Merge pull request github#6507 from tausbn/python-prevent-polynomial-redos-explosion

yoff · web-flow · commit 467aa647da6c · 2021-08-23T11:48:14.000+02:00
Python: Prevent explosion in poly-ReDoS query
diff --git a/python/ql/src/semmle/python/security/performance/RegExpTreeView.qll b/python/ql/src/semmle/python/security/performance/RegExpTreeView.qll
@@ -12,4 +12,8 @@ import semmle.python.RegexTreeView
  */
 predicate isExcluded(RegExpParent parent) {
   not exists(parent.getRegex().getLocation().getFile().getRelativePath())
+  or
+  // Regexes with many occurrences of ".*" may cause the polynomial ReDoS computation to explode, so
+  // we explicitly exclude these.
+  count(int i | exists(parent.getRegex().getText().regexpFind("\\.\\*", i, _)) | i) > 10
 }

Original file line number	Diff line number	Diff line change
`@@ -12,4 +12,8 @@ import semmle.python.RegexTreeView`
`12`	`12`	`*/`
`13`	`13`	`predicate isExcluded(RegExpParent parent) {`
`14`	`14`	`not exists(parent.getRegex().getLocation().getFile().getRelativePath())`
	`15`	`+ or`
	`16`	`+ // Regexes with many occurrences of ".*" may cause the polynomial ReDoS computation to explode, so`
	`17`	`+ // we explicitly exclude these.`
	`18`	`+ count(int i \| exists(parent.getRegex().getText().regexpFind("\\.\\*", i, _)) \| i) > 10`
`15`	`19`	`}`