
Evil RegEx from user input vulnerability is not reported by CodeQL #13530

Open

dnovatchev opened this issue Jun 22, 2023 · 4 comments

Comments

@dnovatchev

I created a simple C# console application based on this article:
Attacking Evil Regex: Understanding Regular Expression Denial of Service Attacks (ReDoS)

Running the CodeQL CLI didn't write any issues in the created .csv file (0 rows).

Here is the complete code:

```csharp
using System;
using System.Text.RegularExpressions;

namespace ReDoS
{
    internal class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("UserName: ");
            var userName = Console.ReadLine();

            Console.WriteLine("Password: ");
            var password = Console.ReadLine();

            Console.WriteLine(Authenticate(userName, password));
        }

        public static string Authenticate(string userName, string password)
        {
            // The user-supplied name is used verbatim as the regex pattern,
            // so the caller controls the pattern structure (ReDoS sink).
            var pattern = userName;
            var numMatches = Regex.Matches(password, pattern).Count;
            return numMatches == 0
                ? "OK"
                : "Password must not contain userName!";
        }
    }
}
```

Needless to say, entering input like the one below results in indefinitely long execution, so this is a serious attack:

image

My question is: Is this a known issue, or am I missing something?

Thanks in advance for your time and attention,

Dimitre
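To make the defect concrete, here is an added example (my own code, not the reporter's program or anything from the CodeQL repository) that places the vulnerable `Authenticate` next to two hardened variants. The method names, the evil pattern `^(a+)+$`, and the test inputs are constructed for the demonstration; the first hardened variant keeps the regex but neutralises metacharacters with `Regex.Escape` and bounds the worst case with a match timeout, the second drops the regex entirely because the check is really a substring test.

```csharp
// Added example (not from the issue): the reporter's Authenticate next to two
// hardened variants. Names, the evil pattern and the inputs are constructed.
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

namespace ReDoSDemo
{
    internal static class Program
    {
        // 1. Vulnerable: userName becomes the pattern, so the caller controls
        //    the regex structure, and Matches() runs with no timeout.
        public static string AuthenticateVulnerable(string userName, string password)
        {
            var count = Regex.Matches(password, userName).Count;
            return count == 0 ? "OK" : "Password must not contain userName!";
        }

        // 2. Hardened, still regex-based: Regex.Escape turns every metacharacter
        //    in userName into a literal, so input cannot add quantifiers or
        //    alternation; the match timeout caps the cost regardless of pattern.
        public static string AuthenticateEscaped(string userName, string password)
        {
            var pattern = Regex.Escape(userName);
            var timeout = TimeSpan.FromMilliseconds(200);
            try
            {
                var count = Regex.Matches(password, pattern, RegexOptions.None, timeout).Count;
                return count == 0 ? "OK" : "Password must not contain userName!";
            }
            catch (RegexMatchTimeoutException)
            {
                // Fail closed: a check that timed out is treated as a rejection.
                return "Rejected: check timed out";
            }
        }

        // 3. Simplest fix: "password must not contain userName" is a substring
        //    test, so no regex engine is involved at all.
        public static string AuthenticatePlain(string userName, string password)
        {
            return password.IndexOf(userName, StringComparison.Ordinal) >= 0
                ? "Password must not contain userName!"
                : "OK";
        }

        static void Main()
        {
            // Constructed evil input: nested quantifier with a forced final
            // failure, applied to a long run of 'a' characters.
            var evilUserName = "^(a+)+$";
            var longInput = new string('a', 30) + "!";

            Run("escaped", () => AuthenticateEscaped(evilUserName, longInput));
            Run("plain", () => AuthenticatePlain(evilUserName, longInput));
            // The vulnerable variant backtracks exponentially on longInput;
            // it is only run on a short input here so the program terminates.
            Run("vulnerable (short input)", () => AuthenticateVulnerable(evilUserName, "aaa!"));
        }

        static void Run(string label, Func<string> check)
        {
            var sw = Stopwatch.StartNew();
            var result = check();
            sw.Stop();
            Console.WriteLine($"{label}: {result} ({sw.ElapsedMilliseconds} ms)");
        }
    }
}
```

With the escaped pattern the 30-character input returns "OK" immediately, because the escaped `^(a+)+$` can only match itself literally; the substring variant behaves the same without any regex cost. The timeout in the second variant is defence in depth for patterns that are trusted but still badly written: `RegexMatchTimeoutException` is the signal to log and reject rather than to retry.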

@aibaars
Contributor

aibaars commented Jun 22, 2023

I think the C# version of the query only flags up remote user input.

It would make sense for the query to also complain about user input from other sources such as the command line or files.

@dnovatchev
Author

> I think the C# version of the query only flags up remote user input.

@aibaars Thank you for explaining this!

> It would make sense for the query to also complain about user input from other sources such as the command line or files.

Yes, definitely. Even if the developer who writes this code will not "inflict self-wounds" in this case, he must be made aware that propagating this coding style when creating remotely-accessed applications might have a disastrous effect!

I would definitely support/vote for such natural completeness of CodeQL functionality.

Not to mention that it is easiest to produce complete code examples with just console applications.

On this note, where can one find a small, simple and complete C# codebase containing at least some vulnerability, that could be used as example when teaching CodeQL to other people?

Thanks,
Dimitre

@aibaars
Contributor

aibaars commented Jun 23, 2023

> On this note, where can one find a small, simple and complete C# codebase containing at least some vulnerability, that could be used as example when teaching CodeQL to other people?

You could try https://github.com/jerryhoff/WebGoat.NET . It's a deliberately vulnerable web application.

@dnovatchev
Author

Thank you Arthur!

Shall I now close this issue and open another one for the need to produce alerts even for "non-remote input", in order to alert the developer to the security weaknesses of their coding style?

These could then be flagged just as "warnings" instead of "errors", if someone still wants the reaction to "local input" vulnerabilities to be less critical than with remote input vulnerabilities.
