Add ExternallyControlledFormatStringLocalQuery.qll

2026-04-29 10:45:15 +02:00 · 2023-04-03 17:05:06 -04:00
parent 5834e4ac52
commit 0249187282
3 changed files with 23 additions and 15 deletions
--- a/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
+++ b/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
@@ -4,4 +4,5 @@ category: minorAnalysis
 * Added the `TaintedPermissionQuery.qll` library to provide the `TaintedPermissionFlow` taint-tracking module to reason about tainted permission vulnerabilities.
 * Added the `XPathInjectionQuery.qll` library to provide the `XPathInjectionFlow` taint-tracking module to reason about XPath injection vulnerabilities.
 * Added the `SqlConcatenatedQuery.qll` library to provide the `UncontrolledStringBuilderSourceFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by concatenating untrusted strings.
-* Added the `XssLocalQuery.qll` library to provide the `XssLocalFlow` taint-tracking module to reason about XSS vulnerabilities caused by local data flow.
+* Added the `XssLocalQuery.qll` library to provide the `XssLocalFlow` taint-tracking module to reason about XSS vulnerabilities caused by local data flow.
+* Added the `ExternallyControlledFormatStringLocalQuery.qll` library to provide the `ExternallyControlledFormatStringLocalFlow` taint-tracking module to reason about format string vulnerabilities caused by local data flow.
--- a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringLocalQuery.qll
@@ -0,0 +1,20 @@
+/** Provides a taint-tracking configuration to reason about externally-controlled format strings from local sources. */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.StringFormat
+
+/** A taint-tracking configuration to reason about externally-controlled format strings from local sources. */
+module ExternallyControlledFormatStringLocalConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
+
+  predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() = any(StringFormat formatCall).getFormatArgument()
+  }
+}
+
+/**
+ * Taint-tracking flow for externally-controlled format strings from local sources.
+ */
+module ExternallyControlledFormatStringLocalFlow =
+  TaintTracking::Global<ExternallyControlledFormatStringLocalConfig>;
--- a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
@@ -11,20 +11,7 @@
 */

 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.StringFormat
-
-module ExternallyControlledFormatStringLocalConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
-
-  predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() = any(StringFormat formatCall).getFormatArgument()
-  }
-}
-
-module ExternallyControlledFormatStringLocalFlow =
-  TaintTracking::Global<ExternallyControlledFormatStringLocalConfig>;
-
+import semmle.code.java.security.ExternallyControlledFormatStringLocalQuery
 import ExternallyControlledFormatStringLocalFlow::PathGraph

 from