SONARPY-893 Rule S5843 Regular expressions should not be too complicated (#973)

nils-werner-sonarsource · web-flow · commit 83d078c35896 · 2021-11-02T12:00:02.000+01:00
* SONARPY-893 Rule S5843 Regular expressions should not be too complicated * Update ITs
diff --git a/its/ruling/src/test/resources/expected/python-S5843.json b/its/ruling/src/test/resources/expected/python-S5843.json
@@ -0,0 +1,34 @@
+{
+'project:buildbot-0.8.6p1/buildbot/steps/shell.py':[
+382,
+],
+'project:django-2.2.3/django/core/management/commands/runserver.py':[
+15,
+],
+'project:django-2.2.3/django/utils/text.py':[
+307,
+],
+'project:django-2.2.3/django/utils/translation/template.py':[
+29,
+],
+'project:numpy-1.16.4/numpy/f2py/crackfortran.py':[
+874,
+878,
+880,
+1488,
+1492,
+1494,
+],
+'project:numpy-1.16.4/numpy/linalg/lapack_lite/clapack_scrub.py':[
+232,
+],
+'project:tensorflow/python/debug/cli/tensor_format_test.py':[
+48,
+],
+'project:tornado-2.3/demos/appengine/markdown.py':[
+717,
+],
+'project:tornado-2.3/demos/blog/markdown.py':[
+717,
+],
+}
diff --git a/python-checks/src/main/java/org/sonar/python/checks/CheckList.java b/python-checks/src/main/java/org/sonar/python/checks/CheckList.java
@@ -52,6 +52,7 @@
 import org.sonar.python.checks.regex.AnchorPrecedenceCheck;
 import org.sonar.python.checks.regex.EmptyStringRepetitionCheck;
 import org.sonar.python.checks.regex.GraphemeClustersInClassesCheck;
+import org.sonar.python.checks.regex.RegexComplexityCheck;
 import org.sonar.python.checks.regex.SingleCharacterAlternationCheck;
 import org.sonar.python.checks.regex.RedundantRegexAlternativesCheck;
 import org.sonar.python.checks.regex.ReluctantQuantifierCheck;
@@ -224,6 +225,7 @@ public static Iterable<Class> getChecks() {
       TrailingCommentCheck.class,
       TrailingWhitespaceCheck.class,
       ReferencedBeforeAssignmentCheck.class,
+      RegexComplexityCheck.class,
       RegexLookaheadCheck.class,
       UndefinedNameAllPropertyCheck.class,
       UnreachableExceptCheck.class,
diff --git a/python-checks/src/main/java/org/sonar/python/checks/regex/RegexComplexityCheck.java b/python-checks/src/main/java/org/sonar/python/checks/regex/RegexComplexityCheck.java
@@ -0,0 +1,43 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2021 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.regex;
+
+import org.sonar.check.Rule;
+import org.sonar.check.RuleProperty;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonarsource.analyzer.commons.regex.RegexParseResult;
+import org.sonarsource.analyzer.commons.regex.finders.ComplexRegexFinder;
+
+@Rule(key = "S5843")
+public class RegexComplexityCheck extends AbstractRegexCheck {
+
+  private static final int DEFAULT_MAX = 20;
+
+  @RuleProperty(
+    key = "maxComplexity",
+    description = "The maximum authorized complexity.",
+    defaultValue = "" + DEFAULT_MAX)
+  public int max = DEFAULT_MAX;
+
+  @Override
+  public void checkRegex(RegexParseResult regex, CallExpression methodInvocation) {
+    new ComplexRegexFinder(this::addIssue, max).visit(regex);
+  }
+}
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5843.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5843.html
@@ -0,0 +1,34 @@
+<p>Overly complicated regular expressions are hard to read and to maintain and can easily cause hard-to-find bugs. If a regex is too complicated, you
+should consider replacing it or parts of it with regular code or splitting it apart into multiple patterns at least.</p>
+<p>The complexity of a regular expression is determined as follows:</p>
+<p>Each of the following operators increases the complexity by an amount equal to the current nesting level and also increases the current nesting
+level by one for its arguments:</p>
+<ul>
+  <li> <code>|</code> - when multiple <code>|</code> operators are used together, the subsequent ones only increase the complexity by 1 </li>
+  <li> Quantifiers (<code>*</code>, <code>+</code>, <code>?</code>, <code>{n,m}</code>, <code>{n,}</code> or <code>{n}</code>) </li>
+  <li> Non-capturing groups that set flags (such as <code>(?i:some_pattern)</code> or <code>(?i)some_pattern</code>) </li>
+  <li> Lookahead and lookbehind assertions </li>
+</ul>
+<p>Additionally, each use of the following features increase the complexity by 1 regardless of nesting:</p>
+<ul>
+  <li> character classes </li>
+  <li> back references </li>
+</ul>
+<h2>Noncompliant Code Example</h2>
+<pre>
+p = re.compile(r"^(?:(?:31(\/|-|\.)(?:0?[13578]|1[02]))\1|(?:(?:29|30)(\/|-|\.)(?:0?[13-9]|1[0-2])\2))(?:(?:1[6-9]|[2-9]\d)?\d{2})$|^(?:29(\/|-|\.)0?2\3(?:(?:(?:1[6-9]|[2-9]\d)?(?:0[48]|[2468][048]|[13579][26])|(?:(?:16|[2468][048]|[3579][26])00))))$|^(?:0?[1-9]|1\d|2[0-8])(\/|-|\.)(?:(?:0?[1-9])|(?:1[0-2]))\4(?:(?:1[6-9]|[2-9]\d)?\d{2})$")
+
+if p.match($dateString):
+    handleDate($dateString)
+</pre>
+<h2>Compliant Solution</h2>
+<pre>
+p = re.compile("^\d{1,2}([-/.])\d{1,2}\1\d{1,4}$")
+if p.match($dateString):
+    dateParts = re.split(r"[-/.]", dateString)
+    day = intval(dateParts[0])
+    month = intval(dateParts[1])
+    year = intval($dateParts[2])
+    // Put logic to validate and process the date based on its integer parts here
+</pre>
+
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5843.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5843.json
@@ -0,0 +1,19 @@
+{
+  "title": "Regular expressions should not be too complicated",
+  "type": "CODE_SMELL",
+  "status": "ready",
+  "remediation": {
+    "func": "Linear with offset",
+    "linearDesc": "number of complexity points over the configurable limit",
+    "linearOffset": "8min",
+    "linearFactor": "2min"
+  },
+  "tags": [
+    "regex"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-5843",
+  "sqKey": "S5843",
+  "scope": "Main",
+  "quickfix": "unknown"
+}
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json
@@ -134,6 +134,7 @@
     "S5807",
     "S5828",
     "S5842",
+    "S5843",
     "S5850",
     "S5855",
     "S5857",
diff --git a/python-checks/src/test/java/org/sonar/python/checks/regex/RegexComplexityCheckTest.java b/python-checks/src/test/java/org/sonar/python/checks/regex/RegexComplexityCheckTest.java
@@ -0,0 +1,39 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2021 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.regex;
+
+import org.junit.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+public class RegexComplexityCheckTest {
+
+  @Test
+  public void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/regex/regexComplexityCheck.py", new RegexComplexityCheck());
+  }
+
+  @Test
+  public void test_max_parameter() {
+    RegexComplexityCheck check = new RegexComplexityCheck();
+    check.max = 21;
+    PythonCheckVerifier.verify("src/test/resources/checks/regex/regexComplexityCheck-21.py", check);
+  }
+
+}
diff --git a/python-checks/src/test/resources/checks/regex/regexComplexityCheck-21.py b/python-checks/src/test/resources/checks/regex/regexComplexityCheck-21.py
@@ -0,0 +1,7 @@
+import re
+
+
+def character_classes(input):
+    re.match(r'[a][b][c][d][e][f][g][h][i][j][k][l][m][n][o][p][q][r][s][t][u]', input)
+    # Noncompliant@+1 {{Simplify this regular expression to reduce its complexity from 22 to the 21 allowed.}}
+    re.match(r'[a][b][c][d][e][f][g][h][i][j][k][l][m][n][o][p][q][r][s][t][u][v]', input)
diff --git a/python-checks/src/test/resources/checks/regex/regexComplexityCheck.py b/python-checks/src/test/resources/checks/regex/regexComplexityCheck.py
@@ -0,0 +1,49 @@
+import re
+
+
+def character_classes(input):
+    re.match(r'[a][b][c][d][e][f][g][h][i][j][k][l][m][n][o][p][q][r][s][t]', input)
+    # Noncompliant@+1 {{Simplify this regular expression to reduce its complexity from 21 to the 20 allowed.}}
+    re.match(r'[a][b][c][d][e][f][g][h][i][j][k][l][m][n][o][p][q][r][s][t][u]', input)
+
+
+def disjunction(input):
+    # Noncompliant@+1 {{Simplify this regular expression to reduce its complexity from 21 to the 20 allowed.}}
+    re.match(r'(a|(b|(c|(d|(e|(f|(gh)))))))', input)  # 1+2+3+4+5+6=21
+    # Noncompliant@+1 {{Simplify this regular expression to reduce its complexity from 21 to the 20 allowed.}}
+    re.match(r'(a|(b|(c|(d|(e|(((f|(gh)))))))))', input)  # 1+2+3+4+5+6=21
+    # Noncompliant@+1 {{Simplify this regular expression to reduce its complexity from 23 to the 20 allowed.}}
+    re.match(r'(a|(b|(c|(d|(e|(f|g|h|i))))))', input)  # 1+2+3+4+5+8=23
+    # Noncompliant@+1 {{Simplify this regular expression to reduce its complexity from 28 to the 20 allowed.}}
+    re.match(r'(a|(b|(c|(d|(e|(f|(g|(hi))))))))', input)  # 1+2+3+4+5+6+7=28
+
+
+def repetition(input):
+    # Noncompliant@+1 {{Simplify this regular expression to reduce its complexity from 21 to the 20 allowed.}}
+    re.match(r'(a(b(c(d(ef+)+)+)+)+)+', input)  # 6+5+4+3+2+1=21
+    # Noncompliant@+1 {{Simplify this regular expression to reduce its complexity from 21 to the 20 allowed.}}
+    re.match(r'(a(b(c(d(ef*)*)*)*)*)*', input)  # 6+5+4+3+2+1=21
+
+
+def non_capturing_group(input):
+    re.match(r'(?:a(?:b(?:c(?:d(?:e(?:f))))))', input)  # 0
+    # Noncompliant@+1 {{Simplify this regular expression to reduce its complexity from 21 to the 20 allowed.}}
+    re.match(r'(?i:a(?i:b(?i:c(?i:d(?i:e(?i:f))))))', input)  # 1+2+3+4+5+6=21
+    # Noncompliant@+1 {{Simplify this regular expression to reduce its complexity from 21 to the 20 allowed.}}
+    re.match(r'(?i:a(?i:b(?i:c(?i:d(?i:e((?i)f))))))', input)  # 1+2+3+4+5+6=21
+    # Noncompliant@+1 {{Simplify this regular expression to reduce its complexity from 21 to the 20 allowed.}}
+    re.match(r'(?-i:a(?-i:b(?-i:c(?-i:d(?-i:e(?-i:f))))))', input)  # 1+2+3+4+5+6=21
+
+
+def back_reference(input):
+    # Noncompliant@+1 {{Simplify this regular expression to reduce its complexity from 21 to the 20 allowed.}}
+    re.match(r'(abc)(a|(b|(c|(d|(e|(f|gh))))))', input)  # 1+2+3+4+5+6=21
+    # Noncompliant@+1 {{Simplify this regular expression to reduce its complexity from 22 to the 20 allowed.}}
+    re.match(r'(abc)(a|(b|(c|(d|(e|(f|\1))))))', input)  # 1+2+3+4+5+6+1=22
+
+
+def look_around(input):
+    # Noncompliant@+1 {{Simplify this regular expression to reduce its complexity from 21 to the 20 allowed.}}
+    re.match(r'(a|(b|(c|(d|(e|(f(?!g)))))))', input)  # 1+2+3+4+5+6=21
+    # Noncompliant@+1 {{Simplify this regular expression to reduce its complexity from 21 to the 20 allowed.}}
+    re.match(r'(a|(b|(c|(d|(e(?!(f|g)))))))', input)  # 1+2+3+4+5+6=21
