SONARPY-891 Rule S5857 Character classes should be preferred over reluctant quantifiers in regular expressions (#971)

nils-werner-sonarsource · web-flow · commit c1b1ac7388e2 · 2021-11-02T11:31:49.000+01:00
* SONARPY-891 Rule S5857 Character classes should be preferred over reluctant quantifiers in regular expressions * Update test case * Update ITs
diff --git a/its/ruling/src/test/resources/expected/python-S5857.json b/its/ruling/src/test/resources/expected/python-S5857.json
@@ -0,0 +1,32 @@
+{
+'project:buildbot-0.8.6p1/buildbot/monkeypatches/sqlalchemy2189.py':[
+41,
+87,
+],
+'project:buildbot-0.8.6p1/buildbot/status/web/console.py':[
+208,
+],
+'project:django-2.2.3/django/utils/text.py':[
+18,
+18,
+19,
+],
+'project:django-2.2.3/django/utils/translation/template.py':[
+32,
+32,
+],
+'project:numpy-1.16.4/numpy/linalg/lapack_lite/clapack_scrub.py':[
+104,
+],
+'project:tensorflow/python/debug/cli/evaluator.py':[
+26,
+],
+'project:tornado-2.3/demos/appengine/markdown.py':[
+722,
+722,
+],
+'project:tornado-2.3/demos/blog/markdown.py':[
+722,
+722,
+],
+}
diff --git a/pom.xml b/pom.xml
@@ -91,7 +91,7 @@
     <mockito.version>3.9.0</mockito.version>
     <sonar.version>8.9.0.43852</sonar.version>
     <sonar.orchestrator.version>3.35.1.2719</sonar.orchestrator.version>
-    <sonar-analyzer-commons.version>1.21.0.805</sonar-analyzer-commons.version>
+    <sonar-analyzer-commons.version>1.21.0.807</sonar-analyzer-commons.version>
     <sonarlint-core.version>6.0.0.32513</sonarlint-core.version>
     <sslr.version>1.23</sslr.version>
     <protobuf.version>3.17.3</protobuf.version>
diff --git a/python-checks/src/main/java/org/sonar/python/checks/CheckList.java b/python-checks/src/main/java/org/sonar/python/checks/CheckList.java
@@ -54,6 +54,7 @@
 import org.sonar.python.checks.regex.GraphemeClustersInClassesCheck;
 import org.sonar.python.checks.regex.SingleCharacterAlternationCheck;
 import org.sonar.python.checks.regex.RedundantRegexAlternativesCheck;
+import org.sonar.python.checks.regex.ReluctantQuantifierCheck;
 import org.sonar.python.checks.regex.RegexLookaheadCheck;
 import org.sonar.python.checks.regex.ReluctantQuantifierWithEmptyContinuationCheck;
 import org.sonar.python.checks.regex.StringReplaceCheck;
@@ -193,6 +194,7 @@ public static Iterable<Class> getChecks() {
       RaiseOutsideExceptCheck.class,
       RedundantJumpCheck.class,
       RedundantRegexAlternativesCheck.class,
+      ReluctantQuantifierCheck.class,
       RegexCheck.class,
       ReluctantQuantifierWithEmptyContinuationCheck.class,
       ReturnAndYieldInOneFunctionCheck.class,
diff --git a/python-checks/src/main/java/org/sonar/python/checks/regex/ReluctantQuantifierCheck.java b/python-checks/src/main/java/org/sonar/python/checks/regex/ReluctantQuantifierCheck.java
@@ -0,0 +1,35 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2021 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.regex;
+
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonarsource.analyzer.commons.regex.RegexParseResult;
+import org.sonarsource.analyzer.commons.regex.finders.ReluctantQuantifierFinder;
+
+@Rule(key = "S5857")
+public class ReluctantQuantifierCheck extends AbstractRegexCheck {
+
+  @Override
+  public void checkRegex(RegexParseResult regexParseResult, CallExpression regexFunctionCall) {
+    new ReluctantQuantifierFinder(this::addIssue).visit(regexParseResult);
+  }
+}
+
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5857.html b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5857.html
@@ -0,0 +1,29 @@
+<p>Using reluctant quantifiers (also known as lazy or non-greedy quantifiers) in patterns can often lead to needless backtracking, making the regex
+needlessly inefficient and potentially vulnerable to <a href="https://www.regular-expressions.info/catastrophic.html">catastrophic backtracking</a>.
+Particularly when using <code>.*?</code> or <code>.+?</code> to match anything up to some terminating character, it is usually a better idea to
+instead use a greedily or possessively quantified negated character class containing the terminating character. For example <code>&lt;.+?&gt;</code>
+should be replaced with <code>&lt;[^&gt;]++&gt;</code>.</p>
+<h2>Noncompliant Code Example</h2>
+<pre>
+r'&lt;.+?&gt;'
+r'".*?"'
+</pre>
+<h2>Compliant Solution</h2>
+<pre>
+r'&lt;[^&gt;]++&gt;'
+r'"[^"]*+"'
+</pre>
+<p>or</p>
+<pre>
+r'&lt;[^&gt;]+&gt;'
+r'"[^"]*"'
+</pre>
+<h2>Exceptions</h2>
+<p>This rule only applies in cases where the reluctant quantifier can easily be replaced with a negated character class. That means the repetition has
+to be terminated by a single character or character class. Patterns such as the following, where the alternatives without reluctant quantifiers are
+more complicated, are therefore not subject to this rule:</p>
+<pre>
+/&lt;!--.*?--&gt;/
+-/\*.*?\*/-
+</pre>
+
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5857.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S5857.json
@@ -0,0 +1,17 @@
+{
+  "title": "Character classes should be preferred over reluctant quantifiers in regular expressions",
+  "type": "CODE_SMELL",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "3min"
+  },
+  "tags": [
+    "regex"
+  ],
+  "defaultSeverity": "Minor",
+  "ruleSpecification": "RSPEC-5857",
+  "sqKey": "S5857",
+  "scope": "All",
+  "quickfix": "unknown"
+}
diff --git a/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json b/python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json
@@ -136,6 +136,7 @@
     "S5842",
     "S5850",
     "S5855",
+    "S5857",
     "S5864",
     "S5868",
     "S5886",
diff --git a/python-checks/src/test/java/org/sonar/python/checks/regex/ReluctantQuantifierCheckTest.java b/python-checks/src/test/java/org/sonar/python/checks/regex/ReluctantQuantifierCheckTest.java
@@ -0,0 +1,32 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2021 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.regex;
+
+import org.junit.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+
+public class ReluctantQuantifierCheckTest {
+
+  @Test
+  public void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/regex/reluctantQuantifierCheck.py", new ReluctantQuantifierCheck());
+  }
+}
diff --git a/python-checks/src/test/resources/checks/regex/reluctantQuantifierCheck.py b/python-checks/src/test/resources/checks/regex/reluctantQuantifierCheck.py
@@ -0,0 +1,90 @@
+import re
+
+
+def non_compliant(input):
+    re.match(r"<.+?>", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^>]++".}}
+    re.match(r"<\S+?>", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^>\s]++".}}
+    re.match(r"<\D+?>", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^>\d]++".}}
+    re.match(r"<\W+?>", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^>\w]++".}}
+
+    re.match(r"<.{2,5}?>", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^>]{2,5}+".}}
+    re.match(r"<\S{2,5}?>", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^>\s]{2,5}+".}}
+    re.match(r"<\D{2,5}?>", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^>\d]{2,5}+".}}
+    re.match(r"<\W{2,5}?>", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^>\w]{2,5}+".}}
+
+    re.match(r"<.{2,}?>", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^>]{2,}+".}}
+    re.match(r"\".*?\"", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^\"]*+".}}
+    re.match(r".*?\w", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "\W*+".}}
+    re.match(r".*?\W", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "\w*+".}}
+    re.match(r".*?\p{L}", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "\P{L}*+".}}
+    re.match(r".*?\P{L}", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "\p{L}*+".}}
+    re.match(r"\[.*?\]", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^\]]*+".}}
+    re.match(r".+?[abc]", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^abc]++".}}
+    re.match(r"(?-U:\s)*?\S", input)
+    re.match(r"(?U:\s)*?\S", input, re.ASCII)  # Noncompliant {{Replace this use of a reluctant quantifier with "[\s\S]*+".}}
+    re.match(r"(?U:a|\s)*?\S", input)
+    re.match(r"\S*?\s", input)
+    re.match(r"\S*?(?-U:\s)", input)
+    re.match(r"\S*?(?U:\s)", input, re.ASCII)  # Noncompliant {{Replace this use of a reluctant quantifier with "[\S\s]*+".}}
+    re.match(r"\S*?(?U)\s", input, re.ASCII)  # Noncompliant {{Replace this use of a reluctant quantifier with "[\S\s]*+".}}
+
+    # coverage
+    re.match(r"(?:(?m))*?a", input)
+    re.match(r"(?:(?m:.))*?(?:(?m))", input)
+
+    # This replacement might not be equivalent in case of full match, but is equivalent in case of split
+    re.match(r".+?[^abc]", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[abc]++".}}
+
+    re.match(r".+?\x{1F4A9}", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^\x{1F4A9}]++".}}
+    re.match(r"<abc.*?>", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^>]*+".}}
+    re.match(r"<.+?>|otherstuff", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^>]++".}}
+    re.match(r"(<.+?>)*", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^>]++".}}
+
+    re.match(r"\S+?[abc]", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^abc\s]++".}}
+    re.match(r"\D+?[abc]", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^abc\d]++".}}
+    re.match(r"\w+?[abc]", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^abc\W]++".}}
+
+    re.match(r"\S*?[abc]", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^abc\s]*+".}}
+    re.match(r"\D*?[abc]", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^abc\d]*+".}}
+    re.match(r"\w*?[abc]", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[^abc\W]*+".}}
+
+    re.match(r"\S+?[^abc]", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[abc\S]++".}}
+    re.match(r"\s+?[^abc]", input)  # Noncompliant {{Replace this use of a reluctant quantifier with "[abc\s]++".}}
+
+
+def compliant(input):
+    re.match(r"<[^>]++>", input)
+    re.match(r"<[^>]+>", input)
+    re.match(r"<[^>]+?>", input)
+    re.match(r"<.{42}?>", input)  # Adding a ? to a fixed quantifier is pointless, but also doesn't cause any backtracking issues
+    re.match(r"<.+>", input)
+    re.match(r"<.++>", input)
+    re.match(r"<--.?-->", input)
+    re.match(r"<--.+?-->", input)
+    re.match(r"<--.*?-->", input)
+    re.match(r"/\*.?\*/", input)
+    re.match(r"<[^>]+>?", input)
+    re.match(r"", input)
+    re.match(r".*?(?:a|b|c)", input)  # Alternatives are currently not covered even if they contain only single characters
+
+    # UNICODE flag is enabled by default
+    re.match(r"(?U:\s)*?\S", input)
+    re.match(r"\S*?(?U:\s)", input)
+    re.match(r"\S*?(?U)\s", input)
+
+def no_intersection(input):
+    re.match(r"<\d+?>", input)
+    re.match(r"<\s+?>", input)
+    re.match(r"<\w+?>", input)
+
+    re.match(r"<\s{2,5}?>", input)
+    re.match(r"<\d{2,5}?>", input)
+    re.match(r"<\w{2,5}?>", input)
+
+    re.match(r"\d+?[abc]", input)
+    re.match(r"\s+?[abc]", input)
+    re.match(r"\W+?[abc]", input)
+
+    re.match(r"\W*?[abc]", input)
+    re.match(r"\s*?[abc]", input)
+    re.match(r"\d*?[abc]", input)
