SONARPY-892 Rule S6002 Regex lookahead assertions should not be contradictory (#965)

Author: nils-werner-sonarsource

python-checks/src/main/java/org/sonar/python/checks/CheckList.java

@@ -51,6 +51,7 @@
 import org.sonar.python.checks.hotspots.UnverifiedHostnameCheck;
 import org.sonar.python.checks.regex.EmptyStringRepetitionCheck;
 import org.sonar.python.checks.regex.RedundantRegexAlternativesCheck;
+import org.sonar.python.checks.regex.RegexLookaheadCheck;
 import org.sonar.python.checks.regex.ReluctantQuantifierWithEmptyContinuationCheck;
 import org.sonar.python.checks.regex.StringReplaceCheck;
 
@@ -215,6 +216,7 @@ public static Iterable<Class> getChecks() {
       TrailingCommentCheck.class,
       TrailingWhitespaceCheck.class,
       ReferencedBeforeAssignmentCheck.class,
+      RegexLookaheadCheck.class,
       UndefinedNameAllPropertyCheck.class,
       UnreachableExceptCheck.class,
       UnreadPrivateAttributesCheck.class,

python-checks/src/main/java/org/sonar/python/checks/regex/RegexLookaheadCheck.java

@@ -0,0 +1,34 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2021 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.regex;
+
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonarsource.analyzer.commons.regex.RegexParseResult;
+import org.sonarsource.analyzer.commons.regex.finders.FailingLookaheadFinder;
+
+@Rule(key = "S6002")
+public class RegexLookaheadCheck extends AbstractRegexCheck{
+
+  @Override
+  public void checkRegex(RegexParseResult regexParseResult, CallExpression regexFunctionCall) {
+    new FailingLookaheadFinder(this::addIssue, regexParseResult.getFinalState()).visit(regexParseResult);
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6002.html

@@ -0,0 +1,15 @@
+<p>Lookahead assertions are a regex feature that makes it possible to look ahead in the input without consuming it. It is often used at the end of
+regular expressions to make sure that substrings only match when they are followed by a specific pattern.</p>
+<p>However, they can also be used in the middle (or at the beginning) of a regex. In that case there is the possibility that what comes after the
+lookahead does not match the pattern inside the lookahead. This makes the lookahead impossible to match and is a sign that there’s a mistake in the
+regular expression that should be fixed.</p>
+<h2>Noncompliant Code Example</h2>
+<pre>
+r"(?=a)b" # Noncompliant, the same character can't be equal to 'a' and 'b' at the same time
+</pre>
+<h2>Compliant Solution</h2>
+<pre>
+r"(?&lt;=a)b"
+r"a(?=b)"
+</pre>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6002.json

@@ -0,0 +1,17 @@
+{
+  "title": "Regex lookahead assertions should not be contradictory",
+  "type": "BUG",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "20min"
+  },
+  "tags": [
+    "regex"
+  ],
+  "defaultSeverity": "Critical",
+  "ruleSpecification": "RSPEC-6002",
+  "sqKey": "S6002",
+  "scope": "All",
+  "quickfix": "unknown"
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -138,6 +138,7 @@
     "S5864",
     "S5886",
     "S5890",
+    "S6002"
     "S6019"
   ]
 }

python-checks/src/test/java/org/sonar/python/checks/regex/RegexLookaheadCheckTest.java

@@ -0,0 +1,31 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2021 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.regex;
+
+import org.junit.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+public class RegexLookaheadCheckTest {
+
+  @Test
+  public void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/regex/regexLookaheadCheck.py", new RegexLookaheadCheck());
+  }
+}

python-checks/src/test/resources/checks/regex/regexLookaheadCheck.py

@@ -0,0 +1,22 @@
+import re
+
+
+def non_compliant(input):
+   re.match(r"(?=a)b", input)  # Noncompliant {{Remove or fix this lookahead assertion that can never be true.}}
+   #          ^^^^^
+   re.match(r"(?=ac)ab", input)  # Noncompliant
+   re.match(r"(?=a)bc", input)  # Noncompliant
+   re.match(r"(?!a)a", input)  # Noncompliant
+   re.match(r"(?!ab)ab", input)  # Noncompliant
+   re.match(r"(?=a)[^ba]", input)  # Noncompliant
+   re.match(r"(?!.)ab", input)  # Noncompliant
+
+
+def compliant(input):
+   re.match(r"(?=a)a", input)
+   re.match(r"(?=a)..", input)
+   re.match(r"(?=a)ab", input)
+   re.match(r"(?!ab)..", input)
+   re.match(r"(?<=a)b", input)
+   re.match(r"a(?=b)", input)
+   re.match(r"(?=abc)ab", input)