mirror of
https://github.com/github/codeql.git
synced 2026-04-19 14:04:09 +02:00
add tracking of strings to compile-sites for poly-redos, in the style of Ruby
This commit is contained in:
@@ -85,6 +85,17 @@ predicate used_as_regex(Expr s, string mode) {
|
||||
)
|
||||
}
|
||||
|
||||
private import semmle.python.Concepts
|
||||
private import semmle.python.RegexTreeView
|
||||
|
||||
/** Gets a parsed regular expression term that is executed at `exec`. */
|
||||
RegExpTerm getTermForExecution(RegexExecution exec) {
|
||||
exists(RegexTracking t, DataFlow::Node source | t.hasFlow(source, exec.getRegex()) |
|
||||
result.getRegex() = source.asExpr() and
|
||||
result.isRootTerm()
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the canonical name for the API graph node corresponding to the `re` flag `flag`. For flags
|
||||
* that have multiple names, we pick the long-form name as a canonical representative.
|
||||
|
||||
@@ -13,6 +13,7 @@ private import semmle.python.dataflow.new.RemoteFlowSources
|
||||
private import semmle.python.dataflow.new.BarrierGuards
|
||||
private import semmle.python.RegexTreeView::RegexTreeView as TreeView
|
||||
private import semmle.python.ApiGraphs
|
||||
private import semmle.python.regex
|
||||
|
||||
/**
|
||||
* Provides default sources, sinks and sanitizers for detecting
|
||||
@@ -66,7 +67,7 @@ module PolynomialReDoS {
|
||||
|
||||
RegexExecutionAsSink() {
|
||||
exists(RegexExecution re |
|
||||
re.getRegex().asExpr() = t.getRegex() and
|
||||
t = getTermForExecution(re) and
|
||||
this = re.getString()
|
||||
) and
|
||||
t.isRootTerm()
|
||||
|
||||
Reference in New Issue
Block a user