Java: use approximate related sink locations in polynomial redos

asgerf · asgerf · commit d06547935574 · 2025-07-01T16:17:24.000+02:00
diff --git a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
@@ -55,7 +55,13 @@ module PolynomialRedosConfig implements DataFlow::ConfigSig {
       regexp.getRootTerm() = sink.(PolynomialRedosSink).getRegExp()
     |
       result = sink.getLocation()
-      or
+    )
+  }
+
+  Location getASelectedSinkLocationApprox(DataFlow::Node sink) {
+    exists(SuperlinearBackTracking::PolynomialBackTrackingTerm regexp |
+      regexp.getRootTerm() = sink.(PolynomialRedosSink).getRegExp()
+    |
       result = regexp.getLocation()
     )
   }

Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,13 @@ module PolynomialRedosConfig implements DataFlow::ConfigSig {`
`55`	`55`	`regexp.getRootTerm() = sink.(PolynomialRedosSink).getRegExp()`
`56`	`56`	`\|`
`57`	`57`	`result = sink.getLocation()`
`58`		`- or`
	`58`	`+ )`
	`59`	`+ }`
	`60`	`+`
	`61`	`+ Location getASelectedSinkLocationApprox(DataFlow::Node sink) {`
	`62`	`+ exists(SuperlinearBackTracking::PolynomialBackTrackingTerm regexp \|`
	`63`	`+ regexp.getRootTerm() = sink.(PolynomialRedosSink).getRegExp()`
	`64`	`+ \|`
`59`	`65`	`result = regexp.getLocation()`
`60`	`66`	`)`
`61`	`67`	`}`