Avoid cross-class flow for field writes

Benjamin Muskalla
2021-11-09 12:17:56 +01:00
parent 74ac234f1c
commit 974c7b0898


@@ -116,18 +116,30 @@ class ParameterToFieldConfig extends TaintTracking::Configuration {
* `p;Foo;true;doSomething;(String);Argument[0];Argument[-1];taint`
*/
string captureFieldFlowIn(Callable api) {
exists(DataFlow::ParameterNode source, DataFlow::ExprNode sink, ParameterToFieldConfig config |
sink.asExpr().getEnclosingCallable().getDeclaringType() =
source.asParameter().getCallable().getDeclaringType() and
exists(DataFlow::PathNode source, DataFlow::PathNode sink |
not api.isStatic() and
config.hasFlow(source, sink) and
source.asParameter().getCallable() = api
restrictedFlow(source, sink) and
source.getNode().asParameter().getCallable() = api
|
result =
asTaintModel(api, "Argument[" + source.asParameter().getPosition() + "]", "Argument[-1]")
asTaintModel(api, "Argument[" + source.getNode().asParameter().getPosition() + "]",
"Argument[-1]")
)
}
predicate restrictedEdge(DataFlow::PathNode n1, DataFlow::PathNode n2) {
n1.getASuccessor() = n2 and
n1.getNode().getEnclosingCallable().getDeclaringType() =
n2.getNode().getEnclosingCallable().getDeclaringType()
}
predicate restrictedFlow(DataFlow::PathNode src, DataFlow::PathNode sink) {
src.getConfiguration() instanceof ParameterToFieldConfig and
src.isSource() and
src.getConfiguration().isSink(sink.getNode()) and
restrictedEdge*(src, sink)
}
class ParameterToReturnValueTaintConfig extends TaintTracking::Configuration {
ParameterToReturnValueTaintConfig() { this = "ParameterToReturnValueTaintConfig" }
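Review bot: `restrictedEdge` requires the enclosing callables of both nodes to have exactly the same declaring type. A path step through a lambda, an anonymous or nested class, or a helper inherited from a supertype is therefore probably rejected as cross-class as well, and `captureFieldFlowIn` then emits no `Argument[n]` to `Argument[-1]` row for that API. A missing summary in a model generator becomes a missed flow in the taint queries that consume the model, so the intended scope should be written down; neither new predicate has QLDoc. Above `restrictedEdge` I would add `/** Holds if n2 is a path successor of n1 and both are in callables declared by the same type; nested and inherited members do not match. */`, with a matching one-line comment on `restrictedFlow` saying it is the reflexive-transitive closure of that edge from a `ParameterToFieldConfig` source to one of its sinks. If nothing outside this file uses them, both helpers could also be declared `private`.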