Merge pull request #13778 from geoffw0/javaparsemode

Java: Understand multiple parse mode flags specified in a regular expression string
2026-04-29 18:55:14 +02:00 · 2023-09-18 14:22:59 +02:00
parent dc299fc9fa af3d8c88bb
commit 4a37c2fc3a
5 changed files with 80 additions and 9 deletions
--- a/java/ql/test/query-tests/security/CWE-730/ExpRedosTest.java
+++ b/java/ql/test/query-tests/security/CWE-730/ExpRedosTest.java
@@ -86,6 +86,9 @@ class ExpRedosTest {
        // NOT GOOD; attack: "\n".repeat(100) + "."
        "(?s)(.|\\n)*!", // $ hasExpRedos

+        // NOT GOOD; attack: "\n".repeat(100) + "."
+        "(?is)(.|\\n)*!", // $ hasExpRedos
+
        // GOOD
        "([\\w.]+)*",

@@ -120,7 +123,7 @@ class ExpRedosTest {
        "\"((?:\\\\[\\x00-\\x7f]|[^\\x00-\\x08\\x0a-\\x1f\\x7f\"])*)\"", // $ MISSING: hasExpRedos

        // GOOD
-        "\"((?:\\\\[\\x00-\\x7f]|[^\\x00-\\x08\\x0a-\\x1f\\x7f\"\\\\])*)\"", 
+        "\"((?:\\\\[\\x00-\\x7f]|[^\\x00-\\x08\\x0a-\\x1f\\x7f\"\\\\])*)\"",

        // NOT GOOD
        "(([a-z]|[d-h])*)\"", // $ hasExpRedos
@@ -428,7 +431,10 @@ class ExpRedosTest {
        "(a*)*b", // $ hasExpRedos

        // BAD - but not detected due to the way possessive quantifiers are approximated
-        "((aa|a*+)b)*c" // $ MISSING: hasExpRedos
+        "((aa|a*+)b)*c", // $ MISSING: hasExpRedos
+
+        // BAD - testing mode flag groups
+        "(?is)(a|aa?)*b" // $ hasExpRedos hasPrefixMsg= hasPump=a
    };

    void test() {
--- a/java/ql/test/query-tests/security/CWE-730/ReDoS.ql
+++ b/java/ql/test/query-tests/security/CWE-730/ReDoS.ql
@@ -4,8 +4,13 @@ private import semmle.code.java.regex.RegexTreeView::RegexTreeView as TreeView
 import codeql.regex.nfa.ExponentialBackTracking::Make<TreeView> as ExponentialBackTracking
 import semmle.code.java.regex.regex

+bindingset[s]
+string quote(string s) { if s.matches("% %") then result = "\"" + s + "\"" else result = s }
+
 module HasExpRedos implements TestSig {
-  string getARelevantTag() { result = ["hasExpRedos", "hasParseFailure"] }
+  string getARelevantTag() {
+    result = ["hasExpRedos", "hasParseFailure", "hasPump", "hasPrefixMsg"]
+  }

  predicate hasActualResult(Location location, string element, string tag, string value) {
    tag = "hasExpRedos" and
@@ -25,6 +30,22 @@ module HasExpRedos implements TestSig {
      element = r.toString()
    )
  }
+
+  predicate hasOptionalResult(Location location, string element, string tag, string value) {
+    exists(TreeView::RegExpTerm t, Regex r, string pump, string prefixMsg |
+      ExponentialBackTracking::hasReDoSResult(t, pump, _, prefixMsg) and
+      t.occursInRegex(r, _, _) and
+      (
+        tag = "hasPrefixMsg" and
+        value = quote(prefixMsg)
+        or
+        tag = "hasPump" and
+        value = pump
+      ) and
+      location = r.getLocation() and
+      element = r.toString()
+    )
+  }
 }

 import MakeTest<HasExpRedos>