add support for \W, \S, \D

erik-krogh · erik-krogh · commit 0063cb140c41 · 2020-11-08T23:16:56.000+01:00
diff --git a/javascript/ql/src/Performance/ReDoS.ql b/javascript/ql/src/Performance/ReDoS.ql
@@ -303,6 +303,25 @@ private module CharacterClasses {
     }
   }
 
+  /**
+   * Holds if the character class escape `clazz` (\d, \s, or \w) matches `char`.
+   */
+  private predicate classEscapeMatches(string clazz, string char) {
+    clazz = "d" and
+    char = "0123456789".charAt(_)
+    or
+    clazz = "s" and
+    (
+      char = [" ", "\t", "\r", "\n", "\\u000c", "\\u000b"]
+      or
+      exists(RegExpConstant constant | constant.getValue().charAt(_) = char) and
+      char.regexpMatch("\\u000b|\\u000c") // \v|\f (vertical tab | form feed)
+    )
+    or
+    clazz = "w" and
+    char = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_".charAt(_)
+  }
+
   /**
    * An implementation of `CharacterClass` for \d, \s, and \w.
    */
@@ -322,25 +341,37 @@ private module CharacterClasses {
       result = ["a", "Z", "_", "0", "9"]
     }
 
-    override predicate matches(string char) {
-      cc.getValue() = "d" and
-      char = "0123456789".charAt(_)
+    override predicate matches(string char) { classEscapeMatches(cc.getValue(), char) }
+
+    override string choose() { result = min(string c | c = getARelevantChar()) }
+  }
+
+  /**
+   * An implementation of `CharacterClass` for \D, \S, and \W.
+   */
+  private class NegativeCharacterClassEscape extends CharacterClass {
+    RegExpCharacterClassEscape cc;
+
+    NegativeCharacterClassEscape() { this = CharClass(cc) and cc.getValue() = ["D", "S", "W"] }
+
+    override string getARelevantChar() {
+      cc.getValue() = "D" and
+      result = ["a", "Z", "!"]
       or
-      cc.getValue() = "s" and
-      (
-        char = [" ", "\t", "\r", "\n", "\\u000c", "\\u000b"]
-        or
-        exists(RegExpConstant constant | constant.getValue().charAt(_) = char) and
-        char.regexpMatch("\\u000b|\\u000c") // \v|\f (vertical tab | form feed)
-      )
+      cc.getValue() = "S" and
+      result = ["a", "9", "!"]
       or
-      cc.getValue() = "w" and
-      char = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_".charAt(_)
+      cc.getValue() = "W" and
+      result = [" ", "!"]
+    }
+
+    bindingset[char]
+    override predicate matches(string char) {
+      not classEscapeMatches(cc.getValue().toLowerCase(), char)
     }
 
     override string choose() { result = min(string c | c = getARelevantChar()) }
   }
-  // TODO: Implementations for inversed RegExpCharacterClassEscape
 }
 
 newtype TState =
diff --git a/javascript/ql/test/query-tests/Performance/ReDoS/ReDoS.expected b/javascript/ql/test/query-tests/Performance/ReDoS/ReDoS.expected
@@ -100,3 +100,5 @@
 | tst.js:149:15:149:24 | (\\s\|[\\f])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\u000c'. |
 | tst.js:152:15:152:28 | (\\s\|[\\v]\|\\\\v)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\u000b'. |
 | tst.js:155:15:155:24 | (\\f\|[\\f])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\u000c'. |
+| tst.js:158:15:158:22 | (\\W\|\\D)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '!'. |
+| tst.js:161:15:161:22 | (\\S\|\\w)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '0'. |
diff --git a/javascript/ql/test/query-tests/Performance/ReDoS/tst.js b/javascript/ql/test/query-tests/Performance/ReDoS/tst.js
@@ -152,4 +152,10 @@ var bad33 = /((\s|[\f])*)"/;
 var bad34 = /((\s|[\v]|\\v)*)"/;
 
 // NOT GOOD
-var bad35 = /((\f|[\f])*)"/;
+var bad35 = /((\f|[\f])*)"/;
+
+// NOT GOOD
+var bad36 = /((\W|\D)*)"/;
+
+// NOT GOOD
+var bad37 = /((\S|\w)*)"/;
