try to restrict the edges we follow (related to upper/lower-case) when contructing possible attack-strings for polynomial-redos

erik-krogh · erik-krogh · commit e74e5b3613e7 · 2024-02-22T13:15:17.000+01:00
diff --git a/shared/regex/codeql/regex/nfa/SuperlinearBackTracking.qll b/shared/regex/codeql/regex/nfa/SuperlinearBackTracking.qll
@@ -365,11 +365,19 @@ module Make<RegexTreeViewSig TreeImpl> {
       )
     }
 
-    string getChar(CharNode t) {
+    private string getCharInternal(CharNode t) {
       exists(InputSymbol s1, InputSymbol s2, InputSymbol s3 | t = Step(s1, s2, s3, _) |
         result = getAThreewayIntersect(s1, s2, s3)
       )
     }
+
+    string getChar(CharNode t) {
+      result = getCharInternal(t) and
+      not (
+        // skip the upper-case char if we have the lower-case version.
+        result.toLowerCase() != result and result.toLowerCase() = getCharInternal(t)
+      )
+    }
   }
 
   /**

Original file line number	Diff line number	Diff line change
`@@ -365,11 +365,19 @@ module Make<RegexTreeViewSig TreeImpl> {`
`365`	`365`	`)`
`366`	`366`	`}`
`367`	`367`
`368`		`- string getChar(CharNode t) {`
	`368`	`+ private string getCharInternal(CharNode t) {`
`369`	`369`	`exists(InputSymbol s1, InputSymbol s2, InputSymbol s3 \| t = Step(s1, s2, s3, _) \|`
`370`	`370`	`result = getAThreewayIntersect(s1, s2, s3)`
`371`	`371`	`)`
`372`	`372`	`}`
	`373`	`+`
	`374`	`+ string getChar(CharNode t) {`
	`375`	`+ result = getCharInternal(t) and`
	`376`	`+ not (`
	`377`	`+ // skip the upper-case char if we have the lower-case version.`
	`378`	`+ result.toLowerCase() != result and result.toLowerCase() = getCharInternal(t)`
	`379`	`+ )`
	`380`	`+ }`
`373`	`381`	`}`
`374`	`382`
`375`	`383`	`/**`