Validate regex patterns against non-backtracking engine (#16687)

jeskew · web-flow · commit 1f661a23c4a3 · 2025-03-24T09:27:19.000-04:00
Resolves #16676 Resolves #16681 ###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/16687)
diff --git a/src/Bicep.Core.IntegrationTests/ScenarioTests.cs b/src/Bicep.Core.IntegrationTests/ScenarioTests.cs
@@ -7080,4 +7080,39 @@ public void DependsOn_on_existing_resource_triggers_languageVersion_2()
         result.Template.Should().HaveValueAtPath("$.languageVersion", "2.0");
         result.Template.Should().HaveJsonAtPath("$.resources.sa.dependsOn", """["empty"]""");
     }
+
+    [TestMethod]
+    public void Non_spec_compliant_provider_sourced_regexes_degrade_gracefully()
+    {
+        var result = CompilationHelper.Compile("""
+            param name string
+            param location string = resourceGroup().location
+            param sku object
+            param administratorLogin string
+            @secure()
+            param administratorLoginPassword string
+            param version string
+
+            resource mysqlServer 'Microsoft.DBforMySQL/flexibleServers@2023-06-30' = {
+              name: name
+              location: location
+              sku: sku
+              properties: {
+                version: version
+                administratorLogin: administratorLogin
+                administratorLoginPassword: administratorLoginPassword
+              }
+
+              resource firewall_all 'firewallRules' = {
+                name: 'allow-all-IPs'
+                properties: {
+                  startIpAddress: '0.0.0.0'
+                  endIpAddress: '255.255.255.255'
+                }
+              }
+            }
+            """);
+
+        result.ExcludingLinterDiagnostics().Should().NotHaveAnyDiagnostics();
+    }
 }
diff --git a/src/Bicep.Core/TypeSystem/Providers/Az/AzResourceTypeFactory.cs b/src/Bicep.Core/TypeSystem/Providers/Az/AzResourceTypeFactory.cs
@@ -115,7 +115,7 @@ private TypeSymbol ToTypeSymbol(Azure.Bicep.Types.Concrete.TypeBase typeBase, bo
                 case Azure.Bicep.Types.Concrete.StringType @string:
                     return TypeFactory.CreateStringType(@string.MinLength,
                         @string.MaxLength,
-                        @string.Pattern,
+                        TypeHelper.AsOptionalValidFiniteRegexPattern(@string.Pattern),
                         GetValidationFlags(isResourceBodyType, isResourceBodyTopLevelPropertyType));
                 case Azure.Bicep.Types.Concrete.BuiltInType builtInType:
                     return builtInType.Kind switch
diff --git a/src/Bicep.Core/TypeSystem/Providers/MicrosoftGraph/MicrosoftGraphResourceTypeFactory.cs b/src/Bicep.Core/TypeSystem/Providers/MicrosoftGraph/MicrosoftGraphResourceTypeFactory.cs
@@ -91,7 +91,7 @@ private TypeSymbol ToTypeSymbol(Azure.Bicep.Types.Concrete.TypeBase typeBase, bo
                     return TypeFactory.CreateStringType(
                         @string.MinLength,
                         @string.MaxLength,
-                        @string.Pattern);
+                        TypeHelper.AsOptionalValidFiniteRegexPattern(@string.Pattern));
                 case Azure.Bicep.Types.Concrete.BuiltInType builtInType:
                     return builtInType.Kind switch
                     {
diff --git a/src/Bicep.Core/TypeSystem/Providers/ThirdParty/ExtensibilityResourceTypeFactory.cs b/src/Bicep.Core/TypeSystem/Providers/ThirdParty/ExtensibilityResourceTypeFactory.cs
@@ -135,7 +135,7 @@ private TypeSymbol ToTypeSymbol(Azure.Bicep.Types.Concrete.TypeBase typeBase, bo
                     return TypeFactory.CreateStringType(
                         @string.MinLength,
                         @string.MaxLength,
-                        @string.Pattern);
+                        TypeHelper.AsOptionalValidFiniteRegexPattern(@string.Pattern));
                 case Azure.Bicep.Types.Concrete.BuiltInType builtInType:
                     return builtInType.Kind switch
                     {
diff --git a/src/Bicep.Core/TypeSystem/TypeHelper.cs b/src/Bicep.Core/TypeSystem/TypeHelper.cs
@@ -721,6 +721,41 @@ private static ObjectType RemovePropertyFlagsRecursively(
                 property.Flags & ~flagsToRemove,
                 property.Description));
 
+        /// <summary>
+        /// Validates that the supplied pattern is: 1) a syntactically valid regular expression, and 2) compatible with
+        /// .NET's non-backtracking regular expression engine.
+        /// </summary>
+        /// <param name="pattern">The regular expression pattern</param>
+        /// <returns>The pattern string iff it can be used with the non-backtracking engine.</returns>
+        public static string? AsOptionalValidFiniteRegexPattern(string? pattern)
+        {
+            if (pattern is not null && TryGetRegularExpressionValidationException(pattern) is null)
+            {
+                return pattern;
+            }
+
+            return null;
+        }
+
+        /// <summary>
+        /// Attempts to instantiate a <see cref="Regex"/> with the supplied pattern and returns the error raised
+        /// thereby.
+        /// </summary>
+        /// <param name="pattern">The regular expression pattern</param>
+        /// <returns>The exception raised by <see cref="Regex.Regex(string, RegexOptions)"/>, if any.</returns>
+        public static Exception? TryGetRegularExpressionValidationException(string pattern)
+        {
+            try
+            {
+                var _ = new Regex(pattern, RegexOptions.NonBacktracking);
+                return null;
+            }
+            catch (Exception e)
+            {
+                return e;
+            }
+        }
+
         public static bool MatchesPattern(string pattern, string value)
             => Regex.IsMatch(value, pattern, RegexOptions.NonBacktracking);
     }
diff --git a/src/Bicep.Core/TypeSystem/Types/StringType.cs b/src/Bicep.Core/TypeSystem/Types/StringType.cs
@@ -8,6 +8,11 @@ public class StringType : TypeSymbol
     internal StringType(long? minLength, long? maxLength, string? pattern, TypeSymbolValidationFlags validationFlags)
         : base(LanguageConstants.TypeNameString)
     {
+        if (pattern is not null && TypeHelper.TryGetRegularExpressionValidationException(pattern) is { } error)
+        {
+            throw new ArgumentException($"The supplied regular expression pattern /{pattern}/ is not valid", error);
+        }
+
         ValidationFlags = validationFlags;
         MinLength = minLength;
         MaxLength = maxLength;

Original file line number	Diff line number	Diff line change
`@@ -91,7 +91,7 @@ private TypeSymbol ToTypeSymbol(Azure.Bicep.Types.Concrete.TypeBase typeBase, bo`
`91`	`91`	`return TypeFactory.CreateStringType(`
`92`	`92`	`@string.MinLength,`
`93`	`93`	`@string.MaxLength,`
`94`		`- @string.Pattern);`
	`94`	`+ TypeHelper.AsOptionalValidFiniteRegexPattern(@string.Pattern));`
`95`	`95`	`case Azure.Bicep.Types.Concrete.BuiltInType builtInType:`
`96`	`96`	`return builtInType.Kind switch`
`97`	`97`	`{`
Original file line number	Diff line number	Diff line change
`@@ -135,7 +135,7 @@ private TypeSymbol ToTypeSymbol(Azure.Bicep.Types.Concrete.TypeBase typeBase, bo`
`135`	`135`	`return TypeFactory.CreateStringType(`
`136`	`136`	`@string.MinLength,`
`137`	`137`	`@string.MaxLength,`
`138`		`- @string.Pattern);`
	`138`	`+ TypeHelper.AsOptionalValidFiniteRegexPattern(@string.Pattern));`
`139`	`139`	`case Azure.Bicep.Types.Concrete.BuiltInType builtInType:`
`140`	`140`	`return builtInType.Kind switch`
`141`	`141`	`{`