hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Java: Replace global flow by local flow

Browse Source
This commit is contained in:
intrigus
2021-01-11 19:02:07 +01:00
parent 722bd4dafa
commit 85286f362c
1 changed files with 31 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
View File

@@ -106,11 +106,8 @@ private predicate isEqualsIgnoreCaseMethodAccess(MethodAccess ma) {
ma.getMethod().getDeclaringType() instanceof TypeString
}
/** A configuration to model the flow of feature flags into `Guard`s. This is used to determine whether something is guarded by such a flag. */
private class FlagToGuardFlow extends DataFlow::Configuration {
FlagToGuardFlow() { this = "FlagToGuardFlow" }
override predicate isSource(DataFlow::Node source) {
/** Holds if `source` should is considered a flag. */
private predicate isFlag(DataFlow::Node source) {
exists(VarAccess v | v.getVariable().getName() = getAFlagName() |
source.asExpr() = v and v.getType() instanceof FlagType
)
@@ -122,11 +119,12 @@ private class FlagToGuardFlow extends DataFlow::Configuration {
ma.getType() instanceof FlagType and
not isEqualsIgnoreCaseMethodAccess(ma)
)
}
}
override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof Guard }
override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
/** Holds if there is flow from `node1` to `node2` either due to local flow or due to custom flow steps. */
private predicate flagFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
DataFlow::localFlowStep(node1, node2)
or
exists(MethodAccess ma | ma.getMethod() = any(EnvReadMethod m) |
ma = node2.asExpr() and ma.getAnArgument() = node1.asExpr()
)
@@ -137,14 +135,13 @@ private class FlagToGuardFlow extends DataFlow::Configuration {
|
ma = node2.asExpr() and ma.getAnArgument() = node1.asExpr()
)
}
}
/** Gets a guard that depends on a flag. */
private Guard getAGuard() {
exists(FlagToGuardFlow cfg, DataFlow::Node source, DataFlow::Node sink |
cfg.hasFlow(source, sink)
|
exists(DataFlow::Node source, DataFlow::Node sink |
isFlag(source) and
flagFlowStep*(source, sink) and
sink.asExpr() = result
)
}