Add test cases for PolynomialRedos dataflow logic; make fixes

joefarebrother · joefarebrother · commit e23162d91bc4 · 2022-05-04T15:41:35.000+01:00
diff --git a/java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll b/java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll
@@ -37,7 +37,7 @@ abstract class RegexMatchMethodAccess extends MethodAccess {
   Method m;
 
   RegexMatchMethodAccess() {
-    this.getMethod().overrides*(m) and
+    this.getMethod().getSourceDeclaration().overrides*(m) and
     m.hasQualifiedName(package, type, name) and
     regexArg in [-1 .. m.getNumberOfParameters() - 1] and
     stringArg in [-1 .. m.getNumberOfParameters() - 1]
@@ -79,9 +79,9 @@ private class JdkRegexMatchMethodAccess extends RegexMatchMethodAccess {
       or
       name = "matches" and regexArg = 0 and stringArg = 1
       or
-      name = "split" and regexArg = 0 and stringArg = 1
+      name = "split" and regexArg = -1 and stringArg = 0
       or
-      name = "splitAsStream" and regexArg = 0 and stringArg = 1
+      name = "splitAsStream" and regexArg = -1 and stringArg = 0
     )
     or
     package = "java.lang" and
@@ -90,7 +90,7 @@ private class JdkRegexMatchMethodAccess extends RegexMatchMethodAccess {
     regexArg = 0 and
     stringArg = -1
     or
-    package = "java.util" and
+    package = "java.util.function" and
     type = "Predicate" and
     name = "test" and
     regexArg = -1 and
@@ -101,7 +101,7 @@ private class JdkRegexMatchMethodAccess extends RegexMatchMethodAccess {
 private class JdkRegexFlowStep extends RegexAdditionalFlowStep {
   override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
     exists(MethodAccess ma, Method m, string package, string type, string name, int arg |
-      ma.getMethod().overrides*(m) and
+      ma.getMethod().getSourceDeclaration().overrides*(m) and
       m.hasQualifiedName(package, type, name) and
       node1.asExpr() = argOf(ma, arg) and
       node2.asExpr() = ma
@@ -116,7 +116,7 @@ private class JdkRegexFlowStep extends RegexAdditionalFlowStep {
         arg = 0
       )
       or
-      package = "java.util" and
+      package = "java.util.function" and
       type = "Predicate" and
       name = ["and", "or", "not", "negate"] and
       arg = [-1, 0]
@@ -126,7 +126,7 @@ private class JdkRegexFlowStep extends RegexAdditionalFlowStep {
 
 private class GuavaRegexMatchMethodAccess extends RegexMatchMethodAccess {
   GuavaRegexMatchMethodAccess() {
-    package = "com.google.common.collect" and
+    package = "com.google.common.base" and
     regexArg = -1 and
     stringArg = 0 and
     type = ["Splitter", "Splitter$MapSplitter"] and
@@ -137,7 +137,7 @@ private class GuavaRegexMatchMethodAccess extends RegexMatchMethodAccess {
 private class GuavaRegexFlowStep extends RegexAdditionalFlowStep {
   override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
     exists(MethodAccess ma, Method m, string package, string type, string name, int arg |
-      ma.getMethod().overrides*(m) and
+      ma.getMethod().getSourceDeclaration().overrides*(m) and
       m.hasQualifiedName(package, type, name) and
       node1.asExpr() = argOf(ma, arg) and
       node2.asExpr() = ma
diff --git a/java/ql/test/query-tests/security/CWE-730/ExpRedosTest.java b/java/ql/test/query-tests/security/CWE-730/ExpRedosTest.java
@@ -1,7 +1,6 @@
-
 import java.util.regex.Pattern;
 
-class Test {
+class ExpRedosTest {
     static String[] regs = {
 
         // NOT GOOD; attack: "_" + "__".repeat(100)
diff --git a/java/ql/test/query-tests/security/CWE-730/PolyRedosTest.java b/java/ql/test/query-tests/security/CWE-730/PolyRedosTest.java
@@ -0,0 +1,35 @@
+import java.util.regex.Pattern;
+import java.util.function.Predicate;
+import javax.servlet.http.HttpServletRequest;
+import com.google.common.base.Splitter;
+
+class PolyRedosTest {
+    void test(HttpServletRequest request) {
+        String tainted = request.getParameter("inp");
+        String reg = "a\\.\\d+E?\\d+b";
+        Predicate<String> dummyPred = (s -> s.length() % 7 == 0);
+        
+        tainted.matches(reg); // $ hasTaintFlow
+        tainted.split(reg); // $ hasTaintFlow
+        tainted.split(reg, 7); // $ hasTaintFlow
+        Pattern.matches(reg, tainted); // $ hasTaintFlow
+        Pattern.compile(reg).matcher(tainted).matches(); // $ hasTaintFlow
+        Pattern.compile(reg).split(tainted); // $ hasTaintFlow
+        Pattern.compile(reg, Pattern.DOTALL).split(tainted); // $ hasTaintFlow
+        Pattern.compile(reg).split(tainted, 7); // $ hasTaintFlow
+        Pattern.compile(reg).splitAsStream(tainted); // $ hasTaintFlow
+        Pattern.compile(reg).asPredicate().test(tainted); // $ hasTaintFlow
+        Pattern.compile(reg).asMatchPredicate().negate().and(dummyPred).or(dummyPred).test(tainted); // $ hasTaintFlow
+        Predicate.not(dummyPred.and(dummyPred.or(Pattern.compile(reg).asPredicate()))).test(tainted); // $ hasTaintFlow
+
+        Splitter.on(Pattern.compile(reg)).split(tainted); // $ hasTaintFlow
+        Splitter.on(reg).split(tainted); 
+        Splitter.onPattern(reg).split(tainted); // $ hasTaintFlow
+        Splitter.onPattern(reg).splitToList(tainted); // $ hasTaintFlow
+        Splitter.onPattern(reg).limit(7).omitEmptyStrings().trimResults().split(tainted); // $ hasTaintFlow
+        Splitter.onPattern(reg).withKeyValueSeparator(" => ").split(tainted); // $ hasTaintFlow
+        Splitter.on(";").withKeyValueSeparator(reg).split(tainted);
+        Splitter.on(";").withKeyValueSeparator(Splitter.onPattern(reg)).split(tainted); // $ hasTaintFlow
+
+    }
+}
diff --git a/java/ql/test/query-tests/security/CWE-730/options b/java/ql/test/query-tests/security/CWE-730/options
@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/guava-30.0
diff --git a/java/ql/test/stubs/guava-30.0/com/google/common/base/CharMatcher.java b/java/ql/test/stubs/guava-30.0/com/google/common/base/CharMatcher.java
diff --git a/java/ql/test/stubs/guava-30.0/com/google/common/base/Splitter.java b/java/ql/test/stubs/guava-30.0/com/google/common/base/Splitter.java

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/guava-30.0`