Convert experimental queries' isBarrier to use instanceof SimpleScalarSanitizer
@@ -19,6 +19,7 @@ import java
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.dataflow.ExternalFlow
|
||||
private import semmle.code.java.security.dataflow.CommonSanitizers
|
||||
import Log4jInjectionFlow::PathGraph
|
||||
|
||||
private class ActivateModels extends ActiveExperimentalModels {
|
||||
@@ -33,11 +34,7 @@ class Log4jInjectionSink extends DataFlow::Node {
|
||||
/**
|
||||
* A node that sanitizes a message before logging to avoid log injection.
|
||||
*/
|
||||
class Log4jInjectionSanitizer extends DataFlow::Node {
|
||||
Log4jInjectionSanitizer() {
|
||||
this.getType() instanceof BoxedType or this.getType() instanceof PrimitiveType
|
||||
}
|
||||
}
|
||||
class Log4jInjectionSanitizer extends DataFlow::Node instanceof SimpleScalarSanitizer { }
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for tracking untrusted user input used in log entries.
|
||||
|
||||
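Review bot: The predicates replaced in this commit were not all the same set, so swapping every one of them for `SimpleScalarSanitizer` cannot be a pure refactor for each query. The old `Log4jInjectionSanitizer` here matched only `BoxedType` and `PrimitiveType`, while the two MyBatis `isBarrier` predicates and `PrimitiveSanitizer` in the unsafe-url-forward library also matched `NumberType`. The definition of `SimpleScalarSanitizer` is not visible on this page, so either this barrier widens (and flows through the extra types stop being reported) or those three lose `NumberType`; the same question applies to `InjectFilePathConfig`, `ExecCmdFlowConfig`, `ExecUserFlowConfig` and `ClientSuppliedIpUsedInSecurityCheckConfig`. I would extend the QLDoc above this class with a line such as `* Delegates to SimpleScalarSanitizer, which defines the exact set of types treated as safe.` and confirm that the expected test output of each affected query is unchanged or deliberately updated.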
@@ -18,6 +18,7 @@ import semmle.code.java.dataflow.ExternalFlow
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import JFinalController
|
||||
import semmle.code.java.security.PathSanitizer
|
||||
private import semmle.code.java.security.dataflow.CommonSanitizers
|
||||
import InjectFilePathFlow::PathGraph
|
||||
|
||||
private class ActivateModels extends ActiveExperimentalModels {
|
||||
@@ -56,7 +57,7 @@ module InjectFilePathConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) {
|
||||
exists(Type t | t = node.getType() | t instanceof BoxedType or t instanceof PrimitiveType)
|
||||
node instanceof SimpleScalarSanitizer
|
||||
or
|
||||
node instanceof PathInjectionSanitizer
|
||||
}
|
||||
|
||||
@@ -2,6 +2,7 @@ import java
|
||||
import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
private import semmle.code.java.security.dataflow.CommonSanitizers
|
||||
|
||||
module ExecCmdFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
@@ -20,8 +21,7 @@ module ExecCmdFlowConfig implements DataFlow::ConfigSig {
|
||||
node instanceof AssignToNonZeroIndex or
|
||||
node instanceof ArrayInitAtNonZeroIndex or
|
||||
node instanceof StreamConcatAtNonZeroIndex or
|
||||
node.getType() instanceof PrimitiveType or
|
||||
node.getType() instanceof BoxedType
|
||||
node instanceof SimpleScalarSanitizer
|
||||
}
|
||||
}
|
||||
|
||||
@@ -41,10 +41,7 @@ module ExecUserFlowConfig implements DataFlow::ConfigSig {
|
||||
)
|
||||
}
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) {
|
||||
node.getType() instanceof PrimitiveType or
|
||||
node.getType() instanceof BoxedType
|
||||
}
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
|
||||
}
|
||||
|
||||
/** Tracks flow of unvalidated user input that is used in Runtime.Exec */
|
||||
|
||||
@@ -17,6 +17,7 @@ import MyBatisCommonLib
|
||||
import MyBatisAnnotationSqlInjectionLib
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
private import semmle.code.java.security.dataflow.CommonSanitizers
|
||||
import MyBatisAnnotationSqlInjectionFlow::PathGraph
|
||||
|
||||
private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig {
|
||||
@@ -24,11 +25,7 @@ private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSi
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisAnnotatedMethodCallArgument }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) {
|
||||
node.getType() instanceof PrimitiveType or
|
||||
node.getType() instanceof BoxedType or
|
||||
node.getType() instanceof NumberType
|
||||
}
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
exists(MethodCall ma |
|
||||
|
||||
@@ -17,6 +17,7 @@ import MyBatisCommonLib
|
||||
import MyBatisMapperXmlSqlInjectionLib
|
||||
import semmle.code.xml.MyBatisMapperXML
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
private import semmle.code.java.security.dataflow.CommonSanitizers
|
||||
import MyBatisMapperXmlSqlInjectionFlow::PathGraph
|
||||
|
||||
private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig {
|
||||
@@ -24,11 +25,7 @@ private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisMapperMethodCallAnArgument }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) {
|
||||
node.getType() instanceof PrimitiveType or
|
||||
node.getType() instanceof BoxedType or
|
||||
node.getType() instanceof NumberType
|
||||
}
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
exists(MethodCall ma |
|
||||
|
||||
@@ -14,6 +14,7 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.security.dataflow.CommonSanitizers
|
||||
import ClientSuppliedIpUsedInSecurityCheckLib
|
||||
import ClientSuppliedIpUsedInSecurityCheckFlow::PathGraph
|
||||
|
||||
@@ -38,9 +39,7 @@ module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::ConfigSig
|
||||
not aa.getIndexExpr().(CompileTimeConstantExpr).getIntValue() = 0
|
||||
)
|
||||
or
|
||||
node.getType() instanceof PrimitiveType
|
||||
or
|
||||
node.getType() instanceof BoxedType
|
||||
node instanceof SimpleScalarSanitizer
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
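Review bot: The import added at the top of this file is `import semmle.code.java.security.dataflow.CommonSanitizers`, without the `private` that every other file in this commit uses for the same module. In a query file the difference is probably harmless, and it may have been left public to match the neighbouring imports. For consistency with the rest of the change I would still write `private import semmle.code.java.security.dataflow.CommonSanitizers`.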
@@ -5,6 +5,7 @@ private import semmle.code.java.dataflow.FlowSources
|
||||
private import semmle.code.java.dataflow.StringPrefixes
|
||||
private import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions
|
||||
private import experimental.semmle.code.java.frameworks.SpringResource
|
||||
private import semmle.code.java.security.dataflow.CommonSanitizers
|
||||
|
||||
private class ActiveModels extends ActiveExperimentalModels {
|
||||
ActiveModels() { this = "unsafe-url-forward" }
|
||||
@@ -128,12 +129,7 @@ private class SpringModelAndViewSink extends UnsafeUrlForwardSink {
|
||||
}
|
||||
}
|
||||
|
||||
private class PrimitiveSanitizer extends UnsafeUrlForwardSanitizer {
|
||||
PrimitiveSanitizer() {
|
||||
this.getType() instanceof PrimitiveType or
|
||||
this.getType() instanceof BoxedType or
|
||||
this.getType() instanceof NumberType
|
||||
}
|
||||
private class PrimitiveSanitizer extends UnsafeUrlForwardSanitizer instanceof SimpleScalarSanitizer {
|
||||
}
|
||||
|
||||
private class SanitizingPrefix extends InterestingPrefix {
|
||||
|
||||
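Review bot: `PrimitiveSanitizer` has no QLDoc, and its name no longer describes what it matches, because the set of types is now whatever `SimpleScalarSanitizer` defines. The removed body already went beyond primitives with `BoxedType` and `NumberType`, so the name was loose before this change too. I would add a comment above the class such as `/** A node whose type is a simple scalar, assumed unable to carry a forward URL or path. */`. Renaming the private class is optional and should not affect callers outside this library.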