also support regular expressions without repetitions

2025-12-17 01:03:14 +01:00 · 2022-08-19 19:19:17 +02:00
parent 26fcf6b25b
commit d052b1e3c9
7 changed files with 17 additions and 30 deletions
--- a/java/ql/lib/semmle/code/java/security/regexp/NfaUtils.qll
+++ b/java/ql/lib/semmle/code/java/security/regexp/NfaUtils.qll
@@ -93,8 +93,6 @@ class RegExpRoot extends RegExpTerm {
   * Holds if this root term is relevant to the ReDoS analysis.
   */
  predicate isRelevant() {
-    // there is at least one repetition
-    getRoot(any(InfiniteRepetitionQuantifier q)) = this and
    // is actually used as a RegExp
    this.isUsedAsRegExp() and
    // not excluded for library specific reasons
--- a/javascript/ql/lib/semmle/javascript/security/regexp/NfaUtils.qll
+++ b/javascript/ql/lib/semmle/javascript/security/regexp/NfaUtils.qll
@@ -93,8 +93,6 @@ class RegExpRoot extends RegExpTerm {
   * Holds if this root term is relevant to the ReDoS analysis.
   */
  predicate isRelevant() {
-    // there is at least one repetition
-    getRoot(any(InfiniteRepetitionQuantifier q)) = this and
    // is actually used as a RegExp
    this.isUsedAsRegExp() and
    // not excluded for library specific reasons
--- a/javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql
+++ b/javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql
@@ -20,27 +20,6 @@ string toOtherCase(string s) {
  if s.regexpMatch(".*[a-z].*") then result = s.toUpperCase() else result = s.toLowerCase()
 }

-RegExpCharacterClass getEnclosingClass(RegExpTerm term) {
-  term = result.getAChild()
-  or
-  term = result.getAChild().(RegExpRange).getAChild()
-}
-
-/**
- * Holds if `term` seems to distinguish between upper and lower case letters, assuming the `i` flag is not present.
- */
-pragma[inline]
-predicate isLikelyCaseSensitiveRegExp(RegExpTerm term) {
-  exists(RegExpConstant const |
-    const = term.getAChild*() and
-    const.getValue().regexpMatch(".*[a-zA-Z].*") and
-    not getEnclosingClass(const).getAChild().(RegExpConstant).getValue() =
-      toOtherCase(const.getValue()) and
-    not const.getParent*() instanceof RegExpNegativeLookahead and
-    not const.getParent*() instanceof RegExpNegativeLookbehind
-  )
-}
-
 import semmle.javascript.security.regexp.NfaUtils as NfaUtils

 /** Holds if `s` is a relevant regexp term were we want to compute a string that matches the term (for `getCaseSensitiveBypassExample`). */
@@ -84,7 +63,6 @@ predicate isCaseSensitiveMiddleware(
    ) and
    arg = call.getArgument(0) and
    regexp.getAReference().flowsTo(arg) and
-    isLikelyCaseSensitiveRegExp(regexp.getRoot()) and
    exists(string flags |
      flags = regexp.getFlags() and
      not RegExp::isIgnoreCase(flags)
--- a/javascript/ql/test/query-tests/Security/CWE-178/CaseSensitiveMiddlewarePath.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-178/CaseSensitiveMiddlewarePath.expected
@@ -2,3 +2,5 @@
 | tst.js:14:5:14:28 | new Reg ... (.*)?') | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/FOO' will bypass the middleware. | tst.js:14:5:14:28 | new Reg ... (.*)?') | pattern | tst.js:60:1:61:2 | app.get ... ware\\n}) | here |
 | tst.js:41:9:41:25 | /\\/foo\\/([0-9]+)/ | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/FOO/0' will bypass the middleware. | tst.js:41:9:41:25 | /\\/foo\\/([0-9]+)/ | pattern | tst.js:60:1:61:2 | app.get ... ware\\n}) | here |
 | tst.js:64:5:64:28 | new Reg ... (.*)?') | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/BAR' will bypass the middleware. | tst.js:64:5:64:28 | new Reg ... (.*)?') | pattern | tst.js:73:1:74:2 | app.get ... ware\\n}) | here |
+| tst.js:76:9:76:20 | /\\/baz\\/bla/ | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/BAZ/BLA' will bypass the middleware. | tst.js:76:9:76:20 | /\\/baz\\/bla/ | pattern | tst.js:77:1:79:2 | app.get ...  });\\n}) | here |
+| tst.js:86:9:86:30 | /\\/[Bb] ... 3\\/[a]/ | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/BAZ3/A' will bypass the middleware. | tst.js:86:9:86:30 | /\\/[Bb] ... 3\\/[a]/ | pattern | tst.js:87:1:89:2 | app.get ...  });\\n}) | here |
--- a/javascript/ql/test/query-tests/Security/CWE-178/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-178/tst.js
@@ -72,3 +72,18 @@ app.get(

 app.get('/bar/*', (req, res) => { // OK - not a middleware
 });
+
+app.use(/\/baz\/bla/, unknown()); // NOT OK - case sensitive
+app.get('/baz/bla', (req, resp) => {
+  resp.send({ test: 123 });
+});
+
+app.use(/\/[Bb][Aa][Zz]2\/[aA]/, unknown()); // OK - not case sensitive
+app.get('/baz2/a', (req, resp) => {
+  resp.send({ test: 123 });
+});
+
+app.use(/\/[Bb][Aa][Zz]3\/[a]/, unknown()); // NOT OK - case sensitive
+app.get('/baz3/a', (req, resp) => {
+  resp.send({ test: 123 });
+});
--- a/python/ql/lib/semmle/python/security/regexp/NfaUtils.qll
+++ b/python/ql/lib/semmle/python/security/regexp/NfaUtils.qll
@@ -93,8 +93,6 @@ class RegExpRoot extends RegExpTerm {
   * Holds if this root term is relevant to the ReDoS analysis.
   */
  predicate isRelevant() {
-    // there is at least one repetition
-    getRoot(any(InfiniteRepetitionQuantifier q)) = this and
    // is actually used as a RegExp
    this.isUsedAsRegExp() and
    // not excluded for library specific reasons
--- a/ruby/ql/lib/codeql/ruby/security/regexp/NfaUtils.qll
+++ b/ruby/ql/lib/codeql/ruby/security/regexp/NfaUtils.qll
@@ -93,8 +93,6 @@ class RegExpRoot extends RegExpTerm {
   * Holds if this root term is relevant to the ReDoS analysis.
   */
  predicate isRelevant() {
-    // there is at least one repetition
-    getRoot(any(InfiniteRepetitionQuantifier q)) = this and
    // is actually used as a RegExp
    this.isUsedAsRegExp() and
    // not excluded for library specific reasons