Fix to PolynomialRedos not finding results and to test cases not finding that

joefarebrother · joefarebrother · commit 51435850803f · 2022-05-04T15:41:36.000+01:00
diff --git a/java/ql/lib/semmle/code/java/regex/RegexTreeView.qll b/java/ql/lib/semmle/code/java/regex/RegexTreeView.qll
@@ -73,6 +73,8 @@ class RegExpLiteral extends TRegExpLiteral, RegExpParent {
 
   RegExpLiteral() { this = TRegExpLiteral(re) }
 
+  override string toString() { result = re.toString() }
+
   override RegExpTerm getChild(int i) { i = 0 and result.getRegex() = re and result.isRootTerm() }
 
   /** Holds if dot, `.`, matches all characters, including newlines. */
diff --git a/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql b/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql
@@ -24,11 +24,11 @@ class PolynomialRedosSink extends DataFlow::Node {
 
   PolynomialRedosSink() { regexMatchedAgainst(reg.getRegex(), this.asExpr()) }
 
-  RegExpTerm getRegExp() { result = reg }
+  RegExpTerm getRegExp() { result.getParent() = reg }
 }
 
 class PolynomialRedosConfig extends TaintTracking::Configuration {
-  PolynomialRedosConfig() { this = "PolynomialRodisConfig" }
+  PolynomialRedosConfig() { this = "PolynomialRedosConfig" }
 
   override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
 
diff --git a/java/ql/test/query-tests/security/CWE-730/PolyRedosTest.java b/java/ql/test/query-tests/security/CWE-730/PolyRedosTest.java
@@ -6,30 +6,30 @@
 class PolyRedosTest {
     void test(HttpServletRequest request) {
         String tainted = request.getParameter("inp");
-        String reg = "a\\.\\d+E?\\d+b";
+        String reg = "0\\.\\d+E?\\d+!";
         Predicate<String> dummyPred = (s -> s.length() % 7 == 0);
         
-        tainted.matches(reg); // $ hasTaintFlow
-        tainted.split(reg); // $ hasTaintFlow
-        tainted.split(reg, 7); // $ hasTaintFlow
-        Pattern.matches(reg, tainted); // $ hasTaintFlow
-        Pattern.compile(reg).matcher(tainted).matches(); // $ hasTaintFlow
-        Pattern.compile(reg).split(tainted); // $ hasTaintFlow
-        Pattern.compile(reg, Pattern.DOTALL).split(tainted); // $ hasTaintFlow
-        Pattern.compile(reg).split(tainted, 7); // $ hasTaintFlow
-        Pattern.compile(reg).splitAsStream(tainted); // $ hasTaintFlow
-        Pattern.compile(reg).asPredicate().test(tainted); // $ hasTaintFlow
-        Pattern.compile(reg).asMatchPredicate().negate().and(dummyPred).or(dummyPred).test(tainted); // $ hasTaintFlow
-        Predicate.not(dummyPred.and(dummyPred.or(Pattern.compile(reg).asPredicate()))).test(tainted); // $ hasTaintFlow
+        tainted.matches(reg); // $ hasPolyRedos
+        tainted.split(reg); // $ hasPolyRedos
+        tainted.split(reg, 7); // $ hasPolyRedos
+        Pattern.matches(reg, tainted); // $ hasPolyRedos
+        Pattern.compile(reg).matcher(tainted).matches(); // $ hasPolyRedos
+        Pattern.compile(reg).split(tainted); // $ hasPolyRedos
+        Pattern.compile(reg, Pattern.DOTALL).split(tainted); // $ hasPolyRedos
+        Pattern.compile(reg).split(tainted, 7); // $ hasPolyRedos
+        Pattern.compile(reg).splitAsStream(tainted); // $ hasPolyRedos
+        Pattern.compile(reg).asPredicate().test(tainted); // $ hasPolyRedos
+        Pattern.compile(reg).asMatchPredicate().negate().and(dummyPred).or(dummyPred).test(tainted); // $ hasPolyRedos
+        Predicate.not(dummyPred.and(dummyPred.or(Pattern.compile(reg).asPredicate()))).test(tainted); // $ hasPolyRedos
 
-        Splitter.on(Pattern.compile(reg)).split(tainted); // $ hasTaintFlow
+        Splitter.on(Pattern.compile(reg)).split(tainted); // $ hasPolyRedos
         Splitter.on(reg).split(tainted); 
-        Splitter.onPattern(reg).split(tainted); // $ hasTaintFlow
-        Splitter.onPattern(reg).splitToList(tainted); // $ hasTaintFlow
-        Splitter.onPattern(reg).limit(7).omitEmptyStrings().trimResults().split(tainted); // $ hasTaintFlow
-        Splitter.onPattern(reg).withKeyValueSeparator(" => ").split(tainted); // $ hasTaintFlow
+        Splitter.onPattern(reg).split(tainted); // $ hasPolyRedos
+        Splitter.onPattern(reg).splitToList(tainted); // $ hasPolyRedos
+        Splitter.onPattern(reg).limit(7).omitEmptyStrings().trimResults().split(tainted); // $ hasPolyRedos
+        Splitter.onPattern(reg).withKeyValueSeparator(" => ").split(tainted); // $ hasPolyRedos
         Splitter.on(";").withKeyValueSeparator(reg).split(tainted);
-        Splitter.on(";").withKeyValueSeparator(Splitter.onPattern(reg)).split(tainted); // $ hasTaintFlow
+        Splitter.on(";").withKeyValueSeparator(Splitter.onPattern(reg)).split(tainted); // $ hasPolyRedos
 
     }
 }
diff --git a/java/ql/test/query-tests/security/CWE-730/PolynomialReDoS.ql b/java/ql/test/query-tests/security/CWE-730/PolynomialReDoS.ql
@@ -1,6 +1,5 @@
 import java
 import TestUtilities.InlineExpectationsTest
-import TestUtilities.InlineFlowTest
 import semmle.code.java.security.performance.SuperlinearBackTracking
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.regex.RegexTreeView
@@ -11,19 +10,35 @@ class PolynomialRedosSink extends DataFlow::Node {
   RegExpLiteral reg;
 
   PolynomialRedosSink() { regexMatchedAgainst(reg.getRegex(), this.asExpr()) }
-  // RegExpTerm getRegExp() { result = reg }
+
+  RegExpTerm getRegExp() { result.getParent() = reg }
 }
 
 class PolynomialRedosConfig extends TaintTracking::Configuration {
-  PolynomialRedosConfig() { this = "PolynomialRodisConfig" }
+  PolynomialRedosConfig() { this = "PolynomialRedosConfig" }
 
   override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof PolynomialRedosSink }
 }
 
-class HasFlowTest extends InlineFlowTest {
-  override DataFlow::Configuration getTaintFlowConfig() { result = any(PolynomialRedosConfig c) }
+class HasPolyRedos extends InlineExpectationsTest {
+  HasPolyRedos() { this = "HasPolyRedos" }
+
+  override string getARelevantTag() { result = ["hasPolyRedos"] }
 
-  override DataFlow::Configuration getValueFlowConfig() { none() }
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasPolyRedos" and
+    exists(
+      PolynomialRedosConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
+      PolynomialRedosSink sinkNode, PolynomialBackTrackingTerm regexp
+    |
+      config.hasFlowPath(source, sink) and
+      sinkNode = sink.getNode() and
+      regexp.getRootTerm() = sinkNode.getRegExp() and
+      location = sinkNode.getLocation() and
+      element = sinkNode.toString() and
+      value = ""
+    )
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -24,11 +24,11 @@ class PolynomialRedosSink extends DataFlow::Node {`
`24`	`24`
`25`	`25`	`PolynomialRedosSink() { regexMatchedAgainst(reg.getRegex(), this.asExpr()) }`
`26`	`26`
`27`		`- RegExpTerm getRegExp() { result = reg }`
	`27`	`+ RegExpTerm getRegExp() { result.getParent() = reg }`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`class PolynomialRedosConfig extends TaintTracking::Configuration {`
`31`		`- PolynomialRedosConfig() { this = "PolynomialRodisConfig" }`
	`31`	`+ PolynomialRedosConfig() { this = "PolynomialRedosConfig" }`
`32`	`32`
`33`	`33`	`override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }`
`34`	`34`