Merge pull request #13759 from geoffw0/parsemode2

Swift: Refactor regex library

Author: geoffw0

swift/ql/lib/codeql/swift/regex/Regex.qll

@@ -6,51 +6,58 @@ import swift
 import codeql.swift.regex.RegexTreeView
 private import codeql.swift.dataflow.DataFlow
 private import internal.ParseRegex
+private import internal.RegexTracking
 
 /**
- * A data flow configuration for tracking string literals that are used as
- * regular expressions.
+ * A string literal that is used as a regular expression. For example
+ * the string literal `"(a|b).*"` in:
+ * ```
+ * Regex("(a|b).*").firstMatch(in: myString)
+ * ```
  */
-private module RegexUseConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node node) { node.asExpr() instanceof StringLiteralExpr }
+private class ParsedStringRegex extends RegExp, StringLiteralExpr {
+  DataFlow::Node use;
+
+  ParsedStringRegex() { StringLiteralUseFlow::flow(DataFlow::exprNode(this), use) }
+
+  /**
+   * Gets a dataflow node where this string literal is used as a regular
+   * expression.
+   */
+  DataFlow::Node getUse() { result = use }
+}
 
-  predicate isSink(DataFlow::Node node) { node.asExpr() = any(RegexEval eval).getRegexInput() }
+/**
+ * A data-flow node where a regular expression object is created.
+ */
+abstract class RegexCreation extends DataFlow::Node {
+  /**
+   * Gets a dataflow node for the string that the regular expression object is
+   * created from.
+   */
+  abstract DataFlow::Node getStringInput();
+}
+
+/**
+ * A data-flow node where a `Regex` or `NSRegularExpression` object is created.
+ */
+private class StandardRegexCreation extends RegexCreation {
+  DataFlow::Node input;
 
-  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    // flow through `Regex` initializer, i.e. from a string to a `Regex` object.
+  StandardRegexCreation() {
     exists(CallExpr call |
       (
         call.getStaticTarget().(Method).hasQualifiedName("Regex", ["init(_:)", "init(_:as:)"]) or
         call.getStaticTarget()
             .(Method)
             .hasQualifiedName("NSRegularExpression", "init(pattern:options:)")
       ) and
-      nodeFrom.asExpr() = call.getArgument(0).getExpr() and
-      nodeTo.asExpr() = call
+      input.asExpr() = call.getArgument(0).getExpr() and
+      this.asExpr() = call
     )
   }
-}
-
-private module RegexUseFlow = DataFlow::Global<RegexUseConfig>;
-
-/**
- * A string literal that is used as a regular expression in a regular
- * expression evaluation. For example the string literal `"(a|b).*"` in:
- * ```
- * Regex("(a|b).*").firstMatch(in: myString)
- * ```
- */
-private class ParsedStringRegex extends RegExp, StringLiteralExpr {
-  RegexEval eval;
-
-  ParsedStringRegex() {
-    RegexUseFlow::flow(DataFlow::exprNode(this), DataFlow::exprNode(eval.getRegexInput()))
-  }
 
-  /**
-   * Gets a call that evaluates this regular expression.
-   */
-  RegexEval getEval() { result = eval }
+  override DataFlow::Node getStringInput() { result = input }
 }
 
 /**
@@ -61,7 +68,8 @@ private class ParsedStringRegex extends RegExp, StringLiteralExpr {
  */
 abstract class RegexEval extends CallExpr {
   /**
-   * Gets the input to this call that is the regular expression being evaluated.
+   * Gets the input to this call that is the regular expression being evaluated. This may
+   * be a regular expression object or a string literal.
    */
   abstract Expr getRegexInput();
 
@@ -73,7 +81,16 @@ abstract class RegexEval extends CallExpr {
   /**
    * Gets a regular expression value that is evaluated here (if any can be identified).
    */
-  RegExp getARegex() { result.(ParsedStringRegex).getEval() = this }
+  RegExp getARegex() {
+    // string literal used directly as a regex
+    result.(ParsedStringRegex).getUse().asExpr() = this.getRegexInput()
+    or
+    // string literal -> regex object -> use
+    exists(RegexCreation regexCreation |
+      result.(ParsedStringRegex).getUse() = regexCreation.getStringInput() and
+      RegexUseFlow::flow(regexCreation, DataFlow::exprNode(this.getRegexInput()))
+    )
+  }
 }
 
 /**

swift/ql/lib/codeql/swift/regex/internal/RegexTracking.qll

@@ -0,0 +1,54 @@
+/**
+ * Provides classes and predicates that track strings and regular expressions
+ * to where they are used, along with properties of the regex such as parse
+ * mode flags that have been set.
+ */
+
+import swift
+import codeql.swift.regex.RegexTreeView
+private import codeql.swift.dataflow.DataFlow
+private import ParseRegex
+private import codeql.swift.regex.Regex
+
+/**
+ * A data flow configuration for tracking string literals that are used to
+ * create regular expression objects, or are evaluated directly as regular
+ * expressions.
+ */
+private module StringLiteralUseConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node.asExpr() instanceof StringLiteralExpr }
+
+  predicate isSink(DataFlow::Node node) {
+    // evaluated directly as a regular expression
+    node.asExpr() = any(RegexEval eval).getRegexInput()
+    or
+    // used to create a regular expression object
+    node = any(RegexCreation regexCreation).getStringInput()
+  }
+}
+
+module StringLiteralUseFlow = DataFlow::Global<StringLiteralUseConfig>;
+
+/**
+ * A data flow configuration for tracking regular expression objects from
+ * creation to the point of use.
+ */
+private module RegexUseConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
+    // creation of the regex
+    node instanceof RegexCreation
+    // TODO: track parse mode flags.
+  }
+
+  predicate isSink(DataFlow::Node node) {
+    // evaluation of the regex
+    node.asExpr() = any(RegexEval eval).getRegexInput()
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    // TODO: flow through regex methods that return a modified regex.
+    none()
+  }
+}
+
+module RegexUseFlow = DataFlow::Global<RegexUseConfig>;

swift/ql/test/query-tests/Security/CWE-1333/ReDoS.expected

@@ -1,5 +1,7 @@
+| ReDoS.swift:64:22:64:22 | a* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
 | ReDoS.swift:65:22:65:22 | a* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
 | ReDoS.swift:66:22:66:22 | a* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
 | ReDoS.swift:69:18:69:18 | a* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
+| ReDoS.swift:75:46:75:46 | a* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
 | ReDoS.swift:77:57:77:57 | a* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
 | ReDoS.swift:80:57:80:57 | a* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |

swift/ql/test/query-tests/Security/CWE-1333/ReDoS.swift

@@ -61,7 +61,7 @@ func myRegexpTests(myUrl: URL) throws {
     // Regex
 
     _ = "((a*)*b)" // GOOD (never used)
-    _ = try Regex("((a*)*b)") // DUBIOUS (never used)
+    _ = try Regex("((a*)*b)") // DUBIOUS (never used) [FLAGGED]
     _ = try Regex("((a*)*b)").firstMatch(in: untainted) // DUBIOUS (never used on tainted input) [FLAGGED]
     _ = try Regex("((a*)*b)").firstMatch(in: tainted) // BAD
     _ = try Regex(".*").firstMatch(in: tainted) // GOOD (safe regex)
@@ -72,7 +72,7 @@ func myRegexpTests(myUrl: URL) throws {
 
     // NSRegularExpression
 
-    _ = try? NSRegularExpression(pattern: "((a*)*b)") // DUBIOUS (never used)
+    _ = try? NSRegularExpression(pattern: "((a*)*b)") // DUBIOUS (never used) [FLAGGED]
 
     let nsregex1 = try? NSRegularExpression(pattern: "((a*)*b)") // DUBIOUS (never used on tainted input) [FLAGGED]
     _ = nsregex1?.stringByReplacingMatches(in: untainted, range: NSRange(location: 0, length: untainted.utf16.count), withTemplate: "")