add another example to the qhelp in poly-redos, showing how to just limit the length of the input

2026-05-01 03:35:13 +02:00 · 2023-05-15 14:38:09 +02:00
parent d8c0054ea9
commit d989359656
4 changed files with 114 additions and 0 deletions
--- a/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.qhelp
+++ b/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.qhelp
@@ -103,6 +103,35 @@

 	</example>

+    <example>
+        <p>
+            Sometimes it's unclear how a regular expression can be rewritten to
+            avoid the problem. In such cases, it often suffices to limit the
+            length of the input string. For instance, the following complicated 
+            regular expression is used to match numbers, and on some non-number 
+            inputs it can have quadratic time complexity:
+        </p>
+
+        <sample language="java">
+            Pattern.matches("^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$", str);
+        </sample>
+
+        <p>
+            It's not immediately obvious how to rewrite this regular expression 
+            to avoid the problem. However, it might be fine to limit the length
+            to 1000 characters, which will always finish in a reasonable amount
+            of time.
+        </p>
+
+        <sample language="java">
+            if (str.length() &gt; 1000) {
+                throw new IllegalArgumentException("Input too long");
+            }
+
+            Pattern.matches("^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$", str);
+        </sample>
+    </example>
+
 	<include src="ReDoSReferences.inc.qhelp"/>

 </qhelp>
--- a/javascript/ql/src/Performance/PolynomialReDoS.qhelp
+++ b/javascript/ql/src/Performance/PolynomialReDoS.qhelp
@@ -103,6 +103,34 @@

 	</example>

+    <example>
+        <p>
+            Sometimes it's unclear how a regular expression can be rewritten to
+            avoid the problem. In such cases, it often suffices to limit the
+            length of the input string. For instance, the following complicated 
+            regular expression is used to match numbers, and on some non-number 
+            inputs it can have quadratic time complexity:
+        </p>
+
+        <sample language="javascript">
+            /^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/.test(str) // BAD
+        </sample>
+
+        <p>
+            It's not immediately obvious how to rewrite this regular expression 
+            to avoid the problem. However, it might be fine to limit the length
+            to 1000 characters, which will always finish in a reasonable amount
+            of time.
+        </p>
+
+        <sample language="javascript">
+            if (str.length &gt; 1000) {
+                throw new Error("Input too long");
+            }
+            /^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/.test(str)
+        </sample>
+    </example>
+
 	<include src="ReDoSReferences.inc.qhelp"/>

 </qhelp>
--- a/python/ql/src/Security/CWE-730/PolynomialReDoS.qhelp
+++ b/python/ql/src/Security/CWE-730/PolynomialReDoS.qhelp
@@ -103,6 +103,34 @@

 	</example>

+    <example>
+        <p>
+            Sometimes it's unclear how a regular expression can be rewritten to
+            avoid the problem. In such cases, it often suffices to limit the
+            length of the input string. For instance, the following complicated 
+            regular expression is used to match numbers, and on some non-number 
+            inputs it can have quadratic time complexity:
+        </p>
+
+        <sample language="python">
+            match = re.search(r'^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$', str) 
+        </sample>
+
+        <p>
+            It's not immediately obvious how to rewrite this regular expression 
+            to avoid the problem. However, it might be fine to limit the length
+            to 1000 characters, which will always finish in a reasonable amount
+            of time.
+        </p>
+
+        <sample language="python">
+            if len(str) &gt; 1000:
+                raise ValueError("Input too long")
+
+            match = re.search(r'^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$', str) 
+        </sample>
+    </example>
+
 	<include src="ReDoSReferences.inc.qhelp"/>

 </qhelp>
--- a/ruby/ql/src/queries/security/cwe-1333/PolynomialReDoS.qhelp
+++ b/ruby/ql/src/queries/security/cwe-1333/PolynomialReDoS.qhelp
@@ -108,6 +108,35 @@

 	</example>

+    <example>
+        <p>
+            Sometimes it's unclear how a regular expression can be rewritten to
+            avoid the problem. In such cases, it often suffices to limit the
+            length of the input string. For instance, the following complicated 
+            regular expression is used to match numbers, and on some non-number 
+            inputs it can have quadratic time complexity:
+        </p>
+
+        <sample language="ruby">
+            is_matching = /^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/.match?(str)
+        </sample>
+
+        <p>
+            It's not immediately obvious how to rewrite this regular expression 
+            to avoid the problem. However, it might be fine to limit the length
+            to 1000 characters, which will always finish in a reasonable amount
+            of time.
+        </p>
+
+        <sample language="ruby">
+            if str.length &gt; 1000
+                raise ArgumentError, "Input too long"
+            end
+
+            is_matching = /^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/.match?(str)
+        </sample>
+    </example>
+
 	<include src="ReDoSReferences.inc.qhelp"/>

 </qhelp>