Swift: Copy qhelp from Ruby.

Author: geoffw0

swift/ql/src/queries/Security/CWE-1333/ReDoS.qhelp

@@ -0,0 +1,26 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+  <include src="ReDoSIntroduction.inc.qhelp" />
+  <example>
+    <p>Consider this regular expression:</p>
+    <sample language="ruby">
+/^_(__|.)+_$/</sample>
+    <p>
+      Its sub-expression <code>"(__|.)+?"</code> can match the string
+      <code>"__"</code> either by the first alternative <code>"__"</code> to the
+      left of the <code>"|"</code> operator, or by two repetitions of the second
+      alternative <code>"."</code> to the right. Thus, a string consisting of an
+      odd number of underscores followed by some other character will cause the
+      regular expression engine to run for an exponential amount of time before
+      rejecting the input.
+    </p>
+    <p>
+      This problem can be avoided by rewriting the regular expression to remove
+      the ambiguity between the two branches of the alternative inside the
+      repetition:
+    </p>
+    <sample language="ruby">
+/^_(__|[^_])+_$/</sample>
+  </example>
+  <include src="ReDoSReferences.inc.qhelp"/>
+</qhelp>

swift/ql/src/queries/Security/CWE-1333/ReDoSIntroduction.inc.qhelp

@@ -0,0 +1,43 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      Some regular expressions take a long time to match certain input strings
+      to the point where the time it takes to match a string of length <i>n</i>
+      is proportional to <i>n<sup>k</sup></i> or even <i>2<sup>n</sup></i>.
+      Such regular expressions can negatively affect performance, or even allow
+      a malicious user to perform a Denial of Service ("DoS") attack by crafting
+      an expensive input string for the regular expression to match.
+    </p>
+    <p>
+      The regular expression engine used by the Ruby interpreter (MRI) uses
+      backtracking non-deterministic finite automata to implement regular
+      expression matching. While this approach is space-efficient and allows
+      supporting advanced features like capture groups, it is not time-efficient
+      in general. The worst-case time complexity of such an automaton can be
+      polynomial or even exponential, meaning that for strings of a certain
+      shape, increasing the input length by ten characters may make the
+      automaton about 1000 times slower.
+    </p>
+    <p>
+      Note that Ruby 3.2 and later have implemented a caching mechanism that
+      completely eliminates the worst-case time complexity for the regular
+      expressions flagged by this query. The regular expressions flagged by this
+      query are therefore only problematic for Ruby versions prior to 3.2.
+    </p>
+    <p>
+      Typically, a regular expression is affected by this problem if it contains
+      a repetition of the form <code>r*</code> or <code>r+</code> where the
+      sub-expression <code>r</code> is ambiguous in the sense that it can match
+      some string in multiple ways. More information about the precise
+      circumstances can be found in the references.
+    </p>
+  </overview>
+  <recommendation>
+    <p>
+      Modify the regular expression to remove the ambiguity, or ensure that the
+      strings matched with the regular expression are short enough that the
+      time-complexity does not matter.
+    </p>
+  </recommendation>
+</qhelp>

swift/ql/src/queries/Security/CWE-1333/ReDoSReferences.inc.qhelp

@@ -0,0 +1,13 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+  <references>
+    <li> OWASP:
+      <a href="https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">Regular expression Denial of Service - ReDoS</a>.
+    </li>
+    <li>Wikipedia: <a href="https://en.wikipedia.org/wiki/ReDoS">ReDoS</a>.</li>
+    <li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Time_complexity">Time complexity</a>.</li>
+    <li>James Kirrage, Asiri Rathnayake, Hayo Thielecke:
+      <a href="http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf">Static Analysis for Regular Expression Denial-of-Service Attack</a>.
+    </li>
+  </references>
+</qhelp>