hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-02 04:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #13019 from jcogs33/jcogs33/url-open-stream-updates

Browse Source 
Java: switch `url-open-stream` sink models to `experimentalSinkModel`
This commit is contained in:
Jami
2023-05-04 15:07:44 -04:00
committed by GitHub
parent 27c4408431 2e683b3dd2
commit 3c74c8bbe0
7 changed files with 28 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst
View File

@@ -84,7 +84,7 @@ The remaining values are used to define the **access path**, the **kind**, and t
- The seventh value **Argument[0]** is the **access path** to the first argument passed to the method, which means that this is the location of the sink.
- The eighth value **sql** is the kind of the sink. The sink kind is used to define the queries where the sink is in scope. In this case - the SQL injection queries.
- The ninth value **manual** is the provenance of the sink, which is used to identify the origin of the sink.
Example: Taint source from the **java.net** package
----------------------------------------------------
In this example we show how to model the return value from the **getInputStream** method as a **remote** source.
@@ -241,7 +241,7 @@ A neutral model is used to define that there is no flow through a method.
Note that the neutral model for the **now** method is already added to the CodeQL Java analysis.
.. code-block:: java
public static void taintflow() {
Instant t = Instant.now(); // There is no flow from now to t.
...
@@ -334,7 +334,7 @@ Below is an enumeration of the remaining sinks, but they are out of scope for th
- **open-url**, **jndi-injection**, **ldap**, **jdbc-url**
- **mvel**, **xpath**, **groovy**, **ognl-injection**
- **intent-start**, **pending-intent-sent**, **url-open-stream**, **url-redirect**
- **intent-start**, **pending-intent-sent**, **url-redirect**
- **create-file**, **read-file**, **write-file**, **set-hostname-verifier**
- **header-splitting**, **information-leak**, **xslt**, **jexl**
- **bean-validation**, **ssti**, **fragment-injection**, **regex-use[**\ `arg`\ **]**
@@ -414,4 +414,4 @@ Furthermore, it impacts the data flow analysis in the following way:
That is, generated models are less trusted than manual models and only used if neither source code nor a manual model is available.
.. include:: ../reusables/data-extensions.rst
.. include:: ../reusables/data-extensions.rst

3
java/documentation/library-coverage/cwe-sink.csv
View File

@@ -1,8 +1,7 @@
CWE,Sink identifier,Label
CWE089,sql,SQL injection
CWE022,create-file,Path injection
CWE036,url-open-stream,Path traversal
CWE094,bean-validation,Code injection
CWE319,open-url,Cleartext transmission
CWE079,xss,Cross-site scripting
CWE090,ldap,LDAP injection
CWE090,ldap,LDAP injection
1 CWE Sink identifier Label
2 CWE‑089 sql SQL injection
3 CWE‑022 create-file Path injection
CWE‑036 url-open-stream Path traversal
4 CWE‑094 bean-validation Code injection
5 CWE‑319 open-url Cleartext transmission
6 CWE‑079 xss Cross-site scripting
7 CWE‑090 ldap LDAP injection

4
java/ql/lib/change-notes/2023-05-03-url-open-stream-as-experimental.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Moved the `url-open-stream` sink models to experimental and removed `url-open-stream` as a sink option from the [Customizing Library Models for Java](https://github.com/github/codeql/blob/733a00039efdb39c3dd76ddffad5e6d6c85e6774/docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst#customizing-library-models-for-java) documentation.

6
java/ql/lib/ext/com.google.common.io.model.yml
View File

@@ -11,12 +11,6 @@ extensions:
- ["com.google.common.io", "Files", False, "toString", "(File,Charset)", "", "Argument[0]", "read-file", "ai-manual"]
- ["com.google.common.io", "Files", False, "write", "(byte[],File)", "", "Argument[0]", "write-file", "ai-manual"]
- ["com.google.common.io", "Files", False, "write", "(byte[],File)", "", "Argument[1]", "create-file", "manual"]
- ["com.google.common.io", "Resources", False, "asByteSource", "(URL)", "", "Argument[0]", "url-open-stream", "manual"]
- ["com.google.common.io", "Resources", False, "asCharSource", "(URL,Charset)", "", "Argument[0]", "url-open-stream", "manual"]
- ["com.google.common.io", "Resources", False, "copy", "(URL,OutputStream)", "", "Argument[0]", "url-open-stream", "manual"]
- ["com.google.common.io", "Resources", False, "readLines", "", "", "Argument[0]", "url-open-stream", "manual"]
- ["com.google.common.io", "Resources", False, "toByteArray", "(URL)", "", "Argument[0]", "url-open-stream", "manual"]
- ["com.google.common.io", "Resources", False, "toString", "(URL,Charset)", "", "Argument[0]", "url-open-stream", "manual"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel

11
java/ql/lib/ext/experimental/com.google.common.io.model.yml Normal file
View File

@@ -0,0 +1,11 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: experimentalSinkModel
data:
- ["com.google.common.io", "Resources", False, "asByteSource", "(URL)", "", "Argument[0]", "url-open-stream", "manual", "openstream-called-on-tainted-url"]
- ["com.google.common.io", "Resources", False, "asCharSource", "(URL,Charset)", "", "Argument[0]", "url-open-stream", "manual", "openstream-called-on-tainted-url"]
- ["com.google.common.io", "Resources", False, "copy", "(URL,OutputStream)", "", "Argument[0]", "url-open-stream", "manual", "openstream-called-on-tainted-url"]
- ["com.google.common.io", "Resources", False, "readLines", "", "", "Argument[0]", "url-open-stream", "manual", "openstream-called-on-tainted-url"]
- ["com.google.common.io", "Resources", False, "toByteArray", "(URL)", "", "Argument[0]", "url-open-stream", "manual", "openstream-called-on-tainted-url"]
- ["com.google.common.io", "Resources", False, "toString", "(URL,Charset)", "", "Argument[0]", "url-open-stream", "manual", "openstream-called-on-tainted-url"]

8
java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
View File

@@ -273,10 +273,10 @@ module ModelValidation {
not kind =
[
"open-url", "jndi-injection", "ldap", "sql", "jdbc-url", "logging", "mvel", "xpath",
"groovy", "xss", "ognl-injection", "intent-start", "pending-intent-sent",
"url-open-stream", "url-redirect", "create-file", "read-file", "write-file",
"set-hostname-verifier", "header-splitting", "information-leak", "xslt", "jexl",
"bean-validation", "ssti", "fragment-injection", "command-injection"
"groovy", "xss", "ognl-injection", "intent-start", "pending-intent-sent", "url-redirect",
"create-file", "read-file", "write-file", "set-hostname-verifier", "header-splitting",
"information-leak", "xslt", "jexl", "bean-validation", "ssti", "fragment-injection",
"command-injection"
] and
not kind.matches("regex-use%") and
not kind.matches("qltest%") and

4
java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql
View File

@@ -17,6 +17,10 @@ import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.ExternalFlow
import RemoteUrlToOpenStreamFlow::PathGraph
private class ActivateModels extends ActiveExperimentalModels {
ActivateModels() { this = "openstream-called-on-tainted-url" }
}
class UrlConstructor extends ClassInstanceExpr {
UrlConstructor() { this.getConstructor().getDeclaringType() instanceof TypeUrl }