Merge remote-tracking branch 'origin/LoadClassNoSignatureCheck' into LoadClassNoSignatureCheck

masterofnow
2023-12-21 12:15:06 +08:00


@@ -7,21 +7,20 @@
* @problem.severity error
* @precision high
* @kind path-problem
* @id java/unsafe-reflection
* @id java/android/unsafe-reflection
* @tags security
* experimental
* external/cwe/cwe-470
*/
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.controlflow.Guards
import semmle.code.java.dataflow.SSA
import semmle.code.java.frameworks.android.Intent
class CheckSignaturesGuard extends Guard instanceof EqualityTest {
MethodAccess checkSignatures;
MethodCall checkSignatures;
CheckSignaturesGuard() {
this.getAnOperand() = checkSignatures and
@@ -52,15 +51,15 @@ predicate signatureChecked(Expr safe) {
module InsecureLoadingConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) {
exists(Method m | m = src.asExpr().(MethodAccess).getMethod() |
exists(Method m | m = src.asExpr().(MethodCall).getMethod() |
m.getDeclaringType().getASourceSupertype*() instanceof TypeContext and
m.hasName("createPackageContext") and
not signatureChecked(src.asExpr().(MethodAccess).getArgument(0))
not signatureChecked(src.asExpr().(MethodCall).getArgument(0))
)
}
predicate isSink(DataFlow::Node sink) {
exists(MethodAccess ma |
exists(MethodCall ma |
ma.getMethod().hasQualifiedName("java.lang", "ClassLoader", "loadClass")
|
sink.asExpr() = ma.getQualifier()
@@ -68,7 +67,7 @@ module InsecureLoadingConfig implements DataFlow::ConfigSig {
}
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(MethodAccess ma, Method m |
exists(MethodCall ma, Method m |
ma.getMethod() = m and
m.getDeclaringType().getASourceSupertype*() instanceof TypeContext and
m.hasName("getClassLoader")
@@ -87,4 +86,3 @@ from InsecureLoadFlow::PathNode source, InsecureLoadFlow::PathNode sink
where InsecureLoadFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Class loaded from a $@ without signature check",
source.getNode(), "third party library"
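Review bot: `isSink` in the second hunk only treats a class loader as a sink when it is the qualifier of `java.lang.ClassLoader.loadClass`, so a loader obtained from an unverified package context and then passed as the third argument of `Class.forName(String, boolean, ClassLoader)` is not reported, although it reaches the same untrusted code. A second disjunct would close that gap: `or exists(MethodCall fn | fn.getMethod().hasQualifiedName("java.lang", "Class", "forName") and fn.getNumArgument() = 3 | sink.asExpr() = fn.getArgument(2))`; the existing select message still describes that case. The metadata block in the first hunk carries `@problem.severity error` and `@tags security` but no `@security-severity`, which the CodeQL query-metadata conventions expect on a security-tagged query; if this query is meant to run in a suite rather than stay experimental, it should be added. The `CheckSignaturesGuard` constructor and the `isAdditionalFlowStep` body continue outside their hunks, so their conditions could not be checked here.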