add more tests for polynomial/exponential redos

2026-04-29 10:45:15 +02:00 · 2020-12-14 22:28:32 +01:00
parent fd7dec7f20
commit b2116dc5b4
5 changed files with 120 additions and 3 deletions
--- a/javascript/ql/test/query-tests/Performance/ReDoS/PolynomialBackTracking.expected
+++ b/javascript/ql/test/query-tests/Performance/ReDoS/PolynomialBackTracking.expected
@@ -52,6 +52,20 @@
 | polynomial-redos.js:67:8:67:9 | .* | it can start matching anywhere after the start of the preceeding '[^Y]' |
 | polynomial-redos.js:68:8:68:9 | .* | it can start matching anywhere after the start of the preceeding '[^Y]' |
 | polynomial-redos.js:69:8:69:9 | .* | it can start matching anywhere after the start of the preceeding '[^Y]' |
+| polynomial-redos.js:75:18:75:19 | .* | it can start matching anywhere after the start of the preceeding '<' |
+| polynomial-redos.js:77:18:77:19 | .* | it can start matching anywhere after the start of the preceeding 'Y' |
+| polynomial-redos.js:78:25:78:31 | (YH\|J)* | it can start matching anywhere after the start of the preceeding '(YH\|K)' |
+| polynomial-redos.js:78:25:78:31 | (YH\|J)* | it can start matching anywhere after the start of the preceeding 'YH\|K' |
+| polynomial-redos.js:80:17:80:18 | a* | it can start matching anywhere |
+| polynomial-redos.js:89:20:89:21 | a* | it can start matching anywhere after the start of the preceeding 'a*' |
+| polynomial-redos.js:101:17:101:18 | a+ | it can start matching anywhere |
+| polynomial-redos.js:102:20:102:21 | a+ | it can start matching anywhere after the start of the preceeding 'a+' |
+| polynomial-redos.js:104:17:104:18 | a+ | it can start matching anywhere |
+| polynomial-redos.js:105:17:105:18 | a+ | it can start matching anywhere |
+| polynomial-redos.js:105:19:105:20 | a+ | it can start matching anywhere after the start of the preceeding 'a+' |
+| polynomial-redos.js:105:21:105:22 | a+ | it can start matching anywhere after the start of the preceeding 'a+' |
+| polynomial-redos.js:111:17:111:19 | \\s* | it can start matching anywhere |
+| polynomial-redos.js:112:17:112:19 | \\s+ | it can start matching anywhere |
 | regexplib/address.js:18:26:18:31 | [ \\w]* | it can start matching anywhere after the start of the preceeding '[ \\w]{3,}' |
 | regexplib/address.js:20:144:20:147 | [ ]+ | it can start matching anywhere after the start of the preceeding '[a-zA-Z0-9 \\-.]{6,}' |
 | regexplib/address.js:24:26:24:31 | [ \\w]* | it can start matching anywhere after the start of the preceeding '[ \\w]{3,}' |
--- a/javascript/ql/test/query-tests/Performance/ReDoS/PolynomialReDoS.expected
+++ b/javascript/ql/test/query-tests/Performance/ReDoS/PolynomialReDoS.expected
@@ -72,6 +72,26 @@ nodes
 | polynomial-redos.js:69:18:69:25 | req.body |
 | polynomial-redos.js:69:18:69:25 | req.body |
 | polynomial-redos.js:69:18:69:25 | req.body |
+| polynomial-redos.js:75:2:75:8 | tainted |
+| polynomial-redos.js:75:2:75:8 | tainted |
+| polynomial-redos.js:77:2:77:8 | tainted |
+| polynomial-redos.js:77:2:77:8 | tainted |
+| polynomial-redos.js:80:2:80:8 | tainted |
+| polynomial-redos.js:80:2:80:8 | tainted |
+| polynomial-redos.js:89:2:89:8 | tainted |
+| polynomial-redos.js:89:2:89:8 | tainted |
+| polynomial-redos.js:101:2:101:8 | tainted |
+| polynomial-redos.js:101:2:101:8 | tainted |
+| polynomial-redos.js:102:2:102:8 | tainted |
+| polynomial-redos.js:102:2:102:8 | tainted |
+| polynomial-redos.js:104:2:104:8 | tainted |
+| polynomial-redos.js:104:2:104:8 | tainted |
+| polynomial-redos.js:105:2:105:8 | tainted |
+| polynomial-redos.js:105:2:105:8 | tainted |
+| polynomial-redos.js:111:2:111:8 | tainted |
+| polynomial-redos.js:111:2:111:8 | tainted |
+| polynomial-redos.js:112:2:112:8 | tainted |
+| polynomial-redos.js:112:2:112:8 | tainted |
 edges
 | polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:7:2:7:8 | tainted |
 | polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:7:2:7:8 | tainted |
@@ -137,6 +157,26 @@ edges
 | polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:66:19:66:25 | tainted |
 | polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:67:18:67:24 | tainted |
 | polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:67:18:67:24 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:75:2:75:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:75:2:75:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:77:2:77:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:77:2:77:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:80:2:80:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:80:2:80:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:89:2:89:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:89:2:89:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:101:2:101:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:101:2:101:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:102:2:102:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:102:2:102:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:104:2:104:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:104:2:104:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:105:2:105:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:105:2:105:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:111:2:111:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:111:2:111:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:112:2:112:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:112:2:112:8 | tainted |
 | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:5:6:5:32 | tainted |
 | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:5:6:5:32 | tainted |
 | polynomial-redos.js:68:18:68:24 | req.url | polynomial-redos.js:68:18:68:24 | req.url |
@@ -179,3 +219,15 @@ edges
 | polynomial-redos.js:66:19:66:25 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:66:19:66:25 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:66:9:66:10 | .* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
 | polynomial-redos.js:67:18:67:24 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:67:18:67:24 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:67:8:67:9 | .* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
 | polynomial-redos.js:69:18:69:25 | req.body | polynomial-redos.js:69:18:69:25 | req.body | polynomial-redos.js:69:18:69:25 | req.body | This expensive $@ use depends on $@. | polynomial-redos.js:69:8:69:9 | .* | regular expression | polynomial-redos.js:69:18:69:25 | req.body | a user-provided value |
+| polynomial-redos.js:75:2:75:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:75:2:75:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:75:18:75:19 | .* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:77:2:77:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:77:2:77:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:77:18:77:19 | .* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:80:2:80:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:80:2:80:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:80:17:80:18 | a* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:89:2:89:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:89:2:89:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:89:20:89:21 | a* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:101:2:101:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:101:2:101:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:101:17:101:18 | a+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:102:2:102:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:102:2:102:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:102:20:102:21 | a+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:104:2:104:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:104:2:104:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:104:17:104:18 | a+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:105:2:105:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:105:2:105:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:105:17:105:18 | a+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:105:2:105:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:105:2:105:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:105:19:105:20 | a+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:105:2:105:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:105:2:105:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:105:21:105:22 | a+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:111:2:111:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:111:2:111:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:111:17:111:19 | \\s* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:112:2:112:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:112:2:112:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:112:17:112:19 | \\s+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
--- a/javascript/ql/test/query-tests/Performance/ReDoS/ReDoS.expected
+++ b/javascript/ql/test/query-tests/Performance/ReDoS/ReDoS.expected
@@ -125,3 +125,4 @@
 | tst.js:311:20:311:24 | [^Y]+ | This part of the regular expression may cause exponential backtracking on strings starting with 'x' and containing many repetitions of 'Xx'. |
 | tst.js:323:14:323:20 | (a?a?)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
 | tst.js:332:14:332:22 | (?:a\|a?)+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
+| tst.js:338:17:338:45 | (([a-c]\|[c-d])T(e?e?e?e?\|X))+ | This part of the regular expression may cause exponential backtracking on strings starting with 'PRE' and containing many repetitions of 'cTX'. |
--- a/javascript/ql/test/query-tests/Performance/ReDoS/polynomial-redos.js
+++ b/javascript/ql/test/query-tests/Performance/ReDoS/polynomial-redos.js
@@ -12,8 +12,8 @@ app.use(function(req, res) {
 	tainted.replace(/.*\./, ''); // NOT OK
 	tainted.replace(/^.*[/\\]/, ''); // OK
 	tainted.replace(/^.*\./, ''); // OK
-	tainted.replace(/^(`+)\s*([\s\S]*?[^`])\s*\1(?!`)/); // NOT OK
-	tainted.replace(/^(`+)([\s\S]*?[^`])\1(?!`)/); // OK
+	tainted.replace(/^(`+)\s*([\s\S]*?[^`])\s*\1(?!`)/); // NOT OK - but not detected
+	tainted.replace(/^(`+)([\s\S]*?[^`])\1(?!`)/); // NOT OK - but not detected
 	/^(.*,)+(.+)?$/.test(tainted); // NOT OK - but only flagged by js/redos
 	tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i); // NOT OK
 	tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF\/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i); // NOT OK (even though it is a proposed fix for the above)
@@ -67,4 +67,51 @@ app.use(function(req, res) {
 	(/[^Y].*X/.test(tainted)); // NOT OK
 	(/[^Y].*$/.test(req.url)); // OK - the input cannot contain newlines.
 	(/[^Y].*$/.test(req.body)); // NOT OK
+
+	tainted.match(/^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/); // NOT OK - but not detected
+
+	tainted.match(new RegExp("(MSIE) (\\d+)\\.(\\d+).*XBLWP7")); // NOT OK - but not detected
+
+	tainted.match(/<.*class="([^"]+)".*>/); // NOT OK - but not detected
+
+	tainted.match(/Y.*X/); // NOT OK
+	tatined.match(/B?(YH|K)(YH|J)*X/); // NOT OK - but not detected
+
+	tainted.match(/a*b/); // NOT OK - the initial repetition can start matching anywhere.
+	tainted.match(/cc*D/); // NOT OK - but flagged
+	tainted.match(/^ee*F/); // OK 
+	tainted.match(/^g*g*/); // OK
+	tainted.match(/^h*i*/); // OK
+
+	tainted.match(/^(ab)*ab(ab)*X/); // NOT OK - but not flagged
+
+	tainted.match(/aa*X/); // NOT OK - but not flagged
+	tainted.match(/^a*a*X/); // NOT OK
+	tainted.match(/\wa*X/); // NOT OK - but not flagged
+	tainted.match(/a*b*c*/); // OK
+	tainted.match(/a*a*a*a*/); // OK
+
+	tainted.match(/^([3-7]|A)*([2-5]|B)*X/); // NOT OK - but not flagged
+	tainted.match(/^\d*([2-5]|B)*X/); // NOT OK - but not flagged
+	tainted.match(/^([3-7]|A)*\d*X/); // NOT OK - but not flagged
+
+	tainted.match(/^(ab)+ab(ab)+X/); // NOT OK - but not flagged
+
+	tainted.match(/aa+X/); // NOT OK - but not flagged
+	tainted.match(/a+X/); // NOT OK
+	tainted.match(/^a+a+X/); // NOT OK
+	tainted.match(/\wa+X/); // NOT OK - but not flagged
+	tainted.match(/a+b+c+/); //NOT  OK
+	tainted.match(/a+a+a+a+/); // OK - but is flagged
+
+	tainted.match(/^([3-7]|A)+([2-5]|B)+X/); // NOT OK - but not flagged
+	tainted.match(/^\d+([2-5]|B)+X/); // NOT OK - but not flagged
+	tainted.match(/^([3-7]|A)+\d+X/); // NOT OK - but not flagged
+
+	tainted.match(/\s*$/); // NOT OK
+	tainted.match(/\s+$/); // NOT OK
+
+	tainted.match(/^\d*5\w*$/); // NOT OK - but not flagged
+
+	tainted.match(/\/\*[\d\D]*?\*\//g); // NOT OK - but not flagged
 });
--- a/javascript/ql/test/query-tests/Performance/ReDoS/tst.js
+++ b/javascript/ql/test/query-tests/Performance/ReDoS/tst.js
@@ -332,4 +332,7 @@ var bad72 = /(c?a?)*b/;
 var bad73 = /(?:a|a?)+b/;

 // NOT GOOD - but not detected. 
-var bad74 = /(a?b?)*$/;
+var bad74 = /(a?b?)*$/;
+
+// NOT GOOD
+var bad75 = /PRE(([a-c]|[c-d])T(e?e?e?e?|X))+(cTcT|cTXcTX$)/;