Title: Enable polynomial ReDoS query to use plain `regex-use` sinks by Copilot · Pull Request #21115 · github/codeql · GitHub
Description: The polynomial ReDoS query couldn't detect vulnerabilities in Apache Commons Lang3 RegExUtils methods because they use the plain `regex-use` sink kind, while `regexSinkKindInfo` only parsed bracketed forms like `regex-use[0]`.

Changes

- Extended `regexSinkKindInfo` predicate to handle plain `regex-use` with defaults: non-full-string matching, string argument at index 0
- Updated comment in `org.apache.commons.lang3.model.yml` to document the behavior
- Added test coverage for all RegExUtils methods in polynomial ReDoS test suite

Technical Details

The plain `regex-use` kind is used by methods where both pattern and input are provided in a single call, like `RegExUtils.removeAll(text, regex)`. The defaults (`full=false`, `strArg=0`) match this signature pattern where the regex is at `Argument[1]` and the text to match is at `Argument[0]`.

This preserves the existing behavior where regex injection and polynomial ReDoS queries select different sink kinds to avoid false positives, while enabling the ReDoS query to analyze these methods.

```ql
private predicate regexSinkKindInfo(string kind, boolean full, int strArg) {
  sinkModel(_, _, _, _, _, _, _, kind, _, _) and
  (
    exists(string fullStr, string strArgStr | /* bracketed forms */ )
    or
    // Plain regex-use sinks default to non-full-string matching with string arg at index 0
    kind = "regex-use" and full = false and strArg = 0
  )
}
```

Original prompt

Work on TODO: refactor the regex-use% sink kind so that the polynomial ReDoS query (from java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll)

Created from VS Code via the GitHub Pull Request extension.
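The call shape the plain `regex-use` sink describes (text at `Argument[0]`, regex at `Argument[1]`, non-full-string `find` semantics), shown as an added example rather than code from the PR or from CodeQL. It assumes `org.apache.commons:commons-lang3` is on the classpath; the class name, the constructed `\s+$` pattern and the constructed attacker input are assumptions for illustration. The regex version is quadratic in the length of a whitespace run that is not at the end of the input, which is exactly the case the polynomial ReDoS query is meant to report once `Argument[0]` is attacker-controlled; the second method is a linear replacement.

```java
import org.apache.commons.lang3.RegExUtils;
import java.util.function.Function;

/**
 * Added example (not part of PR #21115 or of CodeQL): demonstrates the
 * RegExUtils sink shape modelled by the plain `regex-use` kind, text at
 * Argument[0] and regex at Argument[1], and why a polynomial regex at that
 * sink matters when Argument[0] is attacker-controlled.
 * Assumes org.apache.commons:commons-lang3 on the classpath (Java 11+).
 */
public class RegExUtilsReDoSDemo {

    // Trailing-whitespace strip written as a regex. `\s+$` is quadratic on
    // input holding a long whitespace run that is NOT at the end: find()
    // retries `\s+` from every start position inside the run, each attempt
    // backtracks across the remaining spaces, and `$` fails every time.
    static final String TRAILING_WS = "\\s+$";

    // Sink under discussion: regex at Argument[1], matched with find
    // (non-full-string) semantics against the text at Argument[0].
    // With untrusted `text` this is what the polynomial ReDoS query flags.
    static String stripTrailingWsVulnerable(String text) {
        return RegExUtils.removeAll(text, TRAILING_WS);
    }

    // Linear replacement: no backtracking regex engine involved at all.
    static String stripTrailingWsSafe(String text) {
        return text.stripTrailing();
    }

    // Constructed attacker input: n spaces followed by one non-space
    // character, so `$` can never match immediately after the run.
    static String adversarialInput(int n) {
        return " ".repeat(n) + "x";
    }

    static long elapsedMillis(Function<String, String> f, String input) {
        long t0 = System.nanoTime();
        f.apply(input);
        return (System.nanoTime() - t0) / 1_000_000;
    }

    public static void main(String[] args) {
        // Doubling n roughly quadruples the regex time; the safe version
        // stays flat. Both return the input unchanged for this input.
        for (int n : new int[] {10_000, 20_000, 40_000}) {
            String in = adversarialInput(n);
            System.out.printf("n=%d  RegExUtils.removeAll: %d ms   stripTrailing: %d ms%n",
                    n,
                    elapsedMillis(RegExUtilsReDoSDemo::stripTrailingWsVulnerable, in),
                    elapsedMillis(RegExUtilsReDoSDemo::stripTrailingWsSafe, in));
        }
    }
}
```

The defaults added by the PR (`full=false`, `strArg=0`) mean the query treats `text` here as the matched string and `TRAILING_WS` as the regex that must be checked for polynomial backtracking; whether a given call is reported still depends on `text` being reachable from a taint source.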
Opengraph URL: https://github.com/github/codeql/pull/21115