From e4f567979a6821a0296233a75e1fcdb553ff9086 Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Wed, 11 Oct 2023 17:00:33 -0400
Subject: [PATCH 1/8] Sync XSS Local

---
 java/ql/lib/semmle/code/java/security/XssLocalQuery.qll | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/java/ql/lib/semmle/code/java/security/XssLocalQuery.qll b/java/ql/lib/semmle/code/java/security/XssLocalQuery.qll
index 83eb33682af..f19872bb489 100644
--- a/java/ql/lib/semmle/code/java/security/XssLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XssLocalQuery.qll
@@ -12,6 +12,14 @@ module XssLocalConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof XssSanitizer }
+
+  predicate isBarrierOut(DataFlow::Node node) { node instanceof XssSinkBarrier }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(XssAdditionalTaintStep s).step(node1, node2)
+  }
 }
 
 /**

From ef282955fdcc9c660d3424145e1776f1535ab61c Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Wed, 11 Oct 2023 17:04:03 -0400
Subject: [PATCH 2/8] Sync SqlTaintedLocalQuery with SqlInjectionQuery

---
 .../ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll b/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll
index f926901a8b9..eeab7f7f6cd 100644
--- a/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll
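Review bot: Nothing in the three predicates added to XssLocalConfig records that they mirror the remote XSS configuration's barrier, barrier-out and additional-step predicates, which is exactly the coupling that let the two configurations drift apart before this series. A one-line comment above the new `isBarrier`, `// Keep in sync with the remote XSS configuration's barrier and additional-step predicates.`, gives the next editor the cue; the same remark applies to the predicates added in SqlTaintedLocalQuery.qll, ResponseSplittingLocalQuery.qll, ImproperValidationOfArrayIndexLocalQuery.qll, ExternallyControlledFormatStringLocalQuery.qll, ArithmeticTaintedLocalQuery.qll and NumericCastTaintedQuery.qll. The module's closing brace is the hunk's trailing context, while its header lies before the hunk.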
@@ -17,7 +17,9 @@ module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
 
   predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
+    node.getType() instanceof PrimitiveType or
+    node.getType() instanceof BoxedType or
+    node.getType() instanceof NumberType
   }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {

From 69531b9f7c01ce19ee7b88b1eec256ddfede7118 Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Wed, 11 Oct 2023 17:06:09 -0400
Subject: [PATCH 3/8] Sync ResponseSplittingLocalQuery

---
 .../java/security/ResponseSplittingLocalQuery.qll | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/java/ql/lib/semmle/code/java/security/ResponseSplittingLocalQuery.qll b/java/ql/lib/semmle/code/java/security/ResponseSplittingLocalQuery.qll
index 01743bd3c61..a39c213502a 100644
--- a/java/ql/lib/semmle/code/java/security/ResponseSplittingLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ResponseSplittingLocalQuery.qll
@@ -13,8 +13,21 @@ module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
 
   predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
+    node.getType() instanceof PrimitiveType
+    or
     node.getType() instanceof BoxedType
+    or
+    exists(MethodAccess ma, string methodName, CompileTimeConstantExpr target |
+      node.asExpr() = ma and
+      ma.getMethod().hasQualifiedName("java.lang", "String", methodName) and
+      target = ma.getArgument(0) and
+      (
+        methodName = "replace" and target.getIntValue() = [10, 13] // 10 == "\n", 13 == "\r"
+        or
+        methodName = "replaceAll" and
+        target.getStringValue().regexpMatch(".*([\n\r]|\\[\\^[^\\]\r\n]*\\]).*")
+      )
+    )
   }
 }
 

From f1886320e50e951a291b1fcfd272b0fa4f834ba7 Mon Sep 17 00:00:00 2001
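Review bot: The added `node.getType() instanceof NumberType` disjunct only widens the type-based barrier if `NumberType` covers subclasses of `java.lang.Number` rather than the abstract class alone; otherwise a node typed as, say, `BigDecimal` keeps carrying taint to the sink while an `Integer` (a `BoxedType`) does not, an inconsistent cut-off worth confirming against the definition of `NumberType`. Either way the rationale for treating a type as a sanitizer is unstated; a comment such as `// Numerically typed values cannot carry SQL metacharacters, so they stop the flow.` above the disjunction would record it. isBarrier is complete inside the hunk; the enclosing module starts and ends outside it.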
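Review bot: Both new sanitizer branches accept removal of a single line terminator as a full barrier: the `replace` branch matches when the first argument is 10 or 13, and the `replaceAll` regex `.*([\n\r]|...)` is satisfied by a pattern that mentions only one of `\n` and `\r`, so a call that strips one terminator but leaves the other stops the flow and the remaining terminator is never reported. If that precision trade-off is inherited from the remote configuration it should at least be written down, e.g. `// A replace of either terminator alone is accepted as a barrier; the other terminator is not tracked.` above the `exists`. Separately, `String.replace(char, char)` takes character literals, so the `replace` branch only fires if `CompileTimeConstantExpr.getIntValue()` resolves a character literal to its code point — worth confirming, since otherwise that branch never matches. The whole isBarrier body and the module's closing brace are inside the hunk; the module header is not.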
From: Ed Minnix
Date: Wed, 11 Oct 2023 17:07:31 -0400
Subject: [PATCH 4/8] Sync ImproperValidationOfArrayIndexLocalQuery

---
 .../security/ImproperValidationOfArrayIndexLocalQuery.qll | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexLocalQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexLocalQuery.qll
index 6b078bc2830..d21de6c7fdf 100644
--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexLocalQuery.qll
@@ -13,6 +13,10 @@ module ImproperValidationOfArrayIndexLocalConfig implements DataFlow::ConfigSig
   predicate isSink(DataFlow::Node sink) {
     any(CheckableArrayAccess caa).canThrowOutOfBounds(sink.asExpr())
   }
+
+  predicate isBarrier(DataFlow::Node node) { node.getType() instanceof BooleanType }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**

From da933fb77adf9d09fc52977e17af3843ce095f06 Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Wed, 11 Oct 2023 17:08:50 -0400
Subject: [PATCH 5/8] Sync ExternallyControlledFormatStringLocalQuery

---
 .../security/ExternallyControlledFormatStringLocalQuery.qll | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringLocalQuery.qll b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringLocalQuery.qll
index 34c23682221..4d07e8bddd0 100644
--- a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringLocalQuery.qll
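Review bot: `predicate isBarrierIn(DataFlow::Node node) { isSource(node) }` is added without any comment on what it achieves; as written it appears intended to block flow into a node that is itself a source, so that each result is reported from its nearest source rather than threaded through an earlier one, but that intent should be confirmed against the remote configuration and recorded, e.g. `// Block flow into sources so each result starts at its closest source.` The same uncommented idiom is added in both hunks of ArithmeticTaintedLocalQuery.qll and in the second hunk of NumericCastTaintedQuery.qll. Separately, the change note in the last patch lists this library as `ImproperValidationOfArrayIndexQuery` while the file changed here is `ImproperValidationOfArrayIndexLocalQuery.qll`, unlike the other entries, which carry their `Local` suffix. The module's header lies before the hunk; its closing brace is the hunk's trailing context.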
@@ -11,6 +11,10 @@ module ExternallyControlledFormatStringLocalConfig implements DataFlow::ConfigSi
   predicate isSink(DataFlow::Node sink) {
     sink.asExpr() = any(StringFormat formatCall).getFormatArgument()
   }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node.getType() instanceof NumericType or node.getType() instanceof BooleanType
+  }
 }
 
 /**

From ec84f072ebfd1cb23f451ce8cf4c973b96d0067b Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Wed, 11 Oct 2023 17:11:22 -0400
Subject: [PATCH 6/8] Sync ArithmeticTaintedLocalQuery

---
 .../semmle/code/java/security/ArithmeticTaintedLocalQuery.qll | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedLocalQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedLocalQuery.qll
index c33414f59be..979f4b23466 100644
--- a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedLocalQuery.qll
@@ -13,6 +13,8 @@ module ArithmeticTaintedLocalOverflowConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }
 
   predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**
@@ -30,6 +32,8 @@ module ArithmeticTaintedLocalUnderflowConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
 
   predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**

From 4eeaf841338ff229ee848f6cf0ccf067cbbbd577 Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Wed, 11 Oct 2023 17:15:57 -0400
Subject: [PATCH 7/8] Sync NumericCastTaintedQuery

---
 .../semmle/code/java/security/NumericCastTaintedQuery.qll | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
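Review bot: The new `isBarrierIn` names its parameter `node` while the adjacent `isBarrier` in the same module uses `n`, in both ArithmeticTaintedLocalOverflowConfig and ArithmeticTaintedLocalUnderflowConfig; the two modules would read more uniformly with one convention per module, e.g. `predicate isBarrierIn(DataFlow::Node n) { isSource(n) }`. Each module's header sits before its hunk and its closing brace is the hunk's trailing context.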
diff --git a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
index 58a93319350..d59e8abb5c5 100644
--- a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
@@ -117,7 +117,8 @@ module NumericCastLocalFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
 
   predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() = any(NumericNarrowingCastExpr cast).getExpr()
+    sink.asExpr() = any(NumericNarrowingCastExpr cast).getExpr() and
+    sink.asExpr() instanceof VarAccess
   }
 
   predicate isBarrier(DataFlow::Node node) {
@@ -125,8 +126,11 @@ module NumericCastLocalFlowConfig implements DataFlow::ConfigSig {
     castCheck(node.asExpr()) or
     node.getType() instanceof SmallType or
     smallExpr(node.asExpr()) or
-    node.getEnclosingCallable() instanceof HashCodeMethod
+    node.getEnclosingCallable() instanceof HashCodeMethod or
+    exists(RightShiftOp e | e.getShiftedVariable().getAnAccess() = node.asExpr())
   }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**

From 31c04b50f707210d5e69d01e20bcca809d6372b3 Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Thu, 12 Oct 2023 09:57:18 -0400
Subject: [PATCH 8/8] Change note

---
 ...023-10-12-sync-local-and-remote-dataflow-configurations.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 java/ql/lib/change-notes/2023-10-12-sync-local-and-remote-dataflow-configurations.md

diff --git a/java/ql/lib/change-notes/2023-10-12-sync-local-and-remote-dataflow-configurations.md b/java/ql/lib/change-notes/2023-10-12-sync-local-and-remote-dataflow-configurations.md
new file mode 100644
index 00000000000..7e512093fb4
--- /dev/null
+++ b/java/ql/lib/change-notes/2023-10-12-sync-local-and-remote-dataflow-configurations.md
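Review bot: The new right-shift barrier in isBarrier is flow-insensitive: `exists(RightShiftOp e | e.getShiftedVariable().getAnAccess() = node.asExpr())` makes every access of a variable a barrier as soon as that variable is right-shifted anywhere, including accesses that precede the shift or sit on an unrelated path, so a narrowing cast of the unshifted value is no longer reported. That is presumably a precision trade-off inherited from the remote configuration, but it deserves a comment, e.g. `// Any variable that is right-shifted somewhere is treated as range-limited at all of its accesses (flow-insensitive).` The first hunk's added `sink.asExpr() instanceof VarAccess` likewise narrows the sinks to variable reads, so a narrowing cast applied directly to a call result is no longer a sink; a short comment stating that intended scope would help there too. Both the isSink and isBarrier bodies are complete inside their hunks, while NumericCastLocalFlowConfig begins before the first hunk.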
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `isBarrier`, `isBarrierIn`, `isBarrierOut`, and `isAdditionalFlowStep` methods of the taint-tracking configurations for local queries in the `ArithmeticTaintedLocalQuery`, `ExternallyControlledFormatStringLocalQuery`, `ImproperValidationOfArrayIndexQuery`, `NumericCastTaintedQuery`, `ResponseSplittingLocalQuery`, `SqlTaintedLocalQuery`, and `XssLocalQuery` libraries have been changed to match their remote counterpart configurations.