Try implementing SqlInjectionATM.qll in Java

2026-05-21 22:57:11 +02:00 · 2022-12-21 21:45:14 -08:00
parent c0f58371b4
commit 653b0128f5
4 changed files with 61 additions and 64 deletions
--- a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll
+++ b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll
@@ -4,6 +4,7 @@

 private import java as java
 import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.security.QueryInjection
 import experimental.adaptivethreatmodeling.EndpointTypes

 /**
@@ -153,41 +154,35 @@ abstract class EndpointCharacteristic extends string {
 * JavaScript libraries.
 */

-/**
- * Endpoints identified as "DomBasedXssSink" by the standard JavaScript libraries are XSS sinks with maximal confidence.
- */
-private class DomBasedXssSinkCharacteristic extends EndpointCharacteristic {
-  DomBasedXssSinkCharacteristic() { this = "DomBasedXssSink" }
-
-  override predicate appliesToEndpoint(DataFlow::Node n) { n instanceof DomBasedXss::Sink }
-
-  override predicate hasImplications(
-    EndpointType endpointClass, boolean isPositiveIndicator, float confidence
-  ) {
-    endpointClass instanceof XssSinkType and
-    isPositiveIndicator = true and
-    confidence = maximalConfidence()
-  }
-}
-
-/**
- * Endpoints identified as "TaintedPathSink" by the standard JavaScript libraries are path injection sinks with maximal
- * confidence.
- */
-private class TaintedPathSinkCharacteristic extends EndpointCharacteristic {
-  TaintedPathSinkCharacteristic() { this = "TaintedPathSink" }
-
-  override predicate appliesToEndpoint(DataFlow::Node n) { n instanceof TaintedPath::Sink }
-
-  override predicate hasImplications(
-    EndpointType endpointClass, boolean isPositiveIndicator, float confidence
-  ) {
-    endpointClass instanceof TaintedPathSinkType and
-    isPositiveIndicator = true and
-    confidence = maximalConfidence()
-  }
-}
-
+// /**
+//  * Endpoints identified as "DomBasedXssSink" by the standard JavaScript libraries are XSS sinks with maximal confidence.
+//  */
+// private class DomBasedXssSinkCharacteristic extends EndpointCharacteristic {
+//   DomBasedXssSinkCharacteristic() { this = "DomBasedXssSink" }
+//   override predicate appliesToEndpoint(DataFlow::Node n) { n instanceof DomBasedXss::Sink }
+//   override predicate hasImplications(
+//     EndpointType endpointClass, boolean isPositiveIndicator, float confidence
+//   ) {
+//     endpointClass instanceof XssSinkType and
+//     isPositiveIndicator = true and
+//     confidence = maximalConfidence()
+//   }
+// }
+// /**
+//  * Endpoints identified as "TaintedPathSink" by the standard JavaScript libraries are path injection sinks with maximal
+//  * confidence.
+//  */
+// private class TaintedPathSinkCharacteristic extends EndpointCharacteristic {
+//   TaintedPathSinkCharacteristic() { this = "TaintedPathSink" }
+//   override predicate appliesToEndpoint(DataFlow::Node n) { n instanceof TaintedPath::Sink }
+//   override predicate hasImplications(
+//     EndpointType endpointClass, boolean isPositiveIndicator, float confidence
+//   ) {
+//     endpointClass instanceof TaintedPathSinkType and
+//     isPositiveIndicator = true and
+//     confidence = maximalConfidence()
+//   }
+// }
 /**
 * Endpoints identified as "SqlInjectionSink" by the standard JavaScript libraries are SQL injection sinks with maximal
 * confidence.
@@ -195,7 +190,7 @@ private class TaintedPathSinkCharacteristic extends EndpointCharacteristic {
 private class SqlInjectionSinkCharacteristic extends EndpointCharacteristic {
  SqlInjectionSinkCharacteristic() { this = "SqlInjectionSink" }

-  override predicate appliesToEndpoint(DataFlow::Node n) { n instanceof SqlInjection::Sink }
+  override predicate appliesToEndpoint(DataFlow::Node n) { n instanceof QueryInjectionSink }

  override predicate hasImplications(
    EndpointType endpointClass, boolean isPositiveIndicator, float confidence
@@ -206,24 +201,21 @@ private class SqlInjectionSinkCharacteristic extends EndpointCharacteristic {
  }
 }

-/**
- * Endpoints identified as "NosqlInjectionSink" by the standard JavaScript libraries are NoSQL injection sinks with
- * maximal confidence.
- */
-private class NosqlInjectionSinkCharacteristic extends EndpointCharacteristic {
-  NosqlInjectionSinkCharacteristic() { this = "NosqlInjectionSink" }
-
-  override predicate appliesToEndpoint(DataFlow::Node n) { n instanceof NosqlInjection::Sink }
-
-  override predicate hasImplications(
-    EndpointType endpointClass, boolean isPositiveIndicator, float confidence
-  ) {
-    endpointClass instanceof NosqlInjectionSinkType and
-    isPositiveIndicator = true and
-    confidence = maximalConfidence()
-  }
-}
-
+// /**
+//  * Endpoints identified as "NosqlInjectionSink" by the standard JavaScript libraries are NoSQL injection sinks with
+//  * maximal confidence.
+//  */
+// private class NosqlInjectionSinkCharacteristic extends EndpointCharacteristic {
+//   NosqlInjectionSinkCharacteristic() { this = "NosqlInjectionSink" }
+//   override predicate appliesToEndpoint(DataFlow::Node n) { n instanceof NosqlInjection::Sink }
+//   override predicate hasImplications(
+//     EndpointType endpointClass, boolean isPositiveIndicator, float confidence
+//   ) {
+//     endpointClass instanceof NosqlInjectionSinkType and
+//     isPositiveIndicator = true and
+//     confidence = maximalConfidence()
+//   }
+// }
 /*
 * Characteristics that have historically acted as endpoint filters to exclude endpoints from scoring at inference time.
 */
--- a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/SqlInjectionATM.qll
+++ b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/SqlInjectionATM.qll
@@ -3,16 +3,17 @@
 *
 * A taint-tracking configuration for reasoning about SQL injection vulnerabilities.
 * Defines shared code used by the SQL injection boosted query.
+ * Largely copied from semmle.code.java.security.SqlInjectionQuery.
 */

-import semmle.javascript.heuristics.SyntacticHeuristics
-import semmle.javascript.security.dataflow.SqlInjectionCustomizations
 import AdaptiveThreatModeling
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.QueryInjection

 class SqlInjectionAtmConfig extends AtmConfig {
  SqlInjectionAtmConfig() { this = "SqlInjectionAtmConfig" }

-  override predicate isKnownSource(DataFlow::Node source) { source instanceof SqlInjection::Source }
+  override predicate isKnownSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  override EndpointType getASinkEndpointType() { result instanceof SqlInjectionSinkType }

@@ -22,7 +23,12 @@ class SqlInjectionAtmConfig extends AtmConfig {
   */

  override predicate isSanitizer(DataFlow::Node node) {
-    super.isSanitizer(node) or
-    node instanceof SqlInjection::Sanitizer
+    node.getType() instanceof PrimitiveType or
+    node.getType() instanceof BoxedType or
+    node.getType() instanceof NumberType
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(AdditionalQueryInjectionTaintStep s).step(node1, node2)
  }
 }
--- a/java/ql/experimental/adaptivethreatmodeling/src/ExtractSinkCandidatesWithFlow.ql
+++ b/java/ql/experimental/adaptivethreatmodeling/src/ExtractSinkCandidatesWithFlow.ql
@@ -10,12 +10,12 @@
 private import java
 import semmle.code.java.dataflow.TaintTracking
 private import experimental.adaptivethreatmodeling.ATMConfig as AtmConfig
-private import experimental.adaptivethreatmodeling.NosqlInjectionATM as NosqlInjectionAtm
+// private import experimental.adaptivethreatmodeling.NosqlInjectionATM as NosqlInjectionAtm
 private import experimental.adaptivethreatmodeling.SqlInjectionATM as SqlInjectionAtm
-private import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathAtm
-private import experimental.adaptivethreatmodeling.XssATM as XssAtm
-private import experimental.adaptivethreatmodeling.XssThroughDomATM as XssThroughDomAtm

+// private import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathAtm
+// private import experimental.adaptivethreatmodeling.XssATM as XssAtm
+// private import experimental.adaptivethreatmodeling.XssThroughDomATM as XssThroughDomAtm
 from DataFlow::PathNode sink
 where exists(AtmConfig::AtmConfig queryConfig | queryConfig.isSinkCandidateWithFlow(sink))
 select sink.getNode().getLocation()
--- a/java/ql/experimental/adaptivethreatmodeling/src/qlpack.yml
+++ b/java/ql/experimental/adaptivethreatmodeling/src/qlpack.yml
@@ -9,4 +9,3 @@ groups:
    - experimental
 dependencies:
    codeql/java-experimental-atm-lib: ${workspace}
-    codeql/java-experimental-atm-model: "0.3.0"