Semgrep-sast fails scanning minified JS using eslint.detect-object-injection rule

Summary

Starting with semgrep:2.20.0, semgrep-sast jobs may choke on minified JavaScript using the eslint.detect-object-injection rule.

With semgrep:2.19.1, the semgrep-sast job executes quickly and successfully produces results.

Scanning the same file with semgrep:2.20.0 (and every release since), the job runs for 10+ minutes before failing with:

[FATA] [Semgrep] [2022-05-26T20:34:43Z] ▶ open /builds/greg/287451-semgrep-bug/semgrep.sarif: no such file or directory

The problem appears to be caused by the introduction of this eslint.detect-object-injection rule.

rules:
- id: eslint.detect-object-injection
  patterns:
    - pattern: $O[$ARG]
    - pattern-not: $O["..."]
    - pattern-not: "$O[($ARG : float)]"
    - pattern-not-inside: |
        $ARG = [$V];
        ...
        <... $O[$ARG] ...>;
    - pattern-not-inside: |
        $ARG = $V;
        ...
        <... $O[$ARG] ...>;
    - metavariable-regex:
        metavariable: $ARG
        regex: (?![0-9]+)
  message: "Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype, leading to possible code execution."
  languages:
    - javascript
    - typescript
  severity: WARNING
  metadata:
    cwe: "CWE-94: Improper Control of Generation of Code ('Code Injection')"

Steps to reproduce

  1. Fork this project https://gitlab.com/greg/287451-semgrep-bug
  2. Trigger a pipeline
  3. Note that the semgrep-sast job runs for an unusually long amount of time, then inevitably fails (as described in Summary)

Example Project

What is the current bug behavior?

Semgrep chokes while analyzing the minified swagger-ui-es-bundle-core.js file using the eslint.detect-object-injection rule, causing the job to run for 10+ minutes before failing with open /builds/namespace/project/semgrep.sarif: no such file or directory.

What is the expected correct behavior?

Semgrep doesn't choke when analyzing minified JavaScript using the eslint.detect-object-injection rule.

https://gitlab.com/greg/287451-semgrep-bug/-/jobs/2507636890

Relevant logs and/or screenshots

Output of checks

This bug happens on GitLab.com

Possible fixes

Fix the rule?
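
For context on what the rule quoted in the Summary looks for: it matches any computed member access `$O[$ARG]` whose index is not a string literal. The following is an added example, not code from this issue or from the Semgrep ruleset; `handlers`, `resolveUnsafe`, `resolveOwn`, `resolveMap` and `audit` are constructed names. It shows the lookup shape the rule message warns about next to two hardened forms.

```javascript
// Added example with constructed names: the $O[$ARG] lookup shape that
// eslint.detect-object-injection targets, beside two hardened lookups.

const handlers = {
  ping: () => 'pong',
  version: () => '1.0.0',
};

// Shape the rule describes: the index is a caller-supplied value, so keys
// inherited from Object.prototype ("constructor", "__proto__", ...) resolve.
function resolveUnsafe(action) {
  return handlers[action];
}

// Hardened form 1: only resolve keys that are own properties of the table.
// The bracket access is still present, so a purely syntactic rule may still
// report this line; the guard is what a reviewer checks for during triage.
function resolveOwn(action) {
  return Object.prototype.hasOwnProperty.call(handlers, action)
    ? handlers[action]
    : undefined;
}

// Hardened form 2: a Map has no prototype chain in its key space and needs
// no bracket notation at all.
const handlerMap = new Map(Object.entries(handlers));
function resolveMap(action) {
  return handlerMap.get(action);
}

// Constructed probe keys: one legitimate key and three inherited ones.
const PROBES = ['ping', 'constructor', '__proto__', 'toString'];

// Return the probe keys that a given resolver resolves to something.
function audit(resolve) {
  return PROBES.filter((key) => resolve(key) !== undefined);
}

console.log('unsafe:', audit(resolveUnsafe));
console.log('own   :', audit(resolveOwn));
console.log('map   :', audit(resolveMap));
```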