Merge pull request #17349 from erik-krogh/del-deps-sep-2024
All: delete outdated deprecations
@@ -6,7 +6,6 @@ private import java
|
||||
private import semmle.code.Location as Location
|
||||
private import semmle.code.java.dataflow.DataFlow
|
||||
private import semmle.code.java.dataflow.TaintTracking
|
||||
private import semmle.code.java.security.PathCreation
|
||||
private import semmle.code.java.dataflow.ExternalFlow as ExternalFlow
|
||||
private import semmle.code.java.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
|
||||
private import semmle.code.java.security.ExternalAPIs as ExternalAPIs
|
||||
|
||||
@@ -6,7 +6,6 @@ private import java
|
||||
private import semmle.code.Location as Location
|
||||
private import semmle.code.java.dataflow.DataFlow
|
||||
private import semmle.code.java.dataflow.TaintTracking
|
||||
private import semmle.code.java.security.PathCreation
|
||||
private import semmle.code.java.dataflow.ExternalFlow as ExternalFlow
|
||||
private import semmle.code.java.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
|
||||
private import semmle.code.java.security.ExternalAPIs as ExternalAPIs
|
||||
|
||||
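--- /dev/null
+++ b/java/ql/lib/change-notes/2024-09-03-outdated-deprecations.md
@@ -0,0 +1,11 @@
+---
+category: breaking
+---
+* Deleted the deprecated `ProcessBuilderConstructor`, `MethodProcessBuilderCommand`, and `MethodRuntimeExec` from `JDK.qll`.
+* Deleted the deprecated `explorationLimit` predicate from `DataFlow::Configuration`, use `FlowExploration<explorationLimit>` instead.
+* Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`.
+* Deleted the deprecated `getURI` predicate from `CamelJavaDslToDecl` and `SpringCamelXmlToElement`, use `getUri` instead.
+* Deleted the deprecated `ExecCallable` class from `ExternalProcess.qll`.
+* Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`.
+* Deleted the deprecated `PathCreation.qll` file.
+* Deleted the deprecated `WebviewDubuggingEnabledQuery.qll` file.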
@@ -210,39 +210,6 @@ class TypeFile extends Class {
|
||||
}
|
||||
|
||||
// --- Standard methods ---
|
||||
/**
|
||||
* DEPRECATED: Any constructor of class `java.lang.ProcessBuilder`.
|
||||
*/
|
||||
deprecated class ProcessBuilderConstructor extends Constructor, ExecCallable {
|
||||
ProcessBuilderConstructor() { this.getDeclaringType() instanceof TypeProcessBuilder }
|
||||
|
||||
override int getAnExecutedArgument() { result = 0 }
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Any of the methods named `command` on class `java.lang.ProcessBuilder`.
|
||||
*/
|
||||
deprecated class MethodProcessBuilderCommand extends Method, ExecCallable {
|
||||
MethodProcessBuilderCommand() {
|
||||
this.hasName("command") and
|
||||
this.getDeclaringType() instanceof TypeProcessBuilder
|
||||
}
|
||||
|
||||
override int getAnExecutedArgument() { result = 0 }
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Any method named `exec` on class `java.lang.Runtime`.
|
||||
*/
|
||||
deprecated class MethodRuntimeExec extends Method, ExecCallable {
|
||||
MethodRuntimeExec() {
|
||||
this.hasName("exec") and
|
||||
this.getDeclaringType() instanceof TypeRuntime
|
||||
}
|
||||
|
||||
override int getAnExecutedArgument() { result = 0 }
|
||||
}
|
||||
|
||||
/**
|
||||
* Any method named `getenv` on class `java.lang.System`.
|
||||
*/
|
||||
|
||||
@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
|
||||
*/
|
||||
predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
|
||||
*
|
||||
* Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
|
||||
* measured in approximate number of interprocedural steps.
|
||||
*/
|
||||
deprecated int explorationLimit() { none() }
|
||||
|
||||
/**
|
||||
* Holds if hidden nodes should be included in the data flow graph.
|
||||
*
|
||||
|
||||
@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
|
||||
*/
|
||||
predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
|
||||
*
|
||||
* Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
|
||||
* measured in approximate number of interprocedural steps.
|
||||
*/
|
||||
deprecated int explorationLimit() { none() }
|
||||
|
||||
/**
|
||||
* Holds if hidden nodes should be included in the data flow graph.
|
||||
*
|
||||
|
||||
@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
|
||||
*/
|
||||
predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
|
||||
*
|
||||
* Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
|
||||
* measured in approximate number of interprocedural steps.
|
||||
*/
|
||||
deprecated int explorationLimit() { none() }
|
||||
|
||||
/**
|
||||
* Holds if hidden nodes should be included in the data flow graph.
|
||||
*
|
||||
|
||||
@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
|
||||
*/
|
||||
predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
|
||||
*
|
||||
* Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
|
||||
* measured in approximate number of interprocedural steps.
|
||||
*/
|
||||
deprecated int explorationLimit() { none() }
|
||||
|
||||
/**
|
||||
* Holds if hidden nodes should be included in the data flow graph.
|
||||
*
|
||||
|
||||
@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
|
||||
*/
|
||||
predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
|
||||
*
|
||||
* Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
|
||||
* measured in approximate number of interprocedural steps.
|
||||
*/
|
||||
deprecated int explorationLimit() { none() }
|
||||
|
||||
/**
|
||||
* Holds if hidden nodes should be included in the data flow graph.
|
||||
*
|
||||
|
||||
@@ -168,14 +168,6 @@ abstract deprecated class Configuration extends string {
|
||||
*/
|
||||
predicate hasFlowToExpr(DataFlowExpr sink) { this.hasFlowTo(exprNode(sink)) }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `FlowExploration<explorationLimit>` instead.
|
||||
*
|
||||
* Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
|
||||
* measured in approximate number of interprocedural steps.
|
||||
*/
|
||||
deprecated int explorationLimit() { none() }
|
||||
|
||||
/**
|
||||
* Holds if hidden nodes should be included in the data flow graph.
|
||||
*
|
||||
|
||||
@@ -43,34 +43,6 @@ class JsonIoUseMapsSetter extends MethodCall {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `SafeJsonIoFlow` instead.
|
||||
*
|
||||
* A data flow configuration tracing flow from JsonIo safe settings.
|
||||
*/
|
||||
deprecated class SafeJsonIoConfig extends DataFlow2::Configuration {
|
||||
SafeJsonIoConfig() { this = "UnsafeDeserialization::SafeJsonIoConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) {
|
||||
exists(MethodCall ma |
|
||||
ma instanceof JsonIoUseMapsSetter and
|
||||
src.asExpr() = ma.getQualifier()
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodCall ma |
|
||||
ma.getMethod() instanceof JsonIoJsonToJavaMethod and
|
||||
sink.asExpr() = ma.getArgument(1)
|
||||
)
|
||||
or
|
||||
exists(ClassInstanceExpr cie |
|
||||
cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader and
|
||||
sink.asExpr() = cie.getArgument(1)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A data flow configuration tracing flow from JsonIo safe settings.
|
||||
*/
|
||||
|
||||
@@ -42,9 +42,6 @@ class CamelJavaDslToDecl extends ProcessorDefinitionElement {
|
||||
* Gets the URI specified by this `to` declaration.
|
||||
*/
|
||||
string getUri() { result = this.getArgument(0).(CompileTimeConstantExpr).getStringValue() }
|
||||
|
||||
/** DEPRECATED: Alias for getUri */
|
||||
deprecated string getURI() { result = this.getUri() }
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -97,9 +97,6 @@ class SpringCamelXmlToElement extends SpringCamelXmlRouteElement {
|
||||
* Gets the URI attribute for this `<to>` element.
|
||||
*/
|
||||
string getUri() { result = this.getAttribute("uri").getValue() }
|
||||
|
||||
/** DEPRECATED: Alias for getUri */
|
||||
deprecated string getURI() { result = this.getUri() }
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -7,27 +7,6 @@ import semmle.code.java.dataflow.TaintTracking
|
||||
deprecated import semmle.code.java.dataflow.TaintTracking3
|
||||
import semmle.code.java.security.AndroidIntentRedirection
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `IntentRedirectionFlow` instead.
|
||||
*
|
||||
* A taint tracking configuration for tainted Intents being used to start Android components.
|
||||
*/
|
||||
deprecated class IntentRedirectionConfiguration extends TaintTracking::Configuration {
|
||||
IntentRedirectionConfiguration() { this = "IntentRedirectionConfiguration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node sanitizer) {
|
||||
sanitizer instanceof IntentRedirectionSanitizer
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
any(IntentRedirectionAdditionalTaintStep c).step(node1, node2)
|
||||
}
|
||||
}
|
||||
|
||||
/** A taint tracking configuration for tainted Intents being used to start Android components. */
|
||||
module IntentRedirectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
|
||||
@@ -122,36 +122,6 @@ private predicate isStartActivityOrServiceSink(DataFlow::Node arg) {
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `SensitiveCommunicationFlow` instead.
|
||||
*
|
||||
* Taint configuration tracking flow from variables containing sensitive information to broadcast Intents.
|
||||
*/
|
||||
deprecated class SensitiveCommunicationConfig extends TaintTracking::Configuration {
|
||||
SensitiveCommunicationConfig() { this = "Sensitive Communication Configuration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
source.asExpr() instanceof SensitiveInfoExpr
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
isSensitiveBroadcastSink(sink)
|
||||
or
|
||||
isStartActivityOrServiceSink(sink)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if broadcast doesn't specify receiving package name of the 3rd party app
|
||||
*/
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof ExplicitIntentSanitizer }
|
||||
|
||||
override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
|
||||
super.allowImplicitRead(node, c)
|
||||
or
|
||||
this.isSink(node)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A sensitive communication sink node.
|
||||
*/
|
||||
|
||||
@@ -109,37 +109,3 @@ predicate execIsTainted(
|
||||
InputToArgumentToExecFlow::flowPath(source, sink) and
|
||||
argumentToExec(execArg, sink.getNode())
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `execIsTainted` instead.
|
||||
*
|
||||
* Implementation of `ExecTainted.ql`. It is extracted to a QLL
|
||||
* so that it can be excluded from `ExecUnescaped.ql` to avoid
|
||||
* reporting overlapping results.
|
||||
*/
|
||||
deprecated predicate execTainted(DataFlow::PathNode source, DataFlow::PathNode sink, Expr execArg) {
|
||||
exists(RemoteUserInputToArgumentToExecFlowConfig conf |
|
||||
conf.hasFlowPath(source, sink) and argumentToExec(execArg, sink.getNode())
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `RemoteUserInputToArgumentToExecFlow` instead.
|
||||
*
|
||||
* A taint-tracking configuration for unvalidated user input that is used to run an external process.
|
||||
*/
|
||||
deprecated class RemoteUserInputToArgumentToExecFlowConfig extends TaintTracking::Configuration {
|
||||
RemoteUserInputToArgumentToExecFlowConfig() {
|
||||
this = "ExecCommon::RemoteUserInputToArgumentToExecFlowConfig"
|
||||
}
|
||||
|
||||
override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof CommandInjectionSanitizer }
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
|
||||
any(CommandInjectionAdditionalTaintStep s).step(n1, n2)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -36,23 +36,6 @@ private predicate endsWithStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ConditionalBypassFlow` instead.
|
||||
*
|
||||
* A taint tracking configuration for untrusted data flowing to sensitive conditions.
|
||||
*/
|
||||
deprecated class ConditionalBypassFlowConfig extends TaintTracking::Configuration {
|
||||
ConditionalBypassFlowConfig() { this = "ConditionalBypassFlowConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { conditionControlsMethod(_, sink.asExpr()) }
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
endsWithStep(node1, node2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for untrusted data flowing to sensitive conditions.
|
||||
*/
|
||||
|
||||
@@ -92,19 +92,6 @@ class ExternalApiDataNode extends DataFlow::Node {
|
||||
string getMethodDescription() { result = this.getMethod().getQualifiedName() }
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `UntrustedDataToExternalApiFlow` instead.
|
||||
*
|
||||
* A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s.
|
||||
*/
|
||||
deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
|
||||
UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
|
||||
}
|
||||
|
||||
/**
|
||||
* Taint tracking configuration for flow from `ThreatModelFlowSource`s to `ExternalApiDataNode`s.
|
||||
*/
|
||||
|
||||
@@ -4,16 +4,6 @@ import semmle.code.java.Member
|
||||
private import semmle.code.java.dataflow.DataFlow
|
||||
private import semmle.code.java.security.CommandLineQuery
|
||||
|
||||
/**
|
||||
* DEPRECATED: A callable that executes a command.
|
||||
*/
|
||||
abstract deprecated class ExecCallable extends Callable {
|
||||
/**
|
||||
* Gets the index of an argument that will be part of the command that is executed.
|
||||
*/
|
||||
abstract int getAnExecutedArgument();
|
||||
}
|
||||
|
||||
/**
|
||||
* An expression used as an argument to a call that executes an external command. For calls to
|
||||
* varargs method calls, this only includes the first argument, which will be the command
|
||||
|
||||
@@ -5,24 +5,6 @@ import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.security.FragmentInjection
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `FragmentInjectionFlow` instead.
|
||||
*
|
||||
* A taint-tracking configuration for unsafe user input
|
||||
* that is used to create Android fragments dynamically.
|
||||
*/
|
||||
deprecated class FragmentInjectionTaintConf extends TaintTracking::Configuration {
|
||||
FragmentInjectionTaintConf() { this = "FragmentInjectionTaintConf" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof FragmentInjectionSink }
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
|
||||
any(FragmentInjectionAdditionalTaintStep c).step(n1, n2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for unsafe user input
|
||||
* that is used to create Android fragments dynamically.
|
||||
|
||||
@@ -5,24 +5,6 @@ import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.security.GroovyInjection
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `GroovyInjectionFlow` instead.
|
||||
*
|
||||
* A taint-tracking configuration for unsafe user input
|
||||
* that is used to evaluate a Groovy expression.
|
||||
*/
|
||||
deprecated class GroovyInjectionConfig extends TaintTracking::Configuration {
|
||||
GroovyInjectionConfig() { this = "GroovyInjectionConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof GroovyInjectionSink }
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
|
||||
any(GroovyInjectionAdditionalTaintStep c).step(fromNode, toNode)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for unsafe user input
|
||||
* that is used to evaluate a Groovy expression.
|
||||
|
||||
@@ -6,55 +6,6 @@ import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
import HardcodedCredentials
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `HardcodedCredentialApiCallFlow` instead.
|
||||
*
|
||||
* A data-flow configuration that tracks flow from a hard-coded credential in a call to a sensitive Java API which may compromise security.
|
||||
*/
|
||||
deprecated class HardcodedCredentialApiCallConfiguration extends DataFlow::Configuration {
|
||||
HardcodedCredentialApiCallConfiguration() { this = "HardcodedCredentialApiCallConfiguration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node n) {
|
||||
n.asExpr() instanceof HardcodedExpr and
|
||||
not n.asExpr().getEnclosingCallable() instanceof ToStringMethod
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsApiSink }
|
||||
|
||||
override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
node1.asExpr().getType() instanceof TypeString and
|
||||
(
|
||||
exists(MethodCall ma | ma.getMethod().hasName(["getBytes", "toCharArray"]) |
|
||||
node2.asExpr() = ma and
|
||||
ma.getQualifier() = node1.asExpr()
|
||||
)
|
||||
or
|
||||
// These base64 routines are usually taint propagators, and this is not a general
|
||||
// TaintTracking::Configuration, so we must specifically include them here
|
||||
// as a common transform applied to a constant before passing to a remote API.
|
||||
exists(MethodCall ma |
|
||||
ma.getMethod()
|
||||
.hasQualifiedName([
|
||||
"java.util", "cn.hutool.core.codec", "org.apache.shiro.codec",
|
||||
"apache.commons.codec.binary", "org.springframework.util"
|
||||
], ["Base64$Encoder", "Base64$Decoder", "Base64", "Base64Utils"],
|
||||
[
|
||||
"encode", "encodeToString", "decode", "decodeBase64", "encodeBase64",
|
||||
"encodeBase64Chunked", "encodeBase64String", "encodeBase64URLSafe",
|
||||
"encodeBase64URLSafeString"
|
||||
])
|
||||
|
|
||||
node1.asExpr() = ma.getArgument(0) and
|
||||
node2.asExpr() = ma
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isBarrier(DataFlow::Node n) {
|
||||
n.asExpr().(MethodCall).getMethod() instanceof MethodSystemGetenv
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A data-flow configuration that tracks flow from a hard-coded credential in a call to a sensitive Java API which may compromise security.
|
||||
*/
|
||||
|
||||
@@ -8,22 +8,6 @@ deprecated import semmle.code.java.dataflow.DataFlow2
|
||||
private import semmle.code.java.dataflow.DataFlow2
|
||||
import HardcodedCredentials
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `HardcodedCredentialSourceCallFlow` instead.
|
||||
*
|
||||
* A data-flow configuration that tracks hardcoded expressions flowing to a parameter whose name suggests
|
||||
* it may be a credential, excluding those which flow on to other such insecure usage sites.
|
||||
*/
|
||||
deprecated class HardcodedCredentialSourceCallConfiguration extends DataFlow::Configuration {
|
||||
HardcodedCredentialSourceCallConfiguration() {
|
||||
this = "HardcodedCredentialSourceCallConfiguration"
|
||||
}
|
||||
|
||||
override predicate isSource(DataFlow::Node n) { n.asExpr() instanceof HardcodedExpr }
|
||||
|
||||
override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof FinalCredentialsSourceSink }
|
||||
}
|
||||
|
||||
/**
|
||||
* A data-flow configuration that tracks hardcoded expressions flowing to a parameter whose name suggests
|
||||
* it may be a credential, excluding those which flow on to other such insecure usage sites.
|
||||
@@ -40,22 +24,6 @@ module HardcodedCredentialSourceCallConfig implements DataFlow::ConfigSig {
|
||||
*/
|
||||
module HardcodedCredentialSourceCallFlow = DataFlow::Global<HardcodedCredentialSourceCallConfig>;
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `HardcodedCredentialParameterSourceCallFlow` instead.
|
||||
*
|
||||
* A data-flow configuration that tracks flow from an argument whose corresponding parameter name suggests
|
||||
* a credential, to an argument to a sensitive call.
|
||||
*/
|
||||
deprecated class HardcodedCredentialSourceCallConfiguration2 extends DataFlow2::Configuration {
|
||||
HardcodedCredentialSourceCallConfiguration2() {
|
||||
this = "HardcodedCredentialSourceCallConfiguration2"
|
||||
}
|
||||
|
||||
override predicate isSource(DataFlow::Node n) { n.asExpr() instanceof CredentialsSourceSink }
|
||||
|
||||
override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsSink }
|
||||
}
|
||||
|
||||
/**
|
||||
* A data-flow configuration that tracks flow from an argument whose corresponding parameter name suggests
|
||||
* a credential, to an argument to a sensitive call.
|
||||
|
||||
@@ -6,27 +6,6 @@ import semmle.code.java.frameworks.Networking
|
||||
import semmle.code.java.security.HttpsUrls
|
||||
private import semmle.code.java.security.Sanitizers
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `HttpsStringToUrlOpenMethodFlow` instead.
|
||||
*
|
||||
* A taint tracking configuration for HTTP connections.
|
||||
*/
|
||||
deprecated class HttpStringToUrlOpenMethodFlowConfig extends TaintTracking::Configuration {
|
||||
HttpStringToUrlOpenMethodFlowConfig() { this = "HttpStringToUrlOpenMethodFlowConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof HttpStringLiteral }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof UrlOpenSink }
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
any(HttpUrlsAdditionalTaintStep c).step(node1, node2)
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for HTTP connections.
|
||||
*/
|
||||
|
||||
@@ -6,55 +6,6 @@ import semmle.code.java.frameworks.android.Intent
|
||||
import semmle.code.java.frameworks.android.PendingIntent
|
||||
import semmle.code.java.security.ImplicitPendingIntents
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ImplicitPendingIntentStartFlow` instead.
|
||||
*
|
||||
* A taint tracking configuration for implicit `PendingIntent`s
|
||||
* being wrapped in another implicit `Intent` that gets started.
|
||||
*/
|
||||
deprecated class ImplicitPendingIntentStartConf extends TaintTracking::Configuration {
|
||||
ImplicitPendingIntentStartConf() { this = "ImplicitPendingIntentStartConf" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
|
||||
source.(ImplicitPendingIntentSource).hasState(state)
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
|
||||
sink.(ImplicitPendingIntentSink).hasState(state)
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node sanitizer) {
|
||||
sanitizer instanceof ExplicitIntentSanitizer
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
any(ImplicitPendingIntentAdditionalTaintStep c).step(node1, node2)
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(
|
||||
DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
|
||||
DataFlow::FlowState state2
|
||||
) {
|
||||
any(ImplicitPendingIntentAdditionalTaintStep c).step(node1, state1, node2, state2)
|
||||
}
|
||||
|
||||
override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
|
||||
super.allowImplicitRead(node, c)
|
||||
or
|
||||
this.isSink(node, _) and
|
||||
allowIntentExtrasImplicitRead(node, c)
|
||||
or
|
||||
this.isAdditionalTaintStep(node, _) and
|
||||
c.(DataFlow::FieldContent).getType() instanceof PendingIntent
|
||||
or
|
||||
// Allow implicit reads of Intent arrays for steps like getActivities
|
||||
// or sinks like startActivities
|
||||
(this.isSink(node, _) or this.isAdditionalFlowStep(node, _, _, _)) and
|
||||
node.getType().(Array).getElementType() instanceof TypeIntent and
|
||||
c instanceof DataFlow::ArrayContent
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for implicit `PendingIntent`s
|
||||
* being wrapped in another implicit `Intent` that gets started.
|
||||
|
||||
@@ -5,24 +5,6 @@ import semmle.code.java.security.HttpsUrls
|
||||
import semmle.code.java.security.InsecureBasicAuth
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `InsecureBasicAuthFlow` instead.
|
||||
*
|
||||
* A taint tracking configuration for the Basic authentication scheme
|
||||
* being used in HTTP connections.
|
||||
*/
|
||||
deprecated class BasicAuthFlowConfig extends TaintTracking::Configuration {
|
||||
BasicAuthFlowConfig() { this = "InsecureBasicAuth::BasicAuthFlowConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) { src instanceof InsecureBasicAuthSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof InsecureBasicAuthSink }
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
any(HttpUrlsAdditionalTaintStep c).step(node1, node2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for the Basic authentication scheme
|
||||
* being used in HTTP connections.
|
||||
|
||||
@@ -4,28 +4,6 @@ import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.security.InsecureTrustManager
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `InsecureTrustManagerFlow` instead.
|
||||
*
|
||||
* A configuration to model the flow of an insecure `TrustManager`
|
||||
* to the initialization of an SSL context.
|
||||
*/
|
||||
deprecated class InsecureTrustManagerConfiguration extends DataFlow::Configuration {
|
||||
InsecureTrustManagerConfiguration() { this = "InsecureTrustManagerConfiguration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
source instanceof InsecureTrustManagerSource
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof InsecureTrustManagerSink }
|
||||
|
||||
override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
|
||||
(this.isSink(node) or this.isAdditionalFlowStep(node, _)) and
|
||||
node.getType() instanceof Array and
|
||||
c instanceof DataFlow::ArrayContent
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A configuration to model the flow of an insecure `TrustManager`
|
||||
* to the initialization of an SSL context.
|
||||
|
||||
@@ -3,23 +3,6 @@
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
import semmle.code.java.security.InsufficientKeySize
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `KeySizeFlow` instead.
|
||||
*
|
||||
* A data flow configuration for tracking key sizes used in cryptographic algorithms.
|
||||
*/
|
||||
deprecated class KeySizeConfiguration extends DataFlow::Configuration {
|
||||
KeySizeConfiguration() { this = "KeySizeConfiguration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
|
||||
exists(KeySizeState s | source.(InsufficientKeySizeSource).hasState(s) and state = s.toString())
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
|
||||
exists(KeySizeState s | sink.(InsufficientKeySizeSink).hasState(s) and state = s.toString())
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A data flow configuration for tracking key sizes used in cryptographic algorithms.
|
||||
*/
|
||||
|
||||
@@ -8,29 +8,6 @@ private import semmle.code.java.dataflow.FlowSources
|
||||
private import semmle.code.java.dataflow.DataFlow
|
||||
private import IntentUriPermissionManipulation
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `IntentUriPermissionManipulationFlow` instead.
|
||||
*
|
||||
* A taint tracking configuration for user-provided Intents being returned to third party apps.
|
||||
*/
|
||||
deprecated class IntentUriPermissionManipulationConf extends TaintTracking::Configuration {
|
||||
IntentUriPermissionManipulationConf() { this = "UriPermissionManipulationConf" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
sink instanceof IntentUriPermissionManipulationSink
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node barrier) {
|
||||
barrier instanceof IntentUriPermissionManipulationSanitizer
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
any(IntentUriPermissionManipulationAdditionalTaintStep c).step(node1, node2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for user-provided Intents being returned to third party apps.
|
||||
*/
|
||||
|
||||
@@ -38,25 +38,6 @@ private class DefaultJexlInjectionAdditionalTaintStep extends JexlInjectionAddit
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `JexlInjectionFlow` instead.
|
||||
*
|
||||
* A taint-tracking configuration for unsafe user input
|
||||
* that is used to construct and evaluate a JEXL expression.
|
||||
* It supports both JEXL 2 and 3.
|
||||
*/
|
||||
deprecated class JexlInjectionConfig extends TaintTracking::Configuration {
|
||||
JexlInjectionConfig() { this = "JexlInjectionConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
any(JexlInjectionAdditionalTaintStep c).step(node1, node2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for unsafe user input
|
||||
* that is used to construct and evaluate a JEXL expression.
|
||||
|
||||
@@ -7,28 +7,6 @@ import semmle.code.java.frameworks.SpringLdap
|
||||
import semmle.code.java.security.JndiInjection
|
||||
private import semmle.code.java.security.Sanitizers
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `JndiInjectionFlow` instead.
|
||||
*
|
||||
* A taint-tracking configuration for unvalidated user input that is used in JNDI lookup.
|
||||
*/
|
||||
deprecated class JndiInjectionFlowConfig extends TaintTracking::Configuration {
|
||||
JndiInjectionFlowConfig() { this = "JndiInjectionFlowConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
node instanceof SimpleTypeSanitizer or
|
||||
node instanceof JndiInjectionSanitizer
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
any(JndiInjectionAdditionalTaintStep c).step(node1, node2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for unvalidated user input that is used in JNDI lookup.
|
||||
*/
|
||||
|
||||
@@ -4,25 +4,6 @@ import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.security.LogInjection
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `LogInjectionFlow` instead.
|
||||
*
|
||||
* A taint-tracking configuration for tracking untrusted user input used in log entries.
|
||||
*/
|
||||
deprecated class LogInjectionConfiguration extends TaintTracking::Configuration {
|
||||
LogInjectionConfiguration() { this = "LogInjectionConfiguration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof LogInjectionSink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof LogInjectionSanitizer }
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
any(LogInjectionAdditionalTaintStep c).step(node1, node2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for tracking untrusted user input used in log entries.
|
||||
*/
|
||||
|
||||
@@ -4,26 +4,6 @@ import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
import semmle.code.java.security.JWT
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `MissingJwtSignatureCheckFlow` instead.
|
||||
*
|
||||
* Models flow from signing keys assignments to qualifiers of JWT insecure parsers.
|
||||
* This is used to determine whether a `JwtParser` performing unsafe parsing has a signing key set.
|
||||
*/
|
||||
deprecated class MissingJwtSignatureCheckConf extends DataFlow::Configuration {
|
||||
MissingJwtSignatureCheckConf() { this = "SigningToExprDataFlow" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
source instanceof JwtParserWithInsecureParseSource
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof JwtParserWithInsecureParseSink }
|
||||
|
||||
override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
any(JwtParserWithInsecureParseAdditionalFlowStep c).step(node1, node2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Models flow from signing keys assignments to qualifiers of JWT insecure parsers.
|
||||
* This is used to determine whether a `JwtParser` performing unsafe parsing has a signing key set.
|
||||
|
||||
@@ -5,28 +5,6 @@ import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.security.MvelInjection
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `MvelInjectionFlow` instead.
|
||||
*
|
||||
* A taint-tracking configuration for unsafe user input
|
||||
* that is used to construct and evaluate a MVEL expression.
|
||||
*/
|
||||
deprecated class MvelInjectionFlowConfig extends TaintTracking::Configuration {
|
||||
MvelInjectionFlowConfig() { this = "MvelInjectionFlowConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof MvelEvaluationSink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node sanitizer) {
|
||||
sanitizer instanceof MvelInjectionSanitizer
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
any(MvelInjectionAdditionalTaintStep c).step(node1, node2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for unsafe user input
|
||||
* that is used to construct and evaluate a MVEL expression.
|
||||
|
||||
@@ -5,27 +5,6 @@ import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.security.OgnlInjection
|
||||
private import semmle.code.java.security.Sanitizers
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `OgnlInjectionFlow` instead.
|
||||
*
|
||||
* A taint-tracking configuration for unvalidated user input that is used in OGNL EL evaluation.
|
||||
*/
|
||||
deprecated class OgnlInjectionFlowConfig extends TaintTracking::Configuration {
|
||||
OgnlInjectionFlowConfig() { this = "OgnlInjectionFlowConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
any(OgnlInjectionAdditionalTaintStep c).step(node1, node2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for unvalidated user input that is used in OGNL EL evaluation.
|
||||
*/
|
||||
|
||||
@@ -6,23 +6,6 @@ import semmle.code.java.dataflow.DataFlow
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `PartialPathTraversalFromRemoteFlow` instead.
|
||||
*
|
||||
* A taint-tracking configuration for unsafe user input
|
||||
* that is used to validate against path traversal, but is insufficient
|
||||
* and remains vulnerable to Partial Path Traversal.
|
||||
*/
|
||||
deprecated class PartialPathTraversalFromRemoteConfig extends TaintTracking::Configuration {
|
||||
PartialPathTraversalFromRemoteConfig() { this = "PartialPathTraversalFromRemoteConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node node) {
|
||||
any(PartialPathTraversalMethodCall ma).getQualifier() = node.asExpr()
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for unsafe user input
|
||||
* that is used to validate against path traversal, but is insufficient
|
||||
|
||||
@@ -1,143 +0,0 @@
|
||||
/**
|
||||
* DEPRECATED.
|
||||
*
|
||||
* Models the different ways to create paths. Either by using `java.io.File`-related APIs or `java.nio.file.Path`-related APIs.
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
/** DEPRECATED: Models the creation of a path. */
|
||||
abstract deprecated class PathCreation extends Expr {
|
||||
/**
|
||||
* Gets an input that is used in the creation of this path.
|
||||
* This excludes inputs of type `File` and `Path`.
|
||||
*/
|
||||
abstract Expr getAnInput();
|
||||
}
|
||||
|
||||
/** Models the `java.nio.file.Paths.get` method. */
|
||||
deprecated private class PathsGet extends PathCreation, MethodCall {
|
||||
PathsGet() {
|
||||
exists(Method m | m = this.getMethod() |
|
||||
m.getDeclaringType() instanceof TypePaths and
|
||||
m.getName() = "get"
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getAnInput() { result = this.getAnArgument() }
|
||||
}
|
||||
|
||||
/** Models the `java.nio.file.FileSystem.getPath` method. */
|
||||
deprecated private class FileSystemGetPath extends PathCreation, MethodCall {
|
||||
FileSystemGetPath() {
|
||||
exists(Method m | m = this.getMethod() |
|
||||
m.getDeclaringType() instanceof TypeFileSystem and
|
||||
m.getName() = "getPath"
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getAnInput() { result = this.getAnArgument() }
|
||||
}
|
||||
|
||||
/** Models the `new java.io.File(...)` constructor. */
|
||||
deprecated private class FileCreation extends PathCreation, ClassInstanceExpr {
|
||||
FileCreation() { this.getConstructedType() instanceof TypeFile }
|
||||
|
||||
override Expr getAnInput() {
|
||||
result = this.getAnArgument() and
|
||||
// Relevant arguments include those that are not a `File`.
|
||||
not result.getType() instanceof TypeFile
|
||||
}
|
||||
}
|
||||
|
||||
/** Models the `java.nio.file.Path.resolveSibling` method. */
|
||||
deprecated private class PathResolveSiblingCreation extends PathCreation, MethodCall {
|
||||
PathResolveSiblingCreation() {
|
||||
exists(Method m | m = this.getMethod() |
|
||||
m.getDeclaringType() instanceof TypePath and
|
||||
m.getName() = "resolveSibling"
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getAnInput() {
|
||||
result = this.getAnArgument() and
|
||||
// Relevant arguments are those of type `String`.
|
||||
result.getType() instanceof TypeString
|
||||
}
|
||||
}
|
||||
|
||||
/** Models the `java.nio.file.Path.resolve` method. */
|
||||
deprecated private class PathResolveCreation extends PathCreation, MethodCall {
|
||||
PathResolveCreation() {
|
||||
exists(Method m | m = this.getMethod() |
|
||||
m.getDeclaringType() instanceof TypePath and
|
||||
m.getName() = "resolve"
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getAnInput() {
|
||||
result = this.getAnArgument() and
|
||||
// Relevant arguments are those of type `String`.
|
||||
result.getType() instanceof TypeString
|
||||
}
|
||||
}
|
||||
|
||||
/** Models the `java.nio.file.Path.of` method. */
|
||||
deprecated private class PathOfCreation extends PathCreation, MethodCall {
|
||||
PathOfCreation() {
|
||||
exists(Method m | m = this.getMethod() |
|
||||
m.getDeclaringType() instanceof TypePath and
|
||||
m.getName() = "of"
|
||||
)
|
||||
}
|
||||
|
||||
override Expr getAnInput() { result = this.getAnArgument() }
|
||||
}
|
||||
|
||||
/** Models the `new java.io.FileWriter(...)` constructor. */
|
||||
deprecated private class FileWriterCreation extends PathCreation, ClassInstanceExpr {
|
||||
FileWriterCreation() { this.getConstructedType().hasQualifiedName("java.io", "FileWriter") }
|
||||
|
||||
override Expr getAnInput() {
|
||||
result = this.getAnArgument() and
|
||||
// Relevant arguments are those of type `String`.
|
||||
result.getType() instanceof TypeString
|
||||
}
|
||||
}
|
||||
|
||||
/** Models the `new java.io.FileReader(...)` constructor. */
|
||||
deprecated private class FileReaderCreation extends PathCreation, ClassInstanceExpr {
|
||||
FileReaderCreation() { this.getConstructedType().hasQualifiedName("java.io", "FileReader") }
|
||||
|
||||
override Expr getAnInput() {
|
||||
result = this.getAnArgument() and
|
||||
// Relevant arguments are those of type `String`.
|
||||
result.getType() instanceof TypeString
|
||||
}
|
||||
}
|
||||
|
||||
/** Models the `new java.io.FileInputStream(...)` constructor. */
|
||||
deprecated private class FileInputStreamCreation extends PathCreation, ClassInstanceExpr {
|
||||
FileInputStreamCreation() {
|
||||
this.getConstructedType().hasQualifiedName("java.io", "FileInputStream")
|
||||
}
|
||||
|
||||
override Expr getAnInput() {
|
||||
result = this.getAnArgument() and
|
||||
// Relevant arguments are those of type `String`.
|
||||
result.getType() instanceof TypeString
|
||||
}
|
||||
}
|
||||
|
||||
/** Models the `new java.io.FileOutputStream(...)` constructor. */
|
||||
deprecated private class FileOutputStreamCreation extends PathCreation, ClassInstanceExpr {
|
||||
FileOutputStreamCreation() {
|
||||
this.getConstructedType().hasQualifiedName("java.io", "FileOutputStream")
|
||||
}
|
||||
|
||||
override Expr getAnInput() {
|
||||
result = this.getAnArgument() and
|
||||
// Relevant arguments are those of type `String`.
|
||||
result.getType() instanceof TypeString
|
||||
}
|
||||
}
|
||||
@@ -7,31 +7,6 @@
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.security.RequestForgery
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `RequestForgeryConfiguration` module instead.
|
||||
*
|
||||
* A taint-tracking configuration characterising request-forgery risks.
|
||||
*/
|
||||
deprecated class RequestForgeryConfiguration extends TaintTracking::Configuration {
|
||||
RequestForgeryConfiguration() { this = "Server-Side Request Forgery" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
source instanceof RemoteFlowSource and
|
||||
// Exclude results of remote HTTP requests: fetching something else based on that result
|
||||
// is no worse than following a redirect returned by the remote server, and typically
|
||||
// we're requesting a resource via https which we trust to only send us to safe URLs.
|
||||
not source.asExpr().(MethodCall).getCallee() instanceof UrlConnectionGetInputStreamMethod
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
any(RequestForgeryAdditionalTaintStep r).propagatesTaint(pred, succ)
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof RequestForgerySanitizer }
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration characterising request-forgery risks.
|
||||
*/
|
||||
|
||||
@@ -4,28 +4,6 @@ import java
|
||||
import Encryption
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `RsaWithoutOaepFlow` instead.
|
||||
*
|
||||
* A configuration for finding RSA ciphers initialized without using OAEP padding.
|
||||
*/
|
||||
deprecated class RsaWithoutOaepConfig extends DataFlow::Configuration {
|
||||
RsaWithoutOaepConfig() { this = "RsaWithoutOaepConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) {
|
||||
exists(CompileTimeConstantExpr specExpr, string spec |
|
||||
specExpr.getStringValue() = spec and
|
||||
specExpr = src.asExpr() and
|
||||
spec.matches("RSA/%") and
|
||||
not spec.matches("%OAEP%")
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
exists(CryptoAlgoSpec cr | sink.asExpr() = cr.getAlgoSpec())
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A configuration for finding RSA ciphers initialized without using OAEP padding.
|
||||
*/
|
||||
|
||||
@@ -40,29 +40,6 @@ private class TypeType extends RefType {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `SensitiveLoggerConfiguration` module instead.
|
||||
*
|
||||
* A data-flow configuration for identifying potentially-sensitive data flowing to a log output.
|
||||
*/
|
||||
deprecated class SensitiveLoggerConfiguration extends TaintTracking::Configuration {
|
||||
SensitiveLoggerConfiguration() { this = "SensitiveLoggerConfiguration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof SensitiveLoggerSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "log-injection") }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node sanitizer) {
|
||||
sanitizer.asExpr() instanceof LiveLiteral or
|
||||
sanitizer.getType() instanceof PrimitiveType or
|
||||
sanitizer.getType() instanceof BoxedType or
|
||||
sanitizer.getType() instanceof NumberType or
|
||||
sanitizer.getType() instanceof TypeType
|
||||
}
|
||||
|
||||
override predicate isSanitizerIn(DataFlow::Node node) { this.isSource(node) }
|
||||
}
|
||||
|
||||
/** A data-flow configuration for identifying potentially-sensitive data flowing to a log output. */
|
||||
module SensitiveLoggerConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof SensitiveLoggerSource }
|
||||
|
||||
@@ -32,25 +32,6 @@ private predicate untrustedResultReceiverSend(DataFlow::Node src, ResultReceiver
|
||||
UntrustedResultReceiverFlow::flow(src, DataFlow::exprNode(call.getReceiver()))
|
||||
}
|
||||
|
||||
deprecated private class SensitiveResultReceiverConf extends TaintTracking::Configuration {
|
||||
SensitiveResultReceiverConf() { this = "SensitiveResultReceiverConf" }
|
||||
|
||||
override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
|
||||
|
||||
override predicate isSink(DataFlow::Node node) {
|
||||
exists(ResultReceiverSendCall call |
|
||||
untrustedResultReceiverSend(_, call) and
|
||||
node.asExpr() = call.getSentData()
|
||||
)
|
||||
}
|
||||
|
||||
override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
|
||||
super.allowImplicitRead(node, c)
|
||||
or
|
||||
this.isSink(node)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A sensitive result receiver sink node.
|
||||
*/
|
||||
@@ -74,21 +55,6 @@ private module SensitiveResultReceiverConfig implements DataFlow::ConfigSig {
|
||||
/** Taint tracking flow for sensitive expressions flowing to untrusted result receivers. */
|
||||
module SensitiveResultReceiverFlow = TaintTracking::Global<SensitiveResultReceiverConfig>;
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `isSensitiveResultReceiver` instead.
|
||||
*
|
||||
* Holds if there is a path from sensitive data at `src` to a result receiver at `sink`, and the receiver was obtained from an untrusted source `recSrc`.
|
||||
*/
|
||||
deprecated predicate sensitiveResultReceiver(
|
||||
DataFlow::PathNode src, DataFlow::PathNode sink, DataFlow::Node recSrc
|
||||
) {
|
||||
exists(ResultReceiverSendCall call |
|
||||
any(SensitiveResultReceiverConf c).hasFlowPath(src, sink) and
|
||||
sink.getNode().asExpr() = call.getSentData() and
|
||||
untrustedResultReceiverSend(recSrc, call)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if there is a path from sensitive data at `src` to a result receiver at `sink`, and the receiver was obtained from an untrusted source `recSrc`.
|
||||
*/
|
||||
|
||||
@@ -6,24 +6,6 @@ private import semmle.code.java.dataflow.TaintTracking
|
||||
private import semmle.code.java.frameworks.spring.SpringExpression
|
||||
private import semmle.code.java.security.SpelInjection
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `SpelInjectionFlow` instead.
|
||||
*
|
||||
* A taint-tracking configuration for unsafe user input
|
||||
* that is used to construct and evaluate a SpEL expression.
|
||||
*/
|
||||
deprecated class SpelInjectionConfig extends TaintTracking::Configuration {
|
||||
SpelInjectionConfig() { this = "SpelInjectionConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof SpelExpressionEvaluationSink }
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
any(SpelExpressionInjectionAdditionalTaintStep c).step(node1, node2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for unsafe user input
|
||||
* that is used to construct and evaluate a SpEL expression.
|
||||
|
||||
@@ -11,29 +11,6 @@ import semmle.code.java.dataflow.FlowSources
|
||||
private import semmle.code.java.security.Sanitizers
|
||||
import semmle.code.java.security.QueryInjection
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `QueryInjectionFlow` instead.
|
||||
*
|
||||
* A taint-tracking configuration for unvalidated user input that is used in SQL queries.
|
||||
*/
|
||||
deprecated class QueryInjectionFlowConfig extends TaintTracking::Configuration {
|
||||
QueryInjectionFlowConfig() { this = "SqlInjectionLib::QueryInjectionFlowConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
node.getType() instanceof PrimitiveType or
|
||||
node.getType() instanceof BoxedType or
|
||||
node.getType() instanceof NumberType
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
any(AdditionalQueryInjectionTaintStep s).step(node1, node2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for unvalidated user input that is used in SQL queries.
|
||||
*/
|
||||
@@ -52,16 +29,6 @@ module QueryInjectionFlowConfig implements DataFlow::ConfigSig {
|
||||
/** Tracks flow of unvalidated user input that is used in SQL queries. */
|
||||
module QueryInjectionFlow = TaintTracking::Global<QueryInjectionFlowConfig>;
|
||||
|
||||
/**
|
||||
* Implementation of `SqlTainted.ql`. This is extracted to a QLL so that it
|
||||
* can be excluded from `SqlConcatenated.ql` to avoid overlapping results.
|
||||
*/
|
||||
deprecated predicate queryTaintedBy(
|
||||
QueryInjectionSink query, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
) {
|
||||
any(QueryInjectionFlowConfig c).hasFlowPath(source, sink) and sink.getNode() = query
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of `SqlTainted.ql`. This is extracted to a QLL so that it
|
||||
* can be excluded from `SqlConcatenated.ql` to avoid overlapping results.
|
||||
|
||||
@@ -119,21 +119,6 @@ private class EncryptionInitializationSink extends DataFlow::Node {
|
||||
EncryptionInitializationSink() { sinkNode(this, "encryption-iv") }
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `StaticInitializationVectorFlow` instead.
|
||||
*
|
||||
* A config that tracks dataflow to initializing a cipher with a static initialization vector.
|
||||
*/
|
||||
deprecated class StaticInitializationVectorConfig extends TaintTracking::Configuration {
|
||||
StaticInitializationVectorConfig() { this = "StaticInitializationVectorConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
source instanceof StaticInitializationVectorSource
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof EncryptionInitializationSink }
|
||||
}
|
||||
|
||||
/**
|
||||
* A config that tracks dataflow to initializing a cipher with a static initialization vector.
|
||||
*/
|
||||
|
||||
@@ -5,42 +5,6 @@ import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.security.TemplateInjection
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `TemplateInjectionFlow` instead.
|
||||
*
|
||||
* A taint tracking configuration to reason about server-side template injection (SST) vulnerabilities
|
||||
*/
|
||||
deprecated class TemplateInjectionFlowConfig extends TaintTracking::Configuration {
|
||||
TemplateInjectionFlowConfig() { this = "TemplateInjectionFlowConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
|
||||
source.(TemplateInjectionSource).hasState(state)
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
|
||||
sink.(TemplateInjectionSink).hasState(state)
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node sanitizer) {
|
||||
sanitizer instanceof TemplateInjectionSanitizer
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node sanitizer, DataFlow::FlowState state) {
|
||||
sanitizer.(TemplateInjectionSanitizerWithState).hasState(state)
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
any(TemplateInjectionAdditionalTaintStep a).isAdditionalTaintStep(node1, node2)
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(
|
||||
DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
|
||||
DataFlow::FlowState state2
|
||||
) {
|
||||
any(TemplateInjectionAdditionalTaintStep a).isAdditionalTaintStep(node1, state1, node2, state2)
|
||||
}
|
||||
}
|
||||
|
||||
/** A taint tracking configuration to reason about server-side template injection (SST) vulnerabilities */
|
||||
module TemplateInjectionFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof TemplateInjectionSource }
|
||||
|
||||
@@ -6,23 +6,6 @@ import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.security.RequestForgery
|
||||
import semmle.code.java.security.UnsafeAndroidAccess
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `FetchUntrustedResourceFlow` instead.
|
||||
*
|
||||
* A taint configuration tracking flow from untrusted inputs to a resource fetching call.
|
||||
*/
|
||||
deprecated class FetchUntrustedResourceConfiguration extends TaintTracking::Configuration {
|
||||
FetchUntrustedResourceConfiguration() { this = "FetchUntrustedResourceConfiguration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof UrlResourceSink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node sanitizer) {
|
||||
sanitizer instanceof RequestForgerySanitizer
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint configuration tracking flow from untrusted inputs to a resource fetching call.
|
||||
*/
|
||||
|
||||
@@ -5,23 +5,6 @@ import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.security.UnsafeCertTrust
|
||||
import semmle.code.java.security.Encryption
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `SslEndpointIdentificationFlow` instead.
|
||||
*
|
||||
* A taint flow configuration for SSL connections created without a proper certificate trust configuration.
|
||||
*/
|
||||
deprecated class SslEndpointIdentificationFlowConfig extends TaintTracking::Configuration {
|
||||
SslEndpointIdentificationFlowConfig() { this = "SslEndpointIdentificationFlowConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof SslConnectionInit }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof SslConnectionCreation }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node sanitizer) {
|
||||
sanitizer instanceof SslUnsafeCertTrustSanitizer
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint flow configuration for SSL connections created without a proper certificate trust configuration.
|
||||
*/
|
||||
|
||||
@@ -5,27 +5,6 @@ import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.security.UnsafeContentUriResolution
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `UnsafeContentUriResolutionFlow` instead.
|
||||
*
|
||||
* A taint-tracking configuration to find paths from remote sources to content URI resolutions.
|
||||
*/
|
||||
deprecated class UnsafeContentResolutionConf extends TaintTracking::Configuration {
|
||||
UnsafeContentResolutionConf() { this = "UnsafeContentResolutionConf" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof ContentUriResolutionSink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node sanitizer) {
|
||||
sanitizer instanceof ContentUriResolutionSanitizer
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
any(ContentUriResolutionAdditionalTaintStep s).step(node1, node2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration to find paths from remote sources to content URI resolutions.
|
||||
*/
|
||||
|
||||
@@ -314,25 +314,6 @@ private predicate isUnsafeDeserializationTaintStep(DataFlow::Node pred, DataFlow
|
||||
intentFlowsToParcel(pred, succ)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `UnsafeDeserializationFlow` instead.
|
||||
*
|
||||
* Tracks flows from remote user input to a deserialization sink.
|
||||
*/
|
||||
deprecated class UnsafeDeserializationConfig extends TaintTracking::Configuration {
|
||||
UnsafeDeserializationConfig() { this = "UnsafeDeserializationConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink }
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
isUnsafeDeserializationTaintStep(pred, succ)
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { isUnsafeDeserializationSanitizer(node) }
|
||||
}
|
||||
|
||||
/** Tracks flows from remote user input to a deserialization sink. */
|
||||
private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
|
||||
@@ -428,30 +409,6 @@ private predicate isUnsafeTypeAdditionalTaintStep(DataFlow::Node fromNode, DataF
|
||||
intentFlowsToParcel(fromNode, toNode)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `UnsafeTypeFlow` instead.
|
||||
*
|
||||
* Tracks flow from a remote source to a type descriptor (e.g. a `java.lang.Class` instance)
|
||||
* passed to a deserialization method.
|
||||
*
|
||||
* If this is user-controlled, arbitrary code could be executed while instantiating the user-specified type.
|
||||
*/
|
||||
deprecated class UnsafeTypeConfig extends TaintTracking2::Configuration {
|
||||
UnsafeTypeConfig() { this = "UnsafeTypeConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeTypeSink }
|
||||
|
||||
/**
|
||||
* Holds if `fromNode` to `toNode` is a dataflow step that resolves a class
|
||||
* or at least looks like resolving a class.
|
||||
*/
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
|
||||
isUnsafeTypeAdditionalTaintStep(fromNode, toNode)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks flow from a remote source to a type descriptor (e.g. a `java.lang.Class` instance)
|
||||
* passed to a deserialization method.
|
||||
@@ -480,21 +437,6 @@ module UnsafeTypeConfig implements DataFlow::ConfigSig {
|
||||
*/
|
||||
module UnsafeTypeFlow = TaintTracking::Global<UnsafeTypeConfig>;
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `EnableJacksonDefaultTypingFlow` instead.
|
||||
*
|
||||
* Tracks flow from `enableDefaultTyping` calls to a subsequent Jackson deserialization method call.
|
||||
*/
|
||||
deprecated class EnableJacksonDefaultTypingConfig extends DataFlow2::Configuration {
|
||||
EnableJacksonDefaultTypingConfig() { this = "EnableJacksonDefaultTypingConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) {
|
||||
any(EnableJacksonDefaultTyping ma).getQualifier() = src.asExpr()
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof ObjectMapperReadQualifier }
|
||||
}
|
||||
|
||||
private module EnableJacksonDefaultTypingConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) {
|
||||
any(EnableJacksonDefaultTyping ma).getQualifier() = src.asExpr()
|
||||
@@ -523,32 +465,6 @@ private predicate isObjectMapperBuilderAdditionalFlowStep(
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `SafeObjectMapperFlow` instead.
|
||||
*
|
||||
* Tracks flow from calls that set a type validator to a subsequent Jackson deserialization method call,
|
||||
* including across builder method calls.
|
||||
*
|
||||
* Such a Jackson deserialization method call is safe because validation will likely prevent instantiating unexpected types.
|
||||
*/
|
||||
deprecated class SafeObjectMapperConfig extends DataFlow2::Configuration {
|
||||
SafeObjectMapperConfig() { this = "SafeObjectMapperConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) {
|
||||
src instanceof SetPolymorphicTypeValidatorSource
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof ObjectMapperReadQualifier }
|
||||
|
||||
/**
|
||||
* Holds if `fromNode` to `toNode` is a dataflow step
|
||||
* that configures or creates an `ObjectMapper` via a builder.
|
||||
*/
|
||||
override predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
|
||||
isObjectMapperBuilderAdditionalFlowStep(fromNode, toNode)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks flow from calls that set a type validator to a subsequent Jackson deserialization method call,
|
||||
* including across builder method calls.
|
||||
|
||||
@@ -19,32 +19,6 @@ private predicate isDebugCheck(Expr ex) {
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `WebviewDebugEnabledFlow` instead.
|
||||
*
|
||||
* A configuration to find instances of `setWebContentDebuggingEnabled` called with `true` values.
|
||||
*/
|
||||
deprecated class WebviewDebugEnabledConfig extends DataFlow::Configuration {
|
||||
WebviewDebugEnabledConfig() { this = "WebviewDebugEnabledConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node node) {
|
||||
node.asExpr().(BooleanLiteral).getBooleanValue() = true
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node node) {
|
||||
exists(MethodCall ma |
|
||||
ma.getMethod().hasQualifiedName("android.webkit", "WebView", "setWebContentsDebuggingEnabled") and
|
||||
node.asExpr() = ma.getArgument(0)
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isBarrier(DataFlow::Node node) {
|
||||
exists(Guard debug | isDebugCheck(debug) and debug.controls(node.asExpr().getBasicBlock(), _))
|
||||
or
|
||||
node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A webview debug sink node.
|
||||
*/
|
||||
|
||||
@@ -1,11 +0,0 @@
|
||||
/**
|
||||
* DEPRECATED: Use `semmle.code.java.security.WebviewDebuggingEnabledQuery` instead.
|
||||
*
|
||||
* Definitions for the Android Webview Debugging Enabled query
|
||||
*/
|
||||
|
||||
import java
|
||||
private import semmle.code.java.security.WebviewDebuggingEnabledQuery as WebviewDebuggingEnabledQuery
|
||||
|
||||
deprecated class WebviewDebugEnabledConfig =
|
||||
WebviewDebuggingEnabledQuery::WebviewDebugEnabledConfig;
|
||||
@@ -833,27 +833,6 @@ class TransformerFactoryConfig extends TransformerConfig {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED.
|
||||
*
|
||||
* A dataflow configuration that identifies `TransformerFactory` and `SAXTransformerFactory`
|
||||
* instances that have been safely configured.
|
||||
*/
|
||||
deprecated class SafeTransformerFactoryFlowConfig extends DataFlow3::Configuration {
|
||||
SafeTransformerFactoryFlowConfig() { this = "XmlParsers::SafeTransformerFactoryFlowConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeTransformerFactory }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodCall ma |
|
||||
sink.asExpr() = ma.getQualifier() and
|
||||
ma.getMethod().getDeclaringType() instanceof TransformerFactory
|
||||
)
|
||||
}
|
||||
|
||||
override int fieldFlowBranchLimit() { result = 0 }
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED.
|
||||
*
|
||||
|
||||
@@ -7,27 +7,6 @@ import semmle.code.java.security.XmlParsers
|
||||
import semmle.code.java.security.XsltInjection
|
||||
private import semmle.code.java.security.Sanitizers
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `XsltInjectionFlow` instead.
|
||||
*
|
||||
* A taint-tracking configuration for unvalidated user input that is used in XSLT transformation.
|
||||
*/
|
||||
deprecated class XsltInjectionFlowConfig extends TaintTracking::Configuration {
|
||||
XsltInjectionFlowConfig() { this = "XsltInjectionFlowConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof XsltInjectionSink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
any(XsltInjectionAdditionalTaintStep c).step(node1, node2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for unvalidated user input that is used in XSLT transformation.
|
||||
*/
|
||||
|
||||
@@ -5,25 +5,6 @@ private import semmle.code.java.dataflow.FlowSources
|
||||
private import semmle.code.java.dataflow.TaintTracking
|
||||
private import semmle.code.java.security.XxeQuery
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `XxeLocalFlow` instead.
|
||||
*
|
||||
* A taint-tracking configuration for unvalidated local user input that is used in XML external entity expansion.
|
||||
*/
|
||||
deprecated class XxeLocalConfig extends TaintTracking::Configuration {
|
||||
XxeLocalConfig() { this = "XxeLocalConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof XxeSink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof XxeSanitizer }
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
|
||||
any(XxeAdditionalTaintStep s).step(n1, n2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for unvalidated local user input that is used in XML external entity expansion.
|
||||
*/
|
||||
|
||||
@@ -5,25 +5,6 @@ private import semmle.code.java.dataflow.FlowSources
|
||||
private import semmle.code.java.dataflow.TaintTracking
|
||||
private import semmle.code.java.security.XxeQuery
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `XxeFlow` instead.
|
||||
*
|
||||
* A taint-tracking configuration for unvalidated remote user input that is used in XML external entity expansion.
|
||||
*/
|
||||
deprecated class XxeConfig extends TaintTracking::Configuration {
|
||||
XxeConfig() { this = "XxeConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof XxeSink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof XxeSanitizer }
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
|
||||
any(XxeAdditionalTaintStep s).step(n1, n2)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for unvalidated remote user input that is used in XML external entity expansion.
|
||||
*/
|
||||
|
||||
@@ -5,7 +5,6 @@ import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.security.PathSanitizer
|
||||
private import semmle.code.java.dataflow.ExternalFlow
|
||||
private import semmle.code.java.dataflow.FlowSources
|
||||
private import semmle.code.java.security.PathCreation
|
||||
private import semmle.code.java.security.Sanitizers
|
||||
|
||||
/**
|
||||
|
||||
@@ -33,38 +33,6 @@ private class LengthRestrictedMethod extends Method {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `PolynomialRedosFlow` instead.
|
||||
*
|
||||
* A configuration for Polynomial ReDoS queries.
|
||||
*/
|
||||
deprecated class PolynomialRedosConfig extends TaintTracking::Configuration {
|
||||
PolynomialRedosConfig() { this = "PolynomialRedosConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof PolynomialRedosSink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
node.getType() instanceof PrimitiveType or
|
||||
node.getType() instanceof BoxedType or
|
||||
node.asExpr().(MethodCall).getMethod() instanceof LengthRestrictedMethod
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `PolynomialRedosFlow` instead.
|
||||
*
|
||||
* Holds if there is flow from `source` to `sink` that is matched against the regexp term `regexp` that is vulnerable to Polynomial ReDoS.
|
||||
*/
|
||||
deprecated predicate hasPolynomialReDoSResult(
|
||||
DataFlow::PathNode source, DataFlow::PathNode sink,
|
||||
SuperlinearBackTracking::PolynomialBackTrackingTerm regexp
|
||||
) {
|
||||
any(PolynomialRedosConfig config).hasFlowPath(source, sink) and
|
||||
regexp.getRootTerm() = sink.getNode().(PolynomialRedosSink).getRegExp()
|
||||
}
|
||||
|
||||
/** A configuration for Polynomial ReDoS queries. */
|
||||
module PolynomialRedosConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }
|
||||
|
||||
@@ -5,21 +5,6 @@ import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.security.regexp.RegexInjection
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `RegexInjectionFlow` instead.
|
||||
*
|
||||
* A taint-tracking configuration for untrusted user input used to construct regular expressions.
|
||||
*/
|
||||
deprecated class RegexInjectionConfiguration extends TaintTracking::Configuration {
|
||||
RegexInjectionConfiguration() { this = "RegexInjection" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof RegexInjectionSanitizer }
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for untrusted user input used to construct regular expressions.
|
||||
*/
|
||||
|
||||
@@ -14,7 +14,6 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.PathCreation
|
||||
import semmle.code.java.security.TaintedPathQuery
|
||||
import TaintedPathFlow::PathGraph
|
||||
|
||||
|
||||
@@ -1,26 +0,0 @@
|
||||
WARNING: type 'PathCreation' has been deprecated and may be removed in future (PathCreation.ql:4,6-18)
|
||||
| PathCreation.java:13:18:13:32 | new File(...) | PathCreation.java:13:27:13:31 | "dir" |
|
||||
| PathCreation.java:14:19:14:40 | new File(...) | PathCreation.java:14:28:14:32 | "dir" |
|
||||
| PathCreation.java:14:19:14:40 | new File(...) | PathCreation.java:14:35:14:39 | "sub" |
|
||||
| PathCreation.java:18:18:18:49 | new File(...) | PathCreation.java:18:44:18:48 | "sub" |
|
||||
| PathCreation.java:18:27:18:41 | new File(...) | PathCreation.java:18:36:18:40 | "dir" |
|
||||
| PathCreation.java:22:18:22:41 | new File(...) | PathCreation.java:22:27:22:40 | new URI(...) |
|
||||
| PathCreation.java:26:18:26:31 | of(...) | PathCreation.java:26:26:26:30 | "dir" |
|
||||
| PathCreation.java:27:19:27:39 | of(...) | PathCreation.java:27:27:27:31 | "dir" |
|
||||
| PathCreation.java:27:19:27:39 | of(...) | PathCreation.java:27:34:27:38 | "sub" |
|
||||
| PathCreation.java:31:18:31:40 | of(...) | PathCreation.java:31:26:31:39 | new URI(...) |
|
||||
| PathCreation.java:35:18:35:33 | get(...) | PathCreation.java:35:28:35:32 | "dir" |
|
||||
| PathCreation.java:36:19:36:41 | get(...) | PathCreation.java:36:29:36:33 | "dir" |
|
||||
| PathCreation.java:36:19:36:41 | get(...) | PathCreation.java:36:36:36:40 | "sub" |
|
||||
| PathCreation.java:40:18:40:42 | get(...) | PathCreation.java:40:28:40:41 | new URI(...) |
|
||||
| PathCreation.java:44:18:44:56 | getPath(...) | PathCreation.java:44:51:44:55 | "dir" |
|
||||
| PathCreation.java:45:19:45:64 | getPath(...) | PathCreation.java:45:52:45:56 | "dir" |
|
||||
| PathCreation.java:45:19:45:64 | getPath(...) | PathCreation.java:45:59:45:63 | "sub" |
|
||||
| PathCreation.java:49:18:49:31 | of(...) | PathCreation.java:49:26:49:30 | "dir" |
|
||||
| PathCreation.java:49:18:49:53 | resolveSibling(...) | PathCreation.java:49:48:49:52 | "sub" |
|
||||
| PathCreation.java:53:18:53:31 | of(...) | PathCreation.java:53:26:53:30 | "dir" |
|
||||
| PathCreation.java:53:18:53:46 | resolve(...) | PathCreation.java:53:41:53:45 | "sub" |
|
||||
| PathCreation.java:57:25:57:45 | new FileWriter(...) | PathCreation.java:57:40:57:44 | "dir" |
|
||||
| PathCreation.java:61:25:61:45 | new FileReader(...) | PathCreation.java:61:40:61:44 | "dir" |
|
||||
| PathCreation.java:65:32:65:58 | new FileOutputStream(...) | PathCreation.java:65:53:65:57 | "dir" |
|
||||
| PathCreation.java:69:31:69:56 | new FileInputStream(...) | PathCreation.java:69:51:69:55 | "dir" |
|
||||
@@ -1,71 +0,0 @@
|
||||
import java.io.File;
|
||||
import java.io.FileWriter;
|
||||
import java.io.FileReader;
|
||||
import java.io.FileOutputStream;
|
||||
import java.io.FileInputStream;
|
||||
import java.nio.file.Path;
|
||||
import java.nio.file.Paths;
|
||||
import java.nio.file.FileSystems;
|
||||
import java.net.URI;
|
||||
|
||||
class PathCreation {
|
||||
public void testNewFileWithString() {
|
||||
File f = new File("dir");
|
||||
File f2 = new File("dir", "sub");
|
||||
}
|
||||
|
||||
public void testNewFileWithFileString() {
|
||||
File f = new File(new File("dir"), "sub");
|
||||
}
|
||||
|
||||
public void testNewFileWithURI() throws java.net.URISyntaxException {
|
||||
File f = new File(new URI("dir"));
|
||||
}
|
||||
|
||||
public void testPathOfWithString() {
|
||||
Path p = Path.of("dir");
|
||||
Path p2 = Path.of("dir", "sub");
|
||||
}
|
||||
|
||||
public void testPathOfWithURI() throws java.net.URISyntaxException {
|
||||
Path p = Path.of(new URI("dir"));
|
||||
}
|
||||
|
||||
public void testPathsGetWithString() {
|
||||
Path p = Paths.get("dir");
|
||||
Path p2 = Paths.get("dir", "sub");
|
||||
}
|
||||
|
||||
public void testPathsGetWithURI() throws java.net.URISyntaxException {
|
||||
Path p = Paths.get(new URI("dir"));
|
||||
}
|
||||
|
||||
public void testFileSystemGetPathWithString() {
|
||||
Path p = FileSystems.getDefault().getPath("dir");
|
||||
Path p2 = FileSystems.getDefault().getPath("dir", "sub");
|
||||
}
|
||||
|
||||
public void testPathResolveSiblingWithString() {
|
||||
Path p = Path.of("dir").resolveSibling("sub");
|
||||
}
|
||||
|
||||
public void testPathResolveWithString() {
|
||||
Path p = Path.of("dir").resolve("sub");
|
||||
}
|
||||
|
||||
public void testNewFileWriterWithString() throws java.io.IOException {
|
||||
FileWriter fw = new FileWriter("dir");
|
||||
}
|
||||
|
||||
public void testNewFileReaderWithString() throws java.io.FileNotFoundException {
|
||||
FileReader fr = new FileReader("dir");
|
||||
}
|
||||
|
||||
public void testNewFileOutputStreamWithString() throws java.io.FileNotFoundException {
|
||||
FileOutputStream fos = new FileOutputStream("dir");
|
||||
}
|
||||
|
||||
public void testNewFileInputStreamWithString() throws java.io.FileNotFoundException {
|
||||
FileInputStream fis = new FileInputStream("dir");
|
||||
}
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
import java
|
||||
import semmle.code.java.security.PathCreation
|
||||
|
||||
from PathCreation path
|
||||
select path, path.getAnInput()
|
||||