Fix ReDOS in cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql

hmakholm · hmakholm · commit 2d615ef503e7 · 2021-04-06T20:10:57.000+02:00
The sub-regex `(\s|.)*` aims to capture arbitrary string content
(in contrast to `.*` which doesn't match newlines), but it is
unsafe, since non-newline whitespace can match both alternatives.

This caused an evaluator crash in the wild.

Replace with `[\s\S]*`, which matches everything in a safe way.
diff --git a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
@@ -93,7 +93,7 @@ class QuotedCommandInCreateProcessFunctionConfiguration extends DataFlow2::Confi
 
 bindingset[s]
 predicate isQuotedOrNoSpaceApplicationNameOnCmd(string s) {
-  s.regexpMatch("\"([^\"])*\"(\\s|.)*") // The first element (path) is quoted
+  s.regexpMatch("\"([^\"])*\"[\\s\\S]*") // The first element (path) is quoted
   or
   s.regexpMatch("[^\\s]+") // There are no spaces in the string
 }

Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ class QuotedCommandInCreateProcessFunctionConfiguration extends DataFlow2::Confi`
`93`	`93`
`94`	`94`	`bindingset[s]`
`95`	`95`	`predicate isQuotedOrNoSpaceApplicationNameOnCmd(string s) {`
`96`		`- s.regexpMatch("\"([^\"])\"(\\s\|.)") // The first element (path) is quoted`
	`96`	`+ s.regexpMatch("\"([^\"])\"[\\s\\S]") // The first element (path) is quoted`
`97`	`97`	`or`
`98`	`98`	`s.regexpMatch("[^\\s]+") // There are no spaces in the string`
`99`	`99`	`}`