Java: move config to Query.qll file

2026-04-25 00:35:20 +02:00 · 2023-11-20 16:56:41 -05:00
parent 0d38a9625e
commit 2793f28428
5 changed files with 105 additions and 46 deletions
--- a/java/ql/lib/semmle/code/java/Jsf.qll
+++ b/java/ql/lib/semmle/code/java/Jsf.qll
@@ -0,0 +1,35 @@
+/**
+ * Provides classes and predicates for working with the Java Server Faces (JSF).
+ */
+
+// TODO: COMBINE WITH EXISTING JSF-RELATED QLL FILES!
+import java
+
+/**
+ * The JSF class `ExternalContext` for processing HTTP requests.
+ */
+class ExternalContext extends RefType {
+  ExternalContext() {
+    this.hasQualifiedName(["javax.faces.context", "jakarta.faces.context"], "ExternalContext")
+  }
+}
+
+/**
+ * The method `getResource()` declared in JSF `ExternalContext`.
+ */
+class GetFacesResourceMethod extends Method {
+  GetFacesResourceMethod() {
+    this.getDeclaringType().getASupertype*() instanceof ExternalContext and
+    this.hasName("getResource")
+  }
+}
+
+/**
+ * The method `getResourceAsStream()` declared in JSF `ExternalContext`.
+ */
+class GetFacesResourceAsStreamMethod extends Method {
+  GetFacesResourceAsStreamMethod() {
+    this.getDeclaringType().getASupertype*() instanceof ExternalContext and
+    this.hasName("getResourceAsStream")
+  }
+}
--- a/java/ql/lib/semmle/code/java/SpringResource.qll
+++ b/java/ql/lib/semmle/code/java/SpringResource.qll
@@ -0,0 +1,22 @@
+/**
+ * Provides classes for working with resource loading in Spring.
+ */
+
+// TODO: COMBINE WITH EXISTING SPRING-RELATED QLL FILES!
+import java
+private import semmle.code.java.dataflow.FlowSources
+
+/** A utility class for resolving resource locations to files in the file system in the Spring framework. */
+class ResourceUtils extends Class {
+  ResourceUtils() { this.hasQualifiedName("org.springframework.util", "ResourceUtils") }
+}
+
+/**
+ * A method declared in `org.springframework.util.ResourceUtils` that loads Spring resources.
+ */
+class GetResourceUtilsMethod extends Method {
+  GetResourceUtilsMethod() {
+    this.getDeclaringType().getASupertype*() instanceof ResourceUtils and
+    this.hasName(["extractArchiveURL", "extractJarFileURL", "getFile", "getURL"])
+  }
+}
--- a/java/ql/lib/semmle/code/java/security/UnsafeUrlForward.qll
+++ b/java/ql/lib/semmle/code/java/security/UnsafeUrlForward.qll
@@ -1,10 +1,10 @@
 import java
-private import experimental.semmle.code.java.frameworks.Jsf
+private import semmle.code.java.Jsf
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.StringPrefixes
 private import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions
-private import experimental.semmle.code.java.frameworks.SpringResource
+private import semmle.code.java.SpringResource

 /** A sink for unsafe URL forward vulnerabilities. */
 abstract class UnsafeUrlForwardSink extends DataFlow::Node { }
--- a/java/ql/lib/semmle/code/java/security/UnsafeUrlForwardQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UnsafeUrlForwardQuery.qll
@@ -0,0 +1,45 @@
+import java
+import semmle.code.java.security.UnsafeUrlForward
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.Jsf
+import semmle.code.java.security.PathSanitizer
+
+module UnsafeUrlForwardFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source instanceof ThreatModelFlowSource and
+    not exists(MethodCall ma, Method m | ma.getMethod() = m |
+      (
+        m instanceof HttpServletRequestGetRequestUriMethod or
+        m instanceof HttpServletRequestGetRequestUrlMethod or
+        m instanceof HttpServletRequestGetPathMethod
+      ) and
+      ma = source.asExpr()
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeUrlForwardSink }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof UnsafeUrlForwardSanitizer or
+    node instanceof PathInjectionSanitizer
+  }
+
+  DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+  predicate isAdditionalFlowStep(DataFlow::Node prev, DataFlow::Node succ) {
+    exists(MethodCall ma |
+      (
+        ma.getMethod() instanceof GetServletResourceMethod or
+        ma.getMethod() instanceof GetFacesResourceMethod or
+        ma.getMethod() instanceof GetClassResourceMethod or
+        ma.getMethod() instanceof GetClassLoaderResourceMethod or
+        ma.getMethod() instanceof GetWildflyResourceMethod
+      ) and
+      ma.getArgument(0) = prev.asExpr() and
+      ma = succ.asExpr()
+    )
+  }
+}
+
+module UnsafeUrlForwardFlow = TaintTracking::Global<UnsafeUrlForwardFlowConfig>;
--- a/java/ql/src/Security/CWE/CWE-552/UnsafeUrlForward.ql
+++ b/java/ql/src/Security/CWE/CWE-552/UnsafeUrlForward.ql
@@ -11,52 +11,9 @@
 */

 import java
-import UnsafeUrlForward
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.dataflow.TaintTracking
-import experimental.semmle.code.java.frameworks.Jsf
-import semmle.code.java.security.PathSanitizer
+import semmle.code.java.security.UnsafeUrlForwardQuery
 import UnsafeUrlForwardFlow::PathGraph

-module UnsafeUrlForwardFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source instanceof ThreatModelFlowSource and
-    not exists(MethodCall ma, Method m | ma.getMethod() = m |
-      (
-        m instanceof HttpServletRequestGetRequestUriMethod or
-        m instanceof HttpServletRequestGetRequestUrlMethod or
-        m instanceof HttpServletRequestGetPathMethod
-      ) and
-      ma = source.asExpr()
-    )
-  }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeUrlForwardSink }
-
-  predicate isBarrier(DataFlow::Node node) {
-    node instanceof UnsafeUrlForwardSanitizer or
-    node instanceof PathInjectionSanitizer
-  }
-
-  DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
-
-  predicate isAdditionalFlowStep(DataFlow::Node prev, DataFlow::Node succ) {
-    exists(MethodCall ma |
-      (
-        ma.getMethod() instanceof GetServletResourceMethod or
-        ma.getMethod() instanceof GetFacesResourceMethod or
-        ma.getMethod() instanceof GetClassResourceMethod or
-        ma.getMethod() instanceof GetClassLoaderResourceMethod or
-        ma.getMethod() instanceof GetWildflyResourceMethod
-      ) and
-      ma.getArgument(0) = prev.asExpr() and
-      ma = succ.asExpr()
-    )
-  }
-}
-
-module UnsafeUrlForwardFlow = TaintTracking::Global<UnsafeUrlForwardFlowConfig>;
-
 from UnsafeUrlForwardFlow::PathNode source, UnsafeUrlForwardFlow::PathNode sink
 where UnsafeUrlForwardFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Potentially untrusted URL forward due to $@.",