github
diff --git a/‎javascript/ql/src/semmle/javascript/security/performance/SuperlinearBackTracking.qll‎
Lines changed: 13 additions & 3 deletions b/‎javascript/ql/src/semmle/javascript/security/performance/SuperlinearBackTracking.qll‎
Lines changed: 13 additions & 3 deletions
diff --git a/‎javascript/ql/test/query-tests/Performance/ReDoS/PolynomialBackTracking.expected‎
Lines changed: 53 additions & 0 deletions b/‎javascript/ql/test/query-tests/Performance/ReDoS/PolynomialBackTracking.expected‎
Lines changed: 53 additions & 0 deletions
@@ -124,10 +124,20 @@ class PolynomialBackTrackingTerm extends InfiniteRepetitionQuantifier {
       forall(RegExpTerm pred | pred = this.getPredecessor+() | matchesEpsilon(pred)) and
       reason = "it can start matching anywhere"
       or
-      exists(InfiniteRepetitionQuantifier pred |
-        pred = getAMatchPredecessor(this.getPredecessor()) and
-        compatible(pred.getAChild(), this.getAChild())
+      exists(RegExpTerm pred |
+        pred instanceof InfiniteRepetitionQuantifier
+        or
+        forall(RegExpTerm predpred | predpred = pred.getPredecessor+() | matchesEpsilon(predpred))
       |
+        pred = getAMatchPredecessor(this.getPredecessor()) and
+        (
+          // compatible children
+          compatible(pred.getAChild(), this.getAChild())
+          or
+          // or `this` is compatible with everything (and the predecessor is something)
+          unique( | | this.getAChild()) instanceof RegExpDot and
+          exists([pred, pred.getAChild()].getAMatchedString())
+        ) and
         reason =
           "it can start matching anywhere after the start of the preceeding '" + pred.toString() +
             "'"
 
@@ -12,12 +12,44 @@
 | polynomial-redos.js:22:57:22:59 | \\d+ | it can start matching anywhere after the start of the preceeding '\\d*' |
 | polynomial-redos.js:22:57:22:59 | \\d+ | it can start matching anywhere after the start of the preceeding '\\d+' |
 | polynomial-redos.js:25:37:25:56 | [a-zA-Z0-9+\\/ \\t\\n]+ | it can start matching anywhere after the start of the preceeding '[ \\t]+' |
+| polynomial-redos.js:25:63:25:64 | .* | it can start matching anywhere after the start of the preceeding '[=]*' |
+| polynomial-redos.js:25:63:25:64 | .* | it can start matching anywhere after the start of the preceeding '[a-zA-Z0-9+\\/ \\t\\n]+' |
 | polynomial-redos.js:27:14:27:22 | [A-Z]{2,} | it can start matching anywhere |
 | polynomial-redos.js:30:19:30:22 | [?]+ | it can start matching anywhere |
+| polynomial-redos.js:30:23:30:24 | .* | it can start matching anywhere after the start of the preceeding '[?]' |
+| polynomial-redos.js:30:23:30:24 | .* | it can start matching anywhere after the start of the preceeding '[?]+' |
 | polynomial-redos.js:31:42:31:43 | -+ | it can start matching anywhere |
 | polynomial-redos.js:32:45:32:47 | \\n* | it can start matching anywhere |
 | polynomial-redos.js:33:17:33:20 | (.)* | it can start matching anywhere |
+| polynomial-redos.js:36:18:36:19 | .* | it can start matching anywhere after the start of the preceeding '<' |
+| polynomial-redos.js:37:18:37:19 | .* | it can start matching anywhere after the start of the preceeding '<' |
+| polynomial-redos.js:38:18:38:19 | .* | it can start matching anywhere after the start of the preceeding '<' |
 | polynomial-redos.js:48:22:48:24 | \\s* | it can start matching anywhere |
+| polynomial-redos.js:50:4:50:5 | .* | it can start matching anywhere after the start of the preceeding 'Y' |
+| polynomial-redos.js:51:11:51:17 | (YH\|J)* | it can start matching anywhere after the start of the preceeding '(YH\|K)' |
+| polynomial-redos.js:51:11:51:17 | (YH\|J)* | it can start matching anywhere after the start of the preceeding 'YH\|K' |
+| polynomial-redos.js:52:12:52:13 | .* | it can start matching anywhere after the start of the preceeding '(YH\|K)' |
+| polynomial-redos.js:52:12:52:13 | .* | it can start matching anywhere after the start of the preceeding 'K' |
+| polynomial-redos.js:52:12:52:13 | .* | it can start matching anywhere after the start of the preceeding 'YH' |
+| polynomial-redos.js:52:12:52:13 | .* | it can start matching anywhere after the start of the preceeding 'YH\|K' |
+| polynomial-redos.js:53:3:53:8 | (B\|Y)+ | it can start matching anywhere |
+| polynomial-redos.js:53:9:53:12 | (Y)* | it can start matching anywhere after the start of the preceeding '(B\|Y)' |
+| polynomial-redos.js:53:9:53:12 | (Y)* | it can start matching anywhere after the start of the preceeding '(B\|Y)+' |
+| polynomial-redos.js:53:9:53:12 | (Y)* | it can start matching anywhere after the start of the preceeding 'B\|Y' |
+| polynomial-redos.js:54:4:54:9 | (B\|Y)+ | it can start matching anywhere |
+| polynomial-redos.js:55:11:55:14 | (Y)* | it can start matching anywhere after the start of the preceeding '(B\|Y)+' |
+| polynomial-redos.js:56:10:56:13 | (Y)* | it can start matching anywhere after the start of the preceeding '(B\|Y)+' |
+| polynomial-redos.js:57:11:57:16 | (Y\|K)* | it can start matching anywhere after the start of the preceeding '(B\|Y)+' |
+| polynomial-redos.js:58:11:58:12 | .* | it can start matching anywhere after the start of the preceeding '(B\|Y)+' |
+| polynomial-redos.js:62:7:62:8 | Y* | it can start matching anywhere after the start of the preceeding 'Y*' |
+| polynomial-redos.js:63:11:63:12 | Y* | it can start matching anywhere after the start of the preceeding '(K\|Y)+' |
+| polynomial-redos.js:64:14:64:15 | Y* | it can start matching anywhere after the start of the preceeding '(K\|Y)+' |
+| polynomial-redos.js:65:14:65:15 | .* | it can start matching anywhere after the start of the preceeding '(K\|Y)+' |
+| polynomial-redos.js:66:9:66:10 | .* | it can start matching anywhere after the start of the preceeding '(K\|Y)' |
+| polynomial-redos.js:66:9:66:10 | .* | it can start matching anywhere after the start of the preceeding 'K' |
+| polynomial-redos.js:66:9:66:10 | .* | it can start matching anywhere after the start of the preceeding 'K\|Y' |
+| polynomial-redos.js:66:9:66:10 | .* | it can start matching anywhere after the start of the preceeding 'Y' |
+| polynomial-redos.js:67:8:67:9 | .* | it can start matching anywhere after the start of the preceeding '[^Y]' |
 | regexplib/address.js:18:26:18:31 | [ \\w]* | it can start matching anywhere after the start of the preceeding '[ \\w]{3,}' |
 | regexplib/address.js:20:144:20:147 | [ ]+ | it can start matching anywhere after the start of the preceeding '[a-zA-Z0-9 \\-.]{6,}' |
 | regexplib/address.js:24:26:24:31 | [ \\w]* | it can start matching anywhere after the start of the preceeding '[ \\w]{3,}' |
@@ -36,7 +68,11 @@
 | regexplib/address.js:75:631:75:635 | \\x20* | it can start matching anywhere after the start of the preceeding '\\x20*' |
 | regexplib/address.js:75:796:75:798 | \\s+ | it can start matching anywhere after the start of the preceeding '\\s+' |
 | regexplib/address.js:85:15:85:49 | ([0-9]\|[ ]\|[-]\|[\\(]\|[\\)]\|ext.\|[,])+ | it can start matching anywhere |
+| regexplib/address.js:85:51:85:67 | ([ ]\|[:]\|\\t\|[-])* | it can start matching anywhere after the start of the preceeding '([0-9]\|[ ]\|[-]\|[\\(]\|[\\)]\|ext.\|[,])' |
 | regexplib/address.js:85:51:85:67 | ([ ]\|[:]\|\\t\|[-])* | it can start matching anywhere after the start of the preceeding '([0-9]\|[ ]\|[-]\|[\\(]\|[\\)]\|ext.\|[,])+' |
+| regexplib/address.js:85:51:85:67 | ([ ]\|[:]\|\\t\|[-])* | it can start matching anywhere after the start of the preceeding '[0-9]\|[ ]\|[-]\|[\\(]\|[\\)]\|ext.\|[,]' |
+| regexplib/address.js:85:51:85:67 | ([ ]\|[:]\|\\t\|[-])* | it can start matching anywhere after the start of the preceeding '[ ]' |
+| regexplib/address.js:85:51:85:67 | ([ ]\|[:]\|\\t\|[-])* | it can start matching anywhere after the start of the preceeding '[-]' |
 | regexplib/address.js:93:3:93:5 | \\s* | it can start matching anywhere |
 | regexplib/address.js:93:48:93:50 | \\s* | it can start matching anywhere |
 | regexplib/address.js:93:93:93:95 | \\s* | it can start matching anywhere |
@@ -50,19 +86,28 @@
 | regexplib/email.js:28:73:28:87 | [0-9a-zA-Z'\\.]+ | it can start matching anywhere |
 | regexplib/email.js:28:125:28:139 | [0-9a-zA-Z'\\.]+ | it can start matching anywhere |
 | regexplib/email.js:29:2:29:7 | [\\w-]+ | it can start matching anywhere |
+| regexplib/markup.js:1:11:1:12 | .* | it can start matching anywhere after the start of the preceeding '<' |
 | regexplib/markup.js:6:99:6:113 | [\\s\\w\\d\\)\\(\\,]* | it can start matching anywhere after the start of the preceeding '[\\d\\w]+' |
+| regexplib/markup.js:11:6:11:8 | .*? | it can start matching anywhere after the start of the preceeding '<!--' |
+| regexplib/markup.js:13:14:13:16 | .+? | it can start matching anywhere after the start of the preceeding '<' |
+| regexplib/markup.js:14:10:14:11 | .* | it can start matching anywhere after the start of the preceeding '<' |
+| regexplib/markup.js:14:13:14:14 | .* | it can start matching anywhere after the start of the preceeding '<' |
 | regexplib/markup.js:19:2:19:12 | (<meta\\s+)* | it can start matching anywhere |
 | regexplib/markup.js:20:155:20:156 | '+ | it can start matching anywhere after the start of the preceeding ''+' |
 | regexplib/markup.js:20:197:20:198 | "+ | it can start matching anywhere after the start of the preceeding '"+' |
 | regexplib/markup.js:37:15:37:19 | [\\w]* | it can start matching anywhere after the start of the preceeding '\\w+' |
 | regexplib/markup.js:53:15:53:19 | [\\w]* | it can start matching anywhere after the start of the preceeding '\\w+' |
+| regexplib/markup.js:62:35:62:37 | .*? | it can start matching anywhere after the start of the preceeding '[\\s\\"\\']+' |
 | regexplib/markup.js:62:39:62:45 | [\\"\\']+ | it can start matching anywhere after the start of the preceeding '[\\s\\"\\']+' |
+| regexplib/markup.js:62:46:62:48 | .*? | it can start matching anywhere after the start of the preceeding '[\\"\\']+' |
 | regexplib/misc.js:76:2:76:27 | (AUX\|PRN\|NUL\|COM\\d\|LPT\\d)+ | it can start matching anywhere |
 | regexplib/misc.js:83:15:83:17 | \\d* | it can start matching anywhere after the start of the preceeding '\\d*' |
 | regexplib/misc.js:83:69:83:71 | \\d* | it can start matching anywhere after the start of the preceeding '\\d*' |
 | regexplib/misc.js:93:3:93:4 | .* | it can start matching anywhere |
+| regexplib/misc.js:95:25:95:26 | .+ | it can start matching anywhere after the start of the preceeding 'at\\s' |
 | regexplib/misc.js:112:3:112:5 | \\s* | it can start matching anywhere |
 | regexplib/misc.js:112:32:112:34 | \\s* | it can start matching anywhere |
+| regexplib/misc.js:116:3:116:4 | .* | it can start matching anywhere after the start of the preceeding '{' |
 | regexplib/misc.js:119:9:119:11 | \\s* | it can start matching anywhere |
 | regexplib/misc.js:119:12:119:14 | \\(* | it can start matching anywhere |
 | regexplib/misc.js:119:16:119:18 | \\s* | it can start matching anywhere |
@@ -114,13 +159,17 @@
 | regexplib/strings.js:91:2:91:7 | (\\S*)+ | it can start matching anywhere |
 | regexplib/strings.js:91:3:91:5 | \\S* | it can start matching anywhere |
 | regexplib/uri.js:2:45:2:66 | [\\w\\-\\.,@?^=%&:/~\\+#]* | it can start matching anywhere after the start of the preceeding '[\\w\\-_]+' |
+| regexplib/uri.js:5:42:5:43 | .* | it can start matching anywhere after the start of the preceeding '[\\w ]*' |
 | regexplib/uri.js:13:69:13:102 | [a-zA-Z0-9\\-\\.\\?\\,\\'\\/\\\\\\+&%\\$#_]* | it can start matching anywhere after the start of the preceeding '[a-zA-Z0-9\\-\\._]+' |
+| regexplib/uri.js:17:42:17:43 | .* | it can start matching anywhere after the start of the preceeding '[\\w ]*' |
 | regexplib/uri.js:18:47:18:96 | ([ A-Za-z0-9'~` !@#$%&^_+=\\(\\){},\\-\\[\\];]\|([.]))*? | it can start matching anywhere after the start of the preceeding '([A-Za-z0-9'~`!@#$%&^_+=\\(\\){},\\-\\[\\]\\;])+?' |
 | regexplib/uri.js:18:148:18:189 | ([A-Za-z0-9'~`!@#$%&^_+=\\(\\){},\\-\\[ \\];])+ | it can start matching anywhere after the start of the preceeding '[ A-Za-z0-9'~`!@#$ %&^_+=\\(\\){},\\-\\[\\]\\;]*?' |
 | regexplib/uri.js:23:2:23:74 | (((file\|gopher\|news\|nntp\|telnet\|http\|ftp\|https\|ftps\|sftp):\\/\\/)\|(www\\.))+ | it can start matching anywhere |
+| regexplib/uri.js:23:77:23:92 | [a-zA-Z0-9\\._-]+ | it can start matching anywhere after the start of the preceeding 'www\\.' |
 | regexplib/uri.js:28:2:28:13 | [a-zA-Z]{3,} | it can start matching anywhere |
 | regexplib/uri.js:29:2:29:45 | ((http\\:\\/\\/\|https\\:\\/\\/\|ftp\\:\\/\\/)\|(www.))+ | it can start matching anywhere |
 | regexplib/uri.js:34:3:34:9 | [^\\=&]+ | it can start matching anywhere |
+| regexplib/uri.js:39:7:39:9 | .*? | it can start matching anywhere after the start of the preceeding '<a' |
 | regexplib/uri.js:44:2:44:4 | .*? | it can start matching anywhere |
 | regexplib/uri.js:53:3:53:9 | [^\\=&]+ | it can start matching anywhere |
 | regexplib/uri.js:58:2:58:45 | ((http\\:\\/\\/\|https\\:\\/\\/\|ftp\\:\\/\\/)\|(www.))+ | it can start matching anywhere |
@@ -129,8 +178,12 @@
 | tst.js:14:13:14:18 | (.*,)+ | it can start matching anywhere |
 | tst.js:14:14:14:15 | .* | it can start matching anywhere |
 | tst.js:47:15:47:37 | (?:[^"']\|".*?"\|'.*?')*? | it can start matching anywhere |
+| tst.js:47:25:47:27 | .*? | it can start matching anywhere after the start of the preceeding '"' |
+| tst.js:47:31:47:33 | .*? | it can start matching anywhere after the start of the preceeding ''' |
 | tst.js:66:15:66:44 | ([\\w#:.~>+()\\s-]+\|\\*\|\\[.*?\\])+ | it can start matching anywhere |
 | tst.js:66:16:66:31 | [\\w#:.~>+()\\s-]+ | it can start matching anywhere |
+| tst.js:66:38:66:40 | .*? | it can start matching anywhere after the start of the preceeding '\\[' |
+| tst.js:66:46:66:48 | \\s* | it can start matching anywhere after the start of the preceeding '[\\w#:.~>+()\\s-]' |
 | tst.js:66:46:66:48 | \\s* | it can start matching anywhere after the start of the preceeding '[\\w#:.~>+()\\s-]+' |
 | tst.js:74:14:74:21 | (b\|a?b)* | it can start matching anywhere |
 | tst.js:77:14:77:21 | (a\|aa?)* | it can start matching anywhere |