Java: Expose parts of the vquery message in the test.

java/ql/test/query-tests/security/CWE-730/ExpRedosTest.java

@@ -431,7 +431,10 @@ class ExpRedosTest {
         "(a*)*b", // $ hasExpRedos
 
         // BAD - but not detected due to the way possessive quantifiers are approximated
-        "((aa|a*+)b)*c" // $ MISSING: hasExpRedos
+        "((aa|a*+)b)*c", // $ MISSING: hasExpRedos
+
+        // BAD - testsing
+        "(?is)(a|aa?)*b" // $ hasExpRedos hasPrefixMsg="starting with 'is' and " hasPump=a
     };
 
     void test() {

java/ql/test/query-tests/security/CWE-730/ReDoS.ql

@@ -4,8 +4,13 @@ private import semmle.code.java.regex.RegexTreeView::RegexTreeView as TreeView
 import codeql.regex.nfa.ExponentialBackTracking::Make<TreeView> as ExponentialBackTracking
 import semmle.code.java.regex.regex
 
+bindingset[s]
+string quote(string s) { if s.matches("% %") then result = "\"" + s + "\"" else result = s }
+
 module HasExpRedos implements TestSig {
-  string getARelevantTag() { result = ["hasExpRedos", "hasParseFailure"] }
+  string getARelevantTag() {
+    result = ["hasExpRedos", "hasParseFailure", "hasPump", "hasPrefixMsg"]
+  }
 
   predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "hasExpRedos" and
@@ -25,6 +30,22 @@ module HasExpRedos implements TestSig {
       element = r.toString()
     )
   }
+
+  predicate hasOptionalResult(Location location, string element, string tag, string value) {
+    exists(TreeView::RegExpTerm t, Regex r, string pump, string prefixMsg |
+      ExponentialBackTracking::hasReDoSResult(t, pump, _, prefixMsg) and
+      t.occursInRegex(r, _, _) and
+      (
+        tag = "hasPrefixMsg" and
+        value = quote(prefixMsg)
+        or
+        tag = "hasPump" and
+        value = pump
+      ) and
+      location = r.getLocation() and
+      element = r.toString()
+    )
+  }
 }
 
 import MakeTest<HasExpRedos>