Add query for initCause and addSuppressed

2026-04-28 02:05:14 +02:00 · 2020-11-02 11:59:14 +00:00
parent 78d7fe2fbb
commit 6a8ce37428
3 changed files with 58 additions and 3 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql
@@ -21,11 +21,25 @@ private predicate exceptionIsCaught(TryStmt t, RefType exType) {
    cc.getVariable() = v and
    v.getType().(RefType).getASubtype*() = exType and // Detect the case that a subclass exception is thrown but its parent class is declared in the catch clause.
    not exists(
-      ThrowStmt ts, ClassInstanceExpr cie // Catch and rethrow an exception without processing, e.g. catch (UnknownHostException uhex) {throw new IOException(uhex);}
+      ThrowStmt ts, ClassInstanceExpr cie // Catch and rethrow an exception without processing
    |
      ts.getEnclosingStmt() = cc.getBlock() and
-      ts.getExpr() = cie and
-      cie.getArgument(0) = v.getAnAccess()
+      (
+        ts.getExpr() = cie and
+        cie.getAnArgument() = v.getAnAccess() // catch (UnknownHostException uhex) {throw new IOException(uhex);}
+        or
+        exists(MethodAccess ma |
+          ma.getMethod().getName() in ["initCause", "addSuppressed"] and
+          ma.getAnArgument() = v.getAnAccess() and
+          (
+            ma.getQualifier().(VarAccess).getVariable().getAnAssignedValue() = cie and
+            ts.getExpr() = ma.getQualifier().(VarAccess).getVariable().getAnAccess() // e.g. IOException ioException = new IOException(); ioException.initCause(e); throw ioException;
+          )
+          or
+          ma.getQualifier() = cie and
+          ts.getExpr() = ma // e.g. throw new IOException().initCause(uhex);
+        )
+      )
    )
  )
 }
--- a/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.expected
@@ -1,9 +1,15 @@
 edges
+| UncaughtServletException2.java:14:16:14:44 | getParameter(...) : String | UncaughtServletException2.java:15:45:15:46 | ip |
+| UncaughtServletException2.java:26:16:26:44 | getParameter(...) : String | UncaughtServletException2.java:27:45:27:46 | ip |
 | UncaughtServletException.java:13:15:13:43 | getParameter(...) : String | UncaughtServletException.java:14:44:14:45 | ip |
 | UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) : String | UncaughtServletException.java:17:20:17:25 | userId |
 | UncaughtServletException.java:54:16:54:44 | getParameter(...) : String | UncaughtServletException.java:55:45:55:46 | ip |
 | UncaughtServletException.java:74:21:74:43 | getRemoteUser(...) : String | UncaughtServletException.java:75:22:75:27 | userId |
 nodes
+| UncaughtServletException2.java:14:16:14:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UncaughtServletException2.java:15:45:15:46 | ip | semmle.label | ip |
+| UncaughtServletException2.java:26:16:26:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UncaughtServletException2.java:27:45:27:46 | ip | semmle.label | ip |
 | UncaughtServletException.java:13:15:13:43 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | UncaughtServletException.java:14:44:14:45 | ip | semmle.label | ip |
 | UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) : String | semmle.label | getRemoteUser(...) : String |
@@ -13,6 +19,8 @@ nodes
 | UncaughtServletException.java:74:21:74:43 | getRemoteUser(...) : String | semmle.label | getRemoteUser(...) : String |
 | UncaughtServletException.java:75:22:75:27 | userId | semmle.label | userId |
 #select
+| UncaughtServletException2.java:15:45:15:46 | ip | UncaughtServletException2.java:14:16:14:44 | getParameter(...) : String | UncaughtServletException2.java:15:45:15:46 | ip | $@ flows to here and can throw uncaught exception. | UncaughtServletException2.java:14:16:14:44 | getParameter(...) | User-provided value |
+| UncaughtServletException2.java:27:45:27:46 | ip | UncaughtServletException2.java:26:16:26:44 | getParameter(...) : String | UncaughtServletException2.java:27:45:27:46 | ip | $@ flows to here and can throw uncaught exception. | UncaughtServletException2.java:26:16:26:44 | getParameter(...) | User-provided value |
 | UncaughtServletException.java:14:44:14:45 | ip | UncaughtServletException.java:13:15:13:43 | getParameter(...) : String | UncaughtServletException.java:14:44:14:45 | ip | $@ flows to here and can throw uncaught exception. | UncaughtServletException.java:13:15:13:43 | getParameter(...) | User-provided value |
 | UncaughtServletException.java:17:20:17:25 | userId | UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) : String | UncaughtServletException.java:17:20:17:25 | userId | $@ flows to here and can throw uncaught exception. | UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) | User-provided value |
 | UncaughtServletException.java:55:45:55:46 | ip | UncaughtServletException.java:54:16:54:44 | getParameter(...) : String | UncaughtServletException.java:55:45:55:46 | ip | $@ flows to here and can throw uncaught exception. | UncaughtServletException.java:54:16:54:44 | getParameter(...) | User-provided value |
--- a/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException2.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException2.java
@@ -0,0 +1,33 @@
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.ServletException;
+
+class UncaughtServletException2 extends HttpServlet {
+	// BAD - Tests rethrowing caught exceptions with stack trace using an exception variable.
+	public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		try {
+			String ip = request.getParameter("srcIP");
+			InetAddress addr = InetAddress.getByName(ip);
+		} catch (UnknownHostException uhex) {
+			IOException ioException = new IOException();
+			ioException.initCause(uhex);
+			throw ioException;
+		}
+	}
+
+	// BAD - Tests rethrowing caught exceptions with stack trace using class instance directly.
+	public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		try {
+			String ip = request.getParameter("srcIP");
+			InetAddress addr = InetAddress.getByName(ip);
+		} catch (UnknownHostException uhex) {
+			throw new IOException().initCause(uhex);
+		}
+	}
+}
+