matching a inverted char class with a char

erik-krogh · erik-krogh · commit 16473fc2a4cc · 2020-11-06T10:18:57.000+01:00
diff --git a/javascript/ql/src/Performance/ReDoS.ql b/javascript/ql/src/Performance/ReDoS.ql
@@ -429,6 +429,20 @@ newtype Trace =
     t = Nil() and isFork(_, s1, s2, _, _)
   }
 
+/**
+ * Holds if the character class `cc` has a child (constant or range) that matches `char`.
+ */
+bindingset[char]
+predicate charClassMatchesChar(RegExpCharacterClass cc, string char) {
+  exists(RegExpTerm child | child = cc.getAChild() |
+    char = child.(RegExpConstant).getValue()
+    or
+    exists(string lo, string hi | child.(RegExpCharacterRange).isRange(lo, hi) |
+      lo <= char and char <= hi
+    )
+  )
+}
+
 /**
  * Gets a character that is represented by both `c` and `d`.
  */
@@ -437,14 +451,10 @@ string intersect(InputSymbol c, InputSymbol d) {
   (
     d = Char(result)
     or
-    exists(RegExpCharacterClass cc | d = CharClass(cc) |
-      exists(RegExpTerm child | child = cc.getAChild() |
-        result = child.(RegExpConstant).getValue()
-        or
-        exists(string lo, string hi | child.(RegExpCharacterRange).isRange(lo, hi) |
-          lo <= result and result <= hi
-        )
-      )
+    exists(RegExpCharacterClass cc | d = CharClass(cc) | charClassMatchesChar(cc, result))
+    or
+    exists(RegExpCharacterClass cc | d = InvertedCharClass(cc) |
+      not charClassMatchesChar(cc, result)
     )
     or
     d = Dot() and
diff --git a/javascript/ql/test/query-tests/Performance/ReDoS/ReDoS.expected b/javascript/ql/test/query-tests/Performance/ReDoS/ReDoS.expected
@@ -27,6 +27,8 @@
 | regexplib/markup.js:13:14:13:16 | .+? | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a"'. |
 | regexplib/markup.js:37:29:37:56 | [a-zA-Z0-9\|:\|\\/\|=\|-\|.\|\\?\|&]* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '='. |
 | regexplib/markup.js:53:29:53:56 | [a-zA-Z0-9\|:\|\\/\|=\|-\|.\|\\?\|&]* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '='. |
+| regexplib/misc.js:79:3:79:25 | (\\/w\|\\/W\|[^<>+?$%{}&])+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '/W'. |
+| regexplib/misc.js:142:3:142:25 | (\\/w\|\\/W\|[^<>+?$%{}&])+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '/W'. |
 | regexplib/strings.js:19:31:19:57 | [a-z&#230;&#248;&#229;0-9]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '#'. |
 | regexplib/uri.js:3:128:3:129 | .* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '/'. |
 | regexplib/uri.js:38:35:38:40 | [a-z]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
@@ -54,5 +56,6 @@
 | tst.js:83:14:83:20 | (.\|\\n)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\n'. |
 | tst.js:89:25:89:32 | (a\|aa?)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
 | tst.js:95:15:95:25 | ([^]\|[^a])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'b'. |
-| tst.js:98:15:98:20 | [^"']+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '('. |
 | tst.js:101:15:101:23 | (.\|[^a])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'b'. |
+| tst.js:107:15:107:23 | (b\|[^a])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'b'. |
+| tst.js:110:15:110:23 | (G\|[^a])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'G'. |
diff --git a/javascript/ql/test/query-tests/Performance/ReDoS/tst.js b/javascript/ql/test/query-tests/Performance/ReDoS/tst.js
@@ -94,8 +94,17 @@ var good9 = '(a|aa?)*b';
 // NOT GOOD
 var bad18 = /(([^]|[^a])*)"/;
 
-// NOT GOOD
+// NOT GOOD - but not flagged
 var bad19 = /([^"']+)*/g;
 
 // NOT GOOD
 var bad20 = /((.|[^a])*)"/;
+
+// GOOD
+var good10 = /((a|[^a])*)"/;
+
+// NOT GOOD
+var bad21 = /((b|[^a])*)"/;
+
+// NOT GOOD
+var bad22 = /((G|[^a])*)"/;
