Merge pull request github#13975 from yoff/python/parsemodechars-not-chars

yoff · web-flow · commit ae4c76c78844 · 2023-08-29T14:05:57.000+02:00
diff --git a/python/ql/lib/semmle/python/regexp/internal/ParseRegExp.qll b/python/ql/lib/semmle/python/regexp/internal/ParseRegExp.qll
@@ -683,24 +683,43 @@ class RegExp extends Expr instanceof StrConst {
    * Holds if a parse mode starts between `start` and `end`.
    */
   private predicate flag_group_start(int start, int end) {
+    this.flag_group_start_no_modes(start, _) and
+    end = max(int i | this.mode_character(start, i) | i + 1)
+  }
+
+  /**
+   * Holds if the initial part of a parse mode, not containing any
+   * mode characters is between `start` and `end`.
+   */
+  private predicate flag_group_start_no_modes(int start, int end) {
     this.isGroupStart(start) and
     this.getChar(start + 1) = "?" and
     this.getChar(start + 2) in ["i", "L", "m", "s", "u", "x"] and
     end = start + 2
   }
 
   /**
-   * Holds if a parse mode group is between `start` and `end`, and includes the
-   * mode flag `c`. For example the following span, with mode flag `i`:
+   * Holds if `pos` contains a mo character from the
+   * flag group starting at `start`.
+   */
+  private predicate mode_character(int start, int pos) {
+    this.flag_group_start_no_modes(start, pos)
+    or
+    this.mode_character(start, pos - 1) and
+    this.getChar(pos) in ["i", "L", "m", "s", "u", "x"]
+  }
+
+  /**
+   * Holds if a parse mode group includes the mode flag `c`.
+   * For example the following parse mode group, with mode flag `i`:
    * ```
    * (?i)
    * ```
    */
-  private predicate flag_group(int start, int end, string c) {
-    exists(int inStart, int inEnd |
-      this.flag_group_start(start, inStart) and
-      this.groupContents(start, end, inStart, inEnd) and
-      this.getChar([inStart .. inEnd - 1]) = c
+  private predicate flag(string c) {
+    exists(int pos |
+      this.mode_character(_, pos) and
+      this.getChar(pos) = c
     )
   }
 
@@ -709,7 +728,7 @@ class RegExp extends Expr instanceof StrConst {
    * it is defined by a prefix.
    */
   string getModeFromPrefix() {
-    exists(string c | this.flag_group(_, _, c) |
+    exists(string c | this.flag(c) |
       c = "i" and result = "IGNORECASE"
       or
       c = "L" and result = "LOCALE"
diff --git a/python/ql/test/library-tests/regex/Characters.expected b/python/ql/test/library-tests/regex/Characters.expected
@@ -36,7 +36,6 @@
 | (?:[^%]\|^)?%\\((\\w*)\\)[a-z] | 22 | 23 |
 | (?:[^%]\|^)?%\\((\\w*)\\)[a-z] | 24 | 25 |
 | (?P<name>[\\w]+)\| | 10 | 12 |
-| (?m)^(?!$) | 2 | 3 |
 | (?m)^(?!$) | 4 | 5 |
 | (?m)^(?!$) | 8 | 9 |
 | (\\033\|~{) | 1 | 5 |
diff --git a/python/ql/test/library-tests/regex/FirstLast.expected b/python/ql/test/library-tests/regex/FirstLast.expected
@@ -22,7 +22,8 @@
 | (?P<name>[\\w]+)\| | first | 9 | 14 |
 | (?P<name>[\\w]+)\| | last | 9 | 13 |
 | (?P<name>[\\w]+)\| | last | 9 | 14 |
-| (?m)^(?!$) | first | 2 | 3 |
+| (?m)^(?!$) | first | 4 | 5 |
+| (?m)^(?!$) | first | 8 | 9 |
 | (?m)^(?!$) | last | 4 | 5 |
 | (?m)^(?!$) | last | 8 | 9 |
 | (\\033\|~{) | first | 1 | 5 |
diff --git a/python/ql/test/library-tests/regex/GroupContents.expected b/python/ql/test/library-tests/regex/GroupContents.expected
@@ -8,7 +8,6 @@
 | (?:[^%]\|^)?%\\((\\w*)\\)[a-z] | 0 | 10 | (?:[^%]\|^) | 3 | 9 | [^%]\|^ |
 | (?:[^%]\|^)?%\\((\\w*)\\)[a-z] | 14 | 19 | (\\w*) | 15 | 18 | \\w* |
 | (?P<name>[\\w]+)\| | 0 | 15 | (?P<name>[\\w]+) | 9 | 14 | [\\w]+ |
-| (?m)^(?!$) | 0 | 4 | (?m) | 2 | 3 | m |
 | (?m)^(?!$) | 5 | 10 | (?!$) | 8 | 9 | $ |
 | (\\033\|~{) | 0 | 9 | (\\033\|~{) | 1 | 8 | \\033\|~{ |
 | \\[(?P<txt>[^[]*)\\]\\((?P<uri>[^)]*) | 2 | 16 | (?P<txt>[^[]*) | 10 | 15 | [^[]* |
diff --git a/python/ql/test/library-tests/regex/Regex.expected b/python/ql/test/library-tests/regex/Regex.expected
@@ -77,11 +77,9 @@
 | (?P<name>[\\w]+)\| | sequence | 0 | 15 |
 | (?m)^(?!$) | $ | 8 | 9 |
 | (?m)^(?!$) | ^ | 4 | 5 |
-| (?m)^(?!$) | char | 2 | 3 |
+| (?m)^(?!$) | empty group | 0 | 4 |
 | (?m)^(?!$) | empty group | 5 | 10 |
-| (?m)^(?!$) | non-empty group | 0 | 4 |
 | (?m)^(?!$) | sequence | 0 | 10 |
-| (?m)^(?!$) | sequence | 2 | 3 |
 | (?m)^(?!$) | sequence | 8 | 9 |
 | (\\033\|~{) | char | 1 | 5 |
 | (\\033\|~{) | char | 6 | 7 |
diff --git a/python/ql/test/query-tests/Security/CWE-116-BadTagFilter/BadTagFilter.expected b/python/ql/test/query-tests/Security/CWE-116-BadTagFilter/BadTagFilter.expected
@@ -1,6 +1,7 @@
 | tst.py:4:20:4:43 | <script.*?>.*?<\\/script> | This regular expression does not match script end tags like </script >. |
 | tst.py:5:20:5:43 | <script.*?>.*?<\\/script> | This regular expression does not match script end tags like </script >. |
 | tst.py:9:20:9:30 | <!--.*--!?> | This regular expression does not match comments containing newlines. |
+| tst.py:11:20:11:34 | (?i)<!--.*--!?> | This regular expression does not match comments containing newlines. |
 | tst.py:12:20:12:53 | <script.*?>(.\|\\s)*?<\\/script[^>]*> | This regular expression matches <script></script>, but not <script \\n></script> |
 | tst.py:13:20:13:51 | <script[^>]*?>.*?<\\/script[^>]*> | This regular expression matches <script>...</script>, but not <script >...\\n</script> |
 | tst.py:14:20:14:58 | <script(\\s\|\\w\|=\|")*?>.*?<\\/script[^>]*> | This regular expression does not match script tags where the attribute uses single-quotes. |
diff --git a/python/ql/test/query-tests/Security/CWE-730-ReDoS/ReDoS.expected b/python/ql/test/query-tests/Security/CWE-730-ReDoS/ReDoS.expected
@@ -7,7 +7,7 @@
 | redos.py:21:57:21:76 | (?:[^'\\\\]\|\\\\\\\\\|\\\\.)+ | This part of the regular expression may cause exponential backtracking on strings starting with '\\t'' and containing many repetitions of '\\\\\\\\'. |
 | redos.py:21:81:21:100 | (?:[^)\\\\]\|\\\\\\\\\|\\\\.)+ | This part of the regular expression may cause exponential backtracking on strings starting with '\\t(' and containing many repetitions of '\\\\\\\\'. |
 | redos.py:33:64:33:65 | .* | This part of the regular expression may cause exponential backtracking on strings starting with '!\|\\n-\|\\n' and containing many repetitions of '\|\|\\n'. |
-| redos.py:38:33:38:42 | (\\\\\\/\|.)*? | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\\\/'. |
+| redos.py:38:33:38:42 | (\\\\\\/\|.)*? | This part of the regular expression may cause exponential backtracking on strings starting with '/' and containing many repetitions of '\\\\/'. |
 | redos.py:43:37:43:38 | .* | This part of the regular expression may cause exponential backtracking on strings starting with '#' and containing many repetitions of '#'. |
 | redos.py:49:41:49:43 | .*? | This part of the regular expression may cause exponential backtracking on strings starting with '"' and containing many repetitions of '""'. |
 | redos.py:49:47:49:49 | .*? | This part of the regular expression may cause exponential backtracking on strings starting with ''' and containing many repetitions of ''''. |
@@ -105,5 +105,6 @@
 | redos.py:391:15:391:25 | (\\u0061\|a)* | This part of the regular expression may cause exponential backtracking on strings starting with 'X' and containing many repetitions of 'a'. |
 | unittests.py:5:17:5:23 | (\u00c6\|\\\u00c6)+ | This part of the regular expression may cause exponential backtracking on strings starting with 'X' and containing many repetitions of '\\u00c6'. |
 | unittests.py:9:16:9:24 | (?:.\|\\n)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\n'. |
-| unittests.py:11:20:11:28 | (?:.\|\\n)* | This part of the regular expression may cause exponential backtracking on strings starting with 's' and containing many repetitions of '\\n'. |
-| unittests.py:12:21:12:29 | (?:.\|\\n)* | This part of the regular expression may cause exponential backtracking on strings starting with 'is' and containing many repetitions of '\\n'. |
+| unittests.py:11:20:11:28 | (?:.\|\\n)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\n'. |
+| unittests.py:12:21:12:29 | (?:.\|\\n)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\n'. |
+| unittests.py:13:22:13:30 | (?:.\|\\n)* | This part of the regular expression may cause exponential backtracking on strings starting with 'x' and containing many repetitions of '\\n'. |
diff --git a/python/ql/test/query-tests/Security/CWE-730-ReDoS/unittests.py b/python/ql/test/query-tests/Security/CWE-730-ReDoS/unittests.py
@@ -10,3 +10,4 @@
 re.compile(r'(?i)(?:.|\n)*b') # No ReDoS.
 re.compile(r'(?s)(?:.|\n)*b') # Has ReDoS.
 re.compile(r'(?is)(?:.|\n)*b') # Has ReDoS.
+re.compile(r'(?is)X(?:.|\n)*Y') # Has ReDoS.
diff --git a/shared/regex/codeql/regex/nfa/NfaUtils.qll b/shared/regex/codeql/regex/nfa/NfaUtils.qll
@@ -760,6 +760,12 @@ module Make<RegexTreeViewSig TreeImpl> {
     or
     exists(RegExpGroup grp | lbl = Epsilon() | q1 = before(grp) and q2 = before(grp.getChild(0)))
     or
+    exists(RegExpGroup grp | lbl = Epsilon() |
+      not exists(grp.getAChild()) and
+      q1 = before(grp) and
+      q2 = before(grp.getSuccessor())
+    )
+    or
     exists(EffectivelyStar star | lbl = Epsilon() |
       q1 = before(star) and q2 = before(star.getChild(0))
       or
