model accept states more accurately by adding an AcceptAny state, modelling $, and checking the existence of rejecting suffixes

2026-05-01 19:55:15 +02:00 · 2020-11-19 18:42:49 +01:00
parent d9ebb7b20e
commit a8944c8953
3 changed files with 121 additions and 60 deletions
--- a/javascript/ql/test/query-tests/Performance/ReDoS/ReDoS.expected
+++ b/javascript/ql/test/query-tests/Performance/ReDoS/ReDoS.expected
@@ -57,8 +57,8 @@
 | tst.js:31:54:31:55 | .* | This part of the regular expression may cause exponential backtracking on strings starting with '!\|\\n-\|\\n' and containing many repetitions of '\|\|\\n'. |
 | tst.js:36:23:36:32 | (\\\\\\/\|.)*? | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\\\/'. |
 | tst.js:41:27:41:28 | .* | This part of the regular expression may cause exponential backtracking on strings starting with '#' and containing many repetitions of '#'. |
-| tst.js:47:25:47:27 | .*? | This part of the regular expression may cause exponential backtracking on strings starting with '"' and containing many repetitions of '""'. |
-| tst.js:47:31:47:33 | .*? | This part of the regular expression may cause exponential backtracking on strings starting with ''' and containing many repetitions of ''''. |
+| tst.js:47:31:47:33 | .*? | This part of the regular expression may cause exponential backtracking on strings starting with '"' and containing many repetitions of '""'. |
+| tst.js:47:37:47:39 | .*? | This part of the regular expression may cause exponential backtracking on strings starting with ''' and containing many repetitions of ''''. |
 | tst.js:52:37:52:39 | .*? | This part of the regular expression may cause exponential backtracking on strings starting with '$[' and containing many repetitions of ']['. |
 | tst.js:52:70:52:72 | .*? | This part of the regular expression may cause exponential backtracking on strings starting with '$.$[' and containing many repetitions of ']['. |
 | tst.js:58:15:58:20 | [a-z]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
@@ -93,7 +93,6 @@
 | tst.js:167:15:167:27 | (1s\|[\\da-z])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '1s'. |
 | tst.js:170:15:170:23 | (0\|[\\d])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '0'. |
 | tst.js:173:16:173:20 | [\\d]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '0'. |
-| tst.js:182:17:182:21 | [^>]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '='. |
 | tst.js:185:16:185:21 | [^>a]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '='. |
 | tst.js:188:17:188:19 | \\s* | This part of the regular expression may cause exponential backtracking on strings starting with '\\n' and containing many repetitions of '\\n'. |
 | tst.js:191:18:191:20 | \\s+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of ' '. |
@@ -117,7 +116,6 @@
 | tst.js:275:38:275:40 | \\s* | This part of the regular expression may cause exponential backtracking on strings starting with '<a a=' and containing many repetitions of '"" a='. |
 | tst.js:281:16:281:17 | a+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
 | tst.js:284:16:284:17 | a+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
-| tst.js:287:16:287:17 | a+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
 | tst.js:290:16:290:17 | a+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
 | tst.js:293:17:293:18 | a+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
 | tst.js:299:90:299:91 | e+ | This part of the regular expression may cause exponential backtracking on strings starting with '00000000000000' and containing many repetitions of 'e'. |
--- a/javascript/ql/test/query-tests/Performance/ReDoS/tst.js
+++ b/javascript/ql/test/query-tests/Performance/ReDoS/tst.js
@@ -43,8 +43,8 @@ var bad6 = /^([\s\[\{\(]|#.*)*$/;
 // GOOD
 var good4 = /(\r\n|\r|\n)+/;

-// GOOD because it cannot be made to fail after the loop (but we can't tell that)
-var good5 = /((?:[^"']|".*?"|'.*?')*?)([(,)]|$)/;
+// BAD - PoC: `node -e "/((?:[^\"\']|\".*?\"|\'.*?\')*?)([(,)]|$)/.test(\"'''''''''''''''''''''''''''''''''''''''''''''\\\"\");"`. It's complicated though, because the regexp still matches something, it just matches the empty-string after the attack string.
+var actuallyBad = /((?:[^"']|".*?"|'.*?')*?)([(,)]|$)/;

 // NOT GOOD; attack: "a" + "[]".repeat(100) + ".b\n"
 // Adapted from Knockout (https://github.com/knockout/knockout), which is
@@ -178,7 +178,7 @@ var good12 = /(\d+(X\d+)?)+/;
 // GOOD - there is no witness in the end that could cause the regexp to not match
 var good13 = /([0-9]+(X[0-9]*)?)*/;

-// GOOD - but still flagged (always matches something)
+// GOOD
 var good15 = /^([^>]+)*(>|$)/;

 // NOT GOOD
@@ -283,7 +283,7 @@ var good31 = /(a+)*[^]{2,3}/;
 // GOOD - but we don't find that no suffix is rejected
 var good32 = /(a+)*([^]{2,}|X)$/;

-// GOOD - but still flagged
+// GOOD
 var good33 = /(a+)*([^]*|X)$/;

 // NOT GOOD