hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 11:16:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Decouple GrovyInjection.qll to reuse the taint tracking configuration

Browse Source
This commit is contained in:
Tony Torralba
2021-07-19 12:53:37 +02:00
parent b08f417a1e
commit 441e8afe81
5 changed files with 68 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql
View File

@@ -11,27 +11,9 @@
*/
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.security.GroovyInjection
import semmle.code.java.security.GroovyInjectionQuery
import DataFlow::PathGraph
/**
* A taint-tracking configuration for unsafe user input
* that is used to evaluate a Groovy expression.
*/
class GroovyInjectionConfig extends TaintTracking::Configuration {
GroovyInjectionConfig() { this = "GroovyInjectionConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof GroovyInjectionSink }
override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
any(GroovyInjectionAdditionalTaintStep c).step(fromNode, toNode)
}
}
from DataFlow::PathNode source, DataFlow::PathNode sink, GroovyInjectionConfig conf
where conf.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Groovy Injection from $@.", source.getNode(),

2
java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
View File

@@ -99,7 +99,7 @@ private module Frameworks {
private import semmle.code.java.security.JexlInjectionSinkModels
private import semmle.code.java.security.LdapInjection
private import semmle.code.java.security.XPath
private import semmle.code.java.security.GroovyInjection
private import semmle.code.java.security.GroovyInjectionSinkModels
private import semmle.code.java.frameworks.android.SQLite
private import semmle.code.java.frameworks.Jdbc
private import semmle.code.java.frameworks.SpringJdbc

59
java/ql/src/semmle/code/java/security/GroovyInjection.qll → java/ql/src/semmle/code/java/security/GroovyInjectionQuery.qll
View File

@@ -3,6 +3,8 @@
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.ExternalFlow
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.frameworks.Networking
/** A data flow sink for Groovy expression injection vulnerabilities. */
@@ -25,47 +27,6 @@ private class DefaultGroovyInjectionSink extends GroovyInjectionSink {
DefaultGroovyInjectionSink() { sinkNode(this, "groovy") }
}
private class DefaultLdapInjectionSinkModel extends SinkModelCsv {
override predicate row(string row) {
row =
[
// Signatures are specified to exclude sinks of the type `File`
"groovy.lang;GroovyShell;false;evaluate;(GroovyCodeSource);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;evaluate;(Reader);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;evaluate;(Reader,String);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;evaluate;(String);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;evaluate;(String,String);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;evaluate;(String,String,String);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;evaluate;(URI);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;parse;(Reader);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;parse;(Reader,String);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;parse;(String);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;parse;(String,String);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;parse;(URI);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;run;(GroovyCodeSource,String[]);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;run;(GroovyCodeSource,List);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;run;(Reader,String,String[]);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;run;(Reader,String,List);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;run;(String,String,String[]);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;run;(String,String,List);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;run;(URI,String[]);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;run;(URI,List);;Argument[0];groovy",
"groovy.util;Eval;false;me;(String);;Argument[0];groovy",
"groovy.util;Eval;false;me;(String,Object,String);;Argument[2];groovy",
"groovy.util;Eval;false;x;(Object,String);;Argument[1];groovy",
"groovy.util;Eval;false;xy;(Object,Object,String);;Argument[2];groovy",
"groovy.util;Eval;false;xyz;(Object,Object,Object,String);;Argument[3];groovy",
"groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource);;Argument[0];groovy",
"groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource,boolean);;Argument[0];groovy",
"groovy.lang;GroovyClassLoader;false;parseClass;(InputStream,String);;Argument[0];groovy",
"groovy.lang;GroovyClassLoader;false;parseClass;(Reader,String);;Argument[0];groovy",
"groovy.lang;GroovyClassLoader;false;parseClass;(String);;Argument[0];groovy",
"groovy.lang;GroovyClassLoader;false;parseClass;(String,String);;Argument[0];groovy",
"org.codehaus.groovy.control;CompilationUnit;false;compile;;;Argument[-1];groovy"
]
}
}
/** A set of additional taint steps to consider when taint tracking Groovy related data flows. */
private class DefaultGroovyInjectionAdditionalTaintStep extends GroovyInjectionAdditionalTaintStep {
override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
@@ -76,6 +37,22 @@ private class DefaultGroovyInjectionAdditionalTaintStep extends GroovyInjectionA
}
}
/**
* A taint-tracking configuration for unsafe user input
* that is used to evaluate a Groovy expression.
*/
class GroovyInjectionConfig extends TaintTracking::Configuration {
GroovyInjectionConfig() { this = "GroovyInjectionConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof GroovyInjectionSink }
override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
any(GroovyInjectionAdditionalTaintStep c).step(fromNode, toNode)
}
}
/**
* Holds if `fromNode` to `toNode` is a dataflow step from a tainted string to
* a `GroovyCodeSource` instance by calling `new GroovyCodeSource(tainted, ...)`.

44
java/ql/src/semmle/code/java/security/GroovyInjectionSinkModels.qll Normal file
View File

@@ -0,0 +1,44 @@
/** Provides sink models relating to Groovy injection vulnerabilities. */
private import semmle.code.java.dataflow.ExternalFlow
private class DefaultLdapInjectionSinkModel extends SinkModelCsv {
override predicate row(string row) {
row =
[
// Signatures are specified to exclude sinks of the type `File`
"groovy.lang;GroovyShell;false;evaluate;(GroovyCodeSource);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;evaluate;(Reader);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;evaluate;(Reader,String);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;evaluate;(String);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;evaluate;(String,String);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;evaluate;(String,String,String);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;evaluate;(URI);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;parse;(Reader);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;parse;(Reader,String);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;parse;(String);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;parse;(String,String);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;parse;(URI);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;run;(GroovyCodeSource,String[]);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;run;(GroovyCodeSource,List);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;run;(Reader,String,String[]);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;run;(Reader,String,List);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;run;(String,String,String[]);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;run;(String,String,List);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;run;(URI,String[]);;Argument[0];groovy",
"groovy.lang;GroovyShell;false;run;(URI,List);;Argument[0];groovy",
"groovy.util;Eval;false;me;(String);;Argument[0];groovy",
"groovy.util;Eval;false;me;(String,Object,String);;Argument[2];groovy",
"groovy.util;Eval;false;x;(Object,String);;Argument[1];groovy",
"groovy.util;Eval;false;xy;(Object,Object,String);;Argument[2];groovy",
"groovy.util;Eval;false;xyz;(Object,Object,Object,String);;Argument[3];groovy",
"groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource);;Argument[0];groovy",
"groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource,boolean);;Argument[0];groovy",
"groovy.lang;GroovyClassLoader;false;parseClass;(InputStream,String);;Argument[0];groovy",
"groovy.lang;GroovyClassLoader;false;parseClass;(Reader,String);;Argument[0];groovy",
"groovy.lang;GroovyClassLoader;false;parseClass;(String);;Argument[0];groovy",
"groovy.lang;GroovyClassLoader;false;parseClass;(String,String);;Argument[0];groovy",
"org.codehaus.groovy.control;CompilationUnit;false;compile;;;Argument[-1];groovy"
]
}
}