Merge pull request #7723 from joefarebrother/redos

Java: Add ReDoS queries
2026-04-29 18:55:14 +02:00 · 2022-05-12 13:50:38 +01:00
parent 4bef451156 64227c9109
commit 59e400d2e0
39 changed files with 5715 additions and 59 deletions
--- a/python/ql/lib/semmle/python/security/performance/ReDoSUtil.qll
+++ b/python/ql/lib/semmle/python/security/performance/ReDoSUtil.qll
@@ -610,16 +610,23 @@ State after(RegExpTerm t) {
  or
  exists(RegExpGroup grp | t = grp.getAChild() | result = after(grp))
  or
-  exists(EffectivelyStar star | t = star.getAChild() | result = before(star))
+  exists(EffectivelyStar star | t = star.getAChild() |
+    not isPossessive(star) and
+    result = before(star)
+  )
  or
  exists(EffectivelyPlus plus | t = plus.getAChild() |
-    result = before(plus) or
+    not isPossessive(plus) and
+    result = before(plus)
+    or
    result = after(plus)
  )
  or
  exists(EffectivelyQuestion opt | t = opt.getAChild() | result = after(opt))
  or
-  exists(RegExpRoot root | t = root | result = AcceptAnySuffix(root))
+  exists(RegExpRoot root | t = root |
+    if matchesAnySuffix(root) then result = AcceptAnySuffix(root) else result = Accept(root)
+  )
 }

 /**
@@ -690,7 +697,7 @@ predicate delta(State q1, EdgeLabel lbl, State q2) {
    lbl = Epsilon() and q2 = Accept(root)
  )
  or
-  exists(RegExpRoot root | q1 = Match(root, 0) | lbl = Any() and q2 = q1)
+  exists(RegExpRoot root | q1 = Match(root, 0) | matchesAnyPrefix(root) and lbl = Any() and q2 = q1)
  or
  exists(RegExpDollar dollar | q1 = before(dollar) |
    lbl = Epsilon() and q2 = Accept(getRoot(dollar))
--- a/python/ql/lib/semmle/python/security/performance/ReDoSUtilSpecific.qll
+++ b/python/ql/lib/semmle/python/security/performance/ReDoSUtilSpecific.qll
@@ -13,6 +13,24 @@ predicate isEscapeClass(RegExpTerm term, string clazz) {
  exists(RegExpCharacterClassEscape escape | term = escape | escape.getValue() = clazz)
 }

+/**
+ * Holds if `term` is a possessive quantifier.
+ * As python's regexes do not support possessive quantifiers, this never holds, but is used by the shared library.
+ */
+predicate isPossessive(RegExpQuantifier term) { none() }
+
+/**
+ * Holds if the regex that `term` is part of is used in a way that ignores any leading prefix of the input it's matched against.
+ * Not yet implemented for Python.
+ */
+predicate matchesAnyPrefix(RegExpTerm term) { any() }
+
+/**
+ * Holds if the regex that `term` is part of is used in a way that ignores any trailing suffix of the input it's matched against.
+ * Not yet implemented for Python.
+ */
+predicate matchesAnySuffix(RegExpTerm term) { any() }
+
 /**
 * Holds if the regular expression should not be considered.
 *