Merge branch 'main' into fix/thread-resource-arithmetic

Eric Bickle
2023-10-10 09:38:16 -07:00
committed by GitHub
392 changed files with 12506 additions and 5953 deletions


@@ -90,9 +90,6 @@ class ExternalApi extends Callable {
}
}
/** DEPRECATED: Alias for ExternalApi */
deprecated class ExternalAPI = ExternalApi;
/**
* Gets the limit for the number of results produced by a telemetry query.
*/


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Most data flow queries that track flow from *remote* flow sources now use the current *threat model* configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is *remote* flow sources) unless the threat model configuration is changed.


@@ -43,7 +43,7 @@ class Log4jInjectionSanitizer extends DataFlow::Node {
* A taint-tracking configuration for tracking untrusted user input used in log entries.
*/
module Log4jInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof Log4jInjectionSink }


@@ -33,7 +33,7 @@ class UrlConstructor extends ClassInstanceExpr {
}
module RemoteUrlToOpenStreamFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) {
exists(MethodAccess m |


@@ -48,7 +48,7 @@ class NormalizedPathNode extends DataFlow::Node {
}
module InjectFilePathConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) {
sinkNode(sink, "path-injection") and


@@ -14,7 +14,7 @@
import CommandInjectionRuntimeExec
import ExecUserFlow::PathGraph
class RemoteSource extends Source instanceof RemoteFlowSource { }
class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }
from
ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd,


@@ -20,7 +20,7 @@ import semmle.code.java.dataflow.TaintTracking
import MyBatisAnnotationSqlInjectionFlow::PathGraph
private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisAnnotatedMethodCallArgument }


@@ -20,7 +20,7 @@ import semmle.code.java.dataflow.FlowSources
import MyBatisMapperXmlSqlInjectionFlow::PathGraph
private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisMapperMethodCallAnArgument }


@@ -18,7 +18,7 @@ import semmle.code.java.dataflow.TaintTracking
import BeanShellInjectionFlow::PathGraph
module BeanShellInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof BeanShellInjectionSink }


@@ -18,7 +18,7 @@ import semmle.code.java.dataflow.TaintTracking
import JShellInjectionFlow::PathGraph
module JShellInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof JShellInjectionSink }


@@ -8,7 +8,7 @@ import semmle.code.java.dataflow.TaintTracking
* that is used to construct and evaluate an expression.
*/
module JakartaExpressionInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionEvaluationSink }


@@ -99,17 +99,17 @@ class CodeInjectionSink extends DataFlow::ExprNode {
}
/**
* A taint configuration for tracking flow from `RemoteFlowSource` to a Jython method call
* A taint configuration for tracking flow from `ThreatModelFlowSource` to a Jython method call
* `CodeInjectionSink` that executes injected code.
*/
module CodeInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
}
/**
* Taint tracking flow from `RemoteFlowSource` to a Jython method call
* Taint tracking flow from `ThreatModelFlowSource` to a Jython method call
* `CodeInjectionSink` that executes injected code.
*/
module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;


@@ -131,11 +131,11 @@ class ScriptInjectionSink extends DataFlow::ExprNode {
}
/**
* A taint tracking configuration that tracks flow from `RemoteFlowSource` to an argument
* A taint tracking configuration that tracks flow from `ThreatModelFlowSource` to an argument
* of a method call that executes injected script.
*/
module ScriptInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof ScriptInjectionSink }
}


@@ -42,7 +42,7 @@ class PortletRenderRequestMethod extends Method {
*/
module SpringViewManipulationConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof RemoteFlowSource or
source instanceof ThreatModelFlowSource or
source instanceof WebRequestSource or
source.asExpr().(MethodAccess).getMethod() instanceof PortletRenderRequestMethod
}


@@ -19,7 +19,7 @@ import AndroidWebResourceResponse
import InsecureWebResourceResponseFlow::PathGraph
module InsecureWebResourceResponseConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof WebResourceResponseSink }


@@ -148,7 +148,7 @@ private predicate updateMessageDigestStep(DataFlow2::Node fromNode, DataFlow2::N
* such as cipher, MAC or signature.
*/
private module UserInputInCryptoOperationConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) {
exists(ProduceCryptoCall call | call.getQualifier() = sink.asExpr())
@@ -214,7 +214,7 @@ private class NonConstantTimeComparisonCall extends StaticMethodAccess {
* that compare inputs using a non-constant-time algorithm.
*/
private module UserInputInComparisonConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) {
exists(NonConstantTimeEqualsCall call |


@@ -63,7 +63,7 @@ module CorsSourceReachesCheckConfig implements DataFlow::ConfigSig {
module CorsSourceReachesCheckFlow = TaintTracking::Global<CorsSourceReachesCheckConfig>;
private module CorsOriginConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) {
exists(MethodAccess corsHeader, MethodAccess allowCredentialsHeader |


@@ -22,7 +22,7 @@ import RequestResponseFlow::PathGraph
/** Taint-tracking configuration tracing flow from get method request sources to output jsonp data. */
module RequestResponseFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof RemoteFlowSource and
source instanceof ThreatModelFlowSource and
any(RequestGetMethod m).polyCalls*(source.getEnclosingCallable())
}


@@ -77,16 +77,16 @@ class JsonpBuilderExpr extends AddExpr {
Expr getJsonExpr() { result = this.getLeftOperand().(AddExpr).getRightOperand() }
}
/** A data flow configuration tracing flow from remote sources to jsonp function name. */
module RemoteFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
/** A data flow configuration tracing flow from threat model sources to jsonp function name. */
module ThreatModelFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) {
exists(JsonpBuilderExpr jhe | jhe.getFunctionName() = sink.asExpr())
}
}
module RemoteFlow = DataFlow::Global<RemoteFlowConfig>;
module ThreatModelFlow = DataFlow::Global<ThreatModelFlowConfig>;
/** A data flow configuration tracing flow from json data into the argument `json` of JSONP-like string `someFunctionName + "(" + json + ")"`. */
module JsonDataFlowConfig implements DataFlow::ConfigSig {
@@ -105,7 +105,7 @@ module JsonpInjectionFlowConfig implements DataFlow::ConfigSig {
exists(JsonpBuilderExpr jhe |
jhe = src.asExpr() and
JsonDataFlow::flowTo(DataFlow::exprNode(jhe.getJsonExpr())) and
RemoteFlow::flowTo(DataFlow::exprNode(jhe.getFunctionName()))
ThreatModelFlow::flowTo(DataFlow::exprNode(jhe.getFunctionName()))
)
}
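Review bot: Renaming the modules `RemoteFlowConfig` and `RemoteFlow` to `ThreatModelFlowConfig` and `ThreatModelFlow` changes the names this file exports, and the hunk updates only the in-file use inside JsonpInjectionFlowConfig. Whether any other query or library refers to the old names cannot be seen from this hunk; if this file is imported elsewhere, keeping `deprecated module RemoteFlow = ThreatModelFlow;` next to the new alias would preserve compatibility, the same alias pattern this commit uses for `deprecated class ExternalAPI = ExternalApi;` in another file. If the modules are private to the JSONP query, a one-line comment saying so would make the rename safe to review without that check.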


@@ -17,7 +17,7 @@ import ThreadResourceAbuseFlow::PathGraph
/** Taint configuration of uncontrolled thread resource consumption. */
module ThreadResourceAbuseConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof PauseThreadSink }


@@ -32,7 +32,7 @@ private predicate equalsSanitizer(Guard g, Expr e, boolean branch) {
}
module UnsafeReflectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeReflectionSink }


@@ -21,7 +21,7 @@ import UnsafeUrlForwardFlow::PathGraph
module UnsafeUrlForwardFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof RemoteFlowSource and
source instanceof ThreatModelFlowSource and
not exists(MethodAccess ma, Method m | ma.getMethod() = m |
(
m instanceof HttpServletRequestGetRequestUriMethod or


@@ -65,9 +65,9 @@ class UncaughtServletExceptionSink extends DataFlow::ExprNode {
}
}
/** Taint configuration of uncaught exceptions caused by user provided data from `RemoteFlowSource` */
/** Taint configuration of uncaught exceptions caused by user provided data from `ThreatModelFlowSource` */
module UncaughtServletExceptionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof UncaughtServletExceptionSink }
}


@@ -26,7 +26,7 @@ private predicate startsWithSanitizer(Guard g, Expr e, boolean branch) {
}
module SpringUrlRedirectFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof SpringUrlRedirectSink }


@@ -20,7 +20,7 @@ import XQueryInjectionFlow::PathGraph
* A taint-tracking configuration tracing flow from remote sources, through an XQuery parser, to its eventual execution.
*/
module XQueryInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) {
sink.asExpr() = any(XQueryPreparedExecuteCall xpec).getPreparedExpression() or
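Review bot: The doc comment at the top of this hunk still says the configuration is `tracing flow from remote sources`, while isSource now matches ThreatModelFlowSource, so the comment no longer states which sources the query actually consults; change it to `A taint-tracking configuration tracing flow from threat model sources, through an XQuery parser, to its eventual execution.` The isSource comment in the NfeLocalDoSConfig hunk has the same stale wording (`Holds if source is a remote flow source`) and should read `Holds if source is a threat model flow source`. The Jython CodeInjectionConfig, ScriptInjectionConfig, UncaughtServletExceptionConfig and JSONP hunks in this commit did update their comments, so these two look like omissions rather than intent. XQueryInjectionConfig's isSink body continues past the end of the hunk.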


@@ -24,7 +24,7 @@ import NfeLocalDoSFlow::PathGraph
*/
module NfeLocalDoSConfig implements DataFlow::ConfigSig {
/** Holds if source is a remote flow source */
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
/** Holds if NFE is thrown but not caught */
predicate isSink(DataFlow::Node sink) {