Merge pull request #6288 from erik-krogh/emptyRedos

JS/Python: Fix FP in redos related to empty lookaheads

Author: erik-krogh

javascript/ql/src/semmle/javascript/security/performance/ReDoSUtil.qll

@@ -71,6 +71,49 @@ private int ascii(string char) {
     )
 }
 
+/**
+ * Holds if `t` matches at least an epsilon symbol.
+ *
+ * That is, this term does not restrict the language of the enclosing regular expression.
+ *
+ * This is implemented as an under-approximation, and this predicate does not hold for sub-patterns in particular.
+ */
+predicate matchesEpsilon(RegExpTerm t) {
+  t instanceof RegExpStar
+  or
+  t instanceof RegExpOpt
+  or
+  t.(RegExpRange).getLowerBound() = 0
+  or
+  exists(RegExpTerm child |
+    child = t.getAChild() and
+    matchesEpsilon(child)
+  |
+    t instanceof RegExpAlt or
+    t instanceof RegExpGroup or
+    t instanceof RegExpPlus or
+    t instanceof RegExpRange
+  )
+  or
+  matchesEpsilon(t.(RegExpBackRef).getGroup())
+  or
+  forex(RegExpTerm child | child = t.(RegExpSequence).getAChild() | matchesEpsilon(child))
+}
+
+/**
+ * A lookahead/lookbehind that matches the empty string.
+ */
+class EmptyPositiveSubPatttern extends RegExpSubPattern {
+  EmptyPositiveSubPatttern() {
+    (
+      this instanceof RegExpPositiveLookahead
+      or
+      this instanceof RegExpPositiveLookbehind
+    ) and
+    matchesEpsilon(this.getOperand())
+  }
+}
+
 /**
  * A branch in a disjunction that is the root node in a literal, or a literal
  * whose root node is not a disjunction.
@@ -550,6 +593,10 @@ predicate delta(State q1, EdgeLabel lbl, State q2) {
   exists(RegExpDollar dollar | q1 = before(dollar) |
     lbl = Epsilon() and q2 = Accept(getRoot(dollar))
   )
+  or
+  exists(EmptyPositiveSubPatttern empty | q1 = before(empty) |
+    lbl = Epsilon() and q2 = after(empty)
+  )
 }
 
 /**

javascript/ql/src/semmle/javascript/security/performance/SuperlinearBackTracking.qll

@@ -363,35 +363,6 @@ predicate polynimalReDoS(RegExpTerm t, string pump, string prefixMsg, RegExpTerm
   )
 }
 
-/**
- * Holds if `t` matches at least an epsilon symbol.
- *
- * That is, this term does not restrict the language of the enclosing regular expression.
- *
- * This is implemented as an under-approximation, and this predicate does not hold for sub-patterns in particular.
- */
-private predicate matchesEpsilon(RegExpTerm t) {
-  t instanceof RegExpStar
-  or
-  t instanceof RegExpOpt
-  or
-  t.(RegExpRange).getLowerBound() = 0
-  or
-  exists(RegExpTerm child |
-    child = t.getAChild() and
-    matchesEpsilon(child)
-  |
-    t instanceof RegExpAlt or
-    t instanceof RegExpGroup or
-    t instanceof RegExpPlus or
-    t instanceof RegExpRange
-  )
-  or
-  matchesEpsilon(t.(RegExpBackRef).getGroup())
-  or
-  forex(RegExpTerm child | child = t.(RegExpSequence).getAChild() | matchesEpsilon(child))
-}
-
 /**
  * Gets a message for why `term` can cause polynomial backtracking.
  */

javascript/ql/test/query-tests/Performance/ReDoS/PolynomialBackTracking.expected

@@ -493,3 +493,11 @@
 | tst.js:351:15:351:16 | a+ | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding (a+)* |
 | tst.js:352:15:352:16 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding (a*)+b |
 | tst.js:353:15:353:16 | a+ | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding (a+)+ |
+| tst.js:372:16:372:21 | [^"]*? | Strings starting with '"' and with many repetitions of '""' can start matching anywhere after the start of the preceeding ("[^"]*?"\|[^"\\s]+)+(?=\\s*\|\\s*$)X |
+| tst.js:372:24:372:30 | [^"\\s]+ | Strings with many repetitions of '!' can start matching anywhere after the start of the preceeding ("[^"]*?"\|[^"\\s]+)+ |
+| tst.js:373:16:373:21 | [^"]*? | Strings starting with '"' and with many repetitions of '""' can start matching anywhere after the start of the preceeding ("[^"]*?"\|[^"\\s]+)+(?=X) |
+| tst.js:373:24:373:30 | [^"\\s]+ | Strings with many repetitions of '!' can start matching anywhere after the start of the preceeding ("[^"]*?"\|[^"\\s]+)+ |
+| tst.js:374:15:374:16 | x* | Strings with many repetitions of 'x' can start matching anywhere after the start of the preceeding (x*)+(?=$) |
+| tst.js:375:15:375:16 | x* | Strings with many repetitions of 'x' can start matching anywhere after the start of the preceeding (x*)+(?=$\|y) |
+| tst.js:378:16:378:22 | [\\s\\S]* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding ([\\s\\S]*)+(?=$) |
+| tst.js:379:16:379:22 | [\\s\\S]* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding ([\\s\\S]*)+(?=$\|y) |

javascript/ql/test/query-tests/Performance/ReDoS/ReDoS.expected

@@ -172,3 +172,9 @@
 | tst.js:361:15:361:33 | ((?:a{0\|-)\|\\w\\{\\d)+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a{0'. |
 | tst.js:362:15:362:35 | ((?:a{0,\|-)\|\\w\\{\\d,)+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a{0,'. |
 | tst.js:363:15:363:38 | ((?:a{0,2\|-)\|\\w\\{\\d,\\d)+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a{0,2'. |
+| tst.js:372:24:372:30 | [^"\\s]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '!'. |
+| tst.js:373:24:373:30 | [^"\\s]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '!'. |
+| tst.js:374:15:374:16 | x* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'x'. |
+| tst.js:375:15:375:16 | x* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'x'. |
+| tst.js:378:16:378:22 | [\\s\\S]* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
+| tst.js:379:16:379:22 | [\\s\\S]* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |

javascript/ql/test/query-tests/Performance/ReDoS/tst.js

@@ -363,4 +363,17 @@ var bad85 = /^((?:a{0,|-)|\w\{\d,)+X$/;
 var bad86 = /^((?:a{0,2|-)|\w\{\d,\d)+X$/; 
 
 // GOOD: 
-var good42 = /^((?:a{0,2}|-)|\w\{\d,\d\})+X$/; 
+var good42 = /^((?:a{0,2}|-)|\w\{\d,\d\})+X$/; 
+
+// GOOD
+var good43 = /("[^"]*?"|[^"\s]+)+(?=\s*|\s*$)/g;
+
+// BAD
+var bad87 = /("[^"]*?"|[^"\s]+)+(?=\s*|\s*$)X/g;
+var bad88 = /("[^"]*?"|[^"\s]+)+(?=X)/g;
+var bad89 = /(x*)+(?=$)/
+var bad90 = /(x*)+(?=$|y)/
+
+// GOOD - but we spuriously conclude that a rejecting suffix exists.
+var good44 = /([\s\S]*)+(?=$)/;
+var good45 = /([\s\S]*)+(?=$|y)/;

python/ql/src/semmle/python/RegexTreeView.qll

@@ -836,6 +836,15 @@ class RegExpZeroWidthMatch extends RegExpGroup {
  */
 class RegExpSubPattern extends RegExpZeroWidthMatch {
   RegExpSubPattern() { not re.emptyGroup(start, end) }
+
+  /** Gets the lookahead term. */
+  RegExpTerm getOperand() {
+    exists(int in_start, int in_end | re.groupContents(start, end, in_start, in_end) |
+      result.getRegex() = re and
+      result.getStart() = in_start and
+      result.getEnd() = in_end
+    )
+  }
 }
 
 /**

python/ql/src/semmle/python/security/performance/ReDoSUtil.qll

@@ -71,6 +71,49 @@ private int ascii(string char) {
     )
 }
 
+/**
+ * Holds if `t` matches at least an epsilon symbol.
+ *
+ * That is, this term does not restrict the language of the enclosing regular expression.
+ *
+ * This is implemented as an under-approximation, and this predicate does not hold for sub-patterns in particular.
+ */
+predicate matchesEpsilon(RegExpTerm t) {
+  t instanceof RegExpStar
+  or
+  t instanceof RegExpOpt
+  or
+  t.(RegExpRange).getLowerBound() = 0
+  or
+  exists(RegExpTerm child |
+    child = t.getAChild() and
+    matchesEpsilon(child)
+  |
+    t instanceof RegExpAlt or
+    t instanceof RegExpGroup or
+    t instanceof RegExpPlus or
+    t instanceof RegExpRange
+  )
+  or
+  matchesEpsilon(t.(RegExpBackRef).getGroup())
+  or
+  forex(RegExpTerm child | child = t.(RegExpSequence).getAChild() | matchesEpsilon(child))
+}
+
+/**
+ * A lookahead/lookbehind that matches the empty string.
+ */
+class EmptyPositiveSubPatttern extends RegExpSubPattern {
+  EmptyPositiveSubPatttern() {
+    (
+      this instanceof RegExpPositiveLookahead
+      or
+      this instanceof RegExpPositiveLookbehind
+    ) and
+    matchesEpsilon(this.getOperand())
+  }
+}
+
 /**
  * A branch in a disjunction that is the root node in a literal, or a literal
  * whose root node is not a disjunction.
@@ -550,6 +593,10 @@ predicate delta(State q1, EdgeLabel lbl, State q2) {
   exists(RegExpDollar dollar | q1 = before(dollar) |
     lbl = Epsilon() and q2 = Accept(getRoot(dollar))
   )
+  or
+  exists(EmptyPositiveSubPatttern empty | q1 = before(empty) |
+    lbl = Epsilon() and q2 = after(empty)
+  )
 }
 
 /**

python/ql/src/semmle/python/security/performance/SuperlinearBackTracking.qll

@@ -363,35 +363,6 @@ predicate polynimalReDoS(RegExpTerm t, string pump, string prefixMsg, RegExpTerm
   )
 }
 
-/**
- * Holds if `t` matches at least an epsilon symbol.
- *
- * That is, this term does not restrict the language of the enclosing regular expression.
- *
- * This is implemented as an under-approximation, and this predicate does not hold for sub-patterns in particular.
- */
-private predicate matchesEpsilon(RegExpTerm t) {
-  t instanceof RegExpStar
-  or
-  t instanceof RegExpOpt
-  or
-  t.(RegExpRange).getLowerBound() = 0
-  or
-  exists(RegExpTerm child |
-    child = t.getAChild() and
-    matchesEpsilon(child)
-  |
-    t instanceof RegExpAlt or
-    t instanceof RegExpGroup or
-    t instanceof RegExpPlus or
-    t instanceof RegExpRange
-  )
-  or
-  matchesEpsilon(t.(RegExpBackRef).getGroup())
-  or
-  forex(RegExpTerm child | child = t.(RegExpSequence).getAChild() | matchesEpsilon(child))
-}
-
 /**
  * Gets a message for why `term` can cause polynomial backtracking.
  */

python/ql/test/query-tests/Security/CWE-730-ReDoS/ReDoS.expected

@@ -93,5 +93,7 @@
 | redos.py:364:25:364:45 | ((?:a{0,\|-)\|\\w\\{\\d,)+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a{0,'. |
 | redos.py:365:25:365:48 | ((?:a{0,2\|-)\|\\w\\{\\d,\\d)+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a{0,2'. |
 | redos.py:371:25:371:35 | (\\u0061\|a)* | This part of the regular expression may cause exponential backtracking on strings starting with 'X' and containing many repetitions of 'a'. |
+| redos.py:380:35:380:41 | [^"\\s]+ | This part of the regular expression may cause exponential backtracking on strings starting with '/' and containing many repetitions of '!'. |
+| redos.py:381:35:381:41 | [^"\\s]+ | This part of the regular expression may cause exponential backtracking on strings starting with '/' and containing many repetitions of '!'. |
 | unittests.py:5:17:5:23 | (\u00c6\|\\\u00c6)+ | This part of the regular expression may cause exponential backtracking on strings starting with 'X' and containing many repetitions of '\u00c6'. |
 | unittests.py:9:16:9:24 | (?:.\|\\n)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\n'. |

python/ql/test/query-tests/Security/CWE-730-ReDoS/redos.py

@@ -371,4 +371,11 @@
 bad87 = re.compile(r'X(\u0061|a)*Y')
 
 # GOOD
-good43 = re.compile(r'X(\u0061|b)+Y')
+good43 = re.compile(r'X(\u0061|b)+Y')
+
+# GOOD
+good44 = re.compile(r'("[^"]*?"|[^"\s]+)+(?=\s*|\s*$)')
+
+# BAD
+bad88 = re.compile(r'/("[^"]*?"|[^"\s]+)+(?=\s*|\s*$)X')
+bad89 = re.compile(r'/("[^"]*?"|[^"\s]+)+(?=X)')