add tracking of strings to compile-sites for poly-redos, in the style of Ruby

2026-04-29 02:35:15 +02:00 · 2023-02-02 19:26:51 +01:00
parent 52959d7c0a
commit 6e712b293a
4 changed files with 23 additions and 4 deletions
--- a/python/ql/lib/semmle/python/regex.qll
+++ b/python/ql/lib/semmle/python/regex.qll
@@ -85,6 +85,17 @@ predicate used_as_regex(Expr s, string mode) {
  )
 }

+private import semmle.python.Concepts
+private import semmle.python.RegexTreeView
+
+/** Gets a parsed regular expression term that is executed at `exec`. */
+RegExpTerm getTermForExecution(RegexExecution exec) {
+  exists(RegexTracking t, DataFlow::Node source | t.hasFlow(source, exec.getRegex()) |
+    result.getRegex() = source.asExpr() and
+    result.isRootTerm()
+  )
+}
+
 /**
 * Gets the canonical name for the API graph node corresponding to the `re` flag `flag`. For flags
 * that have multiple names, we pick the long-form name as a canonical representative.