Merge pull request github#14027 from erik-krogh/py-reg-app

erik-krogh · web-flow · commit 59de92ce64af · 2023-08-24T12:57:42.000+02:00
ReDoS: limit concretize to strings of at most length 100
diff --git a/shared/regex/codeql/regex/nfa/NfaUtils.qll b/shared/regex/codeql/regex/nfa/NfaUtils.qll
@@ -1457,7 +1457,8 @@ module Make<RegexTreeViewSig TreeImpl> {
         result = getChar(ancestor) and
         ancestor = getAnAncestor(n) and
         i = nodeDepth(ancestor)
-      )
+      ) and
+      nodeDepth(n) < 100
     }
 
     /** Gets a string corresponding to `node`. */

Original file line number	Diff line number	Diff line change
`@@ -1457,7 +1457,8 @@ module Make<RegexTreeViewSig TreeImpl> {`
`1457`	`1457`	`result = getChar(ancestor) and`
`1458`	`1458`	`ancestor = getAnAncestor(n) and`
`1459`	`1459`	`i = nodeDepth(ancestor)`
`1460`		`- )`
	`1460`	`+ ) and`
	`1461`	`+ nodeDepth(n) < 100`
`1461`	`1462`	`}`
`1462`	`1463`
`1463`	`1464`	/** Gets a string corresponding to `node`. */