Merge pull request #6600 from atorralba/atorralba/fix-conditionalbypass

Java: Fix performance of the query User-controlled bypass of sensitive method
This commit is contained in:
Anders Schack-Mulligen
2021-09-17 16:07:39 +02:00
committed by GitHub
11 changed files with 189 additions and 113 deletions


@@ -0,0 +1,35 @@
/**
* Provides classes to be used in queries related to vulnerabilities
* about unstrusted input being used in security decisions.
*/
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.SensitiveActions
import semmle.code.java.controlflow.Guards
/**
* Holds if `ma` is controlled by the condition expression `e`.
*/
predicate conditionControlsMethod(MethodAccess ma, Expr e) {
exists(ConditionBlock cb, SensitiveExecutionMethod m, boolean cond |
ma.getMethod() = m and
cb.controls(ma.getBasicBlock(), cond) and
not cb.controls(any(SensitiveExecutionMethod sem).getAReference().getBasicBlock(),
cond.booleanNot()) and
not cb.controls(any(ThrowStmt t).getBasicBlock(), cond.booleanNot()) and
not cb.controls(any(ReturnStmt r).getBasicBlock(), cond.booleanNot()) and
e = cb.getCondition()
)
}
/**
* A taint tracking configuration for untrusted data flowing to sensitive conditions.
*/
class ConditionalBypassFlowConfig extends TaintTracking::Configuration {
ConditionalBypassFlowConfig() { this = "ConditionalBypassFlowConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { conditionControlsMethod(_, sink.asExpr()) }
}
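Review bot: `isSink` on the last line admits only a node whose expression is the complete condition (`e = cb.getCondition()`), so a condition such as `role.equals("admin")` or `level > 3` is a sink only when taint reaches the `equals` result or the comparison itself; as far as I can tell the default Java taint steps do not propagate from an operand or qualifier to such a result, so remote data compared inside the condition would go unreported. If sub-expressions are meant to count, something like `exists(Expr e | conditionControlsMethod(_, e) | sink.asExpr() = e.getAChildExpr*())` would cover them, with the query's `select` adjusted to match. Minor: the `SensitiveExecutionMethod m` variable in `conditionControlsMethod` is bound once and never reused, so `ma.getMethod() instanceof SensitiveExecutionMethod` reads more directly. The file comment has a typo, `unstrusted` should be `untrusted`.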


@@ -80,17 +80,12 @@ abstract class SensitiveExecutionMethod extends Method { }
class AuthMethod extends SensitiveExecutionMethod {
AuthMethod() {
exists(string s | s = this.getName().toLowerCase() |
(
s.matches("%login%") or
s.matches("%auth%")
) and
not (
s.matches("get%") or
s.matches("set%") or
s.matches("parse%") or
s.matches("%loginfo%")
)
)
s.matches(["%login%", "%auth%"]) and
not s.matches(["get%", "set%", "parse%", "%loginfo%", "remove%", "clean%", "%unauth%"]) and
// exclude "author", but not "authorize" or "authority"
not s.regexpMatch(".*[aA]uthors?([A-Z0-9_].*|$)")
) and
not this.getDeclaringType().getASupertype*() instanceof TypeException
}
}
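Review bot: The new regexp on the last added line is matched against `s`, which the unchanged `exists` binding lower-cases (`this.getName().toLowerCase()`), so the `[A-Z]` alternative and the `A` in `[aA]` can never match and only names that end in `author`/`authors` or continue with a digit or underscore are excluded; camel-case names such as `authorName` or `authorsOf` still satisfy `%auth%` and are classed as sensitive authentication methods, contrary to the comment's stated intent. Matching the original-case name keeps the word boundary the pattern is looking for: `not this.getName().regexpMatch(".*[aA]uthors?([A-Z0-9_].*|$)")`. The lower-case `matches` alternatives on the preceding lines are unaffected, since they contain no upper-case characters.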