github
diff --git a/‎java/ql/lib/semmle/code/java/regex/RegexDiffInformed.qll
Copy file name to clipboard
+28 b/‎java/ql/lib/semmle/code/java/regex/RegexDiffInformed.qll
Copy file name to clipboard
+28
diff --git a/‎java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll
Copy file name to clipboardExpand all lines: java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll
+9 b/‎java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll
Copy file name to clipboardExpand all lines: java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll
+9
diff --git a/‎java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
Copy file name to clipboardExpand all lines: java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
+9 b/‎java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
Copy file name to clipboardExpand all lines: java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
+9
diff --git a/‎java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql
Copy file name to clipboardExpand all lines: java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql
+8 b/‎java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql
Copy file name to clipboardExpand all lines: java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql
+8
diff --git a/‎java/ql/src/Security/CWE/CWE-730/ReDoS.ql
Copy file name to clipboardExpand all lines: java/ql/src/Security/CWE/CWE-730/ReDoS.ql
+8 b/‎java/ql/src/Security/CWE/CWE-730/ReDoS.ql
Copy file name to clipboardExpand all lines: java/ql/src/Security/CWE/CWE-730/ReDoS.ql
+8
@@ -0,0 +1,28 @@
+private import java
+private import semmle.code.java.dataflow.DataFlow
+private import codeql.util.Unit
+
+/**
+ * An extension point to allow a query to detect only the regular expressions
+ * it needs in diff-informed incremental mode. The data-flow analysis that's
+ * modified by this class has its sources as (certain) string literals and its
+ * sinks as regular-expression matches.
+ */
+class RegexDiffInformedConfig instanceof Unit {
+  /**
+   * Holds if discovery of regular expressions should be diff-informed, which
+   * is possible when there cannot be any elements selected by the query in the
+   * diff range except the regular expressions and (locations derived from) the
+   * places where they are matched against.
+   */
+  abstract predicate observeDiffInformedIncrementalMode();
+
+  /**
+   * Gets a location of a regex match that will be part of the query results.
+   * If the query does not select the match locations, this predicate can be
+   * `none()` for performance.
+   */
+  abstract Location getASelectedSinkLocation(DataFlow::Node sink);
+
+  string toString() { result = "RegexDiffInformedConfig" }
+}
@@ -6,6 +6,7 @@ import java
 import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.security.SecurityTests
+private import RegexDiffInformed
 
 private class ExploitableStringLiteral extends StringLiteral {
   ExploitableStringLiteral() { this.getValue().matches(["%+%", "%*%", "%{%}%"]) }
@@ -157,6 +158,14 @@ private module RegexFlowConfig implements DataFlow::ConfigSig {
   }
 
   int fieldFlowBranchLimit() { result = 1 }
+
+  predicate observeDiffInformedIncrementalMode() {
+    exists(RegexDiffInformedConfig c | c.observeDiffInformedIncrementalMode())
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(RegexDiffInformedConfig c | result = c.getASelectedSinkLocation(sink))
+  }
 }
 
 private module RegexFlow = DataFlow::Global<RegexFlowConfig>;
 
@@ -4,6 +4,7 @@ private import semmle.code.java.regex.RegexTreeView::RegexTreeView as TreeView
 import codeql.regex.nfa.SuperlinearBackTracking::Make<TreeView> as SuperlinearBackTracking
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.regex.RegexFlowConfigs
+import semmle.code.java.regex.RegexDiffInformed
 import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.Sanitizers
 
@@ -33,6 +34,14 @@ private class LengthRestrictedMethod extends Method {
   }
 }
 
+class PolynomialRedDosDiffInformed extends RegexDiffInformedConfig {
+  override predicate observeDiffInformedIncrementalMode() {
+    not PolynomialRedosFlow::hasSourceInDiffRange()
+  }
+
+  override Location getASelectedSinkLocation(DataFlow::Node sink) { result = sink.getLocation() }
+}
+
 /** A configuration for Polynomial ReDoS queries. */
 module PolynomialRedosConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
 
@@ -12,9 +12,17 @@
  *       external/cwe/cwe-020
  */
 
+import semmle.code.java.regex.RegexDiffInformed
+import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.regex.RegexTreeView::RegexTreeView as TreeView
 import codeql.regex.OverlyLargeRangeQuery::Make<TreeView>
 
+class OverlyLargeRangeDiffInformed extends RegexDiffInformedConfig {
+  override predicate observeDiffInformedIncrementalMode() { any() }
+
+  override Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
+}
+
 TreeView::RegExpCharacterClass potentialMisparsedCharClass() {
   // nested char classes are currently misparsed
   result.getAChild().(TreeView::RegExpNormalChar).getValue() = "["
 
@@ -14,9 +14,17 @@
  *       external/cwe/cwe-400
  */
 
+import semmle.code.java.regex.RegexDiffInformed
+import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.regex.RegexTreeView::RegexTreeView as TreeView
 import codeql.regex.nfa.ExponentialBackTracking::Make<TreeView> as ExponentialBackTracking
 
+class ReDoSDiffInformed extends RegexDiffInformedConfig {
+  override predicate observeDiffInformedIncrementalMode() { any() }
+
+  override Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
+}
+
 from TreeView::RegExpTerm t, string pump, ExponentialBackTracking::State s, string prefixMsg
 where
   ExponentialBackTracking::hasReDoSResult(t, pump, s, prefixMsg) and