Refactor CWE-129 queries

Ed Minnix
2023-03-15 16:42:04 -04:00
parent ae57807359
commit 73a17536f5
6 changed files with 70 additions and 51 deletions


@@ -13,25 +13,28 @@
import java
import ArraySizing
import semmle.code.java.dataflow.FlowSources
import DataFlow::PathGraph
class Conf extends TaintTracking::Configuration {
Conf() { this = "RemoteUserInputTocanThrowOutOfBoundsDueToEmptyArrayConfig" }
private module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
}
}
module ImproperValidationOfArrayConstructionFlow =
TaintTracking::Make<ImproperValidationOfArrayConstructionConfig>;
import ImproperValidationOfArrayConstructionFlow::PathGraph
from
DataFlow::PathNode source, DataFlow::PathNode sink, Expr sizeExpr,
ImproperValidationOfArrayConstructionFlow::PathNode source,
ImproperValidationOfArrayConstructionFlow::PathNode sink, Expr sizeExpr,
ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess
where
arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sizeExpr, arrayCreation) and
sizeExpr = sink.getNode().asExpr() and
any(Conf conf).hasFlowPath(source, sink)
ImproperValidationOfArrayConstructionFlow::hasFlowPath(source, sink)
select arrayAccess.getIndexExpr(), source, sink,
"This accesses the $@, but the array is initialized using a $@ which may be zero.", arrayCreation,
"array", source.getNode(), "user-provided value"
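Review bot: The new `ImproperValidationOfArrayConstructionConfig` module, and the `ImproperValidationOfArrayConstructionFlow` module built from it, carry no QLDoc, so a reader has to reconstruct the source/sink contract from the predicate bodies; the removed `Conf` class at least named the flow in its identifier string. A one-line QLDoc above the `private module` line would restore that, e.g. `/** Taint tracking from remote user input to the size expression of an array creation whose elements are later accessed; the size may be zero. */`. The same gap exists in the config modules of the other five files in this commit (`BoundedFlowSourceConf`, `ImproperValidationOfArrayConstructionLocalConfig`, `ImproperValidationOfArrayIndexConfig`, `BoundedFlowSourceConfig`, `ImproperValidationOfArrayIndexLocalConfig`).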


@@ -13,30 +13,33 @@
import java
import ArraySizing
import DataFlow::PathGraph
import semmle.code.java.dataflow.TaintTracking
class BoundedFlowSourceConf extends DataFlow::Configuration {
BoundedFlowSourceConf() { this = "BoundedFlowSource" }
override predicate isSource(DataFlow::Node source) {
private module BoundedFlowSourceConf implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof BoundedFlowSource and
// There is not a fixed lower bound which is greater than zero.
not source.(BoundedFlowSource).lowerBound() > 0
}
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
}
}
module BoundedFlowSourceFlow = DataFlow::Make<BoundedFlowSourceConf>;
import BoundedFlowSourceFlow::PathGraph
from
DataFlow::PathNode source, DataFlow::PathNode sink, BoundedFlowSource boundedsource,
Expr sizeExpr, ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess
BoundedFlowSourceFlow::PathNode source, BoundedFlowSourceFlow::PathNode sink,
BoundedFlowSource boundedsource, Expr sizeExpr, ArrayCreationExpr arrayCreation,
CheckableArrayAccess arrayAccess
where
arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sizeExpr, arrayCreation) and
sizeExpr = sink.getNode().asExpr() and
boundedsource = source.getNode() and
any(BoundedFlowSourceConf conf).hasFlowPath(source, sink)
BoundedFlowSourceFlow::hasFlowPath(source, sink)
select arrayAccess.getIndexExpr(), source, sink,
"This accesses the $@, but the array is initialized using $@ which may be zero.", arrayCreation,
"array", boundedsource, boundedsource.getDescription().toLowerCase()
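Review bot: The module introduced on the `private module` line is named `BoundedFlowSourceConf`, keeping the old class's `Conf` suffix, while the bounded-source index query in this same commit names its module `BoundedFlowSourceConfig` and the other four configs also end in `Config`; the two bounded-source queries should agree. I would rename it here: `private module BoundedFlowSourceConfig implements DataFlow::ConfigSig {` and `module BoundedFlowSourceFlow = DataFlow::Make<BoundedFlowSourceConfig>;`. Those are the only two references to the name in the hunk.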


@@ -14,25 +14,28 @@
import java
import ArraySizing
import semmle.code.java.dataflow.FlowSources
import DataFlow::PathGraph
class Conf extends TaintTracking::Configuration {
Conf() { this = "LocalUserInputTocanThrowOutOfBoundsDueToEmptyArrayConfig" }
private module ImproperValidationOfArrayConstructionLocalConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
}
}
module ImproperValidationOfArrayConstructionLocalFlow =
TaintTracking::Make<ImproperValidationOfArrayConstructionLocalConfig>;
import ImproperValidationOfArrayConstructionLocalFlow::PathGraph
from
DataFlow::PathNode source, DataFlow::PathNode sink, Expr sizeExpr,
ImproperValidationOfArrayConstructionLocalFlow::PathNode source,
ImproperValidationOfArrayConstructionLocalFlow::PathNode sink, Expr sizeExpr,
ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess
where
arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sizeExpr, arrayCreation) and
sizeExpr = sink.getNode().asExpr() and
any(Conf conf).hasFlowPath(source, sink)
ImproperValidationOfArrayConstructionLocalFlow::hasFlowPath(source, sink)
select arrayAccess.getIndexExpr(), source, sink,
"This accesses the $@, but the array is initialized using a $@ which may be zero.", arrayCreation,
"array", source.getNode(), "user-provided value"


@@ -13,24 +13,28 @@
import java
import ArraySizing
import semmle.code.java.dataflow.FlowSources
import DataFlow::PathGraph
class Conf extends TaintTracking::Configuration {
Conf() { this = "RemoteUserInputTocanThrowOutOfBoundsDueToEmptyArrayConfig" }
private module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
any(CheckableArrayAccess caa).canThrowOutOfBounds(sink.asExpr())
}
override predicate isSanitizer(DataFlow::Node node) { node.getType() instanceof BooleanType }
predicate isBarrier(DataFlow::Node node) { node.getType() instanceof BooleanType }
}
from DataFlow::PathNode source, DataFlow::PathNode sink, CheckableArrayAccess arrayAccess
module ImproperValidationOfArrayIndexFlow =
TaintTracking::Make<ImproperValidationOfArrayIndexConfig>;
import ImproperValidationOfArrayIndexFlow::PathGraph
from
ImproperValidationOfArrayIndexFlow::PathNode source,
ImproperValidationOfArrayIndexFlow::PathNode sink, CheckableArrayAccess arrayAccess
where
arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and
any(Conf conf).hasFlowPath(source, sink)
ImproperValidationOfArrayIndexFlow::hasFlowPath(source, sink)
select arrayAccess.getIndexExpr(), source, sink,
"This index depends on a $@ which can cause an ArrayIndexOutOfBoundsException.", source.getNode(),
"user-provided value"
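Review bot: The new `isBarrier` predicate in `ImproperValidationOfArrayIndexConfig` cuts flow at every node whose type is `BooleanType` without saying why; the old `isSanitizer` line it replaces had no comment either, so the refactor is a good moment to record the intent. I would add above it `// Boolean-typed values cannot be used as an array index; stop tracking once a value has become one.` — that reading is my inference from the sink, not something the page states, so it should be confirmed by whoever owns the query.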


@@ -14,25 +14,27 @@
import java
import ArraySizing
import BoundingChecks
import DataFlow::PathGraph
import semmle.code.java.dataflow.TaintTracking
class BoundedFlowSourceConf extends DataFlow::Configuration {
BoundedFlowSourceConf() { this = "BoundedFlowSource" }
private module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof BoundedFlowSource }
override predicate isSource(DataFlow::Node source) { source instanceof BoundedFlowSource }
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
exists(CheckableArrayAccess arrayAccess | arrayAccess.canThrowOutOfBounds(sink.asExpr()))
}
}
module BoundedFlowSourceFlow = DataFlow::Make<BoundedFlowSourceConfig>;
import BoundedFlowSourceFlow::PathGraph
from
DataFlow::PathNode source, DataFlow::PathNode sink, BoundedFlowSource boundedsource,
CheckableArrayAccess arrayAccess
BoundedFlowSourceFlow::PathNode source, BoundedFlowSourceFlow::PathNode sink,
BoundedFlowSource boundedsource, CheckableArrayAccess arrayAccess
where
arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and
boundedsource = source.getNode() and
any(BoundedFlowSourceConf conf).hasFlowPath(source, sink) and
BoundedFlowSourceFlow::hasFlowPath(source, sink) and
boundedsource != sink.getNode() and
not (
(
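Review bot: The `isSink` body of `BoundedFlowSourceConfig` spells the check as `exists(CheckableArrayAccess arrayAccess | arrayAccess.canThrowOutOfBounds(sink.asExpr()))`, whereas the remote and local index queries in this commit write the same check as `any(CheckableArrayAccess caa).canThrowOutOfBounds(sink.asExpr())`; the bound variable is used once, so the shorter form matches the siblings: `any(CheckableArrayAccess arrayAccess).canThrowOutOfBounds(sink.asExpr())`. This is a pre-existing style difference the refactor carries over rather than one it introduces. The query's `where` clause continues past the end of the hunk after `not (`.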


@@ -14,22 +14,26 @@
import java
import ArraySizing
import semmle.code.java.dataflow.FlowSources
import DataFlow::PathGraph
class Conf extends TaintTracking::Configuration {
Conf() { this = "LocalUserInputTocanThrowOutOfBoundsDueToEmptyArrayConfig" }
private module ImproperValidationOfArrayIndexLocalConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
any(CheckableArrayAccess caa).canThrowOutOfBounds(sink.asExpr())
}
}
from DataFlow::PathNode source, DataFlow::PathNode sink, CheckableArrayAccess arrayAccess
module ImproperValidationOfArrayIndexLocalFlow =
TaintTracking::Make<ImproperValidationOfArrayIndexLocalConfig>;
import ImproperValidationOfArrayIndexLocalFlow::PathGraph
from
ImproperValidationOfArrayIndexLocalFlow::PathNode source,
ImproperValidationOfArrayIndexLocalFlow::PathNode sink, CheckableArrayAccess arrayAccess
where
arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and
any(Conf conf).hasFlowPath(source, sink)
ImproperValidationOfArrayIndexLocalFlow::hasFlowPath(source, sink)
select arrayAccess.getIndexExpr(), source, sink,
"This index depends on a $@ which can cause an ArrayIndexOutOfBoundsException.", source.getNode(),
"user-provided value"
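Review bot: `ImproperValidationOfArrayIndexLocalConfig` defines no `isBarrier`, whereas its remote-input counterpart `ImproperValidationOfArrayIndexConfig` in this commit stops flow at every `BooleanType` node; if the local query is meant to share that sanitizer, add `predicate isBarrier(DataFlow::Node node) { node.getType() instanceof BooleanType }` after `isSink`. The removed `Conf` class here had no `isSanitizer` either, so the gap predates the refactor and may be deliberate; a short comment either way would settle it for the next reader.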