highlight the use of the regular expression, instead of the sink for user input

erik-krogh · erik-krogh · commit a520a51d4227 · 2021-01-14T11:22:20.000+01:00
diff --git a/javascript/ql/src/Performance/PolynomialReDoS.ql b/javascript/ql/src/Performance/PolynomialReDoS.ql
@@ -16,13 +16,13 @@ import semmle.javascript.security.performance.PolynomialReDoS::PolynomialReDoS
 import semmle.javascript.security.performance.SuperlinearBackTracking
 import DataFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode
 where
   cfg.hasFlowPath(source, sink) and
+  sinkNode = sink.getNode() and
   not (
     source.getNode().(Source).getKind() = "url" and
-    sink.getNode().(Sink).getRegExp().(PolynomialBackTrackingTerm).isAtEndLine()
+    sinkNode.getRegExp().(PolynomialBackTrackingTerm).isAtEndLine()
   )
-select sink.getNode(), source, sink, "This expensive $@ use depends on $@.",
-  sink.getNode().(Sink).getRegExp(), "regular expression", source.getNode(),
-  source.getNode().(Source).describe()
+select sinkNode.getHighlight(), source, sink, "This expensive $@ use depends on $@.",
+  sinkNode.getRegExp(), "regular expression", source.getNode(), source.getNode().(Source).describe()
diff --git a/javascript/ql/src/semmle/javascript/security/performance/PolynomialReDoSCustomizations.qll b/javascript/ql/src/semmle/javascript/security/performance/PolynomialReDoSCustomizations.qll
@@ -31,6 +31,11 @@ module PolynomialReDoS {
    */
   abstract class Sink extends DataFlow::Node {
     abstract RegExpTerm getRegExp();
+
+    /**
+     * Gets the node to highlight in the alert message.
+     */
+    DataFlow::Node getHighlight() { result = this }
   }
 
   /**
@@ -54,9 +59,10 @@ module PolynomialReDoS {
    */
   class PolynomialBackTrackingTermUse extends Sink {
     PolynomialBackTrackingTerm term;
+    DataFlow::MethodCallNode mcn;
 
     PolynomialBackTrackingTermUse() {
-      exists(DataFlow::MethodCallNode mcn, DataFlow::Node regexp, string name |
+      exists(DataFlow::Node regexp, string name |
         term.getRootTerm() = RegExp::getRegExpFromNode(regexp)
       |
         this = mcn.getArgument(0) and
@@ -77,6 +83,8 @@ module PolynomialReDoS {
     }
 
     override RegExpTerm getRegExp() { result = term }
+
+    override DataFlow::Node getHighlight() { result = mcn }
   }
 
   /**
diff --git a/javascript/ql/test/query-tests/Performance/ReDoS/PolynomialReDoS.expected b/javascript/ql/test/query-tests/Performance/ReDoS/PolynomialReDoS.expected
