track regular expressions that gets compiled with Regexp.compile

erik-krogh · erik-krogh · commit 2fceee4e353e · 2023-01-18T09:31:04.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/regexp/internal/RegExpConfiguration.qll b/ruby/ql/lib/codeql/ruby/regexp/internal/RegExpConfiguration.qll
@@ -53,6 +53,14 @@ class RegExpConfiguration extends Configuration {
     DataFlow::Node nodeFrom, DataFlow::FlowState stateFrom, DataFlow::Node nodeTo,
     DataFlow::FlowState stateTo
   ) {
+    stateFrom = "string" and
+    stateTo = "reg" and
+    exists(DataFlow::CallNode call |
+      call = API::getTopLevelMember("Regexp").getAMethodCall(["compile", "new"]) and
+      nodeFrom = call.getArgument(0) and
+      nodeTo = call
+    )
+    or
     stateFrom = stateTo and
     stateFrom = "string" and
     (
diff --git a/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected
@@ -30,6 +30,10 @@ edges
 | PolynomialReDoS.rb:58:37:58:40 | name :  | PolynomialReDoS.rb:65:42:65:46 | input :  |
 | PolynomialReDoS.rb:61:33:61:37 | input :  | PolynomialReDoS.rb:62:5:62:9 | input |
 | PolynomialReDoS.rb:65:42:65:46 | input :  | PolynomialReDoS.rb:66:5:66:9 | input |
+| PolynomialReDoS.rb:70:12:70:17 | call to params :  | PolynomialReDoS.rb:70:12:70:24 | ...[...] :  |
+| PolynomialReDoS.rb:70:12:70:24 | ...[...] :  | PolynomialReDoS.rb:73:32:73:35 | name :  |
+| PolynomialReDoS.rb:73:32:73:35 | name :  | PolynomialReDoS.rb:76:35:76:39 | input :  |
+| PolynomialReDoS.rb:76:35:76:39 | input :  | PolynomialReDoS.rb:77:5:77:9 | input |
 nodes
 | PolynomialReDoS.rb:4:12:4:17 | call to params :  | semmle.label | call to params :  |
 | PolynomialReDoS.rb:4:12:4:24 | ...[...] :  | semmle.label | ...[...] :  |
@@ -67,6 +71,11 @@ nodes
 | PolynomialReDoS.rb:62:5:62:9 | input | semmle.label | input |
 | PolynomialReDoS.rb:65:42:65:46 | input :  | semmle.label | input :  |
 | PolynomialReDoS.rb:66:5:66:9 | input | semmle.label | input |
+| PolynomialReDoS.rb:70:12:70:17 | call to params :  | semmle.label | call to params :  |
+| PolynomialReDoS.rb:70:12:70:24 | ...[...] :  | semmle.label | ...[...] :  |
+| PolynomialReDoS.rb:73:32:73:35 | name :  | semmle.label | name :  |
+| PolynomialReDoS.rb:76:35:76:39 | input :  | semmle.label | input :  |
+| PolynomialReDoS.rb:77:5:77:9 | input | semmle.label | input |
 subpaths
 #select
 | PolynomialReDoS.rb:10:5:10:17 | ... =~ ... | PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:10:5:10:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
@@ -91,3 +100,4 @@ subpaths
 | PolynomialReDoS.rb:47:5:50:7 | case ... | PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:47:10:47:13 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:48:14:48:16 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
 | PolynomialReDoS.rb:62:5:62:22 | call to gsub | PolynomialReDoS.rb:54:12:54:17 | call to params :  | PolynomialReDoS.rb:62:5:62:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:56:31:56:33 | \\s+ | regular expression | PolynomialReDoS.rb:54:12:54:17 | call to params | user-provided value |
 | PolynomialReDoS.rb:66:5:66:34 | call to match? | PolynomialReDoS.rb:54:12:54:17 | call to params :  | PolynomialReDoS.rb:66:5:66:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:58:30:58:32 | \\s+ | regular expression | PolynomialReDoS.rb:54:12:54:17 | call to params | user-provided value |
+| PolynomialReDoS.rb:77:5:77:22 | call to gsub | PolynomialReDoS.rb:70:12:70:17 | call to params :  | PolynomialReDoS.rb:77:5:77:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:72:28:72:30 | \\s+ | regular expression | PolynomialReDoS.rb:70:12:70:17 | call to params | user-provided value |
diff --git a/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.rb b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.rb
@@ -65,4 +65,15 @@ def indirect_use_of_reg (reg, input)
   def as_string_indirect (reg_as_string, input)
     input.match? reg_as_string, '' # NOT GOOD
   end
+
+  def re_compile_indirect 
+    name = params[:name] # source
+
+    reg = Regexp.new '^\s+|\s+$'
+    re_compile_indirect_2 reg, name
+  end
+
+  def re_compile_indirect_2 (reg, input)
+    input.gsub reg, '' # NOT GOOD
+  end
 end
