79 Commits

Author	SHA1	Message	Date
Erik Krogh Kristensen	3bea7df45d	add deprecated aliases in the old locations, and use the Query.qll pattern for js/polynomial-redos	2022-06-23 14:36:25 +02:00
Erik Krogh Kristensen	13482fc97b	rename ReDoSUtil to NfaUtils, and rename the "performance" folder to "regexp"	2022-06-23 14:36:25 +02:00
Erik Krogh Kristensen	3be4a86acd	make ReDoSPruning into a parameterized module	2022-06-23 14:36:25 +02:00
Erik Krogh Kristensen	dc06e9df02	move predicates that depend on isReDoSCandidate into a ReDoSPruning module	2022-06-23 14:36:24 +02:00
Erik Krogh Kristensen	fef87db739	use syntactically correct JS in poly-redos example	2022-05-27 10:08:30 +02:00
Rasmus Lerchedahl Petersen	d2eeaff441	JS: Refactor ReDoS to make files sharable ... the extra ordering conditions in ReDoSUtil will be needed for the Python implementation.	2021-06-28 17:04:48 +02:00
Erik Krogh Kristensen	a4303bc81d	add CWE-1333 to the JS ReDoS queries	2021-06-22 10:24:56 +02:00
Calum Grant	771e686946	Update security-severity scores	2021-06-15 13:25:17 +01:00
Calum Grant	a594afb828	Add security-severity metadata	2021-06-10 20:11:08 +01:00
Marcono1234	5a8ffa5a85	Use .inc.qhelp extension for included help files	2021-03-04 22:04:48 +01:00
Erik Krogh Kristensen	c5595f4cbd	improve alert message for js/polynomial-redos	2021-01-14 13:48:26 +01:00
Erik Krogh Kristensen	a520a51d42	highlight the use of the regular expression, instead of the sink for user input	2021-01-14 11:22:20 +01:00
Erik Krogh Kristensen	e8ea720650	adjust description to not mention user-provided values	2021-01-14 10:36:10 +01:00
Erik Krogh Kristensen	eaee5c2d87	add library input as source for js/polynomial-redos	2021-01-12 20:21:33 +01:00
Erik Krogh Kristensen	7e21081b70	add comment about regexp detected by js/polynomial-redos	2021-01-07 12:06:12 +01:00
Erik Krogh Kristensen	28cffa1e07	add comment in isFork about /(a*)*/ regular expressions	2021-01-06 10:44:13 +01:00
Erik Krogh Kristensen	c58f67b189	reintroduce performance improvement - but sound this time	2021-01-06 10:44:13 +01:00
Erik Krogh Kristensen	4392f0270c	autoformat	2021-01-06 10:37:36 +01:00
Erik Krogh Kristensen	3d98732136	support nested stars in js/ReDoS	2021-01-06 10:37:35 +01:00
Erik Krogh Kristensen	77967c3e63	undo unsound optimization in js/ReDoS	2021-01-06 10:36:21 +01:00
Erik Krogh Kristensen	34dda6d38b	refactor to share predicates between regular expression queries	2020-12-18 16:15:56 +01:00
Erik Krogh Kristensen	cc98c41dd6	revert marking repetitions with possibly empty body as forks	2020-12-03 20:08:07 +01:00
Erik Krogh Kristensen	33b2701551	refine isFork to remove false positive when a state has epsilon transition to itself	2020-11-29 21:42:50 +01:00
Erik Krogh Kristensen	729073fb43	detect ReDoS when the choices are "match some string" or "match Epsilon"	2020-11-27 20:15:23 +01:00
Erik Krogh Kristensen	46ca56458a	introduce a printable state class	2020-11-27 13:45:41 +01:00
Erik Krogh Kristensen	8a3e87fe42	remove unnecessary one-step inline	2020-11-27 13:45:41 +01:00
Erik Krogh Kristensen	36b9f0254e	performance improvements for suffix check in js/redos	2020-11-27 13:45:41 +01:00
Erik Krogh Kristensen	f576144ec6	more pruning based on states being inside a repetition	2020-11-26 17:30:37 +01:00
Erik Krogh Kristensen	11d878b413	adjust comments to reflect the precission of the suffix search	2020-11-25 14:40:33 +01:00
Erik Krogh Kristensen	500b94b50e	rename witness to pump	2020-11-25 13:57:21 +01:00
Erik Krogh Kristensen	e03c19b7fc	only search prefixes/suffixes from the candidates that are used in the end	2020-11-25 13:57:20 +01:00
Erik Krogh Kristensen	b8fabfa24e	only construct prefix/suffix for regular expressions that has a pumpable state	2020-11-25 13:57:20 +01:00
Erik Krogh Kristensen	a8944c8953	model accept states more accurately by adding an AcceptAny state, modelling $, and checking the existence of rejecting suffixes	2020-11-25 13:57:20 +01:00
Erik Krogh Kristensen	d9ebb7b20e	escape tabs	2020-11-25 13:57:20 +01:00
Erik Krogh Kristensen	bcb2f2768d	search for a prefix to the state that causes exponential backtracking	2020-11-25 13:57:20 +01:00
Erik Krogh Kristensen	94aa162f8d	prune state-pairs that are outside a backtracking repetition	2020-11-24 20:18:45 +01:00
Erik Krogh Kristensen	f3c3b82827	move condition inside parens	2020-11-24 20:16:40 +01:00
Erik Krogh Kristensen	d1706e8048	reuse InfiniteRepetitionQuantifier from SuperLiniearBacktracking	2020-11-24 20:16:36 +01:00
Erik Krogh Kristensen	a3b21ad43b	Apply suggestions from code review ... Co-authored-by: Asger F <asgerf@github.com>	2020-11-19 11:42:12 +01:00
Erik Krogh Kristensen	cc1d797cef	adjust top comment to reflect what the query does, and add comment about which kind of accepting state is assumed.	2020-11-18 21:32:31 +01:00
Erik Krogh Kristensen	58c31f0eca	prune more regexps initially in the ReDoS query	2020-11-18 15:14:46 +01:00
Erik Krogh Kristensen	c4153a617e	remove duplicated test cases from ReDoS, and adjust variables names to match test output	2020-11-18 14:49:09 +01:00
Erik Krogh Kristensen	8270bf5bb9	make the character search skip unencodable characters	2020-11-18 11:55:49 +01:00
Erik Krogh Kristensen	55f2f86a26	limit the search of state-pairs to the ones that are reachable within the given length	2020-11-18 09:23:35 +01:00
Erik Krogh Kristensen	97acf1fd87	fix FP related to inverted character classes choosing a char that was not matched by the char class	2020-11-17 17:34:43 +01:00
Erik Krogh Kristensen	a49b99b18c	autoformat	2020-11-13 20:06:17 +01:00
Erik Krogh Kristensen	affb11b0e3	changes based on review	2020-11-13 19:46:37 +01:00
Erik Krogh Kristensen	2f4fcc2f5e	Apply suggestions from code review ... Co-authored-by: Asger F <asgerf@github.com>	2020-11-13 18:03:07 +01:00
Erik Krogh Kristensen	17a687b344	testing many possible intersections, instead of a single intersection	2020-11-08 23:24:36 +01:00
Erik Krogh Kristensen	34fd0d89f5	finding the minimum that is not an FP - instead of finding the minimum and then checking if it was an FP. And detecting more FPs by finding when a witness pass through the accept state	2020-11-08 23:24:27 +01:00