Merge pull request #6693 from yoff/python/promote-regex-injection

Python: Promote `py/regex-injection`

python/ql/src/Security/CWE-730/RegexInjection.ql

@@ -5,25 +5,24 @@
  *              exponential time on certain inputs.
  * @kind path-problem
  * @problem.severity error
+ * @precision high
  * @id py/regex-injection
  * @tags security
  *       external/cwe/cwe-730
  *       external/cwe/cwe-400
  */
 
-// determine precision above
 import python
-import experimental.semmle.python.security.injection.RegexInjection
+private import semmle.python.Concepts
+import semmle.python.security.injection.RegexInjection
 import DataFlow::PathGraph
 
 from
-  RegexInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
-  RegexInjectionSink regexInjectionSink, Attribute methodAttribute
+  RegexInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink,
+  RegexExecution regexExecution
 where
   config.hasFlowPath(source, sink) and
-  regexInjectionSink = sink.getNode() and
-  methodAttribute = regexInjectionSink.getRegexMethod()
+  regexExecution = sink.getNode().(RegexInjection::Sink).getRegexExecution()
 select sink.getNode(), source, sink,
   "$@ regular expression is constructed from a $@ and executed by $@.", sink.getNode(), "This",
-  source.getNode(), "user-provided value", methodAttribute,
-  regexInjectionSink.getRegexModule() + "." + methodAttribute.getName()
+  source.getNode(), "user-provided value", regexExecution, regexExecution.getName()

python/ql/src/experimental/semmle/python/Concepts.qll

@@ -44,73 +44,6 @@ class LogOutput extends DataFlow::Node {
   DataFlow::Node getAnInput() { result = range.getAnInput() }
 }
 
-/** Provides classes for modeling Regular Expression-related APIs. */
-module RegexExecution {
-  /**
-   * A data-flow node that executes a regular expression.
-   *
-   * Extend this class to model new APIs. If you want to refine existing API models,
-   * extend `RegexExecution` instead.
-   */
-  abstract class Range extends DataFlow::Node {
-    /**
-     * Gets the argument containing the executed expression.
-     */
-    abstract DataFlow::Node getRegexNode();
-
-    /**
-     * Gets the library used to execute the regular expression.
-     */
-    abstract string getRegexModule();
-  }
-}
-
-/**
- * A data-flow node that executes a regular expression.
- *
- * Extend this class to refine existing API models. If you want to model new APIs,
- * extend `RegexExecution::Range` instead.
- */
-class RegexExecution extends DataFlow::Node {
-  RegexExecution::Range range;
-
-  RegexExecution() { this = range }
-
-  DataFlow::Node getRegexNode() { result = range.getRegexNode() }
-
-  string getRegexModule() { result = range.getRegexModule() }
-}
-
-/** Provides classes for modeling Regular Expression escape-related APIs. */
-module RegexEscape {
-  /**
-   * A data-flow node that escapes a regular expression.
-   *
-   * Extend this class to model new APIs. If you want to refine existing API models,
-   * extend `RegexEscape` instead.
-   */
-  abstract class Range extends DataFlow::Node {
-    /**
-     * Gets the argument containing the escaped expression.
-     */
-    abstract DataFlow::Node getRegexNode();
-  }
-}
-
-/**
- * A data-flow node that escapes a regular expression.
- *
- * Extend this class to refine existing API models. If you want to model new APIs,
- * extend `RegexEscape::Range` instead.
- */
-class RegexEscape extends DataFlow::Node {
-  RegexEscape::Range range;
-
-  RegexEscape() { this = range }
-
-  DataFlow::Node getRegexNode() { result = range.getRegexNode() }
-}
-
 /** Provides classes for modeling LDAP query execution-related APIs. */
 module LDAPQuery {
   /**

python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll

@@ -9,91 +9,3 @@ private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import experimental.semmle.python.Concepts
 private import semmle.python.ApiGraphs
-
-/**
- * Provides models for Python's `re` library.
- *
- * See https://docs.python.org/3/library/re.html
- */
-private module Re {
-  /**
-   * List of `re` methods immediately executing an expression.
-   *
-   * See https://docs.python.org/3/library/re.html#module-contents
-   */
-  private class RegexExecutionMethods extends string {
-    RegexExecutionMethods() {
-      this in ["match", "fullmatch", "search", "split", "findall", "finditer", "sub", "subn"]
-    }
-  }
-
-  /**
-   * A class to find `re` methods immediately executing an expression.
-   *
-   * See `RegexExecutionMethods`
-   */
-  private class DirectRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
-    DataFlow::Node regexNode;
-
-    DirectRegex() {
-      this = API::moduleImport("re").getMember(any(RegexExecutionMethods m)).getACall() and
-      regexNode = this.getArg(0)
-    }
-
-    override DataFlow::Node getRegexNode() { result = regexNode }
-
-    override string getRegexModule() { result = "re" }
-  }
-
-  /**
-   * A class to find `re` methods immediately executing a compiled expression by `re.compile`.
-   *
-   * Given the following example:
-   *
-   * ```py
-   * pattern = re.compile(input)
-   * pattern.match(s)
-   * ```
-   *
-   * This class will identify that `re.compile` compiles `input` and afterwards
-   * executes `re`'s `match`. As a result, `this` will refer to `pattern.match(s)`
-   * and `this.getRegexNode()` will return the node for `input` (`re.compile`'s first argument)
-   *
-   *
-   * See `RegexExecutionMethods`
-   *
-   * See https://docs.python.org/3/library/re.html#regular-expression-objects
-   */
-  private class CompiledRegex extends DataFlow::MethodCallNode, RegexExecution::Range {
-    DataFlow::Node regexNode;
-
-    CompiledRegex() {
-      exists(DataFlow::MethodCallNode patternCall |
-        patternCall = API::moduleImport("re").getMember("compile").getACall() and
-        patternCall.flowsTo(this.getObject()) and
-        this.getMethodName() instanceof RegexExecutionMethods and
-        regexNode = patternCall.getArg(0)
-      )
-    }
-
-    override DataFlow::Node getRegexNode() { result = regexNode }
-
-    override string getRegexModule() { result = "re" }
-  }
-
-  /**
-   * A class to find `re` methods escaping an expression.
-   *
-   * See https://docs.python.org/3/library/re.html#re.escape
-   */
-  class ReEscape extends DataFlow::CallCfgNode, RegexEscape::Range {
-    DataFlow::Node regexNode;
-
-    ReEscape() {
-      this = API::moduleImport("re").getMember("escape").getACall() and
-      regexNode = this.getArg(0)
-    }
-
-    override DataFlow::Node getRegexNode() { result = regexNode }
-  }
-}

python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll

@@ -1,53 +0,0 @@
-/**
- * Provides a taint-tracking configuration for detecting regular expression injection
- * vulnerabilities.
- */
-
-import python
-import experimental.semmle.python.Concepts
-import semmle.python.dataflow.new.DataFlow
-import semmle.python.dataflow.new.TaintTracking
-import semmle.python.dataflow.new.RemoteFlowSources
-
-/**
- * A class to find methods executing regular expressions.
- *
- * See `RegexExecution`
- */
-class RegexInjectionSink extends DataFlow::Node {
-  string regexModule;
-  Attribute regexMethod;
-
-  RegexInjectionSink() {
-    exists(RegexExecution reExec |
-      this = reExec.getRegexNode() and
-      regexModule = reExec.getRegexModule() and
-      regexMethod = reExec.(DataFlow::CallCfgNode).getFunction().asExpr().(Attribute)
-    )
-  }
-
-  /**
-   * Gets the argument containing the executed expression.
-   */
-  string getRegexModule() { result = regexModule }
-
-  /**
-   * Gets the method used to execute the regular expression.
-   */
-  Attribute getRegexMethod() { result = regexMethod }
-}
-
-/**
- * A taint-tracking configuration for detecting regular expression injections.
- */
-class RegexInjectionFlowConfig extends TaintTracking::Configuration {
-  RegexInjectionFlowConfig() { this = "RegexInjectionFlowConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink }
-
-  override predicate isSanitizer(DataFlow::Node sanitizer) {
-    sanitizer = any(RegexEscape reEscape).getRegexNode()
-  }
-}