Merge pull request #17424 from RasmusWL/active-threat-model-source
Go/Java/C#: Rename `ThreatModelFlowSource` to `ActiveThreatModelSource`
@@ -42,11 +42,18 @@ abstract class SourceNode extends DataFlow::Node {
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ActiveThreatModelSource` instead.
|
||||
*
|
||||
* A class of data flow sources that respects the
|
||||
* current threat model configuration.
|
||||
*/
|
||||
class ThreatModelFlowSource extends DataFlow::Node {
|
||||
ThreatModelFlowSource() {
|
||||
deprecated class ThreatModelFlowSource = ActiveThreatModelSource;
|
||||
|
||||
/**
|
||||
* A data flow source that is enabled in the current threat model configuration.
|
||||
*/
|
||||
class ActiveThreatModelSource extends DataFlow::Node {
|
||||
ActiveThreatModelSource() {
|
||||
exists(string kind |
|
||||
// Specific threat model.
|
||||
currentThreatModel(kind) and
|
||||
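Review bot: The doc comment on the new `ActiveThreatModelSource` class does not spell out that membership depends on the threat-model configuration of the analysis run, so a reader of an `isSource` predicate built on it cannot tell that sources of a kind outside the enabled threat models are left out without any diagnostic. I would add a line to that comment such as `* Sources whose kind is not covered by an enabled threat model are not members of this class.` The comment above the `deprecated class ThreatModelFlowSource = ActiveThreatModelSource;` alias could also say that the alias exists only so existing queries keep compiling. The characteristic predicate continues past the end of the hunk, so how `kind` is matched against the node is not visible here and the wording should be checked against the full body.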
@@ -195,7 +202,7 @@ abstract class LocalUserInput extends UserInput {
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use the threat models feature.
|
||||
* That is, use `ThreatModelFlowSource` as the class of nodes for sources
|
||||
* That is, use `ActiveThreatModelSource` as the class of nodes for sources
|
||||
* and set up the threat model configuration to filter source nodes.
|
||||
* Alternatively, use `getThreatModel` to filter nodes to create the
|
||||
* class of nodes you need.
|
||||
@@ -266,7 +273,7 @@ private class FileInput extends LocalUserInput {
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use the threat models feature.
|
||||
* That is, use `ThreatModelFlowSource` as the class of nodes for sources
|
||||
* That is, use `ActiveThreatModelSource` as the class of nodes for sources
|
||||
* and set up the threat model configuration to filter source nodes.
|
||||
* Alternatively, use `getThreatModel` to filter nodes to create the
|
||||
* class of nodes you need.
|
||||
|
||||
@@ -640,7 +640,7 @@ private MethodCall callReturningSameType(Expr ref) {
|
||||
}
|
||||
|
||||
private SrcRefType entrypointType() {
|
||||
exists(ThreatModelFlowSource s, RefType t |
|
||||
exists(ActiveThreatModelSource s, RefType t |
|
||||
s instanceof DataFlow::ExplicitParameterNode and
|
||||
t = pragma[only_bind_out](s).getType() and
|
||||
not t instanceof TypeObject and
|
||||
|
||||
@@ -9,7 +9,7 @@ import semmle.code.java.security.AndroidIntentRedirection
|
||||
|
||||
/** A taint tracking configuration for tainted Intents being used to start Android components. */
|
||||
module IntentRedirectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink }
|
||||
|
||||
@@ -38,7 +38,7 @@ private class OriginalIntentSanitizer extends IntentRedirectionSanitizer {
|
||||
* flowing directly to sinks that start Android components.
|
||||
*/
|
||||
private module SameIntentBeingRelaunchedConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink }
|
||||
|
||||
@@ -74,7 +74,7 @@ private class IntentWithTaintedComponent extends DataFlow::Node {
|
||||
* A taint tracking configuration for tainted data flowing to an `Intent`'s component.
|
||||
*/
|
||||
private module TaintedIntentComponentConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
any(IntentSetComponent setComponent).getSink() = sink.asExpr()
|
||||
|
||||
@@ -75,7 +75,7 @@ class ExternalApkSource extends ApiSourceNode {
|
||||
sourceNode(this, "android-external-storage-dir") or
|
||||
this.asExpr().(MethodCall).getMethod() instanceof UriConstructorMethod or
|
||||
this.asExpr().(StringLiteral).getValue().matches("file://%") or
|
||||
this instanceof ThreatModelFlowSource
|
||||
this instanceof ActiveThreatModelSource
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -6,7 +6,7 @@ private import semmle.code.java.security.ArithmeticCommon
|
||||
|
||||
/** A taint-tracking configuration to reason about overflow from unvalidated input. */
|
||||
module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }
|
||||
|
||||
@@ -22,7 +22,7 @@ deprecated module RemoteUserInputOverflowConfig = ArithmeticOverflowConfig;
|
||||
|
||||
/** A taint-tracking configuration to reason about underflow from unvalidated input. */
|
||||
module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
|
||||
|
||||
|
||||
@@ -49,7 +49,7 @@ private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer
|
||||
* A taint-tracking configuration for unvalidated user input that is used to run an external process.
|
||||
*/
|
||||
module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
|
||||
|
||||
|
||||
@@ -40,7 +40,7 @@ private predicate endsWithStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
* A taint tracking configuration for untrusted data flowing to sensitive conditions.
|
||||
*/
|
||||
module ConditionalBypassFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { conditionControlsMethod(_, sink.asExpr()) }
|
||||
|
||||
|
||||
@@ -93,10 +93,10 @@ class ExternalApiDataNode extends DataFlow::Node {
|
||||
}
|
||||
|
||||
/**
|
||||
* Taint tracking configuration for flow from `ThreatModelFlowSource`s to `ExternalApiDataNode`s.
|
||||
* Taint tracking configuration for flow from `ActiveThreatModelSource`s to `ExternalApiDataNode`s.
|
||||
*/
|
||||
module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
|
||||
}
|
||||
|
||||
@@ -16,7 +16,7 @@ private class StringFormatSink extends ApiSinkNode {
|
||||
* A taint-tracking configuration for externally controlled format string vulnerabilities.
|
||||
*/
|
||||
module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof StringFormatSink }
|
||||
|
||||
|
||||
@@ -10,7 +10,7 @@ import semmle.code.java.security.FragmentInjection
|
||||
* that is used to create Android fragments dynamically.
|
||||
*/
|
||||
module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof FragmentInjectionSink }
|
||||
|
||||
|
||||
@@ -10,7 +10,7 @@ import semmle.code.java.security.GroovyInjection
|
||||
* that is used to evaluate a Groovy expression.
|
||||
*/
|
||||
module GroovyInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof GroovyInjectionSink }
|
||||
|
||||
|
||||
@@ -9,7 +9,7 @@ private import semmle.code.java.dataflow.FlowSources
|
||||
* user-provided size used for array construction.
|
||||
*/
|
||||
module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
|
||||
|
||||
@@ -9,7 +9,7 @@ private import semmle.code.java.dataflow.FlowSources
|
||||
* of user-provided array index.
|
||||
*/
|
||||
module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
any(CheckableArrayAccess caa).canThrowOutOfBounds(sink.asExpr())
|
||||
|
||||
@@ -46,7 +46,7 @@ class SetMessageInterpolatorCall extends MethodCall {
|
||||
* to the argument of a method that builds constraint error messages.
|
||||
*/
|
||||
module BeanValidationConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ private import IntentUriPermissionManipulation
|
||||
* A taint tracking configuration for user-provided Intents being returned to third party apps.
|
||||
*/
|
||||
module IntentUriPermissionManipulationConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof IntentUriPermissionManipulationSink }
|
||||
|
||||
|
||||
@@ -44,7 +44,7 @@ private class DefaultJexlInjectionAdditionalTaintStep extends JexlInjectionAddit
|
||||
* It supports both JEXL 2 and 3.
|
||||
*/
|
||||
module JexlInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
|
||||
|
||||
|
||||
@@ -11,7 +11,7 @@ private import semmle.code.java.security.Sanitizers
|
||||
* A taint-tracking configuration for unvalidated user input that is used in JNDI lookup.
|
||||
*/
|
||||
module JndiInjectionFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink }
|
||||
|
||||
|
||||
@@ -8,7 +8,7 @@ import semmle.code.java.security.LdapInjection
|
||||
* A taint-tracking configuration for unvalidated user input that is used to construct LDAP queries.
|
||||
*/
|
||||
module LdapInjectionFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof LdapInjectionSink }
|
||||
|
||||
|
||||
@@ -8,7 +8,7 @@ import semmle.code.java.security.LogInjection
|
||||
* A taint-tracking configuration for tracking untrusted user input used in log entries.
|
||||
*/
|
||||
module LogInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof LogInjectionSink }
|
||||
|
||||
|
||||
@@ -10,7 +10,7 @@ import semmle.code.java.security.MvelInjection
|
||||
* that is used to construct and evaluate a MVEL expression.
|
||||
*/
|
||||
module MvelInjectionFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof MvelEvaluationSink }
|
||||
|
||||
|
||||
@@ -85,7 +85,7 @@ private predicate smallExpr(Expr e) {
|
||||
* numeric cast.
|
||||
*/
|
||||
module NumericCastFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
sink.asExpr() = any(NumericNarrowingCastExpr cast).getExpr() and
|
||||
|
||||
@@ -9,7 +9,7 @@ private import semmle.code.java.security.Sanitizers
|
||||
* A taint-tracking configuration for unvalidated user input that is used in OGNL EL evaluation.
|
||||
*/
|
||||
module OgnlInjectionFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink }
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ import semmle.code.java.dataflow.FlowSources
|
||||
* and remains vulnerable to Partial Path Traversal.
|
||||
*/
|
||||
module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node node) { node instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node node) { node instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node node) {
|
||||
any(PartialPathTraversalMethodCall ma).getQualifier() = node.asExpr()
|
||||
|
||||
@@ -12,7 +12,7 @@ import semmle.code.java.security.RequestForgery
|
||||
*/
|
||||
module RequestForgeryConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source instanceof ThreatModelFlowSource and
|
||||
source instanceof ActiveThreatModelSource and
|
||||
// Exclude results of remote HTTP requests: fetching something else based on that result
|
||||
// is no worse than following a redirect returned by the remote server, and typically
|
||||
// we're requesting a resource via https which we trust to only send us to safe URLs.
|
||||
|
||||
@@ -10,7 +10,7 @@ import semmle.code.java.security.ResponseSplitting
|
||||
*/
|
||||
module ResponseSplittingConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source instanceof ThreatModelFlowSource and
|
||||
source instanceof ActiveThreatModelSource and
|
||||
not source instanceof SafeHeaderSplittingSource
|
||||
}
|
||||
|
||||
|
||||
@@ -19,7 +19,7 @@ private class ResultReceiverSendCall extends MethodCall {
|
||||
}
|
||||
|
||||
private module UntrustedResultReceiverConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node node) { node instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node node) { node instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node node) {
|
||||
node.asExpr() = any(ResultReceiverSendCall c).getReceiver()
|
||||
|
||||
@@ -11,7 +11,7 @@ private import semmle.code.java.security.SpelInjection
|
||||
* that is used to construct and evaluate a SpEL expression.
|
||||
*/
|
||||
module SpelInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof SpelExpressionEvaluationSink }
|
||||
|
||||
|
||||
@@ -15,7 +15,7 @@ import semmle.code.java.security.QueryInjection
|
||||
* A taint-tracking configuration for unvalidated user input that is used in SQL queries.
|
||||
*/
|
||||
module QueryInjectionFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
|
||||
|
||||
|
||||
@@ -26,7 +26,7 @@ abstract class ExecTaintedEnvironmentSanitizer extends DataFlow::Node { }
|
||||
* A taint-tracking configuration that tracks flow from unvalidated data to an environment variable for a subprocess.
|
||||
*/
|
||||
module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isBarrier(DataFlow::Node barrier) { barrier instanceof ExecTaintedEnvironmentSanitizer }
|
||||
|
||||
|
||||
@@ -60,7 +60,7 @@ private class TaintPreservingUriCtorParam extends Parameter {
|
||||
* A taint-tracking configuration for tracking flow from remote sources to the creation of a path.
|
||||
*/
|
||||
module TaintedPathConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof TaintedPathSink }
|
||||
|
||||
|
||||
@@ -54,7 +54,7 @@ private class WildCardPermissionConstruction extends ClassInstanceExpr, Permissi
|
||||
* A configuration for tracking flow from user input to a permissions check.
|
||||
*/
|
||||
module TaintedPermissionsCheckFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
sink.asExpr() = any(PermissionsConstruction p).getInput()
|
||||
|
||||
@@ -83,7 +83,7 @@ abstract deprecated class TemplateInjectionSanitizerWithState extends DataFlow::
|
||||
abstract deprecated predicate hasState(DataFlow::FlowState state);
|
||||
}
|
||||
|
||||
private class DefaultTemplateInjectionSource extends TemplateInjectionSource instanceof ThreatModelFlowSource
|
||||
private class DefaultTemplateInjectionSource extends TemplateInjectionSource instanceof ActiveThreatModelSource
|
||||
{ }
|
||||
|
||||
private class DefaultTemplateInjectionSink extends TemplateInjectionSink {
|
||||
|
||||
@@ -13,7 +13,7 @@ private import semmle.code.java.security.Sanitizers
|
||||
*/
|
||||
abstract class TrustBoundaryViolationSource extends DataFlow::Node { }
|
||||
|
||||
private class ThreatModelSource extends TrustBoundaryViolationSource instanceof ThreatModelFlowSource
|
||||
private class ThreatModelSource extends TrustBoundaryViolationSource instanceof ActiveThreatModelSource
|
||||
{ }
|
||||
|
||||
/**
|
||||
|
||||
@@ -10,7 +10,7 @@ import semmle.code.java.security.UnsafeAndroidAccess
|
||||
* A taint configuration tracking flow from untrusted inputs to a resource fetching call.
|
||||
*/
|
||||
module FetchUntrustedResourceConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UrlResourceSink }
|
||||
|
||||
|
||||
@@ -9,7 +9,7 @@ import semmle.code.java.security.UnsafeContentUriResolution
|
||||
* A taint-tracking configuration to find paths from remote sources to content URI resolutions.
|
||||
*/
|
||||
module UnsafeContentResolutionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof ContentUriResolutionSink }
|
||||
|
||||
|
||||
@@ -316,7 +316,7 @@ private predicate isUnsafeDeserializationTaintStep(DataFlow::Node pred, DataFlow
|
||||
|
||||
/** Tracks flows from remote user input to a deserialization sink. */
|
||||
private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink }
|
||||
|
||||
@@ -418,7 +418,7 @@ private predicate isUnsafeTypeAdditionalTaintStep(DataFlow::Node fromNode, DataF
|
||||
* If this is user-controlled, arbitrary code could be executed while instantiating the user-specified type.
|
||||
*/
|
||||
module UnsafeTypeConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeTypeSink }
|
||||
|
||||
|
||||
@@ -178,7 +178,7 @@ private class FullyDecodesUrlBarrier extends DataFlow::Node {
|
||||
*/
|
||||
module UrlForwardFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source instanceof ThreatModelFlowSource and
|
||||
source instanceof ActiveThreatModelSource and
|
||||
// excluded due to FPs
|
||||
not exists(MethodCall mc, Method m |
|
||||
m instanceof HttpServletRequestGetRequestUriMethod or
|
||||
|
||||
@@ -8,7 +8,7 @@ private import semmle.code.java.security.UrlRedirect
|
||||
* A taint-tracking configuration for reasoning about URL redirections.
|
||||
*/
|
||||
module UrlRedirectConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink }
|
||||
|
||||
|
||||
@@ -9,7 +9,7 @@ private import semmle.code.java.security.XPath
|
||||
* A taint-tracking configuration for reasoning about XPath injection vulnerabilities.
|
||||
*/
|
||||
module XPathInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
|
||||
|
||||
|
||||
@@ -11,7 +11,7 @@ private import semmle.code.java.security.Sanitizers
|
||||
* A taint-tracking configuration for unvalidated user input that is used in XSLT transformation.
|
||||
*/
|
||||
module XsltInjectionFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof XsltInjectionSink }
|
||||
|
||||
|
||||
@@ -9,7 +9,7 @@ import semmle.code.java.security.XSS
|
||||
* A taint-tracking configuration for cross site scripting vulnerabilities.
|
||||
*/
|
||||
module XssConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
|
||||
|
||||
|
||||
@@ -9,7 +9,7 @@ private import semmle.code.java.security.XxeQuery
|
||||
* A taint-tracking configuration for unvalidated remote user input that is used in XML external entity expansion.
|
||||
*/
|
||||
module XxeConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof XxeSink }
|
||||
|
||||
|
||||
@@ -35,7 +35,7 @@ private class LengthRestrictedMethod extends Method {
|
||||
|
||||
/** A configuration for Polynomial ReDoS queries. */
|
||||
module PolynomialRedosConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(SuperlinearBackTracking::PolynomialBackTrackingTerm regexp |
|
||||
|
||||
@@ -9,7 +9,7 @@ import semmle.code.java.security.regexp.RegexInjection
|
||||
* A taint-tracking configuration for untrusted user input used to construct regular expressions.
|
||||
*/
|
||||
module RegexInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink }
|
||||
|
||||
|
||||