1- private import ReDoSUtil
2- private import RegExpTreeView
3- private import codeql.Locations
4-
5- /*
6- * This query implements the analysis described in the following two papers:
1+ /**
2+ * This library implements the analysis described in the following two papers:
73 *
84 * James Kirrage, Asiri Rathnayake, Hayo Thielecke: Static Analysis for
95 * Regular Expression Denial-of-Service Attacks. NSS 2013.
@@ -31,17 +27,17 @@ private import codeql.Locations
3127 * condition is equivalent to saying that `(q, q)` is reachable from `(r1, r2)`
3228 * in the product NFA.
3329 *
34- * This is what the query does. It makes a simple attempt to construct a
30+ * This is what the library does. It makes a simple attempt to construct a
3531 * prefix `v` leading into `q`, but only to improve the alert message.
36- * And the query tries to prove the existence of a suffix that ensures
32+ * And the library tries to prove the existence of a suffix that ensures
3733 * rejection. This check might fail, which can cause false positives.
3834 *
3935 * Finally, sometimes it depends on the translation whether the NFA generated
4036 * for a regular expression has a pumpable fork or not. We implement one
4137 * particular translation, which may result in false positives or negatives
4238 * relative to some particular JavaScript engine.
4339 *
44- * More precisely, the query constructs an NFA from a regular expression `r`
40+ * More precisely, the library constructs an NFA from a regular expression `r`
4541 * as follows:
4642 *
4743 * * Every sub-term `t` gives rise to an NFA state `Match(t,i)`, representing
@@ -66,6 +62,8 @@ private import codeql.Locations
6662 * a suffix `x` (possible empty) that is most likely __not__ accepted.
6763 */
6864
65+ import ReDoSUtil
66+
6967/**
7068 * Holds if state `s` might be inside a backtracking repetition.
7169 */
@@ -90,18 +88,19 @@ private class MaybeBacktrackingRepetition extends InfiniteRepetitionQuantifier {
9088
9189/**
9290 * A state in the product automaton.
93- *
94- * We lazily only construct those states that we are actually
95- * going to need: `(q, q)` for every fork state `q`, and any
96- * pair of states that can be reached from a pair that we have
97- * already constructed. To cut down on the number of states,
98- * we only represent states `(q1, q2)` where `q1` is lexicographically
99- * no bigger than `q2`.
100- *
101- * States are only constructed if both states in the pair are
102- * inside a repetition that might backtrack.
10391 */
10492private newtype TStatePair =
93+ /**
94+ * We lazily only construct those states that we are actually
95+ * going to need: `(q, q)` for every fork state `q`, and any
96+ * pair of states that can be reached from a pair that we have
97+ * already constructed. To cut down on the number of states,
98+ * we only represent states `(q1, q2)` where `q1` is lexicographically
99+ * no bigger than `q2`.
100+ *
101+ * States are only constructed if both states in the pair are
102+ * inside a repetition that might backtrack.
103+ */
105104 MkStatePair ( State q1 , State q2 ) {
106105 isFork ( q1 , _, _, _, _) and q2 = q1
107106 or
0 commit comments