Improved heuristics to increase precision

2026-05-01 03:35:13 +02:00 · 2021-09-14 12:26:40 +02:00
parent f8d1e2ac11
commit 097927226b
2 changed files with 10 additions and 12 deletions
--- a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll
@@ -15,7 +15,10 @@ predicate conditionControlsMethod(MethodAccess ma, Expr e) {
  exists(ConditionBlock cb, SensitiveExecutionMethod m, boolean cond |
    ma.getMethod() = m and
    cb.controls(ma.getBasicBlock(), cond) and
-    not cb.controls(m.getAReference().getBasicBlock(), cond.booleanNot()) and
+    not cb.controls(any(SensitiveExecutionMethod sem).getAReference().getBasicBlock(),
+      cond.booleanNot()) and
+    not cb.controls(any(ThrowStmt t).getBasicBlock(), _) and
+    not cb.controls(any(ReturnStmt r).getBasicBlock(), _) and
    e = cb.getCondition()
  )
 }
--- a/java/ql/lib/semmle/code/java/security/SensitiveActions.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveActions.qll
@@ -80,17 +80,12 @@ abstract class SensitiveExecutionMethod extends Method { }
 class AuthMethod extends SensitiveExecutionMethod {
  AuthMethod() {
    exists(string s | s = this.getName().toLowerCase() |
-      (
-        s.matches("%login%") or
-        s.matches("%auth%")
-      ) and
-      not (
-        s.matches("get%") or
-        s.matches("set%") or
-        s.matches("parse%") or
-        s.matches("%loginfo%")
-      )
-    )
+      s.matches(["%login%", "%auth%"]) and
+      not s.matches([
+          "get%", "set%", "parse%", "%loginfo%", "remove%", "clean%", "%unauth%", "%author%"
+        ])
+    ) and
+    not this.getDeclaringType().getASupertype*() instanceof TypeException
  }
 }