hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-20 22:44:52 +02:00
Code Issues Packages Projects Releases Wiki Activity

Use hasFlow where path is not needed

Browse Source
This commit is contained in:
edvraa
2021-04-15 15:16:38 +03:00
parent 1581a27d3d
commit 773556e5e0
2 changed files with 14 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql
View File

@@ -19,10 +19,10 @@ where
(
sink instanceof InstanceMethodSink and
not exists(
SafeConstructorTrackingConfig safeConstructorTracking, DataFlow::PathNode safeTypeUsage
SafeConstructorTrackingConfig safeConstructorTracking, DataFlow::Node safeTypeUsage
|
safeConstructorTracking.hasFlowPath(_, safeTypeUsage) and
safeTypeUsage.getNode().asExpr().getParent() = deserializeCall
safeConstructorTracking.hasFlow(_, safeTypeUsage) and
safeTypeUsage.asExpr().getParent() = deserializeCall
)
or
sink instanceof ConstructorOrStaticMethodSink

24
csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql
View File

@@ -33,30 +33,28 @@ where
// intersect with strong types, but user controlled or weak types deserialization usages
(
exists(
DataFlow::PathNode weakTypeCreation, DataFlow::PathNode weakTypeUsage,
DataFlow::Node weakTypeCreation, DataFlow::Node weakTypeUsage,
WeakTypeCreationToUsageTrackingConfig weakTypeDeserializerTracking
|
weakTypeDeserializerTracking.hasFlowPath(weakTypeCreation, weakTypeUsage) and
weakTypeUsage.getNode().asExpr().getParent() =
deserializeCallArg.getNode().asExpr().getParent()
weakTypeDeserializerTracking.hasFlow(weakTypeCreation, weakTypeUsage) and
weakTypeUsage.asExpr().getParent() = deserializeCallArg.getNode().asExpr().getParent()
)
or
exists(
TaintToObjectTypeTrackingConfig userControlledTypeTracking,
DataFlow::PathNode taintedTypeUsage, DataFlow::PathNode userInput2
TaintToObjectTypeTrackingConfig userControlledTypeTracking, DataFlow::Node taintedTypeUsage,
DataFlow::Node userInput2
|
userControlledTypeTracking.hasFlowPath(userInput2, taintedTypeUsage) and
taintedTypeUsage.getNode().asExpr().getParent() =
deserializeCallArg.getNode().asExpr().getParent()
userControlledTypeTracking.hasFlow(userInput2, taintedTypeUsage) and
taintedTypeUsage.asExpr().getParent() = deserializeCallArg.getNode().asExpr().getParent()
)
) and
// exclude deserialization flows with safe instances (i.e. JavaScriptSerializer without resolver)
not exists(
SafeConstructorTrackingConfig safeConstructorTracking, DataFlow::PathNode safeCreation,
DataFlow::PathNode safeTypeUsage
SafeConstructorTrackingConfig safeConstructorTracking, DataFlow::Node safeCreation,
DataFlow::Node safeTypeUsage
|
safeConstructorTracking.hasFlowPath(safeCreation, safeTypeUsage) and
safeTypeUsage.getNode().asExpr().getParent() = deserializeCallArg.getNode().asExpr().getParent()
safeConstructorTracking.hasFlow(safeCreation, safeTypeUsage) and
safeTypeUsage.asExpr().getParent() = deserializeCallArg.getNode().asExpr().getParent()
)
or
// no type check needed - straightforward taint -> sink