Skip to content

Python: Fix false positive for unmatchable dollar/caret #20495

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Python: Fix false positive for unmatchable dollar/caret #20495

wants to merge 2 commits into from
+66 −29

Conversation

tausbn
Copy link
Contributor

@tausbn tausbn commented Sep 19, 2025

Our previous modelling did not account for the fact that a lookahead can potentially extend all the way to the end of the input (and similarly, that a lookbehind can extend all the way to the beginning).

To fix this, I extended firstPart and lastPart to handle lookbehinds and lookaheads correctly, and added some test cases (all of which yield no new results).

Fixes #20429.

@tausbn
Python: Fix false positive for unmatchable dollar/caret
95a84ad 
Our previous modelling did not account for the fact that a lookahead can
potentially extend all the way to the end of the input (and similarly,
that a lookbehind can extend all the way to the beginning).

To fix this, I extended `firstPart` and `lastPart` to handle lookbehinds
and lookaheads correctly, and added some test cases (all of which yield
no new results).

Fixes #20429.
@smowton smowton mentioned this pull request Sep 19, 2025
Open
@tausbn tausbn marked this pull request as ready for review September 19, 2025 18:49
@tausbn tausbn requested a review from a team as a code owner September 19, 2025 18:49
@Copilot Copilot AI review requested due to automatic review settings September 19, 2025 18:49
Copilot
Copilot AI reviewed Sep 19, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes false positives in CodeQL queries that check for unmatchable $ and ^ anchors in regular expressions by improving the handling of lookahead and lookbehind assertions. The fix ensures that anchors inside these assertions are correctly analyzed for their potential to match the beginning or end of input.

Key changes:

  • Extended lookahead/lookbehind predicate signatures to include content boundaries
  • Updated firstPart and lastPart logic to handle assertions that can reach string boundaries
  • Added test cases covering various lookahead and lookbehind scenarios

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Show a summary per file
File Description
python/ql/lib/semmle/python/regexp/internal/ParseRegExp.qll Core fix: extended assertion predicates and added logic for handling assertions in first/last part detection
python/ql/lib/semmle/python/regexp/RegexTreeView.qll Updated calls to assertion predicates to match new signatures
python/ql/test/query-tests/Expressions/Regex/test.py Added test cases for lookahead and lookbehind assertions
python/ql/test/library-tests/regex/FirstLast.expected Updated expected test results reflecting the improved analysis
python/ql/src/change-notes/2025-09-19-fix-unmatchable-dollar-and-caret-in-assertions.md Added release notes documenting the fix

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
documentation Python
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

False positive: Unmatchable dollar in regular expression with lookahead assertion
1 participant
@tausbn