From 39a4513fccabc54f87ae6480040c3a1bc8cde6cf Mon Sep 17 00:00:00 2001
From: tiferet
Date: Tue, 3 Jan 2023 11:17:22 -0800
Subject: [PATCH] Delete the queries the Java team isn't currently interested in boosting
---
 .../NosqlInjectionATM.qll | 95 -------------------
 .../adaptivethreatmodeling/XssATM.qll | 57 -----------
 .../XssThroughDomATM.qll | 88 -----------------
 3 files changed, 240 deletions(-)
 delete mode 100644 java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/NosqlInjectionATM.qll
 delete mode 100644 java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssATM.qll
 delete mode 100644 java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssThroughDomATM.qll
diff --git a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/NosqlInjectionATM.qll b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/NosqlInjectionATM.qll
deleted file mode 100644
index 7ca71b75c7f..00000000000
--- a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/NosqlInjectionATM.qll
+++ /dev/null
@@ -1,95 +0,0 @@
-/**
- * For internal use only.
- *
- * A taint-tracking configuration for reasoning about NoSQL injection vulnerabilities.
- * Defines shared code used by the NoSQL injection boosted query.
- */
-
-import java
-import semmle.code.java.dataflow.TaintTracking
-private import semmle.javascript.heuristics.SyntacticHeuristics
-private import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
-import AdaptiveThreatModeling
-
-class NosqlInjectionAtmConfig extends AtmConfig {
- NosqlInjectionAtmConfig() { this = "NosqlInjectionAtmConfig" }
-
- override predicate isKnownSource(DataFlow::Node source) {
- source instanceof NosqlInjection::Source or TaintedObject::isSource(source, _)
- }
-
- override EndpointType getASinkEndpointType() { result instanceof NosqlInjectionSinkType }
-
- /*
- * This is largely a copy of the taint tracking configuration for the standard NoSQL injection
- * query, except additional ATM sinks have been added and the additional flow step has been
- * generalised to cover the sinks predicted by ATM.
- */
-
- override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
- TaintedObject::isSource(source, label)
- }
-
- override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
- sink.(NosqlInjection::Sink).getAFlowLabel() = label
- or
- // Allow effective sinks to have any taint label
- isEffectiveSink(sink)
- }
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof NosqlInjection::Sanitizer
- }
-
- override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
- guard instanceof TaintedObject::SanitizerGuard
- }
-
- override predicate isAdditionalFlowStep(
- DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
- ) {
- // additional flow steps from the base (non-boosted) security query
- isBaseAdditionalFlowStep(src, trg, inlbl, outlbl)
- or
- // relaxed version of previous step to track taint through unmodeled NoSQL query objects
- isEffectiveSink(trg) and
- src = getASubexpressionWithinQuery(trg)
- }
-
- /** Holds if src -> trg is an additional flow step in the non-boosted NoSql injection security query. */
- private predicate isBaseAdditionalFlowStep(
- DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
- ) {
- TaintedObject::step(src, trg, inlbl, outlbl)
- or
- // additional flow step to track taint through NoSQL query objects
- inlbl = TaintedObject::label() and
- outlbl = TaintedObject::label() and
- exists(NoSql::Query query, DataFlow::SourceNode queryObj |
- queryObj.flowsTo(query) and
- queryObj.flowsTo(trg) and
- src = queryObj.getAPropertyWrite().getRhs()
- )
- }
-
- /**
- * Gets a value that is (transitively) written to `query`, where `query` is a NoSQL sink.
- *
- * This predicate allows us to propagate data flow through property writes and array constructors
- * within a query object, enabling the security query to pick up NoSQL injection vulnerabilities
- * involving more complex queries.
- */
- private DataFlow::Node getASubexpressionWithinQuery(DataFlow::Node query) {
- isEffectiveSink(query) and
- exists(DataFlow::SourceNode receiver |
- receiver = [getASubexpressionWithinQuery(query), query].getALocalSource()
- |
- result =
- [
- receiver.getAPropertyWrite().getRhs(),
- receiver.(DataFlow::ArrayCreationNode).getAnElement()
- ]
- )
- }
-}
diff --git a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssATM.qll b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssATM.qll
deleted file mode 100644
index d28b669bf49..00000000000
--- a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssATM.qll
+++ /dev/null
@@ -1,57 +0,0 @@
-/**
- * For internal use only.
- *
- * A taint-tracking configuration for reasoning about XSS vulnerabilities.
- * Defines shared code used by the XSS boosted query.
- */
-
-private import semmle.javascript.heuristics.SyntacticHeuristics
-private import semmle.javascript.security.dataflow.DomBasedXssCustomizations
-import AdaptiveThreatModeling
-
-class DomBasedXssAtmConfig extends AtmConfig {
- DomBasedXssAtmConfig() { this = "DomBasedXssAtmConfig" }
-
- override predicate isKnownSource(DataFlow::Node source) { source instanceof DomBasedXss::Source }
-
- override EndpointType getASinkEndpointType() { result instanceof XssSinkType }
-
- /*
- * This is largely a copy of the taint tracking configuration for the standard XSSThroughDom query,
- * except additional ATM sinks have been added to the `isSink` predicate.
- */
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof DomBasedXss::Sanitizer
- }
-
- override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
- guard instanceof PrefixStringSanitizerActivated or
- guard instanceof QuoteGuard or
- guard instanceof ContainsHtmlGuard
- }
-
- override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
- DomBasedXss::isOptionallySanitizedEdge(pred, succ)
- }
-}
-
-private import semmle.javascript.security.dataflow.Xss::Shared as Shared
-
-private class PrefixStringSanitizerActivated extends TaintTracking::SanitizerGuardNode,
- DomBasedXss::PrefixStringSanitizer {
- PrefixStringSanitizerActivated() { this = this }
-}
-
-private class PrefixStringActivated extends DataFlow::FlowLabel, DomBasedXss::PrefixString {
- PrefixStringActivated() { this = this }
-}
-
-private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::QuoteGuard {
- QuoteGuard() { this = this }
-}
-
-private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard {
- ContainsHtmlGuard() { this =
this }
-}
diff --git a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssThroughDomATM.qll b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssThroughDomATM.qll
deleted file mode 100644
index 87d69a37165..00000000000
--- a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssThroughDomATM.qll
+++ /dev/null
@@ -1,88 +0,0 @@
-/**
- * For internal use only.
- *
- * A taint-tracking configuration for reasoning about XSS through the DOM.
- * Defines shared code used by the XSS Through DOM boosted query.
- */
-
-private import semmle.javascript.heuristics.SyntacticHeuristics
-private import semmle.javascript.security.dataflow.DomBasedXssCustomizations
-private import semmle.javascript.dataflow.InferredTypes
-private import semmle.javascript.security.dataflow.XssThroughDomCustomizations::XssThroughDom as XssThroughDom
-private import semmle.javascript.security.dataflow.UnsafeJQueryPluginCustomizations::UnsafeJQueryPlugin as UnsafeJQuery
-import AdaptiveThreatModeling
-
-class XssThroughDomAtmConfig extends AtmConfig {
- XssThroughDomAtmConfig() { this = "XssThroughDomAtmConfig" }
-
- override predicate isKnownSource(DataFlow::Node source) {
- source instanceof XssThroughDom::Source
- }
-
- override EndpointType getASinkEndpointType() { result instanceof XssSinkType }
-
- override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof DomBasedXss::Sanitizer
- }
-
- override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
- guard instanceof TypeTestGuard or
- guard instanceof UnsafeJQuery::PropertyPresenceSanitizer or
- guard instanceof UnsafeJQuery::NumberGuard or
- guard instanceof PrefixStringSanitizer or
- guard instanceof QuoteGuard or
- guard instanceof ContainsHtmlGuard
- }
-
- override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
- DomBasedXss::isOptionallySanitizedEdge(pred, succ)
- }
-}
-
-/**
- * A test of form `typeof x === "something"`, preventing `x` from being a string in some cases.
- *
- * This sanitizer helps prune infeasible paths in type-overloaded functions.
- */
-class TypeTestGuard extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode {
- override EqualityTest astNode;
- Expr operand;
- boolean polarity;
-
- TypeTestGuard() {
- exists(TypeofTag tag | TaintTracking::isTypeofGuard(astNode, operand, tag) |
- // typeof x === "string" sanitizes `x` when it evaluates to false
- tag = "string" and
- polarity = astNode.getPolarity().booleanNot()
- or
- // typeof x === "object" sanitizes `x` when it evaluates to true
- tag != "string" and
- polarity = astNode.getPolarity()
- )
- }
-
- override predicate sanitizes(boolean outcome, Expr e) {
- polarity = outcome and
- e = operand
- }
-}
-
-private import semmle.javascript.security.dataflow.Xss::Shared as Shared
-
-private class PrefixStringSanitizer extends TaintTracking::SanitizerGuardNode,
- DomBasedXss::PrefixStringSanitizer {
- PrefixStringSanitizer() { this = this }
-}
-
-private class PrefixString extends DataFlow::FlowLabel, DomBasedXss::PrefixString {
- PrefixString() { this = this }
-}
-
-private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::QuoteGuard {
- QuoteGuard() { this = this }
-}
-
-private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard {
- ContainsHtmlGuard() { this = this }
-}