hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
66737402c20fc83b3d3a654dcccf4b26c901b100
codeql/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js
Asger F fd6a9c6144 JS: Accept an alert
2025-02-28 13:29:27 +01:00

346 lines
11 KiB
JavaScript
Raw Blame History

// Adapted from marked (https://github.com/markedjs/marked), which is licensed
// under the MIT license; see file marked-LICENSE.
var bad1 = /^\b_((?:__|[\s\S])+?)_\b|^\*((?:\*\*|[\s\S])+?)\*(?!\*)/; // $ Alert[js/redos] - attack: "_" + "__".repeat(100)
// Adapted from marked (https://github.com/markedjs/marked), which is licensed
// under the MIT license; see file marked-LICENSE.
var good1 = /^\b_((?:__|[^_])+?)_\b|^\*((?:\*\*|[^*])+?)\*(?!\*)/;
// OK - there is no witness in the end that could cause the regexp to not match
// Adapted from brace-expansion (https://github.com/juliangruber/brace-expansion),
// which is licensed under the MIT license; see file brace-expansion-LICENSE.
var good2 = /(.*,)+.+/;
// Adapted from CodeMirror (https://github.com/codemirror/codemirror),
// which is licensed under the MIT license; see file CodeMirror-LICENSE.
var bad2 = /^(?:\s+(?:"(?:[^"\\]|\\\\|\\.)+"|'(?:[^'\\]|\\\\|\\.)+'|\((?:[^)\\]|\\\\|\\.)+\)))?/; // $ Alert[js/redos] - attack: " '" + "\\\\".repeat(100)
// Adapted from lulucms2 (https://github.com/yiifans/lulucms2).
var good2 = /\(\*(?:[\s\S]*?\(\*[\s\S]*?\*\))*[\s\S]*?\*\)/;
// Adapted from jest (https://github.com/facebook/jest), which is licensed
// under the MIT license; see file jest-LICENSE.
var good3 = /^ *(\S.*\|.*)\n *([-:]+ *\|[-| :]*)\n((?:.*\|.*(?:\n|$))*)\n*/;
var bad4 = /^ *(\S.*\|.*)\n *([-:]+ *\|[-| :]*)\n((?:.*\|.*(?:\n|$))*)a/; // $ Alert[js/redos] - variant of good3; attack: "a|\n:|\n" + "||\n".repeat(100)
// Adapted from ANodeBlog (https://github.com/gefangshuai/ANodeBlog),
// which is licensed under the Apache License 2.0; see file ANodeBlog-LICENSE.
var bad5 = /\/(?![ *])(\\\/|.)*?\/[gim]*(?=\W|$)/; // $ Alert[js/redos] - attack: "/" + "\\/a".repeat(100)
// Adapted from CodeMirror (https://github.com/codemirror/codemirror),
// which is licensed under the MIT license; see file CodeMirror-LICENSE.
var bad6 = /^([\s\[\{\(]|#.*)*$/; // $ Alert[js/redos] - attack: "##".repeat(100) + "\na"
var good4 = /(\r\n|\r|\n)+/;
// BAD - PoC: `node -e "/((?:[^\"\']|\".*?\"|\'.*?\')*?)([(,)]|$)/.test(\"'''''''''''''''''''''''''''''''''''''''''''''\\\"\");"`. It's complicated though, because the regexp still matches something, it just matches the empty-string after the attack string.
var actuallyBad = /((?:[^"']|".*?"|'.*?')*?)([(,)]|$)/; // $ Alert[js/redos]
// Adapted from Knockout (https://github.com/knockout/knockout), which is
// licensed under the MIT license; see file knockout-LICENSE
var bad6 = /^[\_$a-z][\_$a-z0-9]*(\[.*?\])*(\.[\_$a-z][\_$a-z0-9]*(\[.*?\])*)*$/i; // $ Alert[js/redos] - attack: "a" + "[]".repeat(100) + ".b\n"
var good6 = /(a|.)*/;
// Testing the NFA - only some of the below are detected.
var bad7 = /^([a-z]+)+$/; // $ Alert[js/redos]
var bad8 = /^([a-z]*)*$/; // $ Alert[js/redos]
var bad9 = /^([a-zA-Z0-9])(([\\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/; // $ Alert[js/redos]
var bad10 = /^(([a-z])+.)+[A-Z]([a-z])+$/; // $ Alert[js/redos]
// Adapted from Prototype.js (https://github.com/prototypejs/prototype), which
// is licensed under the MIT license; see file Prototype.js-LICENSE.
var bad11 = /(([\w#:.~>+()\s-]+|\*|\[.*?\])+)\s*(,|$)/; // $ Alert[js/redos] - attack: "[" + "][".repeat(100) + "]!"
// Adapted from Prism (https://github.com/PrismJS/prism), which is licensed
// under the MIT license; see file Prism-LICENSE.
var bad12 = /("|')(\\?.)*?\1/g; // $ Alert[js/redos] - attack: "'" + "\\a".repeat(100) + '"'
var bad13 = /(b|a?b)*c/; // $ Alert[js/redos]
var bad15 = /(a|aa?)*b/; // $ Alert[js/redos]
var good7 = /(.|\n)*!/;
var bad16 = /(.|\n)*!/s; // $ Alert[js/redos] - attack: "\n".repeat(100) + "."
var good8 = /([\w.]+)*/;
var bad17 = new RegExp('(a|aa?)*b'); // $ Alert[js/redos]
// OK - not used as regexp
var good9 = '(a|aa?)*b';
var bad18 = /(([^]|[^a])*)"/; // $ Alert[js/redos]
// OK - there is no witness in the end that could cause the regexp to not match
var good10 = /([^"']+)*/g;
var bad20 = /((.|[^a])*)"/; // $ Alert[js/redos]
var good10 = /((a|[^a])*)"/;
var bad21 = /((b|[^a])*)"/; // $ Alert[js/redos]
var bad22 = /((G|[^a])*)"/; // $ Alert[js/redos]
var bad23 = /(([0-9]|[^a])*)"/; // $ Alert[js/redos]
var bad24 = /(?:=(?:([!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z]+)|"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"))?/; // $ Alert[js/redos]
var bad25 = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"/; // $ Alert[js/redos]
var fix25 = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"/; // OK - fixed version of bad25
var bad27 = /(([a-z]|[d-h])*)"/; // $ Alert[js/redos]
var bad27 = /(([^a-z]|[^0-9])*)"/; // $ Alert[js/redos]
var bad28 = /((\d|[0-9])*)"/; // $ Alert[js/redos]
var bad29 = /((\s|\s)*)"/; // $ Alert[js/redos]
var bad30 = /((\w|G)*)"/; // $ Alert[js/redos]
var good11 = /((\s|\d)*)"/;
var bad31 = /((\d|\w)*)"/; // $ Alert[js/redos]
var bad32 = /((\d|5)*)"/; // $ Alert[js/redos]
var bad33 = /((\s|[\f])*)"/; // $ Alert[js/redos]
var bad34 = /((\s|[\v]|\\v)*)"/; // $ Alert[js/redos]
var bad35 = /((\f|[\f])*)"/; // $ Alert[js/redos]
var bad36 = /((\W|\D)*)"/; // $ Alert[js/redos]
var bad37 = /((\S|\w)*)"/; // $ Alert[js/redos]
var bad38 = /((\S|[\w])*)"/; // $ Alert[js/redos]
var bad39 = /((1s|[\da-z])*)"/; // $ Alert[js/redos]
var bad40 = /((0|[\d])*)"/; // $ Alert[js/redos]
var bad41 = /(([\d]+)*)"/; // $ Alert[js/redos]
// OK - there is no witness in the end that could cause the regexp to not match
var good12 = /(\d+(X\d+)?)+/;
// OK - there is no witness in the end that could cause the regexp to not match
var good13 = /([0-9]+(X[0-9]*)?)*/;
var good15 = /^([^>]+)*(>|$)/;
var bad43 = /^([^>a]+)*(>|$)/; // $ Alert[js/redos]
var bad44 = /(\n\s*)+$/; // $ Alert[js/redos]
var bad45 = /^(?:\s+|#.*|\(\?#[^)]*\))*(?:[?*+]|{\d+(?:,\d*)?})/; // $ Alert[js/redos]
var bad46 = /\{\[\s*([a-zA-Z]+)\(([a-zA-Z]+)\)((\s*([a-zA-Z]+)\: ?([ a-zA-Z{}]+),?)+)*\s*\]\}/; // $ Alert[js/redos]
var bad47 = /(a+|b+|c+)*c/; // $ Alert[js/redos]
var bad48 = /(((a+a?)*)+b+)/; // $ Alert[js/redos]
var bad49 = /(a+)+bbbb/; // $ Alert[js/redos]
var good16 = /(a+)+aaaaa*a+/;
var bad50 = /(a+)+aaaaa$/; // $ Alert[js/redos]
var good17 = /(\n+)+\n\n/;
var bad51 = /(\n+)+\n\n$/; // $ Alert[js/redos]
var bad52 = /([^X]+)*$/; // $ Alert[js/redos]
var bad53 = /(([^X]b)+)*$/; // $ Alert[js/redos]
var good18 = /(([^X]b)+)*($|[^X]b)/;
var bad54 = /(([^X]b)+)*($|[^X]c)/; // $ Alert[js/redos]
var good20 = /((ab)+)*ababab/;
var good21 = /((ab)+)*abab(ab)*(ab)+/;
var good22 = /((ab)+)*/;
var bad55 = /((ab)+)*$/; // $ Alert[js/redos]
var good23 = /((ab)+)*[a1][b1][a2][b2][a3][b3]/;
var bad56 = /([\n\s]+)*(.)/; // $ Alert[js/redos]
// OK - any witness passes through the accept state.
var good24 = /(A*A*X)*/;
var good26 = /([^\\\]]+)*/
var bad59 = /(\w*foobarbaz\w*foobarbaz\w*foobarbaz\w*foobarbaz\s*foobarbaz\d*foobarbaz\w*)+-/; // $ Alert[js/redos]
var bad60 = /(.thisisagoddamnlongstringforstresstestingthequery|\sthisisagoddamnlongstringforstresstestingthequery)*-/ // $ Alert[js/redos]
var bad61 = /(thisisagoddamnlongstringforstresstestingthequery|this\w+query)*-/ // $ Alert[js/redos]
var good27 = /(thisisagoddamnlongstringforstresstestingthequery|imanotherbutunrelatedstringcomparedtotheotherstring)*-/
var good28 = /foo([\uDC66\uDC67]|[\uDC68\uDC69])*foo/
var good29 = /foo((\uDC66|\uDC67)|(\uDC68|\uDC69))*foo/
var bad62 = /a{2,3}(b+)+X/; // $ Alert[js/redos]
var bad63 = /^<(\w+)((?:\s+\w+(?:\s*=\s*(?:(?:"[^"]*")|(?:'[^']*')|[^>\s]+))?)*)\s*(\/?)>/; // $ Alert[js/redos] - and a good prefix test
var good30 = /(a+)*[^][^][^]?/;
// GOOD - but we fail to see that repeating the attack string ends in the "accept any" state (due to not parsing the range `[^]{2,3}`).
var good31 = /(a+)*[^]{2,3}/; // $ Alert[js/redos]
// GOOD - but we spuriously conclude that a rejecting suffix exists (due to not parsing the range `[^]{2,}` when constructing the NFA).
var good32 = /(a+)*([^]{2,}|X)$/; // $ Alert[js/redos]
var good33 = /(a+)*([^]*|X)$/;
var bad64 = /((a+)*$|[^]+)/; // $ Alert[js/redos]
var good34 = /([^]+|(a+)*$)/; // $ SPURIOUS: Alert[js/redos] - The only change compared to the above is the order of alternatives, which we don't model.
var good35 = /((;|^)a+)+$/;
var bad65 = /(^|;)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(e+)+f/; // $ Alert[js/redos] - a good prefix test
var bad66 = /^ab(c+)+$/; // $ Alert[js/redos]
var bad67 = /(\d(\s+)*){20}/; // $ Alert[js/redos]
// OK - but we spuriously conclude that a rejecting suffix exists.
var good36 = /(([^/]|X)+)(\/[^]*)*$/; // $ Alert[js/redos]
// OK - but we spuriously conclude that a rejecting suffix exists.
var good37 = /^((x([^Y]+)?)*(Y|$))/; // $ Alert[js/redos]
var bad68 = /(a*)+b/; // $ Alert[js/redos]
var bad69 = /foo([\w-]*)+bar/; // $ Alert[js/redos]
var bad70 = /((ab)*)+c/; // $ Alert[js/redos]
var bad71 = /(a?a?)*b/; // $ Alert[js/redos]
var good38 = /(a?)*b/;
var bad72 = /(c?a?)*b/; // $ MISSING: Alert
var bad73 = /(?:a|a?)+b/; // $ Alert[js/redos]
var bad74 = /(a?b?)*$/; // $ MISSING: Alert
var bad76 = /PRE(([a-c]|[c-d])T(e?e?e?e?|X))+(cTcT|cTXcTX$)/; // $ Alert[js/redos]
var bad77 = /^((a)+\w)+$/; // $ Alert[js/redos]
var bad78 = /^(b+.)+$/; // $ Alert[js/redos]
var good39 = /a*b/;
// All 4 bad combinations of nested * and +)
var bad79 = /(a*)*b/; // $ Alert[js/redos]
var bad80 = /(a+)*b/; // $ Alert[js/redos]
var bad81 = /(a*)+b/; // $ Alert[js/redos]
var bad82 = /(a+)+b/; // $ Alert[js/redos]
var good40 = /(a|b)+/;
var good41 = /(?:[\s;,"'<>(){}|[\]@=+*]|:(?![/\\]))+/;
var bad83 = /^((?:a{|-)|\w\{)+X$/; // $ Alert[js/redos]
var bad84 = /^((?:a{0|-)|\w\{\d)+X$/; // $ Alert[js/redos]
var bad85 = /^((?:a{0,|-)|\w\{\d,)+X$/; // $ Alert[js/redos]
var bad86 = /^((?:a{0,2|-)|\w\{\d,\d)+X$/; // $ Alert[js/redos]
var bad86AndAHalf = /^((?:a{0,2}|-)|\w\{\d,\d\})+X$/; // $ MISSING: Alert
var good43 = /("[^"]*?"|[^"\s]+)+(?=\s*|\s*$)/g;
var bad87 = /("[^"]*?"|[^"\s]+)+(?=\s*|\s*$)X/g; // $ Alert[js/redos]
var bad88 = /("[^"]*?"|[^"\s]+)+(?=X)/g; // $ Alert[js/redos]
var bad89 = /(x*)+(?=$)/ // $ Alert[js/redos]
var bad90 = /(x*)+(?=$|y)/ // $ Alert[js/redos]
// OK - but we spuriously conclude that a rejecting suffix exists.
var good44 = /([\s\S]*)+(?=$)/; // $ Alert[js/redos]
var good45 = /([\s\S]*)+(?=$|y)/; // $ Alert[js/redos]
var good46 = /(foo|FOO)*bar/;
var bad91 = /(foo|FOO)*bar/i; // $ Alert[js/redos]
var good47 = /([AB]|[ab])*C/;
var bad92 = /([DE]|[de])*F/i; // $ Alert[js/redos]
var bad93 = /(?<=^v?|\sv?)(a|aa)*$/; // $ Alert[js/redos]
var bad94 = /(a|aa)*$/; // $ Alert[js/redos]
var bad95 = new RegExp(
"(a" +
"|" +
"aa)*" +
"b$" // $ Alert[js/redos]
);
var bad96 = new RegExp("(" +
"(c|cc)*|" + // $ Alert[js/redos]
"(d|dd)*|" + // $ Alert[js/redos]
"(e|ee)*" +
")f$"); // $ Alert[js/redos]
var bad97 = new RegExp(
"(g|gg" +
")*h$"); // $ Alert[js/redos]
var bad98 = /^(?:\*\/\*|[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}\/(?:\*|[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126})(?:\s* *; *[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}(?:="?[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}"?)?\s*)*)$/; // $ Alert[js/redos]
var good48 = /(\/(?:\/[\w.-]*)*){0,1}:([\w.-]+)/;
var bad99 = /(a{1,})*b/; // $ Alert[js/redos]
var unicode = /^\n\u0000(\u0000|.)+$/; // $ Alert[js/redos]
var largeUnicode = new RegExp("^\n\u{1F680}(\u{1F680}|.)+X$"); // $ Alert[js/redos]
var unicodeSets = /(aa?)*b/v; // $ Alert[js/redos]
Reference in New Issue View Git Blame Copy Permalink