Merge pull request #87 from dvershinin/copilot/report-invalid-regex-location

Add invalid_regex plugin to detect nonexistent regex capture groups

Author: dvershinin

README.md

@@ -45,6 +45,7 @@ Right now Gixy can find:
 *   [[error_log_off] `error_log` set to `off`](https://gixy.getpagespeed.com/en/plugins/error_log_off/)
 *   [[unanchored_regex] Regular expression without anchors](https://gixy.getpagespeed.com/en/plugins/unanchored_regex/)
 *   [[regex_redos] Regular expressions may result in easy denial-of-service (ReDoS) attacks](https://gixy.getpagespeed.com/en/plugins/regex_redos/)
+*   [[invalid_regex] Using a nonexistent regex capture group](https://github.com/dvershinin/gixy/blob/master/docs/en/plugins/invalid_regex.md)
 
 You can find things that Gixy is learning to detect at [Issues labeled with "new plugin"](https://github.com/dvershinin/gixy/issues?q=is%3Aissue+is%3Aopen+label%3A%22new+plugin%22)
 

docs/en/plugins/invalid_regex.md

@@ -0,0 +1,123 @@
+# [invalid_regex] Using a nonexistent regex capture group
+
+When using regular expressions with capturing groups in NGINX directives like `rewrite` or within `if` conditions, you can reference these captured groups using `$1`, `$2`, etc. in replacement strings or subsequent directives. However, if you reference a capture group that doesn't exist in the regex pattern, NGINX will treat it as an empty string, which can lead to unexpected behavior.
+
+## How can I find it?
+
+You should check:
+- `rewrite` directives where the replacement string references capture groups (e.g., `$1`, `$2`) that don't exist in the regex pattern
+- `set` directives inside `if` blocks that reference capture groups from the `if` condition's regex pattern
+- Non-capturing groups like `(?:...)` or inline modifiers like `(?i)` which don't create numbered capture groups
+
+## Examples
+
+### Example 1: Non-capturing inline modifier
+
+**Problematic configuration:**
+```nginx
+server {
+    location / {
+        # (?i) is a case-insensitive flag, NOT a capturing group
+        rewrite "(?i)/" $1 break;
+    }
+}
+```
+
+**Issue:** The pattern `(?i)/` uses `(?i)` to enable case-insensitive matching, but it doesn't create a capturing group. The `$1` reference will be empty.
+
+**Fix:**
+```nginx
+server {
+    location / {
+        # Add parentheses to create a capturing group
+        rewrite "(?i)/(.*)" /$1 break;
+    }
+}
+```
+
+### Example 2: Missing capture groups
+
+**Problematic configuration:**
+```nginx
+server {
+    location / {
+        rewrite "^/path" $1 redirect;
+    }
+}
+```
+
+**Issue:** The pattern `^/path` has no capturing groups, so `$1` will be empty.
+
+**Fix:**
+```nginx
+server {
+    location / {
+        # Either remove the unnecessary $1 reference
+        rewrite "^/path" /newpath redirect;
+        # Or add a capturing group if needed
+        rewrite "^/path/(.*)$" /newpath/$1 redirect;
+    }
+}
+```
+
+### Example 3: Referencing wrong group number
+
+**Problematic configuration:**
+```nginx
+server {
+    location / {
+        # Pattern has only 1 capturing group, but references $2
+        rewrite "^/(.*)$" /$1/$2 break;
+    }
+}
+```
+
+**Issue:** The pattern only has one capturing group `(.*)`, but the replacement references both `$1` and `$2`. The `$2` will be empty.
+
+**Fix:**
+```nginx
+server {
+    location / {
+        # Add a second capturing group if needed
+        rewrite "^/([^/]+)/(.*)$" /$2/$1 break;
+        # Or remove the invalid reference
+        rewrite "^/(.*)$" /prefix/$1 break;
+    }
+}
+```
+
+### Example 4: Set in if block
+
+**Problematic configuration:**
+```nginx
+server {
+    location / {
+        if ($uri ~ "^/path") {
+            set $x $1;  # $1 doesn't exist
+        }
+    }
+}
+```
+
+**Issue:** The regex pattern in the `if` condition has no capturing groups, so `$1` is undefined.
+
+**Fix:**
+```nginx
+server {
+    location / {
+        if ($uri ~ "^/path/(.*)$") {
+            set $x $1;  # Now $1 contains the captured value
+        }
+    }
+}
+```
+
+## What can I do?
+
+1. **Add capturing groups to your regex pattern** if you need to reference parts of the matched string
+2. **Remove unnecessary capture group references** if you don't actually need them
+3. **Use the correct group numbers** - remember that group numbering starts at 1, and `$0` is not available in NGINX
+4. **Remember that non-capturing groups don't create references** - patterns like `(?:...)`, `(?i)`, `(?=...)` don't create numbered groups
+5. **Test your regex patterns** to ensure they capture what you expect
+
+--8<-- "en/snippets/nginx-extras-cta.md"

gixy/plugins/invalid_regex.py

@@ -0,0 +1,148 @@
+import re
+import gixy
+from gixy.plugins.plugin import Plugin
+from gixy.core.regexp import Regexp
+
+
+class invalid_regex(Plugin):
+    """
+    Detects when a directive references a regex capture group ($1, $2, etc.) 
+    that doesn't exist in the associated regex pattern.
+    
+    Insecure examples:
+        rewrite "(?i)/" $1 break;  # (?i) is a non-capturing flag, no groups exist
+        rewrite "^/path" $1 redirect;  # No capturing groups in pattern
+        if ($uri ~ "^/test") { set $x $1; }  # No capturing groups in pattern
+    """
+
+    summary = 'Using a nonexistent regex capture group.'
+    severity = gixy.severity.MEDIUM
+    description = 'Referencing a capture group (like $1, $2) that does not exist in the regex pattern will result in an empty value.'
+    help_url = 'https://nginx.org/en/docs/http/ngx_http_rewrite_module.html'
+    directives = ['rewrite', 'set']
+
+    # Pattern to find $1, $2, etc. references in strings
+    CAPTURE_GROUP_REF = re.compile(r'\$([1-9]\d*)')
+
+    def audit(self, directive):
+        if directive.name == 'rewrite':
+            self._audit_rewrite(directive)
+        elif directive.name == 'set':
+            self._audit_set(directive)
+
+    def _audit_rewrite(self, directive):
+        """Audit rewrite directives for invalid group references."""
+        if len(directive.args) < 2:
+            return
+
+        pattern = directive.args[0]
+        replacement = directive.args[1]
+        
+        # Find all referenced capture groups in the replacement string
+        referenced_groups = set()
+        for match in self.CAPTURE_GROUP_REF.finditer(replacement):
+            referenced_groups.add(int(match.group(1)))
+        
+        if not referenced_groups:
+            return
+        
+        # Parse the regex to determine available groups
+        try:
+            regexp = Regexp(pattern, case_sensitive=True)
+            available_groups = set(regexp.groups.keys())
+            # Remove group 0 (the full match) from available groups
+            available_groups.discard(0)
+        except Exception:
+            # If we can't parse the regex, skip this check
+            return
+        
+        # Check for referenced groups that don't exist
+        invalid_groups = referenced_groups - available_groups
+        
+        if invalid_groups:
+            invalid_list = ', '.join(f'${g}' for g in sorted(invalid_groups))
+            if len(available_groups) == 0:
+                reason = (
+                    f'The replacement string references capture group(s) {invalid_list}, '
+                    f'but the pattern "{pattern}" has no capturing groups.'
+                )
+            else:
+                available_list = ', '.join(f'${g}' for g in sorted(available_groups))
+                reason = (
+                    f'The replacement string references capture group(s) {invalid_list}, '
+                    f'but the pattern "{pattern}" only has {available_list}.'
+                )
+            
+            self.add_issue(
+                directive=directive,
+                reason=reason
+            )
+
+    def _audit_set(self, directive):
+        """Audit set directives that may reference regex groups from parent if blocks."""
+        if len(directive.args) < 2:
+            return
+        
+        value = directive.args[1]
+        
+        # Find all referenced capture groups
+        referenced_groups = set()
+        for match in self.CAPTURE_GROUP_REF.finditer(value):
+            referenced_groups.add(int(match.group(1)))
+        
+        if not referenced_groups:
+            return
+        
+        # Check if this set is inside an if block with a regex
+        parent = directive.parent
+        if_directive = None
+        
+        while parent and not if_directive:
+            if hasattr(parent, 'name') and parent.name == 'if':
+                if_directive = parent
+                break
+            parent = getattr(parent, 'parent', None)
+        
+        if not if_directive:
+            # Not in an if block, can't determine regex context
+            return
+        
+        # Check if the if condition has a regex operator
+        if not hasattr(if_directive, 'args') or len(if_directive.args) < 3:
+            return
+        
+        operator = if_directive.args[1]
+        if operator not in ['~', '~*']:
+            return
+        
+        pattern = if_directive.args[2]
+        
+        # Parse the regex to determine available groups
+        try:
+            regexp = Regexp(pattern, case_sensitive=(operator == '~'))
+            available_groups = set(regexp.groups.keys())
+            available_groups.discard(0)
+        except Exception:
+            return
+        
+        # Check for referenced groups that don't exist
+        invalid_groups = referenced_groups - available_groups
+        
+        if invalid_groups:
+            invalid_list = ', '.join(f'${g}' for g in sorted(invalid_groups))
+            if len(available_groups) == 0:
+                reason = (
+                    f'The set directive references capture group(s) {invalid_list}, '
+                    f'but the if condition pattern "{pattern}" has no capturing groups.'
+                )
+            else:
+                available_list = ', '.join(f'${g}' for g in sorted(available_groups))
+                reason = (
+                    f'The set directive references capture group(s) {invalid_list}, '
+                    f'but the if condition pattern "{pattern}" only has {available_list}.'
+                )
+            
+            self.add_issue(
+                directive=[directive, if_directive],
+                reason=reason
+            )

tests/plugins/simply/invalid_regex/if_no_groups.conf

@@ -0,0 +1,8 @@
+server {
+    location / {
+        if ($uri ~ "^/path") {
+            # Invalid: if regex has no groups
+            set $x $1;
+        }
+    }
+}

tests/plugins/simply/invalid_regex/if_valid_group_fp.conf

@@ -0,0 +1,8 @@
+server {
+    location / {
+        if ($uri ~ "^/(.*)$") {
+            # Valid: if regex has groups
+            set $x $1;
+        }
+    }
+}

tests/plugins/simply/invalid_regex/multiple_groups_fp.conf

@@ -0,0 +1,6 @@
+server {
+    location / {
+        # Valid: Multiple groups referenced correctly
+        rewrite "^/([^/]+)/([^/]+)$" /$2/$1 break;
+    }
+}

tests/plugins/simply/invalid_regex/no_groups.conf

@@ -0,0 +1,6 @@
+server {
+    location / {
+        # No capturing groups, but references $1
+        rewrite "(?i)/" $1 break;
+    }
+}

tests/plugins/simply/invalid_regex/no_refs_fp.conf

@@ -0,0 +1,6 @@
+server {
+    location / {
+        # Valid: No group references
+        rewrite "^/old$" /new break;
+    }
+}

tests/plugins/simply/invalid_regex/valid_group_fp.conf

@@ -0,0 +1,6 @@
+server {
+    location / {
+        # Valid: has capturing group and references it correctly
+        rewrite "^/(.*)$" /$1 break;
+    }
+}

tests/plugins/simply/invalid_regex/wrong_group.conf

@@ -0,0 +1,6 @@
+server {
+    location / {
+        # One group, but references $2
+        rewrite "^/(.*)$" /$1/$2 break;
+    }
+}