Merge branch 'main' into setliterals

python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSCustomizations.qll

@@ -60,8 +60,8 @@ module PolynomialReDoS {
     RegExpTerm t;
 
     RegexExecutionAsSink() {
-      exists(CompiledRegexes::RegexExecution re |
-        re.getRegexNode().asExpr() = t.getRegex() and
+      exists(RegexExecution re |
+        re.getRegex().asExpr() = t.getRegex() and
         this = re.getString()
       ) and
       t.isRootTerm()
@@ -76,137 +76,3 @@ module PolynomialReDoS {
    */
   class StringConstCompareAsSanitizerGuard extends SanitizerGuard, StringConstCompare { }
 }
-
-/** Helper module for tracking compiled regexes. */
-private module CompiledRegexes {
-  // TODO: This module should be refactored and merged with the experimental work done on detecting
-  // regex injections, such that this can be expressed from just using a concept.
-  /** A configuration for finding uses of compiled regexes. */
-  class RegexDefinitionConfiguration extends DataFlow2::Configuration {
-    RegexDefinitionConfiguration() { this = "RegexDefinitionConfiguration" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof RegexDefinitonSource }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof RegexDefinitionSink }
-  }
-
-  /** A regex compilation. */
-  class RegexDefinitonSource extends DataFlow::CallCfgNode {
-    DataFlow::Node regexNode;
-
-    RegexDefinitonSource() {
-      this = API::moduleImport("re").getMember("compile").getACall() and
-      regexNode in [this.getArg(0), this.getArgByName("pattern")]
-    }
-
-    /** Gets the regex that is being compiled by this node. */
-    RegExpTerm getRegExp() { result.getRegex() = regexNode.asExpr() and result.isRootTerm() }
-
-    /** Gets the data flow node for the regex being compiled by this node. */
-    DataFlow::Node getRegexNode() { result = regexNode }
-  }
-
-  /** A use of a compiled regex. */
-  class RegexDefinitionSink extends DataFlow::Node {
-    RegexExecutionMethod method;
-    DataFlow::CallCfgNode executingCall;
-
-    RegexDefinitionSink() {
-      exists(DataFlow::AttrRead reMethod |
-        executingCall.getFunction() = reMethod and
-        reMethod.getAttributeName() = method and
-        this = reMethod.getObject()
-      )
-    }
-
-    /** Gets the method used to execute the regex. */
-    RegexExecutionMethod getMethod() { result = method }
-
-    /** Gets the data flow node for the executing call. */
-    DataFlow::CallCfgNode getExecutingCall() { result = executingCall }
-  }
-
-  /** A data flow node executing a regex. */
-  abstract class RegexExecution extends DataFlow::Node {
-    /** Gets the data flow node for the regex being compiled by this node. */
-    abstract DataFlow::Node getRegexNode();
-
-    /** Gets a dataflow node for the string to be searched or matched against. */
-    abstract DataFlow::Node getString();
-  }
-
-  private class RegexExecutionMethod extends string {
-    RegexExecutionMethod() {
-      this in ["match", "fullmatch", "search", "split", "findall", "finditer", "sub", "subn"]
-    }
-  }
-
-  /** Gets the index of the argument representing the string to be searched by a regex. */
-  int stringArg(RegexExecutionMethod method) {
-    method in ["match", "fullmatch", "search", "split", "findall", "finditer"] and
-    result = 1
-    or
-    method in ["sub", "subn"] and
-    result = 2
-  }
-
-  /**
-   * A class to find `re` methods immediately executing an expression.
-   *
-   * See `RegexExecutionMethods`
-   */
-  class DirectRegex extends DataFlow::CallCfgNode, RegexExecution {
-    RegexExecutionMethod method;
-
-    DirectRegex() { this = API::moduleImport("re").getMember(method).getACall() }
-
-    override DataFlow::Node getRegexNode() {
-      result in [this.getArg(0), this.getArgByName("pattern")]
-    }
-
-    override DataFlow::Node getString() {
-      result in [this.getArg(stringArg(method)), this.getArgByName("string")]
-    }
-  }
-
-  /**
-   * A class to find `re` methods immediately executing a compiled expression by `re.compile`.
-   *
-   * Given the following example:
-   *
-   * ```py
-   * pattern = re.compile(input)
-   * pattern.match(s)
-   * ```
-   *
-   * This class will identify that `re.compile` compiles `input` and afterwards
-   * executes `re`'s `match`. As a result, `this` will refer to `pattern.match(s)`
-   * and `this.getRegexNode()` will return the node for `input` (`re.compile`'s first argument)
-   *
-   *
-   * See `RegexExecutionMethods`
-   *
-   * See https://docs.python.org/3/library/re.html#regular-expression-objects
-   */
-  private class CompiledRegex extends DataFlow::CallCfgNode, RegexExecution {
-    DataFlow::Node regexNode;
-    RegexExecutionMethod method;
-
-    CompiledRegex() {
-      exists(
-        RegexDefinitionConfiguration conf, RegexDefinitonSource source, RegexDefinitionSink sink
-      |
-        conf.hasFlow(source, sink) and
-        regexNode = source.getRegexNode() and
-        method = sink.getMethod() and
-        this = sink.getExecutingCall()
-      )
-    }
-
-    override DataFlow::Node getRegexNode() { result = regexNode }
-
-    override DataFlow::Node getString() {
-      result in [this.getArg(stringArg(method) - 1), this.getArgByName("string")]
-    }
-  }
-}

python/ql/lib/semmle/python/security/dataflow/ReflectedXSSCustomizations.qll

@@ -59,7 +59,7 @@ module ReflectedXSS {
   class HtmlEscapingAsSanitizer extends Sanitizer {
     HtmlEscapingAsSanitizer() {
       // TODO: For now, since there is not an `isSanitizingStep` member-predicate part of a
-      // `TaintTracking::Configuration`, we use treat the output is a taint-sanitizer. This
+      // `TaintTracking::Configuration`, we treat the output as a taint-sanitizer. This
       // is slightly imprecise, which you can see in the `m_unsafe + SAFE` test-case in
       // python/ql/test/library-tests/frameworks/markupsafe/taint_test.py
       //

python/ql/lib/semmle/python/security/injection/RegexInjection.qll

@@ -0,0 +1,37 @@
+/**
+ * Provides a taint-tracking configuration for detecting regular expression injection
+ * vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `RegexInjection::Configuration` is needed, otherwise
+ * `RegexInjectionCustomizations` should be imported instead.
+ */
+
+private import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+
+/**
+ * Provides a taint-tracking configuration for detecting regular expression injection
+ * vulnerabilities.
+ */
+module RegexInjection {
+  import RegexInjectionCustomizations::RegexInjection
+
+  /**
+   * A taint-tracking configuration for detecting "reflected server-side cross-site scripting" vulnerabilities.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "RegexInjection" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+      guard instanceof SanitizerGuard
+    }
+  }
+}

python/ql/lib/semmle/python/security/injection/RegexInjectionCustomizations.qll

@@ -0,0 +1,62 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "regular expression injection"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+
+private import python
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.dataflow.new.RemoteFlowSources
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "regular expression injection"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module RegexInjection {
+  /**
+   * A data flow source for "regular expression injection" vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A sink for "regular expression injection" vulnerabilities is the execution of a regular expression.
+   * If you have a custom way to execute regular expressions, you can extend `RegexExecution::Range`.
+   */
+  class Sink extends DataFlow::Node {
+    RegexExecution regexExecution;
+
+    Sink() { this = regexExecution.getRegex() }
+
+    /** Gets the call that executes the regular expression marked by this sink. */
+    RegexExecution getRegexExecution() { result = regexExecution }
+  }
+
+  /**
+   * A sanitizer for "regular expression injection" vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A sanitizer guard for "regular expression injection" vulnerabilities.
+   */
+  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+
+  /**
+   * A source of remote user input, considered as a flow source.
+   */
+  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+
+  /**
+   * A regex escaping, considered as a sanitizer.
+   */
+  class RegexEscapingAsSanitizer extends Sanitizer {
+    RegexEscapingAsSanitizer() {
+      // Due to use-use flow, we want the output rather than an input
+      // (so the input can still flow to other sinks).
+      this = any(RegexEscaping esc).getOutput()
+    }
+  }
+}

python/ql/lib/semmle/python/security/performance/ReDoSUtil.qll

@@ -477,7 +477,7 @@ private module CharacterClasses {
       result = ["0", "9"]
       or
       cc.getValue() = "s" and
-      result = [" "]
+      result = " "
       or
       cc.getValue() = "w" and
       result = ["a", "Z", "_", "0", "9"]
@@ -490,7 +490,7 @@ private module CharacterClasses {
       result = "9"
       or
       cc.getValue() = "s" and
-      result = [" "]
+      result = " "
       or
       cc.getValue() = "w" and
       result = "a"