Distingush between whether or not a regex is matched against a full string

joefarebrother · joefarebrother · commit 5555985ad6fb · 2022-05-04T15:41:38.000+01:00
Also some fixes and additional tests
diff --git a/java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll b/java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll
@@ -13,16 +13,48 @@ private class RegexCompileFlowConf extends DataFlow2::Configuration {
 
   override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof StringLiteral }
 
-  override predicate isSink(DataFlow::Node node) { sinkNode(node, "regex-compile") }
+  override predicate isSink(DataFlow::Node node) {
+    sinkNode(node, ["regex-compile", "regex-compile-match", "regex-compile-find"])
+  }
 }
 
 /**
  * Holds if `s` is used as a regex, with the mode `mode` (if known).
  * If regex mode is not known, `mode` will be `"None"`.
  */
-predicate usedAsRegex(StringLiteral s, string mode) {
-  any(RegexCompileFlowConf c).hasFlow(DataFlow2::exprNode(s), _) and
-  mode = "None" // TODO: proper mode detection
+predicate usedAsRegex(StringLiteral s, string mode, boolean match_full_string) {
+  exists(DataFlow::Node sink |
+    any(RegexCompileFlowConf c).hasFlow(DataFlow2::exprNode(s), sink) and
+    mode = "None" and // TODO: proper mode detection
+    (if matchesFullString(sink) then match_full_string = true else match_full_string = false)
+  )
+}
+
+/**
+ * Holds if the regex that flows to `sink` is used to match against a full string,
+ * as though it was implicitly surrounded by ^ and $.
+ */
+private predicate matchesFullString(DataFlow::Node sink) {
+  sinkNode(sink, "regex-compile-match")
+  or
+  exists(DataFlow::Node matchSource, RegexCompileToMatchConf conf |
+    matchSource.asExpr().(MethodAccess).getAnArgument() = sink.asExpr() and
+    conf.hasFlow(matchSource, _)
+  )
+}
+
+private class RegexCompileToMatchConf extends DataFlow2::Configuration {
+  RegexCompileToMatchConf() { this = "RegexCompileToMatchConfig" }
+
+  override predicate isSource(DataFlow::Node node) { sourceNode(node, "regex-compile") }
+
+  override predicate isSink(DataFlow::Node node) { sinkNode(node, "regex-match") }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(MethodAccess ma | node2.asExpr() = ma and node1.asExpr() = ma.getQualifier() |
+      ma.getMethod().hasQualifiedName("java.util.regex", "Pattern", "matcher")
+    )
+  }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/regex/RegexFlowModels.qll b/java/ql/lib/semmle/code/java/regex/RegexFlowModels.qll
@@ -3,20 +3,33 @@
 import java
 import semmle.code.java.dataflow.ExternalFlow
 
+private class RegexSourceCsv extends SourceModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //"namespace;type;subtypes;name;signature;ext;output;kind"
+        "java.util.regex;Pattern;false;compile;(String);;ReturnValue;regex-compile",
+      ]
+  }
+}
+
 private class RegexSinkCsv extends SinkModelCsv {
   override predicate row(string row) {
     row =
       [
         //"namespace;type;subtypes;name;signature;ext;input;kind"
         "java.util.regex;Pattern;false;compile;(String);;Argument[0];regex-compile",
         "java.util.regex;Pattern;false;compile;(String,int);;Argument[0];regex-compile",
-        "java.util.regex;Pattern;false;matches;(String,CharSequence);;Argument[0];regex-compile",
-        "java.util;String;false;matches;(String);;Argument[0];regex-compile",
-        "java.util;String;false;split;(String);;Argument[0];regex-compile",
-        "java.util;String;false;split;(String,int);;Argument[0];regex-compile",
-        "java.util;String;false;replaceAll;(String,String);;Argument[0];regex-compile",
-        "java.util;String;false;replaceFirst;(String,String);;Argument[0];regex-compile",
-        "com.google.common.base;Splitter;false;onPattern;(String);;Argument[0];regex-compile"
+        "java.util.regex;Pattern;false;matches;(String,CharSequence);;Argument[0];regex-compile-match",
+        "java.lang;String;false;matches;(String);;Argument[0];regex-compile-match",
+        "java.lang;String;false;split;(String);;Argument[0];regex-compile-find",
+        "java.lang;String;false;split;(String,int);;Argument[0];regex-compile-find",
+        "java.lang;String;false;replaceAll;(String,String);;Argument[0];regex-compile-find",
+        "java.lang;String;false;replaceFirst;(String,String);;Argument[0];regex-compile-find",
+        "com.google.common.base;Splitter;false;onPattern;(String);;Argument[0];regex-compile-find",
+        // regex-match sinks
+        "java.util.regex;Pattern;false;asMatchPredicate;();;Argument[-1];regex-match",
+        "java.util.regex;Matcher;false;matches;();;Argument[-1];regex-match",
       ]
   }
 }
diff --git a/java/ql/lib/semmle/code/java/regex/regex.qll b/java/ql/lib/semmle/code/java/regex/regex.qll
@@ -892,7 +892,9 @@ abstract class RegexString extends StringLiteral {
 
 /** A string literal used as a regular expression */
 class Regex extends RegexString {
-  Regex() { usedAsRegex(this, _) }
+  boolean matches_full_string;
+
+  Regex() { usedAsRegex(this, _, matches_full_string) }
 
   /**
    * Gets a mode (if any) of this regular expression. Can be any of:
@@ -906,8 +908,14 @@ class Regex extends RegexString {
    */
   string getAMode() {
     result != "None" and
-    usedAsRegex(this, result)
+    usedAsRegex(this, result, _)
     or
     result = this.getModeFromPrefix()
   }
+
+  /**
+   *  Holds if this regex is used to match against a full string,
+   * as though it was implicitly surrounded by ^ and $.
+   */
+  predicate matchesFullString() { matches_full_string = true }
 }
diff --git a/java/ql/lib/semmle/code/java/security/performance/ReDoSUtil.qll b/java/ql/lib/semmle/code/java/security/performance/ReDoSUtil.qll
@@ -622,7 +622,9 @@ State after(RegExpTerm t) {
   or
   exists(EffectivelyQuestion opt | t = opt.getAChild() | result = after(opt))
   or
-  exists(RegExpRoot root | t = root | result = AcceptAnySuffix(root))
+  exists(RegExpRoot root | t = root |
+    if matchesAnySuffix(root) then result = AcceptAnySuffix(root) else result = Accept(root)
+  )
 }
 
 /**
@@ -693,7 +695,7 @@ predicate delta(State q1, EdgeLabel lbl, State q2) {
     lbl = Epsilon() and q2 = Accept(root)
   )
   or
-  exists(RegExpRoot root | q1 = Match(root, 0) | lbl = Any() and q2 = q1)
+  exists(RegExpRoot root | q1 = Match(root, 0) | matchesAnyPrefix(root) and lbl = Any() and q2 = q1)
   or
   exists(RegExpDollar dollar | q1 = before(dollar) |
     lbl = Epsilon() and q2 = Accept(getRoot(dollar))
diff --git a/java/ql/lib/semmle/code/java/security/performance/RegExpTreeView.qll b/java/ql/lib/semmle/code/java/security/performance/RegExpTreeView.qll
@@ -21,6 +21,16 @@ predicate isEscapeClass(RegExpTerm term, string clazz) {
  */
 predicate isPossessive(RegExpQuantifier term) { term.isPossessive() }
 
+/**
+ * Holds if the regex that `term` is part of is used in a way that ignores any leading prefix of the input it's matched against.
+ */
+predicate matchesAnyPrefix(RegExpTerm term) { not term.getRegex().matchesFullString() }
+
+/**
+ * Holds if the regex that `term` is part of is used in a way that ignores any trailing suffix of the input it's matched against.
+ */
+predicate matchesAnySuffix(RegExpTerm term) { not term.getRegex().matchesFullString() }
+
 /**
  * Holds if the regular expression should not be considered.
  *
diff --git a/java/ql/test/query-tests/security/CWE-730/PolyRedosTest.java b/java/ql/test/query-tests/security/CWE-730/PolyRedosTest.java
@@ -34,4 +34,42 @@ void test(HttpServletRequest request) {
         Splitter.on(";").withKeyValueSeparator(Splitter.onPattern(reg)).split(tainted); // $ hasPolyRedos
 
     }
+
+    void test2(HttpServletRequest request) {
+        String tainted = request.getParameter("inp");
+
+        Pattern p1 = Pattern.compile(".*a");
+        Pattern p2 = Pattern.compile(".*b");
+
+        p1.matcher(tainted).matches(); 
+        p2.matcher(tainted).find(); // $ hasPolyRedos
+    }
+
+    void test3(HttpServletRequest request) {
+        String tainted = request.getParameter("inp");
+
+        Pattern p1 = Pattern.compile("ab*b*");
+        Pattern p2 = Pattern.compile("cd*d*");
+
+        p1.matcher(tainted).matches(); // $ hasPolyRedos
+        p2.matcher(tainted).find(); 
+    }
+
+    void test4(HttpServletRequest request) {
+        String tainted = request.getParameter("inp");
+
+        tainted.matches(".*a");
+        tainted.replaceAll(".*b", "c"); // $ hasPolyRedos
+    }
+
+    static Pattern p3 = Pattern.compile(".*a");
+    static Pattern p4 = Pattern.compile(".*b");
+    
+
+    void test5(HttpServletRequest request) {
+        String tainted = request.getParameter("inp");
+
+        p3.asMatchPredicate().test(tainted); 
+        p4.asPredicate().test(tainted); // $ hasPolyRedos
+    }
 }
