add really long regex as a test-case

Author: erik-krogh

ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected

@@ -40,6 +40,9 @@ edges
 | PolynomialReDoS.rb:70:12:70:24 | ...[...] | PolynomialReDoS.rb:70:5:70:8 | name |
 | PolynomialReDoS.rb:73:32:73:35 | name | PolynomialReDoS.rb:76:35:76:39 | input |
 | PolynomialReDoS.rb:76:35:76:39 | input | PolynomialReDoS.rb:77:5:77:9 | input |
+| PolynomialReDoS.rb:103:5:103:8 | name | PolynomialReDoS.rb:105:5:105:8 | name |
+| PolynomialReDoS.rb:103:12:103:17 | call to params | PolynomialReDoS.rb:103:12:103:24 | ...[...] |
+| PolynomialReDoS.rb:103:12:103:24 | ...[...] | PolynomialReDoS.rb:103:5:103:8 | name |
 | lib/index.rb:2:11:2:11 | x | lib/index.rb:4:13:4:13 | x |
 | lib/index.rb:8:13:8:13 | x | lib/index.rb:9:15:9:15 | x |
 | lib/index.rb:8:13:8:13 | x | lib/index.rb:11:16:11:16 | x |
@@ -91,6 +94,10 @@ nodes
 | PolynomialReDoS.rb:73:32:73:35 | name | semmle.label | name |
 | PolynomialReDoS.rb:76:35:76:39 | input | semmle.label | input |
 | PolynomialReDoS.rb:77:5:77:9 | input | semmle.label | input |
+| PolynomialReDoS.rb:103:5:103:8 | name | semmle.label | name |
+| PolynomialReDoS.rb:103:12:103:17 | call to params | semmle.label | call to params |
+| PolynomialReDoS.rb:103:12:103:24 | ...[...] | semmle.label | ...[...] |
+| PolynomialReDoS.rb:105:5:105:8 | name | semmle.label | name |
 | lib/index.rb:2:11:2:11 | x | semmle.label | x |
 | lib/index.rb:4:13:4:13 | x | semmle.label | x |
 | lib/index.rb:8:13:8:13 | x | semmle.label | x |
@@ -121,6 +128,8 @@ subpaths
 | PolynomialReDoS.rb:62:5:62:22 | call to gsub | PolynomialReDoS.rb:54:12:54:17 | call to params | PolynomialReDoS.rb:62:5:62:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:56:31:56:33 | \\s+ | regular expression | PolynomialReDoS.rb:54:12:54:17 | call to params | user-provided value |
 | PolynomialReDoS.rb:66:5:66:34 | call to match? | PolynomialReDoS.rb:54:12:54:17 | call to params | PolynomialReDoS.rb:66:5:66:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:58:30:58:32 | \\s+ | regular expression | PolynomialReDoS.rb:54:12:54:17 | call to params | user-provided value |
 | PolynomialReDoS.rb:77:5:77:22 | call to gsub | PolynomialReDoS.rb:70:12:70:17 | call to params | PolynomialReDoS.rb:77:5:77:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:72:28:72:30 | \\s+ | regular expression | PolynomialReDoS.rb:70:12:70:17 | call to params | user-provided value |
+| PolynomialReDoS.rb:105:5:105:23 | ... =~ ... | PolynomialReDoS.rb:103:12:103:17 | call to params | PolynomialReDoS.rb:105:5:105:8 | name | This $@ that depends on a $@ may run slow on strings starting with '''' and with many repetitions of ' '. | PolynomialReDoS.rb:100:397:100:399 | \\s* | regular expression | PolynomialReDoS.rb:103:12:103:17 | call to params | user-provided value |
+| PolynomialReDoS.rb:105:5:105:23 | ... =~ ... | PolynomialReDoS.rb:103:12:103:17 | call to params | PolynomialReDoS.rb:105:5:105:8 | name | This $@ that depends on a $@ may run slow on strings starting with '''' and with many repetitions of ' '. | PolynomialReDoS.rb:100:405:100:407 | \\s* | regular expression | PolynomialReDoS.rb:103:12:103:17 | call to params | user-provided value |
 | lib/index.rb:4:13:4:26 | call to match | lib/index.rb:2:11:2:11 | x | lib/index.rb:4:13:4:13 | x | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | lib/index.rb:4:22:4:23 | a+ | regular expression | lib/index.rb:2:11:2:11 | x | library input |
 | lib/index.rb:9:15:9:28 | call to match | lib/index.rb:8:13:8:13 | x | lib/index.rb:9:15:9:15 | x | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | lib/index.rb:9:24:9:25 | a+ | regular expression | lib/index.rb:8:13:8:13 | x | library input |
 | lib/index.rb:11:16:11:276 | call to match | lib/index.rb:8:13:8:13 | x | lib/index.rb:11:16:11:16 | x | This $@ that depends on a $@ may run slow on strings starting with 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC' and with many repetitions of 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC'. | lib/index.rb:11:271:11:272 | .* | regular expression | lib/index.rb:8:13:8:13 | x | library input |

ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.rb

@@ -76,4 +76,32 @@ def re_compile_indirect
   def re_compile_indirect_2 (reg, input)
     input.gsub reg, '' # NOT GOOD
   end
+
+  # See https://github.com/dependabot/dependabot-core/blob/37dc1767fde9b7184020763f4d0c1434f93d11d6/python/lib/dependabot/python/requirement_parser.rb#L6-L25
+  NAME = /[a-zA-Z0-9](?:[a-zA-Z0-9\-_\.]*[a-zA-Z0-9])?/
+  EXTRA = /[a-zA-Z0-9\-_\.]+/
+  COMPARISON = /===|==|>=|<=|<|>|~=|!=/
+  VERSION = /([1-9][0-9]*!)?[0-9]+[a-zA-Z0-9\-_.*]*(\+[0-9a-zA-Z]+(\.[0-9a-zA-Z]+)*)?/
+
+  REQUIREMENT = /(?<comparison>#{COMPARISON})\s*\\?\s*(?<version>#{VERSION})/
+  HASH = /--hash=(?<algorithm>.*?):(?<hash>.*?)(?=\s|\\|$)/
+  REQUIREMENTS = /#{REQUIREMENT}(\s*,\s*\\?\s*#{REQUIREMENT})*/
+  HASHES = /#{HASH}(\s*\\?\s*#{HASH})*/
+  MARKER_OP = /\s*(#{COMPARISON}|(\s*in)|(\s*not\s*in))/
+  PYTHON_STR_C = %r{[a-zA-Z0-9\s\(\)\.\{\}\-_\*#:;/\?\[\]!~`@\$%\^&=\+\|<>]}
+  PYTHON_STR = /('(#{PYTHON_STR_C}|")*'|"(#{PYTHON_STR_C}|')*")/
+  ENV_VAR =
+      /python_version|python_full_version|os_name|sys_platform|
+      platform_release|platform_system|platform_version|platform_machine|
+      platform_python_implementation|implementation_name|
+      implementation_version/
+  MARKER_VAR = /\s*(#{ENV_VAR}|#{PYTHON_STR})/
+  MARKER_EXPR_ONE = /#{MARKER_VAR}#{MARKER_OP}#{MARKER_VAR}/
+  MARKER_EXPR = /(#{MARKER_EXPR_ONE}|\(\s*|\s*\)|\s+and\s+|\s+or\s+)+/
+
+  def use_marker_expr 
+    name = params[:name] # source
+
+    name =~ MARKER_EXPR 
+  end  
 end