Fix to PolynomialRedos not finding results and to test cases not finding that

2026-04-25 08:45:14 +02:00 · 2022-02-16 16:31:50 +00:00
parent 91887ab229
commit 5143585080
4 changed files with 44 additions and 27 deletions
--- a/java/ql/test/query-tests/security/CWE-730/PolyRedosTest.java
+++ b/java/ql/test/query-tests/security/CWE-730/PolyRedosTest.java
@@ -6,30 +6,30 @@ import com.google.common.base.Splitter;
 class PolyRedosTest {
    void test(HttpServletRequest request) {
        String tainted = request.getParameter("inp");
-        String reg = "a\\.\\d+E?\\d+b";
+        String reg = "0\\.\\d+E?\\d+!";
        Predicate<String> dummyPred = (s -> s.length() % 7 == 0);
        
-        tainted.matches(reg); // $ hasTaintFlow
-        tainted.split(reg); // $ hasTaintFlow
-        tainted.split(reg, 7); // $ hasTaintFlow
-        Pattern.matches(reg, tainted); // $ hasTaintFlow
-        Pattern.compile(reg).matcher(tainted).matches(); // $ hasTaintFlow
-        Pattern.compile(reg).split(tainted); // $ hasTaintFlow
-        Pattern.compile(reg, Pattern.DOTALL).split(tainted); // $ hasTaintFlow
-        Pattern.compile(reg).split(tainted, 7); // $ hasTaintFlow
-        Pattern.compile(reg).splitAsStream(tainted); // $ hasTaintFlow
-        Pattern.compile(reg).asPredicate().test(tainted); // $ hasTaintFlow
-        Pattern.compile(reg).asMatchPredicate().negate().and(dummyPred).or(dummyPred).test(tainted); // $ hasTaintFlow
-        Predicate.not(dummyPred.and(dummyPred.or(Pattern.compile(reg).asPredicate()))).test(tainted); // $ hasTaintFlow
+        tainted.matches(reg); // $ hasPolyRedos
+        tainted.split(reg); // $ hasPolyRedos
+        tainted.split(reg, 7); // $ hasPolyRedos
+        Pattern.matches(reg, tainted); // $ hasPolyRedos
+        Pattern.compile(reg).matcher(tainted).matches(); // $ hasPolyRedos
+        Pattern.compile(reg).split(tainted); // $ hasPolyRedos
+        Pattern.compile(reg, Pattern.DOTALL).split(tainted); // $ hasPolyRedos
+        Pattern.compile(reg).split(tainted, 7); // $ hasPolyRedos
+        Pattern.compile(reg).splitAsStream(tainted); // $ hasPolyRedos
+        Pattern.compile(reg).asPredicate().test(tainted); // $ hasPolyRedos
+        Pattern.compile(reg).asMatchPredicate().negate().and(dummyPred).or(dummyPred).test(tainted); // $ hasPolyRedos
+        Predicate.not(dummyPred.and(dummyPred.or(Pattern.compile(reg).asPredicate()))).test(tainted); // $ hasPolyRedos

-        Splitter.on(Pattern.compile(reg)).split(tainted); // $ hasTaintFlow
+        Splitter.on(Pattern.compile(reg)).split(tainted); // $ hasPolyRedos
        Splitter.on(reg).split(tainted); 
-        Splitter.onPattern(reg).split(tainted); // $ hasTaintFlow
-        Splitter.onPattern(reg).splitToList(tainted); // $ hasTaintFlow
-        Splitter.onPattern(reg).limit(7).omitEmptyStrings().trimResults().split(tainted); // $ hasTaintFlow
-        Splitter.onPattern(reg).withKeyValueSeparator(" => ").split(tainted); // $ hasTaintFlow
+        Splitter.onPattern(reg).split(tainted); // $ hasPolyRedos
+        Splitter.onPattern(reg).splitToList(tainted); // $ hasPolyRedos
+        Splitter.onPattern(reg).limit(7).omitEmptyStrings().trimResults().split(tainted); // $ hasPolyRedos
+        Splitter.onPattern(reg).withKeyValueSeparator(" => ").split(tainted); // $ hasPolyRedos
        Splitter.on(";").withKeyValueSeparator(reg).split(tainted);
-        Splitter.on(";").withKeyValueSeparator(Splitter.onPattern(reg)).split(tainted); // $ hasTaintFlow
+        Splitter.on(";").withKeyValueSeparator(Splitter.onPattern(reg)).split(tainted); // $ hasPolyRedos

    }
 }
--- a/java/ql/test/query-tests/security/CWE-730/PolynomialReDoS.ql
+++ b/java/ql/test/query-tests/security/CWE-730/PolynomialReDoS.ql
@@ -1,6 +1,5 @@
 import java
 import TestUtilities.InlineExpectationsTest
-import TestUtilities.InlineFlowTest
 import semmle.code.java.security.performance.SuperlinearBackTracking
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.regex.RegexTreeView
@@ -11,19 +10,35 @@ class PolynomialRedosSink extends DataFlow::Node {
  RegExpLiteral reg;

  PolynomialRedosSink() { regexMatchedAgainst(reg.getRegex(), this.asExpr()) }
-  // RegExpTerm getRegExp() { result = reg }
+
+  RegExpTerm getRegExp() { result.getParent() = reg }
 }

 class PolynomialRedosConfig extends TaintTracking::Configuration {
-  PolynomialRedosConfig() { this = "PolynomialRodisConfig" }
+  PolynomialRedosConfig() { this = "PolynomialRedosConfig" }

  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }

  override predicate isSink(DataFlow::Node sink) { sink instanceof PolynomialRedosSink }
 }

-class HasFlowTest extends InlineFlowTest {
-  override DataFlow::Configuration getTaintFlowConfig() { result = any(PolynomialRedosConfig c) }
+class HasPolyRedos extends InlineExpectationsTest {
+  HasPolyRedos() { this = "HasPolyRedos" }

-  override DataFlow::Configuration getValueFlowConfig() { none() }
+  override string getARelevantTag() { result = ["hasPolyRedos"] }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasPolyRedos" and
+    exists(
+      PolynomialRedosConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
+      PolynomialRedosSink sinkNode, PolynomialBackTrackingTerm regexp
+    |
+      config.hasFlowPath(source, sink) and
+      sinkNode = sink.getNode() and
+      regexp.getRootTerm() = sinkNode.getRegExp() and
+      location = sinkNode.getLocation() and
+      element = sinkNode.toString() and
+      value = ""
+    )
+  }
 }