
JS/Python: Fix FP in redos related to empty lookaheads #6288

Merged
erik-krogh merged 7 commits into github:main from erik-krogh:emptyRedos
Aug 16, 2021

erik-krogh commented Jul 14, 2021

Fixes #5964


Lookaheads/lookbehinds that match the empty string will always match, and they are thus pretty much useless and unnecessary.
However, I've now seen multiple regular expressions that have empty lookaheads.

The ReDoS query assumed that a lookahead had a rejecting suffix, but that assumption breaks with lookaheads that match the empty string.

This PR fixes that by adding an epsilon transition across lookaheads/lookbehinds that match the empty string.


JavaScript evaluation looks fine
Python evaluation looks fine

I don't think this needs a change-note.

erik-krogh added the no-change-note-required label (This PR does not need a change note) Jul 14, 2021
erik-krogh marked this pull request as ready for review July 15, 2021 10:45
erik-krogh requested review from a team as code owners July 15, 2021 10:45
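
An added illustration of the PR description above (not code from this PR or from CodeQL): a toy backtracking matcher, anchored at index 0, that counts character comparisons for `(x*)+` followed by an empty lookahead, by a lookahead with an empty alternative, and by the `(?=$)` lookahead raised in review. The combinators, `run`, `measure`, `patterns` and the input are all constructed for this example.

```javascript
// Toy backtracking matcher, constructed for illustration; it is not CodeQL's
// NFA and not a real engine. Matchers take (input, index, continuation).
let steps = 0; // number of character comparisons performed

const chr = c => (s, i, k) => { steps++; return s[i] === c && k(i + 1); };
const empty = (s, i, k) => k(i);                      // matches "" anywhere
const end = (s, i, k) => i === s.length && k(i);      // the `$` anchor
const seq = (a, b) => (s, i, k) => a(s, i, j => b(s, j, k));
const alt = (a, b) => (s, i, k) => a(s, i, k) || b(s, i, k);
// Greedy `p*`; each iteration must consume input, as real engines require.
const star = p => function self(s, i, k) {
  return p(s, i, j => j > i && self(s, j, k)) || k(i);
};
const plus = p => seq(p, star(p));                    // `p+`
// `(?=p)`: p must match at i, nothing is consumed, then continue at i.
const lookahead = p => (s, i, k) => p(s, i, () => true) && k(i);

// Run `pattern` anchored at index 0 and report the work done.
function run(pattern, input) {
  steps = 0;
  const matched = Boolean(pattern(input, 0, () => true));
  return { matched, steps };
}

const loop = plus(star(chr('x')));                    // (x*)+
const patterns = {
  emptyLookahead: seq(loop, lookahead(empty)),                   // (x*)+(?=)
  emptyAlternative: seq(loop, lookahead(alt(empty, chr('y')))),  // (x*)+(?=|y)
  anchorLookahead: seq(loop, lookahead(end)),                    // (x*)+(?=$)
};

// Constructed input: n copies of "x", then a character that `x` never matches.
function measure(name, n) {
  return run(patterns[name], 'x'.repeat(n) + '!');
}

for (const name of Object.keys(patterns)) {
  const counts = [8, 12, 16].map(n => measure(name, n).steps);
  console.log(name.padEnd(18), counts.join(' / '));
}
```

The two lookaheads that can match the empty string never reject, so the work grows linearly with the input; only the anchor lookahead can fail after the loop and force the matcher through every way of splitting the run of `x`.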

asgerf commented Jul 16, 2021

LGTM

I think it would be worth adding some test cases with a lookahead that just checks for an anchor, without an alternative that is also empty. That's one of the main cases where matchesEpsilon differs from RegExpTerm.isNullable.

/(x*)+(?=$)/
/(x*)+(?=$|y)/
/([\s\S]*)+(?=$)/
/([\s\S]*)+(?=$|y)/

Comment on lines +376 to +377
var bad91 = /([\s\S]*)+(?=$)/
var bad92 = /([\s\S]*)+(?=$|y)/ No newline at end of file
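
Review bot: `bad91` and `bad92` on lines +376 to +377 are named as vulnerable cases, but `[\s\S]*` accepts every character, so the loop can always run to the end of the input where `$` holds and neither lookahead can reject. Mark these two as good so the test records the real expectation. The file also ends without a trailing newline; add one.
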
Contributor

I believe the last two ones should be marked as good? I'm not asking for the query to handle them, just that the test is accurate.

Contributor Author

You're right. I was a little fast there.

@erik-krogh
Contributor Author

ping @asgerf, @yoff
Can I get a review?

asgerf previously approved these changes Aug 12, 2021

yoff left a comment

Just one thing to address. I also wonder if matchesEpsilon would be nicer as a member predicate on RegExpTerm, but I will not insist on that for this PR.

Co-authored-by: yoff <lerchedahl@gmail.com>

yoff left a comment

LGTM

erik-krogh merged commit 4695923 into github:main Aug 16, 2021
Labels: JS, no-change-note-required (This PR does not need a change note), Python

Development

Successfully merging this pull request may close these issues.

LGTM.com - false positive javascript/ql/src/Performance/ReDoS.ql
