

Commit b2116dc

committed
add more tests for polynomial/exponential redos
1 parent fd7dec7 commit b2116dc

5 files changed

Lines changed: 120 additions & 3 deletions


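--- a/javascript/ql/test/query-tests/Performance/ReDoS/PolynomialBackTracking.expected
+++ b/javascript/ql/test/query-tests/Performance/ReDoS/PolynomialBackTracking.expected
@@ -52,6 +52,20 @@
 | polynomial-redos.js:67:8:67:9 | .* | it can start matching anywhere after the start of the preceeding '[^Y]' |
 | polynomial-redos.js:68:8:68:9 | .* | it can start matching anywhere after the start of the preceeding '[^Y]' |
 | polynomial-redos.js:69:8:69:9 | .* | it can start matching anywhere after the start of the preceeding '[^Y]' |
+| polynomial-redos.js:75:18:75:19 | .* | it can start matching anywhere after the start of the preceeding '<' |
+| polynomial-redos.js:77:18:77:19 | .* | it can start matching anywhere after the start of the preceeding 'Y' |
+| polynomial-redos.js:78:25:78:31 | (YH\|J)* | it can start matching anywhere after the start of the preceeding '(YH\|K)' |
+| polynomial-redos.js:78:25:78:31 | (YH\|J)* | it can start matching anywhere after the start of the preceeding 'YH\|K' |
+| polynomial-redos.js:80:17:80:18 | a* | it can start matching anywhere |
+| polynomial-redos.js:89:20:89:21 | a* | it can start matching anywhere after the start of the preceeding 'a*' |
+| polynomial-redos.js:101:17:101:18 | a+ | it can start matching anywhere |
+| polynomial-redos.js:102:20:102:21 | a+ | it can start matching anywhere after the start of the preceeding 'a+' |
+| polynomial-redos.js:104:17:104:18 | a+ | it can start matching anywhere |
+| polynomial-redos.js:105:17:105:18 | a+ | it can start matching anywhere |
+| polynomial-redos.js:105:19:105:20 | a+ | it can start matching anywhere after the start of the preceeding 'a+' |
+| polynomial-redos.js:105:21:105:22 | a+ | it can start matching anywhere after the start of the preceeding 'a+' |
+| polynomial-redos.js:111:17:111:19 | \\s* | it can start matching anywhere |
+| polynomial-redos.js:112:17:112:19 | \\s+ | it can start matching anywhere |
 | regexplib/address.js:18:26:18:31 | [ \\w]* | it can start matching anywhere after the start of the preceeding '[ \\w]{3,}' |
 | regexplib/address.js:20:144:20:147 | [ ]+ | it can start matching anywhere after the start of the preceeding '[a-zA-Z0-9 \\-.]{6,}' |
 | regexplib/address.js:24:26:24:31 | [ \\w]* | it can start matching anywhere after the start of the preceeding '[ \\w]{3,}' |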

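--- a/javascript/ql/test/query-tests/Performance/ReDoS/PolynomialReDoS.expected
+++ b/javascript/ql/test/query-tests/Performance/ReDoS/PolynomialReDoS.expected
@@ -72,6 +72,26 @@ nodes
 | polynomial-redos.js:69:18:69:25 | req.body |
 | polynomial-redos.js:69:18:69:25 | req.body |
 | polynomial-redos.js:69:18:69:25 | req.body |
+| polynomial-redos.js:75:2:75:8 | tainted |
+| polynomial-redos.js:75:2:75:8 | tainted |
+| polynomial-redos.js:77:2:77:8 | tainted |
+| polynomial-redos.js:77:2:77:8 | tainted |
+| polynomial-redos.js:80:2:80:8 | tainted |
+| polynomial-redos.js:80:2:80:8 | tainted |
+| polynomial-redos.js:89:2:89:8 | tainted |
+| polynomial-redos.js:89:2:89:8 | tainted |
+| polynomial-redos.js:101:2:101:8 | tainted |
+| polynomial-redos.js:101:2:101:8 | tainted |
+| polynomial-redos.js:102:2:102:8 | tainted |
+| polynomial-redos.js:102:2:102:8 | tainted |
+| polynomial-redos.js:104:2:104:8 | tainted |
+| polynomial-redos.js:104:2:104:8 | tainted |
+| polynomial-redos.js:105:2:105:8 | tainted |
+| polynomial-redos.js:105:2:105:8 | tainted |
+| polynomial-redos.js:111:2:111:8 | tainted |
+| polynomial-redos.js:111:2:111:8 | tainted |
+| polynomial-redos.js:112:2:112:8 | tainted |
+| polynomial-redos.js:112:2:112:8 | tainted |
 edges
 | polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:7:2:7:8 | tainted |
 | polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:7:2:7:8 | tainted |
@@ -137,6 +157,26 @@ edges
 | polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:66:19:66:25 | tainted |
 | polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:67:18:67:24 | tainted |
 | polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:67:18:67:24 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:75:2:75:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:75:2:75:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:77:2:77:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:77:2:77:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:80:2:80:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:80:2:80:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:89:2:89:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:89:2:89:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:101:2:101:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:101:2:101:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:102:2:102:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:102:2:102:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:104:2:104:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:104:2:104:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:105:2:105:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:105:2:105:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:111:2:111:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:111:2:111:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:112:2:112:8 | tainted |
+| polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:112:2:112:8 | tainted |
 | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:5:6:5:32 | tainted |
 | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:5:6:5:32 | tainted |
 | polynomial-redos.js:68:18:68:24 | req.url | polynomial-redos.js:68:18:68:24 | req.url |
@@ -179,3 +219,15 @@ edges
 | polynomial-redos.js:66:19:66:25 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:66:19:66:25 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:66:9:66:10 | .* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
 | polynomial-redos.js:67:18:67:24 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:67:18:67:24 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:67:8:67:9 | .* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
 | polynomial-redos.js:69:18:69:25 | req.body | polynomial-redos.js:69:18:69:25 | req.body | polynomial-redos.js:69:18:69:25 | req.body | This expensive $@ use depends on $@. | polynomial-redos.js:69:8:69:9 | .* | regular expression | polynomial-redos.js:69:18:69:25 | req.body | a user-provided value |
+| polynomial-redos.js:75:2:75:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:75:2:75:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:75:18:75:19 | .* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:77:2:77:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:77:2:77:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:77:18:77:19 | .* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:80:2:80:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:80:2:80:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:80:17:80:18 | a* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:89:2:89:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:89:2:89:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:89:20:89:21 | a* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:101:2:101:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:101:2:101:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:101:17:101:18 | a+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:102:2:102:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:102:2:102:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:102:20:102:21 | a+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:104:2:104:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:104:2:104:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:104:17:104:18 | a+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:105:2:105:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:105:2:105:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:105:17:105:18 | a+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:105:2:105:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:105:2:105:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:105:19:105:20 | a+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:105:2:105:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:105:2:105:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:105:21:105:22 | a+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:111:2:111:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:111:2:111:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:111:17:111:19 | \\s* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
+| polynomial-redos.js:112:2:112:8 | tainted | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:112:2:112:8 | tainted | This expensive $@ use depends on $@. | polynomial-redos.js:112:17:112:19 | \\s+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |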

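--- a/javascript/ql/test/query-tests/Performance/ReDoS/ReDoS.expected
+++ b/javascript/ql/test/query-tests/Performance/ReDoS/ReDoS.expected
@@ -125,3 +125,4 @@
 | tst.js:311:20:311:24 | [^Y]+ | This part of the regular expression may cause exponential backtracking on strings starting with 'x' and containing many repetitions of 'Xx'. |
 | tst.js:323:14:323:20 | (a?a?)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
 | tst.js:332:14:332:22 | (?:a\|a?)+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
+| tst.js:338:17:338:45 | (([a-c]\|[c-d])T(e?e?e?e?\|X))+ | This part of the regular expression may cause exponential backtracking on strings starting with 'PRE' and containing many repetitions of 'cTX'. |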

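--- a/javascript/ql/test/query-tests/Performance/ReDoS/polynomial-redos.js
+++ b/javascript/ql/test/query-tests/Performance/ReDoS/polynomial-redos.js
@@ -12,8 +12,8 @@ app.use(function(req, res) {
 tainted.replace(/.*\./, ''); // NOT OK
 tainted.replace(/^.*[/\\]/, ''); // OK
 tainted.replace(/^.*\./, ''); // OK
-tainted.replace(/^(`+)\s*([\s\S]*?[^`])\s*\1(?!`)/); // NOT OK
-tainted.replace(/^(`+)([\s\S]*?[^`])\1(?!`)/); // OK
+tainted.replace(/^(`+)\s*([\s\S]*?[^`])\s*\1(?!`)/); // NOT OK - but not detected
+tainted.replace(/^(`+)([\s\S]*?[^`])\1(?!`)/); // NOT OK - but not detected
 /^(.*,)+(.+)?$/.test(tainted); // NOT OK - but only flagged by js/redos
 tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i); // NOT OK
 tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF\/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i); // NOT OK (even though it is a proposed fix for the above)
@@ -67,4 +67,51 @@ app.use(function(req, res) {
 (/[^Y].*X/.test(tainted)); // NOT OK
 (/[^Y].*$/.test(req.url)); // OK - the input cannot contain newlines.
 (/[^Y].*$/.test(req.body)); // NOT OK
+
+tainted.match(/^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/); // NOT OK - but not detected
+
+tainted.match(new RegExp("(MSIE) (\\d+)\\.(\\d+).*XBLWP7")); // NOT OK - but not detected
+
+tainted.match(/<.*class="([^"]+)".*>/); // NOT OK - but not detected
+
+tainted.match(/Y.*X/); // NOT OK
+tatined.match(/B?(YH|K)(YH|J)*X/); // NOT OK - but not detected
+
+tainted.match(/a*b/); // NOT OK - the initial repetition can start matching anywhere.
+tainted.match(/cc*D/); // NOT OK - but flagged
+tainted.match(/^ee*F/); // OK
+tainted.match(/^g*g*/); // OK
+tainted.match(/^h*i*/); // OK
+
+tainted.match(/^(ab)*ab(ab)*X/); // NOT OK - but not flagged
+
+tainted.match(/aa*X/); // NOT OK - but not flagged
+tainted.match(/^a*a*X/); // NOT OK
+tainted.match(/\wa*X/); // NOT OK - but not flagged
+tainted.match(/a*b*c*/); // OK
+tainted.match(/a*a*a*a*/); // OK
+
+tainted.match(/^([3-7]|A)*([2-5]|B)*X/); // NOT OK - but not flagged
+tainted.match(/^\d*([2-5]|B)*X/); // NOT OK - but not flagged
+tainted.match(/^([3-7]|A)*\d*X/); // NOT OK - but not flagged
+
+tainted.match(/^(ab)+ab(ab)+X/); // NOT OK - but not flagged
+
+tainted.match(/aa+X/); // NOT OK - but not flagged
+tainted.match(/a+X/); // NOT OK
+tainted.match(/^a+a+X/); // NOT OK
+tainted.match(/\wa+X/); // NOT OK - but not flagged
+tainted.match(/a+b+c+/); //NOT OK
+tainted.match(/a+a+a+a+/); // OK - but is flagged
+
+tainted.match(/^([3-7]|A)+([2-5]|B)+X/); // NOT OK - but not flagged
+tainted.match(/^\d+([2-5]|B)+X/); // NOT OK - but not flagged
+tainted.match(/^([3-7]|A)+\d+X/); // NOT OK - but not flagged
+
+tainted.match(/\s*$/); // NOT OK
+tainted.match(/\s+$/); // NOT OK
+
+tainted.match(/^\d*5\w*$/); // NOT OK - but not flagged
+
+tainted.match(/\/\*[\d\D]*?\*\//g); // NOT OK - but not flagged
 });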
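Review bot: Line 78 matches against `tatined` rather than `tainted`, so the receiver is an undeclared identifier that never carries taint from `req.query.tainted`, and the "not detected" in its comment reflects the typo rather than a gap in the taint query. PolynomialBackTracking.expected in this same commit does flag `(YH|J)*` at 78:25, so once the name is fixed the taint query would most likely report it as well and the line should become `tainted.match(/B?(YH|K)(YH|J)*X/); // NOT OK`. Two other annotations disagree with the committed expectations: line 75 says `// NOT OK - but not detected` yet PolynomialReDoS.expected lists a result at 75:18:75:19, and line 81 says `// NOT OK - but flagged` yet no result for line 81 appears in either .expected file; these should read `// NOT OK` and `// NOT OK - but not flagged` respectively so the comments keep tracking the recorded query output.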

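--- a/javascript/ql/test/query-tests/Performance/ReDoS/tst.js
+++ b/javascript/ql/test/query-tests/Performance/ReDoS/tst.js
@@ -332,4 +332,7 @@ var bad72 = /(c?a?)*b/;
 var bad73 = /(?:a|a?)+b/;
 
 // NOT GOOD - but not detected.
-var bad74 = /(a?b?)*$/;
+var bad74 = /(a?b?)*$/;
+
+// NOT GOOD
+var bad75 = /PRE(([a-c]|[c-d])T(e?e?e?e?|X))+(cTcT|cTXcTX$)/;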
