getHighlight(), source, sink,
  "This $@ that depends on a $@ may run slow on strings " + regexp.getPrefixMessage() +
    "with many repetitions of '" + regexp.getPumpString() + "'.", regexp, "regular expression",
-  source.getNode(), source.getNode().(PolynomialReDoS::Source).describe()
+  source.getNode(), source.getNode().(PR::Source).describe()