sqry-core 6.0.21

Core library for sqry - semantic code search engine
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220

//! Tests to verify regex validator security
//!
//! NOTE: Consecutive quantifier validation has been REMOVED as of Sprint 1 Phase 1.
//! Rust's `regex` crate uses Thompson NFA/DFA construction and is immune to catastrophic
//! backtracking. Patterns like .*.+, \w*\w*, [a-z]+\d* are safe and will not cause `ReDoS`.
//!
//! We still check nested quantifiers (e.g., (a+)+) for code clarity, as they can indicate
//! logic errors, even though they don't cause performance issues.
//!
//! See `CRGREP_RUST_COMPARISON.md` and `PHASE1_CODEX_REVIEW_RESPONSE.md` for detailed rationale.

use sqry_core::ast::parse_query;

use sqry_core::test_support::verbosity;
use std::sync::Once;

// Initialize verbose logging once for all tests in this file
static INIT: Once = Once::new();

fn init_logging() {
    INIT.call_once(|| {
        verbosity::init(env!("CARGO_PKG_NAME"));
    });
}

#[test]
fn test_consecutive_quantifiers_allowed() {
    init_logging();
    log::info!("Testing test_consecutive_quantifiers_allowed");

    println!("\n=== Verifying Consecutive Quantifiers Are Allowed ===\n");
    println!("NOTE: Rust's regex crate is immune to catastrophic backtracking.\n");

    // These patterns are SAFE in Rust and should be ALLOWED
    let safe_patterns = vec![
        (".*.*", "consecutive wildcards - safe"),
        (".+.+", "consecutive plus wildcards - safe"),
        ("\\w*\\w*", "consecutive word quantifiers - safe"),
        ("\\d+\\d+", "consecutive digit quantifiers - safe"),
        ("[a-z]+\\d*", "disjoint character classes - safe"),
        ("\\w+\\s*", "word followed by whitespace - safe"),
    ];

    for (pattern, desc) in safe_patterns {
        println!("Testing: {pattern} ({desc})");
        let result = parse_query(&format!("name~={pattern}"));
        match result {
            Ok(_) => println!("  ✓ ALLOWED (correct - Rust regex is safe)"),
            Err(e) => panic!("FALSE POSITIVE: Safe pattern '{pattern}' was blocked: {e}"),
        }
    }

    println!("\nAll consecutive quantifier patterns are allowed (as expected).");
    println!("Rust's regex crate guarantees O(n) matching time.");
}

#[test]
fn test_nested_quantifiers_detection() {
    println!("\n=== Testing Nested Quantifiers ===\n");

    let dangerous_patterns = vec![
        ("(a+)+", "nested quantifiers"),
        ("(x*)*", "nested star quantifiers"),
        ("(\\w+)+", "nested word quantifiers"),
    ];

    for (pattern, desc) in dangerous_patterns {
        println!("Testing: {pattern} ({desc})");

        let result = parse_query(&format!("name~={pattern}"));

        match result {
            Ok(_) => {
                println!("  ⚠️  VULNERABILITY: Pattern '{pattern}' was ALLOWED");
                println!("      This can cause exponential backtracking!");
            }
            Err(e) => {
                println!("  ✓ BLOCKED: {e}");
            }
        }
    }

    // Validator SHOULD block (x+)+ according to code (lines 107-114)
    let result_nested = parse_query("name~=(a+)+");
    assert!(
        result_nested.is_err(),
        "Pattern '(a+)+' should be blocked (nested quantifiers)"
    );
}

#[test]
fn test_lookahead_quantifiers() {
    println!("\n=== Testing Lookahead/Lookbehind Quantifiers (M1 from review) ===\n");

    // M1: Patterns with quantified lookaheads can be expensive
    let patterns = vec![
        ("(?=a+)+", "quantified lookahead"),
        ("(?!x*)*", "quantified negative lookahead"),
    ];

    for (pattern, desc) in patterns {
        println!("Testing: {pattern} ({desc})");

        let result = parse_query(&format!("name~={pattern}"));

        match result {
            Ok(_) => {
                println!("  ⚠️  MEDIUM RISK: Pattern '{pattern}' was ALLOWED");
                println!("      Lookaheads with quantifiers can be expensive");
            }
            Err(e) => {
                println!("  ✓ BLOCKED: {e}");
            }
        }
    }

    // Review says this is MEDIUM severity and currently not detected
    // Let's verify
    let result = parse_query("name~=(?=a+)+");
    if result.is_ok() {
        println!("\n⚠️  CONFIRMED: Lookahead quantifiers not currently detected");
        println!("   Severity: MEDIUM (per review)");
        println!("   Recommendation: Document as known limitation or add detection");
    }
}

#[test]
fn test_safe_patterns_allowed() {
    println!("\n=== Testing Safe Patterns (Should Be Allowed) ===\n");

    let safe_patterns = vec![
        (".*", "single wildcard quantifier"),
        ("a+", "simple quantifier"),
        ("\\w+", "word quantifier"),
        ("(a|b)", "alternation without quantifier"),
        ("a{1,10}", "bounded repetition"),
    ];

    for (pattern, desc) in safe_patterns {
        println!("Testing: {pattern} ({desc})");

        let result = parse_query(&format!("name~={pattern}"));

        match result {
            Ok(_) => {
                println!("  ✓ ALLOWED (correct)");
            }
            Err(e) => {
                println!("  ❌ BLOCKED (should be allowed): {e}");
            }
        }
    }

    // Safe patterns should be allowed
    let result = parse_query("name~=.*");
    assert!(result.is_ok(), "Safe pattern '.*' should be allowed");
}

// NOTE: Consecutive quantifier validation has been removed.
//
// Rust's `regex` crate uses Thompson NFA/DFA construction and is immune to
// catastrophic backtracking. Patterns like .*.+, \w*\w*, or [a-z]+\d* are safe.
//
// This test has been removed. See CRGREP_RUST_COMPARISON.md for rationale.

#[test]
fn test_deep_alternation_patterns() {
    println!("\n=== Testing Deep Alternation Patterns ===\n");

    // Deep nesting without quantifiers — should be ALLOWED
    let safe_nested = vec![
        ("(a|(b|c))", "nested alternation depth 2"),
        ("((foo|bar)|baz)", "nested alternation depth 2 reversed"),
        ("(a|(b|(c|d)))", "nested alternation depth 3"),
    ];

    for (pattern, desc) in safe_nested {
        println!("Testing: {pattern} ({desc})");
        let result = parse_query(&format!("name~={pattern}"));
        match result {
            Ok(_) => println!("  ✓ ALLOWED (correct)"),
            Err(e) => {
                println!("  ❌ BLOCKED (should be allowed): {e}");
                panic!("FALSE POSITIVE: Nested alternation '{pattern}' should be allowed");
            }
        }
    }
}

#[test]
fn test_boolean_grouping_with_regex_alternation() {
    println!("\n=== Testing Boolean Grouping vs Regex Alternation ===\n");

    // Boolean grouping with parentheses — should work
    let boolean_queries = vec![
        "(kind:function AND name~=foo)",
        "(kind:method OR kind:function)",
        "((kind:function AND name~=foo) OR name~=bar)",
    ];

    for query in boolean_queries {
        println!("Testing boolean: {query}");
        let result = parse_query(query);
        match result {
            Ok(_) => println!("  ✓ Boolean grouping works"),
            Err(e) => {
                println!("  ❌ Boolean grouping broken: {e}");
                panic!("REGRESSION: Boolean grouping '{query}' should work");
            }
        }
    }

    // Regex alternation in name predicate — should work
    println!("\nTesting regex alternation: name~=(foo|bar)");
    let result = parse_query("name~=(foo|bar)");
    match result {
        Ok(_) => println!("  ✓ Regex alternation works"),
        Err(e) => panic!("REGRESSION: Regex alternation should work: {e}"),
    }
}