mirror of
https://github.com/github/codeql.git
synced 2026-04-24 00:05:14 +02:00
Merge pull request #17424 from RasmusWL/active-threat-model-source
Go/Java/C#: Rename `ThreatModelFlowSource` to `ActiveThreatModelSource`
This commit is contained in:
Rasmus Wriedt Larsen
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: deprecated
|
||||
---
|
||||
* The class `ThreatModelFlowSource` has been renamed to `ActiveThreatModelSource` to more clearly reflect it only contains the currently active threat model sources. `ThreatModelFlowSource` has been marked as deprecated.
|
||||
@@ -42,11 +42,18 @@ abstract class SourceNode extends DataFlow::Node {
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ActiveThreatModelSource` instead.
|
||||
*
|
||||
* A class of data flow sources that respects the
|
||||
* current threat model configuration.
|
||||
*/
|
||||
class ThreatModelFlowSource extends DataFlow::Node {
|
||||
ThreatModelFlowSource() {
|
||||
deprecated class ThreatModelFlowSource = ActiveThreatModelSource;
|
||||
|
||||
/**
|
||||
* A data flow source that is enabled in the current threat model configuration.
|
||||
*/
|
||||
class ActiveThreatModelSource extends DataFlow::Node {
|
||||
ActiveThreatModelSource() {
|
||||
exists(string kind |
|
||||
// Specific threat model.
|
||||
currentThreatModel(kind) and
|
||||
@@ -195,7 +202,7 @@ abstract class LocalUserInput extends UserInput {
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use the threat models feature.
|
||||
* That is, use `ThreatModelFlowSource` as the class of nodes for sources
|
||||
* That is, use `ActiveThreatModelSource` as the class of nodes for sources
|
||||
* and set up the threat model configuration to filter source nodes.
|
||||
* Alternatively, use `getThreatModel` to filter nodes to create the
|
||||
* class of nodes you need.
|
||||
@@ -266,7 +273,7 @@ private class FileInput extends LocalUserInput {
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use the threat models feature.
|
||||
* That is, use `ThreatModelFlowSource` as the class of nodes for sources
|
||||
* That is, use `ActiveThreatModelSource` as the class of nodes for sources
|
||||
* and set up the threat model configuration to filter source nodes.
|
||||
* Alternatively, use `getThreatModel` to filter nodes to create the
|
||||
* class of nodes you need.
|
||||
|
||||
@@ -640,7 +640,7 @@ private MethodCall callReturningSameType(Expr ref) {
|
||||
}
|
||||
|
||||
private SrcRefType entrypointType() {
|
||||
exists(ThreatModelFlowSource s, RefType t |
|
||||
exists(ActiveThreatModelSource s, RefType t |
|
||||
s instanceof DataFlow::ExplicitParameterNode and
|
||||
t = pragma[only_bind_out](s).getType() and
|
||||
not t instanceof TypeObject and
|
||||
|
||||
@@ -9,7 +9,7 @@ import semmle.code.java.security.AndroidIntentRedirection
|
||||
|
||||
/** A taint tracking configuration for tainted Intents being used to start Android components. */
|
||||
module IntentRedirectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink }
|
||||
|
||||
@@ -38,7 +38,7 @@ private class OriginalIntentSanitizer extends IntentRedirectionSanitizer {
|
||||
* flowing directly to sinks that start Android components.
|
||||
*/
|
||||
private module SameIntentBeingRelaunchedConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink }
|
||||
|
||||
@@ -74,7 +74,7 @@ private class IntentWithTaintedComponent extends DataFlow::Node {
|
||||
* A taint tracking configuration for tainted data flowing to an `Intent`'s component.
|
||||
*/
|
||||
private module TaintedIntentComponentConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
any(IntentSetComponent setComponent).getSink() = sink.asExpr()
|
||||
|
||||
@@ -75,7 +75,7 @@ class ExternalApkSource extends ApiSourceNode {
|
||||
sourceNode(this, "android-external-storage-dir") or
|
||||
this.asExpr().(MethodCall).getMethod() instanceof UriConstructorMethod or
|
||||
this.asExpr().(StringLiteral).getValue().matches("file://%") or
|
||||
this instanceof ThreatModelFlowSource
|
||||
this instanceof ActiveThreatModelSource
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -6,7 +6,7 @@ private import semmle.code.java.security.ArithmeticCommon
|
||||
|
||||
/** A taint-tracking configuration to reason about overflow from unvalidated input. */
|
||||
module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }
|
||||
|
||||
@@ -22,7 +22,7 @@ deprecated module RemoteUserInputOverflowConfig = ArithmeticOverflowConfig;
|
||||
|
||||
/** A taint-tracking configuration to reason about underflow from unvalidated input. */
|
||||
module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
|
||||
|
||||
|
||||
@@ -49,7 +49,7 @@ private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer
|
||||
* A taint-tracking configuration for unvalidated user input that is used to run an external process.
|
||||
*/
|
||||
module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
|
||||
|
||||
|
||||
@@ -40,7 +40,7 @@ private predicate endsWithStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
* A taint tracking configuration for untrusted data flowing to sensitive conditions.
|
||||
*/
|
||||
module ConditionalBypassFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { conditionControlsMethod(_, sink.asExpr()) }
|
||||
|
||||
|
||||
@@ -93,10 +93,10 @@ class ExternalApiDataNode extends DataFlow::Node {
|
||||
}
|
||||
|
||||
/**
|
||||
* Taint tracking configuration for flow from `ThreatModelFlowSource`s to `ExternalApiDataNode`s.
|
||||
* Taint tracking configuration for flow from `ActiveThreatModelSource`s to `ExternalApiDataNode`s.
|
||||
*/
|
||||
module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
|
||||
}
|
||||
|
||||
@@ -16,7 +16,7 @@ private class StringFormatSink extends ApiSinkNode {
|
||||
* A taint-tracking configuration for externally controlled format string vulnerabilities.
|
||||
*/
|
||||
module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof StringFormatSink }
|
||||
|
||||
|
||||
@@ -10,7 +10,7 @@ import semmle.code.java.security.FragmentInjection
|
||||
* that is used to create Android fragments dynamically.
|
||||
*/
|
||||
module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof FragmentInjectionSink }
|
||||
|
||||
|
||||
@@ -10,7 +10,7 @@ import semmle.code.java.security.GroovyInjection
|
||||
* that is used to evaluate a Groovy expression.
|
||||
*/
|
||||
module GroovyInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof GroovyInjectionSink }
|
||||
|
||||
|
||||
@@ -9,7 +9,7 @@ private import semmle.code.java.dataflow.FlowSources
|
||||
* user-provided size used for array construction.
|
||||
*/
|
||||
module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
|
||||
|
||||
@@ -9,7 +9,7 @@ private import semmle.code.java.dataflow.FlowSources
|
||||
* of user-provided array index.
|
||||
*/
|
||||
module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
any(CheckableArrayAccess caa).canThrowOutOfBounds(sink.asExpr())
|
||||
|
||||
@@ -46,7 +46,7 @@ class SetMessageInterpolatorCall extends MethodCall {
|
||||
* to the argument of a method that builds constraint error messages.
|
||||
*/
|
||||
module BeanValidationConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ private import IntentUriPermissionManipulation
|
||||
* A taint tracking configuration for user-provided Intents being returned to third party apps.
|
||||
*/
|
||||
module IntentUriPermissionManipulationConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof IntentUriPermissionManipulationSink }
|
||||
|
||||
|
||||
@@ -44,7 +44,7 @@ private class DefaultJexlInjectionAdditionalTaintStep extends JexlInjectionAddit
|
||||
* It supports both JEXL 2 and 3.
|
||||
*/
|
||||
module JexlInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
|
||||
|
||||
|
||||
@@ -11,7 +11,7 @@ private import semmle.code.java.security.Sanitizers
|
||||
* A taint-tracking configuration for unvalidated user input that is used in JNDI lookup.
|
||||
*/
|
||||
module JndiInjectionFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink }
|
||||
|
||||
|
||||
@@ -8,7 +8,7 @@ import semmle.code.java.security.LdapInjection
|
||||
* A taint-tracking configuration for unvalidated user input that is used to construct LDAP queries.
|
||||
*/
|
||||
module LdapInjectionFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof LdapInjectionSink }
|
||||
|
||||
|
||||
@@ -8,7 +8,7 @@ import semmle.code.java.security.LogInjection
|
||||
* A taint-tracking configuration for tracking untrusted user input used in log entries.
|
||||
*/
|
||||
module LogInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof LogInjectionSink }
|
||||
|
||||
|
||||
@@ -10,7 +10,7 @@ import semmle.code.java.security.MvelInjection
|
||||
* that is used to construct and evaluate a MVEL expression.
|
||||
*/
|
||||
module MvelInjectionFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof MvelEvaluationSink }
|
||||
|
||||
|
||||
@@ -85,7 +85,7 @@ private predicate smallExpr(Expr e) {
|
||||
* numeric cast.
|
||||
*/
|
||||
module NumericCastFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
sink.asExpr() = any(NumericNarrowingCastExpr cast).getExpr() and
|
||||
|
||||
@@ -9,7 +9,7 @@ private import semmle.code.java.security.Sanitizers
|
||||
* A taint-tracking configuration for unvalidated user input that is used in OGNL EL evaluation.
|
||||
*/
|
||||
module OgnlInjectionFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink }
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ import semmle.code.java.dataflow.FlowSources
|
||||
* and remains vulnerable to Partial Path Traversal.
|
||||
*/
|
||||
module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node node) { node instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node node) { node instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node node) {
|
||||
any(PartialPathTraversalMethodCall ma).getQualifier() = node.asExpr()
|
||||
|
||||
@@ -12,7 +12,7 @@ import semmle.code.java.security.RequestForgery
|
||||
*/
|
||||
module RequestForgeryConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source instanceof ThreatModelFlowSource and
|
||||
source instanceof ActiveThreatModelSource and
|
||||
// Exclude results of remote HTTP requests: fetching something else based on that result
|
||||
// is no worse than following a redirect returned by the remote server, and typically
|
||||
// we're requesting a resource via https which we trust to only send us to safe URLs.
|
||||
|
||||
@@ -10,7 +10,7 @@ import semmle.code.java.security.ResponseSplitting
|
||||
*/
|
||||
module ResponseSplittingConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source instanceof ThreatModelFlowSource and
|
||||
source instanceof ActiveThreatModelSource and
|
||||
not source instanceof SafeHeaderSplittingSource
|
||||
}
|
||||
|
||||
|
||||
@@ -19,7 +19,7 @@ private class ResultReceiverSendCall extends MethodCall {
|
||||
}
|
||||
|
||||
private module UntrustedResultReceiverConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node node) { node instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node node) { node instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node node) {
|
||||
node.asExpr() = any(ResultReceiverSendCall c).getReceiver()
|
||||
|
||||
@@ -11,7 +11,7 @@ private import semmle.code.java.security.SpelInjection
|
||||
* that is used to construct and evaluate a SpEL expression.
|
||||
*/
|
||||
module SpelInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof SpelExpressionEvaluationSink }
|
||||
|
||||
|
||||
@@ -15,7 +15,7 @@ import semmle.code.java.security.QueryInjection
|
||||
* A taint-tracking configuration for unvalidated user input that is used in SQL queries.
|
||||
*/
|
||||
module QueryInjectionFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
|
||||
|
||||
|
||||
@@ -26,7 +26,7 @@ abstract class ExecTaintedEnvironmentSanitizer extends DataFlow::Node { }
|
||||
* A taint-tracking configuration that tracks flow from unvalidated data to an environment variable for a subprocess.
|
||||
*/
|
||||
module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isBarrier(DataFlow::Node barrier) { barrier instanceof ExecTaintedEnvironmentSanitizer }
|
||||
|
||||
|
||||
@@ -60,7 +60,7 @@ private class TaintPreservingUriCtorParam extends Parameter {
|
||||
* A taint-tracking configuration for tracking flow from remote sources to the creation of a path.
|
||||
*/
|
||||
module TaintedPathConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof TaintedPathSink }
|
||||
|
||||
|
||||
@@ -54,7 +54,7 @@ private class WildCardPermissionConstruction extends ClassInstanceExpr, Permissi
|
||||
* A configuration for tracking flow from user input to a permissions check.
|
||||
*/
|
||||
module TaintedPermissionsCheckFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
sink.asExpr() = any(PermissionsConstruction p).getInput()
|
||||
|
||||
@@ -83,7 +83,7 @@ abstract deprecated class TemplateInjectionSanitizerWithState extends DataFlow::
|
||||
abstract deprecated predicate hasState(DataFlow::FlowState state);
|
||||
}
|
||||
|
||||
private class DefaultTemplateInjectionSource extends TemplateInjectionSource instanceof ThreatModelFlowSource
|
||||
private class DefaultTemplateInjectionSource extends TemplateInjectionSource instanceof ActiveThreatModelSource
|
||||
{ }
|
||||
|
||||
private class DefaultTemplateInjectionSink extends TemplateInjectionSink {
|
||||
|
||||
@@ -13,7 +13,7 @@ private import semmle.code.java.security.Sanitizers
|
||||
*/
|
||||
abstract class TrustBoundaryViolationSource extends DataFlow::Node { }
|
||||
|
||||
private class ThreatModelSource extends TrustBoundaryViolationSource instanceof ThreatModelFlowSource
|
||||
private class ThreatModelSource extends TrustBoundaryViolationSource instanceof ActiveThreatModelSource
|
||||
{ }
|
||||
|
||||
/**
|
||||
|
||||
@@ -10,7 +10,7 @@ import semmle.code.java.security.UnsafeAndroidAccess
|
||||
* A taint configuration tracking flow from untrusted inputs to a resource fetching call.
|
||||
*/
|
||||
module FetchUntrustedResourceConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UrlResourceSink }
|
||||
|
||||
|
||||
@@ -9,7 +9,7 @@ import semmle.code.java.security.UnsafeContentUriResolution
|
||||
* A taint-tracking configuration to find paths from remote sources to content URI resolutions.
|
||||
*/
|
||||
module UnsafeContentResolutionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof ContentUriResolutionSink }
|
||||
|
||||
|
||||
@@ -316,7 +316,7 @@ private predicate isUnsafeDeserializationTaintStep(DataFlow::Node pred, DataFlow
|
||||
|
||||
/** Tracks flows from remote user input to a deserialization sink. */
|
||||
private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink }
|
||||
|
||||
@@ -418,7 +418,7 @@ private predicate isUnsafeTypeAdditionalTaintStep(DataFlow::Node fromNode, DataF
|
||||
* If this is user-controlled, arbitrary code could be executed while instantiating the user-specified type.
|
||||
*/
|
||||
module UnsafeTypeConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeTypeSink }
|
||||
|
||||
|
||||
@@ -178,7 +178,7 @@ private class FullyDecodesUrlBarrier extends DataFlow::Node {
|
||||
*/
|
||||
module UrlForwardFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source instanceof ThreatModelFlowSource and
|
||||
source instanceof ActiveThreatModelSource and
|
||||
// excluded due to FPs
|
||||
not exists(MethodCall mc, Method m |
|
||||
m instanceof HttpServletRequestGetRequestUriMethod or
|
||||
|
||||
@@ -8,7 +8,7 @@ private import semmle.code.java.security.UrlRedirect
|
||||
* A taint-tracking configuration for reasoning about URL redirections.
|
||||
*/
|
||||
module UrlRedirectConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink }
|
||||
|
||||
|
||||
@@ -9,7 +9,7 @@ private import semmle.code.java.security.XPath
|
||||
* A taint-tracking configuration for reasoning about XPath injection vulnerabilities.
|
||||
*/
|
||||
module XPathInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
|
||||
|
||||
|
||||
@@ -11,7 +11,7 @@ private import semmle.code.java.security.Sanitizers
|
||||
* A taint-tracking configuration for unvalidated user input that is used in XSLT transformation.
|
||||
*/
|
||||
module XsltInjectionFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof XsltInjectionSink }
|
||||
|
||||
|
||||
@@ -9,7 +9,7 @@ import semmle.code.java.security.XSS
|
||||
* A taint-tracking configuration for cross site scripting vulnerabilities.
|
||||
*/
|
||||
module XssConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
|
||||
|
||||
|
||||
@@ -9,7 +9,7 @@ private import semmle.code.java.security.XxeQuery
|
||||
* A taint-tracking configuration for unvalidated remote user input that is used in XML external entity expansion.
|
||||
*/
|
||||
module XxeConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof XxeSink }
|
||||
|
||||
|
||||
@@ -35,7 +35,7 @@ private class LengthRestrictedMethod extends Method {
|
||||
|
||||
/** A configuration for Polynomial ReDoS queries. */
|
||||
module PolynomialRedosConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(SuperlinearBackTracking::PolynomialBackTrackingTerm regexp |
|
||||
|
||||
@@ -9,7 +9,7 @@ import semmle.code.java.security.regexp.RegexInjection
|
||||
* A taint-tracking configuration for untrusted user input used to construct regular expressions.
|
||||
*/
|
||||
module RegexInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink }
|
||||
|
||||
|
||||
@@ -40,7 +40,7 @@ class Log4jInjectionSanitizer extends DataFlow::Node instanceof SimpleTypeSaniti
|
||||
* A taint-tracking configuration for tracking untrusted user input used in log entries.
|
||||
*/
|
||||
module Log4jInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Log4jInjectionSink }
|
||||
|
||||
|
||||
@@ -33,7 +33,7 @@ class UrlConstructor extends ClassInstanceExpr {
|
||||
}
|
||||
|
||||
module RemoteUrlToOpenStreamFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodCall m |
|
||||
|
||||
@@ -50,7 +50,7 @@ class NormalizedPathNode extends DataFlow::Node {
|
||||
}
|
||||
|
||||
module InjectFilePathConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
sink instanceof TaintedPathSink and
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
import CommandInjectionRuntimeExec
|
||||
import ExecUserFlow::PathGraph
|
||||
|
||||
class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }
|
||||
class ThreatModelSource extends Source instanceof ActiveThreatModelSource { }
|
||||
|
||||
from
|
||||
ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd,
|
||||
|
||||
@@ -21,7 +21,7 @@ private import semmle.code.java.security.Sanitizers
|
||||
import MyBatisAnnotationSqlInjectionFlow::PathGraph
|
||||
|
||||
private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisAnnotatedMethodCallArgument }
|
||||
|
||||
|
||||
@@ -21,7 +21,7 @@ private import semmle.code.java.security.Sanitizers
|
||||
import MyBatisMapperXmlSqlInjectionFlow::PathGraph
|
||||
|
||||
private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisMapperMethodCallAnArgument }
|
||||
|
||||
|
||||
@@ -18,7 +18,7 @@ import semmle.code.java.dataflow.TaintTracking
|
||||
import BeanShellInjectionFlow::PathGraph
|
||||
|
||||
module BeanShellInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof BeanShellInjectionSink }
|
||||
|
||||
|
||||
@@ -18,7 +18,7 @@ import semmle.code.java.dataflow.TaintTracking
|
||||
import JShellInjectionFlow::PathGraph
|
||||
|
||||
module JShellInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof JShellInjectionSink }
|
||||
|
||||
|
||||
@@ -8,7 +8,7 @@ import semmle.code.java.dataflow.TaintTracking
|
||||
* that is used to construct and evaluate an expression.
|
||||
*/
|
||||
module JakartaExpressionInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionEvaluationSink }
|
||||
|
||||
|
||||
@@ -99,17 +99,17 @@ class CodeInjectionSink extends DataFlow::ExprNode {
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint configuration for tracking flow from `ThreatModelFlowSource` to a Jython method call
|
||||
* A taint configuration for tracking flow from `ActiveThreatModelSource` to a Jython method call
|
||||
* `CodeInjectionSink` that executes injected code.
|
||||
*/
|
||||
module CodeInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
|
||||
}
|
||||
|
||||
/**
|
||||
* Taint tracking flow from `ThreatModelFlowSource` to a Jython method call
|
||||
* Taint tracking flow from `ActiveThreatModelSource` to a Jython method call
|
||||
* `CodeInjectionSink` that executes injected code.
|
||||
*/
|
||||
module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;
|
||||
|
||||
@@ -131,11 +131,11 @@ class ScriptInjectionSink extends DataFlow::ExprNode {
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint tracking configuration that tracks flow from `ThreatModelFlowSource` to an argument
|
||||
* A taint tracking configuration that tracks flow from `ActiveThreatModelSource` to an argument
|
||||
* of a method call that executes injected script.
|
||||
*/
|
||||
module ScriptInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof ScriptInjectionSink }
|
||||
}
|
||||
|
||||
@@ -42,7 +42,7 @@ class PortletRenderRequestMethod extends Method {
|
||||
*/
|
||||
module SpringViewManipulationConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source instanceof ThreatModelFlowSource or
|
||||
source instanceof ActiveThreatModelSource or
|
||||
source instanceof WebRequestSource or
|
||||
source.asExpr().(MethodCall).getMethod() instanceof PortletRenderRequestMethod
|
||||
}
|
||||
|
||||
@@ -19,7 +19,7 @@ import AndroidWebResourceResponse
|
||||
import InsecureWebResourceResponseFlow::PathGraph
|
||||
|
||||
module InsecureWebResourceResponseConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof WebResourceResponseSink }
|
||||
|
||||
|
||||
@@ -148,7 +148,7 @@ private predicate updateMessageDigestStep(DataFlow2::Node fromNode, DataFlow2::N
|
||||
* such as cipher, MAC or signature.
|
||||
*/
|
||||
private module UserInputInCryptoOperationConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(ProduceCryptoCall call | call.getQualifier() = sink.asExpr())
|
||||
@@ -214,7 +214,7 @@ private class NonConstantTimeComparisonCall extends StaticMethodCall {
|
||||
* that compare inputs using a non-constant-time algorithm.
|
||||
*/
|
||||
private module UserInputInComparisonConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(NonConstantTimeEqualsCall call |
|
||||
|
||||
@@ -63,7 +63,7 @@ module CorsSourceReachesCheckConfig implements DataFlow::ConfigSig {
|
||||
module CorsSourceReachesCheckFlow = TaintTracking::Global<CorsSourceReachesCheckConfig>;
|
||||
|
||||
private module CorsOriginConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodCall corsHeader, MethodCall allowCredentialsHeader |
|
||||
|
||||
@@ -22,7 +22,7 @@ import RequestResponseFlow::PathGraph
|
||||
/** Taint-tracking configuration tracing flow from get method request sources to output jsonp data. */
|
||||
module RequestResponseFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source instanceof ThreatModelFlowSource and
|
||||
source instanceof ActiveThreatModelSource and
|
||||
any(RequestGetMethod m).polyCalls*(source.getEnclosingCallable())
|
||||
}
|
||||
|
||||
|
||||
@@ -79,7 +79,7 @@ class JsonpBuilderExpr extends AddExpr {
|
||||
|
||||
/** A data flow configuration tracing flow from threat model sources to jsonp function name. */
|
||||
module ThreatModelFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(JsonpBuilderExpr jhe | jhe.getFunctionName() = sink.asExpr())
|
||||
|
||||
@@ -17,7 +17,7 @@ import ThreadResourceAbuseFlow::PathGraph
|
||||
|
||||
/** Taint configuration of uncontrolled thread resource consumption. */
|
||||
module ThreadResourceAbuseConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof PauseThreadSink }
|
||||
|
||||
|
||||
@@ -32,7 +32,7 @@ private predicate equalsSanitizer(Guard g, Expr e, boolean branch) {
|
||||
}
|
||||
|
||||
module UnsafeReflectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeReflectionSink }
|
||||
|
||||
|
||||
@@ -65,9 +65,9 @@ class UncaughtServletExceptionSink extends DataFlow::ExprNode {
|
||||
}
|
||||
}
|
||||
|
||||
/** Taint configuration of uncaught exceptions caused by user provided data from `ThreatModelFlowSource` */
|
||||
/** Taint configuration of uncaught exceptions caused by user provided data from `ActiveThreatModelSource` */
|
||||
module UncaughtServletExceptionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UncaughtServletExceptionSink }
|
||||
}
|
||||
|
||||
@@ -26,7 +26,7 @@ private predicate startsWithSanitizer(Guard g, Expr e, boolean branch) {
|
||||
}
|
||||
|
||||
module SpringUrlRedirectFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof SpringUrlRedirectSink }
|
||||
|
||||
|
||||
@@ -20,7 +20,7 @@ import XQueryInjectionFlow::PathGraph
|
||||
* A taint-tracking configuration tracing flow from remote sources, through an XQuery parser, to its eventual execution.
|
||||
*/
|
||||
module XQueryInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
sink.asExpr() = any(XQueryPreparedExecuteCall xpec).getPreparedExpression() or
|
||||
|
||||
@@ -24,7 +24,7 @@ import NfeLocalDoSFlow::PathGraph
|
||||
*/
|
||||
module NfeLocalDoSConfig implements DataFlow::ConfigSig {
|
||||
/** Holds if source is a remote flow source */
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
/** Holds if NFE is thrown but not caught */
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
|
||||
@@ -9,7 +9,7 @@ class TestRemoteFlowSource extends RemoteFlowSource {
|
||||
}
|
||||
|
||||
module TaintFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node n) { n instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node n) { n instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node n) {
|
||||
exists(MethodCall ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
||||
|
||||
@@ -5,7 +5,7 @@ private import semmle.code.java.dataflow.FlowSources
|
||||
private import semmle.code.java.dataflow.TaintTracking
|
||||
|
||||
private module ThreatModelConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }
|
||||
}
|
||||
|
||||
@@ -7,7 +7,7 @@ module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node node) {
|
||||
DefaultFlowConfig::isSource(node)
|
||||
or
|
||||
node instanceof ThreatModelFlowSource
|
||||
node instanceof ActiveThreatModelSource
|
||||
}
|
||||
|
||||
predicate isSink = DefaultFlowConfig::isSink/1;
|
||||
|
||||
@@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources
|
||||
import TestUtilities.InlineFlowTest
|
||||
|
||||
module ProviderTaintFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node n) { n instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node n) { n instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node n) { DefaultFlowConfig::isSink(n) }
|
||||
|
||||
|
||||
@@ -4,7 +4,7 @@ import semmle.code.java.dataflow.FlowSources
|
||||
import TestUtilities.InlineFlowTest
|
||||
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
sink.asExpr().(Argument).getCall().getCallee().hasName("sink")
|
||||
|
||||
@@ -5,7 +5,7 @@ import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
module SliceValueFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
DefaultFlowConfig::isSource(source) or source instanceof ThreatModelFlowSource
|
||||
DefaultFlowConfig::isSource(source) or source instanceof ActiveThreatModelSource
|
||||
}
|
||||
|
||||
predicate isSink = DefaultFlowConfig::isSink/1;
|
||||
|
||||
@@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources
|
||||
import TestUtilities.InlineFlowTest
|
||||
|
||||
module SourceValueFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { DefaultFlowConfig::isSink(sink) }
|
||||
|
||||
|
||||
@@ -9,7 +9,7 @@ module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node n) {
|
||||
n.asExpr().(MethodCall).getMethod().hasName("taint")
|
||||
or
|
||||
n instanceof ThreatModelFlowSource
|
||||
n instanceof ActiveThreatModelSource
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node n) {
|
||||
|
||||
@@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodCall ma |
|
||||
|
||||
@@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
|
||||
module TestConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodCall call |
|
||||
|
||||
@@ -7,7 +7,7 @@ module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node node) {
|
||||
DefaultFlowConfig::isSource(node)
|
||||
or
|
||||
node instanceof ThreatModelFlowSource
|
||||
node instanceof ActiveThreatModelSource
|
||||
}
|
||||
|
||||
predicate isSink = DefaultFlowConfig::isSink/1;
|
||||
|
||||
@@ -4,7 +4,7 @@ import semmle.code.java.dataflow.FlowSources
|
||||
import TestUtilities.InlineFlowTest
|
||||
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node node) { node instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node node) { node instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node node) {
|
||||
exists(MethodCall ma | ma.getMethod().hasName("sink") | node.asExpr() = ma.getAnArgument())
|
||||
|
||||
@@ -7,7 +7,7 @@ module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node n) {
|
||||
n.asExpr().(MethodCall).getMethod().hasName("taint")
|
||||
or
|
||||
n instanceof ThreatModelFlowSource
|
||||
n instanceof ActiveThreatModelSource
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node n) {
|
||||
|
||||
@@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources
|
||||
import TestUtilities.InlineFlowTest
|
||||
|
||||
module ValueFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
sink.asExpr().(Argument).getCall().getCallee().hasName("sink")
|
||||
|
||||
Reference in New Issue
Block a user