Add new sinks and taint steps

Tony Torralba
2021-12-16 13:42:58 +01:00
parent 3bc6247ad8
commit 7d70b77141


@@ -19,7 +19,7 @@ import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.ExternalFlow
import DataFlow::PathGraph
private class LoggingSinkModels extends SinkModelCsv {
private class Log4jLoggingSinkModels extends SinkModelCsv {
override predicate row(string row) {
row =
[
@@ -27,132 +27,138 @@ private class LoggingSinkModels extends SinkModelCsv {
"org.apache.logging.log4j;Logger;true;" +
["debug", "error", "fatal", "info", "trace", "warn"] +
[
";(CharSequence);;Argument[0];logging",
";(CharSequence,Throwable);;Argument[0];logging",
";(Marker,CharSequence);;Argument[1];logging",
";(Marker,CharSequence,Throwable);;Argument[1];logging",
";(Marker,Message);;Argument[1];logging",
";(Marker,MessageSupplier);;Argument[1];logging",
";(Marker,MessageSupplier);;Argument[1];logging",
";(Marker,MessageSupplier,Throwable);;Argument[1];logging",
";(Marker,Object);;Argument[1];logging",
";(Marker,Object,Throwable);;Argument[1];logging",
";(Marker,String);;Argument[1];logging",
";(Marker,String,Object[]);;Argument[1..2];logging",
";(Marker,String,Object);;Argument[1..2];logging",
";(Marker,String,Object,Object);;Argument[1..3];logging",
";(Marker,String,Object,Object,Object);;Argument[1..4];logging",
";(Marker,String,Object,Object,Object,Object);;Argument[1..5];logging",
";(Marker,String,Object,Object,Object,Object,Object);;Argument[1..6];logging",
";(Marker,String,Object,Object,Object,Object,Object,Object);;Argument[1..7];logging",
";(Marker,String,Object,Object,Object,Object,Object,Object,Object);;Argument[1..8];logging",
";(Marker,String,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[1..9];logging",
";(Marker,String,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[1..10];logging",
";(Marker,String,Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[1..11];logging",
";(Marker,String,Supplier);;Argument[1..2];logging",
";(Marker,String,Throwable);;Argument[1];logging",
";(Marker,Supplier);;Argument[1];logging",
";(Marker,Supplier,Throwable);;Argument[1];logging",
";(MessageSupplier);;Argument[0];logging",
";(MessageSupplier,Throwable);;Argument[0];logging", ";(Message);;Argument[0];logging",
";(Message,Throwable);;Argument[0];logging", ";(Object);;Argument[0];logging",
";(Object,Throwable);;Argument[0];logging", ";(String);;Argument[0];logging",
";(String,Object[]);;Argument[0..1];logging",
";(String,Object);;Argument[0..1];logging",
";(String,Object,Object);;Argument[0..2];logging",
";(String,Object,Object,Object);;Argument[0..3];logging",
";(String,Object,Object,Object,Object);;Argument[0..4];logging",
";(String,Object,Object,Object,Object,Object);;Argument[0..5];logging",
";(String,Object,Object,Object,Object,Object,Object);;Argument[0..6];logging",
";(String,Object,Object,Object,Object,Object,Object,Object);;Argument[0..7];logging",
";(String,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0..8];logging",
";(String,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0..9];logging",
";(String,Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0..10];logging",
";(String,Supplier);;Argument[0..1];logging",
";(String,Throwable);;Argument[0];logging", ";(Supplier);;Argument[0];logging",
";(Supplier,Throwable);;Argument[0];logging"
";(CharSequence);;Argument[0];log4j", ";(CharSequence,Throwable);;Argument[0];log4j",
";(Marker,CharSequence);;Argument[1];log4j",
";(Marker,CharSequence,Throwable);;Argument[1];log4j",
";(Marker,Message);;Argument[1];log4j", ";(Marker,MessageSupplier);;Argument[1];log4j",
";(Marker,MessageSupplier);;Argument[1];log4j",
";(Marker,MessageSupplier,Throwable);;Argument[1];log4j",
";(Marker,Object);;Argument[1];log4j", ";(Marker,Object,Throwable);;Argument[1];log4j",
";(Marker,String);;Argument[1];log4j",
";(Marker,String,Object[]);;Argument[1..2];log4j",
";(Marker,String,Object);;Argument[1..2];log4j",
";(Marker,String,Object,Object);;Argument[1..3];log4j",
";(Marker,String,Object,Object,Object);;Argument[1..4];log4j",
";(Marker,String,Object,Object,Object,Object);;Argument[1..5];log4j",
";(Marker,String,Object,Object,Object,Object,Object);;Argument[1..6];log4j",
";(Marker,String,Object,Object,Object,Object,Object,Object);;Argument[1..7];log4j",
";(Marker,String,Object,Object,Object,Object,Object,Object,Object);;Argument[1..8];log4j",
";(Marker,String,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[1..9];log4j",
";(Marker,String,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[1..10];log4j",
";(Marker,String,Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[1..11];log4j",
";(Marker,String,Supplier);;Argument[1..2];log4j",
";(Marker,String,Throwable);;Argument[1];log4j",
";(Marker,Supplier);;Argument[1];log4j",
";(Marker,Supplier,Throwable);;Argument[1];log4j",
";(MessageSupplier);;Argument[0];log4j",
";(MessageSupplier,Throwable);;Argument[0];log4j", ";(Message);;Argument[0];log4j",
";(Message,Throwable);;Argument[0];log4j", ";(Object);;Argument[0];log4j",
";(Object,Throwable);;Argument[0];log4j", ";(String);;Argument[0];log4j",
";(String,Object[]);;Argument[0..1];log4j", ";(String,Object);;Argument[0..1];log4j",
";(String,Object,Object);;Argument[0..2];log4j",
";(String,Object,Object,Object);;Argument[0..3];log4j",
";(String,Object,Object,Object,Object);;Argument[0..4];log4j",
";(String,Object,Object,Object,Object,Object);;Argument[0..5];log4j",
";(String,Object,Object,Object,Object,Object,Object);;Argument[0..6];log4j",
";(String,Object,Object,Object,Object,Object,Object,Object);;Argument[0..7];log4j",
";(String,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0..8];log4j",
";(String,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0..9];log4j",
";(String,Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0..10];log4j",
";(String,Supplier);;Argument[0..1];log4j", ";(String,Throwable);;Argument[0];log4j",
";(Supplier);;Argument[0];log4j", ";(Supplier,Throwable);;Argument[0];log4j"
],
"org.apache.logging.log4j;Logger;true;log" +
[
";(Level,CharSequence);;Argument[1];logging",
";(Level,CharSequence,Throwable);;Argument[1];logging",
";(Level,Marker,CharSequence);;Argument[2];logging",
";(Level,Marker,CharSequence,Throwable);;Argument[2];logging",
";(Level,Marker,Message);;Argument[2];logging",
";(Level,Marker,MessageSupplier);;Argument[2];logging",
";(Level,Marker,MessageSupplier);;Argument[2];logging",
";(Level,Marker,MessageSupplier,Throwable);;Argument[2];logging",
";(Level,Marker,Object);;Argument[2];logging",
";(Level,Marker,Object,Throwable);;Argument[2];logging",
";(Level,Marker,String);;Argument[2];logging",
";(Level,Marker,String,Object[]);;Argument[2..3];logging",
";(Level,Marker,String,Object);;Argument[2..3];logging",
";(Level,Marker,String,Object,Object);;Argument[2..4];logging",
";(Level,Marker,String,Object,Object,Object);;Argument[2..5];logging",
";(Level,Marker,String,Object,Object,Object,Object);;Argument[2..6];logging",
";(Level,Marker,String,Object,Object,Object,Object,Object);;Argument[2..7];logging",
";(Level,Marker,String,Object,Object,Object,Object,Object,Object);;Argument[2..8];logging",
";(Level,Marker,String,Object,Object,Object,Object,Object,Object,Object);;Argument[2..9];logging",
";(Level,Marker,String,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[2..10];logging",
";(Level,Marker,String,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[2..11];logging",
";(Level,Marker,String,Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[2..12];logging",
";(Level,Marker,String,Supplier);;Argument[2..3];logging",
";(Level,Marker,String,Throwable);;Argument[2];logging",
";(Level,Marker,Supplier);;Argument[2];logging",
";(Level,Marker,Supplier,Throwable);;Argument[2];logging",
";(Level,Message);;Argument[1];logging",
";(Level,MessageSupplier);;Argument[1];logging",
";(Level,MessageSupplier,Throwable);;Argument[1];logging",
";(Level,Message);;Argument[1];logging",
";(Level,Message,Throwable);;Argument[1];logging",
";(Level,Object);;Argument[1];logging", ";(Level,Object);;Argument[1];logging",
";(Level,String);;Argument[1];logging",
";(Level,Object,Throwable);;Argument[1];logging",
";(Level,String);;Argument[1];logging",
";(Level,String,Object[]);;Argument[1..2];logging",
";(Level,String,Object);;Argument[1..2];logging",
";(Level,String,Object,Object);;Argument[1..3];logging",
";(Level,String,Object,Object,Object);;Argument[1..4];logging",
";(Level,String,Object,Object,Object,Object);;Argument[1..5];logging",
";(Level,String,Object,Object,Object,Object,Object);;Argument[1..6];logging",
";(Level,String,Object,Object,Object,Object,Object,Object);;Argument[1..7];logging",
";(Level,String,Object,Object,Object,Object,Object,Object,Object);;Argument[1..8];logging",
";(Level,String,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[1..9];logging",
";(Level,String,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[1..10];logging",
";(Level,String,Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[1..11];logging",
";(Level,String,Supplier);;Argument[1..2];logging",
";(Level,String,Throwable);;Argument[1];logging",
";(Level,Supplier);;Argument[1];logging",
";(Level,Supplier,Throwable);;Argument[1];logging"
], "org.apache.logging.log4j;Logger;true;entry;(Object[]);;Argument[0];logging",
"org.apache.logging.log4j;Logger;true;logMessage;(Level,Marker,String,StackTraceElement,Message,Throwable);;Argument[4];logging",
"org.apache.logging.log4j;Logger;true;printf;(Level,Marker,String,Object[]);;Argument[2..3];logging",
"org.apache.logging.log4j;Logger;true;printf;(Level,String,Object[]);;Argument[1..2];logging",
";(Level,CharSequence);;Argument[1];log4j",
";(Level,CharSequence,Throwable);;Argument[1];log4j",
";(Level,Marker,CharSequence);;Argument[2];log4j",
";(Level,Marker,CharSequence,Throwable);;Argument[2];log4j",
";(Level,Marker,Message);;Argument[2];log4j",
";(Level,Marker,MessageSupplier);;Argument[2];log4j",
";(Level,Marker,MessageSupplier);;Argument[2];log4j",
";(Level,Marker,MessageSupplier,Throwable);;Argument[2];log4j",
";(Level,Marker,Object);;Argument[2];log4j",
";(Level,Marker,Object,Throwable);;Argument[2];log4j",
";(Level,Marker,String);;Argument[2];log4j",
";(Level,Marker,String,Object[]);;Argument[2..3];log4j",
";(Level,Marker,String,Object);;Argument[2..3];log4j",
";(Level,Marker,String,Object,Object);;Argument[2..4];log4j",
";(Level,Marker,String,Object,Object,Object);;Argument[2..5];log4j",
";(Level,Marker,String,Object,Object,Object,Object);;Argument[2..6];log4j",
";(Level,Marker,String,Object,Object,Object,Object,Object);;Argument[2..7];log4j",
";(Level,Marker,String,Object,Object,Object,Object,Object,Object);;Argument[2..8];log4j",
";(Level,Marker,String,Object,Object,Object,Object,Object,Object,Object);;Argument[2..9];log4j",
";(Level,Marker,String,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[2..10];log4j",
";(Level,Marker,String,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[2..11];log4j",
";(Level,Marker,String,Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[2..12];log4j",
";(Level,Marker,String,Supplier);;Argument[2..3];log4j",
";(Level,Marker,String,Throwable);;Argument[2];log4j",
";(Level,Marker,Supplier);;Argument[2];log4j",
";(Level,Marker,Supplier,Throwable);;Argument[2];log4j",
";(Level,Message);;Argument[1];log4j", ";(Level,MessageSupplier);;Argument[1];log4j",
";(Level,MessageSupplier,Throwable);;Argument[1];log4j",
";(Level,Message);;Argument[1];log4j", ";(Level,Message,Throwable);;Argument[1];log4j",
";(Level,Object);;Argument[1];log4j", ";(Level,Object);;Argument[1];log4j",
";(Level,String);;Argument[1];log4j", ";(Level,Object,Throwable);;Argument[1];log4j",
";(Level,String);;Argument[1];log4j", ";(Level,String,Object[]);;Argument[1..2];log4j",
";(Level,String,Object);;Argument[1..2];log4j",
";(Level,String,Object,Object);;Argument[1..3];log4j",
";(Level,String,Object,Object,Object);;Argument[1..4];log4j",
";(Level,String,Object,Object,Object,Object);;Argument[1..5];log4j",
";(Level,String,Object,Object,Object,Object,Object);;Argument[1..6];log4j",
";(Level,String,Object,Object,Object,Object,Object,Object);;Argument[1..7];log4j",
";(Level,String,Object,Object,Object,Object,Object,Object,Object);;Argument[1..8];log4j",
";(Level,String,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[1..9];log4j",
";(Level,String,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[1..10];log4j",
";(Level,String,Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[1..11];log4j",
";(Level,String,Supplier);;Argument[1..2];log4j",
";(Level,String,Throwable);;Argument[1];log4j", ";(Level,Supplier);;Argument[1];log4j",
";(Level,Supplier,Throwable);;Argument[1];log4j"
], "org.apache.logging.log4j;Logger;true;entry;(Object[]);;Argument[0];log4j",
"org.apache.logging.log4j;Logger;true;logMessage;(Level,Marker,String,StackTraceElement,Message,Throwable);;Argument[4];log4j",
"org.apache.logging.log4j;Logger;true;printf;(Level,Marker,String,Object[]);;Argument[2..3];log4j",
"org.apache.logging.log4j;Logger;true;printf;(Level,String,Object[]);;Argument[1..2];log4j",
// org.apache.logging.log4j.LogBuilder
"org.apache.logging.log4j;LogBuilder;true;log;(CharSequence);;Argument[0];logging",
"org.apache.logging.log4j;LogBuilder;true;log;(Message);;Argument[0];logging",
"org.apache.logging.log4j;LogBuilder;true;log;(Object);;Argument[0];logging",
"org.apache.logging.log4j;LogBuilder;true;log;(String);;Argument[0];logging",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object[]);;Argument[0..1];logging",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object);;Argument[0..1];logging",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object,Object);;Argument[0..2];logging",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object,Object,Object);;Argument[0..3];logging",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object,Object,Object,Object);;Argument[0..4];logging",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object,Object,Object,Object,Object);;Argument[0..5];logging",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object,Object,Object,Object,Object,Object);;Argument[0..6];logging",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object,Object,Object,Object,Object,Object,Object);;Argument[0..7];logging",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0..8];logging",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0..9];logging",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0..10];logging",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Supplier[]);;Argument[0..1];logging",
"org.apache.logging.log4j;LogBuilder;true;log;(Supplier);;Argument[0];logging"
"org.apache.logging.log4j;LogBuilder;true;log;(CharSequence);;Argument[0];log4j",
"org.apache.logging.log4j;LogBuilder;true;log;(Message);;Argument[0];log4j",
"org.apache.logging.log4j;LogBuilder;true;log;(Object);;Argument[0];log4j",
"org.apache.logging.log4j;LogBuilder;true;log;(String);;Argument[0];log4j",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object[]);;Argument[0..1];log4j",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object);;Argument[0..1];log4j",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object,Object);;Argument[0..2];log4j",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object,Object,Object);;Argument[0..3];log4j",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object,Object,Object,Object);;Argument[0..4];log4j",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object,Object,Object,Object,Object);;Argument[0..5];log4j",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object,Object,Object,Object,Object,Object);;Argument[0..6];log4j",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object,Object,Object,Object,Object,Object,Object);;Argument[0..7];log4j",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0..8];log4j",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0..9];log4j",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0..10];log4j",
"org.apache.logging.log4j;LogBuilder;true;log;(String,Supplier[]);;Argument[0..1];log4j",
"org.apache.logging.log4j;LogBuilder;true;log;(Supplier);;Argument[0];log4j",
// org.apache.logging.log4j.ThreadContet
"org.apache.logging.log4j;ThreadContext;false;put;;;Argument[1];log4j",
"org.apache.logging.log4j;ThreadContext;false;putIfNull;;;Argument[1];log4j",
"org.apache.logging.log4j;ThreadContext;false;putAll;;;Argument[0];log4j",
]
}
}
class Log4jInjectionSummaries extends SummaryModelCsv {
override predicate row(string row) {
row =
[
"org.apache.logging.log4j.message;MapMessage;true;with;;;Argument[1];Argument[-1];taint",
"org.apache.logging.log4j.message;MapMessage;true;with;;;Argument[-1];ReturnValue;value",
"org.apache.logging.log4j.message;MapMessage;true;put;;;Argument[1];Argument[-1];taint",
"org.apache.logging.log4j.message;MapMessage;true;putAll;;;MapValue of Argument[0];Argument[-1];taint",
]
}
}
/** A data flow sink for unvalidated user input that is used to log messages. */
class Log4jInjectionSink extends DataFlow::Node {
Log4jInjectionSink() { sinkNode(this, "logging") }
Log4jInjectionSink() { sinkNode(this, "log4j") }
}
/**
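Review bot: The three `ThreadContext` rows added at the end of the sink list are a different kind of sink from the `Logger` and `LogBuilder` rows above them, and nothing in the hunk says so: a value stored with `put`, `putIfNull` or `putAll` is only written out when the logging layout references context data, so findings on these rows presumably need a configuration check during triage. I would record that next to the rows, e.g. `// ThreadContext values reach the log output only when the layout references context data`, and fix the header typo to `// org.apache.logging.log4j.ThreadContext`. The new `Log4jInjectionSummaries` class is declared without `private` and without a doc comment, unlike `Log4jLoggingSinkModels`; `private class Log4jInjectionSummaries extends SummaryModelCsv` with a one-line QLDoc would match. Several rows are also listed twice on the new side (for example `;(Marker,MessageSupplier);;Argument[1];log4j` and `;(Level,Object);;Argument[1];log4j`), which is harmless but could be dropped while the kind is being renamed. The opening of the sink list sits between the two hunks and is not visible here.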