Sync shared library changes across languages.

joefarebrother · joefarebrother · commit 0a5268aeb4e1 · 2022-05-04T15:41:38.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/performance/ReDoSUtil.qll b/javascript/ql/lib/semmle/javascript/security/performance/ReDoSUtil.qll
@@ -610,10 +610,15 @@ State after(RegExpTerm t) {
   or
   exists(RegExpGroup grp | t = grp.getAChild() | result = after(grp))
   or
-  exists(EffectivelyStar star | t = star.getAChild() | result = before(star))
+  exists(EffectivelyStar star | t = star.getAChild() |
+    not isPossessive(star) and
+    result = before(star)
+  )
   or
   exists(EffectivelyPlus plus | t = plus.getAChild() |
-    result = before(plus) or
+    not isPossessive(plus) and
+    result = before(plus)
+    or
     result = after(plus)
   )
   or
diff --git a/javascript/ql/lib/semmle/javascript/security/performance/ReDoSUtilSpecific.qll b/javascript/ql/lib/semmle/javascript/security/performance/ReDoSUtilSpecific.qll
@@ -12,6 +12,12 @@ predicate isEscapeClass(RegExpTerm term, string clazz) {
   exists(RegExpCharacterClassEscape escape | term = escape | escape.getValue() = clazz)
 }
 
+/**
+ * Holds if `term` is a possessive quantifier.
+ * As javascript's regexes do not support possessive quantifiers, this never holds, but is used by the shared library.
+ */
+predicate isPossessive(RegExpQuantifier term) { none() }
+
 /**
  * Holds if the regular expression should not be considered.
  *
diff --git a/python/ql/lib/semmle/python/security/performance/ReDoSUtil.qll b/python/ql/lib/semmle/python/security/performance/ReDoSUtil.qll
@@ -610,10 +610,15 @@ State after(RegExpTerm t) {
   or
   exists(RegExpGroup grp | t = grp.getAChild() | result = after(grp))
   or
-  exists(EffectivelyStar star | t = star.getAChild() | result = before(star))
+  exists(EffectivelyStar star | t = star.getAChild() |
+    not isPossessive(star) and
+    result = before(star)
+  )
   or
   exists(EffectivelyPlus plus | t = plus.getAChild() |
-    result = before(plus) or
+    not isPossessive(plus) and
+    result = before(plus)
+    or
     result = after(plus)
   )
   or
diff --git a/python/ql/lib/semmle/python/security/performance/ReDoSUtilSpecific.qll b/python/ql/lib/semmle/python/security/performance/ReDoSUtilSpecific.qll
@@ -13,6 +13,12 @@ predicate isEscapeClass(RegExpTerm term, string clazz) {
   exists(RegExpCharacterClassEscape escape | term = escape | escape.getValue() = clazz)
 }
 
+/**
+ * Holds if `term` is a possessive quantifier.
+ * As python's regexes do not support possessive quantifiers, this never holds, but is used by the shared library.
+ */
+predicate isPossessive(RegExpQuantifier term) { none() }
+
 /**
  * Holds if the regular expression should not be considered.
  *
diff --git a/ruby/ql/lib/codeql/ruby/security/performance/ReDoSUtil.qll b/ruby/ql/lib/codeql/ruby/security/performance/ReDoSUtil.qll
@@ -610,10 +610,15 @@ State after(RegExpTerm t) {
   or
   exists(RegExpGroup grp | t = grp.getAChild() | result = after(grp))
   or
-  exists(EffectivelyStar star | t = star.getAChild() | result = before(star))
+  exists(EffectivelyStar star | t = star.getAChild() |
+    not isPossessive(star) and
+    result = before(star)
+  )
   or
   exists(EffectivelyPlus plus | t = plus.getAChild() |
-    result = before(plus) or
+    not isPossessive(plus) and
+    result = before(plus)
+    or
     result = after(plus)
   )
   or
diff --git a/ruby/ql/lib/codeql/ruby/security/performance/ReDoSUtilSpecific.qll b/ruby/ql/lib/codeql/ruby/security/performance/ReDoSUtilSpecific.qll
@@ -33,6 +33,12 @@ predicate isExcluded(RegExpParent parent) {
   parent.(RegExpTerm).getRegExp().(AST::RegExpLiteral).hasFreeSpacingFlag() // exclude free-spacing mode regexes
 }
 
+/**
+ * Holds if `term` is a possessive quantifier.
+ * Not currently implemented, but is used by the shared library.
+ */
+predicate isPossessive(RegExpQuantifier term) { none() }
+
 /**
  * A module containing predicates for determining which flags a regular expression have.
  */

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,12 @@ predicate isEscapeClass(RegExpTerm term, string clazz) {`
`12`	`12`	`exists(RegExpCharacterClassEscape escape \| term = escape \| escape.getValue() = clazz)`
`13`	`13`	`}`
`14`	`14`
	`15`	`+/**`
	`16`	+ * Holds if `term` is a possessive quantifier.
	`17`	`+ * As javascript's regexes do not support possessive quantifiers, this never holds, but is used by the shared library.`
	`18`	`+ */`
	`19`	`+predicate isPossessive(RegExpQuantifier term) { none() }`
	`20`	`+`
`15`	`21`	`/**`
`16`	`22`	`* Holds if the regular expression should not be considered.`
`17`	`23`	`*`
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,12 @@ predicate isEscapeClass(RegExpTerm term, string clazz) {`
`13`	`13`	`exists(RegExpCharacterClassEscape escape \| term = escape \| escape.getValue() = clazz)`
`14`	`14`	`}`
`15`	`15`
	`16`	`+/**`
	`17`	+ * Holds if `term` is a possessive quantifier.
	`18`	`+ * As python's regexes do not support possessive quantifiers, this never holds, but is used by the shared library.`
	`19`	`+ */`
	`20`	`+predicate isPossessive(RegExpQuantifier term) { none() }`
	`21`	`+`
`16`	`22`	`/**`
`17`	`23`	`* Holds if the regular expression should not be considered.`
`18`	`24`	`*`