Add sanitizers for compiled regexes

2026-04-25 16:55:19 +02:00 · 2024-06-11 15:44:16 +01:00
parent 6ff7fb2a70
commit 93f10fcf14
2 changed files with 19 additions and 0 deletions
--- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll
@@ -157,6 +157,15 @@ module ServerSideRequestForgery {
      branch = true and
      call = API::moduleImport("re").getMember(["match", "fullmatch"]).getACall() and
      strNode = [call.getArg(1), call.getArgByName("string")]
+      or
+      branch = true and
+      call =
+        API::moduleImport("re")
+            .getMember("compile")
+            .getReturn()
+            .getMember(["match", "fullmatch"])
+            .getACall() and
+      strNode = [call.getArg(0), call.getArgByName("string")]
    )
  }
 }
--- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/full_partial_test.py
+++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/full_partial_test.py
@@ -164,3 +164,13 @@ def partial_ssrf_7():
    if re.match(r'[a-zA-Z0-9]+', user_input):
        url = f"https://example.com/foo#{user_input}"
        requests.get(url) # NOT OK, but NOT FOUND - user input can contain arbitrary character as a suffix.
+
+    reg = re.compile(r'^[a-zA-Z0-9]+$')
+
+    if reg.match(user_input):
+       url = f"https://example.com/foo#{user_input}"
+       requests.get(url) # OK - user input can only contain alphanumerical characters
+
+    if reg.fullmatch(user_input):
+       url = f"https://example.com/foo#{user_input}"
+       requests.get(url) # OK - user input can only contain alphanumerical characters