From 7ad1a21c2dafafc54ba82de5b37dc12b84dc2320 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Tue, 15 Aug 2023 21:23:50 +0200
Subject: [PATCH 1/6] Python: make mode characters not be characters

They are simply considered part of the group start.
---
 .../python/regexp/internal/ParseRegExp.qll    | 33 +++++++++++++++----
 .../Security/CWE-730-ReDoS/ReDoS.expected     |  4 +--
 2 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/python/ql/lib/semmle/python/regexp/internal/ParseRegExp.qll b/python/ql/lib/semmle/python/regexp/internal/ParseRegExp.qll
index 52fa85ded56..b4383ff58ff 100644
--- a/python/ql/lib/semmle/python/regexp/internal/ParseRegExp.qll
+++ b/python/ql/lib/semmle/python/regexp/internal/ParseRegExp.qll
@@ -683,12 +683,34 @@ class RegExp extends Expr instanceof StrConst {
    * Holds if a parse mode starts between `start` and `end`.
    */
   private predicate flag_group_start(int start, int end) {
+    exists(int no_modes_end |
+      this.flag_group_start_no_modes(start, no_modes_end) and
+      end = max(int i | this.mode_character(start, i) | i + 1)
+    )
+  }
+
+  /**
+   * Holds if the initial part of a parse mode, not containing any
+   * mode characters is between `start` and `end`.
+   */
+  private predicate flag_group_start_no_modes(int start, int end) {
     this.isGroupStart(start) and
     this.getChar(start + 1) = "?" and
     this.getChar(start + 2) in ["i", "L", "m", "s", "u", "x"] and
     end = start + 2
   }
 
+  /**
+   * Holds if `pos` contains a mo character from the
+   * flag group starting at `start`.
+   */
+  private predicate mode_character(int start, int pos) {
+    this.flag_group_start_no_modes(start, pos)
+    or
+    this.mode_character(start, pos - 1) and
+    this.getChar(pos) in ["i", "L", "m", "s", "u", "x"]
+  }
+
   /**
    * Holds if a parse mode group is between `start` and `end`, and includes the
    * mode flag `c`. For example the following span, with mode flag `i`:
@@ -696,11 +718,10 @@ class RegExp extends Expr instanceof StrConst {
    * (?i)
    * ```
    */
-  private predicate flag_group(int start, int end, string c) {
-    exists(int inStart, int inEnd |
-      this.flag_group_start(start, inStart) and
-      this.groupContents(start, end, inStart, inEnd) and
-      this.getChar([inStart .. inEnd - 1]) = c
+  private predicate flag(string c) {
+    exists(int pos |
+      this.mode_character(_, pos) and
+      this.getChar(pos) = c
     )
   }
 
@@ -709,7 +730,7 @@ class RegExp extends Expr instanceof StrConst {
    * it is defined by a prefix.
    */
   string getModeFromPrefix() {
-    exists(string c | this.flag_group(_, _, c) |
+    exists(string c | this.flag(c) |
       c = "i" and result = "IGNORECASE"
       or
       c = "L" and result = "LOCALE"
diff --git a/python/ql/test/query-tests/Security/CWE-730-ReDoS/ReDoS.expected b/python/ql/test/query-tests/Security/CWE-730-ReDoS/ReDoS.expected
index 0c2dccbd2d4..051fd9ccc5f 100644
--- a/python/ql/test/query-tests/Security/CWE-730-ReDoS/ReDoS.expected
+++ b/python/ql/test/query-tests/Security/CWE-730-ReDoS/ReDoS.expected
@@ -105,5 +105,5 @@
 | redos.py:391:15:391:25 | (\\u0061\|a)* | This part of the regular expression may cause exponential backtracking on strings starting with 'X' and containing many repetitions of 'a'. |
 | unittests.py:5:17:5:23 | (\u00c6\|\\\u00c6)+ | This part of the regular expression may cause exponential backtracking on strings starting with 'X' and containing many repetitions of '\\u00c6'. |
 | unittests.py:9:16:9:24 | (?:.\|\\n)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\n'. |
-| unittests.py:11:20:11:28 | (?:.\|\\n)* | This part of the regular expression may cause exponential backtracking on strings starting with 's' and containing many repetitions of '\\n'. |
-| unittests.py:12:21:12:29 | (?:.\|\\n)* | This part of the regular expression may cause exponential backtracking on strings starting with 'is' and containing many repetitions of '\\n'. |
+| unittests.py:11:20:11:28 | (?:.\|\\n)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\n'. |
+| unittests.py:12:21:12:29 | (?:.\|\\n)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\n'. |

From 88fc96e8d74593c42934a12c284f27d2b65809c3 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Wed, 16 Aug 2023 10:56:32 +0200
Subject: [PATCH 2/6] Python: Add test with prefix

---
 python/ql/test/query-tests/Security/CWE-730-ReDoS/unittests.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/python/ql/test/query-tests/Security/CWE-730-ReDoS/unittests.py b/python/ql/test/query-tests/Security/CWE-730-ReDoS/unittests.py
index 0a49b8a52a9..4106a691558 100644
--- a/python/ql/test/query-tests/Security/CWE-730-ReDoS/unittests.py
+++ b/python/ql/test/query-tests/Security/CWE-730-ReDoS/unittests.py
@@ -10,3 +10,4 @@ re.compile(r'(?:.|\n)*b', re.DOTALL) # Has ReDoS.
 re.compile(r'(?i)(?:.|\n)*b') # No ReDoS.
 re.compile(r'(?s)(?:.|\n)*b') # Has ReDoS.
 re.compile(r'(?is)(?:.|\n)*b') # Has ReDoS.
+re.compile(r'(?is)X(?:.|\n)*Y') # Has ReDoS.

From e9e6bce80a7a33924742cc3f9373accb26ea0c4b Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Wed, 16 Aug 2023 11:49:23 +0200
Subject: [PATCH 3/6] shared: handle empty groups in delta

---
 shared/regex/codeql/regex/nfa/NfaUtils.qll | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/shared/regex/codeql/regex/nfa/NfaUtils.qll b/shared/regex/codeql/regex/nfa/NfaUtils.qll
index a951820bda1..2b14fe28aca 100644
--- a/shared/regex/codeql/regex/nfa/NfaUtils.qll
+++ b/shared/regex/codeql/regex/nfa/NfaUtils.qll
@@ -760,6 +760,12 @@ module Make<RegexTreeViewSig TreeImpl> {
     or
     exists(RegExpGroup grp | lbl = Epsilon() | q1 = before(grp) and q2 = before(grp.getChild(0)))
     or
+    exists(RegExpGroup grp | lbl = Epsilon() |
+      not exists(grp.getAChild()) and
+      q1 = before(grp) and
+      q2 = before(grp.getSuccessor())
+    )
+    or
     exists(EffectivelyStar star | lbl = Epsilon() |
       q1 = before(star) and q2 = before(star.getChild(0))
       or

From d3c24ba11093d89fa5bee293b63c9008cd939340 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Wed, 16 Aug 2023 13:38:10 +0200
Subject: [PATCH 4/6] =?UTF-8?q?Python=C3=86=20fix=20test=20expectations?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../Security/CWE-116-BadTagFilter/BadTagFilter.expected        | 1 +
 .../ql/test/query-tests/Security/CWE-730-ReDoS/ReDoS.expected  | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/python/ql/test/query-tests/Security/CWE-116-BadTagFilter/BadTagFilter.expected b/python/ql/test/query-tests/Security/CWE-116-BadTagFilter/BadTagFilter.expected
index cc9da9cfdc8..407a5490e8c 100644
--- a/python/ql/test/query-tests/Security/CWE-116-BadTagFilter/BadTagFilter.expected
+++ b/python/ql/test/query-tests/Security/CWE-116-BadTagFilter/BadTagFilter.expected
@@ -1,6 +1,7 @@
 | tst.py:4:20:4:43 | <script.*?>.*?<\\/script> | This regular expression does not match script end tags like </script >. |
 | tst.py:5:20:5:43 | <script.*?>.*?<\\/script> | This regular expression does not match script end tags like </script >. |
 | tst.py:9:20:9:30 | <!--.*--!?> | This regular expression does not match comments containing newlines. |
+| tst.py:11:20:11:34 | (?i)<!--.*--!?> | This regular expression does not match comments containing newlines. |
 | tst.py:12:20:12:53 | <script.*?>(.\|\\s)*?<\\/script[^>]*> | This regular expression matches <script></script>, but not <script \\n></script> |
 | tst.py:13:20:13:51 | <script[^>]*?>.*?<\\/script[^>]*> | This regular expression matches <script>...</script>, but not <script >...\\n</script> |
 | tst.py:14:20:14:58 | <script(\\s\|\\w\|=\|")*?>.*?<\\/script[^>]*> | This regular expression does not match script tags where the attribute uses single-quotes. |
diff --git a/python/ql/test/query-tests/Security/CWE-730-ReDoS/ReDoS.expected b/python/ql/test/query-tests/Security/CWE-730-ReDoS/ReDoS.expected
index 051fd9ccc5f..24a2142ff4a 100644
--- a/python/ql/test/query-tests/Security/CWE-730-ReDoS/ReDoS.expected
+++ b/python/ql/test/query-tests/Security/CWE-730-ReDoS/ReDoS.expected
@@ -7,7 +7,7 @@
 | redos.py:21:57:21:76 | (?:[^'\\\\]\|\\\\\\\\\|\\\\.)+ | This part of the regular expression may cause exponential backtracking on strings starting with '\\t'' and containing many repetitions of '\\\\\\\\'. |
 | redos.py:21:81:21:100 | (?:[^)\\\\]\|\\\\\\\\\|\\\\.)+ | This part of the regular expression may cause exponential backtracking on strings starting with '\\t(' and containing many repetitions of '\\\\\\\\'. |
 | redos.py:33:64:33:65 | .* | This part of the regular expression may cause exponential backtracking on strings starting with '!\|\\n-\|\\n' and containing many repetitions of '\|\|\\n'. |
-| redos.py:38:33:38:42 | (\\\\\\/\|.)*? | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\\\/'. |
+| redos.py:38:33:38:42 | (\\\\\\/\|.)*? | This part of the regular expression may cause exponential backtracking on strings starting with '/' and containing many repetitions of '\\\\/'. |
 | redos.py:43:37:43:38 | .* | This part of the regular expression may cause exponential backtracking on strings starting with '#' and containing many repetitions of '#'. |
 | redos.py:49:41:49:43 | .*? | This part of the regular expression may cause exponential backtracking on strings starting with '"' and containing many repetitions of '""'. |
 | redos.py:49:47:49:49 | .*? | This part of the regular expression may cause exponential backtracking on strings starting with ''' and containing many repetitions of ''''. |
@@ -107,3 +107,4 @@
 | unittests.py:9:16:9:24 | (?:.\|\\n)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\n'. |
 | unittests.py:11:20:11:28 | (?:.\|\\n)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\n'. |
 | unittests.py:12:21:12:29 | (?:.\|\\n)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\n'. |
+| unittests.py:13:22:13:30 | (?:.\|\\n)* | This part of the regular expression may cause exponential backtracking on strings starting with 'x' and containing many repetitions of '\\n'. |

From 137f9e72342c48709bea01fd9681f510fbeefa8e Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Thu, 24 Aug 2023 21:28:07 +0200
Subject: [PATCH 5/6] Python: Adress review comments - make qldoc accurate -
 fix ql4ql alert

---
 .../lib/semmle/python/regexp/internal/ParseRegExp.qll  | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/python/ql/lib/semmle/python/regexp/internal/ParseRegExp.qll b/python/ql/lib/semmle/python/regexp/internal/ParseRegExp.qll
index b4383ff58ff..81eff018aff 100644
--- a/python/ql/lib/semmle/python/regexp/internal/ParseRegExp.qll
+++ b/python/ql/lib/semmle/python/regexp/internal/ParseRegExp.qll
@@ -683,10 +683,8 @@ class RegExp extends Expr instanceof StrConst {
    * Holds if a parse mode starts between `start` and `end`.
    */
   private predicate flag_group_start(int start, int end) {
-    exists(int no_modes_end |
-      this.flag_group_start_no_modes(start, no_modes_end) and
-      end = max(int i | this.mode_character(start, i) | i + 1)
-    )
+    this.flag_group_start_no_modes(start, _) and
+    end = max(int i | this.mode_character(start, i) | i + 1)
   }
 
   /**
@@ -712,8 +710,8 @@ class RegExp extends Expr instanceof StrConst {
   }
 
   /**
-   * Holds if a parse mode group is between `start` and `end`, and includes the
-   * mode flag `c`. For example the following span, with mode flag `i`:
+   * Holds if a parse mode group includes the mode flag `c`.
+   * For example the following parse mode group, with mode flag `i`:
    * ```
    * (?i)
    * ```

From 68cd42278827b1e1aedca791bd60071e44d077cc Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 25 Aug 2023 11:27:53 +0200
Subject: [PATCH 6/6] Python: Fix test expectations

---
 python/ql/test/library-tests/regex/Characters.expected    | 1 -
 python/ql/test/library-tests/regex/FirstLast.expected     | 3 ++-
 python/ql/test/library-tests/regex/GroupContents.expected | 1 -
 python/ql/test/library-tests/regex/Regex.expected         | 4 +---
 4 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/python/ql/test/library-tests/regex/Characters.expected b/python/ql/test/library-tests/regex/Characters.expected
index a1f036dce0d..7a1ca9c874f 100644
--- a/python/ql/test/library-tests/regex/Characters.expected
+++ b/python/ql/test/library-tests/regex/Characters.expected
@@ -36,7 +36,6 @@
 | (?:[^%]\|^)?%\\((\\w*)\\)[a-z] | 22 | 23 |
 | (?:[^%]\|^)?%\\((\\w*)\\)[a-z] | 24 | 25 |
 | (?P<name>[\\w]+)\| | 10 | 12 |
-| (?m)^(?!$) | 2 | 3 |
 | (?m)^(?!$) | 4 | 5 |
 | (?m)^(?!$) | 8 | 9 |
 | (\\033\|~{) | 1 | 5 |
diff --git a/python/ql/test/library-tests/regex/FirstLast.expected b/python/ql/test/library-tests/regex/FirstLast.expected
index eff70714449..e388e0d1fdf 100644
--- a/python/ql/test/library-tests/regex/FirstLast.expected
+++ b/python/ql/test/library-tests/regex/FirstLast.expected
@@ -22,7 +22,8 @@
 | (?P<name>[\\w]+)\| | first | 9 | 14 |
 | (?P<name>[\\w]+)\| | last | 9 | 13 |
 | (?P<name>[\\w]+)\| | last | 9 | 14 |
-| (?m)^(?!$) | first | 2 | 3 |
+| (?m)^(?!$) | first | 4 | 5 |
+| (?m)^(?!$) | first | 8 | 9 |
 | (?m)^(?!$) | last | 4 | 5 |
 | (?m)^(?!$) | last | 8 | 9 |
 | (\\033\|~{) | first | 1 | 5 |
diff --git a/python/ql/test/library-tests/regex/GroupContents.expected b/python/ql/test/library-tests/regex/GroupContents.expected
index 0174acb78b0..c7c4ac97a1e 100644
--- a/python/ql/test/library-tests/regex/GroupContents.expected
+++ b/python/ql/test/library-tests/regex/GroupContents.expected
@@ -8,7 +8,6 @@
 | (?:[^%]\|^)?%\\((\\w*)\\)[a-z] | 0 | 10 | (?:[^%]\|^) | 3 | 9 | [^%]\|^ |
 | (?:[^%]\|^)?%\\((\\w*)\\)[a-z] | 14 | 19 | (\\w*) | 15 | 18 | \\w* |
 | (?P<name>[\\w]+)\| | 0 | 15 | (?P<name>[\\w]+) | 9 | 14 | [\\w]+ |
-| (?m)^(?!$) | 0 | 4 | (?m) | 2 | 3 | m |
 | (?m)^(?!$) | 5 | 10 | (?!$) | 8 | 9 | $ |
 | (\\033\|~{) | 0 | 9 | (\\033\|~{) | 1 | 8 | \\033\|~{ |
 | \\[(?P<txt>[^[]*)\\]\\((?P<uri>[^)]*) | 2 | 16 | (?P<txt>[^[]*) | 10 | 15 | [^[]* |
diff --git a/python/ql/test/library-tests/regex/Regex.expected b/python/ql/test/library-tests/regex/Regex.expected
index b2ad03aa16a..e5e0ea1719e 100644
--- a/python/ql/test/library-tests/regex/Regex.expected
+++ b/python/ql/test/library-tests/regex/Regex.expected
@@ -77,11 +77,9 @@
 | (?P<name>[\\w]+)\| | sequence | 0 | 15 |
 | (?m)^(?!$) | $ | 8 | 9 |
 | (?m)^(?!$) | ^ | 4 | 5 |
-| (?m)^(?!$) | char | 2 | 3 |
+| (?m)^(?!$) | empty group | 0 | 4 |
 | (?m)^(?!$) | empty group | 5 | 10 |
-| (?m)^(?!$) | non-empty group | 0 | 4 |
 | (?m)^(?!$) | sequence | 0 | 10 |
-| (?m)^(?!$) | sequence | 2 | 3 |
 | (?m)^(?!$) | sequence | 8 | 9 |
 | (\\033\|~{) | char | 1 | 5 |
 | (\\033\|~{) | char | 6 | 7 |