Ruby/Python: parse anchors in regexes as special characters#7120

Merged
nickrolfe merged 3 commits into main from nickrolfe/regexp_g_anchor
Dec 3, 2021
Conversation

@nickrolfe
Contributor

Fixes https://github.com/github/codeql-team/issues/599

It means the ReDoS query no longer suggests an example input starting with 'G'.

@nickrolfe nickrolfe requested a review from a team as a code owner November 12, 2021 12:18
@nickrolfe nickrolfe added the Ruby label Nov 12, 2021
Contributor

@alexrford alexrford left a comment

The change looks good - should we have similar special handling for \b and \B?

@nickrolfe
Contributor Author

Yes, probably. I'll check on that once #6561 is merged.

@nickrolfe nickrolfe force-pushed the nickrolfe/regexp_g_anchor branch from ddaea93 to df6ba43 November 19, 2021 16:29
@nickrolfe nickrolfe requested a review from a team as a code owner November 19, 2021 16:29
@nickrolfe nickrolfe changed the title Ruby: parse \G anchor in regexes as special characters Ruby/Python: parse anchors in regexes as special characters Nov 19, 2021
@nickrolfe
Contributor Author

nickrolfe commented Nov 19, 2021

I've updated this to handle \b and \B in Ruby, in addition to \G.

I've also changed Python to handle \b, \B, \A, and \Z in a similar fashion (\A and \Z were already handled in Ruby).

These changes should fix ReDoS FPs such as this one in ruby/ruby, but also mean we give more accurate alert text for some TPs.

I should probably add that Ruby FP as a test case, but I'm not sure how to handle the licensing.

cc @erik-krogh @yoff
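As an added illustration (not code from this PR or from CodeQL), here is a small Python model of the bug the comment above describes: a tokenizer that either recognises the anchor escapes as zero-width or, in the pre-fix mode, lets an unknown escape like \G fall through to the literal character 'G', so the literal prefix used for a ReDoS example input wrongly starts with 'G'. The token kinds, the escape tables and `literal_prefix` are my own simplifications, not CodeQL's parser.

```python
# Zero-width anchor escapes in Ruby/Python regex syntax (the PR adds \b \B \G
# for Ruby and \b \B \A \Z for Python; \A and \Z were already anchors in Ruby).
ANCHOR_ESCAPES = {"b", "B", "A", "Z", "G", "z"}
# Character-class and control escapes, which were never mistaken for literals.
CLASS_ESCAPES = {"d", "D", "w", "W", "s", "S", "n", "t", "r", "h", "H"}


def tokenize(pattern: str, anchor_aware: bool = True):
    """Return (kind, text) tokens with kind in 'literal', 'anchor', 'special'.

    With anchor_aware=False an unrecognised alphabetic escape such as \\G falls
    through to a literal character; that is the pre-fix behaviour modelled here.
    """
    tokens, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            esc = pattern[i + 1]
            if anchor_aware and esc in ANCHOR_ESCAPES:
                tokens.append(("anchor", "\\" + esc))
            elif esc in CLASS_ESCAPES:
                tokens.append(("special", "\\" + esc))
            else:
                tokens.append(("literal", esc))  # \. \( and, pre-fix, \G -> 'G'
            i += 2
            continue
        if c in "^$":
            tokens.append(("anchor", c))
        elif c in "()[]{}*+?|.":
            tokens.append(("special", c))
        else:
            tokens.append(("literal", c))
        i += 1
    return tokens


def literal_prefix(pattern: str, anchor_aware: bool = True) -> str:
    """Literal text that must precede the first non-literal construct.

    This is the leading part of a ReDoS example input built from the pattern;
    anchors are zero-width and contribute nothing to it.
    """
    out = []
    for kind, text in tokenize(pattern, anchor_aware):
        if kind == "literal":
            out.append(text)
        elif kind != "anchor":
            break
    return "".join(out)
```

Running `literal_prefix(r"\G(a+)+$", anchor_aware=False)` reproduces the spurious "G" prefix, while the anchor-aware call returns an empty prefix.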

yoff previously approved these changes Dec 2, 2021
Contributor

@yoff yoff left a comment

Great work, thanks for also fixing the Python side (including tests and all)!

@nickrolfe
Contributor Author

Thanks! There were merge conflicts in the Ruby ReDoS test – now resolved.

@nickrolfe nickrolfe merged commit 5a2ef83 into main Dec 3, 2021
@nickrolfe nickrolfe deleted the nickrolfe/regexp_g_anchor branch December 3, 2021 15:24