Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit d298d87

Browse files
asgerfasgerf
committed
JS: Accept some exponenital redos alerts in the polynomial redos test suite
1 parent 283b142 commit d298d87

1 file changed

Lines changed: 3 additions & 3 deletions

File tree

javascript/ql/test/query-tests/Security/CWE-400/ReDoS/polynomial-redos.js

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ app.use(function(req, res) {
1414
tainted.replace(/^.*\./, '');
1515
tainted.replace(/^(`+)\s*([\s\S]*?[^`])\s*\1(?!`)/); // $ Alert[js/polynomial-redos]
1616
tainted.replace(/^(`+)([\s\S]*?[^`])\1(?!`)/); // $ Alert[js/polynomial-redos]
17-
/^(.*,)+(.+)?$/.test(tainted); // $ Alert[js/polynomial-redos]
17+
/^(.*,)+(.+)?$/.test(tainted); // $ Alert[js/polynomial-redos] Alert[js/redos]
1818
tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i); // $ Alert[js/polynomial-redos]
1919
tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF\/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i); // $ Alert[js/polynomial-redos] - even though it is a proposed fix for the above
2020
tainted.match(/^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/); // $ Alert[js/polynomial-redos]
@@ -38,12 +38,12 @@ app.use(function(req, res) {
3838
tainted.match(/<.*href="([^"]+)".*>/); // $ Alert[js/polynomial-redos]
3939

4040
tainted.match(/^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/); // $ Alert[js/polynomial-redos]
41-
tainted.match(/^([^-]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)*$/); // $ Alert - it is a fix for the above, but it introduces exponential complexity elsewhere
41+
tainted.match(/^([^-]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)*$/); // $ Alert[js/redos] - it is a fix for the above, but it introduces exponential complexity elsewhere
4242

4343
tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([\n \t]+([^\n]+))?$/); // $ Alert[js/polynomial-redos]
4444
tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([ \t]+([^ \t][^\n]*[\n]*)?)?$/);
4545

46-
tainted.match(/^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)+$/); // $ Alert - also flagged by js/redos
46+
tainted.match(/^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)+$/); // $ Alert[js/redos] - also flagged by js/redos
4747
tainted.match(/^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)(?:\.[a-zA-Z_][a-zA-Z_0-9]*)*$/);
4848
tainted.replaceAll(/\s*\n\s*/g, ' '); // $ Alert[js/polynomial-redos]
4949

0 commit comments

Comments
 (0)