detect redos between charclass and inverted charclass

Author: erik-krogh

javascript/ql/src/Performance/ReDoS.ql

@@ -443,6 +443,57 @@ predicate charClassMatchesChar(RegExpCharacterClass cc, string char) {
   )
 }
 
+/**
+ * Gets the minimum char that is matched by both the positive char class `c` and the
+ * negative char class `d`.
+ */
+pragma[noinline]
+private string getMinOverlapBetweenCharacterClasses(CharClass c, InvertedCharClass d) {
+  result = min(getAOverlapBetweenCharacterClasses(c, d))
+}
+
+/**
+ * Gets a char that is mentioned in the character class `c`.
+ */
+private string getAMentionedChar(RegExpCharacterClass c) {
+  exists(RegExpTerm child | child = c.getAChild() |
+    result = child.(RegExpConstant).getValue()
+    or
+    child.(RegExpCharacterRange).isRange(result, _)
+    or
+    child.(RegExpCharacterRange).isRange(_, result)
+  )
+}
+
+/**
+ * Gets a char that is relevant for ReDoS analysis of `symbol`.
+ * The result is either mentioned in the character class `symbol`,
+ * or, if `symbol` is an inverted character class, then the result is the next/previous charcode.
+ */
+pragma[noinline]
+private string getARelevantCharClassChar(TInputSymbol symbol) {
+  exists(RegExpCharacterClass cc | symbol = CharClass(cc) | result = getAMentionedChar(cc))
+  or
+  exists(RegExpCharacterClass cc | symbol = InvertedCharClass(cc) |
+    result = nextChar(getAMentionedChar(cc)) or
+    nextChar(result) = getAMentionedChar(cc)
+  )
+}
+
+/**
+ * Gets a char that is matched by both the positive char class `c` and the
+ * negative char class `d`.
+ */
+private string getAOverlapBetweenCharacterClasses(CharClass c, InvertedCharClass d) {
+  result = [getARelevantCharClassChar(c), getARelevantCharClassChar(d)] and
+  exists(RegExpCharacterClass negClass, RegExpCharacterClass posClass |
+    c = CharClass(posClass) and
+    d = InvertedCharClass(negClass) and
+    charClassMatchesChar(posClass, result) and
+    not charClassMatchesChar(negClass, result)
+  )
+}
+
 /**
  * Gets a character that is represented by both `c` and `d`.
  */
@@ -463,6 +514,8 @@ string intersect(InputSymbol c, InputSymbol d) {
     d = Any()
   )
   or
+  result = getMinOverlapBetweenCharacterClasses(c, d)
+  or
   exists(RegExpCharacterClass cc | c = InvertedCharClass(cc) and result = chooseFromInverted(cc) |
     d = InvertedCharClass(cc)
     or

javascript/ql/test/query-tests/Performance/ReDoS/ReDoS.expected

@@ -33,6 +33,7 @@
 | regexplib/uri.js:3:128:3:129 | .* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '/'. |
 | regexplib/uri.js:38:35:38:40 | [a-z]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
 | regexplib/uri.js:55:35:55:40 | [a-z]+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
+| regexplib/uri.js:63:393:63:429 | [a-zA-Z0-9\\.\\,\\?\\'\\\\/\\+&%\\$#\\=~_\\-@]* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '/#'. |
 | tst.js:4:18:4:32 | (?:__\|[\\s\\S])+? | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '__'. |
 | tst.js:4:42:4:58 | (?:\\*\\*\|[\\s\\S])+? | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '**'. |
 | tst.js:14:14:14:15 | .* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of ','. |
@@ -56,6 +57,10 @@
 | tst.js:83:14:83:20 | (.\|\\n)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\n'. |
 | tst.js:89:25:89:32 | (a\|aa?)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
 | tst.js:95:15:95:25 | ([^]\|[^a])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'b'. |
+| tst.js:98:15:98:20 | [^"']+ | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '('. |
 | tst.js:101:15:101:23 | (.\|[^a])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'b'. |
 | tst.js:107:15:107:23 | (b\|[^a])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'b'. |
 | tst.js:110:15:110:23 | (G\|[^a])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'G'. |
+| tst.js:113:15:113:27 | ([0-9]\|[^a])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '0'. |
+| tst.js:116:60:116:104 | (?:\\\\[\\x00-\\x7f]\|[^\\x00-\\x08\\x0a-\\x1f\\x7f"])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\\\!'. |
+| tst.js:119:16:119:60 | (?:\\\\[\\x00-\\x7f]\|[^\\x00-\\x08\\x0a-\\x1f\\x7f"])* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '\\\\!'. |

javascript/ql/test/query-tests/Performance/ReDoS/tst.js

@@ -94,7 +94,7 @@ var good9 = '(a|aa?)*b';
 // NOT GOOD
 var bad18 = /(([^]|[^a])*)"/;
 
-// NOT GOOD - but not flagged
+// NOT GOOD
 var bad19 = /([^"']+)*/g;
 
 // NOT GOOD
@@ -108,3 +108,15 @@ var bad21 = /((b|[^a])*)"/;
 
 // NOT GOOD
 var bad22 = /((G|[^a])*)"/;
+
+// NOT GOOD
+var bad23 = /(([0-9]|[^a])*)"/;
+
+// NOT GOOD
+var bad24 = /(?:=(?:([!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z]+)|"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"))?/;
+
+// NOT GOOD
+var bad25 = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"/;
+
+// GOOD
+var bad26 = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"/;