From 06c83ee14da3b7c764fa044e8b6dc7157247f9e3 Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Fri, 19 May 2023 11:18:10 -0400
Subject: [PATCH 1/5] Java: add error message for deprecated sink kinds to 'getInvalidModelKind'
---
.../code/java/dataflow/ExternalFlow.qll | 66 ++++++++++++++++++-
1 file changed, 64 insertions(+), 2 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
index 5776d64f402..f933a615c83 100644
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -265,13 +265,72 @@ module ModelValidation { ) } + private class DeprecatedSinkKind extends string { + DeprecatedSinkKind() { + this = + [ + "sql", "url-redirect", "xpath", "ssti", "logging", "groovy", "jexl", "mvel", "xslt", + "ldap", "pending-intent-sent", "intent-start", "set-hostname-verifier", + "header-splitting", "xss", "write-file", "create-file", "read-file", "open-url", + "jdbc-url" + ] + } + + private string replacementKind() { + this = "sql" and result = "\"sql-injection\"" + or + this = "url-redirect" and result = "\"url-redirection\"" + or + this = "xpath" and result = "\"xpath-injection\"" + or + this = "ssti" and result = "\"template-injection\"" + or + this = "logging" and result = "\"log-injection\"" + or + this = "groovy" and result = "\"groovy-injection\"" + or + this = "jexl" and result = "\"jexl-injection\"" + or + this = "mvel" and result = "\"mvel-injection\"" + or + this = "xslt" and result = "\"xslt-injection\"" + or + this = "ldap" and result = "\"ldap-injection\"" + or + this = "pending-intent-sent" and result = "\"pending-intents\"" + or + this = "intent-start" and result = "\"intent-redirection\"" + or + this = "set-hostname-verifier" and result = "\"hostname-verification\"" + or + this = "header-splitting" and result = "\"response-splitting\"" + or + this = "xss" and result = "\"html-injection\" or \"js-injection\"" + or + this = "write-file" and result = "\"file-content-store\"" + or + this = "create-file" and result = "\"path-injection\"" + or + this = "read-file" and result = "\"path-injection\"" + or + this = "open-url" and result = "\"request-forgery\"" + or + this = "jdbc-url" and result = "\"request-forgery\"" + } + + string deprecationMessage() { + result = + "The kind \"" + this + "\" is deprecated. Use " + this.replacementKind() + " instead." 
+ } + } + private string getInvalidModelKind() { exists(string kind | summaryModel(_, _, _, _, _, _, _, _, kind, _) | not kind = ["taint", "value"] and result = "Invalid kind \"" + kind + "\" in summary model." ) or - exists(string kind | sinkModel(_, _, _, _, _, _, _, kind, _) | + exists(string kind, string msg | sinkModel(_, _, _, _, _, _, _, kind, _) | not kind = [ "request-forgery", "jndi-injection", "ldap-injection", "sql-injection", "log-injection", @@ -283,7 +342,10 @@ module ModelValidation { ] and not kind.matches("regex-use%") and not kind.matches("qltest%") and - result = "Invalid kind \"" + kind + "\" in sink model." + msg = "Invalid kind \"" + kind + "\" in sink model." and + if kind instanceof DeprecatedSinkKind + then result = msg + " " + kind.(DeprecatedSinkKind).deprecationMessage() + else result = msg ) or exists(string kind | sourceModel(_, _, _, _, _, _, _, kind, _) | From b3d218a50322041d2c4eb275a66afe188e53c702 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Mon, 22 May 2023 10:15:34 -0400 Subject: [PATCH 2/5] Java: condense 'replacementKind' code --- .../code/java/dataflow/ExternalFlow.qll | 43 ++++++------------- 1 file changed, 14 insertions(+), 29 deletions(-) diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll index f933a615c83..1b0ce54af38 100644 --- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll +++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll 
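Review bot: In PATCH 1/5 the kind list in the `DeprecatedSinkKind` characteristic predicate and the disjuncts of `replacementKind()` are two hand-maintained copies of the same set, and nothing keeps them in step. If a kind is later added to the list without a `replacementKind()` case, `deprecationMessage()` has no result, so the `then` branch added to `getInvalidModelKind` in the second hunk yields nothing for that kind and the "Invalid kind" error is dropped instead of just losing its hint. That matters because an unrecognised sink kind is presumably matched by no query, leaving this message as the only sign that a modelled sink has stopped contributing. I would move the mapping into a standalone private predicate (named, say, `replacementSinkKind(string kind)`) and define the class from it, `DeprecatedSinkKind() { exists(replacementSinkKind(this)) }`, and add a one-line QLDoc on the class saying it exists only to improve the validation message. `getInvalidModelKind` and the list of accepted kinds continue outside both hunks.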
@@ -277,50 +277,35 @@ module ModelValidation { } private string replacementKind() { - this = "sql" and result = "\"sql-injection\"" + this = ["sql", "xpath", "groovy", "jexl", "mvel", "xslt", "ldap"] and + result = this + "-injection" or - this = "url-redirect" and result = "\"url-redirection\"" + this = "url-redirect" and result = "url-redirection" or - this = "xpath" and result = "\"xpath-injection\"" + this = "ssti" and result = "template-injection" or - this = "ssti" and result = "\"template-injection\"" + this = "logging" and result = "log-injection" or - this = "logging" and result = "\"log-injection\"" + this = "pending-intent-sent" and result = "pending-intents" or - this = "groovy" and result = "\"groovy-injection\"" + this = "intent-start" and result = "intent-redirection" or - this = "jexl" and result = "\"jexl-injection\"" + this = "set-hostname-verifier" and result = "hostname-verification" or - this = "mvel" and result = "\"mvel-injection\"" + this = "header-splitting" and result = "response-splitting" or - this = "xslt" and result = "\"xslt-injection\"" + this = "xss" and result = "html-injection\" or \"js-injection" or - this = "ldap" and result = "\"ldap-injection\"" + this = "write-file" and result = "file-content-store" or - this = "pending-intent-sent" and result = "\"pending-intents\"" + this = ["create-file", "read-file"] and result = "path-injection" or - this = "intent-start" and result = "\"intent-redirection\"" - or - this = "set-hostname-verifier" and result = "\"hostname-verification\"" - or - this = "header-splitting" and result = "\"response-splitting\"" - or - this = "xss" and result = "\"html-injection\" or \"js-injection\"" - or - this = "write-file" and result = "\"file-content-store\"" - or - this = "create-file" and result = "\"path-injection\"" - or - this = "read-file" and result = "\"path-injection\"" - or - this = "open-url" and result = "\"request-forgery\"" - or - this = "jdbc-url" and result = "\"request-forgery\"" + this 
= ["open-url", "jdbc-url"] and result = "request-forgery" } string deprecationMessage() { result = - "The kind \"" + this + "\" is deprecated. Use " + this.replacementKind() + " instead." + "The kind \"" + this + "\" is deprecated. Use \"" + this.replacementKind() + "\" instead." } } From 0355b78f13845ab90ce109dae58f5f5ce4a9bd83 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Mon, 22 May 2023 10:34:56 -0400 Subject: [PATCH 3/5] Java: add deprecation deletion comment --- java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll | 3 +++ 1 file changed, 3 insertions(+) diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll index 1b0ce54af38..0304e64398f 100644 --- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll +++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll @@ -247,6 +247,8 @@ module ModelValidation { ) } + /** + */ private string getInvalidModelOutput() { exists(string pred, AccessPath output, AccessPathToken part | sourceModel(_, _, _, _, _, _, output, _, _) and pred = "source" @@ -328,6 +330,7 @@ module ModelValidation { not kind.matches("regex-use%") and not kind.matches("qltest%") and msg = "Invalid kind \"" + kind + "\" in sink model." and + // The deprecation part of this message can be deleted after June 1st, 2024. if kind instanceof DeprecatedSinkKind then result = msg + " " + kind.(DeprecatedSinkKind).deprecationMessage() else result = msg From d10857fbdb8991bd7630fb7eae85e67089a1f47a Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Mon, 22 May 2023 10:39:59 -0400 Subject: [PATCH 4/5] Java: fix typo blank qldoc --- java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll | 2 -- 1 file changed, 2 deletions(-) diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll index 0304e64398f..cebf330c8e4 100644 --- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll 
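Review bot: In PATCH 2/5 the `xss` case of `replacementKind()` is now `result = "html-injection\" or \"js-injection"`, which is not a kind but a message fragment that only reads correctly because `deprecationMessage()` adds the surrounding quotes. Anyone reusing `replacementKind()` outside the message, or changing the quoting in `deprecationMessage()`, gets a malformed value for this one case. Since a QL predicate can have several results, I would write `this = "xss" and result = ["html-injection", "js-injection"]` and build the text with `strictconcat(string r | r = this.replacementKind() | "\"" + r + "\"", " or ")` between `"Use "` and `" instead."`.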
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll @@ -247,8 +247,6 @@ module ModelValidation { ) } - /** - */ private string getInvalidModelOutput() { exists(string pred, AccessPath output, AccessPathToken part | sourceModel(_, _, _, _, _, _, output, _, _) and pred = "source" From b8cedfa817b6b4bc8d56cad8d3cf6faf4da69b01 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 1 Jun 2023 13:30:27 -0400 Subject: [PATCH 5/5] Java: switch 'deprecated' to 'outdated' --- .../lib/semmle/code/java/dataflow/ExternalFlow.qll | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll index cebf330c8e4..ca662ee5610 100644 --- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll +++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll @@ -265,8 +265,8 @@ module ModelValidation { ) } - private class DeprecatedSinkKind extends string { - DeprecatedSinkKind() { + private class OutdatedSinkKind extends string { + OutdatedSinkKind() { this = [ "sql", "url-redirect", "xpath", "ssti", "logging", "groovy", "jexl", "mvel", "xslt", @@ -303,9 +303,9 @@ module ModelValidation { this = ["open-url", "jdbc-url"] and result = "request-forgery" } - string deprecationMessage() { + string outdatedMessage() { result = - "The kind \"" + this + "\" is deprecated. Use \"" + this.replacementKind() + "\" instead." + "The kind \"" + this + "\" is outdated. Use \"" + this.replacementKind() + "\" instead." } } 
@@ -328,9 +328,9 @@ module ModelValidation { not kind.matches("regex-use%") and not kind.matches("qltest%") and msg = "Invalid kind \"" + kind + "\" in sink model." and - // The deprecation part of this message can be deleted after June 1st, 2024. - if kind instanceof DeprecatedSinkKind - then result = msg + " " + kind.(DeprecatedSinkKind).deprecationMessage() + // The part of this message that refers to outdated sink kinds can be deleted after June 1st, 2024. + if kind instanceof OutdatedSinkKind + then result = msg + " " + kind.(OutdatedSinkKind).outdatedMessage() else result = msg ) or