Python: Add ReDoS as identical files from JS

The library specific file is `RegExpTreeView`. The files are recorded as identical via the mapping in `identical-files.json`.
2026-01-09 04:30:21 +01:00 · 2021-06-28 16:56:49 +02:00
parent d2eeaff441
commit 591b6ef69c
9 changed files with 2093 additions and 0 deletions
--- a/python/ql/src/Security/CWE-730/PolynomialBackTracking.ql
+++ b/python/ql/src/Security/CWE-730/PolynomialBackTracking.ql
@@ -0,0 +1,6 @@
+import python
+import semmle.python.regex.SuperlinearBackTracking
+
+from PolynomialBackTrackingTerm t
+where t.getLocation().getFile().getBaseName() = "KnownCVEs.py"
+select t.getRegex(), t, t.getReason()
--- a/python/ql/src/Security/CWE-730/PolynomialReDoS.ql
+++ b/python/ql/src/Security/CWE-730/PolynomialReDoS.ql
@@ -0,0 +1,33 @@
+/**
+ * @name Polynomial regular expression used on uncontrolled data
+ * @description A regular expression that can require polynomial time
+ *              to match may be vulnerable to denial-of-service attacks.
+ * @kind path-problem
+ * @problem.severity warning
+ * @precision high
+ * @id py/polynomial-redos
+ * @tags security
+ *       external/cwe/cwe-730
+ *       external/cwe/cwe-400
+ */
+
+import python
+import semmle.python.regex.SuperlinearBackTracking
+import semmle.python.security.dataflow.PolynomialReDoS
+import DataFlow::PathGraph
+
+from
+  PolynomialReDoSConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink,
+  PolynomialReDoSSink sinkNode, PolynomialBackTrackingTerm regexp
+where
+  config.hasFlowPath(source, sink) and
+  sinkNode = sink.getNode() and
+  regexp.getRootTerm() = sinkNode.getRegExp()
+//   not (
+//     source.getNode().(Source).getKind() = "url" and
+//     regexp.isAtEndLine()
+//   )
+select sinkNode.getHighlight(), source, sink,
+  "This $@ that depends on $@ may run slow on strings " + regexp.getPrefixMessage() +
+    "with many repetitions of '" + regexp.getPumpString() + "'.", regexp, "regular expression",
+  source.getNode(), "a user-provided value"
--- a/python/ql/src/Security/CWE-730/ReDoS.ql
+++ b/python/ql/src/Security/CWE-730/ReDoS.ql
@@ -0,0 +1,25 @@
+/**
+ * @name Inefficient regular expression
+ * @description A regular expression that requires exponential time to match certain inputs
+ *              can be a performance bottleneck, and may be vulnerable to denial-of-service
+ *              attacks.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id py/redos
+ * @tags security
+ *       external/cwe/cwe-730
+ *       external/cwe/cwe-400
+ */
+
+import python
+import semmle.python.regex.ExponentialBackTracking
+
+from RegExpTerm t, string pump, State s, string prefixMsg
+where
+  hasReDoSResult(t, pump, s, prefixMsg) and
+  // exclude verbose mode regexes for now
+  not t.getRegex().getAMode() = "VERBOSE"
+select t,
+  "This part of the regular expression may cause exponential backtracking on strings " + prefixMsg +
+    "containing many repetitions of '" + pump + "'."