From 43db83a28fff4d9411cb3a64322148821c5943aa Mon Sep 17 00:00:00 2001
From: tiferet
Date: Mon, 27 Feb 2023 10:20:31 -0800
Subject: [PATCH] Delete some commented out code that was copied directly from JS

---
 .../EndpointCharacteristics.qll | 198 ------------------
 1 file changed, 198 deletions(-)

diff --git a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll
index 22a07c1ca68..fffc52ec21d 100644
--- a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll
+++ b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll
@@ -174,118 +174,6 @@ abstract class EndpointCharacteristic extends string {
 final float mediumConfidence() { result = 0.6 }
 }
 
-// /*
-// * Helper predicates.
-// */
-// /**
-// * Holds if the node `n` is a known sink for the external API security query.
-// *
-// * This corresponds to known sinks from security queries whose sources include remote flow and
-// * DOM-based sources.
-// */
-// private predicate isKnownExternalApiQuerySink(DataFlow::Node n) {
-// n instanceof Xxe::Sink or
-// n instanceof TaintedPath::Sink or
-// n instanceof XpathInjection::Sink or
-// n instanceof Xss::Sink or
-// n instanceof ClientSideUrlRedirect::Sink or
-// n instanceof CodeInjection::Sink or
-// n instanceof RequestForgery::Sink or
-// n instanceof CorsMisconfigurationForCredentials::Sink or
-// n instanceof CommandInjection::Sink or
-// n instanceof PrototypePollution::Sink or
-// n instanceof UnvalidatedDynamicMethodCall::Sink or
-// n instanceof TaintedFormatString::Sink or
-// n instanceof NosqlInjection::Sink or
-// n instanceof PostMessageStar::Sink or
-// n instanceof RegExpInjection::Sink or
-// n instanceof SqlInjection::Sink or
-// n instanceof XmlBomb::Sink or
-// n instanceof ZipSlip::Sink or
-// n instanceof UnsafeDeserialization::Sink or
-// n instanceof ServerSideUrlRedirect::Sink or
-// n instanceof CleartextStorage::Sink or
-// n instanceof HttpToFileAccess::Sink
-// }
-// /**
-// * Holds if the node `n` is a known sink in a modeled library.
-// */
-// private predicate isKnownLibrarySink(DataFlow::Node n) {
-// isKnownExternalApiQuerySink(n) or
-// n instanceof CleartextLogging::Sink or
-// n instanceof StackTraceExposure::Sink or
-// n instanceof ShellCommandInjectionFromEnvironment::Sink or
-// n instanceof InsecureRandomness::Sink or
-// n instanceof FileAccessToHttp::Sink or
-// n instanceof IndirectCommandInjection::Sink
-// }
-// /**
-// * Holds if the node `n` is known as the predecessor in a modeled flow step.
-// */
-// private predicate isKnownStepSrc(DataFlow::Node n) {
-// TaintTracking::sharedTaintStep(n, _) or
-// DataFlow::SharedFlowStep::step(n, _) or
-// DataFlow::SharedFlowStep::step(n, _, _, _)
-// }
-// /**
-// * Holds if the data flow node is a (possibly indirect) argument of a likely external library call.
-// *
-// * This includes direct arguments of likely external library calls as well as nested object
-// * literals within those calls.
-// */
-// private predicate flowsToArgumentOfLikelyExternalLibraryCall(DataFlow::Node n) {
-// n = getACallWithoutCallee().getAnArgument()
-// or
-// exists(DataFlow::SourceNode src | flowsToArgumentOfLikelyExternalLibraryCall(src) |
-// n = src.getAPropertyWrite().getRhs()
-// )
-// or
-// exists(DataFlow::ArrayCreationNode arr | flowsToArgumentOfLikelyExternalLibraryCall(arr) |
-// n = arr.getAnElement()
-// )
-// }
-// /**
-// * Get calls for which we do not have the callee (i.e. the definition of the called function). This
-// * acts as a heuristic for identifying calls to external library functions.
-// */
-// private DataFlow::CallNode getACallWithoutCallee() {
-// forall(Function callee | callee = result.getACallee() | callee.getTopLevel().isExterns()) and
-// not exists(DataFlow::ParameterNode param, DataFlow::FunctionNode callback |
-// param.flowsTo(result.getCalleeNode()) and
-// callback = getACallback(param, DataFlow::TypeBackTracker::end())
-// )
-// }
-// /**
-// * Gets a node that flows to callback-parameter `p`.
-// */
-// private DataFlow::SourceNode getACallback(DataFlow::ParameterNode p, DataFlow::TypeBackTracker t) {
-// t.start() and
-// result = p and
-// any(DataFlow::FunctionNode f).getLastParameter() = p and
-// exists(p.getACall())
-// or
-// exists(DataFlow::TypeBackTracker t2 | result = getACallback(p, t2).backtrack(t2, t))
-// }
-/*
- * Characteristics that are indicative of a sink.
- * NOTE: Initially each sink type has only one characteristic, which is that it's a sink of this type in the standard
- * Java libraries.
- */
-
-// /**
-// * Endpoints identified as "DomBasedXssSink" by the standard Java libraries are XSS sinks with maximal confidence.
-// */
-// private class DomBasedXssSinkCharacteristic extends EndpointCharacteristic {
-// DomBasedXssSinkCharacteristic() { this = any(XssSinkType type).getDescription() }
-// override predicate appliesToEndpoint(DataFlow::Node n) { n instanceof DomBasedXss::Sink }
-// override predicate hasImplications(
-// EndpointType endpointClass, boolean isPositiveIndicator, float confidence
-// ) {
-// endpointClass instanceof XssSinkType and
-// isPositiveIndicator = true and
-// confidence = maximalConfidence()
-// }
-// }
 /**
 * Endpoints identified as "create-file" sinks by the MaD modeling are tainted path sinks with maximal confidence.
 */
@@ -557,22 +445,6 @@ private class ExceptionCharacteristic extends NotASinkCharacteristic {
 }
 }
 
-// private class JQueryArgumentCharacteristic extends NotASinkCharacteristic,
-// OtherModeledArgumentCharacteristic {
-// JQueryArgumentCharacteristic() { this = "JQueryArgument" }
-// override predicate appliesToEndpoint(DataFlow::Node n) {
-// any(JQuery::MethodCall m).getAnArgument() = n
-// }
-// }
-// private class ClientRequestCharacteristic extends NotASinkCharacteristic,
-// OtherModeledArgumentCharacteristic {
-// ClientRequestCharacteristic() { this = "ClientRequest" }
-// override predicate appliesToEndpoint(DataFlow::Node n) {
-// exists(ClientRequest r |
-// r.getAnArgument() = n or n = r.getUrl() or n = r.getHost() or n = r.getADataNode()
-// )
-// }
-// }
 /*
 * Characteristics that have historically acted as endpoint filters to exclude endpoints from scoring at inference time.
 */
@@ -678,73 +550,3 @@ private class TestFileCharacteristic extends StandardEndpointFilterCharacteristi
 file.getAbsolutePath().matches("%/guava-testlib/%")
 }
 }
-// class IsArgumentToModeledFunctionCharacteristic extends StandardEndpointFilterCharacteristic {
-// IsArgumentToModeledFunctionCharacteristic() { this = "argument to modeled function" }
-// override predicate appliesToEndpoint(DataFlow::Node n) {
-// exists(DataFlow::InvokeNode invk, DataFlow::Node known |
-// invk.getAnArgument() = n and
-// invk.getAnArgument() = known and
-// (
-// isKnownLibrarySink(known)
-// or
-// isKnownStepSrc(known)
-// or
-// exists(OtherModeledArgumentCharacteristic characteristic |
-// characteristic.appliesToEndpoint(known)
-// )
-// )
-// )
-// }
-// }
-// private class IsArgumentToSinklessLibraryCharacteristic extends StandardEndpointFilterCharacteristic {
-// IsArgumentToSinklessLibraryCharacteristic() { this = "argument to sinkless library" }
-// override predicate appliesToEndpoint(DataFlow::Node n) {
-// exists(DataFlow::InvokeNode invk, DataFlow::SourceNode commonSafeLibrary, string libraryName |
-// libraryName = ["slugify", "striptags", "marked"]
-// |
-// commonSafeLibrary = DataFlow::moduleImport(libraryName) and
-// invk = [commonSafeLibrary, commonSafeLibrary.getAPropertyRead()].getAnInvocation() and
-// n = invk.getAnArgument()
-// )
-// }
-// }
-// private class IsSanitizerCharacteristic extends StandardEndpointFilterCharacteristic {
-// IsSanitizerCharacteristic() { this = "sanitizer" }
-// override predicate appliesToEndpoint(DataFlow::Node n) {
-// exists(DataFlow::CallNode call | n = call.getAnArgument() |
-// call.getCalleeName().regexpMatch("(?i).*(escape|valid(ate)?|sanitize|purify).*")
-// )
-// }
-// }
-// private class IsPredicateCharacteristic extends StandardEndpointFilterCharacteristic {
-// IsPredicateCharacteristic() { this = "predicate" }
-// override predicate appliesToEndpoint(DataFlow::Node n) {
-// exists(DataFlow::CallNode call | n = call.getAnArgument() |
-// call.getCalleeName().regexpMatch("(equals|(|is|has|can)(_|[A-Z])).*")
-// )
-// }
-// }
-// private class IsHashCharacteristic extends StandardEndpointFilterCharacteristic {
-// IsHashCharacteristic() { this = "hash" }
-// override predicate appliesToEndpoint(DataFlow::Node n) {
-// exists(DataFlow::CallNode call | n = call.getAnArgument() |
-// call.getCalleeName().regexpMatch("(?i)^(sha\\d*|md5|hash)$")
-// )
-// }
-// }
-// private class IsNumericCharacteristic extends StandardEndpointFilterCharacteristic {
-// IsNumericCharacteristic() { this = "numeric" }
-// override predicate appliesToEndpoint(DataFlow::Node n) {
-// SyntacticHeuristics::isReadFrom(n, ".*index.*")
-// }
-// }
-// private class InIrrelevantFileCharacteristic extends StandardEndpointFilterCharacteristic {
-// private string category;
-// InIrrelevantFileCharacteristic() {
-// this = "in " + category + " file" and category = ["externs", "generated", "library", "test"]
-// }
-// override predicate appliesToEndpoint(DataFlow::Node n) {
-// // Ignore candidate sinks within externs, generated, library, and test code
-// ClassifyFiles::classify(n.getFile(), category)
-// }
-// }