Swift: Import more test cases from other languages (this highlights some issues).

geoffw0 · geoffw0 · commit 44eb7bf6427a · 2023-06-14T18:23:05.000+01:00
diff --git a/swift/ql/test/library-tests/regex/redos_variants.swift b/swift/ql/test/library-tests/regex/redos_variants.swift
@@ -35,7 +35,6 @@ extension String {
 
 func myRegexpVariantsTests(myUrl: URL) throws {
 	let tainted = String(contentsOf: myUrl) // tainted
-	let untainted = "abcdef"
 
 	// basic cases:
 
@@ -106,4 +105,360 @@ func myRegexpVariantsTests(myUrl: URL) throws {
 	// Adapted from Prism (https://github.com/PrismJS/prism), which is licensed
 	// under the MIT license; see file licenses/Prism-LICENSE.
 	_ = try Regex("(\"|')(\\\\?.)*?\\1").firstMatch(in: tainted) // $ redos-vulnerable=
+
+	// more cases:
+
+    // GOOD
+    _ = try Regex("(\\r\\n|\\r|\\n)+").firstMatch(in: tainted)
+
+    // GOOD
+    _ = try Regex("(a|.)*").firstMatch(in: tainted)
+
+    // Testing the NFA - only some of the below are detected.
+    _ = try Regex("^([a-z]+)+$").firstMatch(in: tainted) // $ redos-vulnerable=
+    _ = try Regex("^([a-z]*)*$").firstMatch(in: tainted) // $ redos-vulnerable=
+    _ = try Regex("^([a-zA-Z0-9])(([\\\\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$").firstMatch(in: tainted) // $ redos-vulnerable=
+    _ = try Regex("^(([a-z])+.)+[A-Z]([a-z])+$").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("(b|a?b)*c").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("(a|aa?)*b").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("(.|\\n)*!").firstMatch(in: tainted)
+
+    // NOT GOOD; attack: "\n".repeat(100) + "." TODO: investigate, we should be getting this one.
+    _ = try Regex("(?s)(.|\\n)*!").firstMatch(in: tainted) // $ MISSING: redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("([\\w.]+)*").firstMatch(in: tainted)
+
+    // NOT GOOD
+    _ = try Regex("(a|aa?)*b").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("(([\\s\\S]|[^a])*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD - there is no witness in the end that could cause the regexp to not match
+    _ = try Regex("([^\"']+)*").firstMatch(in: tainted)
+
+    // NOT GOOD
+    _ = try Regex("((.|[^a])*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("((a|[^a])*)\"").firstMatch(in: tainted)
+
+    // NOT GOOD
+    _ = try Regex("((b|[^a])*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("((G|[^a])*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("(([0-9]|[^a])*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD (missing)
+    _ = try Regex("(?:=(?:([!#\\$%&'\\*\\+\\-\\.\\^_`\\|~0-9A-Za-z]+)|\"((?:\\\\[\\x00-\\x7f]|[^\\x00-\\x08\\x0a-\\x1f\\x7f\"])*)\"))?").firstMatch(in: tainted) // $ MISSING: redos-vulnerable=
+
+    // NOT GOOD (missing)
+    _ = try Regex("\"((?:\\\\[\\x00-\\x7f]|[^\\x00-\\x08\\x0a-\\x1f\\x7f\"])*)\"").firstMatch(in: tainted) // $ MISSING: redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("\"((?:\\\\[\\x00-\\x7f]|[^\\x00-\\x08\\x0a-\\x1f\\x7f\"\\\\])*)\"").firstMatch(in: tainted)
+
+    // NOT GOOD
+    _ = try Regex("(([a-z]|[d-h])*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("(([^a-z]|[^0-9])*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("((\\d|[0-9])*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("((\\s|\\s)*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("((\\w|G)*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("((\\s|\\d)*)\"").firstMatch(in: tainted)
+
+    // NOT GOOD
+    _ = try Regex("((\\d|\\w)*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("((\\d|5)*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("((\\s|[\\f])*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD - but not detected (likely because \v is a character class in Java rather than a specific character in other langs)
+    _ = try Regex("((\\s|[\\v]|\\\\v)*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("((\\f|[\\f])*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("((\\W|\\D)*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("((\\S|\\w)*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("((\\S|[\\w])*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("((1s|[\\da-z])*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("((0|[\\d])*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("(([\\d]+)*)\"").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD - there is no witness in the end that could cause the regexp to not match
+    _ = try Regex("(\\d+(X\\d+)?)+").firstMatch(in: tainted)
+
+    // GOOD - there is no witness in the end that could cause the regexp to not match
+    _ = try Regex("([0-9]+(X[0-9]*)?)*").firstMatch(in: tainted)
+
+    // GOOD
+    _ = try Regex("^([^>]+)*(>|$)").firstMatch(in: tainted)
+
+    // NOT GOOD
+    _ = try Regex("^([^>a]+)*(>|$)").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("(\\n\\s*)+$").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("^(?:\\s+|#.*|\\(\\?#[^)]*\\))*(?:[?*+]|\\{\\d+(?:,\\d*)?})").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("\\{\\[\\s*([a-zA-Z]+)\\(([a-zA-Z]+)\\)((\\s*([a-zA-Z]+)\\: ?([ a-zA-Z{}]+),?)+)*\\s*\\]\\}").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("(a+|b+|c+)*c").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("(((a+a?)*)+b+)").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("(a+)+bbbb").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("(a+)+aaaaa*a+").firstMatch(in: tainted)
+
+    // NOT GOOD
+    _ = try Regex("(a+)+aaaaa$").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("(\\n+)+\\n\\n").firstMatch(in: tainted)
+
+    // NOT GOOD
+    _ = try Regex("(\\n+)+\\n\\n$").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("([^X]+)*$").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("(([^X]b)+)*$").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("(([^X]b)+)*($|[^X]b)").firstMatch(in: tainted)
+
+    // NOT GOOD
+    _ = try Regex("(([^X]b)+)*($|[^X]c)").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("((ab)+)*ababab").firstMatch(in: tainted)
+
+    // GOOD
+    _ = try Regex("((ab)+)*abab(ab)*(ab)+").firstMatch(in: tainted)
+
+    // GOOD
+    _ = try Regex("((ab)+)*").firstMatch(in: tainted)
+
+    // NOT GOOD
+    _ = try Regex("((ab)+)*$").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("((ab)+)*[a1][b1][a2][b2][a3][b3]").firstMatch(in: tainted)
+
+    // NOT GOOD
+    _ = try Regex("([\\n\\s]+)*(.)").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD - any witness passes through the accept state.
+    _ = try Regex("(A*A*X)*").firstMatch(in: tainted)
+
+    // GOOD
+    _ = try Regex("([^\\\\\\]]+)*").firstMatch(in: tainted)
+
+    // NOT GOOD TODO: QL evaluation times out (for test, at 5 minutes)
+//    _ = try Regex("(\\w*foobarbaz\\w*foobarbaz\\w*foobarbaz\\w*foobarbaz\\s*foobarbaz\\d*foobarbaz\\w*)+-").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD (but cannot currently construct a prefix)
+    _ = try Regex("a{2,3}(b+)+X").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD (and a good prefix test)
+    _ = try Regex("^<(\\w+)((?:\\s+\\w+(?:\\s*=\\s*(?:(?:\"[^\"]*\")|(?:'[^']*')|[^>\\s]+))?)*)\\s*(\\/?)>").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("(a+)*[\\s\\S][\\s\\S][\\s\\S]?").firstMatch(in: tainted)
+
+    // GOOD - but we fail to see that repeating the attack string ends in the "accept any" state (due to not parsing the range `[\s\S]{2,3}`).
+    _ = try Regex("(a+)*[\\s\\S]{2,3}").firstMatch(in: tainted) // $ SPURIOUS: redos-vulnerable=
+
+    // GOOD - but we spuriously conclude that a rejecting suffix exists (due to not parsing the range `[\s\S]{2,}` when constructing the NFA).
+    _ = try Regex("(a+)*([\\s\\S]{2,}|X)$").firstMatch(in: tainted) // $ SPURIOUS: redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("(a+)*([\\s\\S]*|X)$").firstMatch(in: tainted)
+
+    // NOT GOOD
+    _ = try Regex("((a+)*$|[\\s\\S]+)").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD - but still flagged. The only change compared to the above is the order of alternatives, which we don't model.
+    _ = try Regex("([\\s\\S]+|(a+)*$)").firstMatch(in: tainted) // $ SPURIOUS: redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("((;|^)a+)+$").firstMatch(in: tainted)
+
+    // NOT GOOD (a good prefix test)
+    _ = try Regex("(^|;)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(e+)+f").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("^ab(c+)+$").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("(\\d(\\s+)*){20}").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD - but we spuriously conclude that a rejecting suffix exists.
+    _ = try Regex("(([^/]|X)+)(\\/[\\s\\S]*)*$").firstMatch(in: tainted) // $ SPURIOUS: redos-vulnerable=
+
+    // GOOD - but we spuriously conclude that a rejecting suffix exists.
+    _ = try Regex("^((x([^Y]+)?)*(Y|$))").firstMatch(in: tainted) // $ SPURIOUS: redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("(a*)+b").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("foo([\\w-]*)+bar").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("((ab)*)+c").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("(a?a?)*b").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("(a?)*b").firstMatch(in: tainted)
+
+    // NOT GOOD - but not detected
+    _ = try Regex("(c?a?)*b").firstMatch(in: tainted) // $ MISSING: redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("(?:a|a?)+b").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD - but not detected.
+    _ = try Regex("(a?b?)*$").firstMatch(in: tainted) // $ MISSING: redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("PRE(([a-c]|[c-d])T(e?e?e?e?|X))+(cTcT|cTXcTX$)").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("^((a)+\\w)+$").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // NOT GOOD
+    _ = try Regex("^(b+.)+$").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("a*b").firstMatch(in: tainted)
+
+    // All 4 bad combinations of nested * and +
+    _ = try Regex("(a*)*b").firstMatch(in: tainted) // $ redos-vulnerable=
+    _ = try Regex("(a+)*b").firstMatch(in: tainted) // $ redos-vulnerable=
+    _ = try Regex("(a*)+b").firstMatch(in: tainted) // $ redos-vulnerable=
+    _ = try Regex("(a+)+b").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("(a|b)+").firstMatch(in: tainted)
+    _ = try Regex("(?:[\\s;,\"'<>(){}|\\[\\]@=+*]|:(?![/\\\\]))+").firstMatch(in: tainted)
+
+	// TODO: investigate; these were marked `hasParseFailure`
+    _ = try Regex("^((?:a{|-)|\\w\\{)+X$").firstMatch(in: tainted) // $ SPURIOUS: redos-vulnerable=
+    _ = try Regex("^((?:a{0|-)|\\w\\{\\d)+X$").firstMatch(in: tainted) // $ SPURIOUS: redos-vulnerable=
+    _ = try Regex("^((?:a{0,|-)|\\w\\{\\d,)+X$").firstMatch(in: tainted) // $ SPURIOUS: redos-vulnerable=
+    _ = try Regex("^((?:a{0,2|-)|\\w\\{\\d,\\d)+X$").firstMatch(in: tainted) // $ SPURIOUS: redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("^((?:a{0,2}|-)|\\w\\{\\d,\\d\\})+X$").firstMatch(in: tainted)
+
+    // NOT GOOD
+    _ = try Regex("X(\\u0061|a)*Y").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("X(\\u0061|b)+Y").firstMatch(in: tainted)
+
+    // NOT GOOD TODO: we should get this one
+    _ = try Regex("X(\\x61|a)*Y").firstMatch(in: tainted) // $ MISSING: redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("X(\\x61|b)+Y").firstMatch(in: tainted)
+
+    // NOT GOOD TODO: we should get this one
+    _ = try Regex("X(\\x{061}|a)*Y").firstMatch(in: tainted) // $ MISSING: redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("X(\\x{061}|b)+Y").firstMatch(in: tainted)
+
+    // NOT GOOD
+    _ = try Regex("X(\\p{Digit}|7)*Y").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("X(\\p{Digit}|b)+Y").firstMatch(in: tainted)
+
+    // NOT GOOD
+    _ = try Regex("X(\\P{Digit}|b)*Y").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("X(\\P{Digit}|7)+Y").firstMatch(in: tainted)
+
+    // NOT GOOD TODO: we should get this one
+    _ = try Regex("X(\\p{IsDigit}|7)*Y").firstMatch(in: tainted) // $ MISSING: redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("X(\\p{IsDigit}|b)+Y").firstMatch(in: tainted)
+
+    // NOT GOOD - but not detected
+    _ = try Regex("X(\\p{Alpha}|a)*Y").firstMatch(in: tainted) // $ MISSING: redos-vulnerable=
+
+    // GOOD
+    _ = try Regex("X(\\p{Alpha}|7)+Y").firstMatch(in: tainted)
+
+    // GOOD
+    _ = try Regex("(\"[^\"]*?\"|[^\"\\s]+)+(?=\\s*|\\s*$)").firstMatch(in: tainted)
+
+    // BAD
+    _ = try Regex("/(\"[^\"]*?\"|[^\"\\s]+)+(?=\\s*|\\s*$)X").firstMatch(in: tainted) // $ redos-vulnerable=
+    _ = try Regex("/(\"[^\"]*?\"|[^\"\\s]+)+(?=X)").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // BAD
+    _ = try Regex("\\A(\\d|0)*x").firstMatch(in: tainted) // $ redos-vulnerable=
+    _ = try Regex("(\\d|0)*\\Z").firstMatch(in: tainted) // $ redos-vulnerable=
+    _ = try Regex("\\b(\\d|0)*x").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // GOOD - possessive quantifiers don't backtrack
+    _ = try Regex("(a*+)*+b").firstMatch(in: tainted)
+    _ = try Regex("(a*)*+b").firstMatch(in: tainted)
+    _ = try Regex("(a*+)*b").firstMatch(in: tainted)
+
+    // BAD
+    _ = try Regex("(a*)*b").firstMatch(in: tainted) // $ redos-vulnerable=
+
+    // BAD - but not detected due to the way possessive quantifiers are approximated
+    _ = try Regex("((aa|a*+)b)*c").firstMatch(in: tainted) // $ MISSING: redos-vulnerable=
 }
