remove paths without unmatched returns from polynomial-redos

Author: erik-krogh

javascript/ql/lib/semmle/javascript/security/performance/PolynomialReDoS.qll

@@ -28,5 +28,15 @@ module PolynomialReDoS {
       super.isSanitizer(node) or
       node instanceof Sanitizer
     }
+
+    override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
+      super.hasFlowPath(source, sink) and
+      // require that there is a path without unmatched return steps
+      DataFlow::hasPathWithoutUnmatchedReturn(source, sink)
+    }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+      DataFlow::localFieldStep(pred, succ)
+    }
   }
 }

javascript/ql/test/query-tests/Performance/ReDoS/PolynomialBackTracking.expected

@@ -31,6 +31,7 @@
 | lib/indirect.js:2:6:2:7 | k* | Strings with many repetitions of 'k' can start matching anywhere after the start of the preceeding k*h |
 | lib/lib.js:1:15:1:16 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
 | lib/lib.js:8:3:8:4 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
+| lib/lib.js:28:3:28:4 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
 | lib/moduleLib/moduleLib.js:2:3:2:4 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
 | lib/otherLib/js/src/index.js:2:3:2:4 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
 | lib/sublib/factory.js:13:14:13:15 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |

javascript/ql/test/query-tests/Performance/ReDoS/PolynomialReDoS.expected

@@ -15,6 +15,13 @@ nodes
 | lib/lib.js:7:19:7:22 | name |
 | lib/lib.js:8:13:8:16 | name |
 | lib/lib.js:8:13:8:16 | name |
+| lib/lib.js:21:14:21:14 | x |
+| lib/lib.js:21:14:21:14 | x |
+| lib/lib.js:22:9:22:9 | x |
+| lib/lib.js:27:6:27:19 | y |
+| lib/lib.js:27:10:27:19 | id("safe") |
+| lib/lib.js:28:13:28:13 | y |
+| lib/lib.js:28:13:28:13 | y |
 | lib/moduleLib/moduleLib.js:1:28:1:31 | name |
 | lib/moduleLib/moduleLib.js:1:28:1:31 | name |
 | lib/moduleLib/moduleLib.js:2:13:2:16 | name |
@@ -186,6 +193,12 @@ edges
 | lib/lib.js:7:19:7:22 | name | lib/lib.js:8:13:8:16 | name |
 | lib/lib.js:7:19:7:22 | name | lib/lib.js:8:13:8:16 | name |
 | lib/lib.js:7:19:7:22 | name | lib/lib.js:8:13:8:16 | name |
+| lib/lib.js:21:14:21:14 | x | lib/lib.js:22:9:22:9 | x |
+| lib/lib.js:21:14:21:14 | x | lib/lib.js:22:9:22:9 | x |
+| lib/lib.js:22:9:22:9 | x | lib/lib.js:27:10:27:19 | id("safe") |
+| lib/lib.js:27:6:27:19 | y | lib/lib.js:28:13:28:13 | y |
+| lib/lib.js:27:6:27:19 | y | lib/lib.js:28:13:28:13 | y |
+| lib/lib.js:27:10:27:19 | id("safe") | lib/lib.js:27:6:27:19 | y |
 | lib/moduleLib/moduleLib.js:1:28:1:31 | name | lib/moduleLib/moduleLib.js:2:13:2:16 | name |
 | lib/moduleLib/moduleLib.js:1:28:1:31 | name | lib/moduleLib/moduleLib.js:2:13:2:16 | name |
 | lib/moduleLib/moduleLib.js:1:28:1:31 | name | lib/moduleLib/moduleLib.js:2:13:2:16 | name |

javascript/ql/test/query-tests/Performance/ReDoS/lib/lib.js

@@ -16,4 +16,14 @@ module.exports.closure = require("./closure")
 
 module.exports.func = function (conf) {
 	return require("./indirect")
+}
+
+function id (x) {
+	return x;
+}
+module.exports.id = id;
+
+module.exports.safe = function (x) {
+	var y = id("safe");
+	/f*g/.test(y); // OK
 }