Merge pull request #256 from github/syncRedos

sync ReDoSUtil.qll with python/JS
2026-04-27 17:55:19 +02:00 · 2021-08-23 10:11:16 +01:00
parent a2115f41e8 5e63b0b132
commit 9c17e00645
2 changed files with 56 additions and 0 deletions
--- a/ql/src/codeql_ruby/regexp/ReDoSUtil.qll
+++ b/ql/src/codeql_ruby/regexp/ReDoSUtil.qll
@@ -72,6 +72,49 @@ private int ascii(string char) {
    )
 }

+/**
+ * Holds if `t` matches at least an epsilon symbol.
+ *
+ * That is, this term does not restrict the language of the enclosing regular expression.
+ *
+ * This is implemented as an under-approximation, and this predicate does not hold for sub-patterns in particular.
+ */
+predicate matchesEpsilon(RegExpTerm t) {
+  t instanceof RegExpStar
+  or
+  t instanceof RegExpOpt
+  or
+  t.(RegExpRange).getLowerBound() = 0
+  or
+  exists(RegExpTerm child |
+    child = t.getAChild() and
+    matchesEpsilon(child)
+  |
+    t instanceof RegExpAlt or
+    t instanceof RegExpGroup or
+    t instanceof RegExpPlus or
+    t instanceof RegExpRange
+  )
+  or
+  matchesEpsilon(t.(RegExpBackRef).getGroup())
+  or
+  forex(RegExpTerm child | child = t.(RegExpSequence).getAChild() | matchesEpsilon(child))
+}
+
+/**
+ * A lookahead/lookbehind that matches the empty string.
+ */
+class EmptyPositiveSubPatttern extends RegExpSubPattern {
+  EmptyPositiveSubPatttern() {
+    (
+      this instanceof RegExpPositiveLookahead
+      or
+      this instanceof RegExpPositiveLookbehind
+    ) and
+    matchesEpsilon(this.getOperand())
+  }
+}
+
 /**
 * A branch in a disjunction that is the root node in a literal, or a literal
 * whose root node is not a disjunction.
@@ -659,6 +702,10 @@ predicate delta(State q1, EdgeLabel lbl, State q2) {
  exists(RegExpDollar dollar | q1 = before(dollar) |
    lbl = Epsilon() and q2 = Accept(getRoot(dollar))
  )
+  or
+  exists(EmptyPositiveSubPatttern empty | q1 = before(empty) |
+    lbl = Epsilon() and q2 = after(empty)
+  )
 }

 /**
--- a/ql/src/codeql_ruby/regexp/RegExpTreeView.qll
+++ b/ql/src/codeql_ruby/regexp/RegExpTreeView.qll
@@ -624,6 +624,15 @@ class RegExpZeroWidthMatch extends RegExpGroup {
 */
 class RegExpSubPattern extends RegExpZeroWidthMatch {
  RegExpSubPattern() { not re.emptyGroup(start, end) }
+
+  /** Gets the lookahead term. */
+  RegExpTerm getOperand() {
+    exists(int in_start, int in_end | re.groupContents(start, end, in_start, in_end) |
+      result.getRegExp() = re and
+      result.getStart() = in_start and
+      result.getEnd() = in_end
+    )
+  }
 }

 abstract class RegExpLookahead extends RegExpSubPattern { }