Merge branch 'main' into fix/thread-resource-arithmetic

2026-04-26 01:05:15 +02:00 · 2023-10-10 09:38:16 -07:00
parent 80c8259e34 f1266a3e81
commit 7a4382fb69
392 changed files with 12506 additions and 5953 deletions
--- a/java/ql/src/Telemetry/ExternalApi.qll
+++ b/java/ql/src/Telemetry/ExternalApi.qll
@@ -90,9 +90,6 @@ class ExternalApi extends Callable {
  }
 }

-/** DEPRECATED: Alias for ExternalApi */
-deprecated class ExternalAPI = ExternalApi;
-
 /**
 * Gets the limit for the number of results produced by a telemetry query.
 */
--- a/java/ql/src/change-notes/2023-10-06-threat-models.md
+++ b/java/ql/src/change-notes/2023-10-06-threat-models.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Most data flow queries that track flow from *remote* flow sources now use the current *threat model* configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is *remote* flow sources) unless the threat model configuration is changed.
--- a/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
@@ -43,7 +43,7 @@ class Log4jInjectionSanitizer extends DataFlow::Node {
 * A taint-tracking configuration for tracking untrusted user input used in log entries.
 */
 module Log4jInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof Log4jInjectionSink }

--- a/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql
@@ -33,7 +33,7 @@ class UrlConstructor extends ClassInstanceExpr {
 }

 module RemoteUrlToOpenStreamFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) {
    exists(MethodAccess m |
--- a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
@@ -48,7 +48,7 @@ class NormalizedPathNode extends DataFlow::Node {
 }

 module InjectFilePathConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) {
    sinkNode(sink, "path-injection") and
--- a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql
@@ -14,7 +14,7 @@
 import CommandInjectionRuntimeExec
 import ExecUserFlow::PathGraph

-class RemoteSource extends Source instanceof RemoteFlowSource { }
+class ThreatModelSource extends Source instanceof ThreatModelFlowSource { }

 from
  ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd,
--- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
@@ -20,7 +20,7 @@ import semmle.code.java.dataflow.TaintTracking
 import MyBatisAnnotationSqlInjectionFlow::PathGraph

 private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisAnnotatedMethodCallArgument }

--- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
@@ -20,7 +20,7 @@ import semmle.code.java.dataflow.FlowSources
 import MyBatisMapperXmlSqlInjectionFlow::PathGraph

 private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisMapperMethodCallAnArgument }

--- a/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql
@@ -18,7 +18,7 @@ import semmle.code.java.dataflow.TaintTracking
 import BeanShellInjectionFlow::PathGraph

 module BeanShellInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof BeanShellInjectionSink }

--- a/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql
@@ -18,7 +18,7 @@ import semmle.code.java.dataflow.TaintTracking
 import JShellInjectionFlow::PathGraph

 module JShellInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof JShellInjectionSink }

--- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
@@ -8,7 +8,7 @@ import semmle.code.java.dataflow.TaintTracking
 * that is used to construct and evaluate an expression.
 */
 module JakartaExpressionInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionEvaluationSink }

--- a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
@@ -99,17 +99,17 @@ class CodeInjectionSink extends DataFlow::ExprNode {
 }

 /**
- * A taint configuration for tracking flow from `RemoteFlowSource` to a Jython method call
+ * A taint configuration for tracking flow from `ThreatModelFlowSource` to a Jython method call
 * `CodeInjectionSink` that executes injected code.
 */
 module CodeInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
 }

 /**
- * Taint tracking flow from `RemoteFlowSource` to a Jython method call
+ * Taint tracking flow from `ThreatModelFlowSource` to a Jython method call
 * `CodeInjectionSink` that executes injected code.
 */
 module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;
--- a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
@@ -131,11 +131,11 @@ class ScriptInjectionSink extends DataFlow::ExprNode {
 }

 /**
- * A taint tracking configuration that tracks flow from `RemoteFlowSource` to an argument
+ * A taint tracking configuration that tracks flow from `ThreatModelFlowSource` to an argument
 * of a method call that executes injected script.
 */
 module ScriptInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof ScriptInjectionSink }
 }
--- a/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll
@@ -42,7 +42,7 @@ class PortletRenderRequestMethod extends Method {
 */
 module SpringViewManipulationConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource or
+    source instanceof ThreatModelFlowSource or
    source instanceof WebRequestSource or
    source.asExpr().(MethodAccess).getMethod() instanceof PortletRenderRequestMethod
  }
--- a/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql
@@ -19,7 +19,7 @@ import AndroidWebResourceResponse
 import InsecureWebResourceResponseFlow::PathGraph

 module InsecureWebResourceResponseConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof WebResourceResponseSink }

--- a/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll
@@ -148,7 +148,7 @@ private predicate updateMessageDigestStep(DataFlow2::Node fromNode, DataFlow2::N
 * such as cipher, MAC or signature.
 */
 private module UserInputInCryptoOperationConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) {
    exists(ProduceCryptoCall call | call.getQualifier() = sink.asExpr())
@@ -214,7 +214,7 @@ private class NonConstantTimeComparisonCall extends StaticMethodAccess {
 * that compare inputs using a non-constant-time algorithm.
 */
 private module UserInputInComparisonConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) {
    exists(NonConstantTimeEqualsCall call |
--- a/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
@@ -63,7 +63,7 @@ module CorsSourceReachesCheckConfig implements DataFlow::ConfigSig {
 module CorsSourceReachesCheckFlow = TaintTracking::Global<CorsSourceReachesCheckConfig>;

 private module CorsOriginConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) {
    exists(MethodAccess corsHeader, MethodAccess allowCredentialsHeader |
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -22,7 +22,7 @@ import RequestResponseFlow::PathGraph
 /** Taint-tracking configuration tracing flow from get method request sources to output jsonp data. */
 module RequestResponseFlowConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource and
+    source instanceof ThreatModelFlowSource and
    any(RequestGetMethod m).polyCalls*(source.getEnclosingCallable())
  }

--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -77,16 +77,16 @@ class JsonpBuilderExpr extends AddExpr {
  Expr getJsonExpr() { result = this.getLeftOperand().(AddExpr).getRightOperand() }
 }

-/** A data flow configuration tracing flow from remote sources to jsonp function name. */
-module RemoteFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+/** A data flow configuration tracing flow from threat model sources to jsonp function name. */
+module ThreatModelFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) {
    exists(JsonpBuilderExpr jhe | jhe.getFunctionName() = sink.asExpr())
  }
 }

-module RemoteFlow = DataFlow::Global<RemoteFlowConfig>;
+module ThreatModelFlow = DataFlow::Global<ThreatModelFlowConfig>;

 /** A data flow configuration tracing flow from json data into the argument `json` of JSONP-like string `someFunctionName + "(" + json + ")"`. */
 module JsonDataFlowConfig implements DataFlow::ConfigSig {
@@ -105,7 +105,7 @@ module JsonpInjectionFlowConfig implements DataFlow::ConfigSig {
    exists(JsonpBuilderExpr jhe |
      jhe = src.asExpr() and
      JsonDataFlow::flowTo(DataFlow::exprNode(jhe.getJsonExpr())) and
-      RemoteFlow::flowTo(DataFlow::exprNode(jhe.getFunctionName()))
+      ThreatModelFlow::flowTo(DataFlow::exprNode(jhe.getFunctionName()))
    )
  }

--- a/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
@@ -17,7 +17,7 @@ import ThreadResourceAbuseFlow::PathGraph

 /** Taint configuration of uncontrolled thread resource consumption. */
 module ThreadResourceAbuseConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof PauseThreadSink }

--- a/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql
@@ -32,7 +32,7 @@ private predicate equalsSanitizer(Guard g, Expr e, boolean branch) {
 }

 module UnsafeReflectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeReflectionSink }

--- a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql
@@ -21,7 +21,7 @@ import UnsafeUrlForwardFlow::PathGraph

 module UnsafeUrlForwardFlowConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource and
+    source instanceof ThreatModelFlowSource and
    not exists(MethodAccess ma, Method m | ma.getMethod() = m |
      (
        m instanceof HttpServletRequestGetRequestUriMethod or
--- a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql
@@ -65,9 +65,9 @@ class UncaughtServletExceptionSink extends DataFlow::ExprNode {
  }
 }

-/** Taint configuration of uncaught exceptions caused by user provided data from `RemoteFlowSource` */
+/** Taint configuration of uncaught exceptions caused by user provided data from `ThreatModelFlowSource` */
 module UncaughtServletExceptionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof UncaughtServletExceptionSink }
 }
--- a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
@@ -26,7 +26,7 @@ private predicate startsWithSanitizer(Guard g, Expr e, boolean branch) {
 }

 module SpringUrlRedirectFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof SpringUrlRedirectSink }

--- a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql
@@ -20,7 +20,7 @@ import XQueryInjectionFlow::PathGraph
 * A taint-tracking configuration tracing flow from remote sources, through an XQuery parser, to its eventual execution.
 */
 module XQueryInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) {
    sink.asExpr() = any(XQueryPreparedExecuteCall xpec).getPreparedExpression() or
--- a/java/ql/src/experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql
@@ -24,7 +24,7 @@ import NfeLocalDoSFlow::PathGraph
 */
 module NfeLocalDoSConfig implements DataFlow::ConfigSig {
  /** Holds if source is a remote flow source */
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  /** Holds if NFE is thrown but not caught */
  predicate isSink(DataFlow::Node sink) {