From 6770d2a49bd15a2f5be15b4dbc02fbee9c0df333 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Mon, 17 Jul 2023 09:06:49 +0200
Subject: [PATCH] Java: Exclude source-to-source flow in 5 queries.

---
 .../lib/semmle/code/java/security/ArithmeticTaintedQuery.qll | 4 ++++
 .../java/security/ImproperValidationOfArrayIndexQuery.qll | 2 ++
 java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll | 2 ++
 .../lib/semmle/code/java/security/NumericCastTaintedQuery.qll | 2 ++
 .../ql/lib/semmle/code/java/security/RequestForgeryConfig.qll | 2 ++
 5 files changed, 12 insertions(+)

diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
index fba7ac38cbb..f2be743e11b 100644
--- a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
@@ -11,6 +11,8 @@ module RemoteUserInputOverflowConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }
 
 predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) }
+
+ predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /** A taint-tracking configuration to reason about underflow from unvalidated user input. */
@@ -20,6 +22,8 @@ module RemoteUserInputUnderflowConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
 
 predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }
+
+ predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /** Taint-tracking flow for overflow from unvalidated user input. */
diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll
index 07b6b5e28cf..fd93b73b7c3 100644
--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll
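Review bot: The new `isBarrierIn` predicate is left undocumented in every configuration it is added to (both hunks here and the ImproperValidationOfArrayIndex, LogInjection, NumericCast and RequestForgery hunks), and its effect is not obvious from the one-liner: making every source a barrier-in cuts flow that arrives at a second source, so a path such as source A → source B → sink is now reported only from B. A QLDoc line above each declaration, for example `/** Sources are barriers-in so a path is reported from its nearest source rather than an earlier one (excludes source-to-source flow). */`, would record that intent where the next maintainer looks. For consumers this changes the reported path, and thereby can churn alert identity in code scanning, without changing which sinks are flagged, because the blocked node remains a source itself; as far as I recall the shared dataflow library treats barrier-in on a source as blocking only incoming edges rather than as a full barrier, which this change relies on, so that assumption is worth stating in the comment too. The enclosing module headers lie outside the hunks.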
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll
@@ -15,6 +15,8 @@ module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig {
 }
 
 predicate isBarrier(DataFlow::Node node) { node.getType() instanceof BooleanType }
+
+ predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll
index 2610870b383..5b57847d286 100644
--- a/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll
@@ -36,6 +36,8 @@ module LogInjectionConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
 any(LogInjectionAdditionalTaintStep c).step(node1, node2)
 }
+
+ predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
index d2b0e75f052..d3098a18a11 100644
--- a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
@@ -100,6 +100,8 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig {
 node.getEnclosingCallable() instanceof HashCodeMethod or
 exists(RightShiftOp e | e.getShiftedVariable().getAnAccess() = node.asExpr())
 }
+
+ predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll
index 0e3afacb83f..6a79193c4fd 100644
--- a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll
+++ b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll
@@ -51,6 +51,8 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
 }
 
 predicate isBarrier(DataFlow::Node node) { node instanceof RequestForgerySanitizer }
+
+ predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }
 
 module RequestForgeryFlow = TaintTracking::Global;