hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Address review comments.

Browse Source
This commit is contained in:
Sebastian Bauersfeld
2022-09-16 14:35:30 +07:00
parent 20d78972f5
commit 95478f1af6
3 changed files with 36 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
View File

@@ -29,7 +29,7 @@ predicate containsDotDotSanitizer(Guard g, Expr e, boolean branch) {
) )
} }
class TaintedPathConfig extends TaintTracking::Configuration { class TaintedPathConfig extends TaintedPathCommonConfig {
TaintedPathConfig() { this = "TaintedPathConfig" } TaintedPathConfig() { this = "TaintedPathConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

44
java/ql/src/Security/CWE/CWE-022/TaintedPathCommon.qll
View File

@@ -5,17 +5,41 @@
import java import java
import semmle.code.java.controlflow.Guards import semmle.code.java.controlflow.Guards
import semmle.code.java.security.PathCreation import semmle.code.java.security.PathCreation
import semmle.code.java.dataflow.ExternalFlow import semmle.code.java.frameworks.Networking
import semmle.code.java.dataflow.TaintTracking
class TaintedPathInjectionSummaries extends SummaryModelCsv { abstract class TaintedPathCommonConfig extends TaintTracking::Configuration {
override predicate row(string row) { bindingset[this]
row = TaintedPathCommonConfig() { any() }
[
"java.net;URI;false;URI;(String,String,String);;Argument[1];Argument[-1];taint;manual", final override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
"java.net;URI;false;URI;(String,String,String,String);;Argument[1..2];Argument[-1];taint;manual", exists(Argument a |
"java.net;URI;false;URI;(String,String,String,String,String);;Argument[2];Argument[-1];taint;manual", a = n1.asExpr() and
"java.net;URI;false;URI;(String,String,String,int,String,String,String);;Argument[4];Argument[-1];taint;manual", a.getCall() = n2.asExpr() and
] a = any(TaintPreservingUriCtorParam tpp).getAnArgument()
)
}
}
private class TaintPreservingUriCtorParam extends Parameter {
TaintPreservingUriCtorParam() {
exists(Constructor ctor, int idx, int nParams |
ctor.getDeclaringType() instanceof TypeUri and
this = ctor.getParameter(idx) and
nParams = ctor.getNumberOfParameters()
|
// URI(String scheme, String ssp, String fragment)
idx = 1 and nParams = 3
or
// URI(String scheme, String host, String path, String fragment)
idx = [1, 2] and nParams = 4
or
// URI(String scheme, String authority, String path, String query, String fragment)
idx = 2 and nParams = 5
or
// URI(String scheme, String userInfo, String host, int port, String path, String query, String fragment)
idx = 4 and nParams = 7
)
} }
} }

2
java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql
View File

@@ -19,7 +19,7 @@ import semmle.code.java.security.PathCreation
import DataFlow::PathGraph import DataFlow::PathGraph
import TaintedPathCommon import TaintedPathCommon
class TaintedPathLocalConfig extends TaintTracking::Configuration { class TaintedPathLocalConfig extends TaintedPathCommonConfig {
TaintedPathLocalConfig() { this = "TaintedPathLocalConfig" } TaintedPathLocalConfig() { this = "TaintedPathLocalConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput } override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }