diff --git a/java/ql/lib/semmle/code/java/security/regexp/NfaUtils.qll b/java/ql/lib/semmle/code/java/security/regexp/NfaUtils.qll
index a78e65a981f..033b8aa8cfd 100644
--- a/java/ql/lib/semmle/code/java/security/regexp/NfaUtils.qll
+++ b/java/ql/lib/semmle/code/java/security/regexp/NfaUtils.qll
@@ -891,7 +891,7 @@ module PrefixConstruction {
 exists(RegExpRoot root |
 state =
 max(State s, Location l |
- s = stateInPumpableRegexp() and
+ s = stateInRelevantRegexp() and
 isStartState(s) and
 getRoot(s.getRepr()) = root and
 l = s.getRepr().getLocation()
@@ -963,9 +963,9 @@ module PrefixConstruction {
 min(string c | delta(prev, any(InputSymbol symbol | c = intersect(Any(), symbol)), next))
 }
 
- /** Gets a state within a regular expression that has a pumpable state. */
+ /** Gets a state within a regular expression that contains a candidate state. */
 pragma[noinline]
- State stateInPumpableRegexp() {
+ State stateInRelevantRegexp() {
 exists(State s | isCandidate(s) | getRoot(s.getRepr()) = getRoot(result.getRepr()))
 }
 }
@@ -1041,7 +1041,7 @@ module ReDoSPruning {
 */
 pragma[noinline]
 private predicate isLikelyRejectable(State s) {
- s = Prefix::stateInPumpableRegexp() and
+ s = Prefix::stateInRelevantRegexp() and
 (
 // exists a reject edge with some char.
 hasRejectEdge(s)
@@ -1057,7 +1057,7 @@ module ReDoSPruning {
 * Holds if `s` is not an accept state, and there is no epsilon transition to an accept state.
 */
 predicate isRejectState(State s) {
- s = Prefix::stateInPumpableRegexp() and not epsilonSucc*(s) = Accept(_)
+ s = Prefix::stateInRelevantRegexp() and not epsilonSucc*(s) = Accept(_)
 }
 
 /**
@@ -1065,7 +1065,7 @@ module ReDoSPruning {
 */
 pragma[noopt]
 predicate hasEdgeToLikelyRejectable(State s) {
- s = Prefix::stateInPumpableRegexp() and
+ s = Prefix::stateInRelevantRegexp() and
 // all edges (at least one) with some char leads to another state that is rejectable.
 // the `next` states might not share a common suffix, which can cause FPs.
 exists(string char | char = hasEdgeToLikelyRejectableHelper(s) |
@@ -1081,7 +1081,7 @@ module ReDoSPruning {
 */
 pragma[noinline]
 private string hasEdgeToLikelyRejectableHelper(State s) {
- s = Prefix::stateInPumpableRegexp() and
+ s = Prefix::stateInRelevantRegexp() and
 not hasRejectEdge(s) and
 not isRejectState(s) and
 deltaClosedChar(s, result, _)
@@ -1093,8 +1093,8 @@ module ReDoSPruning {
 * `prev` to `next` that the character symbol `char`.
 */
 predicate deltaClosedChar(State prev, string char, State next) {
- prev = Prefix::stateInPumpableRegexp() and
- next = Prefix::stateInPumpableRegexp() and
+ prev = Prefix::stateInRelevantRegexp() and
+ next = Prefix::stateInRelevantRegexp() and
 deltaClosed(prev, getAnInputSymbolMatchingRelevant(char), next)
 }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/regexp/NfaUtils.qll b/javascript/ql/lib/semmle/javascript/security/regexp/NfaUtils.qll
index a78e65a981f..033b8aa8cfd 100644
--- a/javascript/ql/lib/semmle/javascript/security/regexp/NfaUtils.qll
+++ b/javascript/ql/lib/semmle/javascript/security/regexp/NfaUtils.qll
@@ -891,7 +891,7 @@ module PrefixConstruction {
 exists(RegExpRoot root |
 state =
 max(State s, Location l |
- s = stateInPumpableRegexp() and
+ s = stateInRelevantRegexp() and
 isStartState(s) and
 getRoot(s.getRepr()) = root and
 l = s.getRepr().getLocation()
@@ -963,9 +963,9 @@ module PrefixConstruction {
 min(string c | delta(prev, any(InputSymbol symbol | c = intersect(Any(), symbol)), next))
 }
 
- /** Gets a state within a regular expression that has a pumpable state. */
+ /** Gets a state within a regular expression that contains a candidate state. */
 pragma[noinline]
- State stateInPumpableRegexp() {
+ State stateInRelevantRegexp() {
 exists(State s | isCandidate(s) | getRoot(s.getRepr()) = getRoot(result.getRepr()))
 }
 }
@@ -1041,7 +1041,7 @@ module ReDoSPruning {
 */
 pragma[noinline]
 private predicate isLikelyRejectable(State s) {
- s = Prefix::stateInPumpableRegexp() and
+ s = Prefix::stateInRelevantRegexp() and
 (
 // exists a reject edge with some char.
 hasRejectEdge(s)
@@ -1057,7 +1057,7 @@ module ReDoSPruning {
 * Holds if `s` is not an accept state, and there is no epsilon transition to an accept state.
 */
 predicate isRejectState(State s) {
- s = Prefix::stateInPumpableRegexp() and not epsilonSucc*(s) = Accept(_)
+ s = Prefix::stateInRelevantRegexp() and not epsilonSucc*(s) = Accept(_)
 }
 
 /**
@@ -1065,7 +1065,7 @@ module ReDoSPruning {
 */
 pragma[noopt]
 predicate hasEdgeToLikelyRejectable(State s) {
- s = Prefix::stateInPumpableRegexp() and
+ s = Prefix::stateInRelevantRegexp() and
 // all edges (at least one) with some char leads to another state that is rejectable.
 // the `next` states might not share a common suffix, which can cause FPs.
 exists(string char | char = hasEdgeToLikelyRejectableHelper(s) |
@@ -1081,7 +1081,7 @@ module ReDoSPruning {
 */
 pragma[noinline]
 private string hasEdgeToLikelyRejectableHelper(State s) {
- s = Prefix::stateInPumpableRegexp() and
+ s = Prefix::stateInRelevantRegexp() and
 not hasRejectEdge(s) and
 not isRejectState(s) and
 deltaClosedChar(s, result, _)
@@ -1093,8 +1093,8 @@ module ReDoSPruning {
 * `prev` to `next` that the character symbol `char`.
 */
 predicate deltaClosedChar(State prev, string char, State next) {
- prev = Prefix::stateInPumpableRegexp() and
- next = Prefix::stateInPumpableRegexp() and
+ prev = Prefix::stateInRelevantRegexp() and
+ next = Prefix::stateInRelevantRegexp() and
 deltaClosed(prev, getAnInputSymbolMatchingRelevant(char), next)
 }
 
diff --git a/python/ql/lib/semmle/python/security/regexp/NfaUtils.qll b/python/ql/lib/semmle/python/security/regexp/NfaUtils.qll
index a78e65a981f..033b8aa8cfd 100644
--- a/python/ql/lib/semmle/python/security/regexp/NfaUtils.qll
+++ b/python/ql/lib/semmle/python/security/regexp/NfaUtils.qll
@@ -891,7 +891,7 @@ module PrefixConstruction {
 exists(RegExpRoot root |
 state =
 max(State s, Location l |
- s = stateInPumpableRegexp() and
+ s = stateInRelevantRegexp() and
 isStartState(s) and
 getRoot(s.getRepr()) = root and
 l = s.getRepr().getLocation()
@@ -963,9 +963,9 @@ module PrefixConstruction {
 min(string c | delta(prev, any(InputSymbol symbol | c = intersect(Any(), symbol)), next))
 }
 
- /** Gets a state within a regular expression that has a pumpable state. */
+ /** Gets a state within a regular expression that contains a candidate state. */
 pragma[noinline]
- State stateInPumpableRegexp() {
+ State stateInRelevantRegexp() {
 exists(State s | isCandidate(s) | getRoot(s.getRepr()) = getRoot(result.getRepr()))
 }
 }
@@ -1041,7 +1041,7 @@ module ReDoSPruning {
 */
 pragma[noinline]
 private predicate isLikelyRejectable(State s) {
- s = Prefix::stateInPumpableRegexp() and
+ s = Prefix::stateInRelevantRegexp() and
 (
 // exists a reject edge with some char.
 hasRejectEdge(s)
@@ -1057,7 +1057,7 @@ module ReDoSPruning {
 * Holds if `s` is not an accept state, and there is no epsilon transition to an accept state.
 */
 predicate isRejectState(State s) {
- s = Prefix::stateInPumpableRegexp() and not epsilonSucc*(s) = Accept(_)
+ s = Prefix::stateInRelevantRegexp() and not epsilonSucc*(s) = Accept(_)
 }
 
 /**
@@ -1065,7 +1065,7 @@ module ReDoSPruning {
 */
 pragma[noopt]
 predicate hasEdgeToLikelyRejectable(State s) {
- s = Prefix::stateInPumpableRegexp() and
+ s = Prefix::stateInRelevantRegexp() and
 // all edges (at least one) with some char leads to another state that is rejectable.
 // the `next` states might not share a common suffix, which can cause FPs.
 exists(string char | char = hasEdgeToLikelyRejectableHelper(s) |
@@ -1081,7 +1081,7 @@ module ReDoSPruning {
 */
 pragma[noinline]
 private string hasEdgeToLikelyRejectableHelper(State s) {
- s = Prefix::stateInPumpableRegexp() and
+ s = Prefix::stateInRelevantRegexp() and
 not hasRejectEdge(s) and
 not isRejectState(s) and
 deltaClosedChar(s, result, _)
@@ -1093,8 +1093,8 @@ module ReDoSPruning {
 * `prev` to `next` that the character symbol `char`.
 */
 predicate deltaClosedChar(State prev, string char, State next) {
- prev = Prefix::stateInPumpableRegexp() and
- next = Prefix::stateInPumpableRegexp() and
+ prev = Prefix::stateInRelevantRegexp() and
+ next = Prefix::stateInRelevantRegexp() and
 deltaClosed(prev, getAnInputSymbolMatchingRelevant(char), next)
 }
 
diff --git a/ruby/ql/lib/codeql/ruby/security/regexp/NfaUtils.qll b/ruby/ql/lib/codeql/ruby/security/regexp/NfaUtils.qll
index a78e65a981f..033b8aa8cfd 100644
--- a/ruby/ql/lib/codeql/ruby/security/regexp/NfaUtils.qll
+++ b/ruby/ql/lib/codeql/ruby/security/regexp/NfaUtils.qll
@@ -891,7 +891,7 @@ module PrefixConstruction {
 exists(RegExpRoot root |
 state =
 max(State s, Location l |
- s = stateInPumpableRegexp() and
+ s = stateInRelevantRegexp() and
 isStartState(s) and
 getRoot(s.getRepr()) = root and
 l = s.getRepr().getLocation()
@@ -963,9 +963,9 @@ module PrefixConstruction {
 min(string c | delta(prev, any(InputSymbol symbol | c = intersect(Any(), symbol)), next))
 }
 
- /** Gets a state within a regular expression that has a pumpable state. */
+ /** Gets a state within a regular expression that contains a candidate state. */
 pragma[noinline]
- State stateInPumpableRegexp() {
+ State stateInRelevantRegexp() {
 exists(State s | isCandidate(s) | getRoot(s.getRepr()) = getRoot(result.getRepr()))
 }
 }
@@ -1041,7 +1041,7 @@ module ReDoSPruning {
 */
 pragma[noinline]
 private predicate isLikelyRejectable(State s) {
- s = Prefix::stateInPumpableRegexp() and
+ s = Prefix::stateInRelevantRegexp() and
 (
 // exists a reject edge with some char.
 hasRejectEdge(s)
@@ -1057,7 +1057,7 @@ module ReDoSPruning {
 * Holds if `s` is not an accept state, and there is no epsilon transition to an accept state.
 */
 predicate isRejectState(State s) {
- s = Prefix::stateInPumpableRegexp() and not epsilonSucc*(s) = Accept(_)
+ s = Prefix::stateInRelevantRegexp() and not epsilonSucc*(s) = Accept(_)
 }
 
 /**
@@ -1065,7 +1065,7 @@ module ReDoSPruning {
 */
 pragma[noopt]
 predicate hasEdgeToLikelyRejectable(State s) {
- s = Prefix::stateInPumpableRegexp() and
+ s = Prefix::stateInRelevantRegexp() and
 // all edges (at least one) with some char leads to another state that is rejectable.
 // the `next` states might not share a common suffix, which can cause FPs.
 exists(string char | char = hasEdgeToLikelyRejectableHelper(s) |
@@ -1081,7 +1081,7 @@ module ReDoSPruning {
 */
 pragma[noinline]
 private string hasEdgeToLikelyRejectableHelper(State s) {
- s = Prefix::stateInPumpableRegexp() and
+ s = Prefix::stateInRelevantRegexp() and
 not hasRejectEdge(s) and
 not isRejectState(s) and
 deltaClosedChar(s, result, _)
@@ -1093,8 +1093,8 @@ module ReDoSPruning {
 * `prev` to `next` that the character symbol `char`.
 */
 predicate deltaClosedChar(State prev, string char, State next) {
- prev = Prefix::stateInPumpableRegexp() and
- next = Prefix::stateInPumpableRegexp() and
+ prev = Prefix::stateInRelevantRegexp() and
+ next = Prefix::stateInRelevantRegexp() and
 deltaClosed(prev, getAnInputSymbolMatchingRelevant(char), next)
 }
 