Add sanitizers for compiled regexes

Author: joefarebrother

python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll

@@ -157,6 +157,15 @@ module ServerSideRequestForgery {
       branch = true and
       call = API::moduleImport("re").getMember(["match", "fullmatch"]).getACall() and
       strNode = [call.getArg(1), call.getArgByName("string")]
+      or
+      branch = true and
+      call =
+        API::moduleImport("re")
+            .getMember("compile")
+            .getReturn()
+            .getMember(["match", "fullmatch"])
+            .getACall() and
+      strNode = [call.getArg(0), call.getArgByName("string")]
     )
   }
 }

python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/full_partial_test.py

@@ -164,3 +164,13 @@ def partial_ssrf_7():
     if re.match(r'[a-zA-Z0-9]+', user_input):
         url = f"https://example.com/foo#{user_input}"
         requests.get(url) # NOT OK, but NOT FOUND - user input can contain arbitrary character as a suffix.
+
+    reg = re.compile(r'^[a-zA-Z0-9]+$')
+
+    if reg.match(user_input):
+       url = f"https://example.com/foo#{user_input}"
+       requests.get(url) # OK - user input can only contain alphanumerical characters
+
+    if reg.fullmatch(user_input):
+       url = f"https://example.com/foo#{user_input}"
+       requests.get(url) # OK - user input can only contain alphanumerical characters