From 24e01104a20d36d434e5cda241124d8700bf47a8 Mon Sep 17 00:00:00 2001 From: tiferet Date: Mon, 13 Feb 2023 14:43:58 -0800 Subject: [PATCH] As part of the metadata extraction predicate, surface whether or not the argument is being passed to an external API --- .../adaptivethreatmodeling/EndpointCharacteristics.qll | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll index 0b13c7bac95..db7cbb94114 100644 --- a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll +++ b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll @@ -96,7 +96,8 @@ predicate isTypeAccess(DataFlow::Node n) { n.asExpr() instanceof TypeAccess } predicate hasMetadata(DataFlow::Node n, string metadata) { exists( Callable callee, Call call, string package, string type, boolean subtypes, string name, - string signature, string ext, int input, string provenance, boolean isPublic + string signature, string ext, int input, string provenance, boolean isPublic, + boolean isExternalApiDataNode | n.asExpr() = call.getArgument(input) and callee = call.getCallee() and @@ -112,11 +113,16 @@ predicate hasMetadata(DataFlow::Node n, string metadata) { ext = "" and // see https://github.slack.com/archives/CP9127VUK/p1673979477496069 provenance = "manual" and // TODO (if callee.isPublic() then isPublic = true else isPublic = false) and + ( + if n instanceof ExternalAPIs::ExternalApiDataNode + then isExternalApiDataNode = true + else isExternalApiDataNode = false + ) and metadata = "{'Package': '" + package + "', 'Type': '" + type + "', 'Subtypes': " + subtypes + ", 'Name': '" + name + "', 'Signature': '" + signature + "', 'Ext': '" + ext + "', 'Argument index': " + input + ", 'Provenance': '" + provenance + "', 'Is public': " + - isPublic + "}" // TODO: Why are the curly braces added twice? + isPublic + ", 'Is passed to external API': " + isExternalApiDataNode + "}" // TODO: Why are the curly braces added twice? ) }