SONARPY-977 Rule S6323: Alternation in regular expressions should not… (#1104)

Author: andrea-guarino-sonarsource

its/ruling/src/test/java/org/sonar/python/it/RulingHelper.java

@@ -90,6 +90,7 @@ static List<String> bugRuleKeys() {
       "S5868",
       "S5996",
       "S6002",
+      "S6323",
       "S905",
       "S930"
     );

its/ruling/src/test/resources/expected_extended/nltk/python-S6323.json

@@ -0,0 +1,8 @@
+{
+'nltk:nltk/corpus/reader/api.py':[
+75,
+],
+'nltk:nltk/data.py':[
+516,
+],
+}

python-checks/src/main/java/org/sonar/python/checks/CheckList.java

@@ -52,6 +52,7 @@
 import org.sonar.python.checks.regex.AnchorPrecedenceCheck;
 import org.sonar.python.checks.regex.DuplicatesInCharacterClassCheck;
 import org.sonar.python.checks.regex.EmptyGroupCheck;
+import org.sonar.python.checks.regex.EmptyAlternativeCheck;
 import org.sonar.python.checks.regex.EmptyStringRepetitionCheck;
 import org.sonar.python.checks.regex.GraphemeClustersInClassesCheck;
 import org.sonar.python.checks.regex.ImpossibleBoundariesCheck;
@@ -121,6 +122,7 @@ public static Iterable<Class> getChecks() {
       DynamicCodeExecutionCheck.class,
       ElseAfterLoopsWithoutBreakCheck.class,
       EmailSendingCheck.class,
+      EmptyAlternativeCheck.class,
       EmptyGroupCheck.class,
       EmptyFunctionCheck.class,
       EmptyNestedBlockCheck.class,

python-checks/src/main/java/org/sonar/python/checks/regex/EmptyAlternativeCheck.java

@@ -0,0 +1,34 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2022 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.regex;
+
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonarsource.analyzer.commons.regex.RegexParseResult;
+import org.sonarsource.analyzer.commons.regex.finders.EmptyAlternativeFinder;
+
+@Rule(key = "S6323")
+public class EmptyAlternativeCheck extends AbstractRegexCheck{
+
+  @Override
+  public void checkRegex(RegexParseResult regexParseResult, CallExpression regexFunctionCall) {
+    new EmptyAlternativeFinder(this::addIssue).visit(regexParseResult);
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6323.html

@@ -0,0 +1,22 @@
+<p>Alternation is used to match a single regular expression out of several possible regular expressions. If one of the alternatives is empty it would
+match any input, which is most probably a mistake.</p>
+<h2>Noncompliant Code Example</h2>
+<pre>
+re.search(r"Jack|Peter|", "John") # Noncompliant - will match an empty string
+re.search(r"Jack||Peter", "John") # Noncompliant - will match an empty string
+</pre>
+<h2>Compliant Solution</h2>
+<pre>
+re.search(r"Jack|Peter", "John") # returns false
+</pre>
+<h2>Exceptions</h2>
+<p>One could use an empty alternation to make a regular expression group optional. Rule will not report on such cases.</p>
+<pre>
+re.search(r"mandatory(-optional|)", "mandatory")
+re.search(r"mandatory(-optional|)", "mandatory-optional")
+</pre>
+<p>However, if there is a quantifier after the group the issue will be reported as using both <code>|</code> and quantifier is redundant.</p>
+<pre>
+re.search(r"mandatory(-optional|)?", "mandatory-optional") # Noncompliant - using both `|` inside the group and `?` for the group.
+</pre>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6323.json

@@ -0,0 +1,17 @@
+{
+  "title": "Alternation in regular expressions should not contain empty alternatives",
+  "type": "BUG",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "regex"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-6323",
+  "sqKey": "S6323",
+  "scope": "Main",
+  "quickfix": "unknown"
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -152,6 +152,7 @@
     "S6002",
     "S6019",
     "S6035",
+    "S6323",
     "S6331"
   ]
 }

python-checks/src/test/java/org/sonar/python/checks/regex/EmptyAlternativeCheckTest.java

@@ -0,0 +1,31 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2022 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.regex;
+
+import org.junit.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+public class EmptyAlternativeCheckTest {
+
+  @Test
+  public void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/regex/emptyAlternativeCheck.py", new EmptyAlternativeCheck());
+  }
+}

python-checks/src/test/resources/checks/regex/emptyAlternativeCheck.py

@@ -0,0 +1,33 @@
+import re
+
+
+def non_compliant(input):
+    re.match("(mandatory||optional)", input)             # Noncompliant {{Remove this empty alternative.}}
+#                        ^
+    re.match("|mandatory|-optional", input)              # Noncompliant
+#             ^
+
+    re.match("mandatory|-optional|", input)              # Noncompliant
+#                                ^
+    # Noncompliant@+3
+    re.match('''(
+    \'[^\']*(\'|$)|     # - a string that starts with a quote, up until the next quote or the end of the string
+    |                   # or
+    \S                  # - a non-whitespace character
+    )''', input, re.X)
+
+    re.match("|mandatory|-optional", input)              # Noncompliant
+    re.match("(mandatory|(|O|o|)ptional|)", input)       # Noncompliant
+    re.match("(|mandatory|optional)?", input)            # Noncompliant {{Remove this empty alternative.}}
+#              ^
+    re.match("mandatory(-optional|){2}", input)          # Noncompliant
+#                                ^
+
+
+def compliant(input):
+    re.match("(mandatory|optional|)", input)
+    re.match("mandatory(-optional|)", input)
+    re.match("mandatory(|-optional)", input)
+    re.match("mandatory(|-optional)", input)
+    re.match("mandatory(-optional|)", input)
+    re.match("(mandatory(|-optional))?", input)