Merge pull request #13164 from erik-krogh/polyQhelp

erik-krogh · web-flow · commit 50cb5ea184dc · 2023-05-23T09:25:15.000+02:00
ReDoS: add another example to the qhelp in poly-redos, showing how to just limit the length of the input
diff --git a/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.qhelp b/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.qhelp
@@ -15,8 +15,7 @@
 		</p>
 
 		<sample language="java">
-			Pattern.compile("^\\s+|\\s+$").matcher(text).replaceAll("") // BAD
-		</sample>
+Pattern.compile("^\\s+|\\s+$").matcher(text).replaceAll("") // BAD</sample>
 
 		<p>
 
@@ -71,8 +70,7 @@
 		</p>
 
 		<sample language="java">
-			"^0\\.\\d+E?\\d+$"" 
-		</sample>
+"^0\\.\\d+E?\\d+$"" </sample>
 
 		<p>
 
@@ -103,6 +101,33 @@
 
 	</example>
 
+    <example>
+        <p>
+            Sometimes it is unclear how a regular expression can be rewritten to
+            avoid the problem. In such cases, it often suffices to limit the
+            length of the input string. For instance, the following 
+            regular expression is used to match numbers, and on some non-number 
+            inputs it can have quadratic time complexity:
+        </p>
+
+        <sample language="java">
+Pattern.matches("^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$", str); </sample>
+
+        <p>
+            It is not immediately obvious how to rewrite this regular expression 
+            to avoid the problem. However, you can mitigate performance issues by limiting the length
+            to 1000 characters, which will always finish in a reasonable amount
+            of time.
+        </p>
+
+        <sample language="java">
+if (str.length() &gt; 1000) {
+    throw new IllegalArgumentException("Input too long");
+}
+
+Pattern.matches("^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$", str); </sample>
+    </example>
+
 	<include src="ReDoSReferences.inc.qhelp"/>
 
 </qhelp>
diff --git a/javascript/ql/src/Performance/PolynomialReDoS.qhelp b/javascript/ql/src/Performance/PolynomialReDoS.qhelp
@@ -15,8 +15,7 @@
 		</p>
 
 		<sample language="javascript">
-			text.replace(/^\s+|\s+$/g, ''); // BAD
-		</sample>
+text.replace(/^\s+|\s+$/g, ''); // BAD</sample>
 
 		<p>
 
@@ -71,8 +70,7 @@
 		</p>
 
 		<sample language="javascript">
-			/^0\.\d+E?\d+$/.test(str) // BAD
-		</sample>
+/^0\.\d+E?\d+$/.test(str) // BAD</sample>
 
 		<p>
 
@@ -103,6 +101,33 @@
 
 	</example>
 
+    <example>
+        <p>
+            Sometimes it is unclear how a regular expression can be rewritten to
+            avoid the problem. In such cases, it often suffices to limit the
+            length of the input string. For instance, the following 
+            regular expression is used to match numbers, and on some non-number 
+            inputs it can have quadratic time complexity:
+        </p>
+
+        <sample language="javascript">
+/^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/.test(str) // BAD</sample>
+
+        <p>
+            It is not immediately obvious how to rewrite this regular expression 
+            to avoid the problem. However, you can mitigate performance issues by limiting the length
+            to 1000 characters, which will always finish in a reasonable amount
+            of time.
+        </p>
+
+        <sample language="javascript">
+if (str.length &gt; 1000) {
+    throw new Error("Input too long");
+}
+
+/^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/.test(str)</sample>
+    </example>
+
 	<include src="ReDoSReferences.inc.qhelp"/>
 
 </qhelp>
diff --git a/python/ql/src/Security/CWE-730/PolynomialReDoS.qhelp b/python/ql/src/Security/CWE-730/PolynomialReDoS.qhelp
@@ -15,8 +15,7 @@
 		</p>
 
 		<sample language="python">
-			re.sub(r"^\s+|\s+$", "", text) # BAD
-		</sample>
+re.sub(r"^\s+|\s+$", "", text) # BAD</sample>
 
 		<p>
 
@@ -71,8 +70,7 @@
 		</p>
 
 		<sample language="python">
-			^0\.\d+E?\d+$ # BAD
-		</sample>
+^0\.\d+E?\d+$ # BAD</sample>
 
 		<p>
 
@@ -103,6 +101,32 @@
 
 	</example>
 
+    <example>
+        <p>
+            Sometimes it is unclear how a regular expression can be rewritten to
+            avoid the problem. In such cases, it often suffices to limit the
+            length of the input string. For instance, the following 
+            regular expression is used to match numbers, and on some non-number 
+            inputs it can have quadratic time complexity:
+        </p>
+
+        <sample language="python">
+match = re.search(r'^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$', str) </sample>
+
+        <p>
+            It is not immediately obvious how to rewrite this regular expression 
+            to avoid the problem. However, you can mitigate performance issues by limiting the length
+            to 1000 characters, which will always finish in a reasonable amount
+            of time.
+        </p>
+
+        <sample language="python">
+if len(str) &gt; 1000:
+    raise ValueError("Input too long")
+
+match = re.search(r'^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$', str) </sample>
+    </example>
+
 	<include src="ReDoSReferences.inc.qhelp"/>
 
 </qhelp>
diff --git a/ruby/ql/src/queries/security/cwe-1333/PolynomialReDoS.qhelp b/ruby/ql/src/queries/security/cwe-1333/PolynomialReDoS.qhelp
@@ -15,8 +15,7 @@
 		</p>
 
 		<sample language="ruby">
-			text.gsub!(/^\s+|\s+$/, '') # BAD
-		</sample>
+text.gsub!(/^\s+|\s+$/, '') # BAD</sample>
 
 		<p>
 
@@ -74,8 +73,7 @@
 		</p>
 
 		<sample language="ruby">
-			/^0\.\d+E?\d+$/ # BAD
-		</sample>
+/^0\.\d+E?\d+$/ # BAD</sample>
 
 		<p>
 
@@ -108,6 +106,33 @@
 
 	</example>
 
+    <example>
+        <p>
+            Sometimes it is unclear how a regular expression can be rewritten to
+            avoid the problem. In such cases, it often suffices to limit the
+            length of the input string. For instance, the following 
+            regular expression is used to match numbers, and on some non-number 
+            inputs it can have quadratic time complexity:
+        </p>
+
+        <sample language="ruby">
+is_matching = /^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/.match?(str)</sample>
+
+        <p>
+            It is not immediately obvious how to rewrite this regular expression 
+            to avoid the problem. However, you can mitigate performance issues by limiting the length
+            to 1000 characters, which will always finish in a reasonable amount
+            of time.
+        </p>
+
+        <sample language="ruby">
+if str.length &gt; 1000
+    raise ArgumentError, "Input too long"
+end
+
+is_matching = /^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/.match?(str)</sample>
+    </example>
+
 	<include src="ReDoSReferences.inc.qhelp"/>
 
 </qhelp>
