Support possessive quantifiers, which cannot backtrack.

joefarebrother · joefarebrother · commit bb562643c6d0 · 2022-05-04T15:41:37.000+01:00
They are approximated by limiting them to up to one repetition (effectively making *+ like ? and ++ like a no-op).
diff --git a/java/ql/lib/semmle/code/java/regex/RegexTreeView.qll b/java/ql/lib/semmle/code/java/regex/RegexTreeView.qll
@@ -253,7 +253,12 @@ class RegExpQuantifier extends RegExpTerm, TRegExpQuantifier {
   predicate mayRepeatForever() { may_repeat_forever = true }
 
   /** Gets the quantifier for this term. That is e.g "?" for "a?". */
-  string getquantifier() { result = re.getText().substring(part_end, end) }
+  string getQuantifier() { result = re.getText().substring(part_end, end) }
+
+  /** Holds if this is a possessive quantifier, e.g. a*+. */
+  predicate isPossessive() {
+    exists(string q | q = this.getQuantifier() | q.length() > 1 and q.charAt(q.length() - 1) = "+")
+  }
 
   override string getPrimaryQLClass() { result = "RegExpQuantifier" }
 }
@@ -275,7 +280,7 @@ class InfiniteRepetitionQuantifier extends RegExpQuantifier {
  * ```
  */
 class RegExpStar extends InfiniteRepetitionQuantifier {
-  RegExpStar() { this.getquantifier().charAt(0) = "*" }
+  RegExpStar() { this.getQuantifier().charAt(0) = "*" }
 
   override string getPrimaryQLClass() { result = "RegExpStar" }
 }
@@ -290,7 +295,7 @@ class RegExpStar extends InfiniteRepetitionQuantifier {
  * ```
  */
 class RegExpPlus extends InfiniteRepetitionQuantifier {
-  RegExpPlus() { this.getquantifier().charAt(0) = "+" }
+  RegExpPlus() { this.getQuantifier().charAt(0) = "+" }
 
   override string getPrimaryQLClass() { result = "RegExpPlus" }
 }
@@ -305,7 +310,7 @@ class RegExpPlus extends InfiniteRepetitionQuantifier {
  * ```
  */
 class RegExpOpt extends RegExpQuantifier {
-  RegExpOpt() { this.getquantifier().charAt(0) = "?" }
+  RegExpOpt() { this.getQuantifier().charAt(0) = "?" }
 
   override string getPrimaryQLClass() { result = "RegExpOpt" }
 }
diff --git a/java/ql/lib/semmle/code/java/security/performance/ReDoSUtil.qll b/java/ql/lib/semmle/code/java/security/performance/ReDoSUtil.qll
@@ -608,10 +608,15 @@ State after(RegExpTerm t) {
   or
   exists(RegExpGroup grp | t = grp.getAChild() | result = after(grp))
   or
-  exists(EffectivelyStar star | t = star.getAChild() | result = before(star))
+  exists(EffectivelyStar star | t = star.getAChild() |
+    not isPossessive(star) and
+    result = before(star)
+  )
   or
   exists(EffectivelyPlus plus | t = plus.getAChild() |
-    result = before(plus) or
+    not isPossessive(plus) and
+    result = before(plus)
+    or
     result = after(plus)
   )
   or
diff --git a/java/ql/lib/semmle/code/java/security/performance/RegExpTreeView.qll b/java/ql/lib/semmle/code/java/security/performance/RegExpTreeView.qll
@@ -16,6 +16,11 @@ predicate isEscapeClass(RegExpTerm term, string clazz) {
   term.(RegExpNamedProperty).getBackslashEquivalent() = clazz
 }
 
+/**
+ * Holds if `term` is a possessive quantifier, e.g. `a*+`.
+ */
+predicate isPossessive(RegExpQuantifier term) { term.isPossessive() }
+
 /**
  * Holds if the regular expression should not be considered.
  *
diff --git a/java/ql/test/query-tests/security/CWE-730/ExpRedosTest.java b/java/ql/test/query-tests/security/CWE-730/ExpRedosTest.java
@@ -418,6 +418,17 @@ class ExpRedosTest {
         "\\A(\\d|0)*x", // $ hasExpRedos
         "(\\d|0)*\\Z", // $ hasExpRedos
         "\\b(\\d|0)*x", // $ hasExpRedos
+
+        // GOOD - possessive quantifiers don't backtrack
+        "(a*+)*+b",
+        "(a*)*+b",
+        "(a*+)*b",
+
+        // BAD
+        "(a*)*b", // $ hasExpRedos
+
+        // BAD - but not detected due to the way possessive quantifiers are approximated
+        "((aa|a*+)b)*c" // $ MISSING: hasExpRedos
     };
 
     void test() {

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,11 @@ predicate isEscapeClass(RegExpTerm term, string clazz) {`
`16`	`16`	`term.(RegExpNamedProperty).getBackslashEquivalent() = clazz`
`17`	`17`	`}`
`18`	`18`
	`19`	`+/**`
	`20`	+ * Holds if `term` is a possessive quantifier, e.g. `a*+`.
	`21`	`+ */`
	`22`	`+predicate isPossessive(RegExpQuantifier term) { term.isPossessive() }`
	`23`	`+`
`19`	`24`	`/**`
`20`	`25`	`* Holds if the regular expression should not be considered.`
`21`	`26`	`*`