mirror of
https://github.com/github/codeql.git
synced 2025-12-23 12:16:33 +01:00
Merge pull request #12812 from egregius313/egregius313/java/dataflow/refactor-tests
Java: Refactor Test DataFlow configurations to new API
This commit is contained in:
Edward Minnix III
@@ -1,18 +1,16 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.TaintTracking
|
import semmle.code.java.dataflow.TaintTracking
|
||||||
|
|
||||||
class Conf extends TaintTracking::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "qltest:extension-method" }
|
predicate isSource(DataFlow::Node n) {
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) {
|
|
||||||
n.asExpr().(Argument).getCall().getCallee().hasName("taint")
|
n.asExpr().(Argument).getCall().getCallee().hasName("taint")
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) {
|
predicate isSink(DataFlow::Node n) { n.asExpr().(Argument).getCall().getCallee().hasName("sink") }
|
||||||
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
from DataFlow::Node src, DataFlow::Node sink, Conf conf
|
module Flow = TaintTracking::Global<Config>;
|
||||||
where conf.hasFlow(src, sink)
|
|
||||||
|
from DataFlow::Node src, DataFlow::Node sink
|
||||||
|
where Flow::flow(src, sink)
|
||||||
select src, sink
|
select src, sink
|
||||||
|
|||||||
@@ -1,18 +1,16 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.TaintTracking
|
import semmle.code.java.dataflow.TaintTracking
|
||||||
|
|
||||||
class Conf extends TaintTracking::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "qltest:foreach-array-iterator" }
|
predicate isSource(DataFlow::Node n) {
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) {
|
|
||||||
n.asExpr().(Argument).getCall().getCallee().hasName("taint")
|
n.asExpr().(Argument).getCall().getCallee().hasName("taint")
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) {
|
predicate isSink(DataFlow::Node n) { n.asExpr().(Argument).getCall().getCallee().hasName("sink") }
|
||||||
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
from DataFlow::Node src, DataFlow::Node sink, Conf conf
|
module Flow = TaintTracking::Global<Config>;
|
||||||
where conf.hasFlow(src, sink)
|
|
||||||
|
from DataFlow::Node src, DataFlow::Node sink
|
||||||
|
where Flow::flow(src, sink)
|
||||||
select src, sink
|
select src, sink
|
||||||
|
|||||||
@@ -1,18 +1,14 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.TaintTracking
|
import semmle.code.java.dataflow.TaintTracking
|
||||||
|
|
||||||
class Conf extends TaintTracking::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "qltest:lambdaFlow" }
|
predicate isSource(DataFlow::Node n) { n.asExpr().(MethodAccess).getMethod().hasName("taint") }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) {
|
predicate isSink(DataFlow::Node n) { n.asExpr().(Argument).getCall().getCallee().hasName("sink") }
|
||||||
n.asExpr().(MethodAccess).getMethod().hasName("taint")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) {
|
module Flow = TaintTracking::Global<Config>;
|
||||||
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
from DataFlow::Node src, DataFlow::Node sink, Conf conf
|
from DataFlow::Node src, DataFlow::Node sink
|
||||||
where conf.hasFlow(src, sink)
|
where Flow::flow(src, sink)
|
||||||
select src, sink
|
select src, sink
|
||||||
|
|||||||
@@ -1,18 +1,14 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.TaintTracking
|
import semmle.code.java.dataflow.TaintTracking
|
||||||
|
|
||||||
class Conf extends TaintTracking::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "qltest:notNullExprFlow" }
|
predicate isSource(DataFlow::Node n) { n.asExpr().(MethodAccess).getMethod().hasName("taint") }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) {
|
predicate isSink(DataFlow::Node n) { n.asExpr().(Argument).getCall().getCallee().hasName("sink") }
|
||||||
n.asExpr().(MethodAccess).getMethod().hasName("taint")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) {
|
module Flow = TaintTracking::Global<Config>;
|
||||||
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
from DataFlow::Node src, DataFlow::Node sink, Conf conf
|
from DataFlow::Node src, DataFlow::Node sink
|
||||||
where conf.hasFlow(src, sink)
|
where Flow::flow(src, sink)
|
||||||
select src, sink
|
select src, sink
|
||||||
|
|||||||
@@ -1,18 +1,16 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.DataFlow
|
import semmle.code.java.dataflow.DataFlow
|
||||||
|
|
||||||
class Conf extends DataFlow::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "qltest:exprStmtFlow" }
|
predicate isSource(DataFlow::Node n) {
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) {
|
|
||||||
n.asExpr().(ClassInstanceExpr).getType().(RefType).getASupertype*().hasName("Source")
|
n.asExpr().(ClassInstanceExpr).getType().(RefType).getASupertype*().hasName("Source")
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) {
|
predicate isSink(DataFlow::Node n) { n.asExpr().(Argument).getCall().getCallee().hasName("sink") }
|
||||||
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
from DataFlow::Node src, DataFlow::Node sink, Conf conf
|
module Flow = DataFlow::Global<Config>;
|
||||||
where conf.hasFlow(src, sink)
|
|
||||||
|
from DataFlow::Node src, DataFlow::Node sink
|
||||||
|
where Flow::flow(src, sink)
|
||||||
select src, sink
|
select src, sink
|
||||||
|
|||||||
@@ -1,18 +1,14 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.TaintTracking
|
import semmle.code.java.dataflow.TaintTracking
|
||||||
|
|
||||||
class Conf extends TaintTracking::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "kttaintconf" }
|
predicate isSource(DataFlow::Node n) { n.asExpr().(MethodAccess).getMethod().hasName("taint") }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) {
|
predicate isSink(DataFlow::Node n) { n.asExpr().(Argument).getCall().getCallee().hasName("sink") }
|
||||||
n.asExpr().(MethodAccess).getMethod().hasName("taint")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) {
|
module Flow = TaintTracking::Global<Config>;
|
||||||
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
from DataFlow::Node src, DataFlow::Node sink, Conf conf
|
from DataFlow::Node src, DataFlow::Node sink
|
||||||
where conf.hasFlow(src, sink)
|
where Flow::flow(src, sink)
|
||||||
select src, sink
|
select src, sink
|
||||||
|
|||||||
@@ -1,18 +1,14 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.TaintTracking
|
import semmle.code.java.dataflow.TaintTracking
|
||||||
|
|
||||||
class Conf extends TaintTracking::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "qltest:notNullExprFlow" }
|
predicate isSource(DataFlow::Node n) { n.asExpr().(MethodAccess).getMethod().hasName("taint") }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) {
|
predicate isSink(DataFlow::Node n) { n.asExpr().(Argument).getCall().getCallee().hasName("sink") }
|
||||||
n.asExpr().(MethodAccess).getMethod().hasName("taint")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) {
|
module Flow = TaintTracking::Global<Config>;
|
||||||
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
from DataFlow::Node src, DataFlow::Node sink, Conf conf
|
from DataFlow::Node src, DataFlow::Node sink
|
||||||
where conf.hasFlow(src, sink)
|
where Flow::flow(src, sink)
|
||||||
select src, sink
|
select src, sink
|
||||||
|
|||||||
@@ -1,20 +1,20 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.DataFlow
|
import semmle.code.java.dataflow.DataFlow
|
||||||
|
|
||||||
class Config extends DataFlow::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Config() { this = "Config" }
|
predicate isSource(DataFlow::Node n) { n.asExpr().(StringLiteral).getValue() = "Source" }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) { n.asExpr().(StringLiteral).getValue() = "Source" }
|
predicate isSink(DataFlow::Node n) {
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) {
|
|
||||||
n.asExpr().(Argument).getCall().getCallee().getName() = "sink"
|
n.asExpr().(Argument).getCall().getCallee().getName() = "sink"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
module Flow = DataFlow::Global<Config>;
|
||||||
|
|
||||||
query predicate isFinalField(Field f) {
|
query predicate isFinalField(Field f) {
|
||||||
exists(FieldDeclaration f2 | f = f2.getAField()) and f.isFinal()
|
exists(FieldDeclaration f2 | f = f2.getAField()) and f.isFinal()
|
||||||
}
|
}
|
||||||
|
|
||||||
from DataFlow::Node source, DataFlow::Node sink
|
from DataFlow::Node source, DataFlow::Node sink
|
||||||
where any(Config c).hasFlow(source, sink)
|
where Flow::flow(source, sink)
|
||||||
select source, sink
|
select source, sink
|
||||||
|
|||||||
@@ -1,18 +1,18 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.DataFlow
|
import semmle.code.java.dataflow.DataFlow
|
||||||
|
|
||||||
class Config extends DataFlow::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Config() { this = "config" }
|
predicate isSource(DataFlow::Node n) {
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) {
|
|
||||||
n.asExpr().(MethodAccess).getCallee().getName() = "source"
|
n.asExpr().(MethodAccess).getCallee().getName() = "source"
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) {
|
predicate isSink(DataFlow::Node n) {
|
||||||
n.asExpr().(Argument).getCall().getCallee().getName() = "sink"
|
n.asExpr().(Argument).getCall().getCallee().getName() = "sink"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
from Config c, DataFlow::Node source, DataFlow::Node sink
|
module Flow = DataFlow::Global<Config>;
|
||||||
where c.hasFlow(source, sink)
|
|
||||||
|
from DataFlow::Node source, DataFlow::Node sink
|
||||||
|
where Flow::flow(source, sink)
|
||||||
select source, sink, source.getEnclosingCallable()
|
select source, sink, source.getEnclosingCallable()
|
||||||
|
|||||||
@@ -12,21 +12,21 @@ class ShouldBeSunk extends StringLiteral {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
class Config extends DataFlow::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Config() { this = "Config" }
|
predicate isSource(DataFlow::Node n) {
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) {
|
|
||||||
n.asExpr() instanceof ShouldBeSunk or
|
n.asExpr() instanceof ShouldBeSunk or
|
||||||
n.asExpr() instanceof ShouldNotBeSunk
|
n.asExpr() instanceof ShouldNotBeSunk
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) {
|
predicate isSink(DataFlow::Node n) {
|
||||||
n.asExpr().(Argument).getCall().getCallee().getName() = "sink"
|
n.asExpr().(Argument).getCall().getCallee().getName() = "sink"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
module Flow = DataFlow::Global<Config>;
|
||||||
|
|
||||||
predicate isSunk(StringLiteral sl) {
|
predicate isSunk(StringLiteral sl) {
|
||||||
exists(Config c, DataFlow::Node source | c.hasFlow(source, _) and sl = source.asExpr())
|
exists(DataFlow::Node source | Flow::flow(source, _) and sl = source.asExpr())
|
||||||
}
|
}
|
||||||
|
|
||||||
query predicate shouldBeSunkButIsnt(ShouldBeSunk src) { not isSunk(src) }
|
query predicate shouldBeSunkButIsnt(ShouldBeSunk src) { not isSunk(src) }
|
||||||
|
|||||||
@@ -1,18 +1,18 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.DataFlow
|
import semmle.code.java.dataflow.DataFlow
|
||||||
|
|
||||||
class Config extends DataFlow::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Config() { this = "abc" }
|
predicate isSource(DataFlow::Node n) {
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) {
|
|
||||||
n.asExpr().(MethodAccess).getMethod().getName() = "source"
|
n.asExpr().(MethodAccess).getMethod().getName() = "source"
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) {
|
predicate isSink(DataFlow::Node n) {
|
||||||
n.asExpr().(Argument).getCall().getCallee().getName() = "sink"
|
n.asExpr().(Argument).getCall().getCallee().getName() = "sink"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
from Config c, DataFlow::Node n1, DataFlow::Node n2
|
module Flow = DataFlow::Global<Config>;
|
||||||
where c.hasFlow(n1, n2)
|
|
||||||
|
from DataFlow::Node n1, DataFlow::Node n2
|
||||||
|
where Flow::flow(n1, n2)
|
||||||
select n1, n2
|
select n1, n2
|
||||||
|
|||||||
@@ -1,18 +1,18 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.DataFlow
|
import semmle.code.java.dataflow.DataFlow
|
||||||
|
|
||||||
class Config extends DataFlow::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Config() { this = "varargs-dataflow-test" }
|
predicate isSource(DataFlow::Node n) {
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) {
|
|
||||||
n.asExpr().(CompileTimeConstantExpr).getEnclosingCallable().fromSource()
|
n.asExpr().(CompileTimeConstantExpr).getEnclosingCallable().fromSource()
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) {
|
predicate isSink(DataFlow::Node n) {
|
||||||
n.asExpr() = any(MethodAccess ma | ma.getMethod().getName() = "sink").getAnArgument()
|
n.asExpr() = any(MethodAccess ma | ma.getMethod().getName() = "sink").getAnArgument()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
from DataFlow::Node source, DataFlow::Node sink, Config c
|
module Flow = DataFlow::Global<Config>;
|
||||||
where c.hasFlow(source, sink)
|
|
||||||
|
from DataFlow::Node source, DataFlow::Node sink
|
||||||
|
where Flow::flow(source, sink)
|
||||||
select source, sink
|
select source, sink
|
||||||
|
|||||||
@@ -4,14 +4,12 @@
|
|||||||
|
|
||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.DataFlow
|
import semmle.code.java.dataflow.DataFlow
|
||||||
import DataFlow::PathGraph
|
import Flow::PathGraph
|
||||||
|
|
||||||
class Conf extends DataFlow::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "CallSensitiveFlowConf" }
|
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ClassInstanceExpr }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ClassInstanceExpr }
|
predicate isSink(DataFlow::Node sink) {
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node sink) {
|
|
||||||
exists(MethodAccess ma |
|
exists(MethodAccess ma |
|
||||||
ma.getMethod().hasName("sink") and
|
ma.getMethod().hasName("sink") and
|
||||||
ma.getAnArgument() = sink.asExpr()
|
ma.getAnArgument() = sink.asExpr()
|
||||||
@@ -19,6 +17,8 @@ class Conf extends DataFlow::Configuration {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
from DataFlow::PathNode source, DataFlow::PathNode sink, Conf conf
|
module Flow = DataFlow::Global<Config>;
|
||||||
where conf.hasFlowPath(source, sink)
|
|
||||||
|
from Flow::PathNode source, Flow::PathNode sink
|
||||||
|
where Flow::flowPath(source, sink)
|
||||||
select source, source, sink, "$@", sink, sink.toString()
|
select source, source, sink, "$@", sink, sink.toString()
|
||||||
|
|||||||
@@ -2,18 +2,16 @@ import java
|
|||||||
import semmle.code.java.dataflow.DataFlow
|
import semmle.code.java.dataflow.DataFlow
|
||||||
import TestUtilities.InlineExpectationsTest
|
import TestUtilities.InlineExpectationsTest
|
||||||
|
|
||||||
class Conf extends DataFlow::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "qltest:callback-dispatch" }
|
predicate isSource(DataFlow::Node n) { n.asExpr().(MethodAccess).getMethod().hasName("source") }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) {
|
predicate isSink(DataFlow::Node n) {
|
||||||
n.asExpr().(MethodAccess).getMethod().hasName("source")
|
|
||||||
}
|
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) {
|
|
||||||
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
module Flow = DataFlow::Global<Config>;
|
||||||
|
|
||||||
class HasFlowTest extends InlineExpectationsTest {
|
class HasFlowTest extends InlineExpectationsTest {
|
||||||
HasFlowTest() { this = "HasFlowTest" }
|
HasFlowTest() { this = "HasFlowTest" }
|
||||||
|
|
||||||
@@ -21,7 +19,7 @@ class HasFlowTest extends InlineExpectationsTest {
|
|||||||
|
|
||||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||||
tag = "flow" and
|
tag = "flow" and
|
||||||
exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
|
exists(DataFlow::Node src, DataFlow::Node sink | Flow::flow(src, sink) |
|
||||||
sink.getLocation() = location and
|
sink.getLocation() = location and
|
||||||
element = sink.toString() and
|
element = sink.toString() and
|
||||||
value = src.asExpr().(MethodAccess).getAnArgument().toString()
|
value = src.asExpr().(MethodAccess).getAnArgument().toString()
|
||||||
|
|||||||
@@ -1,17 +1,16 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.DataFlow
|
import semmle.code.java.dataflow.DataFlow
|
||||||
import DataFlow
|
|
||||||
|
|
||||||
StringLiteral src() { result.getCompilationUnit().fromSource() }
|
StringLiteral src() { result.getCompilationUnit().fromSource() }
|
||||||
|
|
||||||
class Conf extends Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "qq capture" }
|
predicate isSource(DataFlow::Node n) { n.asExpr() = src() }
|
||||||
|
|
||||||
override predicate isSource(Node n) { n.asExpr() = src() }
|
predicate isSink(DataFlow::Node n) { any() }
|
||||||
|
|
||||||
override predicate isSink(Node n) { any() }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
from Node src, Node sink, Conf conf
|
module Flow = DataFlow::Global<Config>;
|
||||||
where conf.hasFlow(src, sink)
|
|
||||||
|
from DataFlow::Node src, DataFlow::Node sink
|
||||||
|
where Flow::flow(src, sink)
|
||||||
select src, sink
|
select src, sink
|
||||||
|
|||||||
@@ -1,10 +1,8 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.TaintTracking
|
import semmle.code.java.dataflow.TaintTracking
|
||||||
|
|
||||||
class Conf extends TaintTracking::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "conf" }
|
predicate isSource(DataFlow::Node src) {
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node src) {
|
|
||||||
(
|
(
|
||||||
src.asExpr().(VarAccess).getVariable().hasName("tainted")
|
src.asExpr().(VarAccess).getVariable().hasName("tainted")
|
||||||
or
|
or
|
||||||
@@ -14,7 +12,7 @@ class Conf extends TaintTracking::Configuration {
|
|||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node sink) {
|
predicate isSink(DataFlow::Node sink) {
|
||||||
exists(MethodAccess ma |
|
exists(MethodAccess ma |
|
||||||
sink.asExpr() = ma.getAnArgument() and
|
sink.asExpr() = ma.getAnArgument() and
|
||||||
ma.getMethod().hasName("sink")
|
ma.getMethod().hasName("sink")
|
||||||
@@ -25,6 +23,8 @@ class Conf extends TaintTracking::Configuration {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
from Conf c, DataFlow::Node src, DataFlow::Node sink
|
module Flow = TaintTracking::Global<Config>;
|
||||||
where c.hasFlow(src, sink)
|
|
||||||
|
from DataFlow::Node src, DataFlow::Node sink
|
||||||
|
where Flow::flow(src, sink)
|
||||||
select src, sink
|
select src, sink
|
||||||
|
|||||||
@@ -8,16 +8,16 @@ class TestRemoteFlowSource extends RemoteFlowSource {
|
|||||||
override string getSourceType() { result = "test" }
|
override string getSourceType() { result = "test" }
|
||||||
}
|
}
|
||||||
|
|
||||||
class TaintFlowConf extends TaintTracking::Configuration {
|
module TaintFlowConfig implements DataFlow::ConfigSig {
|
||||||
TaintFlowConf() { this = "qltest:dataflow:entrypoint-types-taint" }
|
predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
|
predicate isSink(DataFlow::Node n) {
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) {
|
|
||||||
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
module TaintFlow = TaintTracking::Global<TaintFlowConfig>;
|
||||||
|
|
||||||
class HasFlowTest extends InlineExpectationsTest {
|
class HasFlowTest extends InlineExpectationsTest {
|
||||||
HasFlowTest() { this = "HasFlowTest" }
|
HasFlowTest() { this = "HasFlowTest" }
|
||||||
|
|
||||||
@@ -25,7 +25,7 @@ class HasFlowTest extends InlineExpectationsTest {
|
|||||||
|
|
||||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||||
tag = "hasTaintFlow" and
|
tag = "hasTaintFlow" and
|
||||||
exists(DataFlow::Node sink, TaintFlowConf conf | conf.hasFlowTo(sink) |
|
exists(DataFlow::Node sink | TaintFlow::flowTo(sink) |
|
||||||
sink.getLocation() = location and
|
sink.getLocation() = location and
|
||||||
element = sink.toString() and
|
element = sink.toString() and
|
||||||
value = ""
|
value = ""
|
||||||
|
|||||||
@@ -1,12 +1,10 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.DataFlow
|
import semmle.code.java.dataflow.DataFlow
|
||||||
|
|
||||||
class Conf extends DataFlow::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "FieldFlowConf" }
|
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ClassInstanceExpr }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ClassInstanceExpr }
|
predicate isSink(DataFlow::Node sink) {
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node sink) {
|
|
||||||
exists(MethodAccess ma |
|
exists(MethodAccess ma |
|
||||||
ma.getMethod().hasName("sink") and
|
ma.getMethod().hasName("sink") and
|
||||||
ma.getAnArgument() = sink.asExpr()
|
ma.getAnArgument() = sink.asExpr()
|
||||||
@@ -14,6 +12,8 @@ class Conf extends DataFlow::Configuration {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
from DataFlow::Node src, DataFlow::Node sink, Conf conf
|
module Flow = DataFlow::Global<Config>;
|
||||||
where conf.hasFlow(src, sink)
|
|
||||||
|
from DataFlow::Node src, DataFlow::Node sink
|
||||||
|
where Flow::flow(src, sink)
|
||||||
select src, sink
|
select src, sink
|
||||||
|
|||||||
@@ -1,16 +1,14 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.TaintTracking
|
import semmle.code.java.dataflow.TaintTracking
|
||||||
|
|
||||||
class Conf extends TaintTracking::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "qltest lambda" }
|
predicate isSource(DataFlow::Node src) {
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node src) {
|
|
||||||
src.asExpr().(VarAccess).getVariable().hasName("args")
|
src.asExpr().(VarAccess).getVariable().hasName("args")
|
||||||
or
|
or
|
||||||
src.asExpr().(MethodAccess).getMethod().hasName("source")
|
src.asExpr().(MethodAccess).getMethod().hasName("source")
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node sink) {
|
predicate isSink(DataFlow::Node sink) {
|
||||||
sink.asExpr().(Argument).getCall() =
|
sink.asExpr().(Argument).getCall() =
|
||||||
any(MethodAccess ma |
|
any(MethodAccess ma |
|
||||||
ma.getMethod().hasName("exec") and
|
ma.getMethod().hasName("exec") and
|
||||||
@@ -19,6 +17,8 @@ class Conf extends TaintTracking::Configuration {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
from DataFlow::Node src, DataFlow::Node sink, Conf c
|
module Flow = TaintTracking::Global<Config>;
|
||||||
where c.hasFlow(src, sink)
|
|
||||||
|
from DataFlow::Node src, DataFlow::Node sink
|
||||||
|
where Flow::flow(src, sink)
|
||||||
select src, sink
|
select src, sink
|
||||||
|
|||||||
@@ -1,14 +1,12 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.DataFlow
|
import semmle.code.java.dataflow.DataFlow
|
||||||
|
|
||||||
class Conf extends DataFlow::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "conf" }
|
predicate isSource(DataFlow::Node src) {
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node src) {
|
|
||||||
src.asExpr().(MethodAccess).getMethod().hasName("source")
|
src.asExpr().(MethodAccess).getMethod().hasName("source")
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node sink) {
|
predicate isSink(DataFlow::Node sink) {
|
||||||
exists(MethodAccess ma |
|
exists(MethodAccess ma |
|
||||||
sink.asExpr() = ma.getAnArgument() and
|
sink.asExpr() = ma.getAnArgument() and
|
||||||
ma.getMethod().hasName("sink")
|
ma.getMethod().hasName("sink")
|
||||||
@@ -16,6 +14,8 @@ class Conf extends DataFlow::Configuration {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
from Conf c, DataFlow::Node src, DataFlow::Node sink
|
module Flow = DataFlow::Global<Config>;
|
||||||
where c.hasFlow(src, sink)
|
|
||||||
|
from DataFlow::Node src, DataFlow::Node sink
|
||||||
|
where Flow::flow(src, sink)
|
||||||
select src, sink
|
select src, sink
|
||||||
|
|||||||
@@ -1,14 +1,14 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.DataFlow
|
import semmle.code.java.dataflow.DataFlow
|
||||||
|
|
||||||
class Conf extends DataFlow::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "qqconf" }
|
predicate isSource(DataFlow::Node n) { n.asExpr() instanceof NullLiteral }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) { n.asExpr() instanceof NullLiteral }
|
predicate isSink(DataFlow::Node n) { any() }
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) { any() }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
from Conf conf, DataFlow::Node src, DataFlow::Node sink
|
module Flow = DataFlow::Global<Config>;
|
||||||
where conf.hasFlow(src, sink)
|
|
||||||
|
from DataFlow::Node src, DataFlow::Node sink
|
||||||
|
where Flow::flow(src, sink)
|
||||||
select src, sink
|
select src, sink
|
||||||
|
|||||||
@@ -1,15 +1,14 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.DataFlow
|
import semmle.code.java.dataflow.DataFlow
|
||||||
import DataFlow
|
|
||||||
|
|
||||||
class Conf extends Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "qqconf" }
|
predicate isSource(DataFlow::Node n) { n.asExpr().(MethodAccess).getMethod().hasName("source") }
|
||||||
|
|
||||||
override predicate isSource(Node n) { n.asExpr().(MethodAccess).getMethod().hasName("source") }
|
predicate isSink(DataFlow::Node n) { n.asExpr().(Argument).getCall().getCallee().hasName("sink") }
|
||||||
|
|
||||||
override predicate isSink(Node n) { n.asExpr().(Argument).getCall().getCallee().hasName("sink") }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
from Conf conf, Node src, Node sink
|
module Flow = DataFlow::Global<Config>;
|
||||||
where conf.hasFlow(src, sink)
|
|
||||||
|
from DataFlow::Node src, DataFlow::Node sink
|
||||||
|
where Flow::flow(src, sink)
|
||||||
select src, sink
|
select src, sink
|
||||||
|
|||||||
@@ -1,15 +1,14 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.DataFlow
|
import semmle.code.java.dataflow.DataFlow
|
||||||
import DataFlow
|
|
||||||
|
|
||||||
class Conf extends Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "qqconf" }
|
predicate isSource(DataFlow::Node n) { n.asExpr().(MethodAccess).getMethod().hasName("source") }
|
||||||
|
|
||||||
override predicate isSource(Node n) { n.asExpr().(MethodAccess).getMethod().hasName("source") }
|
predicate isSink(DataFlow::Node n) { any() }
|
||||||
|
|
||||||
override predicate isSink(Node n) { any() }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
from Conf c, Node sink
|
module Flow = DataFlow::Global<Config>;
|
||||||
where c.hasFlow(_, sink)
|
|
||||||
|
from DataFlow::Node sink
|
||||||
|
where Flow::flowTo(sink)
|
||||||
select sink
|
select sink
|
||||||
|
|||||||
@@ -2,14 +2,14 @@ import semmle.code.java.dataflow.DataFlow
|
|||||||
import semmle.code.java.dataflow.TaintTracking
|
import semmle.code.java.dataflow.TaintTracking
|
||||||
import semmle.code.java.dataflow.FlowSources
|
import semmle.code.java.dataflow.FlowSources
|
||||||
|
|
||||||
class Conf extends TaintTracking::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "qltest:dataflow:ioutils" }
|
predicate isSource(DataFlow::Node source) { source instanceof UserInput }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof UserInput }
|
predicate isSink(DataFlow::Node sink) { any() }
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node sink) { any() }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
from UserInput u, DataFlow::Node e, Conf config
|
module Flow = TaintTracking::Global<Config>;
|
||||||
where config.hasFlow(u, e) and e.getEnclosingCallable().hasName("ioutils")
|
|
||||||
|
from UserInput u, DataFlow::Node e
|
||||||
|
where Flow::flow(u, e) and e.getEnclosingCallable().hasName("ioutils")
|
||||||
select e
|
select e
|
||||||
|
|||||||
@@ -1,18 +1,14 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.TaintTracking
|
import semmle.code.java.dataflow.TaintTracking
|
||||||
|
|
||||||
class Conf extends TaintTracking::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "qqconf" }
|
predicate isSource(DataFlow::Node n) { n.asExpr().(MethodAccess).getMethod().hasName("taint") }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) {
|
predicate isSink(DataFlow::Node n) { n.asExpr().(Argument).getCall().getCallee().hasName("sink") }
|
||||||
n.asExpr().(MethodAccess).getMethod().hasName("taint")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) {
|
module Flow = TaintTracking::Global<Config>;
|
||||||
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
from DataFlow::Node src, DataFlow::Node sink, Conf conf
|
from DataFlow::Node src, DataFlow::Node sink
|
||||||
where conf.hasFlow(src, sink)
|
where Flow::flow(src, sink)
|
||||||
select src, sink
|
select src, sink
|
||||||
|
|||||||
@@ -1,25 +1,24 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.DataFlow
|
import semmle.code.java.dataflow.DataFlow
|
||||||
import DataFlow
|
|
||||||
|
|
||||||
class Conf extends Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "taintgettersetter" }
|
predicate isSource(DataFlow::Node n) { n.asExpr().(MethodAccess).getMethod().hasName("taint") }
|
||||||
|
|
||||||
override predicate isSource(Node n) { n.asExpr().(MethodAccess).getMethod().hasName("taint") }
|
predicate isSink(DataFlow::Node n) {
|
||||||
|
|
||||||
override predicate isSink(Node n) {
|
|
||||||
exists(MethodAccess sink |
|
exists(MethodAccess sink |
|
||||||
sink.getAnArgument() = n.asExpr() and sink.getMethod().hasName("sink")
|
sink.getAnArgument() = n.asExpr() and sink.getMethod().hasName("sink")
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isAdditionalFlowStep(Node n1, Node n2) {
|
predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
|
||||||
exists(AddExpr add |
|
exists(AddExpr add |
|
||||||
add.getType() instanceof TypeString and add.getAnOperand() = n1.asExpr() and n2.asExpr() = add
|
add.getType() instanceof TypeString and add.getAnOperand() = n1.asExpr() and n2.asExpr() = add
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
from Node src, Node sink, Conf conf
|
module Flow = DataFlow::Global<Config>;
|
||||||
where conf.hasFlow(src, sink)
|
|
||||||
|
from DataFlow::Node src, DataFlow::Node sink
|
||||||
|
where Flow::flow(src, sink)
|
||||||
select src, sink
|
select src, sink
|
||||||
|
|||||||
@@ -1,6 +1,5 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.TaintTracking
|
import semmle.code.java.dataflow.TaintTracking
|
||||||
import DataFlow
|
|
||||||
|
|
||||||
predicate step(Expr e1, Expr e2) {
|
predicate step(Expr e1, Expr e2) {
|
||||||
exists(MethodAccess ma |
|
exists(MethodAccess ma |
|
||||||
@@ -17,28 +16,35 @@ predicate isSink0(Expr sink) {
|
|||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
class Conf1 extends Configuration {
|
module FirstConfig implements DataFlow::ConfigSig {
|
||||||
Conf1() { this = "testconf1" }
|
predicate isSource(DataFlow::Node n) { n.asExpr().(MethodAccess).getMethod().hasName("src") }
|
||||||
|
|
||||||
override predicate isSource(Node n) { n.asExpr().(MethodAccess).getMethod().hasName("src") }
|
predicate isSink(DataFlow::Node n) { any() }
|
||||||
|
|
||||||
override predicate isSink(Node n) { any() }
|
predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
|
||||||
|
step(n1.asExpr(), n2.asExpr())
|
||||||
override predicate isAdditionalFlowStep(Node n1, Node n2) { step(n1.asExpr(), n2.asExpr()) }
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
class Conf2 extends Configuration {
|
module FirstFlow = DataFlow::Global<FirstConfig>;
|
||||||
Conf2() { this = "testconf2" }
|
|
||||||
|
|
||||||
override predicate isSource(Node n) { n.asExpr().(MethodAccess).getMethod().hasName("src") }
|
module SecondConfig implements DataFlow::ConfigSig {
|
||||||
|
predicate isSource(DataFlow::Node n) { n.asExpr().(MethodAccess).getMethod().hasName("src") }
|
||||||
|
|
||||||
override predicate isSink(Node n) { isSink0(n.asExpr()) }
|
predicate isSink(DataFlow::Node n) { isSink0(n.asExpr()) }
|
||||||
|
|
||||||
override predicate isAdditionalFlowStep(Node n1, Node n2) { step(n1.asExpr(), n2.asExpr()) }
|
predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
|
||||||
|
step(n1.asExpr(), n2.asExpr())
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
module SecondFlow = DataFlow::Global<SecondConfig>;
|
||||||
|
|
||||||
from int i1, int i2
|
from int i1, int i2
|
||||||
where
|
where
|
||||||
i1 = count(Node src, Node sink, Conf1 c | c.hasFlow(src, sink) and isSink0(sink.asExpr())) and
|
i1 =
|
||||||
i2 = count(Node src, Node sink, Conf2 c | c.hasFlow(src, sink))
|
count(DataFlow::Node src, DataFlow::Node sink |
|
||||||
|
FirstFlow::flow(src, sink) and isSink0(sink.asExpr())
|
||||||
|
) and
|
||||||
|
i2 = count(DataFlow::Node src, DataFlow::Node sink | SecondFlow::flow(src, sink))
|
||||||
select i1, i2
|
select i1, i2
|
||||||
|
|||||||
@@ -10,22 +10,22 @@ predicate isTestSink(DataFlow::Node n) {
|
|||||||
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
||||||
}
|
}
|
||||||
|
|
||||||
class LocalValueConf extends DataFlow::Configuration {
|
module LocalValueConfig implements DataFlow::ConfigSig {
|
||||||
LocalValueConf() { this = "LocalValueConf" }
|
predicate isSource(DataFlow::Node n) { n instanceof LocalSource }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) { n instanceof LocalSource }
|
predicate isSink(DataFlow::Node n) { isTestSink(n) }
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) { isTestSink(n) }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
class LocalTaintConf extends TaintTracking::Configuration {
|
module LocalValueFlow = DataFlow::Global<LocalValueConfig>;
|
||||||
LocalTaintConf() { this = "LocalTaintConf" }
|
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) { n instanceof LocalSource }
|
module LocalTaintConfig implements DataFlow::ConfigSig {
|
||||||
|
predicate isSource(DataFlow::Node n) { n instanceof LocalSource }
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) { isTestSink(n) }
|
predicate isSink(DataFlow::Node n) { isTestSink(n) }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
module LocalTaintFlow = TaintTracking::Global<LocalTaintConfig>;
|
||||||
|
|
||||||
class LocalFlowTest extends InlineExpectationsTest {
|
class LocalFlowTest extends InlineExpectationsTest {
|
||||||
LocalFlowTest() { this = "LocalFlowTest" }
|
LocalFlowTest() { this = "LocalFlowTest" }
|
||||||
|
|
||||||
@@ -33,7 +33,7 @@ class LocalFlowTest extends InlineExpectationsTest {
|
|||||||
|
|
||||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||||
tag = "hasLocalValueFlow" and
|
tag = "hasLocalValueFlow" and
|
||||||
exists(DataFlow::Node sink | any(LocalValueConf c).hasFlowTo(sink) |
|
exists(DataFlow::Node sink | LocalValueFlow::flowTo(sink) |
|
||||||
sink.getLocation() = location and
|
sink.getLocation() = location and
|
||||||
element = sink.toString() and
|
element = sink.toString() and
|
||||||
value = ""
|
value = ""
|
||||||
@@ -41,7 +41,7 @@ class LocalFlowTest extends InlineExpectationsTest {
|
|||||||
or
|
or
|
||||||
tag = "hasLocalTaintFlow" and
|
tag = "hasLocalTaintFlow" and
|
||||||
exists(DataFlow::Node src, DataFlow::Node sink |
|
exists(DataFlow::Node src, DataFlow::Node sink |
|
||||||
any(LocalTaintConf c).hasFlow(src, sink) and not any(LocalValueConf c).hasFlow(src, sink)
|
LocalTaintFlow::flow(src, sink) and not LocalValueFlow::flow(src, sink)
|
||||||
|
|
|
|
||||||
sink.getLocation() = location and
|
sink.getLocation() = location and
|
||||||
element = sink.toString() and
|
element = sink.toString() and
|
||||||
|
|||||||
@@ -6,22 +6,22 @@ predicate isTestSink(DataFlow::Node n) {
|
|||||||
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
||||||
}
|
}
|
||||||
|
|
||||||
class RemoteValueConf extends DataFlow::Configuration {
|
module RemoteValueConfig implements DataFlow::ConfigSig {
|
||||||
RemoteValueConf() { this = "RemoteValueConf" }
|
predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
|
predicate isSink(DataFlow::Node n) { isTestSink(n) }
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) { isTestSink(n) }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
class RemoteTaintConf extends TaintTracking::Configuration {
|
module RemoteValueFlow = DataFlow::Global<RemoteValueConfig>;
|
||||||
RemoteTaintConf() { this = "RemoteTaintConf" }
|
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
|
module RemoteTaintConfig implements DataFlow::ConfigSig {
|
||||||
|
predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) { isTestSink(n) }
|
predicate isSink(DataFlow::Node n) { isTestSink(n) }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
module RemoteTaintFlow = TaintTracking::Global<RemoteTaintConfig>;
|
||||||
|
|
||||||
class RemoteFlowTest extends InlineExpectationsTest {
|
class RemoteFlowTest extends InlineExpectationsTest {
|
||||||
RemoteFlowTest() { this = "RemoteFlowTest" }
|
RemoteFlowTest() { this = "RemoteFlowTest" }
|
||||||
|
|
||||||
@@ -29,7 +29,7 @@ class RemoteFlowTest extends InlineExpectationsTest {
|
|||||||
|
|
||||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||||
tag = "hasRemoteValueFlow" and
|
tag = "hasRemoteValueFlow" and
|
||||||
exists(DataFlow::Node sink | any(RemoteValueConf c).hasFlowTo(sink) |
|
exists(DataFlow::Node sink | RemoteValueFlow::flowTo(sink) |
|
||||||
sink.getLocation() = location and
|
sink.getLocation() = location and
|
||||||
element = sink.toString() and
|
element = sink.toString() and
|
||||||
value = ""
|
value = ""
|
||||||
@@ -37,7 +37,7 @@ class RemoteFlowTest extends InlineExpectationsTest {
|
|||||||
or
|
or
|
||||||
tag = "hasRemoteTaintFlow" and
|
tag = "hasRemoteTaintFlow" and
|
||||||
exists(DataFlow::Node src, DataFlow::Node sink |
|
exists(DataFlow::Node src, DataFlow::Node sink |
|
||||||
any(RemoteTaintConf c).hasFlow(src, sink) and not any(RemoteValueConf c).hasFlow(src, sink)
|
RemoteTaintFlow::flow(src, sink) and not RemoteValueFlow::flow(src, sink)
|
||||||
|
|
|
|
||||||
sink.getLocation() = location and
|
sink.getLocation() = location and
|
||||||
element = sink.toString() and
|
element = sink.toString() and
|
||||||
|
|||||||
@@ -1,19 +1,18 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.DataFlow
|
import semmle.code.java.dataflow.DataFlow
|
||||||
import DataFlow
|
|
||||||
|
|
||||||
class ThisFlowConfig extends Configuration {
|
module ThisFlowConfig implements DataFlow::ConfigSig {
|
||||||
ThisFlowConfig() { this = "ThisFlowConfig" }
|
predicate isSource(DataFlow::Node src) {
|
||||||
|
exists(DataFlow::PostUpdateNode cie | cie.asExpr() instanceof ClassInstanceExpr |
|
||||||
override predicate isSource(Node src) {
|
|
||||||
exists(PostUpdateNode cie | cie.asExpr() instanceof ClassInstanceExpr |
|
|
||||||
cie.getPreUpdateNode() = src or cie = src
|
cie.getPreUpdateNode() = src or cie = src
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isSink(Node sink) { any() }
|
predicate isSink(DataFlow::Node sink) { any() }
|
||||||
}
|
}
|
||||||
|
|
||||||
from Node n, ThisFlowConfig conf
|
module ThisFlow = DataFlow::Global<ThisFlowConfig>;
|
||||||
where conf.hasFlow(_, n)
|
|
||||||
|
from DataFlow::Node n
|
||||||
|
where ThisFlow::flowTo(n)
|
||||||
select n
|
select n
|
||||||
|
|||||||
@@ -2,18 +2,16 @@ import java
|
|||||||
import semmle.code.java.dataflow.DataFlow
|
import semmle.code.java.dataflow.DataFlow
|
||||||
import DataFlow
|
import DataFlow
|
||||||
|
|
||||||
class Conf extends Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "test types" }
|
predicate isSource(Node n) { n.asExpr().(MethodAccess).getMethod().hasName("source") }
|
||||||
|
|
||||||
override predicate isSource(Node n) { n.asExpr().(MethodAccess).getMethod().hasName("source") }
|
predicate isSink(Node n) {
|
||||||
|
|
||||||
override predicate isSink(Node n) {
|
|
||||||
exists(MethodAccess sink |
|
exists(MethodAccess sink |
|
||||||
sink.getAnArgument() = n.asExpr() and sink.getMethod().hasName("sink")
|
sink.getAnArgument() = n.asExpr() and sink.getMethod().hasName("sink")
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isAdditionalFlowStep(Node n1, Node n2) {
|
predicate isAdditionalFlowStep(Node n1, Node n2) {
|
||||||
exists(MethodAccess ma |
|
exists(MethodAccess ma |
|
||||||
ma.getMethod().hasName("customStep") and
|
ma.getMethod().hasName("customStep") and
|
||||||
ma.getAnArgument() = n1.asExpr() and
|
ma.getAnArgument() = n1.asExpr() and
|
||||||
@@ -22,6 +20,8 @@ class Conf extends Configuration {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
from Node src, Node sink, Conf conf
|
module Flow = DataFlow::Global<Config>;
|
||||||
where conf.hasFlow(src, sink)
|
|
||||||
|
from Node src, Node sink
|
||||||
|
where Flow::flow(src, sink)
|
||||||
select src, sink, sink.getEnclosingCallable()
|
select src, sink, sink.getEnclosingCallable()
|
||||||
|
|||||||
@@ -2,14 +2,20 @@ import java
|
|||||||
import semmle.code.java.dataflow.FlowSources
|
import semmle.code.java.dataflow.FlowSources
|
||||||
import TestUtilities.InlineFlowTest
|
import TestUtilities.InlineFlowTest
|
||||||
|
|
||||||
class EnableLegacy extends EnableLegacyConfiguration {
|
module ProviderTaintFlowConfig implements DataFlow::ConfigSig {
|
||||||
EnableLegacy() { exists(this) }
|
predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
|
||||||
|
|
||||||
|
predicate isSink(DataFlow::Node n) { DefaultFlowConfig::isSink(n) }
|
||||||
|
|
||||||
|
int fieldFlowBranchLimit() { result = DefaultFlowConfig::fieldFlowBranchLimit() }
|
||||||
}
|
}
|
||||||
|
|
||||||
class ProviderTaintFlowConf extends DefaultTaintFlowConf {
|
module ProviderTaintFlow = TaintTracking::Global<ProviderTaintFlowConfig>;
|
||||||
override predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
|
|
||||||
}
|
|
||||||
|
|
||||||
class ProviderInlineFlowTest extends InlineFlowTest {
|
class ProviderInlineFlowTest extends InlineFlowTest {
|
||||||
override DataFlow::Configuration getValueFlowConfig() { none() }
|
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||||
|
|
||||||
|
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||||
|
ProviderTaintFlow::flow(src, sink)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -3,22 +3,18 @@ import semmle.code.java.dataflow.DataFlow
|
|||||||
import semmle.code.java.dataflow.FlowSources
|
import semmle.code.java.dataflow.FlowSources
|
||||||
import TestUtilities.InlineFlowTest
|
import TestUtilities.InlineFlowTest
|
||||||
|
|
||||||
class EnableLegacy extends EnableLegacyConfiguration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
EnableLegacy() { exists(this) }
|
predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
|
||||||
}
|
|
||||||
|
|
||||||
class Conf extends TaintTracking::Configuration {
|
predicate isSink(DataFlow::Node sink) {
|
||||||
Conf() { this = "test:AndroidExternalFlowConf" }
|
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
|
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node sink) {
|
|
||||||
sink.asExpr().(Argument).getCall().getCallee().hasName("sink")
|
sink.asExpr().(Argument).getCall().getCallee().hasName("sink")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
class ExternalStorageTest extends InlineFlowTest {
|
module Flow = TaintTracking::Global<Config>;
|
||||||
override DataFlow::Configuration getValueFlowConfig() { none() }
|
|
||||||
|
|
||||||
override DataFlow::Configuration getTaintFlowConfig() { result instanceof Conf }
|
class ExternalStorageTest extends InlineFlowTest {
|
||||||
|
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||||
|
|
||||||
|
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) { Flow::flow(src, sink) }
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -2,14 +2,20 @@ import java
|
|||||||
import semmle.code.java.dataflow.FlowSources
|
import semmle.code.java.dataflow.FlowSources
|
||||||
import TestUtilities.InlineFlowTest
|
import TestUtilities.InlineFlowTest
|
||||||
|
|
||||||
class EnableLegacy extends EnableLegacyConfiguration {
|
module SourceValueFlowConfig implements DataFlow::ConfigSig {
|
||||||
EnableLegacy() { exists(this) }
|
predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
|
||||||
|
|
||||||
|
predicate isSink(DataFlow::Node sink) { DefaultFlowConfig::isSink(sink) }
|
||||||
|
|
||||||
|
int fieldFlowBranchLimit() { result = DefaultFlowConfig::fieldFlowBranchLimit() }
|
||||||
}
|
}
|
||||||
|
|
||||||
class SourceValueFlowConf extends DefaultValueFlowConf {
|
module SourceValueFlow = DataFlow::Global<SourceValueFlowConfig>;
|
||||||
override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
|
|
||||||
}
|
|
||||||
|
|
||||||
class SourceInlineFlowTest extends InlineFlowTest {
|
class SourceInlineFlowTest extends InlineFlowTest {
|
||||||
override DataFlow::Configuration getTaintFlowConfig() { none() }
|
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||||
|
SourceValueFlow::flow(src, sink)
|
||||||
|
}
|
||||||
|
|
||||||
|
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -4,16 +4,16 @@ import semmle.code.java.dataflow.FlowSources
|
|||||||
import semmle.code.java.security.QueryInjection
|
import semmle.code.java.security.QueryInjection
|
||||||
import TestUtilities.InlineExpectationsTest
|
import TestUtilities.InlineExpectationsTest
|
||||||
|
|
||||||
class Conf extends TaintTracking::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "qltest:dataflow:android::flow" }
|
predicate isSource(DataFlow::Node source) {
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) {
|
|
||||||
source.asExpr().(MethodAccess).getMethod().hasName("taint")
|
source.asExpr().(MethodAccess).getMethod().hasName("taint")
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(ReturnStmt r).getResult() }
|
predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(ReturnStmt r).getResult() }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
module Flow = TaintTracking::Global<Config>;
|
||||||
|
|
||||||
class FlowStepTest extends InlineExpectationsTest {
|
class FlowStepTest extends InlineExpectationsTest {
|
||||||
FlowStepTest() { this = "FlowStepTest" }
|
FlowStepTest() { this = "FlowStepTest" }
|
||||||
|
|
||||||
@@ -22,8 +22,7 @@ class FlowStepTest extends InlineExpectationsTest {
|
|||||||
override predicate hasActualResult(Location l, string element, string tag, string value) {
|
override predicate hasActualResult(Location l, string element, string tag, string value) {
|
||||||
tag = "taintReachesReturn" and
|
tag = "taintReachesReturn" and
|
||||||
value = "" and
|
value = "" and
|
||||||
exists(Conf conf, DataFlow::Node source |
|
exists(DataFlow::Node source | Flow::flow(source, _) |
|
||||||
conf.hasFlow(source, _) and
|
|
||||||
l = source.getLocation() and
|
l = source.getLocation() and
|
||||||
element = source.toString()
|
element = source.toString()
|
||||||
)
|
)
|
||||||
|
|||||||
@@ -4,16 +4,16 @@ import semmle.code.java.dataflow.FlowSources
|
|||||||
import semmle.code.java.security.QueryInjection
|
import semmle.code.java.security.QueryInjection
|
||||||
import TestUtilities.InlineExpectationsTest
|
import TestUtilities.InlineExpectationsTest
|
||||||
|
|
||||||
class Conf extends TaintTracking::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "qltest:dataflow:android::flow" }
|
predicate isSource(DataFlow::Node source) {
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) {
|
|
||||||
source.asExpr().(MethodAccess).getMethod().hasName("taint")
|
source.asExpr().(MethodAccess).getMethod().hasName("taint")
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
|
predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
module Flow = TaintTracking::Global<Config>;
|
||||||
|
|
||||||
class SinkTest extends InlineExpectationsTest {
|
class SinkTest extends InlineExpectationsTest {
|
||||||
SinkTest() { this = "SinkTest" }
|
SinkTest() { this = "SinkTest" }
|
||||||
|
|
||||||
@@ -22,8 +22,7 @@ class SinkTest extends InlineExpectationsTest {
|
|||||||
override predicate hasActualResult(Location l, string element, string tag, string value) {
|
override predicate hasActualResult(Location l, string element, string tag, string value) {
|
||||||
tag = "taintReachesSink" and
|
tag = "taintReachesSink" and
|
||||||
value = "" and
|
value = "" and
|
||||||
exists(Conf conf, DataFlow::Node source |
|
exists(DataFlow::Node source | Flow::flow(source, _) |
|
||||||
conf.hasFlow(source, _) and
|
|
||||||
l = source.getLocation() and
|
l = source.getLocation() and
|
||||||
element = source.toString()
|
element = source.toString()
|
||||||
)
|
)
|
||||||
|
|||||||
@@ -5,20 +5,14 @@ import semmle.code.java.security.XSS
|
|||||||
import semmle.code.java.security.UrlRedirect
|
import semmle.code.java.security.UrlRedirect
|
||||||
import TestUtilities.InlineFlowTest
|
import TestUtilities.InlineFlowTest
|
||||||
|
|
||||||
class EnableLegacy extends EnableLegacyConfiguration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
EnableLegacy() { exists(this) }
|
predicate isSource(DataFlow::Node n) {
|
||||||
}
|
|
||||||
|
|
||||||
class Conf extends TaintTracking::Configuration {
|
|
||||||
Conf() { this = "qltest:frameworks:apache-http" }
|
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) {
|
|
||||||
n.asExpr().(MethodAccess).getMethod().hasName("taint")
|
n.asExpr().(MethodAccess).getMethod().hasName("taint")
|
||||||
or
|
or
|
||||||
n instanceof RemoteFlowSource
|
n instanceof RemoteFlowSource
|
||||||
}
|
}
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) {
|
predicate isSink(DataFlow::Node n) {
|
||||||
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
||||||
or
|
or
|
||||||
n instanceof XssSink
|
n instanceof XssSink
|
||||||
@@ -27,8 +21,10 @@ class Conf extends TaintTracking::Configuration {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
class HasFlowTest extends InlineFlowTest {
|
module Flow = TaintTracking::Global<Config>;
|
||||||
override DataFlow::Configuration getValueFlowConfig() { none() }
|
|
||||||
|
|
||||||
override DataFlow::Configuration getTaintFlowConfig() { result = any(Conf c) }
|
class HasFlowTest extends InlineFlowTest {
|
||||||
|
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||||
|
|
||||||
|
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) { Flow::flow(src, sink) }
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -2,32 +2,28 @@ import java
|
|||||||
import semmle.code.java.dataflow.TaintTracking
|
import semmle.code.java.dataflow.TaintTracking
|
||||||
import TestUtilities.InlineExpectationsTest
|
import TestUtilities.InlineExpectationsTest
|
||||||
|
|
||||||
class TaintFlowConf extends TaintTracking::Configuration {
|
module TaintFlowConfig implements DataFlow::ConfigSig {
|
||||||
TaintFlowConf() { this = "qltest:frameworks:guava-taint" }
|
predicate isSource(DataFlow::Node n) { n.asExpr().(MethodAccess).getMethod().hasName("taint") }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) {
|
predicate isSink(DataFlow::Node n) {
|
||||||
n.asExpr().(MethodAccess).getMethod().hasName("taint")
|
|
||||||
}
|
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) {
|
|
||||||
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
class ValueFlowConf extends DataFlow::Configuration {
|
module TaintFlow = TaintTracking::Global<TaintFlowConfig>;
|
||||||
ValueFlowConf() { this = "qltest:frameworks:guava-value" }
|
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node n) {
|
module ValueFlowConfig implements DataFlow::ConfigSig {
|
||||||
n.asExpr().(MethodAccess).getMethod().hasName("taint")
|
predicate isSource(DataFlow::Node n) { n.asExpr().(MethodAccess).getMethod().hasName("taint") }
|
||||||
}
|
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node n) {
|
predicate isSink(DataFlow::Node n) {
|
||||||
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
||||||
}
|
}
|
||||||
|
|
||||||
override int fieldFlowBranchLimit() { result = 100 }
|
int fieldFlowBranchLimit() { result = 100 }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
module ValueFlow = DataFlow::Global<ValueFlowConfig>;
|
||||||
|
|
||||||
class HasFlowTest extends InlineExpectationsTest {
|
class HasFlowTest extends InlineExpectationsTest {
|
||||||
HasFlowTest() { this = "HasFlowTest" }
|
HasFlowTest() { this = "HasFlowTest" }
|
||||||
|
|
||||||
@@ -35,22 +31,20 @@ class HasFlowTest extends InlineExpectationsTest {
|
|||||||
|
|
||||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||||
tag = "numTaintFlow" and
|
tag = "numTaintFlow" and
|
||||||
exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf tconf, int num |
|
exists(DataFlow::Node src, DataFlow::Node sink, int num | TaintFlow::flow(src, sink) |
|
||||||
tconf.hasFlow(src, sink)
|
not ValueFlow::flow(src, sink) and
|
||||||
|
|
|
||||||
not any(ValueFlowConf vconf).hasFlow(src, sink) and
|
|
||||||
value = num.toString() and
|
value = num.toString() and
|
||||||
sink.getLocation() = location and
|
sink.getLocation() = location and
|
||||||
element = sink.toString() and
|
element = sink.toString() and
|
||||||
num = strictcount(DataFlow::Node src2 | tconf.hasFlow(src2, sink))
|
num = strictcount(DataFlow::Node src2 | TaintFlow::flow(src2, sink))
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
tag = "numValueFlow" and
|
tag = "numValueFlow" and
|
||||||
exists(DataFlow::Node sink, ValueFlowConf vconf, int num | vconf.hasFlowTo(sink) |
|
exists(DataFlow::Node sink, int num | ValueFlow::flowTo(sink) |
|
||||||
value = num.toString() and
|
value = num.toString() and
|
||||||
sink.getLocation() = location and
|
sink.getLocation() = location and
|
||||||
element = sink.toString() and
|
element = sink.toString() and
|
||||||
num = strictcount(DataFlow::Node src2 | vconf.hasFlow(src2, sink))
|
num = strictcount(DataFlow::Node src2 | ValueFlow::flow(src2, sink))
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -2,12 +2,10 @@ import java
|
|||||||
import semmle.code.java.dataflow.FlowSources
|
import semmle.code.java.dataflow.FlowSources
|
||||||
import semmle.code.java.dataflow.TaintTracking
|
import semmle.code.java.dataflow.TaintTracking
|
||||||
|
|
||||||
class Conf extends TaintTracking::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "conf" }
|
predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
|
predicate isSink(DataFlow::Node sink) {
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node sink) {
|
|
||||||
exists(MethodAccess ma |
|
exists(MethodAccess ma |
|
||||||
sink.asExpr() = ma.getAnArgument() and
|
sink.asExpr() = ma.getAnArgument() and
|
||||||
ma.getMethod().hasName("sink")
|
ma.getMethod().hasName("sink")
|
||||||
@@ -16,6 +14,8 @@ class Conf extends TaintTracking::Configuration {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
from Conf c, DataFlow::Node src, DataFlow::Node sink
|
module Flow = TaintTracking::Global<Config>;
|
||||||
where c.hasFlow(src, sink)
|
|
||||||
|
from DataFlow::Node src, DataFlow::Node sink
|
||||||
|
where Flow::flow(src, sink)
|
||||||
select src, sink
|
select src, sink
|
||||||
|
|||||||
@@ -2,18 +2,18 @@ import java
|
|||||||
import semmle.code.java.dataflow.FlowSources
|
import semmle.code.java.dataflow.FlowSources
|
||||||
import TestUtilities.InlineExpectationsTest
|
import TestUtilities.InlineExpectationsTest
|
||||||
|
|
||||||
class TestConfig extends TaintTracking::Configuration {
|
module TestConfig implements DataFlow::ConfigSig {
|
||||||
TestConfig() { this = "TestConfig" }
|
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
predicate isSink(DataFlow::Node sink) {
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node sink) {
|
|
||||||
exists(MethodAccess call |
|
exists(MethodAccess call |
|
||||||
call.getMethod().hasName("sink") and call.getArgument(0) = sink.asExpr()
|
call.getMethod().hasName("sink") and call.getArgument(0) = sink.asExpr()
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
module TestFlow = TaintTracking::Global<TestConfig>;
|
||||||
|
|
||||||
class JmsFlowTest extends InlineExpectationsTest {
|
class JmsFlowTest extends InlineExpectationsTest {
|
||||||
JmsFlowTest() { this = "JmsFlowTest" }
|
JmsFlowTest() { this = "JmsFlowTest" }
|
||||||
|
|
||||||
@@ -21,7 +21,7 @@ class JmsFlowTest extends InlineExpectationsTest {
|
|||||||
|
|
||||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||||
tag = "tainted" and
|
tag = "tainted" and
|
||||||
exists(DataFlow::PathNode sink, TestConfig conf | conf.hasFlowPath(_, sink) |
|
exists(TestFlow::PathNode sink | TestFlow::flowPath(_, sink) |
|
||||||
location = sink.getNode().getLocation() and element = sink.getNode().toString() and value = ""
|
location = sink.getNode().getLocation() and element = sink.getNode().toString() and value = ""
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -3,22 +3,18 @@ import semmle.code.java.dataflow.TaintTracking
|
|||||||
import semmle.code.java.dataflow.FlowSources
|
import semmle.code.java.dataflow.FlowSources
|
||||||
import TestUtilities.InlineFlowTest
|
import TestUtilities.InlineFlowTest
|
||||||
|
|
||||||
class EnableLegacy extends EnableLegacyConfiguration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
EnableLegacy() { exists(this) }
|
predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
|
||||||
}
|
|
||||||
|
|
||||||
class Conf extends TaintTracking::Configuration {
|
predicate isSink(DataFlow::Node node) {
|
||||||
Conf() { this = "qltest:frameworks:rabbitmq" }
|
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
|
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node node) {
|
|
||||||
exists(MethodAccess ma | ma.getMethod().hasName("sink") | node.asExpr() = ma.getAnArgument())
|
exists(MethodAccess ma | ma.getMethod().hasName("sink") | node.asExpr() = ma.getAnArgument())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
class HasFlowTest extends InlineFlowTest {
|
module Flow = TaintTracking::Global<Config>;
|
||||||
override DataFlow::Configuration getValueFlowConfig() { none() }
|
|
||||||
|
|
||||||
override DataFlow::Configuration getTaintFlowConfig() { result = any(Conf c) }
|
class HasFlowTest extends InlineFlowTest {
|
||||||
|
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||||
|
|
||||||
|
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) { Flow::flow(src, sink) }
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.TaintTracking
|
import semmle.code.java.dataflow.TaintTracking
|
||||||
import semmle.code.java.dataflow.FlowSources
|
import semmle.code.java.dataflow.FlowSources
|
||||||
import TestUtilities.InlineExpectationsTest
|
import TestUtilities.InlineFlowTest
|
||||||
|
|
||||||
module Config implements DataFlow::ConfigSig {
|
module Config implements DataFlow::ConfigSig {
|
||||||
predicate isSource(DataFlow::Node n) {
|
predicate isSource(DataFlow::Node n) {
|
||||||
@@ -17,17 +17,10 @@ module Config implements DataFlow::ConfigSig {
|
|||||||
|
|
||||||
module Flow = TaintTracking::Global<Config>;
|
module Flow = TaintTracking::Global<Config>;
|
||||||
|
|
||||||
class HasFlowTest extends InlineExpectationsTest {
|
class HasFlowTest extends InlineFlowTest {
|
||||||
HasFlowTest() { this = "HasFlowTest" }
|
HasFlowTest() { this = "HasFlowTest" }
|
||||||
|
|
||||||
override string getARelevantTag() { result = "hasTaintFlow" }
|
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||||
|
|
||||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) { Flow::flow(src, sink) }
|
||||||
tag = "hasTaintFlow" and
|
|
||||||
exists(DataFlow::Node sink | Flow::flowTo(sink) |
|
|
||||||
sink.getLocation() = location and
|
|
||||||
element = sink.toString() and
|
|
||||||
value = ""
|
|
||||||
)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -2,20 +2,18 @@ import java
|
|||||||
import semmle.code.java.dataflow.FlowSources
|
import semmle.code.java.dataflow.FlowSources
|
||||||
import TestUtilities.InlineFlowTest
|
import TestUtilities.InlineFlowTest
|
||||||
|
|
||||||
class EnableLegacy extends EnableLegacyConfiguration {
|
module ValueFlowConfig implements DataFlow::ConfigSig {
|
||||||
EnableLegacy() { exists(this) }
|
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||||
}
|
|
||||||
|
|
||||||
class ValueFlowConf extends DataFlow::Configuration {
|
predicate isSink(DataFlow::Node sink) {
|
||||||
ValueFlowConf() { this = "ValueFlowConf" }
|
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node sink) {
|
|
||||||
sink.asExpr().(Argument).getCall().getCallee().hasName("sink")
|
sink.asExpr().(Argument).getCall().getCallee().hasName("sink")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
module ValueFlow = DataFlow::Global<ValueFlowConfig>;
|
||||||
|
|
||||||
class Test extends InlineFlowTest {
|
class Test extends InlineFlowTest {
|
||||||
override DataFlow::Configuration getValueFlowConfig() { result = any(ValueFlowConf config) }
|
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||||
|
ValueFlow::flow(src, sink)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -2,18 +2,20 @@ import java
|
|||||||
import semmle.code.java.security.PathSanitizer
|
import semmle.code.java.security.PathSanitizer
|
||||||
import TestUtilities.InlineFlowTest
|
import TestUtilities.InlineFlowTest
|
||||||
|
|
||||||
class EnableLegacy extends EnableLegacyConfiguration {
|
module PathSanitizerConfig implements DataFlow::ConfigSig {
|
||||||
EnableLegacy() { exists(this) }
|
predicate isSource(DataFlow::Node source) { DefaultFlowConfig::isSource(source) }
|
||||||
|
|
||||||
|
predicate isSink(DataFlow::Node sink) { DefaultFlowConfig::isSink(sink) }
|
||||||
|
|
||||||
|
predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof PathInjectionSanitizer }
|
||||||
}
|
}
|
||||||
|
|
||||||
class PathSanitizerConf extends DefaultTaintFlowConf {
|
module PathSanitizerFlow = TaintTracking::Global<PathSanitizerConfig>;
|
||||||
override predicate isSanitizer(DataFlow::Node sanitizer) {
|
|
||||||
sanitizer instanceof PathInjectionSanitizer
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
class Test extends InlineFlowTest {
|
class Test extends InlineFlowTest {
|
||||||
override DataFlow::Configuration getValueFlowConfig() { none() }
|
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||||
|
|
||||||
override DataFlow::Configuration getTaintFlowConfig() { result = any(PathSanitizerConf config) }
|
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||||
|
PathSanitizerFlow::flow(src, sink)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,22 +1,7 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.FlowSources
|
import semmle.code.java.security.XssQuery
|
||||||
import semmle.code.java.security.XSS
|
|
||||||
import TestUtilities.InlineExpectationsTest
|
import TestUtilities.InlineExpectationsTest
|
||||||
|
|
||||||
class XssConfig extends TaintTracking::Configuration {
|
|
||||||
XssConfig() { this = "XSSConfig" }
|
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
|
|
||||||
|
|
||||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof XssSanitizer }
|
|
||||||
|
|
||||||
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
|
||||||
any(XssAdditionalTaintStep s).step(node1, node2)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
class XssTest extends InlineExpectationsTest {
|
class XssTest extends InlineExpectationsTest {
|
||||||
XssTest() { this = "XssTest" }
|
XssTest() { this = "XssTest" }
|
||||||
|
|
||||||
@@ -24,7 +9,7 @@ class XssTest extends InlineExpectationsTest {
|
|||||||
|
|
||||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||||
tag = "xss" and
|
tag = "xss" and
|
||||||
exists(DataFlow::Node sink, XssConfig conf | conf.hasFlowTo(sink) |
|
exists(DataFlow::Node sink | XssFlow::flowTo(sink) |
|
||||||
sink.getLocation() = location and
|
sink.getLocation() = location and
|
||||||
element = sink.toString() and
|
element = sink.toString() and
|
||||||
value = ""
|
value = ""
|
||||||
|
|||||||
@@ -1,26 +1,12 @@
|
|||||||
import java
|
import java
|
||||||
import semmle.code.java.dataflow.TaintTracking
|
import semmle.code.java.dataflow.FlowSources
|
||||||
import semmle.code.java.security.QueryInjection
|
import semmle.code.java.security.SqlInjectionQuery
|
||||||
import TestUtilities.InlineExpectationsTest
|
import TestUtilities.InlineExpectationsTest
|
||||||
|
|
||||||
private class QueryInjectionFlowConfig extends TaintTracking::Configuration {
|
private class SourceMethodSource extends RemoteFlowSource {
|
||||||
QueryInjectionFlowConfig() { this = "SqlInjectionLib::QueryInjectionFlowConfig" }
|
SourceMethodSource() { this.asExpr().(MethodAccess).getMethod().hasName("source") }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node src) {
|
override string getSourceType() { result = "source" }
|
||||||
src.asExpr() = any(MethodAccess ma | ma.getMethod().hasName("source"))
|
|
||||||
}
|
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
|
|
||||||
|
|
||||||
override predicate isSanitizer(DataFlow::Node node) {
|
|
||||||
node.getType() instanceof PrimitiveType or
|
|
||||||
node.getType() instanceof BoxedType or
|
|
||||||
node.getType() instanceof NumberType
|
|
||||||
}
|
|
||||||
|
|
||||||
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
|
||||||
any(AdditionalQueryInjectionTaintStep s).step(node1, node2)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
class HasFlowTest extends InlineExpectationsTest {
|
class HasFlowTest extends InlineExpectationsTest {
|
||||||
@@ -30,7 +16,7 @@ class HasFlowTest extends InlineExpectationsTest {
|
|||||||
|
|
||||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||||
tag = "sqlInjection" and
|
tag = "sqlInjection" and
|
||||||
exists(DataFlow::Node sink, QueryInjectionFlowConfig conf | conf.hasFlowTo(sink) |
|
exists(DataFlow::Node sink | QueryInjectionFlow::flowTo(sink) |
|
||||||
sink.getLocation() = location and
|
sink.getLocation() = location and
|
||||||
element = sink.toString() and
|
element = sink.toString() and
|
||||||
value = ""
|
value = ""
|
||||||
|
|||||||
@@ -4,14 +4,14 @@ import semmle.code.java.dataflow.FlowSources
|
|||||||
import semmle.code.java.security.XPath
|
import semmle.code.java.security.XPath
|
||||||
import TestUtilities.InlineExpectationsTest
|
import TestUtilities.InlineExpectationsTest
|
||||||
|
|
||||||
class Conf extends TaintTracking::Configuration {
|
module Config implements DataFlow::ConfigSig {
|
||||||
Conf() { this = "test:xml:xpathinjection" }
|
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
|
||||||
|
|
||||||
override predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
module Flow = TaintTracking::Global<Config>;
|
||||||
|
|
||||||
class HasXPathInjectionTest extends InlineExpectationsTest {
|
class HasXPathInjectionTest extends InlineExpectationsTest {
|
||||||
HasXPathInjectionTest() { this = "HasXPathInjectionTest" }
|
HasXPathInjectionTest() { this = "HasXPathInjectionTest" }
|
||||||
|
|
||||||
@@ -19,7 +19,7 @@ class HasXPathInjectionTest extends InlineExpectationsTest {
|
|||||||
|
|
||||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||||
tag = "hasXPathInjection" and
|
tag = "hasXPathInjection" and
|
||||||
exists(DataFlow::Node sink, Conf conf | conf.hasFlowTo(sink) |
|
exists(DataFlow::Node sink | Flow::flowTo(sink) |
|
||||||
sink.getLocation() = location and
|
sink.getLocation() = location and
|
||||||
element = sink.toString() and
|
element = sink.toString() and
|
||||||
value = ""
|
value = ""
|
||||||
|
|||||||
Reference in New Issue
Block a user