diff --git a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll
index fd51c65b102..3c7e46348dd 100644
--- a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll
+++ b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll
@@ -4,6 +4,7 @@
private import java as java
import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.security.QueryInjection
import experimental.adaptivethreatmodeling.EndpointTypes
/**
@@ -153,41 +154,35 @@ abstract class EndpointCharacteristic extends string {
* JavaScript libraries.
*/
-/**
- * Endpoints identified as "DomBasedXssSink" by the standard JavaScript libraries are XSS sinks with maximal confidence.
- */
-private class DomBasedXssSinkCharacteristic extends EndpointCharacteristic {
- DomBasedXssSinkCharacteristic() { this = "DomBasedXssSink" }
-
- override predicate appliesToEndpoint(DataFlow::Node n) { n instanceof DomBasedXss::Sink }
-
- override predicate hasImplications(
- EndpointType endpointClass, boolean isPositiveIndicator, float confidence
- ) {
- endpointClass instanceof XssSinkType and
- isPositiveIndicator = true and
- confidence = maximalConfidence()
- }
-}
-
-/**
- * Endpoints identified as "TaintedPathSink" by the standard JavaScript libraries are path injection sinks with maximal
- * confidence.
- */
-private class TaintedPathSinkCharacteristic extends EndpointCharacteristic {
- TaintedPathSinkCharacteristic() { this = "TaintedPathSink" }
-
- override predicate appliesToEndpoint(DataFlow::Node n) { n instanceof TaintedPath::Sink }
-
- override predicate hasImplications(
- EndpointType endpointClass, boolean isPositiveIndicator, float confidence
- ) {
- endpointClass instanceof TaintedPathSinkType and
- isPositiveIndicator = true and
- confidence = maximalConfidence()
- }
-}
-
+// /**
+// * Endpoints identified as "DomBasedXssSink" by the standard JavaScript libraries are XSS sinks with maximal confidence.
+// */
+// private class DomBasedXssSinkCharacteristic extends EndpointCharacteristic {
+// DomBasedXssSinkCharacteristic() { this = "DomBasedXssSink" }
+// override predicate appliesToEndpoint(DataFlow::Node n) { n instanceof DomBasedXss::Sink }
+// override predicate hasImplications(
+// EndpointType endpointClass, boolean isPositiveIndicator, float confidence
+// ) {
+// endpointClass instanceof XssSinkType and
+// isPositiveIndicator = true and
+// confidence = maximalConfidence()
+// }
+// }
+// /**
+// * Endpoints identified as "TaintedPathSink" by the standard JavaScript libraries are path injection sinks with maximal
+// * confidence.
+// */
+// private class TaintedPathSinkCharacteristic extends EndpointCharacteristic {
+// TaintedPathSinkCharacteristic() { this = "TaintedPathSink" }
+// override predicate appliesToEndpoint(DataFlow::Node n) { n instanceof TaintedPath::Sink }
+// override predicate hasImplications(
+// EndpointType endpointClass, boolean isPositiveIndicator, float confidence
+// ) {
+// endpointClass instanceof TaintedPathSinkType and
+// isPositiveIndicator = true and
+// confidence = maximalConfidence()
+// }
+// }
/**
* Endpoints identified as "SqlInjectionSink" by the standard JavaScript libraries are SQL injection sinks with maximal
* confidence.
@@ -195,7 +190,7 @@ private class TaintedPathSinkCharacteristic extends EndpointCharacteristic {
private class SqlInjectionSinkCharacteristic extends EndpointCharacteristic {
SqlInjectionSinkCharacteristic() { this = "SqlInjectionSink" }
- override predicate appliesToEndpoint(DataFlow::Node n) { n instanceof SqlInjection::Sink }
+ override predicate appliesToEndpoint(DataFlow::Node n) { n instanceof QueryInjectionSink }
override predicate hasImplications(
EndpointType endpointClass, boolean isPositiveIndicator, float confidence
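Review bot: The DomBasedXss and TaintedPath characteristics survive as commented-out code (the `+// ...` lines) rather than being deleted, and what is commented out references `DomBasedXss::Sink` and `TaintedPath::Sink`, JavaScript-library classes that this Java file does not import, so the block can never simply be un-commented. Deleting it — the JS original stays in history — and leaving a single marker such as `// TODO: port XssSinkType and TaintedPathSinkType characteristics to the Java security library` says the same thing without thirty lines of dead code. As it stands a reader cannot tell whether XSS and path-injection endpoints are intentionally unlabeled for Java or merely not yet ported.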
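Review bot: `n instanceof QueryInjectionSink` is a wider net than the JS `SqlInjection::Sink` it replaces: in the standard Java library `QueryInjectionSink` is the sink class of the `java/sql-injection` query, which to my recollection also includes JPQL/HQL and MongoDB query sinks — worth confirming, because every one of them is now labeled `SqlInjectionSinkType` with `maximalConfidence()`, overlapping the NoSQL endpoint type this file stops labeling further down. The unchanged doc comment directly above the class still reads `* Endpoints identified as "SqlInjectionSink" by the standard JavaScript libraries are SQL injection sinks with maximal`; it should now describe the Java set, e.g. `* Endpoints that are QueryInjectionSinks in the standard Java libraries (SQL, and possibly JPQL/HQL and NoSQL query sinks) are SQL injection sinks with maximal confidence.`, so anyone inspecting the training labels knows what went in.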
@@ -206,24 +201,21 @@ private class SqlInjectionSinkCharacteristic extends EndpointCharacteristic {
}
}
-/**
- * Endpoints identified as "NosqlInjectionSink" by the standard JavaScript libraries are NoSQL injection sinks with
- * maximal confidence.
- */
-private class NosqlInjectionSinkCharacteristic extends EndpointCharacteristic {
- NosqlInjectionSinkCharacteristic() { this = "NosqlInjectionSink" }
-
- override predicate appliesToEndpoint(DataFlow::Node n) { n instanceof NosqlInjection::Sink }
-
- override predicate hasImplications(
- EndpointType endpointClass, boolean isPositiveIndicator, float confidence
- ) {
- endpointClass instanceof NosqlInjectionSinkType and
- isPositiveIndicator = true and
- confidence = maximalConfidence()
- }
-}
-
+// /**
+// * Endpoints identified as "NosqlInjectionSink" by the standard JavaScript libraries are NoSQL injection sinks with
+// * maximal confidence.
+// */
+// private class NosqlInjectionSinkCharacteristic extends EndpointCharacteristic {
+// NosqlInjectionSinkCharacteristic() { this = "NosqlInjectionSink" }
+// override predicate appliesToEndpoint(DataFlow::Node n) { n instanceof NosqlInjection::Sink }
+// override predicate hasImplications(
+// EndpointType endpointClass, boolean isPositiveIndicator, float confidence
+// ) {
+// endpointClass instanceof NosqlInjectionSinkType and
+// isPositiveIndicator = true and
+// confidence = maximalConfidence()
+// }
+// }
/*
* Characteristics that have historically acted as endpoint filters to exclude endpoints from scoring at inference time.
*/
diff --git a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/SqlInjectionATM.qll b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/SqlInjectionATM.qll
index 917e79f401e..47e9fba77df 100644
--- a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/SqlInjectionATM.qll
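Review bot: The NoSQL characteristic is kept here as commented-out code, but on Java it would not be a straight port anyway: the `QueryInjectionSink` class now used by `SqlInjectionSinkCharacteristic` a few lines above likely already contains the MongoDB sinks (it is the sink set of the standard `java/sql-injection` query — please confirm), so a Java `NosqlInjectionSinkCharacteristic` would have to be carved out of that set to avoid labeling one endpoint as both SQL and NoSQL. Replace the dead block with a comment recording that, e.g. `// NoSQL query sinks are currently labeled via SqlInjectionSinkCharacteristic (QueryInjectionSink); no separate NosqlInjectionSinkType characteristic exists for Java yet.`.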
+++ b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/SqlInjectionATM.qll
@@ -3,16 +3,17 @@
*
* A taint-tracking configuration for reasoning about SQL injection vulnerabilities.
* Defines shared code used by the SQL injection boosted query.
+ * Largely copied from semmle.code.java.security.SqlInjectionQuery.
*/
-import semmle.javascript.heuristics.SyntacticHeuristics
-import semmle.javascript.security.dataflow.SqlInjectionCustomizations
import AdaptiveThreatModeling
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.QueryInjection
class SqlInjectionAtmConfig extends AtmConfig {
SqlInjectionAtmConfig() { this = "SqlInjectionAtmConfig" }
- override predicate isKnownSource(DataFlow::Node source) { source instanceof SqlInjection::Source }
+ override predicate isKnownSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override EndpointType getASinkEndpointType() { result instanceof SqlInjectionSinkType }
@@ -22,7 +23,12 @@ class SqlInjectionAtmConfig extends AtmConfig {
*/
override predicate isSanitizer(DataFlow::Node node) {
- super.isSanitizer(node) or
- node instanceof SqlInjection::Sanitizer
+ node.getType() instanceof PrimitiveType or
+ node.getType() instanceof BoxedType or
+ node.getType() instanceof NumberType
+ }
+
+ override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+ any(AdditionalQueryInjectionTaintStep s).step(node1, node2)
}
}
diff --git a/java/ql/experimental/adaptivethreatmodeling/src/ExtractSinkCandidatesWithFlow.ql b/java/ql/experimental/adaptivethreatmodeling/src/ExtractSinkCandidatesWithFlow.ql
index 138406f3fe6..1214cc6d002 100644
--- a/java/ql/experimental/adaptivethreatmodeling/src/ExtractSinkCandidatesWithFlow.ql
+++ b/java/ql/experimental/adaptivethreatmodeling/src/ExtractSinkCandidatesWithFlow.ql
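Review bot: The new `isSanitizer` drops `super.isSanitizer(node) or`: the removed body OR-ed the base `AtmConfig` sanitizers with the JS ones, while the replacement lists only the three type-based sanitizers copied from the Java `SqlInjectionQuery`, so whatever the base class treats as a sanitizer (not visible here; it may be empty) no longer applies to this configuration and more candidates will flow to sinks. Unless that narrowing is intended, restore `super.isSanitizer(node) or` as the first disjunct, and check the same for the new `isAdditionalTaintStep`, which also does not delegate to `super`. The doc comment closed by the `*/` at the top of this hunk starts outside it and presumably still describes the JavaScript sanitizer; it should now state that nodes of primitive, boxed or numeric type are treated as sanitized because they cannot carry an injectable string.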
@@ -10,12 +10,12 @@ private import java import semmle.code.java.dataflow.TaintTracking private import experimental.adaptivethreatmodeling.ATMConfig as AtmConfig -private import experimental.adaptivethreatmodeling.NosqlInjectionATM as NosqlInjectionAtm +// private import experimental.adaptivethreatmodeling.NosqlInjectionATM as NosqlInjectionAtm private import experimental.adaptivethreatmodeling.SqlInjectionATM as SqlInjectionAtm -private import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathAtm -private import experimental.adaptivethreatmodeling.XssATM as XssAtm -private import experimental.adaptivethreatmodeling.XssThroughDomATM as XssThroughDomAtm +// private import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathAtm +// private import experimental.adaptivethreatmodeling.XssATM as XssAtm +// private import experimental.adaptivethreatmodeling.XssThroughDomATM as XssThroughDomAtm from DataFlow::PathNode sink where exists(AtmConfig::AtmConfig queryConfig | queryConfig.isSinkCandidateWithFlow(sink)) select sink.getNode().getLocation() diff --git a/java/ql/experimental/adaptivethreatmodeling/src/qlpack.yml b/java/ql/experimental/adaptivethreatmodeling/src/qlpack.yml index 459893e1302..f38e161daac 100644 --- a/java/ql/experimental/adaptivethreatmodeling/src/qlpack.yml +++ b/java/ql/experimental/adaptivethreatmodeling/src/qlpack.yml @@ -9,4 +9,3 @@ groups: - experimental dependencies: codeql/java-experimental-atm-lib: ${workspace} - codeql/java-experimental-atm-model: "0.3.0"
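Review bot: The four `// private import ...` lines leave dead code in a query file and obscure the real effect of the change: `exists(AtmConfig::AtmConfig queryConfig | ...)` now ranges only over the configurations still imported, i.e. `SqlInjectionAtm` (plus whatever `ATMConfig` itself brings in), so this extraction query emits sink candidates for SQL injection only. Replace the commented imports with one explanatory line, e.g. `// Only the SQL injection configuration has been ported to Java; the NoSQL, path-injection and XSS ATM configs were JavaScript-only.`, so the narrowed coverage is visible at the top of the query. The query's `@name`/`@kind` metadata sits above this hunk and is not visible here.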