hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

remove paths without unmatched returns from polynomial-redos

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2021-12-01 15:31:25 +01:00
parent 55c17f453f
commit 6327fced6f
4 changed files with 34 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
javascript/ql/lib/semmle/javascript/security/performance/PolynomialReDoS.qll
View File

@@ -28,5 +28,15 @@ module PolynomialReDoS {
super.isSanitizer(node) or
node instanceof Sanitizer
}
override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
super.hasFlowPath(source, sink) and
// require that there is a path without unmatched return steps
DataFlow::hasPathWithoutUnmatchedReturn(source, sink)
}
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
DataFlow::localFieldStep(pred, succ)
}
}
}

1
javascript/ql/test/query-tests/Performance/ReDoS/PolynomialBackTracking.expected
View File

@@ -31,6 +31,7 @@
| lib/indirect.js:2:6:2:7 | k* | Strings with many repetitions of 'k' can start matching anywhere after the start of the preceeding k*h |
| lib/lib.js:1:15:1:16 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
| lib/lib.js:8:3:8:4 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
| lib/lib.js:28:3:28:4 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
| lib/moduleLib/moduleLib.js:2:3:2:4 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
| lib/otherLib/js/src/index.js:2:3:2:4 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
| lib/sublib/factory.js:13:14:13:15 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |

13
javascript/ql/test/query-tests/Performance/ReDoS/PolynomialReDoS.expected
View File

@@ -15,6 +15,13 @@ nodes
| lib/lib.js:7:19:7:22 | name |
| lib/lib.js:8:13:8:16 | name |
| lib/lib.js:8:13:8:16 | name |
| lib/lib.js:21:14:21:14 | x |
| lib/lib.js:21:14:21:14 | x |
| lib/lib.js:22:9:22:9 | x |
| lib/lib.js:27:6:27:19 | y |
| lib/lib.js:27:10:27:19 | id("safe") |
| lib/lib.js:28:13:28:13 | y |
| lib/lib.js:28:13:28:13 | y |
| lib/moduleLib/moduleLib.js:1:28:1:31 | name |
| lib/moduleLib/moduleLib.js:1:28:1:31 | name |
| lib/moduleLib/moduleLib.js:2:13:2:16 | name |
@@ -186,6 +193,12 @@ edges
| lib/lib.js:7:19:7:22 | name | lib/lib.js:8:13:8:16 | name |
| lib/lib.js:7:19:7:22 | name | lib/lib.js:8:13:8:16 | name |
| lib/lib.js:7:19:7:22 | name | lib/lib.js:8:13:8:16 | name |
| lib/lib.js:21:14:21:14 | x | lib/lib.js:22:9:22:9 | x |
| lib/lib.js:21:14:21:14 | x | lib/lib.js:22:9:22:9 | x |
| lib/lib.js:22:9:22:9 | x | lib/lib.js:27:10:27:19 | id("safe") |
| lib/lib.js:27:6:27:19 | y | lib/lib.js:28:13:28:13 | y |
| lib/lib.js:27:6:27:19 | y | lib/lib.js:28:13:28:13 | y |
| lib/lib.js:27:10:27:19 | id("safe") | lib/lib.js:27:6:27:19 | y |
| lib/moduleLib/moduleLib.js:1:28:1:31 | name | lib/moduleLib/moduleLib.js:2:13:2:16 | name |
| lib/moduleLib/moduleLib.js:1:28:1:31 | name | lib/moduleLib/moduleLib.js:2:13:2:16 | name |
| lib/moduleLib/moduleLib.js:1:28:1:31 | name | lib/moduleLib/moduleLib.js:2:13:2:16 | name |

10
javascript/ql/test/query-tests/Performance/ReDoS/lib/lib.js
View File

@@ -16,4 +16,14 @@ module.exports.closure = require("./closure")
module.exports.func = function (conf) {
return require("./indirect")
}
function id (x) {
return x;
}
module.exports.id = id;
module.exports.safe = function (x) {
var y = id("safe");
/f*g/.test(y); // OK
}