Regular expression models for literals

[pkesseli]

As discussed in the workplace group I added support for source models for literals matching configurable regular expressions. The models.md documentation outlines what that would look like:

---

Example literal models:

[
  {
    "pattern": "SELECT \\*.*",
    "description": "Potential SQL Query",
    "sources": [
      {
        "kind": "SqlQuery"
      }
    ]
  },
  {
    "pattern": "AI[0-9A-Z]{16}",
    "description": "Suspected Google API Key",
    "sources": [
      {
        "kind": "GoogleAPIKey"
      }
    ]
  }
]

Example code:

void testRegexSource() {
  String prefix = "SELECT * FROM USERS WHERE id = ";
  String aci = getAttackerControlledInput();
  String query = prefix + aci; // Sink
}

void testRegexSourceGoogleApiKey() {
  String secret = "AIABCD1234EFGH5678";
  sink(secret);
}

---

Reviewer note

In order to test these changes, I added new classes and methods to source/tests/integration/end-to-end/library_classes, which causes a significant amount of unrelated changes to other tests' expected_xxx.json. I tried to constrain those changes to the commit Update library_classes.

[yuhshin-oss]

Thanks! Looks pretty good to me :D Just small comments/nits

[yuhshin-oss]

nit: spelling "Indicates"

[pkesseli]

🐱‍👓

[yuhshin-oss]

nit: we generally don't define json keys as constants in our code base (reasoning being that it adds another level of indirection for something that is quite localized). We just use the string literal at the call-site directly

[yuhshin-oss]

nit: I think check_unexpected_members already calls validate_object

[yuhshin-oss]

nit: think we usually do:

for (const auto& [pattern, model] : literal_models_) {
  if (pattern.matches(literal)) {
    // ...
  }
}

[yuhshin-oss]

nit: we usually have the word "issue" somewhere in the method name if we're expecting an issue there... so maybe testRegexSourceIssue() or something? (and testRegexSourceNoMatchNoIssue() when there are no issues expected)

[pkesseli]

I also realised since I updated library_classes I also affected source/tests/integration/end-to-end/code/check_cast_types, which doesn't get run by default in tests.yml. I updated those expected JSON files in my latest push as well now.

I manually compiled check_cast_types/KotlinCheckCast.kt and added it to the JAR - not sure whether that's intended way of running this test, but it produced the same JSON output files again except for my new models in library_classes. 🙂

[facebook-github-bot]

@yuhshin-oss has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

[yuhshin-oss]

Missed this before, but let's use <re2/re2.h> instead

[yuhshin-oss]

Missed this before, but let's use <re2/re2.h> instead

[yuhshin-oss]

nit: style:

if (model.empty()) {
  return false;
}

[yuhshin-oss]

Similarly, use <re2/re2.h> instead.

[yuhshin-oss]

nit:

} // namespace marianatrench

[yuhshin-oss]

Ugh, couple of clangtidy/format issues showing up internally that's too tedious to type all of them here. If you can address the RE2 one, we should be able to auto-format after importing

[pkesseli]

Ugh, couple of clangtidy/format issues showing up internally that's too tedious to type all of them here. If you can address the RE2 one, we should be able to auto-format after importing

Thanks, all addressed. I wasn't sure how to run the linter myself, otherwise I would have checked for that!

[facebook-github-bot]

@yuhshin-oss has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

[arthaud]

Sorry for coming up late on this, I saw a few things after @yuhshin-oss that I think are worth improving. Please bear with me.

[arthaud]

I think we should use a strong update here. This could matter if this is in a loop.

[arthaud]

You are using std::move on a const ref, that does nothing. might as well remove that std::move.

[pkesseli]

Thanks, I changed this to a const ref when I migrated to re2 and I missed the move.

[arthaud]

so we create a LiteralModel with an empty string and a pattern for the empty string?
I would prefer if this was more clear in the internal state, for instance we could use a std::optional<re2::RE2>.

[pkesseli]

I now used an optional, and we do not match anything if default.

[arthaud]

We usually take by copy in those cases.
See https://www.youtube.com/watch?v=PNRju6_yn3o

Also, as a rule of thumb, let's be consistent with the rest of the codebase.

[pkesseli]

Replaced by a std::string_view.

[arthaud]

Well technically std::string_view is worse in the case where we move a std::string, it will make an extra copy.
but performance is not a problem here unless proven otherwise, so that's fine.

[pkesseli]

I am not sure I am seeing an extra copy in that case? std::string_view doesn't have a constructor for std::string &&, so won't it just do the same as usual and just copy the pointer and length? And the constructor of RE2 will always copy exactly once, irrespective of whether we use const std::string & or const StringPiece &/std::string_view, since StringPiece has a string_view constructor.

I thus defaulted to std::string_view since it doesn't require the caller to use std::move. Having said that, we invoke this constructor exactly once with an rvalue anyway, so I just changed it to an std::string to keep things simple and consistent. 🙂

[arthaud]

If the patterns are different I think it would make sense to set it to null/empty?

[pkesseli]

Now checking if they have the same pattern, resetting regex_ otherwise.

[arthaud]

We don't need to store the pattern since RE2 already does it. We could get it with regex_.pattern().

[pkesseli]

Thanks, this was still an artifact from using std::regex before I migrated to RE2.

[arthaud]

nitpick: we usually use literal_models_.end(). Let's be consistent with the rest of the codebase.

[arthaud]

pre-existing but we should probably rewrite this with a proper iterator. These index computations are error prone.

[pkesseli]

I'm not sure what refactoring you have in mind here. Presently these models are stored in three different vectors and accessed based on the current batch number. Is there an iterator-based API in sparta that I should use?

[arthaud]

Just to be clear, I'm not expecting you to implement this here. This could be done in another PR, or we could do this internally.

Anyway, I changed my mind here. Yes we could probably make this work with iterators but the fact that iterators hide the indexing will make this code unreadable.

What might make it easier to read is abstracting away "models + field_models + literal_models". We could have:

class ModelVector {
  public:
   std::size_t size() const { return _models.size() + _field_models.size() + _literal_models.size(); }

  // TODO: find a better name..
  Json::Value json_for_index(std::size_t i) {
    if (i < _models.size()) {
      return _models[i].to_json();
    }
    i -= _models.size();
    if (i < _field_models.size()) {
      return _field_models[i].to_json();
    }
    i -= _field_models.size();
    if (i < _literal_models.size()) {
      return _literal_models[i].to_json();
    }
    mt_unreachable("invalid index");
  }

  private:
    std::vector<Model> _models;
    std::vector<FieldModel> _field_models;
    std::vector<LiteralModel> _literal_models;
}

[arthaud]

Could we change the name of this method?
When I read get I usually expect a O(1) but here we loop over all literal models.
Also, we might want another API latter that is an actual get for a given pattern.
I would call it match_literal or something.
Also nitpick: the comment above says "These are thread-safe" but your implementation of get is not thread-safe (iterating on a ConcurrentMap is not thread safe). I think it's fine though as long as there are no mutations in parallel.

[pkesseli]

Technically not my comment, but definitely surprised to learn that concurrent traversal in redex' ConcurrentMap is not safe. Not what I'm used to from concurrent_unordered_map. 🙂

Since I renamed the method, I now moved it away from those two get mehods and gave it a comment of its own.

[arthaud]

Could all changes to library_classes be in a different PR? This causes a lot of changes in integration tests that are not related to the PR, making it hard to review.

[pkesseli]

Not a problem, here is the extracted PR:
#140

[arthaud]

Thanks, could you rebase this on top of master now that #140 was merged?

[pkesseli]

Done!

[arthaud]

I guess this is because re2::RE2 is not copyable? That's annoying.

[pkesseli]

Correct:

  // Not copyable.
  // RE2 objects are expensive. You should probably use std::shared_ptr<RE2>
  // instead. If you really must copy, RE2(first.pattern(), first.options())
  // effectively does so: it produces a second object that mimics the first.
  RE2(const RE2&) = delete;

One alternative would indeed be to use a shared_ptr instead of an optional, RE2 objects are safe for concurrent use after all. Happy to apply that change if preferred.

[arthaud]

I think that's fine as is :)

[arthaud]

Could we return a std::optional instead? Not a fan of implicitly returning "no pattern".

[arthaud]

nitpick: We generally prefer the early-return pattern, instead of nesting if blocks.

Suggested change

	if (this != &other) {
	if (this == &other) {
	return;
	}

[arthaud]

We should check beforehand if the pattern is empty

[pkesseli]

Omitted now if the pattern is empty.

[arthaud]

Fine, let's keep it for consistency.

[arthaud]

Maybe assert that the pattern is non-empty?

[pkesseli]

Now using mt_assert:

const std::optional<std::string> pattern{literal_model.pattern()};
mt_assert(pattern);

[facebook-github-bot]

@arthaud has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

[facebook-github-bot]

@arthaud merged this pull request in c266c18.