SONARPY-4278 Narrow S5852 to exponential backtracking and create S8786 (#1190)

Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
GitOrigin-RevId: 1bd378324f03e3ab6c032c0f4951629e9959ccc5

Author: 3 people

python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java

@@ -87,6 +87,7 @@
 import org.sonar.python.checks.regex.SingleCharacterAlternationCheck;
 import org.sonar.python.checks.regex.StringReplaceCheck;
 import org.sonar.python.checks.regex.SuperfluousCurlyBraceCheck;
+import org.sonar.python.checks.regex.SuperLinearRegexCheck;
 import org.sonar.python.checks.regex.UnquantifiedNonCapturingGroupCheck;
 import org.sonar.python.checks.regex.UnusedGroupNamesCheck;
 import org.sonar.python.checks.regex.VerboseRegexCheck;
@@ -424,6 +425,7 @@ public Stream<Class<?>> getChecks() {
       SklearnPipelineSpecifyMemoryArgumentCheck.class,
       SklearnPipelineParameterAreCorrectCheck.class,
       SuperfluousCurlyBraceCheck.class,
+      SuperLinearRegexCheck.class,
       SynchronousFileOperationsInAsyncCheck.class,
       SynchronousHttpOperationsInAsyncCheck.class,
       SynchronousSubprocessOperationsInAsyncCheck.class,

python-checks/src/main/java/org/sonar/python/checks/regex/AbstractRedosCheck.java

@@ -0,0 +1,41 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * You can redistribute and/or modify this program under the terms of
+ * the Sonar Source-Available License Version 1, as published by SonarSource Sàrl.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks.regex;
+
+import java.util.Optional;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonarsource.analyzer.commons.regex.MatchType;
+import org.sonarsource.analyzer.commons.regex.RegexParseResult;
+import org.sonarsource.analyzer.commons.regex.finders.RedosFinder;
+
+public abstract class AbstractRedosCheck extends AbstractRegexCheck {
+
+  @Override
+  public void checkRegex(RegexParseResult regexParseResult, CallExpression regexFunctionCall) {
+    MatchType matchType = RedosMatchTypeHelper.getMatchTypeFromCalledMethod(regexFunctionCall);
+    new PythonRedosFinder().checkRegex(regexParseResult, matchType, this::addIssue);
+  }
+
+  protected abstract Optional<String> buildMessage(RedosFinder.BacktrackingType backtrackingType, boolean regexContainsBackReference);
+
+  private class PythonRedosFinder extends RedosFinder {
+    @Override
+    protected Optional<String> message(RedosFinder.BacktrackingType backtrackingType, boolean regexContainsBackReference) {
+      return buildMessage(backtrackingType, regexContainsBackReference);
+    }
+  }
+}

python-checks/src/main/java/org/sonar/python/checks/regex/RedosCheck.java

@@ -18,111 +18,23 @@
 
 
 import java.util.Optional;
-import java.util.Set;
-import java.util.function.Predicate;
 import org.sonar.check.Rule;
-import org.sonar.plugins.python.api.symbols.Symbol;
-import org.sonar.plugins.python.api.symbols.Usage;
-import org.sonar.plugins.python.api.tree.AssignmentStatement;
-import org.sonar.plugins.python.api.tree.CallExpression;
-import org.sonar.plugins.python.api.tree.HasSymbol;
-import org.sonar.plugins.python.api.tree.Name;
-import org.sonar.plugins.python.api.tree.Tree;
-import org.sonar.python.tree.TreeUtils;
-import org.sonarsource.analyzer.commons.regex.MatchType;
-import org.sonarsource.analyzer.commons.regex.RegexParseResult;
 import org.sonarsource.analyzer.commons.regex.finders.RedosFinder;
 
-
 @Rule(key = "S5852")
-public class RedosCheck extends AbstractRegexCheck {
+public class RedosCheck extends AbstractRedosCheck {
 
   private static final String MESSAGE = """
     Make sure the regex used here, which is vulnerable to %s runtime due to backtracking,\
      cannot lead to denial of service.""";
   private static final String EXP = "exponential";
-  private static final String POLY = "polynomial";
-  private static final Set<String> FULL_MATCH_METHODS = Set.of("fullmatch");
-  private static final Set<String> PARTIAL_MATCH_METHODS = Set.of("findall", "search", "split", "sub", "subn");
-  private static final String COMPILE_METHOD = "compile";
 
   @Override
-  public void checkRegex(RegexParseResult regexParseResult, CallExpression regexFunctionCall) {
-    MatchType matchType = getMatchTypeFromCalledMethod(regexFunctionCall);
-    new PythonRedosFinder().checkRegex(regexParseResult, matchType, this::addIssue);
-  }
-
-  private static MatchType getMatchTypeFromCalledMethod(CallExpression regexFunctionCall) {
-    Symbol symbol = regexFunctionCall.calleeSymbol();
-    if (symbol == null) {
-      // Defensive, callee symbol should have been checked prior to calling "checkRegex"
-      return MatchType.UNKNOWN;
-    }
-    if (FULL_MATCH_METHODS.contains(symbol.name())) {
-      return MatchType.FULL;
-    }
-    if (PARTIAL_MATCH_METHODS.contains(symbol.name())) {
-      return MatchType.PARTIAL;
-    }
-    if (COMPILE_METHOD.equals(symbol.name())) {
-      return matchTypeOfCompiledPattern(regexFunctionCall);
-    }
-    return MatchType.UNKNOWN;
-  }
-
-  private static MatchType matchTypeOfCompiledPattern(CallExpression regexFunctionCall) {
-    return Optional.ofNullable(TreeUtils.firstAncestorOfKind(regexFunctionCall, Tree.Kind.ASSIGNMENT_STMT))
-      .map(AssignmentStatement.class::cast)
-      .map(a -> a.lhsExpressions().get(0).expressions().get(0))
-      .filter(lhs -> lhs.is(Tree.Kind.NAME))
-      .map(n -> (Name) n)
-      .map(HasSymbol::symbol)
-      .map(RedosCheck::getMatchTypeFromSymbolUsages)
-      .orElse(MatchType.UNKNOWN);
-  }
-
-  private static MatchType getMatchTypeFromSymbolUsages(Symbol s) {
-    boolean isUsedForFullMatch = s.usages().stream().map(Usage::tree).anyMatch(t -> isUsedInMethod(t, FULL_MATCH_METHODS));
-    boolean isUsedForPartialMatch = s.usages().stream().map(Usage::tree).anyMatch(t -> isUsedInMethod(t, PARTIAL_MATCH_METHODS));
-    return getMatchType(isUsedForFullMatch, isUsedForPartialMatch);
-  }
-
-  private static MatchType getMatchType(boolean isUsedForFullMatch, boolean isUsedForPartialMatch) {
-    if (isUsedForFullMatch && isUsedForPartialMatch) {
-      return MatchType.BOTH;
-    }
-    if (isUsedForFullMatch) {
-      return MatchType.FULL;
-    }
-    if (isUsedForPartialMatch) {
-      return MatchType.PARTIAL;
-    }
-    return MatchType.UNKNOWN;
-  }
-
-  private static boolean isUsedInMethod(Tree tree, Set<String> methodNames) {
-    return TreeUtils.firstAncestor(tree, isCallToMethod(methodNames)) != null;
-  }
-
-  private static Predicate<Tree> isCallToMethod(Set<String> methodNames) {
-    return tree -> Optional.ofNullable(tree)
-      .filter(t -> t.is(Tree.Kind.CALL_EXPR))
-      .map(CallExpression.class::cast)
-      .map(CallExpression::calleeSymbol)
-      .map(Symbol::name)
-      .filter(methodNames::contains)
-      .isPresent();
-  }
-
-  static class PythonRedosFinder extends RedosFinder {
-
-    @Override
-    protected Optional<String> message(RedosFinder.BacktrackingType backtrackingType, boolean regexContainsBackReference) {
-      return switch (backtrackingType) {
-        case ALWAYS_EXPONENTIAL, QUADRATIC_WHEN_OPTIMIZED, LINEAR_WHEN_OPTIMIZED -> Optional.of(String.format(MESSAGE, EXP));
-        case ALWAYS_QUADRATIC -> Optional.of(String.format(MESSAGE, POLY));
-        default -> Optional.empty();
-      };
-    }
+  protected Optional<String> buildMessage(RedosFinder.BacktrackingType backtrackingType, boolean regexContainsBackReference) {
+    return switch (backtrackingType) {
+      // Python has no JIT-style optimisation for QUADRATIC_WHEN_OPTIMIZED or LINEAR_WHEN_OPTIMIZED, so it stays in S5852
+      case ALWAYS_EXPONENTIAL, QUADRATIC_WHEN_OPTIMIZED, LINEAR_WHEN_OPTIMIZED -> Optional.of(String.format(MESSAGE, EXP));
+      default -> Optional.empty();
+    };
   }
 }

python-checks/src/main/java/org/sonar/python/checks/regex/RedosMatchTypeHelper.java

@@ -0,0 +1,102 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * You can redistribute and/or modify this program under the terms of
+ * the Sonar Source-Available License Version 1, as published by SonarSource Sàrl.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks.regex;
+
+import java.util.Optional;
+import java.util.Set;
+import java.util.function.Predicate;
+import org.sonar.plugins.python.api.symbols.Symbol;
+import org.sonar.plugins.python.api.symbols.Usage;
+import org.sonar.plugins.python.api.tree.AssignmentStatement;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.HasSymbol;
+import org.sonar.plugins.python.api.tree.Name;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.python.tree.TreeUtils;
+import org.sonarsource.analyzer.commons.regex.MatchType;
+
+final class RedosMatchTypeHelper {
+
+  private static final Set<String> FULL_MATCH_METHODS = Set.of("fullmatch");
+  private static final Set<String> PARTIAL_MATCH_METHODS = Set.of("findall", "search", "split", "sub", "subn");
+  private static final String COMPILE_METHOD = "compile";
+
+  private RedosMatchTypeHelper() {
+  }
+
+  static MatchType getMatchTypeFromCalledMethod(CallExpression regexFunctionCall) {
+    Symbol symbol = regexFunctionCall.calleeSymbol();
+    if (symbol == null) {
+      // Defensive: callee symbol should have been checked prior to calling "checkRegex"
+      return MatchType.UNKNOWN;
+    }
+    if (FULL_MATCH_METHODS.contains(symbol.name())) {
+      return MatchType.FULL;
+    }
+    if (PARTIAL_MATCH_METHODS.contains(symbol.name())) {
+      return MatchType.PARTIAL;
+    }
+    if (COMPILE_METHOD.equals(symbol.name())) {
+      return matchTypeOfCompiledPattern(regexFunctionCall);
+    }
+    return MatchType.UNKNOWN;
+  }
+
+  private static MatchType matchTypeOfCompiledPattern(CallExpression regexFunctionCall) {
+    return Optional.ofNullable(TreeUtils.firstAncestorOfKind(regexFunctionCall, Tree.Kind.ASSIGNMENT_STMT))
+      .map(AssignmentStatement.class::cast)
+      .map(a -> a.lhsExpressions().get(0).expressions().get(0))
+      .filter(lhs -> lhs.is(Tree.Kind.NAME))
+      .map(n -> (Name) n)
+      .map(HasSymbol::symbol)
+      .map(RedosMatchTypeHelper::getMatchTypeFromSymbolUsages)
+      .orElse(MatchType.UNKNOWN);
+  }
+
+  private static MatchType getMatchTypeFromSymbolUsages(Symbol s) {
+    boolean isUsedForFullMatch = s.usages().stream().map(Usage::tree).anyMatch(t -> isUsedInMethod(t, FULL_MATCH_METHODS));
+    boolean isUsedForPartialMatch = s.usages().stream().map(Usage::tree).anyMatch(t -> isUsedInMethod(t, PARTIAL_MATCH_METHODS));
+    return getMatchType(isUsedForFullMatch, isUsedForPartialMatch);
+  }
+
+  private static MatchType getMatchType(boolean isUsedForFullMatch, boolean isUsedForPartialMatch) {
+    if (isUsedForFullMatch && isUsedForPartialMatch) {
+      return MatchType.BOTH;
+    }
+    if (isUsedForFullMatch) {
+      return MatchType.FULL;
+    }
+    if (isUsedForPartialMatch) {
+      return MatchType.PARTIAL;
+    }
+    return MatchType.UNKNOWN;
+  }
+
+  private static boolean isUsedInMethod(Tree tree, Set<String> methodNames) {
+    return TreeUtils.firstAncestor(tree, isCallToMethod(methodNames)) != null;
+  }
+
+  private static Predicate<Tree> isCallToMethod(Set<String> methodNames) {
+    return tree -> Optional.ofNullable(tree)
+      .filter(t -> t.is(Tree.Kind.CALL_EXPR))
+      .map(CallExpression.class::cast)
+      .map(CallExpression::calleeSymbol)
+      .map(Symbol::name)
+      .filter(methodNames::contains)
+      .isPresent();
+  }
+}

python-checks/src/main/java/org/sonar/python/checks/regex/SuperLinearRegexCheck.java

@@ -0,0 +1,36 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * You can redistribute and/or modify this program under the terms of
+ * the Sonar Source-Available License Version 1, as published by SonarSource Sàrl.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks.regex;
+
+
+import java.util.Optional;
+import org.sonar.check.Rule;
+import org.sonarsource.analyzer.commons.regex.finders.RedosFinder;
+
+@Rule(key = "S8786")
+public class SuperLinearRegexCheck extends AbstractRedosCheck {
+
+  private static final String MESSAGE = "Simplify this regular expression to reduce its runtime, as it has super-linear performance due to backtracking.";
+
+  @Override
+  protected Optional<String> buildMessage(RedosFinder.BacktrackingType backtrackingType, boolean regexContainsBackReference) {
+    return switch (backtrackingType) {
+      case ALWAYS_QUADRATIC -> Optional.of(MESSAGE);
+      default -> Optional.empty();
+    };
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8786.html

@@ -0,0 +1,46 @@
+<p>Regular expression engines rely on backtracking to evaluate patterns against input. Certain regex patterns lead to non-linear backtracking, where
+the evaluation time grows polynomially with input size.</p>
+<h2>Why is this an issue?</h2>
+<p>Regular expression engines use backtracking to try all possible execution paths when evaluating a pattern against an input. In some cases, this
+leads to non-linear backtracking where the worst-case evaluation time grows polynomially (e.g., O(n²) or O(n³)) with the input size. While not as
+severe as catastrophic backtracking, such patterns can significantly degrade application performance when processing large or untrusted inputs.</p>
+<p>This rule reports regular expressions that exhibit non-linear backtracking behavior.</p>
+<h2>How to fix it</h2>
+<p>To fix a regular expression with non-linear backtracking, consider the following strategies:</p>
+<ul>
+  <li>Replace <code>.</code> with negated character classes to exclude separators where applicable (e.g., <code><strong></strong></code><strong>
+  instead of <code>.</code></strong> before <code>,</code>).</li>
+  <li>Use bounded quantifiers such as <code>{1,5}</code> to limit repetitions.</li>
+  <li>Restructure alternations and quantifiers to eliminate ambiguity — avoid patterns where multiple alternatives can match the same character.</li>
+  <li>Use possessive quantifiers and atomic grouping (available since Python 3.11) to prevent the regex engine from keeping backtracking
+  positions.</li>
+</ul>
+<h3>Code examples</h3>
+<p>The following regular expression has polynomial backtracking: without a start anchor, the engine retries the pattern at every position, leading to
+quadratic evaluation time when there is no match.</p>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+import re
+
+re.search(r"a+b", input)  # Noncompliant - polynomial backtracking when the pattern does not match
+</pre>
+<h4>Compliant solution</h4>
+<p>Adding a start anchor prevents the engine from retrying at every position:</p>
+<pre data-diff-id="1" data-diff-type="compliant">
+import re
+
+re.search(r"^a+b", input)  # Compliant - anchor eliminates redundant backtracking positions
+</pre>
+<h2>Resources</h2>
+<h3>Articles &amp; blog posts</h3>
+<ul>
+  <li><a href="https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS">owasp.org</a> - Regular expression Denial of
+  Service - ReDoS</li>
+  <li><a href="https://www.regular-expressions.info/catastrophic.html">regular-expressions.info</a> - Runaway Regular Expressions: Catastrophic
+  Backtracking</li>
+</ul>
+<h3>Related rules</h3>
+<ul>
+  <li>{rule:python:S5852} - Regular expressions should not cause catastrophic backtracking</li>
+</ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S8786.json

@@ -0,0 +1,24 @@
+{
+  "title": "Regular expressions should not cause non-linear backtracking",
+  "type": "CODE_SMELL",
+  "code": {
+    "impacts": {
+      "RELIABILITY": "MEDIUM"
+    },
+    "attribute": "EFFICIENT"
+  },
+  "status": "ready",
+  "quickfix": "unknown",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "20min"
+  },
+  "tags": [
+    "regex",
+    "performance"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-8786",
+  "sqKey": "S8786",
+  "scope": "All"
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_agentic_AI_profile.json

@@ -305,6 +305,7 @@
     "S8411",
     "S8413",
     "S8414",
-    "S8415"
+    "S8415",
+    "S8786"
   ]
 }