
Commit 34fd0d8

committed
finding the minimum that is not an FP - instead of finding the minimum and then checking if it was an FP. And detecting more FPs by finding when a witness passes through the accept state
1 parent ac514b1 commit 34fd0d8

3 files changed

Lines changed: 25 additions & 23 deletions


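--- a/javascript/ql/src/Performance/ReDoS.ql
+++ b/javascript/ql/src/Performance/ReDoS.ql
@@ -840,7 +840,6 @@ predicate isPumpable(State fork, string w) {
 */
 State process(State fork, string w, int i) {
 isPumpable(fork, w) and
-min(string s | isPumpable(fork, s)).prefix(w.length()) = w and
 exists(State prev |
 i = 0 and prev = fork
 or
@@ -876,9 +875,12 @@ string rotate(string str, int i) {
 
 from RegExpTerm t, string c, int i
 where
-c = min(string w | isPumpable(Match(t, i), w)) and
-not isPumpable(epsilonSucc+(Match(t, i)), _) and
-not epsilonSucc*(process(Match(t, i), c, [0 .. c.length() - 1])) = Accept(_)
+c =
+min(string w |
+isPumpable(Match(t, i), w) and
+not isPumpable(epsilonSucc+(Match(t, i)), _) and
+not epsilonSucc*(process(Match(t, i), w, [0 .. w.length() - 1])) = Accept(_)
+)
 select t,
 "This part of the regular expression may cause exponential backtracking on strings " +
 "containing many repetitions of '" + escape(rotate(c, i)) + "'."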
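Review bot: In the new `min(string w | …)` aggregate of the select clause, the conjunct `not isPumpable(epsilonSucc+(Match(t, i)), _) and` does not mention `w`, so it would read more clearly as a guard placed before `c =`, leaving only the `Accept(_)` check as the per-witness filter. Separately, with `min(string s | isPumpable(fork, s)).prefix(w.length()) = w and` removed, the only visible constraint on `w` in `process` is `isPumpable(fork, w)`, so the predicate presumably now ranges over every pumpable string of every fork rather than the minimal witness. That is worth checking for evaluation cost on a large database and recording in the predicate's doc comment, which begins above the hunk. The body of `process` continues past the hunk, so any further restriction on `w` there is not visible here.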

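--- a/javascript/ql/test/query-tests/Performance/ReDoS/ReDoS.expected
+++ b/javascript/ql/test/query-tests/Performance/ReDoS/ReDoS.expected
@@ -92,19 +92,19 @@
 | tst.js:167:15:167:27 | (1s\|[\\da-z])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '1s'. |
 | tst.js:170:15:170:23 | (0\|[\\d])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '0'. |
 | tst.js:173:16:173:20 | [\\d]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '0'. |
-| tst.js:188:17:188:21 | [^>]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '?'. |
-| tst.js:191:16:191:21 | [^>a]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'b'. |
-| tst.js:194:17:194:19 | \\s* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\n'. |
-| tst.js:197:18:197:20 | \\s+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of ' '. |
-| tst.js:200:68:200:79 | [ a-zA-Z{}]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of ' A:'. |
-| tst.js:200:81:200:82 | ,? | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of ',A: '. |
+| tst.js:182:17:182:21 | [^>]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '?'. |
+| tst.js:185:16:185:21 | [^>a]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'b'. |
+| tst.js:188:17:188:19 | \\s* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\n'. |
+| tst.js:191:18:191:20 | \\s+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of ' '. |
+| tst.js:194:68:194:79 | [ a-zA-Z{}]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of ' A:'. |
+| tst.js:194:81:194:82 | ,? | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of ',A: '. |
+| tst.js:197:15:197:16 | a+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
+| tst.js:197:18:197:19 | b+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'b'. |
+| tst.js:200:17:200:18 | a+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
 | tst.js:203:15:203:16 | a+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
-| tst.js:203:18:203:19 | b+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'b'. |
-| tst.js:206:17:206:18 | a+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
 | tst.js:209:15:209:16 | a+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
-| tst.js:215:15:215:16 | a+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
-| tst.js:221:15:221:17 | \\n+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\n'. |
-| tst.js:224:15:224:19 | [^X]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'Y'. |
+| tst.js:215:15:215:17 | \\n+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\n'. |
+| tst.js:218:15:218:19 | [^X]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'Y'. |
+| tst.js:221:20:221:20 | b | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'bY'. |
 | tst.js:227:20:227:20 | b | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'bY'. |
-| tst.js:233:20:233:20 | b | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'bY'. |
-| tst.js:248:16:248:17 | ab | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'ab'. |
+| tst.js:242:16:242:17 | ab | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'ab'. |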

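--- a/javascript/ql/test/query-tests/Performance/ReDoS/tst.js
+++ b/javascript/ql/test/query-tests/Performance/ReDoS/tst.js
@@ -178,12 +178,6 @@ var good12 = /(\d+(X\d+)?)+/;
 // GOOD - there is no witness in the end that could cause the regexp to not match
 var good13 = /([0-9]+(X[0-9]*)?)*/;
 
-// NOT GOOD
-var bad42 = /([\n\s]+)*(.)/;
-
-// GOOD - any witness passes through the accept state.
-var good14 = /(A*A*X)*/;
-
 // GOOD - but still flagged (always matches something)
 var good15 = /^([^>]+)*(>|$)/;
 
@@ -249,3 +243,9 @@ var bad55 = /((ab)+)*$/;
 
 // GOOD
 var good23 = /((ab)+)*[a1][b1][a2][b2][a3][b3]/;
+
+// NOT GOOD - but not catched due to the analysis taking an unlucky guess when choosing an arbitary char from `[\n\s]`.
+var bad56 = /([\n\s]+)*(.)/;
+
+// GOOD - any witness passes through the accept state.
+var good24 = /(A*A*X)*/;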
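Review bot: The comment added above `bad56` documents a known false negative of the ReDoS query, and its wording has two typos: `catched` should be `caught` and `arbitary` should be `arbitrary`. Because ReDoS.expected has no row for this line, the comment is the only record of the detection gap. It would help to state there that the missing alert is accepted for now, so a later change to how the representative character is chosen knows this case is expected to start being reported.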
