SONARPY-885 Rule S5996 Regex boundaries should not be used in a way that can never be matched (#970)

* SONARPY-885 Rule S5996 Regex boundaries should not be used in a way that can never be matched

* Add missing licence headers

* Accept flags for re.compile

* Update flag check test cases

* Update ITs

Author: nils-werner-sonarsource

its/ruling/src/test/resources/expected/python-S5996.json

@@ -0,0 +1,5 @@
+{
+'project:numpy-1.16.4/numpy/linalg/lapack_lite/clapack_scrub.py':[
+232,
+],
+}

python-checks/src/main/java/org/sonar/python/checks/CheckList.java

@@ -52,6 +52,7 @@
 import org.sonar.python.checks.regex.AnchorPrecedenceCheck;
 import org.sonar.python.checks.regex.DuplicatesInCharacterClassCheck;
 import org.sonar.python.checks.regex.EmptyStringRepetitionCheck;
+import org.sonar.python.checks.regex.ImpossibleBoundariesCheck;
 import org.sonar.python.checks.regex.GraphemeClustersInClassesCheck;
 import org.sonar.python.checks.regex.RegexComplexityCheck;
 import org.sonar.python.checks.regex.SingleCharacterAlternationCheck;
@@ -147,6 +148,7 @@ public static Iterable<Class> getChecks() {
       IdentityComparisonWithNewObjectCheck.class,
       IgnoredPureOperationsCheck.class,
       ImplicitStringConcatenationCheck.class,
+      ImpossibleBoundariesCheck.class,
       IncompatibleOperandsCheck.class,
       InconsistentTypeHintCheck.class,
       IncorrectExceptionTypeCheck.class,

python-checks/src/main/java/org/sonar/python/checks/regex/AbstractRegexCheck.java

@@ -53,7 +53,7 @@ public abstract class AbstractRegexCheck extends PythonSubscriptionCheck {
   static {
     REGEX_FUNCTIONS_TO_FLAG_PARAM.put("re.sub", 4);
     REGEX_FUNCTIONS_TO_FLAG_PARAM.put("re.subn", 4);
-    REGEX_FUNCTIONS_TO_FLAG_PARAM.put("re.compile", null);
+    REGEX_FUNCTIONS_TO_FLAG_PARAM.put("re.compile", 1);
     REGEX_FUNCTIONS_TO_FLAG_PARAM.put("re.search", 2);
     REGEX_FUNCTIONS_TO_FLAG_PARAM.put("re.match", 2);
     REGEX_FUNCTIONS_TO_FLAG_PARAM.put("re.fullmatch", 2);

python-checks/src/main/java/org/sonar/python/checks/regex/ImpossibleBoundariesCheck.java

@@ -0,0 +1,34 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2021 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.regex;
+
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonarsource.analyzer.commons.regex.RegexParseResult;
+import org.sonarsource.analyzer.commons.regex.finders.ImpossibleBoundaryFinder;
+
+@Rule(key = "S5996")
+public class ImpossibleBoundariesCheck extends AbstractRegexCheck {
+
+  @Override
+  public void checkRegex(RegexParseResult regexParseResult, CallExpression regexFunctionCall) {
+    new ImpossibleBoundaryFinder(this::addIssue).visit(regexParseResult);
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5996.html

@@ -0,0 +1,15 @@
+<p>In regular expressions the boundaries <code>^</code> and <code>\A</code> can only match at the beginning of the input (or, in case of
+<code>^</code> in combination with the <code>MULTILINE</code> flag, the beginning of the line) and <code>$</code>, <code>\Z</code> and <code>\z</code>
+only at the end.</p>
+<p>These patterns can be misused, by accidentally switching <code>^</code> and <code>$</code> for example, to create a pattern that can never
+match.</p>
+<h2>Noncompliant Code Example</h2>
+<pre>
+# This can never match because $ and ^ have been switched around
+r"$[a-z]+^" # Noncompliant
+</pre>
+<h2>Compliant Solution</h2>
+<pre>
+r"^[a-z]+$"
+</pre>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5996.json

@@ -0,0 +1,17 @@
+{
+  "title": "Regex boundaries should not be used in a way that can never be matched",
+  "type": "BUG",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "10min"
+  },
+  "tags": [
+    "regex"
+  ],
+  "defaultSeverity": "Critical",
+  "ruleSpecification": "RSPEC-5996",
+  "sqKey": "S5996",
+  "scope": "Main",
+  "quickfix": "unknown"
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -143,6 +143,7 @@
     "S5869",
     "S5886",
     "S5890",
+    "S5996",
     "S6002",
     "S6019",
     "S6035"

python-checks/src/test/java/org/sonar/python/checks/regex/ImpossibleBoundariesCheckTest.java

@@ -0,0 +1,33 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2021 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.regex;
+
+import org.junit.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+
+public class ImpossibleBoundariesCheckTest {
+
+  @Test
+  public void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/regex/impossibleBoundariesCheck.py", new ImpossibleBoundariesCheck());
+  }
+
+}

python-checks/src/test/resources/checks/regex/abstractRegexCheckFlags.py

@@ -1,25 +1,34 @@
 import re
 
-re.match(r'.*', "foo", re.I); # Noncompliant {{CASE_INSENSITIVE|UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
-re.match(r'.*', "foo", re.IGNORECASE); # Noncompliant {{CASE_INSENSITIVE|UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
+re.match(r'.*', "foo", re.I)  # Noncompliant {{CASE_INSENSITIVE|UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
+re.match(r'.*', "foo", re.IGNORECASE)  # Noncompliant {{CASE_INSENSITIVE|UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
 
-re.match(r'.*', "foo", re.M); # Noncompliant {{MULTILINE|UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
-re.match(r'.*', "foo", re.MULTILINE); # Noncompliant {{MULTILINE|UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
+re.match(r'.*', "foo", re.M)  # Noncompliant {{MULTILINE|UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
+re.match(r'.*', "foo", re.MULTILINE)  # Noncompliant {{MULTILINE|UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
 
-re.match(r'.*', "foo", re.S); # Noncompliant {{UNICODE_CASE|UNICODE_CHARACTER_CLASS|DOTALL}}
-re.match(r'.*', "foo", re.DOTALL); # Noncompliant {{UNICODE_CASE|UNICODE_CHARACTER_CLASS|DOTALL}}
+re.match(r'.*', "foo", re.S)  # Noncompliant {{UNICODE_CASE|UNICODE_CHARACTER_CLASS|DOTALL}}
+re.match(r'.*', "foo", re.DOTALL)  # Noncompliant {{UNICODE_CASE|UNICODE_CHARACTER_CLASS|DOTALL}}
 
-re.match(r'.*', "foo", re.X); # Noncompliant {{UNICODE_CASE|UNICODE_CHARACTER_CLASS|VERBOSE}}
-re.match(r'.*', "foo", re.VERBOSE); # Noncompliant {{UNICODE_CASE|UNICODE_CHARACTER_CLASS|VERBOSE}}
+re.match(r'.*', "foo", re.X)  # Noncompliant {{UNICODE_CASE|UNICODE_CHARACTER_CLASS|VERBOSE}}
+re.match(r'.*', "foo", re.VERBOSE)  # Noncompliant {{UNICODE_CASE|UNICODE_CHARACTER_CLASS|VERBOSE}}
 
-re.match(r'.*', "foo", re.U); # Noncompliant {{UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
-re.match(r'.*', "foo", re.UNICODE); # Noncompliant {{UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
+re.match(r'.*', "foo", re.U)  # Noncompliant {{UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
+re.match(r'.*', "foo", re.UNICODE)  # Noncompliant {{UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
 
-re.match(r'.*', "foo", re.A); # Noncompliant {{ASCII}}
-re.match(r'.*', "foo", re.ASCII); # Noncompliant {{ASCII}}
+re.match(r'.*', "foo", re.A)  # Noncompliant {{ASCII}}
+re.match(r'.*', "foo", re.ASCII)  # Noncompliant {{ASCII}}
 
-re.match(r'.*', "foo", re.UNKNOWN); # Noncompliant {{UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
-re.match(r'.*', "foo", not_re.UNKNOWN); # Noncompliant {{UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
-re.match(r'.*', "foo", re.I|UNKNOWN); # Noncompliant {{CASE_INSENSITIVE|UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
+re.match(r'.*', "foo", re.UNKNOWN)  # Noncompliant {{UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
+re.match(r'.*', "foo", not_re.UNKNOWN)  # Noncompliant {{UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
+re.match(r'.*', "foo", re.I | UNKNOWN)  # Noncompliant {{CASE_INSENSITIVE|UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
 
-re.match(r'.*', "foo", re.I|re.M); # Noncompliant {{CASE_INSENSITIVE|MULTILINE|UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
+re.match(r'.*', "foo", re.I | re.M)  # Noncompliant {{CASE_INSENSITIVE|MULTILINE|UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
+
+re.sub(r'.*', '', '', '', re.M)  # Noncompliant {{MULTILINE|UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
+re.subn(r'.*', '', '', '', re.M)  # Noncompliant {{MULTILINE|UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
+re.compile(r'.*', re.M)  # Noncompliant {{MULTILINE|UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
+re.search(r'.*', '', re.M)  # Noncompliant {{MULTILINE|UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
+re.fullmatch(r'.*', '', re.M)  # Noncompliant {{MULTILINE|UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
+re.split(r'.*', '', '', re.M)  # Noncompliant {{MULTILINE|UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
+re.findall(r'.*', '', re.M)  # Noncompliant {{MULTILINE|UNICODE_CASE|UNICODE_CHARACTER_CLASS}}
+re.finditer(r'.*', '', re.M)  # Noncompliant {{MULTILINE|UNICODE_CASE|UNICODE_CHARACTER_CLASS}}

python-checks/src/test/resources/checks/regex/impossibleBoundariesCheck.py

@@ -0,0 +1,80 @@
+import re
+
+
+def non_compliant(input):
+    re.match(r'$[a-z]^', input)  # Noncompliant 2
+    #          ^0
+    re.match(r'$[a-z]', input)  # Noncompliant {{Remove or replace this boundary that will never match because it appears before mandatory input.}}
+    re.match(r'$(abc)', input)  # Noncompliant
+    re.match(r'[a-z]^', input)  # Noncompliant
+    re.match(r'\Z[a-z]', input)  # Noncompliant
+    re.match(r'\z[a-z]', input)  # Noncompliant
+    re.match(r'[a-z]\A', input)  # Noncompliant
+    re.match(r'($)a', input)  # Noncompliant
+    re.match(r'a$|$a', input)  # Noncompliant
+    re.match(r'^a|a^', input)  # Noncompliant
+    re.match(r'a(b|^)', input)  # Noncompliant
+    re.match(r'(?=abc^)', input)  # Noncompliant
+    re.match(r'(?!abc^)', input)  # Noncompliant
+    re.match(r'abc(?=^abc)', input)  # Noncompliant
+    re.match(r'abc(?<=$abc)', input)  # Noncompliant
+    re.match(r'abc(?<=abc$)def', input)  # Noncompliant
+    re.match(r'(?:abc(X|^))*Y?', input)  # Noncompliant
+
+    re.match(r'a\Z\nb', input, re.MULTILINE)  # Noncompliant
+    re.match(r'a\zb', input, re.MULTILINE)  # Noncompliant
+    re.match(r'a\n\Ab', input, re.MULTILINE)  # Noncompliant
+
+    # False positives because the end delimiter does not capture the newlines (SONARPHP-1238)
+    re.match(r'a$(\n)', input)  # Noncompliant
+    re.match(r'a$./s', input)  # Noncompliant
+    re.match(r'a\Z(\n)', input)  # Noncompliant
+
+
+def probably_non_compliant(input):
+    re.match(r'$.*', input)  # Noncompliant {{Remove or replace this boundary that can only match if the previous part matched the empty string because it appears before mandatory input.}}
+    re.match(r'$.?', input)  # Noncompliant
+
+    re.match(r'$a*', input)  # Noncompliant
+    re.match(r'$a?', input)  # Noncompliant
+    re.match(r'$[abc]*', input)  # Noncompliant
+    re.match(r'$[abc]?', input)  # Noncompliant
+
+    re.match(r'.*^', input)  # Noncompliant {{Remove or replace this boundary that can only match if the previous part matched the empty string because it appears after mandatory input.}}
+    re.match(r'.?^', input)  # Noncompliant
+
+    re.match(r'a*^', input)  # Noncompliant
+    re.match(r'a?^', input)  # Noncompliant
+    re.match(r'[abc]*^', input)  # Noncompliant
+    re.match(r'[abc]?^', input)  # Noncompliant
+
+    re.match(r'$.*^', input)  # Noncompliant 2
+    re.match(r'$.?^', input)  # Noncompliant 2
+    re.match(r'$a*^', input)  # Noncompliant 2
+    re.match(r'$a?^', input)  # Noncompliant 2
+    re.match(r'$[abc]*^', input)  # Noncompliant 2
+    re.match(r'$[abc]?^', input)  # Noncompliant 2
+
+
+def compliant(input):
+    re.match(r'^[a-z]$', input)
+    re.match(r'^$', input)
+    re.match(r'^(?i)$', input)
+    re.match(r'^$(?i)', input)
+    re.match(r'^abc$|^def$', input)
+    re.match(r'(?i)^abc$', input)
+    re.match(r'()^abc$', input)
+    re.match(r'^abc$()', input)
+    re.match(r'^abc$\b', input)
+    re.match(r'(?=abc)^abc$', input)
+    re.match(r'(?=^abc$)abc', input)
+    re.match(r'(?!^abc$)abc', input)
+    re.match(r'abc(?<=^abc$)', input)
+    re.match(r'^\d$(?<!3)', input)
+    re.match(r'(?=$)', input)
+    re.match(r"(?i)(true)(?=(?:[^']|'[^']*')*$)", input)
+    re.match(r'(?:abc(X|$))*Y?', input)
+    re.match(r'(?:x*(Xab|^)abc)*Y?', input)
+    re.match(r'a$\nb', input, re.MULTILINE)
+    re.match(r'a\n^b', input, re.MULTILINE)
+    re.compile(r"(\d+)(\s+.*)$                         # score, vulgar components", re.VERBOSE)