Java: Diff-informed regex queries

jbj · jbj · commit d569f86524d6 · 2025-02-07T14:50:33.000+01:00
An alternative to dynamic dispatch would have been to use parameterised
modules. I tried that but abandoned it because it led to cascading
changes and noise in too many places. The parameterisation used here has
to be propagated through three different library files, and that
propagation becomes invisible (for better or worse) when using dynamic
dispatch.
diff --git a/java/ql/lib/semmle/code/java/regex/RegexDiffInformed.qll b/java/ql/lib/semmle/code/java/regex/RegexDiffInformed.qll
@@ -0,0 +1,28 @@
+private import java
+private import semmle.code.java.dataflow.DataFlow
+private import codeql.util.Unit
+
+/**
+ * An extension point to allow a query to detect only the regular expressions
+ * it needs in diff-informed incremental mode. The data-flow analysis that's
+ * modified by this class has its sources as (certain) string literals and its
+ * sinks as regular-expression matches.
+ */
+class RegexDiffInformedConfig instanceof Unit {
+  /**
+   * Holds if discovery of regular expressions should be diff-informed, which
+   * is possible when there cannot be any elements selected by the query in the
+   * diff range except the regular expressions and (locations derived from) the
+   * places where they are matched against.
+   */
+  abstract predicate observeDiffInformedIncrementalMode();
+
+  /**
+   * Gets a location of a regex match that will be part of the query results.
+   * If the query does not select the match locations, this predicate can be
+   * `none()` for performance.
+   */
+  abstract Location getASelectedSinkLocation(DataFlow::Node sink);
+
+  string toString() { result = "RegexDiffInformedConfig" }
+}
diff --git a/java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll b/java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll
@@ -6,6 +6,7 @@ import java
 import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.security.SecurityTests
+private import RegexDiffInformed
 
 private class ExploitableStringLiteral extends StringLiteral {
   ExploitableStringLiteral() { this.getValue().matches(["%+%", "%*%", "%{%}%"]) }
@@ -157,6 +158,14 @@ private module RegexFlowConfig implements DataFlow::ConfigSig {
   }
 
   int fieldFlowBranchLimit() { result = 1 }
+
+  predicate observeDiffInformedIncrementalMode() {
+    exists(RegexDiffInformedConfig c | c.observeDiffInformedIncrementalMode())
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(RegexDiffInformedConfig c | result = c.getASelectedSinkLocation(sink))
+  }
 }
 
 private module RegexFlow = DataFlow::Global<RegexFlowConfig>;
diff --git a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
@@ -4,6 +4,7 @@ private import semmle.code.java.regex.RegexTreeView::RegexTreeView as TreeView
 import codeql.regex.nfa.SuperlinearBackTracking::Make<TreeView> as SuperlinearBackTracking
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.regex.RegexFlowConfigs
+import semmle.code.java.regex.RegexDiffInformed
 import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.Sanitizers
 
@@ -33,6 +34,12 @@ private class LengthRestrictedMethod extends Method {
   }
 }
 
+class PolynomialRedDosDiffInformed extends RegexDiffInformedConfig {
+  override predicate observeDiffInformedIncrementalMode() { not PolynomialRedosFlow::hasSourceInDiffRange() }
+
+  override Location getASelectedSinkLocation(DataFlow::Node sink) { result = sink.getLocation() }
+}
+
 /** A configuration for Polynomial ReDoS queries. */
 module PolynomialRedosConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
diff --git a/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql b/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql
@@ -12,9 +12,17 @@
  *       external/cwe/cwe-020
  */
 
+import semmle.code.java.regex.RegexDiffInformed
+import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.regex.RegexTreeView::RegexTreeView as TreeView
 import codeql.regex.OverlyLargeRangeQuery::Make<TreeView>
 
+class OverlyLargeRangeDiffInformed extends RegexDiffInformedConfig {
+  override predicate observeDiffInformedIncrementalMode() { any() }
+
+  override Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
+}
+
 TreeView::RegExpCharacterClass potentialMisparsedCharClass() {
   // nested char classes are currently misparsed
   result.getAChild().(TreeView::RegExpNormalChar).getValue() = "["
diff --git a/java/ql/src/Security/CWE/CWE-730/ReDoS.ql b/java/ql/src/Security/CWE/CWE-730/ReDoS.ql
@@ -14,9 +14,17 @@
  *       external/cwe/cwe-400
  */
 
+import semmle.code.java.regex.RegexDiffInformed
+import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.regex.RegexTreeView::RegexTreeView as TreeView
 import codeql.regex.nfa.ExponentialBackTracking::Make<TreeView> as ExponentialBackTracking
 
+class ReDoSDiffInformed extends RegexDiffInformedConfig {
+  override predicate observeDiffInformedIncrementalMode() { any() }
+
+  override Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
+}
+
 from TreeView::RegExpTerm t, string pump, ExponentialBackTracking::State s, string prefixMsg
 where
   ExponentialBackTracking::hasReDoSResult(t, pump, s, prefixMsg) and
