From 2468bd978b13e277a16c3d18e0394db0f92792ec Mon Sep 17 00:00:00 2001 
From: Jonas Jensen Date: Wed, 13 Nov 2024 11:20:39 +0100 Subject: [PATCH] Java: Make taint-tracking queries speculative I've considered every query in the code-scanning suite (high-precision security queries). Taint-tracking queries made speculative: - java/ql/src/Security/CWE/CWE-022/TaintedPath.ql - java/ql/src/Security/CWE/CWE-022/ZipSlip.ql - java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql - java/ql/src/Security/CWE/CWE-074/JndiInjection.ql - java/ql/src/Security/CWE/CWE-074/XsltInjection.ql - java/ql/src/Security/CWE/CWE-078/ExecTainted.ql - java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql - java/ql/src/Security/CWE/CWE-079/XSS.ql - java/ql/src/Security/CWE/CWE-089/SqlTainted.ql - java/ql/src/Security/CWE/CWE-090/LdapInjection.ql - java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql - java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql - java/ql/src/Security/CWE/CWE-094/JexlInjection.ql - java/ql/src/Security/CWE/CWE-094/MvelInjection.ql - java/ql/src/Security/CWE/CWE-094/SpelInjection.ql - java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql - java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql - java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql - java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql - java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql - java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql - java/ql/src/Security/CWE/CWE-330/InsecureRandomness.ql - java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql - java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql - java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql - java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql - java/ql/src/Security/CWE/CWE-552/UrlForward.ql - java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql - java/ql/src/Security/CWE/CWE-611/XXE.ql - java/ql/src/Security/CWE/CWE-643/XPathInjection.ql - java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql - 
java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql - java/ql/src/Security/CWE/CWE-730/RegexInjection.ql - java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql - java/ql/src/Security/CWE/CWE-918/RequestForgery.ql - java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql - java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql Skipped because they're problem queries, not path-problem, even though they use taint tracking: - java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql - java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql - java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql - java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql - java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql Skipped because they use data flow, not taint tracking - java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql - java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql - java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql - java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql - java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql - java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql - java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql - java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql --- java/ql/lib/Customizations.qll | 3 +++ .../code/java/security/AndroidIntentRedirectionQuery.qll | 3 ++- .../semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/CommandLineQuery.qll | 3 ++- .../java/security/ExternallyControlledFormatStringQuery.qll | 2 +- .../lib/semmle/code/java/security/FragmentInjectionQuery.qll | 3 ++- .../lib/semmle/code/java/security/GroovyInjectionQuery.qll | 3 ++- .../code/java/security/ImplicitPendingIntentsQuery.qll | 2 +- .../code/java/security/InsecureBeanValidationQuery.qll | 2 +- .../lib/semmle/code/java/security/InsecureLdapAuthQuery.qll | 3 ++- .../semmle/code/java/security/InsecureRandomnessQuery.qll | 3 ++- 
.../java/security/IntentUriPermissionManipulationQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll | 3 ++- java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll | 3 ++- .../semmle/code/java/security/NumericCastTaintedQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll | 3 ++- .../semmle/code/java/security/PartialPathTraversalQuery.qll | 2 +- .../lib/semmle/code/java/security/RequestForgeryConfig.qll | 2 +- .../lib/semmle/code/java/security/ResponseSplittingQuery.qll | 3 ++- java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll | 2 +- .../code/java/security/StaticInitializationVectorQuery.qll | 3 ++- java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll | 2 +- .../lib/semmle/code/java/security/TemplateInjectionQuery.qll | 2 +- .../code/java/security/UnsafeContentUriResolutionQuery.qll | 3 ++- .../semmle/code/java/security/UnsafeDeserializationQuery.qll | 5 ++++- java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll | 2 +- .../ql/lib/semmle/code/java/security/XPathInjectionQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll | 3 ++- java/ql/lib/semmle/code/java/security/XssQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll | 2 +- .../code/java/security/regexp/PolynomialReDoSQuery.qll | 3 ++- .../semmle/code/java/security/regexp/RegexInjectionQuery.qll | 2 +- 37 files changed, 56 insertions(+), 36 deletions(-)
diff --git a/java/ql/lib/Customizations.qll b/java/ql/lib/Customizations.qll
index 1f5716726e3..d14dbc6c08b 100644
--- a/java/ql/lib/Customizations.qll
+++ b/java/ql/lib/Customizations.qll
@@ -10,3 +10,6 @@
  */
 import java
+
+// For the hackathon, make speculative data flow tunable from a central location
+int speculativity() { result = 5 }
diff --git a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll
index 109300458d2..c7b7e9e1d71 100644
--- a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll
@@ -23,7 +23,8 @@ module IntentRedirectionConfig implements DataFlow::ConfigSig {
 }
 /** Tracks the flow of tainted Intents being used to start Android components. */
-module IntentRedirectionFlow = TaintTracking::Global;
+module IntentRedirectionFlow =
+  TaintTracking::SpeculativeGlobal;
 /**
  * A sanitizer for sinks that receive the original incoming Intent,
diff --git a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
index bfd48b24e80..b6ae742fc19 100644
--- a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
@@ -36,4 +36,4 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow for use of broken or risky cryptographic algorithms.
  */
-module InsecureCryptoFlow = TaintTracking::Global;
+module InsecureCryptoFlow = TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
index af5476f8b3d..bad30385688 100644
--- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
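Review bot: `int speculativity() { result = 5 }` is a new public predicate in `Customizations.qll`, the file that ships as the user-extension hook for the whole Java library, and it carries only a `//` line saying it is for the hackathon rather than QLDoc, so every consumer of the pack inherits an undocumented speculation bound of 5 with nothing stating what the number means. I would give it QLDoc such as `/** Gets the bound passed to the speculative taint-tracking flow modules (hackathon default; presumably the number of speculative steps allowed per path — confirm against TaintTracking::SpeculativeGlobal). */` and state the experimental status there rather than in a line comment. Note that this rendering has stripped the generic arguments of `TaintTracking::Global<…>` and `SpeculativeGlobal<…>`, so which predicate each flow module actually receives as its bound cannot be checked from the text shown.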
@@ -68,7 +68,8 @@ deprecated module RemoteUserInputToArgumentToExecFlowConfig = InputToArgumentToE
 /**
  * Taint-tracking flow for unvalidated input that is used to run an external process.
  */
-module InputToArgumentToExecFlow = TaintTracking::Global;
+module InputToArgumentToExecFlow =
+  TaintTracking::SpeculativeGlobal;
 /**
  * DEPRECATED: Use `InputToArgumentToExecFlow` instead.
diff --git a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll
index da440e0cd2c..882bbbac913 100644
--- a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll
@@ -31,4 +31,4 @@ module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {
  * Taint-tracking flow for externally controlled format string vulnerabilities.
  */
 module ExternallyControlledFormatStringFlow =
-  TaintTracking::Global;
+  TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll
index 40636ffd8c2..8e9abdc34f9 100644
--- a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll
@@ -25,4 +25,5 @@ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
  * Taint-tracking flow for unsafe user input
  * that is used to create Android fragments dynamically.
  */
-module FragmentInjectionTaintFlow = TaintTracking::Global;
+module FragmentInjectionTaintFlow =
+  TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll
index b497873b9bb..27e57d5743b 100644
--- a/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll
@@ -25,4 +25,5 @@ module GroovyInjectionConfig implements DataFlow::ConfigSig {
  * Detect taint flow of unsafe user input
  * that is used to evaluate a Groovy expression.
  */
-module GroovyInjectionFlow = TaintTracking::Global;
+module GroovyInjectionFlow =
+  TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll
index a57f643d817..196cba8b8bc 100644
--- a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll
@@ -53,4 +53,4 @@ module ImplicitPendingIntentStartConfig implements DataFlow::StateConfigSig {
 }
 module ImplicitPendingIntentStartFlow =
-  TaintTracking::GlobalWithState;
+  TaintTracking::SpeculativeGlobalWithState;
diff --git a/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll
index e1c840ce264..040af1cb137 100644
--- a/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll
@@ -54,7 +54,7 @@ module BeanValidationConfig implements DataFlow::ConfigSig {
 }
 /** Tracks flow from user input to the argument of a method that builds constraint error messages. */
-module BeanValidationFlow = TaintTracking::Global;
+module BeanValidationFlow = TaintTracking::SpeculativeGlobal;
 /**
  * A bean validation sink, such as method `buildConstraintViolationWithTemplate`
diff --git a/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll
index 94d80b9b37b..49bb6eee07c 100644
--- a/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll
@@ -26,7 +26,8 @@ module InsecureLdapUrlConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 }
-module InsecureLdapUrlFlow = TaintTracking::Global;
+module InsecureLdapUrlFlow =
+  TaintTracking::SpeculativeGlobal;
 /**
  * A taint-tracking configuration for `simple` basic-authentication in LDAP configuration.
diff --git a/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll
index 77da25d3586..43058731352 100644
--- a/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll
@@ -103,4 +103,5 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow of a Insecurely random value into a sensitive sink.
  */
-module InsecureRandomnessFlow = TaintTracking::Global;
+module InsecureRandomnessFlow =
+  TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll
index 5ac8024d81f..90bc7945d95 100644
--- a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll
@@ -31,4 +31,4 @@ module IntentUriPermissionManipulationConfig implements DataFlow::ConfigSig {
  * Taint tracking flow for user-provided Intents being returned to third party apps.
  */
 module IntentUriPermissionManipulationFlow =
-  TaintTracking::Global;
+  TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll
index 4ad1dd3ba31..f82a47985a7 100644
--- a/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll
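Review bot: Only `InsecureLdapUrlFlow` is switched to `TaintTracking::SpeculativeGlobal` in the `InsecureLdapAuthQuery.qll` hunk, while the context line right after it opens the file's second configuration (the one for `simple` basic-authentication), whose flow module lies outside the hunk and, going by this file's diffstat of 2 additions and 1 deletion, was left on plain `TaintTracking::Global`. `InsecureLdapAuth.ql` is in the list of queries made speculative, yet only one of the two flows it combines now admits speculative steps, which makes its results harder to reason about. Either switch the basic-auth flow module too, or record the asymmetry where the next reader will look, e.g. `/** Tracks LDAP URLs to connection setup; speculative, unlike the basic-auth flow below. */` above `InsecureLdapUrlFlow`.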
@@ -59,7 +59,7 @@ module JexlInjectionConfig implements DataFlow::ConfigSig {
  * Tracks unsafe user input that is used to construct and evaluate a JEXL expression.
  * It supports both JEXL 2 and 3.
  */
-module JexlInjectionFlow = TaintTracking::Global;
+module JexlInjectionFlow = TaintTracking::SpeculativeGlobal;
 /**
  * Holds if `n1` to `n2` is a dataflow step that creates a JEXL script using an unsafe engine
diff --git a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll
index f50787fef02..e0a0de10f20 100644
--- a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll
@@ -28,7 +28,8 @@ module JndiInjectionFlowConfig implements DataFlow::ConfigSig {
 }
 /** Tracks flow of unvalidated user input that is used in JNDI lookup */
-module JndiInjectionFlow = TaintTracking::Global;
+module JndiInjectionFlow =
+  TaintTracking::SpeculativeGlobal;
 /**
  * A method that does a JNDI lookup when it receives a `SearchControls` argument with `setReturningObjFlag` = `true`
diff --git a/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll
index ef27fa3cd16..2b56cba55e7 100644
--- a/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll
@@ -22,4 +22,4 @@ module LdapInjectionFlowConfig implements DataFlow::ConfigSig {
 }
 /** Tracks flow from remote sources to LDAP injection vulnerabilities. */
-module LdapInjectionFlow = TaintTracking::Global;
+module LdapInjectionFlow = TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll
index d0f6e02357b..00b40c53d4b 100644
--- a/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll
@@ -24,4 +24,5 @@ module MvelInjectionFlowConfig implements DataFlow::ConfigSig {
 }
 /** Tracks flow of unsafe user input that is used to construct and evaluate a MVEL expression. */
-module MvelInjectionFlow = TaintTracking::Global;
+module MvelInjectionFlow =
+  TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
index 7efa6e03062..ca65df0fea2 100644
--- a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
@@ -109,7 +109,7 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow for user input that is used in a numeric cast.
  */
-module NumericCastFlow = TaintTracking::Global;
+module NumericCastFlow = TaintTracking::SpeculativeGlobal;
 /**
  * A taint-tracking configuration for reasoning about local user input that is
diff --git a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll
index d9bfad41259..2ee03478b69 100644
--- a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll
@@ -23,4 +23,5 @@ module OgnlInjectionFlowConfig implements DataFlow::ConfigSig {
 }
 /** Tracks flow of unvalidated user input that is used in OGNL EL evaluation. */
-module OgnlInjectionFlow = TaintTracking::Global;
+module OgnlInjectionFlow =
+  TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll b/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll
index 78b9098beee..c71849ce0a3 100644
--- a/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll
@@ -23,4 +23,4 @@ module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig {
 /** Tracks flow of unsafe user input that is used to validate against path traversal, but is insufficient and remains vulnerable to Partial Path Traversal. */
 module PartialPathTraversalFromRemoteFlow =
-  TaintTracking::Global;
+  TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll
index ec4bbaf8d09..ba1d3b8be15 100644
--- a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll
+++ b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll
@@ -32,4 +32,4 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 }
-module RequestForgeryFlow = TaintTracking::Global;
+module RequestForgeryFlow = TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll
index 9bd96a51a68..7dab4e12351 100644
--- a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll
@@ -38,4 +38,5 @@ module ResponseSplittingConfig implements DataFlow::ConfigSig {
 /**
  * Tracks flow from remote sources to response splitting vulnerabilities.
  */
-module ResponseSplittingFlow = TaintTracking::Global;
+module ResponseSplittingFlow =
+  TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll
index a982b094ee4..285fe7de620 100644
--- a/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll
@@ -23,7 +23,7 @@ module SpelInjectionConfig implements DataFlow::ConfigSig {
 }
 /** Tracks flow of unsafe user input that is used to construct and evaluate a SpEL expression. */
-module SpelInjectionFlow = TaintTracking::Global;
+module SpelInjectionFlow = TaintTracking::SpeculativeGlobal;
 /** Default sink for SpEL injection vulnerabilities. */
 private class DefaultSpelExpressionEvaluationSink extends SpelExpressionEvaluationSink {
diff --git a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
index 0aaf46cf2dd..d641ca7f20f 100644
--- a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
@@ -27,7 +27,7 @@ module QueryInjectionFlowConfig implements DataFlow::ConfigSig {
 }
 /** Tracks flow of unvalidated user input that is used in SQL queries. */
-module QueryInjectionFlow = TaintTracking::Global;
+module QueryInjectionFlow = TaintTracking::SpeculativeGlobal;
 /**
  * Implementation of `SqlTainted.ql`. This is extracted to a QLL so that it
diff --git a/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll b/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll
index 282133ec5c6..2dd71116ef2 100644
--- a/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll
@@ -131,4 +131,5 @@ module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
 }
 /** Tracks the flow from a static initialization vector to the initialization of a cipher */
-module StaticInitializationVectorFlow = TaintTracking::Global;
+module StaticInitializationVectorFlow =
+  TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll
index 6726bcc3508..b506ec30dba 100644
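Review bot: In the `SqlInjectionQuery.qll` hunk the QLDoc `/** Tracks flow of unvalidated user input that is used in SQL queries. */` is left untouched although `QueryInjectionFlow` now uses `TaintTracking::SpeculativeGlobal`, so a reader of the library cannot tell that a reported path may rest on speculative taint steps rather than on modelled flow; the same gap exists for every flow module switched in this series. The commit message places `SqlTainted.ql` in the code-scanning suite of high-precision queries, and a speculative flow trades precision for recall, so the change should surface both in the module docs and in the query's `@precision` metadata, which this commit does not touch. I would write `/** Tracks flow of unvalidated user input that is used in SQL queries. Speculative: may report flow through taint steps that are not explicitly modelled. */`, leaving the exact meaning of the bound to the predicate's own QLDoc since the generic arguments are not visible in this rendering.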
--- a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll
@@ -77,7 +77,7 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
 }
 /** Tracks flow from remote sources to the creation of a path. */
-module TaintedPathFlow = TaintTracking::Global;
+module TaintedPathFlow = TaintTracking::SpeculativeGlobal;
 /**
  * A taint-tracking configuration for tracking flow from local user input to the creation of a path.
diff --git a/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll
index 536c8f33daf..2128e074fac 100644
--- a/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll
@@ -21,4 +21,4 @@ module TemplateInjectionFlowConfig implements DataFlow::ConfigSig {
 }
 /** Tracks server-side template injection (SST) vulnerabilities */
-module TemplateInjectionFlow = TaintTracking::Global;
+module TemplateInjectionFlow = TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll
index d072de05c1c..2b1b39c1446 100644
--- a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll
@@ -25,4 +25,5 @@ module UnsafeContentResolutionConfig implements DataFlow::ConfigSig {
 }
 /** Taint-tracking flow to find paths from remote sources to content URI resolutions. */
-module UnsafeContentResolutionFlow = TaintTracking::Global;
+module UnsafeContentResolutionFlow =
+  TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
index 9a627d54c5a..d2c536ffb60 100644
--- a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
@@ -329,7 +329,10 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 }
-module UnsafeDeserializationFlow = TaintTracking::Global;
+int speculationLimit() { result = 10 }
+
+module UnsafeDeserializationFlow =
+  TaintTracking::SpeculativeGlobal;
 /**
  * Gets a safe usage of the `use` method of Flexjson, which could be:
diff --git a/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll b/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll
index bc3b4000927..fcd72792516 100644
--- a/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll
@@ -202,4 +202,4 @@ module UrlForwardFlowConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow for URL forwarding.
  */
-module UrlForwardFlow = TaintTracking::Global;
+module UrlForwardFlow = TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll b/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll
index 26d133d4adb..39eb4b85862 100644
--- a/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll
@@ -20,4 +20,4 @@ module UrlRedirectConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow for URL redirections.
  */
-module UrlRedirectFlow = TaintTracking::Global;
+module UrlRedirectFlow = TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll
index e387f0d0e11..0a19063c5f0 100644
--- a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll
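Review bot: `int speculationLimit() { result = 10 }` in the `UnsafeDeserializationQuery.qll` hunk introduces a second, file-local knob beside the `speculativity()` that `Customizations.qll` gains in this same commit so that the bound is "tunable from a central location", and it uses a different value (10 against 5), so the deserialization query is tuned apart from the other thirty-odd queries with nothing recording why. It is also a public predicate without QLDoc, exported from the library module right after a config that is itself declared `private module`. Either drop it in favour of the shared predicate, or keep it as `private int speculationLimit() { result = 10 }` with a QLDoc line stating why deserialization needs the larger bound (presumably longer call chains through deserializer APIs — confirm); the generic arguments are stripped in this rendering, so which of the two predicates `UnsafeDeserializationFlow` actually receives cannot be verified from the text shown.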
@@ -19,4 +19,4 @@ module XPathInjectionConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow for XPath injection vulnerabilities.
  */
-module XPathInjectionFlow = TaintTracking::Global;
+module XPathInjectionFlow = TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll
index 7ff745a057c..356152ce74c 100644
--- a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll
@@ -27,7 +27,8 @@ module XsltInjectionFlowConfig implements DataFlow::ConfigSig {
 /**
  * Tracks flow from unvalidated user input to XSLT transformation.
  */
-module XsltInjectionFlow = TaintTracking::Global;
+module XsltInjectionFlow =
+  TaintTracking::SpeculativeGlobal;
 /**
  * A set of additional taint steps to consider when taint tracking XSLT related data flows.
diff --git a/java/ql/lib/semmle/code/java/security/XssQuery.qll b/java/ql/lib/semmle/code/java/security/XssQuery.qll
index c0d7035a4f9..1b6199bafae 100644
--- a/java/ql/lib/semmle/code/java/security/XssQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XssQuery.qll
@@ -25,4 +25,4 @@ module XssConfig implements DataFlow::ConfigSig {
 }
 /** Tracks flow from remote sources to cross site scripting vulnerabilities. */
-module XssFlow = TaintTracking::Global;
+module XssFlow = TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll b/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll
index ecfdb7c4ae1..e418060a43a 100644
--- a/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll
@@ -25,4 +25,4 @@ module XxeConfig implements DataFlow::ConfigSig {
 /**
  * Detect taint flow of unvalidated remote user input that is used in XML external entity expansion.
  */
-module XxeFlow = TaintTracking::Global;
+module XxeFlow = TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
index 9e2e5e4a6c7..de1597aa781 100644
--- a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
@@ -48,7 +48,7 @@ module ZipSlipConfig implements DataFlow::ConfigSig {
 }
 /** Tracks flow from archive entries to file creation. */
-module ZipSlipFlow = TaintTracking::Global;
+module ZipSlipFlow = TaintTracking::SpeculativeGlobal;
 /**
  * A sink that represents a file creation, such as a file write, copy or move operation.
diff --git a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
index ba65e13dd61..ce164f20711 100644
--- a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
@@ -49,4 +49,5 @@ module PolynomialRedosConfig implements DataFlow::ConfigSig {
   }
 }
-module PolynomialRedosFlow = TaintTracking::Global;
+module PolynomialRedosFlow =
+  TaintTracking::SpeculativeGlobal;
diff --git a/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll
index 533482a8af1..b9d30cf57a0 100644
--- a/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll
@@ -21,4 +21,4 @@ module RegexInjectionConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow for untrusted user input used to construct regular expressions.
  */
-module RegexInjectionFlow = TaintTracking::Global;
+module RegexInjectionFlow = TaintTracking::SpeculativeGlobal;