Skip to content

Commit 08bc14f

Browse files
erik-krogherik-krogh
committed
add failing test
1 parent f623ea0 commit 08bc14f

File tree

3 files changed

+19
-1
lines changed

3 files changed

+19
-1
lines changed

javascript/ql/test/query-tests/Security/CWE-400/ReDoS/PolynomialBackTracking.expected

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,8 @@
3333
| lib/lib.js:8:3:8:4 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
3434
| lib/lib.js:28:3:28:4 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
3535
| lib/lib.js:36:3:36:4 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
36+
| lib/lib.js:42:29:42:30 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
37+
| lib/lib.js:45:29:45:30 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
3638
| lib/moduleLib/moduleLib.js:2:3:2:4 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
3739
| lib/otherLib/js/src/index.js:2:3:2:4 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
3840
| lib/snapdragon.js:7:28:7:29 | a* | Strings starting with 'a' and with many repetitions of 'a' can start matching anywhere after the start of the preceeding aa*$ |

javascript/ql/test/query-tests/Security/CWE-400/ReDoS/PolynomialReDoS.expected

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,10 @@ nodes
2828
| lib/lib.js:35:28:35:31 | name |
2929
| lib/lib.js:36:13:36:16 | name |
3030
| lib/lib.js:36:13:36:16 | name |
31+
| lib/lib.js:41:32:41:35 | name |
32+
| lib/lib.js:41:32:41:35 | name |
33+
| lib/lib.js:42:17:42:20 | name |
34+
| lib/lib.js:42:17:42:20 | name |
3135
| lib/moduleLib/moduleLib.js:1:28:1:31 | name |
3236
| lib/moduleLib/moduleLib.js:1:28:1:31 | name |
3337
| lib/moduleLib/moduleLib.js:2:13:2:16 | name |
@@ -249,6 +253,10 @@ edges
249253
| lib/lib.js:35:1:37:1 | 'arguments' object of function usedWithArguments | lib/lib.js:35:28:35:31 | name |
250254
| lib/lib.js:35:28:35:31 | name | lib/lib.js:36:13:36:16 | name |
251255
| lib/lib.js:35:28:35:31 | name | lib/lib.js:36:13:36:16 | name |
256+
| lib/lib.js:41:32:41:35 | name | lib/lib.js:42:17:42:20 | name |
257+
| lib/lib.js:41:32:41:35 | name | lib/lib.js:42:17:42:20 | name |
258+
| lib/lib.js:41:32:41:35 | name | lib/lib.js:42:17:42:20 | name |
259+
| lib/lib.js:41:32:41:35 | name | lib/lib.js:42:17:42:20 | name |
252260
| lib/moduleLib/moduleLib.js:1:28:1:31 | name | lib/moduleLib/moduleLib.js:2:13:2:16 | name |
253261
| lib/moduleLib/moduleLib.js:1:28:1:31 | name | lib/moduleLib/moduleLib.js:2:13:2:16 | name |
254262
| lib/moduleLib/moduleLib.js:1:28:1:31 | name | lib/moduleLib/moduleLib.js:2:13:2:16 | name |
@@ -440,6 +448,7 @@ edges
440448
| lib/lib.js:4:2:4:18 | regexp.test(name) | lib/lib.js:3:28:3:31 | name | lib/lib.js:4:14:4:17 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'a'. | lib/lib.js:1:15:1:16 | a* | regular expression | lib/lib.js:3:28:3:31 | name | library input |
441449
| lib/lib.js:8:2:8:17 | /f*g/.test(name) | lib/lib.js:7:19:7:22 | name | lib/lib.js:8:13:8:16 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'f'. | lib/lib.js:8:3:8:4 | f* | regular expression | lib/lib.js:7:19:7:22 | name | library input |
442450
| lib/lib.js:36:2:36:17 | /f*g/.test(name) | lib/lib.js:32:32:32:40 | arguments | lib/lib.js:36:13:36:16 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'f'. | lib/lib.js:36:3:36:4 | f* | regular expression | lib/lib.js:32:32:32:40 | arguments | library input |
451+
| lib/lib.js:42:17:42:33 | name.match(/f*g/) | lib/lib.js:41:32:41:35 | name | lib/lib.js:42:17:42:20 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'f'. | lib/lib.js:42:29:42:30 | f* | regular expression | lib/lib.js:41:32:41:35 | name | library input |
443452
| lib/moduleLib/moduleLib.js:2:2:2:17 | /a*b/.test(name) | lib/moduleLib/moduleLib.js:1:28:1:31 | name | lib/moduleLib/moduleLib.js:2:13:2:16 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'a'. | lib/moduleLib/moduleLib.js:2:3:2:4 | a* | regular expression | lib/moduleLib/moduleLib.js:1:28:1:31 | name | library input |
444453
| lib/otherLib/js/src/index.js:2:2:2:17 | /a*b/.test(name) | lib/otherLib/js/src/index.js:1:28:1:31 | name | lib/otherLib/js/src/index.js:2:13:2:16 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'a'. | lib/otherLib/js/src/index.js:2:3:2:4 | a* | regular expression | lib/otherLib/js/src/index.js:1:28:1:31 | name | library input |
445454
| lib/snapdragon.js:7:15:7:32 | this.match(/aa*$/) | lib/snapdragon.js:3:34:3:38 | input | lib/snapdragon.js:7:15:7:18 | this | This $@ that depends on $@ may run slow on strings starting with 'a' and with many repetitions of 'a'. | lib/snapdragon.js:7:28:7:29 | a* | regular expression | lib/snapdragon.js:3:34:3:38 | input | library input |

javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/lib.js

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -36,4 +36,11 @@ function usedWithArguments(name) {
3636
/f*g/.test(name); // NOT OK
3737
}
3838

39-
module.exports.snapdragon = require("./snapdragon")
39+
module.exports.snapdragon = require("./snapdragon")
40+
41+
module.exports.foo = function (name) {
42+
var data1 = name.match(/f*g/); // NOT OK
43+
44+
name = name.substr(1);
45+
var data2 = name.match(/f*g/); // NOT OK - but not flagged
46+
}

0 commit comments

Comments
 (0)