Fix potential polynomial Regular Expression Denial of Service in the DataSource mechanism (GHSA-rqpx-f6rc-7hm5)

Signed-off-by: Olivier Perrin <[email protected]>

Author: olperr1

ampl-converter/src/main/java/com/powsybl/ampl/converter/AmplNetworkReader.java

@@ -8,6 +8,8 @@
 package com.powsybl.ampl.converter;
 
 import com.powsybl.commons.datasource.ReadOnlyDataSource;
+import com.google.re2j.Matcher;
+import com.google.re2j.Pattern;
 import com.powsybl.commons.util.StringToIntMapper;
 import com.powsybl.iidm.network.*;
 import org.slf4j.Logger;
@@ -21,8 +23,6 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.function.Function;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 
 import static com.powsybl.ampl.converter.AmplConstants.DEFAULT_VARIANT_INDEX;

cgmes/cgmes-conversion/src/main/java/com/powsybl/cgmes/conversion/export/CgmesExportUtil.java

@@ -7,6 +7,7 @@
  */
 package com.powsybl.cgmes.conversion.export;
 
+import com.google.re2j.Pattern;
 import com.powsybl.cgmes.conversion.CgmesReports;
 import com.powsybl.cgmes.conversion.Conversion;
 import com.powsybl.cgmes.conversion.export.elements.RegulatingControlEq;
@@ -34,7 +35,6 @@
 import java.time.ZonedDateTime;
 import java.time.format.DateTimeFormatter;
 import java.util.*;
-import java.util.regex.Pattern;
 
 import static com.powsybl.cgmes.conversion.naming.CgmesObjectReference.ref;
 import static com.powsybl.cgmes.conversion.naming.CgmesObjectReference.refTyped;

cgmes/cgmes-conversion/src/test/java/com/powsybl/cgmes/conversion/test/ConversionUtil.java

@@ -7,6 +7,8 @@
  */
 package com.powsybl.cgmes.conversion.test;
 
+import com.google.re2j.Matcher;
+import com.google.re2j.Pattern;
 import com.powsybl.cgmes.conversion.CgmesExport;
 import com.powsybl.cgmes.conversion.CgmesImportPostProcessor;
 import com.powsybl.cgmes.conversion.Conversion;
@@ -29,8 +31,6 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.*;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 /**
  * @author Geoffroy Jamgotchian {@literal <geoffroy.jamgotchian at rte-france.com>}
@@ -135,6 +135,14 @@ public static long getElementCount(String xmlFile, String className) {
         String regex = "(<cim:" + className + " (rdf:ID=\"_|rdf:about=\"#_).*?\")>";
         Pattern pattern = Pattern.compile(regex);
         Matcher matcher = pattern.matcher(xmlFile);
-        return matcher.results().count();
+        return matcherCount(matcher);
+    }
+
+    public static int matcherCount(Matcher matcher) {
+        int count = 0;
+        while (matcher.find()) {
+            count++;
+        }
+        return count;
     }
 }

cgmes/cgmes-conversion/src/test/java/com/powsybl/cgmes/conversion/test/OperationalLimitConversionTest.java

@@ -15,9 +15,10 @@
 import com.powsybl.iidm.network.*;
 import org.junit.jupiter.api.Test;
 
+import com.google.re2j.Pattern;
+
 import java.io.IOException;
 import java.util.*;
-import java.util.regex.Pattern;
 
 import static com.powsybl.cgmes.conversion.test.ConversionUtil.*;
 import static org.junit.jupiter.api.Assertions.*;

cgmes/cgmes-conversion/src/test/java/com/powsybl/cgmes/conversion/test/export/CgmesExportTest.java

@@ -9,6 +9,8 @@
 
 import com.google.common.jimfs.Configuration;
 import com.google.common.jimfs.Jimfs;
+import com.google.re2j.Matcher;
+import com.google.re2j.Pattern;
 import com.powsybl.cgmes.conformity.CgmesConformity1Catalog;
 import com.powsybl.cgmes.conformity.CgmesConformity1ModifiedCatalog;
 import com.powsybl.cgmes.conversion.CgmesExport;
@@ -36,8 +38,6 @@
 import java.nio.file.*;
 import java.util.List;
 import java.util.Properties;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 import static com.powsybl.cgmes.conversion.test.ConversionUtil.*;
 import static org.junit.jupiter.api.Assertions.*;
@@ -414,7 +414,7 @@ void testModelEquipmentOperationProfile() throws IOException {
             String regex = "<md:Model.profile>http://entsoe.eu/CIM/EquipmentOperation/3/1</md:Model.profile>";
             Pattern pattern = Pattern.compile(regex);
             Matcher matcher = pattern.matcher(eqFile);
-            assertEquals(1, matcher.results().count());
+            assertEquals(1, matcherCount(matcher));
         }
     }
 

cgmes/cgmes-conversion/src/test/java/com/powsybl/cgmes/conversion/test/export/CommonGridModelExportTest.java

@@ -7,6 +7,7 @@
  */
 package com.powsybl.cgmes.conversion.test.export;
 
+import com.google.re2j.Pattern;
 import com.powsybl.cgmes.conformity.CgmesConformity1Catalog;
 import com.powsybl.cgmes.conversion.CgmesExport;
 import com.powsybl.cgmes.extensions.CgmesMetadataModels;
@@ -35,7 +36,6 @@
 import java.nio.file.Path;
 import java.time.ZonedDateTime;
 import java.util.*;
-import java.util.regex.Pattern;
 
 import static com.powsybl.cgmes.conversion.test.ConversionUtil.*;
 import static org.junit.jupiter.api.Assertions.assertEquals;

cgmes/cgmes-conversion/src/test/java/com/powsybl/cgmes/conversion/test/export/EquipmentExportTest.java

@@ -36,6 +36,8 @@
 import com.powsybl.iidm.network.util.BranchData;
 import com.powsybl.iidm.network.util.TwtData;
 
+import com.google.re2j.Matcher;
+import com.google.re2j.Pattern;
 import org.apache.commons.lang3.tuple.Pair;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -52,8 +54,6 @@
 import java.nio.file.Path;
 import java.nio.file.FileSystem;
 import java.util.*;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 import com.google.common.jimfs.Configuration;
 import com.google.common.jimfs.Jimfs;
 

cgmes/cgmes-conversion/src/test/java/com/powsybl/cgmes/conversion/test/export/LegacyCommonGridModelExportTest.java

@@ -7,6 +7,8 @@
  */
 package com.powsybl.cgmes.conversion.test.export;
 
+import com.google.re2j.Matcher;
+import com.google.re2j.Pattern;
 import com.powsybl.cgmes.conformity.CgmesConformity1ModifiedCatalog;
 import com.powsybl.cgmes.conversion.CgmesExport;
 import com.powsybl.cgmes.extensions.CgmesMetadataModels;
@@ -22,8 +24,6 @@
 import java.io.IOException;
 import java.nio.file.Files;
 import java.util.*;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 import static com.powsybl.cgmes.conversion.Conversion.CGMES_PREFIX_ALIAS_PROPERTIES;
 import static org.junit.jupiter.api.Assertions.*;

cgmes/cgmes-conversion/src/test/java/com/powsybl/cgmes/conversion/test/export/StateVariablesExportTest.java

@@ -7,6 +7,8 @@
  */
 package com.powsybl.cgmes.conversion.test.export;
 
+import com.google.re2j.Matcher;
+import com.google.re2j.Pattern;
 import com.powsybl.cgmes.conformity.*;
 import com.powsybl.cgmes.conversion.CgmesExport;
 import com.powsybl.cgmes.conversion.CgmesImport;
@@ -43,11 +45,10 @@
 import java.nio.file.Path;
 import java.util.*;
 import java.util.function.Consumer;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
+import static com.powsybl.cgmes.conversion.test.ConversionUtil.matcherCount;
 import static org.junit.jupiter.api.Assertions.*;
 
 /**
@@ -696,7 +697,7 @@ void testWriteBoundaryTnInTopologicalIsland() throws XMLStreamException {
         ReferenceTerminals.addTerminal(terminal.get());
         String sv = exportSvAsString(network, false);
         Pattern p = Pattern.compile("<cim:TopologicalIsland.TopologicalNodes rdf:resource=");
-        assertEquals(10, p.matcher(sv).results().count());
+        assertEquals(10, matcherCount(p.matcher(sv)));
         // 10 is the number of topological nodes in the island associated to buses and to dangling lines
         assertEquals(5, network.getBusBreakerView().getBusStream().count());
         assertEquals(5, network.getDanglingLineStream().count());

cgmes/cgmes-conversion/src/test/java/com/powsybl/cgmes/conversion/test/export/issues/ConsiderValidMasterRIDWithLeadingUnderscoreTest.java

@@ -7,6 +7,8 @@
  */
 package com.powsybl.cgmes.conversion.test.export.issues;
 
+import com.google.re2j.Matcher;
+import com.google.re2j.Pattern;
 import com.powsybl.cgmes.conversion.CgmesExport;
 import com.powsybl.cgmes.conversion.export.CgmesExportUtil;
 import com.powsybl.commons.test.AbstractSerDeTest;
@@ -16,8 +18,6 @@
 import java.io.IOException;
 import java.nio.file.Files;
 import java.util.*;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 import static org.junit.jupiter.api.Assertions.assertTrue;
 

cgmes/cgmes-conversion/src/test/java/com/powsybl/cgmes/conversion/test/export/issues/ExportNumberMaxValueTest.java

@@ -1,5 +1,7 @@
 package com.powsybl.cgmes.conversion.test.export.issues;
 
+import com.google.re2j.Matcher;
+import com.google.re2j.Pattern;
 import com.powsybl.cgmes.conversion.CgmesExport;
 import com.powsybl.commons.test.AbstractSerDeTest;
 import com.powsybl.iidm.network.*;
@@ -8,8 +10,6 @@
 import java.io.IOException;
 import java.nio.file.Files;
 import java.util.Properties;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 import static org.junit.jupiter.api.Assertions.*;
 

cgmes/cgmes-conversion/src/test/java/com/powsybl/cgmes/conversion/test/export/issues/ModelIdTest.java

@@ -7,6 +7,8 @@
  */
 package com.powsybl.cgmes.conversion.test.export.issues;
 
+import com.google.re2j.Matcher;
+import com.google.re2j.Pattern;
 import com.powsybl.cgmes.conversion.CgmesExport;
 import com.powsybl.cgmes.extensions.CgmesMetadataModelsAdder;
 import com.powsybl.cgmes.model.CgmesSubset;
@@ -24,8 +26,6 @@
 import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 import static org.junit.jupiter.api.Assertions.*;
 

cgmes/cgmes-model/src/main/java/com/powsybl/cgmes/model/CgmesNamespace.java

@@ -9,14 +9,14 @@
 
 import com.google.common.collect.BiMap;
 import com.google.common.collect.HashBiMap;
+import com.google.re2j.Pattern;
 import com.powsybl.commons.PowsyblException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import java.util.regex.Pattern;
 
 /**
  * @author Geoffroy Jamgotchian {@literal <geoffroy.jamgotchian at rte-france.com>}

cgmes/cgmes-model/src/main/java/com/powsybl/cgmes/model/triplestore/CgmesModelTripleStore.java

@@ -8,6 +8,8 @@
 
 package com.powsybl.cgmes.model.triplestore;
 
+import com.google.re2j.Matcher;
+import com.google.re2j.Pattern;
 import com.powsybl.cgmes.model.*;
 import com.powsybl.commons.datasource.DataSource;
 import com.powsybl.commons.report.ReportNode;
@@ -31,8 +33,6 @@
 import java.util.Objects;
 import java.util.Set;
 import java.util.function.Consumer;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 import static com.powsybl.cgmes.model.CgmesNamespace.CGMES_EQ_3_OR_GREATER_PREFIX;
 import static com.powsybl.cgmes.model.CgmesNamespace.CIM_100_EQ_PROFILE;

commons/pom.xml

@@ -56,6 +56,10 @@
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
         </dependency>
+        <dependency>
+            <groupId>com.google.re2j</groupId>
+            <artifactId>re2j</artifactId>
+        </dependency>
         <dependency>
             <groupId>com.univocity</groupId>
             <artifactId>univocity-parsers</artifactId>
@@ -123,6 +127,11 @@
             <artifactId>jimfs</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.awaitility</groupId>
+            <artifactId>awaitility</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter</artifactId>

commons/src/main/java/com/powsybl/commons/datasource/DirectoryDataSource.java

@@ -7,14 +7,15 @@
  */
 package com.powsybl.commons.datasource;
 
+import com.google.re2j.Pattern;
+
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Objects;
 import java.util.Set;
-import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 

commons/src/main/java/com/powsybl/commons/datasource/ReadOnlyMemDataSource.java

@@ -8,6 +8,7 @@
 package com.powsybl.commons.datasource;
 
 import com.google.common.io.ByteStreams;
+import com.google.re2j.Pattern;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -17,7 +18,6 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
-import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 
 /**

commons/src/main/java/com/powsybl/commons/datasource/ResourceDataSource.java

@@ -7,12 +7,13 @@
  */
 package com.powsybl.commons.datasource;
 
+import com.google.re2j.Pattern;
+
 import java.io.InputStream;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Objects;
 import java.util.Set;
-import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 
 /**

commons/src/main/java/com/powsybl/commons/datasource/TarArchiveDataSource.java

@@ -8,6 +8,7 @@
 package com.powsybl.commons.datasource;
 
 import com.google.common.io.ByteStreams;
+import com.google.re2j.Pattern;
 import com.powsybl.commons.io.ForwardingInputStream;
 import com.powsybl.commons.io.ForwardingOutputStream;
 import org.apache.commons.compress.archivers.ArchiveEntry;
@@ -31,7 +32,6 @@
 import java.util.HashSet;
 import java.util.Objects;
 import java.util.Set;
-import java.util.regex.Pattern;
 
 /**
  * @author Nicolas Rol {@literal <nicolas.rol at rte-france.com>}

commons/src/main/java/com/powsybl/commons/datasource/ZipArchiveDataSource.java

@@ -8,6 +8,7 @@
 package com.powsybl.commons.datasource;
 
 import com.google.common.io.ByteStreams;
+import com.google.re2j.Pattern;
 import com.powsybl.commons.io.ForwardingInputStream;
 import com.powsybl.commons.io.ForwardingOutputStream;
 import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
@@ -23,7 +24,6 @@
 import java.util.HashSet;
 import java.util.Objects;
 import java.util.Set;
-import java.util.regex.Pattern;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipOutputStream;
 

commons/src/test/java/com/powsybl/commons/datasource/AbstractFileSystemDataSourceTest.java

@@ -21,12 +21,17 @@
 import java.util.Set;
 import java.util.stream.Collectors;
 
-import static org.junit.jupiter.api.Assertions.*;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertInstanceOf;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
 
 /**
  * @author Nicolas Rol {@literal <nicolas.rol at rte-france.com>}
  */
-abstract class AbstractFileSystemDataSourceTest {
+abstract class AbstractFileSystemDataSourceTest extends AbstractReadOnlyDataSourceTest {
     protected FileSystem fileSystem;
     protected Path testDir;
     protected Set<String> unlistedFiles;