Fix #41, lint for regular expression catastrophic backtracking in re …

…module

CHANGELOG.md

@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ### Added
 - `DUO137`: lint for insecure itsdangerous kwarg usage ([#36](https://github.com/duo-labs/dlint/issues/36))
+- `DUO138`: lint for regular expression catastrophic backtracking in re module ([#41](https://github.com/duo-labs/dlint/issues/41))
 
 ### Fixed
 - False positive for `DUO137` when kwarg missing ([#39](https://github.com/duo-labs/dlint/issues/39))

dlint/__init__.py

@@ -8,6 +8,7 @@
 from . import linters  # noqa F401
 from . import multi  # noqa F401
 from . import namespace  # noqa F401
+from . import redos  # noqa F401
 from . import test  # noqa F401
 from . import tree  # noqa F401
 from . import util  # noqa F401

dlint/linters/__init__.py

@@ -26,6 +26,7 @@
 from .bad_os_use import BadOSUseLinter
 from .bad_popen2_use import BadPopen2UseLinter
 from .bad_random_generator_use import BadRandomGeneratorUseLinter
+from .bad_re_catastrophic_use import BadReCatastrophicUseLinter
 from .bad_requests_use import BadRequestsUseLinter
 from .bad_shelve_use import BadShelveUseLinter
 from .bad_subprocess_use import BadSubprocessUseLinter
@@ -66,6 +67,7 @@
     BadOSUseLinter,
     BadPopen2UseLinter,
     BadRandomGeneratorUseLinter,
+    BadReCatastrophicUseLinter,
     BadRequestsUseLinter,
     BadShelveUseLinter,
     BadSSLModuleAttributeUseLinter,

dlint/linters/bad_re_catastrophic_use.py

@@ -0,0 +1,76 @@
+#!/usr/bin/env python
+
+from __future__ import (
+    absolute_import,
+    division,
+    print_function,
+    unicode_literals,
+)
+
+import ast
+
+from .helpers import bad_module_attribute_use
+from . import base
+from .. import redos
+
+
+class BadReCatastrophicUseLinter(bad_module_attribute_use.BadModuleAttributeUseLinter):
+    """This linter looks for regular expression catastrophic backtracking in
+    the re module. Catastrophic backtracking can cause denial-of-service.
+    """
+    off_by_default = False
+
+    _code = 'DUO138'
+    _error_tmpl = 'DUO138 catastrophic "re" usage - denial-of-service possible'
+
+    @property
+    def illegal_module_attributes(self):
+        return {
+            're': [
+                'compile',
+                'search',
+                'match',
+                'fullmatch',
+                'split',
+                'findall',
+                'finditer',
+                'sub',
+                'subn',
+            ],
+        }
+
+    def __init__(self, *args, **kwargs):
+        self.calls = {}
+
+        super(BadReCatastrophicUseLinter, self).__init__(*args, **kwargs)
+
+    def visit_Call(self, node):
+        self.generic_visit(node)
+
+        self.calls[node.func] = node
+
+    def get_results(self):
+        pattern_argument_number = 0
+
+        def pattern_is_catastrophic(node):
+            call = self.calls.get(node)
+            if call is None or not call.args:
+                return False
+
+            pattern = call.args[pattern_argument_number]
+
+            # Only handle string literals for now
+            if not isinstance(pattern, ast.Str):
+                return False
+
+            return redos.detect.catastrophic(pattern.s)
+
+        return [
+            base.Flake8Result(
+                lineno=node.lineno,
+                col_offset=node.col_offset,
+                message=self._error_tmpl
+            )
+            for node in self.bad_nodes
+            if pattern_is_catastrophic(node)
+        ]

dlint/redos/__init__.py

@@ -0,0 +1,8 @@
+from __future__ import (
+    absolute_import,
+    division,
+    print_function,
+    unicode_literals,
+)
+
+from . import detect  # noqa F401

dlint/redos/__main__.py

@@ -0,0 +1,69 @@
+#!/usr/bin/env python
+
+from __future__ import (
+    absolute_import,
+    division,
+    print_function,
+    unicode_literals,
+)
+
+import argparse
+import sys
+
+from dlint import redos
+
+
+def parse_args():
+    p = argparse.ArgumentParser(description='''
+        Detect redos regular expression patterns from the command-line.
+        ''', formatter_class=argparse.RawTextHelpFormatter)
+
+    p.add_argument(
+        '-p',
+        '--pattern',
+        action='store',
+        required=True,
+        help='regular expression pattern'
+    )
+
+    dump_group = p.add_mutually_exclusive_group()
+
+    dump_group.add_argument(
+        '-d',
+        '--dump',
+        action='store_true',
+        help='print parsed pattern'
+    )
+    dump_group.add_argument(
+        '-t',
+        '--dump-tree',
+        action='store_true',
+        help='print parsed op node tree'
+    )
+
+    args = p.parse_args()
+
+    return args
+
+
+def main():
+    args = parse_args()
+
+    if args.dump:
+        redos.detect.dump(args.pattern)
+        return
+
+    if args.dump_tree:
+        redos.detect.dump_tree(args.pattern)
+        return
+
+    if args.pattern == '-':
+        pattern = sys.stdin.read()
+    else:
+        pattern = args.pattern
+
+    print((pattern, redos.detect.catastrophic(pattern)))
+
+
+if __name__ == "__main__":
+    main()