hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-06 23:56:48 +01:00
Code Issues Packages Projects Releases Wiki Activity

Modify isAdditionalTaintStep

Browse Source
This commit is contained in:
haby0
2021-07-27 10:59:38 +08:00
parent 291ca3830a
commit 00f13e1e6e
5 changed files with 87 additions and 168 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.java
View File

@@ -62,78 +62,42 @@ public class UnsafeReflection {
private Object invokeService(String beanIdOrClassName, String methodName, MultipartFile[] files, List<Object> data) throws Exception {
BeanFactory beanFactory = new BeanFactory();
try {
Object bean = null;
String beanName = null;
Class<?> beanClass = null;
try {
beanClass = Class.forName(beanIdOrClassName);
beanName = StringUtils.uncapitalize(beanClass.getSimpleName());
} catch (ClassNotFoundException classNotFoundException) {
beanName = beanIdOrClassName;
}
try {
bean = beanFactory.getBean(beanName);
} catch (BeansException beansException) {
bean = beanFactory.getBean(beanClass);
}
byte b;
int i;
Method[] arrayOfMethod;
for (i = (arrayOfMethod = bean.getClass().getMethods()).length, b = 0; b < i; ) {
Method method = arrayOfMethod[b];
if (!method.getName().equals(methodName)) {
b++;
continue;
}
ProxygenSerializer serializer = new ProxygenSerializer();
Object[] methodInput = serializer.deserializeMethodInput(data, files, method);
Object result = method.invoke(bean, methodInput);
Map<String, Object> map = new HashMap<>();
map.put("result", serializer.serialize(result));
return map;
}
} catch (Exception e) {
return e;
}
return null;
try {
Object bean = null;
Class<?> beanClass = Class.forName(beanIdOrClassName);
bean = beanFactory.getBean(beanClass);
byte b;
int i;
Method[] arrayOfMethod;
for (i = (arrayOfMethod = bean.getClass().getMethods()).length, b = 0; b < i; ) {
Method method = arrayOfMethod[b];
if (!method.getName().equals(methodName)) {
b++;
continue;
}
Object result = method.invoke(bean, data);
Map<String, Object> map = new HashMap<>();
return map;
}
} catch (Exception e) {
return e;
}
return null;
}
}
class BeansException extends Exception {
}
class BeanFactory {
private static HashMap<String, Object> classNameMap = new HashMap<>();
private static HashMap<String, Object> classNameMap = new HashMap<>();
private static HashMap<Class<?>, Object> classMap = new HashMap<>();;
private static HashMap<Class<?>, Object> classMap = new HashMap<>();
static {
classNameMap.put("xxxx", Runtime.getRuntime());
classMap.put(Runtime.class, Runtime.getRuntime());
}
static {
classNameMap.put("xxxx", Runtime.getRuntime());
classMap.put(Runtime.class, Runtime.getRuntime());
}
public Object getBean(String className) throws BeansException {
if (classNameMap.get(className) == null) {
throw new BeansException();
}
return classNameMap.get(className);
}
public Object getBean(Class<?> clzz) {
return classMap.get(clzz);
}
}
class ProxygenSerializer {
public Object[] deserializeMethodInput(List<Object> data, MultipartFile[] files, Method method) {
return null;
}
public String serialize(Object result) {
return null;
}
public Object getBean(Class<?> clzz) {
return classMap.get(clzz);
}
}

20
java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql
View File

@@ -55,16 +55,9 @@ class UnsafeReflectionConfig extends TaintTracking::Configuration {
ma = succ.asExpr()
)
or
exists(MethodAccess ma, Method m, int i, Expr arg |
m = ma.getMethod() and arg = ma.getArgument(i)
exists(
MethodAccess ma // Object.getClass()
|
m.getReturnType() instanceof TypeObject and
arg.getType() instanceof TypeClass and
arg = pred.asExpr() and
ma = succ.asExpr()
)
or
exists(MethodAccess ma |
ma.getMethod().hasName("getClass") and
ma.getMethod().getDeclaringType().hasQualifiedName("java.lang", "Object") and
ma.getQualifier() = pred.asExpr() and
@@ -79,6 +72,15 @@ class UnsafeReflectionConfig extends TaintTracking::Configuration {
arg = pred.asExpr() and
ma = succ.asExpr()
)
or
exists(MethodAccess ma, Method m, int i, Expr arg |
m = ma.getMethod() and arg = ma.getArgument(i)
|
m.getReturnType() instanceof TypeObject and
arg.getType() instanceof TypeClass and
arg = pred.asExpr() and
ma = succ.asExpr()
)
}
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {

27
java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflectionLib.qll
View File

@@ -1,10 +1,8 @@
import java
import DataFlow
import semmle.code.java.Reflection
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.DataFlow3
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.TaintTracking2
/**
@@ -44,18 +42,10 @@ class ReflectionArgsConfig extends TaintTracking2::Configuration {
override predicate isSink(DataFlow::Node sink) {
exists(NewInstance ni | ni.getAnArgument() = sink.asExpr())
or
exists(MethodAccess ma, ReflectionInvokeObjectConfig rioc |
exists(MethodAccess ma |
ma.getMethod().hasQualifiedName("java.lang.reflect", "Method", "invoke") and
ma.getArgument(1) = sink.asExpr() and
rioc.hasFlow(_, DataFlow::exprNode(ma.getArgument(0)))
)
}
override predicate isAdditionalTaintStep(Node pred, Node succ) {
exists(MethodAccess ma |
ma.getMethod().getReturnType().hasName("Object[]") and
ma.getAnArgument() = pred.asExpr() and
ma = succ.asExpr()
exists(ReflectionInvokeObjectConfig rioc | rioc.hasFlowToExpr(ma.getArgument(0)))
)
}
}
@@ -81,13 +71,12 @@ class ReflectionInvokeObjectConfig extends DataFlow3::Configuration {
ni = succ.asExpr()
)
or
exists(MethodAccess ma |
ma.getMethod().getReturnType() instanceof TypeObject and
(
ma.getMethod().getAParamType() instanceof TypeString or
ma.getMethod().getAParamType() instanceof TypeClass
) and
ma.getAnArgument() = pred.asExpr() and
exists(MethodAccess ma, Method m, int i, Expr arg |
m = ma.getMethod() and arg = ma.getArgument(i)
|
m.getReturnType() instanceof TypeObject and
arg.getType() instanceof TypeClass and
arg = pred.asExpr() and
ma = succ.asExpr()
)
}