Merge pull request github#11248 from erik-krogh/js-redosMod

JS: use the shared regex pack

Author: erik-krogh

javascript/ql/lib/change-notes/2022-10-31-shared-redos-pack.md

@@ -0,0 +1,4 @@
+---
+ category: minorAnalysis
+---
+ * The ReDoS libraries in `semmle.code.javascript.security.regexp` has been moved to a shared pack inside the `shared/` folder, and the previous location has been deprecated.

javascript/ql/lib/qlpack.yml

@@ -5,3 +5,5 @@ dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
 library: true
 upgrades: upgrades
+dependencies:
+  codeql/regex: ${workspace}

javascript/ql/lib/semmle/javascript/Regexp.qll

@@ -176,6 +176,13 @@ class RegExpTerm extends Locatable, @regexpterm {
    * Gets a string that is matched by this regular-expression term.
    */
   string getAMatchedString() { result = this.getConstantValue() }
+
+  /** Holds if this term has the specified location. */
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
 }
 
 /**

javascript/ql/lib/semmle/javascript/security/BadTagFilterQuery.qll

@@ -2,155 +2,7 @@
  * Provides predicates for reasoning about bad tag filter vulnerabilities.
  */
 
-import regexp.RegexpMatching
-
-/**
- * Holds if the regexp `root` should be tested against `str`.
- * Implements the `isRegexpMatchingCandidateSig` signature from `RegexpMatching`.
- * `ignorePrefix` toggles whether the regular expression should be treated as accepting any prefix if it's unanchored.
- * `testWithGroups` toggles whether it's tested which groups are filled by a given input string.
- */
-private predicate isBadTagFilterCandidate(
-  RootTerm root, string str, boolean ignorePrefix, boolean testWithGroups
-) {
-  // the regexp must mention "<" and ">" explicitly.
-  forall(string angleBracket | angleBracket = ["<", ">"] |
-    any(RegExpConstant term | term.getValue().matches("%" + angleBracket + "%")).getRootTerm() =
-      root
-  ) and
-  ignorePrefix = true and
-  (
-    str = ["<!-- foo -->", "<!-- foo --!>", "<!- foo ->", "<foo>", "<script>"] and
-    testWithGroups = true
-    or
-    str =
-      [
-        "<!-- foo -->", "<!- foo ->", "<!-- foo --!>", "<!-- foo\n -->", "<script>foo</script>",
-        "<script \n>foo</script>", "<script >foo\n</script>", "<foo ></foo>", "<foo>",
-        "<foo src=\"foo\"></foo>", "<script>", "<script src=\"foo\"></script>",
-        "<script src='foo'></script>", "<SCRIPT>foo</SCRIPT>", "<script\tsrc=\"foo\"/>",
-        "<script\tsrc='foo'></script>", "<sCrIpT>foo</ScRiPt>", "<script src=\"foo\">foo</script >",
-        "<script src=\"foo\">foo</script foo=\"bar\">", "<script src=\"foo\">foo</script\t\n bar>"
-      ] and
-    testWithGroups = false
-  )
-}
-
-/**
- * A regexp that matches some string from the `isBadTagFilterCandidate` predicate.
- */
-class HtmlMatchingRegExp extends RootTerm {
-  HtmlMatchingRegExp() { RegexpMatching<isBadTagFilterCandidate/4>::matches(this, _) }
-
-  /** Holds if this regexp matched `str`, where `str` is one of the string from `isBadTagFilterCandidate`. */
-  predicate matches(string str) { RegexpMatching<isBadTagFilterCandidate/4>::matches(this, str) }
-
-  /** Holds if this regexp fills capture group `g' when matching `str', where `str` is one of the string from `isBadTagFilterCandidate`. */
-  predicate fillsCaptureGroup(string str, int g) {
-    RegexpMatching<isBadTagFilterCandidate/4>::fillsCaptureGroup(this, str, g)
-  }
-}
-
-/** DEPRECATED: Alias for HtmlMatchingRegExp */
-deprecated class HTMLMatchingRegExp = HtmlMatchingRegExp;
-
-/**
- * Holds if `regexp` matches some HTML tags, but misses some HTML tags that it should match.
- *
- * When adding a new case to this predicate, make sure the test string used in `matches(..)` calls are present in `HTMLMatchingRegExp::test` / `HTMLMatchingRegExp::testWithGroups`.
- */
-predicate isBadRegexpFilter(HtmlMatchingRegExp regexp, string msg) {
-  // CVE-2021-33829 - matching both "<!-- foo -->" and "<!-- foo --!>", but in different capture groups
-  regexp.matches("<!-- foo -->") and
-  regexp.matches("<!-- foo --!>") and
-  exists(int a, int b | a != b |
-    regexp.fillsCaptureGroup("<!-- foo -->", a) and
-    // <!-- foo --> might be ambiguously parsed (matching both capture groups), and that is ok here.
-    regexp.fillsCaptureGroup("<!-- foo --!>", b) and
-    not regexp.fillsCaptureGroup("<!-- foo --!>", a) and
-    msg =
-      "Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group "
-        + a + " and comments ending with --!> are matched with capture group " +
-        strictconcat(int i | regexp.fillsCaptureGroup("<!-- foo --!>", i) | i.toString(), ", ") +
-        "."
-  )
-  or
-  // CVE-2020-17480 - matching "<!-- foo -->" and other tags, but not "<!-- foo --!>".
-  exists(int group, int other |
-    group != other and
-    regexp.fillsCaptureGroup("<!-- foo -->", group) and
-    regexp.fillsCaptureGroup("<foo>", other) and
-    not regexp.matches("<!-- foo --!>") and
-    not regexp.fillsCaptureGroup("<!-- foo -->", any(int i | i != group)) and
-    not regexp.fillsCaptureGroup("<!- foo ->", group) and
-    not regexp.fillsCaptureGroup("<foo>", group) and
-    not regexp.fillsCaptureGroup("<script>", group) and
-    msg =
-      "This regular expression only parses --> (capture group " + group +
-        ") and not --!> as an HTML comment end tag."
-  )
-  or
-  regexp.matches("<!-- foo -->") and
-  not regexp.matches("<!-- foo\n -->") and
-  not regexp.matches("<!- foo ->") and
-  not regexp.matches("<foo>") and
-  not regexp.matches("<script>") and
-  msg = "This regular expression does not match comments containing newlines."
-  or
-  regexp.matches("<script>foo</script>") and
-  regexp.matches("<script src=\"foo\"></script>") and
-  not regexp.matches("<foo ></foo>") and
-  (
-    not regexp.matches("<script \n>foo</script>") and
-    msg = "This regular expression matches <script></script>, but not <script \\n></script>"
-    or
-    not regexp.matches("<script >foo\n</script>") and
-    msg = "This regular expression matches <script>...</script>, but not <script >...\\n</script>"
-  )
-  or
-  regexp.matches("<script>foo</script>") and
-  regexp.matches("<script src=\"foo\"></script>") and
-  not regexp.matches("<script src='foo'></script>") and
-  not regexp.matches("<foo>") and
-  msg = "This regular expression does not match script tags where the attribute uses single-quotes."
-  or
-  regexp.matches("<script>foo</script>") and
-  regexp.matches("<script src='foo'></script>") and
-  not regexp.matches("<script src=\"foo\"></script>") and
-  not regexp.matches("<foo>") and
-  msg = "This regular expression does not match script tags where the attribute uses double-quotes."
-  or
-  regexp.matches("<script>foo</script>") and
-  regexp.matches("<script src='foo'></script>") and
-  not regexp.matches("<script\tsrc='foo'></script>") and
-  not regexp.matches("<foo>") and
-  not regexp.matches("<foo src=\"foo\"></foo>") and
-  msg = "This regular expression does not match script tags where tabs are used between attributes."
-  or
-  regexp.matches("<script>foo</script>") and
-  not RegExpFlags::isIgnoreCase(regexp) and
-  not regexp.matches("<foo>") and
-  not regexp.matches("<foo ></foo>") and
-  (
-    not regexp.matches("<SCRIPT>foo</SCRIPT>") and
-    msg = "This regular expression does not match upper case <SCRIPT> tags."
-    or
-    not regexp.matches("<sCrIpT>foo</ScRiPt>") and
-    regexp.matches("<SCRIPT>foo</SCRIPT>") and
-    msg = "This regular expression does not match mixed case <sCrIpT> tags."
-  )
-  or
-  regexp.matches("<script src=\"foo\"></script>") and
-  not regexp.matches("<foo>") and
-  not regexp.matches("<foo ></foo>") and
-  (
-    not regexp.matches("<script src=\"foo\">foo</script >") and
-    msg = "This regular expression does not match script end tags like </script >."
-    or
-    not regexp.matches("<script src=\"foo\">foo</script foo=\"bar\">") and
-    msg = "This regular expression does not match script end tags like </script foo=\"bar\">."
-    or
-    not regexp.matches("<script src=\"foo\">foo</script\t\n bar>") and
-    msg = "This regular expression does not match script end tags like </script\\t\\n bar>."
-  )
-}
+private import regexp.RegExpTreeView::RegExpTreeView as TreeView
+// BadTagFilterQuery should be used directly from the shared pack, and not from this file.
+deprecated private import codeql.regex.nfa.BadTagFilterQuery::Make<TreeView> as Dep
+import Dep

javascript/ql/lib/semmle/javascript/security/IncompleteMultiCharacterSanitizationSpecific.qll

@@ -3,7 +3,8 @@
  */
 
 import javascript
-import semmle.javascript.security.regexp.NfaUtils as NfaUtils
+private import semmle.javascript.security.regexp.RegExpTreeView::RegExpTreeView as TreeView
+import codeql.regex.nfa.NfaUtils::Make<TreeView> as NfaUtils
 
 class StringSubstitutionCall = StringReplaceCall;