hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Refactor to use ConditionalBypassQuery.qll

Browse Source
This commit is contained in:
Tony Torralba
2021-09-02 13:53:35 +02:00
parent a484e9fb06
commit 1f7990d6bb
2 changed files with 34 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll Normal file
View File

@@ -0,0 +1,32 @@
/**
* Provides classes to be used in queries related to vulnerabilities
* about unstrusted input being used in security decisions.
*/
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.SensitiveActions
import semmle.code.java.controlflow.Guards
/**
* Holds if `ma` is controlled by the condition expression `e`.
*/
predicate conditionControlsMethod(MethodAccess ma, Expr e) {
exists(ConditionBlock cb, SensitiveExecutionMethod m, boolean cond |
ma.getMethod() = m and
cb.controls(ma.getBasicBlock(), cond) and
not cb.controls(m.getAReference().getBasicBlock(), cond.booleanNot()) and
e = cb.getCondition()
)
}
/**
* A taint tracking configuration for untrusted data flowing to sensitive conditions.
*/
class ConditionalBypassFlowConfig extends TaintTracking::Configuration {
ConditionalBypassFlowConfig() { this = "ConditionalBypassFlowConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { conditionControlsMethod(_, sink.asExpr()) }
}

27
java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
View File

@@ -13,33 +13,10 @@
*/ */
import java import java
import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.DataFlow
import semmle.code.java.security.SensitiveActions import semmle.code.java.security.ConditionalBypassQuery
import semmle.code.java.controlflow.Dominance
import semmle.code.java.controlflow.Guards
import DataFlow::PathGraph import DataFlow::PathGraph
/**
* Calls to a sensitive method that are controlled by a condition
* on the given expression.
*/
predicate conditionControlsMethod(MethodAccess m, Expr e) {
exists(ConditionBlock cb, SensitiveExecutionMethod def, boolean cond |
cb.controls(m.getBasicBlock(), cond) and
def = m.getMethod() and
not cb.controls(def.getAReference().getBasicBlock(), cond.booleanNot()) and
e = cb.getCondition()
)
}
class ConditionalBypassFlowConfig extends TaintTracking::Configuration {
ConditionalBypassFlowConfig() { this = "ConditionalBypassFlowConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { conditionControlsMethod(_, sink.asExpr()) }
}
from from
DataFlow::PathNode source, DataFlow::PathNode sink, MethodAccess m, Expr e, DataFlow::PathNode source, DataFlow::PathNode sink, MethodAccess m, Expr e,
ConditionalBypassFlowConfig conf ConditionalBypassFlowConfig conf