github
diff --git a/‎javascript/change-notes/2021-01-14-polynomial-redos.md‎
Lines changed: 2 additions & 0 deletions b/‎javascript/change-notes/2021-01-14-polynomial-redos.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎javascript/ql/src/Performance/PolynomialReDoS.ql‎
Lines changed: 11 additions & 6 deletions b/‎javascript/ql/src/Performance/PolynomialReDoS.ql‎
Lines changed: 11 additions & 6 deletions
diff --git a/‎javascript/ql/src/semmle/javascript/PackageExports.qll‎
Lines changed: 19 additions & 9 deletions b/‎javascript/ql/src/semmle/javascript/PackageExports.qll‎
Lines changed: 19 additions & 9 deletions
diff --git a/‎javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll‎
Lines changed: 1 addition & 6 deletions b/‎javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll‎
Lines changed: 1 addition & 6 deletions
diff --git a/‎javascript/ql/src/semmle/javascript/security/performance/PolynomialReDoSCustomizations.qll‎
Lines changed: 38 additions & 4 deletions b/‎javascript/ql/src/semmle/javascript/security/performance/PolynomialReDoSCustomizations.qll‎
Lines changed: 38 additions & 4 deletions
diff --git a/‎javascript/ql/src/semmle/javascript/security/performance/ReDoSUtil.qll‎
Lines changed: 5 additions & 1 deletion b/‎javascript/ql/src/semmle/javascript/security/performance/ReDoSUtil.qll‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎javascript/ql/src/semmle/javascript/security/performance/SuperlinearBackTracking.qll‎
Lines changed: 47 additions & 14 deletions b/‎javascript/ql/src/semmle/javascript/security/performance/SuperlinearBackTracking.qll‎
Lines changed: 47 additions & 14 deletions
diff --git a/‎javascript/ql/test/library-tests/PackageExports/absent_main/package.json‎
Lines changed: 1 addition & 0 deletions b/‎javascript/ql/test/library-tests/PackageExports/absent_main/package.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎javascript/ql/test/library-tests/PackageExports/lib1/foo.js‎
Lines changed: 1 addition & 1 deletion b/‎javascript/ql/test/library-tests/PackageExports/lib1/foo.js‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎javascript/ql/test/library-tests/PackageExports/lib1/main.js‎
Lines changed: 3 additions & 3 deletions b/‎javascript/ql/test/library-tests/PackageExports/lib1/main.js‎
Lines changed: 3 additions & 3 deletions
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The `js/polynomial-redos` query now flags uses of expensive regular expressions where the source is library input.
@@ -1,8 +1,7 @@
 /**
  * @name Polynomial regular expression used on uncontrolled data
  * @description A regular expression that can require polynomial time
- *              to match user-provided values may be
- *              vulnerable to denial-of-service attacks.
+ *              to match may be vulnerable to denial-of-service attacks.
  * @kind path-problem
  * @problem.severity warning
  * @precision high
@@ -17,12 +16,18 @@ import semmle.javascript.security.performance.PolynomialReDoS::PolynomialReDoS
 import semmle.javascript.security.performance.SuperlinearBackTracking
 import DataFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+from
+  Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode,
+  PolynomialBackTrackingTerm regexp
 where
   cfg.hasFlowPath(source, sink) and
+  sinkNode = sink.getNode() and
+  regexp = sinkNode.getRegExp() and
   not (
     source.getNode().(Source).getKind() = "url" and
-    sink.getNode().(Sink).getRegExp().(PolynomialBackTrackingTerm).isAtEndLine()
+    regexp.isAtEndLine()
   )
-select sink.getNode(), source, sink, "This expensive $@ use depends on $@.",
-  sink.getNode().(Sink).getRegExp(), "regular expression", source.getNode(), "a user-provided value"
+select sinkNode.getHighlight(), source, sink,
+  "This $@ that depends on $@ may run slow on strings " + regexp.getPrefixMessage() +
+    "with many repetitions of '" + regexp.getPumpString() + "'.", regexp, "regular expression",
+  source.getNode(), source.getNode().(Source).describe()
@@ -6,6 +6,16 @@
 
 import javascript
 
+/**
+ * Gets a parameter that is a library input to a top-level package.
+ */
+DataFlow::ParameterNode getALibraryInputParameter() {
+  exists(int bound, DataFlow::FunctionNode func |
+    func = getAValueExportedByPackage().getABoundFunctionValue(bound) and
+    result = func.getParameter(any(int arg | arg >= bound))
+  )
+}
+
 /**
  * Gets the number of occurrences of "/" in `path`.
  */
@@ -29,33 +39,33 @@ PackageJSON getTopmostPackageJSON() {
 }
 
 /**
- * Gets a value exported by the main module from the package.json `packageJSON`.
+ * Gets a value exported by the main module from one of the topmost `package.json` files (see `getTopmostPackageJSON`).
  * The value is either directly the `module.exports` value, a nested property of `module.exports`, or a method on an exported class.
  */
-DataFlow::Node getAValueExportedBy(PackageJSON packageJSON) {
-  result = getAnExportFromModule(packageJSON.getMainModule())
+private DataFlow::Node getAValueExportedByPackage() {
+  result = getAnExportFromModule(getTopmostPackageJSON().getMainModule())
   or
-  result = getAValueExportedBy(packageJSON).(DataFlow::PropWrite).getRhs()
+  result = getAValueExportedByPackage().(DataFlow::PropWrite).getRhs()
   or
   exists(DataFlow::SourceNode callee |
-    callee = getAValueExportedBy(packageJSON).(DataFlow::NewNode).getCalleeNode().getALocalSource()
+    callee = getAValueExportedByPackage().(DataFlow::NewNode).getCalleeNode().getALocalSource()
   |
     result = callee.getAPropertyRead("prototype").getAPropertyWrite().getRhs()
     or
     result = callee.(DataFlow::ClassNode).getAnInstanceMethod()
   )
   or
-  result = getAValueExportedBy(packageJSON).getALocalSource()
+  result = getAValueExportedByPackage().getALocalSource()
   or
-  result = getAValueExportedBy(packageJSON).(DataFlow::SourceNode).getAPropertyReference()
+  result = getAValueExportedByPackage().(DataFlow::SourceNode).getAPropertyReference()
   or
   exists(Module mod |
-    mod = getAValueExportedBy(packageJSON).getEnclosingExpr().(Import).getImportedModule()
+    mod = getAValueExportedByPackage().getEnclosingExpr().(Import).getImportedModule()
   |
     result = getAnExportFromModule(mod)
   )
   or
-  exists(DataFlow::ClassNode cla | cla = getAValueExportedBy(packageJSON) |
+  exists(DataFlow::ClassNode cla | cla = getAValueExportedByPackage() |
     result = cla.getAnInstanceMethod() or
     result = cla.getAStaticMethod() or
     result = cla.getConstructor()
 
@@ -52,12 +52,7 @@ module UnsafeShellCommandConstruction {
    */
   class ExternalInputSource extends Source, DataFlow::ParameterNode {
     ExternalInputSource() {
-      exists(int bound, DataFlow::FunctionNode func |
-        func =
-          Exports::getAValueExportedBy(Exports::getTopmostPackageJSON())
-              .getABoundFunctionValue(bound) and
-        this = func.getParameter(any(int arg | arg >= bound))
-      ) and
+      this = Exports::getALibraryInputParameter() and
       not this.getName() = ["cmd", "command"] // looks to be on purpose.
     }
   }
 
@@ -13,17 +13,29 @@ module PolynomialReDoS {
    */
   abstract class Source extends DataFlow::Node {
     /**
-     * Gets the kind of source that is being accesed. See `HTTP::RequestInputAccess::getKind()`.
-     * Can be one of "parameter", "header", "body", "url", "cookie".
+     * Gets the kind of source that is being accesed.
+     *
+     * Is either a kind from `HTTP::RequestInputAccess::getKind()`, or "library".
      */
     abstract string getKind();
+
+    /**
+     * Gets a string that describes the source.
+     * For use in the alert message.
+     */
+    string describe() { result = "a user-provided value" }
   }
 
   /**
    * A data flow sink node for polynomial regular expression denial-of-service vulnerabilities.
    */
   abstract class Sink extends DataFlow::Node {
     abstract RegExpTerm getRegExp();
+
+    /**
+     * Gets the node to highlight in the alert message.
+     */
+    DataFlow::Node getHighlight() { result = this }
   }
 
   /**
@@ -47,9 +59,10 @@ module PolynomialReDoS {
    */
   class PolynomialBackTrackingTermUse extends Sink {
     PolynomialBackTrackingTerm term;
+    DataFlow::MethodCallNode mcn;
 
     PolynomialBackTrackingTermUse() {
-      exists(DataFlow::MethodCallNode mcn, DataFlow::Node regexp, string name |
+      exists(DataFlow::Node regexp, string name |
         term.getRootTerm() = RegExp::getRegExpFromNode(regexp)
       |
         this = mcn.getArgument(0) and
@@ -70,14 +83,22 @@ module PolynomialReDoS {
     }
 
     override RegExpTerm getRegExp() { result = term }
+
+    override DataFlow::Node getHighlight() { result = mcn }
   }
 
   /**
    * An operation that limits the length of a string, seen as a sanitizer.
    */
   class StringLengthLimiter extends Sanitizer {
     StringLengthLimiter() {
-      this.(StringReplaceCall).isGlobal()
+      this.(StringReplaceCall).isGlobal() and
+      // not lone char classes - they don't remove any repeated pattern.
+      not exists(RegExpTerm root | root = this.(StringReplaceCall).getRegExp().getRoot() |
+        root instanceof RegExpCharacterClass
+        or
+        root instanceof RegExpCharacterClassEscape
+      )
       or
       exists(string name | name = "slice" or name = "substring" or name = "substr" |
         this.(DataFlow::MethodCallNode).getMethodName() = name
@@ -108,4 +129,17 @@ module PolynomialReDoS {
       e = input.asExpr()
     }
   }
+
+  private import semmle.javascript.PackageExports as Exports
+
+  /**
+   * A parameter of an exported function, seen as a source for polynomial-redos.
+   */
+  class ExternalInputSource extends Source, DataFlow::ParameterNode {
+    ExternalInputSource() { this = Exports::getALibraryInputParameter() }
+
+    override string getKind() { result = "library" }
+
+    override string describe() { result = "library input" }
+  }
 }
@@ -905,6 +905,10 @@ private module SuffixConstruction {
     exists(ascii(result))
     or
     exists(InputSymbol s | belongsTo(s, root) | result = intersect(s, _))
+    or
+    // The characters from `hasSimpleRejectEdge`. Only `\n` is really needed (as `\n` is not in the `ascii` relation).
+    // The three chars must be kept in sync with `hasSimpleRejectEdge`.
+    result = ["|", "\n", "Z"]
   }
 
   /**
@@ -923,7 +927,7 @@ private module SuffixConstruction {
    * This predicate is used as a cheap pre-processing to speed up `hasRejectEdge`.
    */
   private predicate hasSimpleRejectEdge(State s) {
-    // The three chars were chosen arbitrarily.
+    // The three chars were chosen arbitrarily. The three chars must be kept in sync with `relevant`.
     exists(string char | char = ["|", "\n", "Z"] | not deltaClosedChar(s, char, _))
   }
 
 
@@ -209,11 +209,20 @@ predicate step(
  */
 pragma[noinline]
 string getAThreewayIntersect(InputSymbol s1, InputSymbol s2, InputSymbol s3) {
-  result = intersect(s1, s2) and result = [intersect(s2, s3), intersect(s1, s3)]
+  result = minAndMaxIntersect(s1, s2) and result = [intersect(s2, s3), intersect(s1, s3)]
   or
-  result = intersect(s1, s3) and result = [intersect(s2, s3), intersect(s1, s2)]
+  result = minAndMaxIntersect(s1, s3) and result = [intersect(s2, s3), intersect(s1, s2)]
   or
-  result = intersect(s2, s3) and result = [intersect(s1, s2), intersect(s1, s3)]
+  result = minAndMaxIntersect(s2, s3) and result = [intersect(s1, s2), intersect(s1, s3)]
+}
+
+/**
+ * Gets the minimum and maximum characters that intersect between `a` and `b`.
+ * This predicate is used to limit the size of `getAThreewayIntersect`.
+ */
+pragma[noinline]
+string minAndMaxIntersect(InputSymbol a, InputSymbol b) {
+  result = [min(intersect(a, b)), max(intersect(a, b))]
 }
 
 private newtype TTrace =
@@ -347,15 +356,11 @@ predicate isPumpable(State pivot, State succ, string pump) {
 /**
  * Holds if repetitions of `pump` at `t` will cause polynomial backtracking.
  */
-predicate polynimalReDoS(RegExpTerm t, string msg) {
-  exists(string pump, State s, string prefixMsg |
+predicate polynimalReDoS(RegExpTerm t, string pump, string prefixMsg, RegExpTerm prev) {
+  exists(State s, State pivot |
     hasReDoSResult(t, pump, s, prefixMsg) and
-    exists(State pivot |
-      isPumpable(pivot, s, _) and
-      msg =
-        "Strings " + prefixMsg + "with many repetitions of '" + pump +
-          "' can start matching anywhere after the start of the preceeding " + pivot.getRepr()
-    )
+    isPumpable(pivot, s, _) and
+    prev = pivot.getRepr()
   )
 }
 
@@ -388,17 +393,30 @@ private predicate matchesEpsilon(RegExpTerm t) {
   forex(RegExpTerm child | child = t.(RegExpSequence).getAChild() | matchesEpsilon(child))
 }
 
+/**
+ * Gets a message for why `term` can cause polynomial backtracking.
+ */
+string getReasonString(RegExpTerm term, string pump, string prefixMsg, RegExpTerm prev) {
+  polynimalReDoS(term, pump, prefixMsg, prev) and
+  result =
+    "Strings " + prefixMsg + "with many repetitions of '" + pump +
+      "' can start matching anywhere after the start of the preceeding " + prev
+}
+
 /**
  * A term that may cause a regular expression engine to perform a
  * polynomial number of match attempts, relative to the input length.
  */
 class PolynomialBackTrackingTerm extends InfiniteRepetitionQuantifier {
   string reason;
+  string pump;
+  string prefixMsg;
+  RegExpTerm prev;
 
   PolynomialBackTrackingTerm() {
-    polynimalReDoS(this, _) and
-    // there might be many reasons for this term to have polynomial backtracking - we pick an arbitary one.
-    reason = min(string msg | polynimalReDoS(this, msg))
+    reason = getReasonString(this, pump, prefixMsg, prev) and
+    // there might be many reasons for this term to have polynomial backtracking - we pick the shortest one.
+    reason = min(string msg | msg = getReasonString(this, _, _, _) | msg order by msg.length(), msg)
   }
 
   /**
@@ -410,6 +428,21 @@ class PolynomialBackTrackingTerm extends InfiniteRepetitionQuantifier {
     )
   }
 
+  /**
+   * Gets the string that should be repeated to cause this regular expression to perform polynomially.
+   */
+  string getPumpString() { result = pump }
+
+  /**
+   * Gets a message for which prefix a matching string must start with for this term to cause polynomial backtracking.
+   */
+  string getPrefixMessage() { result = prefixMsg }
+
+  /**
+   * Gets a predecessor to `this`, which also loops on the pump string, and thereby causes polynomial backtracking.
+   */
+  RegExpTerm getPreviousLoop() { result = prev }
+
   /**
    * Gets the reason for the number of match attempts.
    */
 
@@ -1,3 +1,4 @@
 {
+    "name": "foo",
     "main": "dist/does-not-exist.js"
 }
@@ -1,3 +1,3 @@
 module.exports = function thisIsRequiredFromMain() {}
 
-module.exports.foo = function alsoExported() {}
+module.exports.foo = function alsoExported(d) {}
@@ -3,9 +3,9 @@ module.exports = function isExported() {}
 module.exports.foo = require("./foo.js")
 
 module.exports.bar = class Bar {
-    constructor() {} // all are exported
-    static staticMethod() {}
-    instanceMethod() {}
+    constructor(a) {} // all are exported
+    static staticMethod(b) {}
+    instanceMethod(c) {}
 }
 
 class Baz {
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* The `js/polynomial-redos` query now flags uses of expensive regular expressions where the source is library input.
Original file line number	Diff line number	Diff line change
`@@ -52,12 +52,7 @@ module UnsafeShellCommandConstruction {`
`52`	`52`	`*/`
`53`	`53`	`class ExternalInputSource extends Source, DataFlow::ParameterNode {`
`54`	`54`	`ExternalInputSource() {`
`55`		`- exists(int bound, DataFlow::FunctionNode func \|`
`56`		`- func =`
`57`		`- Exports::getAValueExportedBy(Exports::getTopmostPackageJSON())`
`58`		`- .getABoundFunctionValue(bound) and`
`59`		`- this = func.getParameter(any(int arg \| arg >= bound))`
`60`		`- ) and`
	`55`	`+ this = Exports::getALibraryInputParameter() and`
`61`	`56`	`not this.getName() = ["cmd", "command"] // looks to be on purpose.`
`62`	`57`	`}`
`63`	`58`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
`1`	`1`	`{`
	`2`	`+ "name": "foo",`
`2`	`3`	`"main": "dist/does-not-exist.js"`
`3`	`4`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`module.exports = function thisIsRequiredFromMain() {}`
`2`	`2`
`3`		`-module.exports.foo = function alsoExported() {}`
	`3`	`+module.exports.foo = function alsoExported(d) {}`