Sync shared files

hvitved · hvitved · commit 0fb28f4bc9f3 · 2022-03-31T12:52:42.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/performance/ExponentialBackTracking.qll b/javascript/ql/lib/semmle/javascript/security/performance/ExponentialBackTracking.qll
@@ -277,17 +277,17 @@ private class Trace extends TTrace {
       result = "Step(" + s1 + ", " + s2 + ", " + t + ")"
     )
   }
-}
 
-/**
- * Gets a string corresponding to the trace `t`.
- */
-private string concretise(Trace t) {
-  t = Nil() and result = ""
-  or
-  exists(InputSymbol s1, InputSymbol s2, Trace rest | t = Step(s1, s2, rest) |
-    result = concretise(rest) + intersect(s1, s2)
-  )
+  /** Holds if the `i`th pair of this trace is `(s1, s2)`. */
+  predicate hasPair(int i, InputSymbol s1, InputSymbol s2) {
+    this = Step(s1, s2, _) and
+    i = 0
+    or
+    exists(Trace t |
+      this = Step(_, _, t) and
+      t.hasPair(i - 1, s1, s2)
+    )
+  }
 }
 
 /**
@@ -321,14 +321,36 @@ private StatePair getAForkPair(State fork) {
   result = MkStatePair(epsilonPred*(fork), epsilonPred*(fork))
 }
 
+private class RelevantTrace extends Trace {
+  RelevantTrace() {
+    exists(State fork, StatePair q |
+      isReachableFromFork(fork, q, this, _) and
+      q = getAForkPair(fork)
+    )
+  }
+
+  /** Gets a string corresponding to this trace. */
+  // the pragma is needed for the case where `intersect(s1, s2)` has multiple values,
+  // not for recursion
+  language[monotonicAggregates]
+  string concretise() {
+    result =
+      concat(int i, InputSymbol s1, InputSymbol s2 |
+        this.hasPair(i, s1, s2)
+      |
+        intersect(s1, s2) order by i desc
+      )
+  }
+}
+
 /**
  * Holds if `fork` is a pumpable fork with word `w`.
  */
 private predicate isPumpable(State fork, string w) {
-  exists(StatePair q, Trace t |
+  exists(StatePair q, RelevantTrace t |
     isReachableFromFork(fork, q, t, _) and
     q = getAForkPair(fork) and
-    w = concretise(t)
+    w = t.concretise()
   )
 }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/performance/ReDoSUtil.qll b/javascript/ql/lib/semmle/javascript/security/performance/ReDoSUtil.qll
@@ -32,7 +32,7 @@ abstract class ReDoSConfiguration extends string {
 }
 
 /**
- * Holds if repeating `pump' starting at `state` is a candidate for causing backtracking.
+ * Holds if repeating `pump` starting at `state` is a candidate for causing backtracking.
  * No check whether a rejected suffix exists has been made.
  */
 private predicate isReDoSCandidate(State state, string pump) {
diff --git a/python/ql/lib/semmle/python/security/performance/ExponentialBackTracking.qll b/python/ql/lib/semmle/python/security/performance/ExponentialBackTracking.qll
@@ -277,17 +277,17 @@ private class Trace extends TTrace {
       result = "Step(" + s1 + ", " + s2 + ", " + t + ")"
     )
   }
-}
 
-/**
- * Gets a string corresponding to the trace `t`.
- */
-private string concretise(Trace t) {
-  t = Nil() and result = ""
-  or
-  exists(InputSymbol s1, InputSymbol s2, Trace rest | t = Step(s1, s2, rest) |
-    result = concretise(rest) + intersect(s1, s2)
-  )
+  /** Holds if the `i`th pair of this trace is `(s1, s2)`. */
+  predicate hasPair(int i, InputSymbol s1, InputSymbol s2) {
+    this = Step(s1, s2, _) and
+    i = 0
+    or
+    exists(Trace t |
+      this = Step(_, _, t) and
+      t.hasPair(i - 1, s1, s2)
+    )
+  }
 }
 
 /**
@@ -321,14 +321,36 @@ private StatePair getAForkPair(State fork) {
   result = MkStatePair(epsilonPred*(fork), epsilonPred*(fork))
 }
 
+private class RelevantTrace extends Trace {
+  RelevantTrace() {
+    exists(State fork, StatePair q |
+      isReachableFromFork(fork, q, this, _) and
+      q = getAForkPair(fork)
+    )
+  }
+
+  /** Gets a string corresponding to this trace. */
+  // the pragma is needed for the case where `intersect(s1, s2)` has multiple values,
+  // not for recursion
+  language[monotonicAggregates]
+  string concretise() {
+    result =
+      concat(int i, InputSymbol s1, InputSymbol s2 |
+        this.hasPair(i, s1, s2)
+      |
+        intersect(s1, s2) order by i desc
+      )
+  }
+}
+
 /**
  * Holds if `fork` is a pumpable fork with word `w`.
  */
 private predicate isPumpable(State fork, string w) {
-  exists(StatePair q, Trace t |
+  exists(StatePair q, RelevantTrace t |
     isReachableFromFork(fork, q, t, _) and
     q = getAForkPair(fork) and
-    w = concretise(t)
+    w = t.concretise()
   )
 }
 
diff --git a/python/ql/lib/semmle/python/security/performance/ReDoSUtil.qll b/python/ql/lib/semmle/python/security/performance/ReDoSUtil.qll
@@ -32,7 +32,7 @@ abstract class ReDoSConfiguration extends string {
 }
 
 /**
- * Holds if repeating `pump' starting at `state` is a candidate for causing backtracking.
+ * Holds if repeating `pump` starting at `state` is a candidate for causing backtracking.
  * No check whether a rejected suffix exists has been made.
  */
 private predicate isReDoSCandidate(State state, string pump) {

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ abstract class ReDoSConfiguration extends string {`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`/**`
`35`		- * Holds if repeating `pump' starting at `state` is a candidate for causing backtracking.
	`35`	+ * Holds if repeating `pump` starting at `state` is a candidate for causing backtracking.
`36`	`36`	`* No check whether a rejected suffix exists has been made.`
`37`	`37`	`*/`
`38`	`38`	`private predicate isReDoSCandidate(State state, string pump) {`