Python: implement for polynomial redos

Author: asgerf

python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSCustomizations.qll

@@ -35,6 +35,11 @@ module PolynomialReDoS {
     /** Gets the regex that is being executed by this node. */
     abstract RegExpTerm getRegExp();
 
+    /** Gets a term within the regexp that may perform polynomial back-tracking. */
+    final PolynomialBackTrackingTerm getABacktrackingTerm() {
+      result.getRootTerm() = this.getRegExp()
+    }
+
     /**
      * Gets the node to highlight in the alert message.
      */

python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll

@@ -18,11 +18,12 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() {
-    // TODO(diff-informed): Manually verify if config can be diff-informed.
-    // ql/src/Security/CWE-730/PolynomialReDoS.ql:31: Column 1 selects sink.getHighlight
-    // ql/src/Security/CWE-730/PolynomialReDoS.ql:33: Column 5 does not select a source or sink originating from the flow call on line 24
-    none()
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.(Sink).getHighlight().getLocation()
+    or
+    result = sink.(Sink).getABacktrackingTerm().getLocation()
   }
 }
 

python/ql/src/Security/CWE-730/PolynomialReDoS.ql

@@ -23,7 +23,7 @@ from
 where
   PolynomialReDoSFlow::flowPath(source, sink) and
   sinkNode = sink.getNode() and
-  regexp.getRootTerm() = sinkNode.getRegExp()
+  regexp = sinkNode.getABacktrackingTerm()
 //   not (
 //     source.getNode().(Source).getKind() = "url" and
 //     regexp.isAtEndLine()