Merge pull request #12645 from aschackmull/dataflow/renaming
Dataflow: Rename Make to Global and hasFlow to flow
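--- a/java/ql/lib/change-notes/2023-03-23-dataflow-renaming.md
+++ b/java/ql/lib/change-notes/2023-03-23-dataflow-renaming.md
@@ -0,0 +1,6 @@
+---
+category: deprecated
+---
+* The recently introduced new data flow and taint tracking APIs have had a
+number of module and predicate renamings. The old APIs remain in place for
+now.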
@@ -2,7 +2,7 @@
|
||||
* Provides an implementation of global (interprocedural) data flow. This file
|
||||
* re-exports the local (intraprocedural) data flow analysis from
|
||||
* `DataFlowImplSpecific::Public` and adds a global analysis, mainly exposed
|
||||
* through the `Make` and `MakeWithState` modules.
|
||||
* through the `Global` and `GlobalWithState` modules.
|
||||
*/
|
||||
|
||||
private import DataFlowImplCommon
|
||||
@@ -73,10 +73,10 @@ signature module ConfigSig {
|
||||
*/
|
||||
default FlowFeature getAFeature() { none() }
|
||||
|
||||
/** Holds if sources should be grouped in the result of `hasFlowPath`. */
|
||||
/** Holds if sources should be grouped in the result of `flowPath`. */
|
||||
default predicate sourceGrouping(Node source, string sourceGroup) { none() }
|
||||
|
||||
/** Holds if sinks should be grouped in the result of `hasFlowPath`. */
|
||||
/** Holds if sinks should be grouped in the result of `flowPath`. */
|
||||
default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
|
||||
|
||||
/**
|
||||
@@ -166,10 +166,10 @@ signature module StateConfigSig {
|
||||
*/
|
||||
default FlowFeature getAFeature() { none() }
|
||||
|
||||
/** Holds if sources should be grouped in the result of `hasFlowPath`. */
|
||||
/** Holds if sources should be grouped in the result of `flowPath`. */
|
||||
default predicate sourceGrouping(Node source, string sourceGroup) { none() }
|
||||
|
||||
/** Holds if sinks should be grouped in the result of `hasFlowPath`. */
|
||||
/** Holds if sinks should be grouped in the result of `flowPath`. */
|
||||
default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
|
||||
|
||||
/**
|
||||
@@ -182,15 +182,15 @@ signature module StateConfigSig {
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
|
||||
* Gets the exploration limit for `partialFlow` and `partialFlowRev`
|
||||
* measured in approximate number of interprocedural steps.
|
||||
*/
|
||||
signature int explorationLimitSig();
|
||||
|
||||
/**
|
||||
* The output of a data flow computation.
|
||||
* The output of a global data flow computation.
|
||||
*/
|
||||
signature module DataFlowSig {
|
||||
signature module GlobalFlowSig {
|
||||
/**
|
||||
* A `Node` augmented with a call context (except for sinks) and an access path.
|
||||
* Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
|
||||
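Review bot: `signature module DataFlowSig` becomes `GlobalFlowSig` in this hunk with nothing left under the old name, whereas `Make` and `MakeWithState` stay available as deprecated wrappers in later hunks. Code outside this commit that writes `implements DataFlow::DataFlowSig`, or takes that signature as a module parameter, would presumably fail to compile instead of running with a deprecation warning; for custom security queries that means the check stops running until someone fixes the build. If the language permits a deprecated alias for a signature module, keep one; otherwise name this rename explicitly in the change note, which currently says the old APIs remain in place. The signature module's body continues past the end of the hunk.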
@@ -203,28 +203,28 @@ signature module DataFlowSig {
|
||||
* The corresponding paths are generated from the end-points and the graph
|
||||
* included in the module `PathGraph`.
|
||||
*/
|
||||
predicate hasFlowPath(PathNode source, PathNode sink);
|
||||
predicate flowPath(PathNode source, PathNode sink);
|
||||
|
||||
/**
|
||||
* Holds if data can flow from `source` to `sink`.
|
||||
*/
|
||||
predicate hasFlow(Node source, Node sink);
|
||||
predicate flow(Node source, Node sink);
|
||||
|
||||
/**
|
||||
* Holds if data can flow from some source to `sink`.
|
||||
*/
|
||||
predicate hasFlowTo(Node sink);
|
||||
predicate flowTo(Node sink);
|
||||
|
||||
/**
|
||||
* Holds if data can flow from some source to `sink`.
|
||||
*/
|
||||
predicate hasFlowToExpr(DataFlowExpr sink);
|
||||
predicate flowToExpr(DataFlowExpr sink);
|
||||
}
|
||||
|
||||
/**
|
||||
* Constructs a standard data flow computation.
|
||||
*/
|
||||
module Make<ConfigSig Config> implements DataFlowSig {
|
||||
module Global<ConfigSig Config> implements GlobalFlowSig {
|
||||
private module C implements FullStateConfigSig {
|
||||
import DefaultState<Config>
|
||||
import Config
|
||||
@@ -233,10 +233,15 @@ module Make<ConfigSig Config> implements DataFlowSig {
|
||||
import Impl<C>
|
||||
}
|
||||
|
||||
/** DEPRECATED: Use `Global` instead. */
|
||||
deprecated module Make<ConfigSig Config> implements GlobalFlowSig {
|
||||
import Global<Config>
|
||||
}
|
||||
|
||||
/**
|
||||
* Constructs a data flow computation using flow state.
|
||||
*/
|
||||
module MakeWithState<StateConfigSig Config> implements DataFlowSig {
|
||||
module GlobalWithState<StateConfigSig Config> implements GlobalFlowSig {
|
||||
private module C implements FullStateConfigSig {
|
||||
import Config
|
||||
}
|
||||
@@ -244,6 +249,11 @@ module MakeWithState<StateConfigSig Config> implements DataFlowSig {
|
||||
import Impl<C>
|
||||
}
|
||||
|
||||
/** DEPRECATED: Use `GlobalWithState` instead. */
|
||||
deprecated module MakeWithState<StateConfigSig Config> implements GlobalFlowSig {
|
||||
import GlobalWithState<Config>
|
||||
}
|
||||
|
||||
signature class PathNodeSig {
|
||||
/** Gets a textual representation of this element. */
|
||||
string toString();
|
||||
|
||||
@@ -91,10 +91,10 @@ signature module FullStateConfigSig {
|
||||
*/
|
||||
FlowFeature getAFeature();
|
||||
|
||||
/** Holds if sources should be grouped in the result of `hasFlowPath`. */
|
||||
/** Holds if sources should be grouped in the result of `flowPath`. */
|
||||
predicate sourceGrouping(Node source, string sourceGroup);
|
||||
|
||||
/** Holds if sinks should be grouped in the result of `hasFlowPath`. */
|
||||
/** Holds if sinks should be grouped in the result of `flowPath`. */
|
||||
predicate sinkGrouping(Node sink, string sinkGroup);
|
||||
|
||||
/**
|
||||
@@ -3629,7 +3629,7 @@ module Impl<FullStateConfigSig Config> {
|
||||
* The corresponding paths are generated from the end-points and the graph
|
||||
* included in the module `PathGraph`.
|
||||
*/
|
||||
predicate hasFlowPath(PathNode source, PathNode sink) {
|
||||
predicate flowPath(PathNode source, PathNode sink) {
|
||||
exists(PathNodeImpl flowsource, PathNodeImpl flowsink |
|
||||
source = flowsource and sink = flowsink
|
||||
|
|
||||
@@ -3639,6 +3639,9 @@ module Impl<FullStateConfigSig Config> {
|
||||
)
|
||||
}
|
||||
|
||||
/** DEPRECATED: Use `flowPath` instead. */
|
||||
deprecated predicate hasFlowPath = flowPath/2;
|
||||
|
||||
private predicate flowsTo(PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink) {
|
||||
flowsource.isSource() and
|
||||
flowsource.getNodeEx().asNode() = source and
|
||||
@@ -3649,17 +3652,26 @@ module Impl<FullStateConfigSig Config> {
|
||||
/**
|
||||
* Holds if data can flow from `source` to `sink`.
|
||||
*/
|
||||
predicate hasFlow(Node source, Node sink) { flowsTo(_, _, source, sink) }
|
||||
predicate flow(Node source, Node sink) { flowsTo(_, _, source, sink) }
|
||||
|
||||
/** DEPRECATED: Use `flow` instead. */
|
||||
deprecated predicate hasFlow = flow/2;
|
||||
|
||||
/**
|
||||
* Holds if data can flow from some source to `sink`.
|
||||
*/
|
||||
predicate hasFlowTo(Node sink) { sink = any(PathNodeSink n).getNodeEx().asNode() }
|
||||
predicate flowTo(Node sink) { sink = any(PathNodeSink n).getNodeEx().asNode() }
|
||||
|
||||
/** DEPRECATED: Use `flowTo` instead. */
|
||||
deprecated predicate hasFlowTo = flowTo/1;
|
||||
|
||||
/**
|
||||
* Holds if data can flow from some source to `sink`.
|
||||
*/
|
||||
predicate hasFlowToExpr(DataFlowExpr sink) { hasFlowTo(exprNode(sink)) }
|
||||
predicate flowToExpr(DataFlowExpr sink) { flowTo(exprNode(sink)) }
|
||||
|
||||
/** DEPRECATED: Use `flowToExpr` instead. */
|
||||
deprecated predicate hasFlowToExpr = flowToExpr/1;
|
||||
|
||||
private predicate finalStats(
|
||||
boolean fwd, int nodes, int fields, int conscand, int states, int tuples
|
||||
@@ -4570,7 +4582,7 @@ module Impl<FullStateConfigSig Config> {
|
||||
*
|
||||
* To use this in a `path-problem` query, import the module `PartialPathGraph`.
|
||||
*/
|
||||
predicate hasPartialFlow(PartialPathNode source, PartialPathNode node, int dist) {
|
||||
predicate partialFlow(PartialPathNode source, PartialPathNode node, int dist) {
|
||||
partialFlow(source, node) and
|
||||
dist = node.getSourceDistance()
|
||||
}
|
||||
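Review bot: The renamed `partialFlow(PartialPathNode source, PartialPathNode node, int dist)` gets no deprecated alias for its old name, unlike `hasFlowPath`, `hasFlow`, `hasFlowTo` and `hasFlowToExpr` in the other `Impl` hunks, so a query that still calls `hasPartialFlow` would fail to compile rather than warn; the same applies to `partialFlowRev` in the next hunk. If the old names were reachable by users, add `deprecated predicate hasPartialFlow = partialFlow/3;` and `deprecated predicate hasPartialFlowRev = partialFlowRev/3;` after the two definitions. The three-argument predicate now also shares its name with the two-argument `partialFlow(source, node)` that its body calls, so a one-line comment such as `// calls the binary helper partialFlow/2, not this predicate` would spare readers from reading it as recursion. The enclosing module starts and ends outside the hunk.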
@@ -4590,7 +4602,7 @@ module Impl<FullStateConfigSig Config> {
|
||||
* Note that reverse flow has slightly lower precision than the corresponding
|
||||
* forward flow, as reverse flow disregards type pruning among other features.
|
||||
*/
|
||||
predicate hasPartialFlowRev(PartialPathNode node, PartialPathNode sink, int dist) {
|
||||
predicate partialFlowRev(PartialPathNode node, PartialPathNode sink, int dist) {
|
||||
revPartialFlow(node, sink) and
|
||||
dist = node.getSinkDistance()
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* DEPRECATED: Use `Make` and `MakeWithState` instead.
|
||||
* DEPRECATED: Use `Global` and `GlobalWithState` instead.
|
||||
*
|
||||
* Provides a `Configuration` class backwards-compatible interface to the data
|
||||
* flow library.
|
||||
@@ -388,7 +388,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
|
||||
}
|
||||
|
||||
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
|
||||
hasFlowPath(source, sink) and source.getConfiguration() = config
|
||||
flowPath(source, sink) and source.getConfiguration() = config
|
||||
}
|
||||
|
||||
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* DEPRECATED: Use `Make` and `MakeWithState` instead.
|
||||
* DEPRECATED: Use `Global` and `GlobalWithState` instead.
|
||||
*
|
||||
* Provides a `Configuration` class backwards-compatible interface to the data
|
||||
* flow library.
|
||||
@@ -388,7 +388,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
|
||||
}
|
||||
|
||||
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
|
||||
hasFlowPath(source, sink) and source.getConfiguration() = config
|
||||
flowPath(source, sink) and source.getConfiguration() = config
|
||||
}
|
||||
|
||||
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* DEPRECATED: Use `Make` and `MakeWithState` instead.
|
||||
* DEPRECATED: Use `Global` and `GlobalWithState` instead.
|
||||
*
|
||||
* Provides a `Configuration` class backwards-compatible interface to the data
|
||||
* flow library.
|
||||
@@ -388,7 +388,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
|
||||
}
|
||||
|
||||
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
|
||||
hasFlowPath(source, sink) and source.getConfiguration() = config
|
||||
flowPath(source, sink) and source.getConfiguration() = config
|
||||
}
|
||||
|
||||
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* DEPRECATED: Use `Make` and `MakeWithState` instead.
|
||||
* DEPRECATED: Use `Global` and `GlobalWithState` instead.
|
||||
*
|
||||
* Provides a `Configuration` class backwards-compatible interface to the data
|
||||
* flow library.
|
||||
@@ -388,7 +388,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
|
||||
}
|
||||
|
||||
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
|
||||
hasFlowPath(source, sink) and source.getConfiguration() = config
|
||||
flowPath(source, sink) and source.getConfiguration() = config
|
||||
}
|
||||
|
||||
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* DEPRECATED: Use `Make` and `MakeWithState` instead.
|
||||
* DEPRECATED: Use `Global` and `GlobalWithState` instead.
|
||||
*
|
||||
* Provides a `Configuration` class backwards-compatible interface to the data
|
||||
* flow library.
|
||||
@@ -388,7 +388,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
|
||||
}
|
||||
|
||||
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
|
||||
hasFlowPath(source, sink) and source.getConfiguration() = config
|
||||
flowPath(source, sink) and source.getConfiguration() = config
|
||||
}
|
||||
|
||||
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* DEPRECATED: Use `Make` and `MakeWithState` instead.
|
||||
* DEPRECATED: Use `Global` and `GlobalWithState` instead.
|
||||
*
|
||||
* Provides a `Configuration` class backwards-compatible interface to the data
|
||||
* flow library.
|
||||
@@ -388,7 +388,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
|
||||
}
|
||||
|
||||
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
|
||||
hasFlowPath(source, sink) and source.getConfiguration() = config
|
||||
flowPath(source, sink) and source.getConfiguration() = config
|
||||
}
|
||||
|
||||
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }
|
||||
|
||||
@@ -35,7 +35,7 @@ private module AddTaintDefaults<DataFlowInternal::FullStateConfigSig Config> imp
|
||||
/**
|
||||
* Constructs a standard taint tracking computation.
|
||||
*/
|
||||
module Make<DataFlow::ConfigSig Config> implements DataFlow::DataFlowSig {
|
||||
module Global<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
|
||||
private module Config0 implements DataFlowInternal::FullStateConfigSig {
|
||||
import DataFlowInternal::DefaultState<Config>
|
||||
import Config
|
||||
@@ -48,10 +48,15 @@ module Make<DataFlow::ConfigSig Config> implements DataFlow::DataFlowSig {
|
||||
import DataFlowInternal::Impl<C>
|
||||
}
|
||||
|
||||
/** DEPRECATED: Use `Global` instead. */
|
||||
deprecated module Make<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
|
||||
import Global<Config>
|
||||
}
|
||||
|
||||
/**
|
||||
* Constructs a taint tracking computation using flow state.
|
||||
*/
|
||||
module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::DataFlowSig {
|
||||
module GlobalWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
|
||||
private module Config0 implements DataFlowInternal::FullStateConfigSig {
|
||||
import Config
|
||||
}
|
||||
@@ -62,3 +67,8 @@ module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::DataF
|
||||
|
||||
import DataFlowInternal::Impl<C>
|
||||
}
|
||||
|
||||
/** DEPRECATED: Use `GlobalWithState` instead. */
|
||||
deprecated module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
|
||||
import GlobalWithState<Config>
|
||||
}
|
||||
|
||||
@@ -28,7 +28,7 @@ class OnActivityResultIncomingIntent extends DataFlow::Node {
|
||||
*/
|
||||
predicate isRemoteSource() {
|
||||
exists(RefType startingType, Expr startActivityForResultArg |
|
||||
ImplicitStartActivityForResult::hasFlowToExpr(startActivityForResultArg) and
|
||||
ImplicitStartActivityForResult::flowToExpr(startActivityForResultArg) and
|
||||
// startingType is the class enclosing the method that calls `startActivityForResult`.
|
||||
startingType = startActivityForResultArg.getEnclosingCallable().getDeclaringType()
|
||||
|
|
||||
@@ -104,7 +104,7 @@ private module ImplicitStartActivityForResultConfig implements DataFlow::ConfigS
|
||||
}
|
||||
|
||||
private module ImplicitStartActivityForResult =
|
||||
DataFlow::Make<ImplicitStartActivityForResultConfig>;
|
||||
DataFlow::Global<ImplicitStartActivityForResultConfig>;
|
||||
|
||||
/** An Android Activity or Fragment. */
|
||||
private class ActivityOrFragment extends Class {
|
||||
|
||||
@@ -21,10 +21,10 @@ private module TypeLiteralToParseAsFlowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
private module TypeLiteralToParseAsFlow = DataFlow::Make<TypeLiteralToParseAsFlowConfig>;
|
||||
private module TypeLiteralToParseAsFlow = DataFlow::Global<TypeLiteralToParseAsFlowConfig>;
|
||||
|
||||
private TypeLiteral getSourceWithFlowToParseAs() {
|
||||
TypeLiteralToParseAsFlow::hasFlow(DataFlow::exprNode(result), _)
|
||||
TypeLiteralToParseAsFlow::flow(DataFlow::exprNode(result), _)
|
||||
}
|
||||
|
||||
/** A field that is deserialized by `HttpResponse.parseAs`. */
|
||||
|
||||
@@ -108,10 +108,10 @@ private module TypeLiteralToJacksonDatabindFlowConfig implements DataFlow::Confi
|
||||
}
|
||||
|
||||
private module TypeLiteralToJacksonDatabindFlow =
|
||||
DataFlow::Make<TypeLiteralToJacksonDatabindFlowConfig>;
|
||||
DataFlow::Global<TypeLiteralToJacksonDatabindFlowConfig>;
|
||||
|
||||
private TypeLiteral getSourceWithFlowToJacksonDatabind() {
|
||||
TypeLiteralToJacksonDatabindFlow::hasFlow(DataFlow::exprNode(result), _)
|
||||
TypeLiteralToJacksonDatabindFlow::flow(DataFlow::exprNode(result), _)
|
||||
}
|
||||
|
||||
/** A type whose values are explicitly deserialized in a call to a Jackson method. */
|
||||
|
||||
@@ -173,4 +173,4 @@ private module SensitiveCommunicationConfig implements DataFlow::ConfigSig {
|
||||
/**
|
||||
* Tracks taint flow from variables containing sensitive information to broadcast Intents.
|
||||
*/
|
||||
module SensitiveCommunicationFlow = TaintTracking::Make<SensitiveCommunicationConfig>;
|
||||
module SensitiveCommunicationFlow = TaintTracking::Global<SensitiveCommunicationConfig>;
|
||||
|
||||
@@ -17,15 +17,15 @@ private module ApkInstallationConfig implements DataFlow::ConfigSig {
|
||||
ma.getMethod() instanceof SetDataMethod and
|
||||
ma.getArgument(0) = node.asExpr() and
|
||||
(
|
||||
PackageArchiveMimeTypeFlow::hasFlowToExpr(ma.getQualifier())
|
||||
PackageArchiveMimeTypeFlow::flowToExpr(ma.getQualifier())
|
||||
or
|
||||
InstallPackageActionFlow::hasFlowToExpr(ma.getQualifier())
|
||||
InstallPackageActionFlow::flowToExpr(ma.getQualifier())
|
||||
)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
module ApkInstallationFlow = DataFlow::Make<ApkInstallationConfig>;
|
||||
module ApkInstallationFlow = DataFlow::Global<ApkInstallationConfig>;
|
||||
|
||||
private newtype ActionState =
|
||||
ActionUnset() or
|
||||
@@ -72,7 +72,8 @@ private module InstallPackageActionConfig implements DataFlow::StateConfigSig {
|
||||
predicate isBarrier(DataFlow::Node node, FlowState state) { none() }
|
||||
}
|
||||
|
||||
private module InstallPackageActionFlow = TaintTracking::MakeWithState<InstallPackageActionConfig>;
|
||||
private module InstallPackageActionFlow =
|
||||
TaintTracking::GlobalWithState<InstallPackageActionConfig>;
|
||||
|
||||
private newtype MimeTypeState =
|
||||
MimeTypeUnset() or
|
||||
@@ -117,4 +118,4 @@ private module PackageArchiveMimeTypeConfig implements DataFlow::StateConfigSig
|
||||
}
|
||||
|
||||
private module PackageArchiveMimeTypeFlow =
|
||||
TaintTracking::MakeWithState<PackageArchiveMimeTypeConfig>;
|
||||
TaintTracking::GlobalWithState<PackageArchiveMimeTypeConfig>;
|
||||
|
||||
@@ -37,4 +37,4 @@ private module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
|
||||
* Taint-tracking flow for unsafe user input
|
||||
* that is used to create Android fragments dynamically.
|
||||
*/
|
||||
module FragmentInjectionTaintFlow = TaintTracking::Make<FragmentInjectionTaintConfig>;
|
||||
module FragmentInjectionTaintFlow = TaintTracking::Global<FragmentInjectionTaintConfig>;
|
||||
|
||||
@@ -53,4 +53,4 @@ private module IntentUriPermissionManipulationConfig implements DataFlow::Config
|
||||
* Taint tracking flow for user-provided Intents being returned to third party apps.
|
||||
*/
|
||||
module IntentUriPermissionManipulationFlow =
|
||||
TaintTracking::Make<IntentUriPermissionManipulationConfig>;
|
||||
TaintTracking::Global<IntentUriPermissionManipulationConfig>;
|
||||
|
||||
@@ -38,4 +38,4 @@ private module LogInjectionConfig implements DataFlow::ConfigSig {
|
||||
/**
|
||||
* Taint-tracking flow for tracking untrusted user input used in log entries.
|
||||
*/
|
||||
module LogInjectionFlow = TaintTracking::Make<LogInjectionConfig>;
|
||||
module LogInjectionFlow = TaintTracking::Global<LogInjectionConfig>;
|
||||
|
||||
@@ -53,4 +53,4 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof RequestForgerySanitizer }
|
||||
}
|
||||
|
||||
module RequestForgeryFlow = TaintTracking::Make<RequestForgeryConfig>;
|
||||
module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>;
|
||||
|
||||
@@ -42,4 +42,4 @@ private module RsaWithoutOaepConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
/** Flow for finding RSA ciphers initialized without using OAEP padding. */
|
||||
module RsaWithoutOaepFlow = DataFlow::Make<RsaWithoutOaepConfig>;
|
||||
module RsaWithoutOaepFlow = DataFlow::Global<RsaWithoutOaepConfig>;
|
||||
|
||||
@@ -65,4 +65,4 @@ private module SensitiveLoggerConfig implements DataFlow::ConfigSig {
|
||||
predicate isBarrierIn(Node node) { isSource(node) }
|
||||
}
|
||||
|
||||
module SensitiveLoggerFlow = TaintTracking::Make<SensitiveLoggerConfig>;
|
||||
module SensitiveLoggerFlow = TaintTracking::Global<SensitiveLoggerConfig>;
|
||||
|
||||
@@ -41,4 +41,4 @@ private module UnsafeContentResolutionConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
/** Taint-tracking flow to find paths from remote sources to content URI resolutions. */
|
||||
module UnsafeContentResolutionFlow = TaintTracking::Make<UnsafeContentResolutionConfig>;
|
||||
module UnsafeContentResolutionFlow = TaintTracking::Global<UnsafeContentResolutionConfig>;
|
||||
|
||||
@@ -43,7 +43,7 @@ private class DefaultXssSink extends XssSink {
|
||||
or
|
||||
exists(MethodAccess ma |
|
||||
ma.getMethod() instanceof WritingMethod and
|
||||
XssVulnerableWriterSourceToWritingMethodFlow::hasFlowToExpr(ma.getQualifier()) and
|
||||
XssVulnerableWriterSourceToWritingMethodFlow::flowToExpr(ma.getQualifier()) and
|
||||
this.asExpr() = ma.getArgument(_)
|
||||
)
|
||||
}
|
||||
@@ -71,7 +71,7 @@ private module XssVulnerableWriterSourceToWritingMethodFlowConfig implements Dat
|
||||
}
|
||||
|
||||
private module XssVulnerableWriterSourceToWritingMethodFlow =
|
||||
TaintTracking::Make<XssVulnerableWriterSourceToWritingMethodFlowConfig>;
|
||||
TaintTracking::Global<XssVulnerableWriterSourceToWritingMethodFlowConfig>;
|
||||
|
||||
/** A method that can be used to output data to an output stream or writer. */
|
||||
private class WritingMethod extends Method {
|
||||
|
||||
@@ -42,4 +42,4 @@ module XxeLocalConfig implements DataFlow::ConfigSig {
|
||||
/**
|
||||
* Detect taint flow of unvalidated local user input that is used in XML external entity expansion.
|
||||
*/
|
||||
module XxeLocalFlow = TaintTracking::Make<XxeLocalConfig>;
|
||||
module XxeLocalFlow = TaintTracking::Global<XxeLocalConfig>;
|
||||
|
||||
@@ -42,4 +42,4 @@ module XxeConfig implements DataFlow::ConfigSig {
|
||||
/**
|
||||
* Detect taint flow of unvalidated remote user input that is used in XML external entity expansion.
|
||||
*/
|
||||
module XxeFlow = TaintTracking::Make<XxeConfig>;
|
||||
module XxeFlow = TaintTracking::Global<XxeConfig>;
|
||||
|
||||
@@ -81,4 +81,4 @@ private module PolynomialRedosConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module PolynomialRedosFlow = TaintTracking::Make<PolynomialRedosConfig>;
|
||||
module PolynomialRedosFlow = TaintTracking::Global<PolynomialRedosConfig>;
|
||||
|
||||
@@ -41,7 +41,7 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module TaintedPath = TaintTracking::Make<TaintedPathConfig>;
|
||||
module TaintedPath = TaintTracking::Global<TaintedPathConfig>;
|
||||
|
||||
import TaintedPath::PathGraph
|
||||
|
||||
@@ -53,13 +53,13 @@ import TaintedPath::PathGraph
|
||||
* continue to report there; otherwise we report directly at `sink`.
|
||||
*/
|
||||
DataFlow::Node getReportingNode(DataFlow::Node sink) {
|
||||
TaintedPath::hasFlowTo(sink) and
|
||||
TaintedPath::flowTo(sink) and
|
||||
if exists(PathCreation pc | pc.getAnInput() = sink.asExpr())
|
||||
then result.asExpr() = any(PathCreation pc | pc.getAnInput() = sink.asExpr())
|
||||
else result = sink
|
||||
}
|
||||
|
||||
from TaintedPath::PathNode source, TaintedPath::PathNode sink
|
||||
where TaintedPath::hasFlowPath(source, sink)
|
||||
where TaintedPath::flowPath(source, sink)
|
||||
select getReportingNode(sink.getNode()), source, sink, "This path depends on a $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -41,7 +41,7 @@ module TaintedPathLocalConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module TaintedPathLocalFlow = TaintTracking::Make<TaintedPathLocalConfig>;
|
||||
module TaintedPathLocalFlow = TaintTracking::Global<TaintedPathLocalConfig>;
|
||||
|
||||
import TaintedPathLocalFlow::PathGraph
|
||||
|
||||
@@ -53,13 +53,13 @@ import TaintedPathLocalFlow::PathGraph
|
||||
* continue to report there; otherwise we report directly at `sink`.
|
||||
*/
|
||||
DataFlow::Node getReportingNode(DataFlow::Node sink) {
|
||||
TaintedPathLocalFlow::hasFlowTo(sink) and
|
||||
TaintedPathLocalFlow::flowTo(sink) and
|
||||
if exists(PathCreation pc | pc.getAnInput() = sink.asExpr())
|
||||
then result.asExpr() = any(PathCreation pc | pc.getAnInput() = sink.asExpr())
|
||||
else result = sink
|
||||
}
|
||||
|
||||
from TaintedPathLocalFlow::PathNode source, TaintedPathLocalFlow::PathNode sink
|
||||
where TaintedPathLocalFlow::hasFlowPath(source, sink)
|
||||
where TaintedPathLocalFlow::flowPath(source, sink)
|
||||
select getReportingNode(sink.getNode()), source, sink, "This path depends on a $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -44,7 +44,7 @@ module ZipSlipConfig implements DataFlow::ConfigSig {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof PathInjectionSanitizer }
|
||||
}
|
||||
|
||||
module ZipSlipFlow = TaintTracking::Make<ZipSlipConfig>;
|
||||
module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;
|
||||
|
||||
import ZipSlipFlow::PathGraph
|
||||
|
||||
@@ -56,7 +56,7 @@ private class FileCreationSink extends DataFlow::Node {
|
||||
}
|
||||
|
||||
from ZipSlipFlow::PathNode source, ZipSlipFlow::PathNode sink
|
||||
where ZipSlipFlow::hasFlowPath(source, sink)
|
||||
where ZipSlipFlow::flowPath(source, sink)
|
||||
select source.getNode(), source, sink,
|
||||
"Unsanitized archive entry, which may contain '..', is used in a $@.", sink.getNode(),
|
||||
"file system operation"
|
||||
|
||||
@@ -32,7 +32,7 @@ module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
module LocalUserInputToArgumentToExecFlow =
|
||||
TaintTracking::Make<LocalUserInputToArgumentToExecFlowConfig>;
|
||||
TaintTracking::Global<LocalUserInputToArgumentToExecFlowConfig>;
|
||||
|
||||
import LocalUserInputToArgumentToExecFlow::PathGraph
|
||||
|
||||
@@ -40,7 +40,7 @@ from
|
||||
LocalUserInputToArgumentToExecFlow::PathNode source,
|
||||
LocalUserInputToArgumentToExecFlow::PathNode sink, ArgumentToExec execArg
|
||||
where
|
||||
LocalUserInputToArgumentToExecFlow::hasFlowPath(source, sink) and
|
||||
LocalUserInputToArgumentToExecFlow::flowPath(source, sink) and
|
||||
sink.getNode().asExpr() = execArg
|
||||
select execArg, source, sink, "This command line depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -29,11 +29,11 @@ module XssConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module XssFlow = TaintTracking::Make<XssConfig>;
|
||||
module XssFlow = TaintTracking::Global<XssConfig>;
|
||||
|
||||
import XssFlow::PathGraph
|
||||
|
||||
from XssFlow::PathNode source, XssFlow::PathNode sink
|
||||
where XssFlow::hasFlowPath(source, sink)
|
||||
where XssFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to a $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -21,11 +21,11 @@ module XssLocalConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
|
||||
}
|
||||
|
||||
module XssLocalFlow = TaintTracking::Make<XssLocalConfig>;
|
||||
module XssLocalFlow = TaintTracking::Global<XssLocalConfig>;
|
||||
|
||||
import XssLocalFlow::PathGraph
|
||||
|
||||
from XssLocalFlow::PathNode source, XssLocalFlow::PathNode sink
|
||||
where XssLocalFlow::hasFlowPath(source, sink)
|
||||
where XssLocalFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -36,7 +36,7 @@ module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig
|
||||
}
|
||||
|
||||
module UncontrolledStringBuilderSourceFlow =
|
||||
TaintTracking::Make<UncontrolledStringBuilderSourceFlowConfig>;
|
||||
TaintTracking::Global<UncontrolledStringBuilderSourceFlowConfig>;
|
||||
|
||||
from QueryInjectionSink query, Expr uncontrolled
|
||||
where
|
||||
@@ -45,7 +45,7 @@ where
|
||||
or
|
||||
exists(StringBuilderVar sbv |
|
||||
uncontrolledStringBuilderQuery(sbv, uncontrolled) and
|
||||
UncontrolledStringBuilderSourceFlow::hasFlow(DataFlow::exprNode(sbv.getToStringCall()), query)
|
||||
UncontrolledStringBuilderSourceFlow::flow(DataFlow::exprNode(sbv.getToStringCall()), query)
|
||||
)
|
||||
) and
|
||||
not queryTaintedBy(query, _, _)
|
||||
|
||||
@@ -31,13 +31,13 @@ module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
module LocalUserInputToQueryInjectionFlow =
|
||||
TaintTracking::Make<LocalUserInputToQueryInjectionFlowConfig>;
|
||||
TaintTracking::Global<LocalUserInputToQueryInjectionFlowConfig>;
|
||||
|
||||
import LocalUserInputToQueryInjectionFlow::PathGraph
|
||||
|
||||
from
|
||||
LocalUserInputToQueryInjectionFlow::PathNode source,
|
||||
LocalUserInputToQueryInjectionFlow::PathNode sink
|
||||
where LocalUserInputToQueryInjectionFlow::hasFlowPath(source, sink)
|
||||
where LocalUserInputToQueryInjectionFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -17,6 +17,6 @@ import LdapInjectionLib
|
||||
import LdapInjectionFlow::PathGraph
|
||||
|
||||
from LdapInjectionFlow::PathNode source, LdapInjectionFlow::PathNode sink
|
||||
where LdapInjectionFlow::hasFlowPath(source, sink)
|
||||
where LdapInjectionFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This LDAP query depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -17,4 +17,4 @@ module LdapInjectionFlowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module LdapInjectionFlow = TaintTracking::Make<LdapInjectionFlowConfig>;
|
||||
module LdapInjectionFlow = TaintTracking::Global<LdapInjectionFlowConfig>;
|
||||
|
||||
@@ -15,5 +15,5 @@ import semmle.code.java.security.ArbitraryApkInstallationQuery
|
||||
import ApkInstallationFlow::PathGraph
|
||||
|
||||
from ApkInstallationFlow::PathNode source, ApkInstallationFlow::PathNode sink
|
||||
where ApkInstallationFlow::hasFlowPath(source, sink)
|
||||
where ApkInstallationFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Arbitrary Android APK installation."
|
||||
|
||||
@@ -61,7 +61,7 @@ module BeanValidationConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
|
||||
}
|
||||
|
||||
module BeanValidationFlow = TaintTracking::Make<BeanValidationConfig>;
|
||||
module BeanValidationFlow = TaintTracking::Global<BeanValidationConfig>;
|
||||
|
||||
import BeanValidationFlow::PathGraph
|
||||
|
||||
@@ -80,6 +80,6 @@ where
|
||||
or
|
||||
exists(SetMessageInterpolatorCall c | not c.isSafe())
|
||||
) and
|
||||
BeanValidationFlow::hasFlowPath(source, sink)
|
||||
BeanValidationFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Custom constraint error message contains an unsanitized $@.",
|
||||
source, "user-provided value"
|
||||
|
||||
@@ -42,12 +42,12 @@ module ResponseSplittingConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module ResponseSplitting = TaintTracking::Make<ResponseSplittingConfig>;
|
||||
module ResponseSplitting = TaintTracking::Global<ResponseSplittingConfig>;
|
||||
|
||||
import ResponseSplitting::PathGraph
|
||||
|
||||
from ResponseSplitting::PathNode source, ResponseSplitting::PathNode sink
|
||||
where ResponseSplitting::hasFlowPath(source, sink)
|
||||
where ResponseSplitting::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"This header depends on a $@, which may cause a response-splitting vulnerability.",
|
||||
source.getNode(), "user-provided value"
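Review bot: The alias on the rewritten line `module ResponseSplitting = TaintTracking::Global<ResponseSplittingConfig>;` has no `Flow` suffix, unlike the other instantiations this commit touches (`LdapInjectionFlow`, `LogInjectionFlow`, `UrlRedirectFlow`). The next file section also binds the same name `ResponseSplitting` to `ResponseSplittingLocalConfig`. Since this is already a naming pass, I would write `module ResponseSplittingFlow = TaintTracking::Global<ResponseSplittingConfig>;` here and `module ResponseSplittingLocalFlow = TaintTracking::Global<ResponseSplittingLocalConfig>;` in the other section, updating the `PathGraph` import, the `PathNode` types and the `flowPath` call in each to match. Distinct names make it easier to tell which configuration produced a path when triaging alerts. Whether anything outside these two files refers to the alias is not visible here.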
|
||||
|
||||
@@ -26,12 +26,12 @@ module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module ResponseSplitting = TaintTracking::Make<ResponseSplittingLocalConfig>;
|
||||
module ResponseSplitting = TaintTracking::Global<ResponseSplittingLocalConfig>;
|
||||
|
||||
import ResponseSplitting::PathGraph
|
||||
|
||||
from ResponseSplitting::PathNode source, ResponseSplitting::PathNode sink
|
||||
where ResponseSplitting::hasFlowPath(source, sink)
|
||||
where ResponseSplitting::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"This header depends on a $@, which may cause a response-splitting vulnerability.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -16,6 +16,6 @@ import semmle.code.java.security.LogInjectionQuery
|
||||
import LogInjectionFlow::PathGraph
|
||||
|
||||
from LogInjectionFlow::PathNode source, LogInjectionFlow::PathNode sink
|
||||
where LogInjectionFlow::hasFlowPath(source, sink)
|
||||
where LogInjectionFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This log entry depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -23,7 +23,7 @@ private module ImproperValidationOfArrayConstructionConfig implements DataFlow::
|
||||
}
|
||||
|
||||
module ImproperValidationOfArrayConstructionFlow =
|
||||
TaintTracking::Make<ImproperValidationOfArrayConstructionConfig>;
|
||||
TaintTracking::Global<ImproperValidationOfArrayConstructionConfig>;
|
||||
|
||||
import ImproperValidationOfArrayConstructionFlow::PathGraph
|
||||
|
||||
@@ -34,7 +34,7 @@ from
|
||||
where
|
||||
arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sizeExpr, arrayCreation) and
|
||||
sizeExpr = sink.getNode().asExpr() and
|
||||
ImproperValidationOfArrayConstructionFlow::hasFlowPath(source, sink)
|
||||
ImproperValidationOfArrayConstructionFlow::flowPath(source, sink)
|
||||
select arrayAccess.getIndexExpr(), source, sink,
|
||||
"This accesses the $@, but the array is initialized using a $@ which may be zero.", arrayCreation,
|
||||
"array", source.getNode(), "user-provided value"
|
||||
|
||||
@@ -27,7 +27,7 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module BoundedFlowSourceFlow = DataFlow::Make<BoundedFlowSourceConfig>;
|
||||
module BoundedFlowSourceFlow = DataFlow::Global<BoundedFlowSourceConfig>;
|
||||
|
||||
import BoundedFlowSourceFlow::PathGraph
|
||||
|
||||
@@ -39,7 +39,7 @@ where
|
||||
arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sizeExpr, arrayCreation) and
|
||||
sizeExpr = sink.getNode().asExpr() and
|
||||
boundedsource = source.getNode() and
|
||||
BoundedFlowSourceFlow::hasFlowPath(source, sink)
|
||||
BoundedFlowSourceFlow::flowPath(source, sink)
|
||||
select arrayAccess.getIndexExpr(), source, sink,
|
||||
"This accesses the $@, but the array is initialized using $@ which may be zero.", arrayCreation,
|
||||
"array", boundedsource, boundedsource.getDescription().toLowerCase()
|
||||
|
||||
@@ -24,7 +24,7 @@ module ImproperValidationOfArrayConstructionLocalConfig implements DataFlow::Con
|
||||
}
|
||||
|
||||
module ImproperValidationOfArrayConstructionLocalFlow =
|
||||
TaintTracking::Make<ImproperValidationOfArrayConstructionLocalConfig>;
|
||||
TaintTracking::Global<ImproperValidationOfArrayConstructionLocalConfig>;
|
||||
|
||||
import ImproperValidationOfArrayConstructionLocalFlow::PathGraph
|
||||
|
||||
@@ -35,7 +35,7 @@ from
|
||||
where
|
||||
arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sizeExpr, arrayCreation) and
|
||||
sizeExpr = sink.getNode().asExpr() and
|
||||
ImproperValidationOfArrayConstructionLocalFlow::hasFlowPath(source, sink)
|
||||
ImproperValidationOfArrayConstructionLocalFlow::flowPath(source, sink)
|
||||
select arrayAccess.getIndexExpr(), source, sink,
|
||||
"This accesses the $@, but the array is initialized using a $@ which may be zero.", arrayCreation,
|
||||
"array", source.getNode(), "user-provided value"
|
||||
|
||||
@@ -25,7 +25,7 @@ module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
module ImproperValidationOfArrayIndexFlow =
|
||||
TaintTracking::Make<ImproperValidationOfArrayIndexConfig>;
|
||||
TaintTracking::Global<ImproperValidationOfArrayIndexConfig>;
|
||||
|
||||
import ImproperValidationOfArrayIndexFlow::PathGraph
|
||||
|
||||
@@ -34,7 +34,7 @@ from
|
||||
ImproperValidationOfArrayIndexFlow::PathNode sink, CheckableArrayAccess arrayAccess
|
||||
where
|
||||
arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and
|
||||
ImproperValidationOfArrayIndexFlow::hasFlowPath(source, sink)
|
||||
ImproperValidationOfArrayIndexFlow::flowPath(source, sink)
|
||||
select arrayAccess.getIndexExpr(), source, sink,
|
||||
"This index depends on a $@ which can cause an ArrayIndexOutOfBoundsException.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -24,7 +24,7 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module BoundedFlowSourceFlow = DataFlow::Make<BoundedFlowSourceConfig>;
|
||||
module BoundedFlowSourceFlow = DataFlow::Global<BoundedFlowSourceConfig>;
|
||||
|
||||
import BoundedFlowSourceFlow::PathGraph
|
||||
|
||||
@@ -34,7 +34,7 @@ from
|
||||
where
|
||||
arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and
|
||||
boundedsource = source.getNode() and
|
||||
BoundedFlowSourceFlow::hasFlowPath(source, sink) and
|
||||
BoundedFlowSourceFlow::flowPath(source, sink) and
|
||||
boundedsource != sink.getNode() and
|
||||
not (
|
||||
(
|
||||
|
||||
@@ -24,7 +24,7 @@ module ImproperValidationOfArrayIndexLocalConfig implements DataFlow::ConfigSig
|
||||
}
|
||||
|
||||
module ImproperValidationOfArrayIndexLocalFlow =
|
||||
TaintTracking::Make<ImproperValidationOfArrayIndexLocalConfig>;
|
||||
TaintTracking::Global<ImproperValidationOfArrayIndexLocalConfig>;
|
||||
|
||||
import ImproperValidationOfArrayIndexLocalFlow::PathGraph
|
||||
|
||||
@@ -33,7 +33,7 @@ from
|
||||
ImproperValidationOfArrayIndexLocalFlow::PathNode sink, CheckableArrayAccess arrayAccess
|
||||
where
|
||||
arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and
|
||||
ImproperValidationOfArrayIndexLocalFlow::hasFlowPath(source, sink)
|
||||
ImproperValidationOfArrayIndexLocalFlow::flowPath(source, sink)
|
||||
select arrayAccess.getIndexExpr(), source, sink,
|
||||
"This index depends on a $@ which can cause an ArrayIndexOutOfBoundsException.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -27,7 +27,7 @@ module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
module ExternallyControlledFormatStringFlow =
|
||||
TaintTracking::Make<ExternallyControlledFormatStringConfig>;
|
||||
TaintTracking::Global<ExternallyControlledFormatStringConfig>;
|
||||
|
||||
import ExternallyControlledFormatStringFlow::PathGraph
|
||||
|
||||
@@ -35,7 +35,7 @@ from
|
||||
ExternallyControlledFormatStringFlow::PathNode source,
|
||||
ExternallyControlledFormatStringFlow::PathNode sink, StringFormat formatCall
|
||||
where
|
||||
ExternallyControlledFormatStringFlow::hasFlowPath(source, sink) and
|
||||
ExternallyControlledFormatStringFlow::flowPath(source, sink) and
|
||||
sink.getNode().asExpr() = formatCall.getFormatArgument()
|
||||
select formatCall.getFormatArgument(), source, sink, "Format string depends on a $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -23,7 +23,7 @@ module ExternallyControlledFormatStringLocalConfig implements DataFlow::ConfigSi
|
||||
}
|
||||
|
||||
module ExternallyControlledFormatStringLocalFlow =
|
||||
TaintTracking::Make<ExternallyControlledFormatStringLocalConfig>;
|
||||
TaintTracking::Global<ExternallyControlledFormatStringLocalConfig>;
|
||||
|
||||
import ExternallyControlledFormatStringLocalFlow::PathGraph
|
||||
|
||||
@@ -31,7 +31,7 @@ from
|
||||
ExternallyControlledFormatStringLocalFlow::PathNode source,
|
||||
ExternallyControlledFormatStringLocalFlow::PathNode sink, StringFormat formatCall
|
||||
where
|
||||
ExternallyControlledFormatStringLocalFlow::hasFlowPath(source, sink) and
|
||||
ExternallyControlledFormatStringLocalFlow::flowPath(source, sink) and
|
||||
sink.getNode().asExpr() = formatCall.getFormatArgument()
|
||||
select formatCall.getFormatArgument(), source, sink, "Format string depends on a $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -32,9 +32,9 @@ module RemoteUserInputUnderflowConfig implements DataFlow::ConfigSig {
|
||||
predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }
|
||||
}
|
||||
|
||||
module RemoteUserInputOverflow = TaintTracking::Make<RemoteUserInputOverflowConfig>;
|
||||
module RemoteUserInputOverflow = TaintTracking::Global<RemoteUserInputOverflowConfig>;
|
||||
|
||||
module RemoteUserInputUnderflow = TaintTracking::Make<RemoteUserInputUnderflowConfig>;
|
||||
module RemoteUserInputUnderflow = TaintTracking::Global<RemoteUserInputUnderflowConfig>;
|
||||
|
||||
module Flow =
|
||||
DataFlow::MergePathGraph<RemoteUserInputOverflow::PathNode, RemoteUserInputUnderflow::PathNode,
|
||||
@@ -44,11 +44,11 @@ import Flow::PathGraph
|
||||
|
||||
from Flow::PathNode source, Flow::PathNode sink, ArithExpr exp, string effect
|
||||
where
|
||||
RemoteUserInputOverflow::hasFlowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
RemoteUserInputOverflow::flowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
overflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "overflow"
|
||||
or
|
||||
RemoteUserInputUnderflow::hasFlowPath(source.asPathNode2(), sink.asPathNode2()) and
|
||||
RemoteUserInputUnderflow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
|
||||
underflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "underflow"
|
||||
select exp, source, sink,
|
||||
|
||||
@@ -25,7 +25,7 @@ module ArithmeticTaintedLocalOverflowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
module ArithmeticTaintedLocalOverflowFlow =
|
||||
TaintTracking::Make<ArithmeticTaintedLocalOverflowConfig>;
|
||||
TaintTracking::Global<ArithmeticTaintedLocalOverflowConfig>;
|
||||
|
||||
module ArithmeticTaintedLocalUnderflowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
|
||||
@@ -36,7 +36,7 @@ module ArithmeticTaintedLocalUnderflowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
module ArithmeticTaintedLocalUnderflowFlow =
|
||||
TaintTracking::Make<ArithmeticTaintedLocalUnderflowConfig>;
|
||||
TaintTracking::Global<ArithmeticTaintedLocalUnderflowConfig>;
|
||||
|
||||
module Flow =
|
||||
DataFlow::MergePathGraph<ArithmeticTaintedLocalOverflowFlow::PathNode,
|
||||
@@ -47,11 +47,11 @@ import Flow::PathGraph
|
||||
|
||||
from Flow::PathNode source, Flow::PathNode sink, ArithExpr exp, string effect
|
||||
where
|
||||
ArithmeticTaintedLocalOverflowFlow::hasFlowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
ArithmeticTaintedLocalOverflowFlow::flowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
overflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "overflow"
|
||||
or
|
||||
ArithmeticTaintedLocalUnderflowFlow::hasFlowPath(source.asPathNode2(), sink.asPathNode2()) and
|
||||
ArithmeticTaintedLocalUnderflowFlow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
|
||||
underflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "underflow"
|
||||
select exp, source, sink,
|
||||
|
||||
@@ -33,7 +33,7 @@ module ArithmeticUncontrolledOverflowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
module ArithmeticUncontrolledOverflowFlow =
|
||||
TaintTracking::Make<ArithmeticUncontrolledOverflowConfig>;
|
||||
TaintTracking::Global<ArithmeticUncontrolledOverflowConfig>;
|
||||
|
||||
module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof TaintSource }
|
||||
@@ -44,7 +44,7 @@ module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
module ArithmeticUncontrolledUnderflowFlow =
|
||||
TaintTracking::Make<ArithmeticUncontrolledUnderflowConfig>;
|
||||
TaintTracking::Global<ArithmeticUncontrolledUnderflowConfig>;
|
||||
|
||||
module Flow =
|
||||
DataFlow::MergePathGraph<ArithmeticUncontrolledOverflowFlow::PathNode,
|
||||
@@ -55,11 +55,11 @@ import Flow::PathGraph
|
||||
|
||||
from Flow::PathNode source, Flow::PathNode sink, ArithExpr exp, string effect
|
||||
where
|
||||
ArithmeticUncontrolledOverflowFlow::hasFlowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
ArithmeticUncontrolledOverflowFlow::flowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
overflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "overflow"
|
||||
or
|
||||
ArithmeticUncontrolledUnderflowFlow::hasFlowPath(source.asPathNode2(), sink.asPathNode2()) and
|
||||
ArithmeticUncontrolledUnderflowFlow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
|
||||
underflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "underflow"
|
||||
select exp, source, sink,
|
||||
|
||||
@@ -45,7 +45,7 @@ module MaxValueFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) }
|
||||
}
|
||||
|
||||
module MaxValueFlow = DataFlow::Make<MaxValueFlowConfig>;
|
||||
module MaxValueFlow = DataFlow::Global<MaxValueFlowConfig>;
|
||||
|
||||
module MinValueFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
@@ -59,7 +59,7 @@ module MinValueFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }
|
||||
}
|
||||
|
||||
module MinValueFlow = DataFlow::Make<MinValueFlowConfig>;
|
||||
module MinValueFlow = DataFlow::Global<MinValueFlowConfig>;
|
||||
|
||||
module Flow =
|
||||
DataFlow::MergePathGraph<MaxValueFlow::PathNode, MinValueFlow::PathNode, MaxValueFlow::PathGraph,
|
||||
@@ -71,11 +71,11 @@ predicate query(
|
||||
Flow::PathNode source, Flow::PathNode sink, ArithExpr exp, string effect, Type srctyp
|
||||
) {
|
||||
(
|
||||
MaxValueFlow::hasFlowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
MaxValueFlow::flowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
overflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "overflow"
|
||||
or
|
||||
MinValueFlow::hasFlowPath(source.asPathNode2(), sink.asPathNode2()) and
|
||||
MinValueFlow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
|
||||
underflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "underflow"
|
||||
) and
|
||||
|
||||
@@ -102,7 +102,7 @@ module WebViewDisallowContentAccessConfig implements DataFlow::StateConfigSig {
|
||||
}
|
||||
|
||||
module WebViewDisallowContentAccessFlow =
|
||||
TaintTracking::MakeWithState<WebViewDisallowContentAccessConfig>;
|
||||
TaintTracking::GlobalWithState<WebViewDisallowContentAccessConfig>;
|
||||
|
||||
from Expr e
|
||||
where
|
||||
@@ -116,7 +116,7 @@ where
|
||||
// implicit: no setAllowContentAccess(false)
|
||||
exists(WebViewSource source |
|
||||
source.asExpr() = e and
|
||||
not WebViewDisallowContentAccessFlow::hasFlow(source, _)
|
||||
not WebViewDisallowContentAccessFlow::flow(source, _)
|
||||
)
|
||||
select e,
|
||||
"Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView."
|
||||
|
||||
@@ -133,7 +133,7 @@ module TempDirSystemGetPropertyToCreateConfig implements DataFlow::ConfigSig {
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
sink instanceof FileCreationSink and
|
||||
not TempDirSystemGetPropertyDirectlyToMkdir::hasFlowTo(sink)
|
||||
not TempDirSystemGetPropertyDirectlyToMkdir::flowTo(sink)
|
||||
}
|
||||
|
||||
predicate isBarrier(DataFlow::Node sanitizer) {
|
||||
@@ -146,7 +146,7 @@ module TempDirSystemGetPropertyToCreateConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
module TempDirSystemGetPropertyToCreate =
|
||||
TaintTracking::Make<TempDirSystemGetPropertyToCreateConfig>;
|
||||
TaintTracking::Global<TempDirSystemGetPropertyToCreateConfig>;
|
||||
|
||||
/**
|
||||
* Configuration that tracks calls to to `mkdir` or `mkdirs` that are are directly on the temp directory system property.
|
||||
@@ -179,7 +179,7 @@ module TempDirSystemGetPropertyDirectlyToMkdirConfig implements DataFlow::Config
|
||||
}
|
||||
|
||||
module TempDirSystemGetPropertyDirectlyToMkdir =
|
||||
TaintTracking::Make<TempDirSystemGetPropertyDirectlyToMkdirConfig>;
|
||||
TaintTracking::Global<TempDirSystemGetPropertyDirectlyToMkdirConfig>;
|
||||
|
||||
//
|
||||
// Begin configuration for tracking single-method calls that are vulnerable.
|
||||
@@ -270,7 +270,7 @@ import Flow::PathGraph
|
||||
from Flow::PathNode source, Flow::PathNode sink, string message
|
||||
where
|
||||
(
|
||||
TempDirSystemGetPropertyToCreate::hasFlowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
TempDirSystemGetPropertyToCreate::flowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
message =
|
||||
"Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users."
|
||||
or
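Review bot: The QLDoc comment that opens right after the rewritten `TempDirSystemGetPropertyToCreate` instantiation (second hunk of this file) contains doubled words, "calls to to" and "that are are directly". As the neighbouring lines are being edited anyway, I would change these to `calls to` and `that are directly`, so that the sentence describing what `TempDirSystemGetPropertyDirectlyToMkdirConfig` tracks reads cleanly. The comment continues outside the hunk, so the rest of it is not covered by this note.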
|
||||
|
||||
@@ -42,7 +42,7 @@ module ServletWriterSourceToPrintStackTraceMethodFlowConfig implements DataFlow:
|
||||
}
|
||||
|
||||
module ServletWriterSourceToPrintStackTraceMethodFlow =
|
||||
TaintTracking::Make<ServletWriterSourceToPrintStackTraceMethodFlowConfig>;
|
||||
TaintTracking::Global<ServletWriterSourceToPrintStackTraceMethodFlowConfig>;
|
||||
|
||||
/**
|
||||
* A call that uses `Throwable.printStackTrace()` on a stream that is connected
|
||||
@@ -51,7 +51,7 @@ module ServletWriterSourceToPrintStackTraceMethodFlow =
|
||||
predicate printsStackToWriter(MethodAccess call) {
|
||||
exists(PrintStackTraceMethod printStackTrace |
|
||||
call.getMethod() = printStackTrace and
|
||||
ServletWriterSourceToPrintStackTraceMethodFlow::hasFlowToExpr(call.getAnArgument())
|
||||
ServletWriterSourceToPrintStackTraceMethodFlow::flowToExpr(call.getAnArgument())
|
||||
)
|
||||
}
|
||||
|
||||
@@ -87,7 +87,7 @@ module StackTraceStringToHttpResponseSinkFlowConfig implements DataFlow::ConfigS
|
||||
}
|
||||
|
||||
module StackTraceStringToHttpResponseSinkFlow =
|
||||
TaintTracking::Make<StackTraceStringToHttpResponseSinkFlowConfig>;
|
||||
TaintTracking::Global<StackTraceStringToHttpResponseSinkFlowConfig>;
|
||||
|
||||
/**
|
||||
* A write of stack trace data to an external stream.
|
||||
@@ -104,8 +104,7 @@ predicate printsStackExternally(MethodAccess call, Expr stackTrace) {
|
||||
predicate stringifiedStackFlowsExternally(DataFlow::Node externalExpr, Expr stackTrace) {
|
||||
exists(MethodAccess stackTraceString |
|
||||
stackTraceExpr(stackTrace, stackTraceString) and
|
||||
StackTraceStringToHttpResponseSinkFlow::hasFlow(DataFlow::exprNode(stackTraceString),
|
||||
externalExpr)
|
||||
StackTraceStringToHttpResponseSinkFlow::flow(DataFlow::exprNode(stackTraceString), externalExpr)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -127,13 +126,13 @@ module GetMessageFlowSourceToHttpResponseSinkFlowConfig implements DataFlow::Con
|
||||
}
|
||||
|
||||
module GetMessageFlowSourceToHttpResponseSinkFlow =
|
||||
TaintTracking::Make<GetMessageFlowSourceToHttpResponseSinkFlowConfig>;
|
||||
TaintTracking::Global<GetMessageFlowSourceToHttpResponseSinkFlowConfig>;
|
||||
|
||||
/**
|
||||
* A call to `getMessage()` that then flows to a servlet response.
|
||||
*/
|
||||
predicate getMessageFlowsExternally(DataFlow::Node externalExpr, GetMessageFlowSource getMessage) {
|
||||
GetMessageFlowSourceToHttpResponseSinkFlow::hasFlow(DataFlow::exprNode(getMessage), externalExpr)
|
||||
GetMessageFlowSourceToHttpResponseSinkFlow::flow(DataFlow::exprNode(getMessage), externalExpr)
|
||||
}
|
||||
|
||||
from Expr externalExpr, Expr errorInformation
|
||||
|
||||
@@ -20,7 +20,7 @@ import IntentUriPermissionManipulationFlow::PathGraph
|
||||
from
|
||||
IntentUriPermissionManipulationFlow::PathNode source,
|
||||
IntentUriPermissionManipulationFlow::PathNode sink
|
||||
where IntentUriPermissionManipulationFlow::hasFlowPath(source, sink)
|
||||
where IntentUriPermissionManipulationFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"This Intent can be set with arbitrary flags from a $@, " +
|
||||
"and used to give access to internal content providers.", source.getNode(),
|
||||
|
||||
@@ -77,7 +77,7 @@ module TrustAllHostnameVerifierConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module TrustAllHostnameVerifierFlow = DataFlow::Make<TrustAllHostnameVerifierConfig>;
|
||||
module TrustAllHostnameVerifierFlow = DataFlow::Global<TrustAllHostnameVerifierConfig>;
|
||||
|
||||
import TrustAllHostnameVerifierFlow::PathGraph
|
||||
|
||||
@@ -118,7 +118,7 @@ from
|
||||
TrustAllHostnameVerifierFlow::PathNode source, TrustAllHostnameVerifierFlow::PathNode sink,
|
||||
RefType verifier
|
||||
where
|
||||
TrustAllHostnameVerifierFlow::hasFlowPath(source, sink) and
|
||||
TrustAllHostnameVerifierFlow::flowPath(source, sink) and
|
||||
not isNodeGuardedByFlag(sink.getNode()) and
|
||||
verifier = source.getNode().asExpr().(ClassInstanceExpr).getConstructedType()
|
||||
select sink, source, sink,
|
||||
|
||||
@@ -38,7 +38,7 @@ module InsecureCryptoConfig implements ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module InsecureCryptoFlow = TaintTracking::Make<InsecureCryptoConfig>;
|
||||
module InsecureCryptoFlow = TaintTracking::Global<InsecureCryptoConfig>;
|
||||
|
||||
import InsecureCryptoFlow::PathGraph
|
||||
|
||||
@@ -48,6 +48,6 @@ from
|
||||
where
|
||||
sink.getNode().asExpr() = c.getAlgoSpec() and
|
||||
source.getNode().asExpr() = s and
|
||||
InsecureCryptoFlow::hasFlowPath(source, sink)
|
||||
InsecureCryptoFlow::flowPath(source, sink)
|
||||
select c, source, sink, "Cryptographic algorithm $@ is weak and should not be used.", s,
|
||||
s.getValue()
|
||||
|
||||
@@ -61,7 +61,7 @@ module InsecureCryptoConfig implements ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module InsecureCryptoFlow = TaintTracking::Make<InsecureCryptoConfig>;
|
||||
module InsecureCryptoFlow = TaintTracking::Global<InsecureCryptoConfig>;
|
||||
|
||||
import InsecureCryptoFlow::PathGraph
|
||||
|
||||
@@ -71,7 +71,7 @@ from
|
||||
where
|
||||
sink.getNode().asExpr() = c.getAlgoSpec() and
|
||||
source.getNode().asExpr() = s and
|
||||
InsecureCryptoFlow::hasFlowPath(source, sink)
|
||||
InsecureCryptoFlow::flowPath(source, sink)
|
||||
select c, source, sink,
|
||||
"Cryptographic algorithm $@ may not be secure, consider using a different algorithm.", s,
|
||||
s.getValue()
|
||||
|
||||
@@ -17,7 +17,7 @@ import semmle.code.java.security.UnsafeContentUriResolutionQuery
|
||||
import UnsafeContentResolutionFlow::PathGraph
|
||||
|
||||
from UnsafeContentResolutionFlow::PathNode src, UnsafeContentResolutionFlow::PathNode sink
|
||||
where UnsafeContentResolutionFlow::hasFlowPath(src, sink)
|
||||
where UnsafeContentResolutionFlow::flowPath(src, sink)
|
||||
select sink.getNode(), src, sink,
|
||||
"This ContentResolver method that resolves a URI depends on a $@.", src.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -16,7 +16,7 @@ import semmle.code.java.security.FragmentInjectionQuery
|
||||
import FragmentInjectionTaintFlow::PathGraph
|
||||
|
||||
from FragmentInjectionTaintFlow::PathNode source, FragmentInjectionTaintFlow::PathNode sink
|
||||
where FragmentInjectionTaintFlow::hasFlowPath(source, sink)
|
||||
where FragmentInjectionTaintFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"Fragment depends on a $@, which may allow a malicious application to bypass access controls.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -16,6 +16,6 @@ import semmle.code.java.security.SensitiveLoggingQuery
|
||||
import SensitiveLoggerFlow::PathGraph
|
||||
|
||||
from SensitiveLoggerFlow::PathNode source, SensitiveLoggerFlow::PathNode sink
|
||||
where SensitiveLoggerFlow::hasFlowPath(source, sink)
|
||||
where SensitiveLoggerFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This $@ is written to a log file.", source.getNode(),
|
||||
"potentially sensitive information"
|
||||
|
||||
@@ -21,11 +21,11 @@ module UrlRedirectConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink }
|
||||
}
|
||||
|
||||
module UrlRedirectFlow = TaintTracking::Make<UrlRedirectConfig>;
|
||||
module UrlRedirectFlow = TaintTracking::Global<UrlRedirectConfig>;
|
||||
|
||||
import UrlRedirectFlow::PathGraph
|
||||
|
||||
from UrlRedirectFlow::PathNode source, UrlRedirectFlow::PathNode sink
|
||||
where UrlRedirectFlow::hasFlowPath(source, sink)
|
||||
where UrlRedirectFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Untrusted URL redirection depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -21,11 +21,11 @@ module UrlRedirectLocalConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink }
|
||||
}
|
||||
|
||||
module UrlRedirectLocalFlow = TaintTracking::Make<UrlRedirectLocalConfig>;
|
||||
module UrlRedirectLocalFlow = TaintTracking::Global<UrlRedirectLocalConfig>;
|
||||
|
||||
import UrlRedirectLocalFlow::PathGraph
|
||||
|
||||
from UrlRedirectLocalFlow::PathNode source, UrlRedirectLocalFlow::PathNode sink
|
||||
where UrlRedirectLocalFlow::hasFlowPath(source, sink)
|
||||
where UrlRedirectLocalFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Untrusted URL redirection depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -19,7 +19,7 @@ import semmle.code.java.security.XxeRemoteQuery
|
||||
import XxeFlow::PathGraph
|
||||
|
||||
from XxeFlow::PathNode source, XxeFlow::PathNode sink
|
||||
where XxeFlow::hasFlowPath(source, sink)
|
||||
where XxeFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"XML parsing depends on a $@ without guarding against external entity expansion.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -19,7 +19,7 @@ import semmle.code.java.security.XxeLocalQuery
|
||||
import XxeLocalFlow::PathGraph
|
||||
|
||||
from XxeLocalFlow::PathNode source, XxeLocalFlow::PathNode sink
|
||||
where XxeLocalFlow::hasFlowPath(source, sink)
|
||||
where XxeLocalFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"XML parsing depends on a $@ without guarding against external entity expansion.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -47,10 +47,10 @@ module SecureCookieConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module SecureCookieFlow = DataFlow::Make<SecureCookieConfig>;
|
||||
module SecureCookieFlow = DataFlow::Global<SecureCookieConfig>;
|
||||
|
||||
from MethodAccess add
|
||||
where
|
||||
add.getMethod() instanceof ResponseAddCookieMethod and
|
||||
not SecureCookieFlow::hasFlowToExpr(add.getArgument(0))
|
||||
not SecureCookieFlow::flowToExpr(add.getArgument(0))
|
||||
select add, "Cookie is added to response without the 'secure' flag being set."
|
||||
|
||||
@@ -22,11 +22,11 @@ module XPathInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
|
||||
}
|
||||
|
||||
module XPathInjectionFlow = TaintTracking::Make<XPathInjectionConfig>;
|
||||
module XPathInjectionFlow = TaintTracking::Global<XPathInjectionConfig>;
|
||||
|
||||
import XPathInjectionFlow::PathGraph
|
||||
|
||||
from XPathInjectionFlow::PathNode source, XPathInjectionFlow::PathNode sink
|
||||
where XPathInjectionFlow::hasFlowPath(source, sink)
|
||||
where XPathInjectionFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "XPath expression depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -34,14 +34,14 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module NumericCastFlow = TaintTracking::Make<NumericCastFlowConfig>;
|
||||
module NumericCastFlow = TaintTracking::Global<NumericCastFlowConfig>;
|
||||
|
||||
import NumericCastFlow::PathGraph
|
||||
|
||||
from NumericCastFlow::PathNode source, NumericCastFlow::PathNode sink, NumericNarrowingCastExpr exp
|
||||
where
|
||||
sink.getNode().asExpr() = exp.getExpr() and
|
||||
NumericCastFlow::hasFlowPath(source, sink)
|
||||
NumericCastFlow::flowPath(source, sink)
|
||||
select exp, source, sink,
|
||||
"This cast to a narrower type depends on a $@, potentially causing truncation.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -32,7 +32,7 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module NumericCastFlow = TaintTracking::Make<NumericCastFlowConfig>;
|
||||
module NumericCastFlow = TaintTracking::Global<NumericCastFlowConfig>;
|
||||
|
||||
import NumericCastFlow::PathGraph
|
||||
|
||||
@@ -42,7 +42,7 @@ from
|
||||
where
|
||||
exp.getExpr() = tainted and
|
||||
sink.getNode().asExpr() = tainted and
|
||||
NumericCastFlow::hasFlowPath(source, sink) and
|
||||
NumericCastFlow::flowPath(source, sink) and
|
||||
not exists(RightShiftOp e | e.getShiftedVariable() = tainted.getVariable())
|
||||
select exp, source, sink,
|
||||
"This cast to a narrower type depends on a $@, potentially causing truncation.", source.getNode(),
|
||||
|
||||
@@ -21,7 +21,7 @@ from
|
||||
PolynomialRedosFlow::PathNode source, PolynomialRedosFlow::PathNode sink,
|
||||
SuperlinearBackTracking::PolynomialBackTrackingTerm regexp
|
||||
where
|
||||
PolynomialRedosFlow::hasFlowPath(source, sink) and
|
||||
PolynomialRedosFlow::flowPath(source, sink) and
|
||||
regexp.getRootTerm() = sink.getNode().(PolynomialRedosSink).getRegExp()
|
||||
select sink, source, sink,
|
||||
"This $@ that depends on a $@ may run slow on strings " + regexp.getPrefixMessage() +
|
||||
|
||||
@@ -15,6 +15,6 @@ import semmle.code.java.security.RsaWithoutOaepQuery
|
||||
import RsaWithoutOaepFlow::PathGraph
|
||||
|
||||
from RsaWithoutOaepFlow::PathNode source, RsaWithoutOaepFlow::PathNode sink
|
||||
where RsaWithoutOaepFlow::hasFlowPath(source, sink)
|
||||
where RsaWithoutOaepFlow::flowPath(source, sink)
|
||||
select source, source, sink, "This specification is used to $@ without OAEP padding.", sink,
|
||||
"initialize an RSA cipher"
|
||||
|
||||
@@ -60,14 +60,13 @@ module TaintedPermissionsCheckFlowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module TaintedPermissionsCheckFlow = TaintTracking::Make<TaintedPermissionsCheckFlowConfig>;
|
||||
module TaintedPermissionsCheckFlow = TaintTracking::Global<TaintedPermissionsCheckFlowConfig>;
|
||||
|
||||
import TaintedPermissionsCheckFlow::PathGraph
|
||||
|
||||
from
|
||||
TaintedPermissionsCheckFlow::PathNode source, TaintedPermissionsCheckFlow::PathNode sink,
|
||||
PermissionsConstruction p
|
||||
where
|
||||
sink.getNode().asExpr() = p.getInput() and TaintedPermissionsCheckFlow::hasFlowPath(source, sink)
|
||||
where sink.getNode().asExpr() = p.getInput() and TaintedPermissionsCheckFlow::flowPath(source, sink)
|
||||
select p, source, sink, "Permissions check depends on a $@.", source.getNode(),
|
||||
"user-controlled value"
|
||||
|
||||
@@ -16,6 +16,6 @@ import semmle.code.java.security.RequestForgeryConfig
|
||||
import RequestForgeryFlow::PathGraph
|
||||
|
||||
from RequestForgeryFlow::PathNode source, RequestForgeryFlow::PathNode sink
|
||||
where RequestForgeryFlow::hasFlowPath(source, sink)
|
||||
where RequestForgeryFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Potential server-side request forgery due to a $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -16,6 +16,6 @@ import semmle.code.java.security.AndroidSensitiveCommunicationQuery
|
||||
import SensitiveCommunicationFlow::PathGraph
|
||||
|
||||
from SensitiveCommunicationFlow::PathNode source, SensitiveCommunicationFlow::PathNode sink
|
||||
where SensitiveCommunicationFlow::hasFlowPath(source, sink)
|
||||
where SensitiveCommunicationFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This call may leak $@.", source.getNode(),
|
||||
"sensitive information"
|
||||
|
||||
@@ -210,7 +210,7 @@ module ThroughFlowConfig implements DataFlow::StateConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
private module ThroughFlow = TaintTracking::MakeWithState<ThroughFlowConfig>;
|
||||
private module ThroughFlow = TaintTracking::GlobalWithState<ThroughFlowConfig>;
|
||||
|
||||
/**
|
||||
* Gets the summary model(s) of `api`, if there is flow from parameters to return value or parameter.
|
||||
@@ -220,7 +220,7 @@ string captureThroughFlow(DataFlowTargetApi api) {
|
||||
DataFlow::ParameterNode p, DataFlowImplCommon::ReturnNodeExt returnNodeExt, string input,
|
||||
string output
|
||||
|
|
||||
ThroughFlow::hasFlow(p, returnNodeExt) and
|
||||
ThroughFlow::flow(p, returnNodeExt) and
|
||||
returnNodeExt.getEnclosingCallable() = api and
|
||||
input = parameterNodeAsInput(p) and
|
||||
output = returnNodeAsOutput(returnNodeExt) and
|
||||
@@ -253,14 +253,14 @@ module FromSourceConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
private module FromSource = TaintTracking::Make<FromSourceConfig>;
|
||||
private module FromSource = TaintTracking::Global<FromSourceConfig>;
|
||||
|
||||
/**
|
||||
* Gets the source model(s) of `api`, if there is flow from an existing known source to the return of `api`.
|
||||
*/
|
||||
string captureSource(DataFlowTargetApi api) {
|
||||
exists(DataFlow::Node source, DataFlow::Node sink, string kind |
|
||||
FromSource::hasFlow(source, sink) and
|
||||
FromSource::flow(source, sink) and
|
||||
ExternalFlow::sourceNode(source, kind) and
|
||||
api = sink.getEnclosingCallable() and
|
||||
isRelevantSourceKind(kind) and
|
||||
@@ -285,14 +285,14 @@ module PropagateToSinkConfig implements DataFlow::ConfigSig {
|
||||
DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
|
||||
}
|
||||
|
||||
private module PropagateToSink = TaintTracking::Make<PropagateToSinkConfig>;
|
||||
private module PropagateToSink = TaintTracking::Global<PropagateToSinkConfig>;
|
||||
|
||||
/**
|
||||
* Gets the sink model(s) of `api`, if there is flow from a parameter to an existing known sink.
|
||||
*/
|
||||
string captureSink(DataFlowTargetApi api) {
|
||||
exists(DataFlow::Node src, DataFlow::Node sink, string kind |
|
||||
PropagateToSink::hasFlow(src, sink) and
|
||||
PropagateToSink::flow(src, sink) and
|
||||
ExternalFlow::sinkNode(sink, kind) and
|
||||
api = src.getEnclosingCallable() and
|
||||
isRelevantSinkKind(kind) and
|
||||
|
||||
@@ -57,9 +57,9 @@ module DefaultFlowConfig implements DataFlow::ConfigSig {
|
||||
int fieldFlowBranchLimit() { result = 1000 }
|
||||
}
|
||||
|
||||
private module DefaultValueFlow = DataFlow::Make<DefaultFlowConfig>;
|
||||
private module DefaultValueFlow = DataFlow::Global<DefaultFlowConfig>;
|
||||
|
||||
private module DefaultTaintFlow = TaintTracking::Make<DefaultFlowConfig>;
|
||||
private module DefaultTaintFlow = TaintTracking::Global<DefaultFlowConfig>;
|
||||
|
||||
class DefaultValueFlowConf extends DataFlow::Configuration {
|
||||
DefaultValueFlowConf() { this = "qltest:defaultValueFlowConf" }
|
||||
@@ -118,13 +118,13 @@ class InlineFlowTest extends InlineExpectationsTest {
|
||||
predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||
if exists(EnableLegacyConfiguration e)
|
||||
then getValueFlowConfig().hasFlow(src, sink)
|
||||
else DefaultValueFlow::hasFlow(src, sink)
|
||||
else DefaultValueFlow::flow(src, sink)
|
||||
}
|
||||
|
||||
predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||
if exists(EnableLegacyConfiguration e)
|
||||
then getTaintFlowConfig().hasFlow(src, sink)
|
||||
else DefaultTaintFlow::hasFlow(src, sink)
|
||||
else DefaultTaintFlow::flow(src, sink)
|
||||
}
|
||||
|
||||
DataFlow::Configuration getValueFlowConfig() { result = any(DefaultValueFlowConf config) }
|
||||
|
||||
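Review bot: In `hasValueFlow` and `hasTaintFlow` the `then` branches still call `hasFlow` while the `else` branches now call `flow`, and nothing in the hunk says why the two differ. From the visible declarations this looks intentional: `getValueFlowConfig()` returns a `DataFlow::Configuration`, the class-based API this commit does not rename (presumably the same holds for `getTaintFlowConfig()`), whereas `DefaultValueFlow` and `DefaultTaintFlow` are `Global<...>` modules. A one-line comment above each `if`, for example `// Legacy Configuration classes keep hasFlow; only the module-based API was renamed to flow.`, would keep a later cleanup from "finishing" the rename on the legacy call. The enclosing `InlineFlowTest` class starts outside the hunk.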
@@ -47,13 +47,13 @@ module Conf4 implements ConfigSig {
|
||||
}
|
||||
|
||||
predicate flow(Node src, Node sink, string s) {
|
||||
Make<Conf1>::hasFlow(src, sink) and s = "nobarrier"
|
||||
Global<Conf1>::flow(src, sink) and s = "nobarrier"
|
||||
or
|
||||
Make<Conf2>::hasFlow(src, sink) and s = "srcbarrier"
|
||||
Global<Conf2>::flow(src, sink) and s = "srcbarrier"
|
||||
or
|
||||
Make<Conf3>::hasFlow(src, sink) and s = "sinkbarrier"
|
||||
Global<Conf3>::flow(src, sink) and s = "sinkbarrier"
|
||||
or
|
||||
Make<Conf4>::hasFlow(src, sink) and s = "both"
|
||||
Global<Conf4>::flow(src, sink) and s = "both"
|
||||
}
|
||||
|
||||
from Node src, Node sink, string s
|
||||
|
||||
@@ -10,10 +10,10 @@ module Config implements ConfigSig {
|
||||
|
||||
int explorationLimit() { result = 10 }
|
||||
|
||||
module PartialFlow = Make<Config>::FlowExploration<explorationLimit/0>;
|
||||
module PartialFlow = Global<Config>::FlowExploration<explorationLimit/0>;
|
||||
|
||||
import PartialFlow::PartialPathGraph
|
||||
|
||||
from PartialFlow::PartialPathNode n, int dist
|
||||
where PartialFlow::hasPartialFlow(_, n, dist)
|
||||
where PartialFlow::partialFlow(_, n, dist)
|
||||
select dist, n
|
||||
|
||||
@@ -10,10 +10,10 @@ module Config implements ConfigSig {
|
||||
|
||||
int explorationLimit() { result = 10 }
|
||||
|
||||
module PartialFlow = Make<Config>::FlowExploration<explorationLimit/0>;
|
||||
module PartialFlow = Global<Config>::FlowExploration<explorationLimit/0>;
|
||||
|
||||
import PartialFlow::PartialPathGraph
|
||||
|
||||
from PartialFlow::PartialPathNode n, int dist
|
||||
where PartialFlow::hasPartialFlowRev(n, _, dist)
|
||||
where PartialFlow::partialFlowRev(n, _, dist)
|
||||
select dist, n
|
||||
|
||||
@@ -55,7 +55,7 @@ module Config implements DataFlow::StateConfigSig {
|
||||
|
||||
int explorationLimit() { result = 0 }
|
||||
|
||||
module Flow = TaintTracking::MakeWithState<Config>;
|
||||
module Flow = TaintTracking::GlobalWithState<Config>;
|
||||
|
||||
module PartialFlow = Flow::FlowExploration<explorationLimit/0>;
|
||||
|
||||
@@ -67,7 +67,7 @@ class HasFlowTest extends InlineExpectationsTest {
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "flow" and
|
||||
exists(Flow::PathNode src, Flow::PathNode sink |
|
||||
Flow::hasFlowPath(src, sink) and
|
||||
Flow::flowPath(src, sink) and
|
||||
sink.getNode().getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = src.getState()
|
||||
@@ -75,7 +75,7 @@ class HasFlowTest extends InlineExpectationsTest {
|
||||
or
|
||||
tag = "pFwd" and
|
||||
exists(PartialFlow::PartialPathNode src, PartialFlow::PartialPathNode node |
|
||||
PartialFlow::hasPartialFlow(src, node, _) and
|
||||
PartialFlow::partialFlow(src, node, _) and
|
||||
checkNode(node.getNode()) and
|
||||
node.getNode().getLocation() = location and
|
||||
element = node.toString() and
|
||||
@@ -84,7 +84,7 @@ class HasFlowTest extends InlineExpectationsTest {
|
||||
or
|
||||
tag = "pRev" and
|
||||
exists(PartialFlow::PartialPathNode node, PartialFlow::PartialPathNode sink |
|
||||
PartialFlow::hasPartialFlowRev(node, sink, _) and
|
||||
PartialFlow::partialFlowRev(node, sink, _) and
|
||||
checkNode(node.getNode()) and
|
||||
node.getNode().getLocation() = location and
|
||||
element = node.toString() and
|
||||
|
||||
@@ -10,7 +10,7 @@ class HasApkInstallationTest extends InlineExpectationsTest {
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "hasApkInstallation" and
|
||||
exists(DataFlow::Node sink | ApkInstallationFlow::hasFlowTo(sink) |
|
||||
exists(DataFlow::Node sink | ApkInstallationFlow::flowTo(sink) |
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
|
||||
@@ -12,6 +12,6 @@ private class LogInjectionTest extends InlineFlowTest {
|
||||
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||
|
||||
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||
LogInjectionFlow::hasFlow(src, sink)
|
||||
LogInjectionFlow::flow(src, sink)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -6,6 +6,6 @@ class IntentUriPermissionManipulationTest extends InlineFlowTest {
|
||||
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||
|
||||
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||
IntentUriPermissionManipulationFlow::hasFlow(src, sink)
|
||||
IntentUriPermissionManipulationFlow::flow(src, sink)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -6,6 +6,6 @@ class Test extends InlineFlowTest {
|
||||
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||
|
||||
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||
UnsafeContentResolutionFlow::hasFlow(src, sink)
|
||||
UnsafeContentResolutionFlow::flow(src, sink)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -6,6 +6,6 @@ class Test extends InlineFlowTest {
|
||||
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||
|
||||
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||
FragmentInjectionTaintFlow::hasFlow(src, sink)
|
||||
FragmentInjectionTaintFlow::flow(src, sink)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -4,7 +4,7 @@ import semmle.code.java.security.SensitiveLoggingQuery
|
||||
|
||||
class HasFlowTest extends InlineFlowTest {
|
||||
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||
SensitiveLoggerFlow::hasFlow(src, sink)
|
||||
SensitiveLoggerFlow::flow(src, sink)
|
||||
}
|
||||
|
||||
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||
|
||||
@@ -9,7 +9,7 @@ class HasPolyRedos extends InlineExpectationsTest {
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "hasPolyRedos" and
|
||||
exists(DataFlow::Node sink |
|
||||
PolynomialRedosFlow::hasFlowTo(sink) and
|
||||
PolynomialRedosFlow::flowTo(sink) and
|
||||
location = sink.getLocation() and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
|
||||
@@ -7,6 +7,6 @@ class HasFlowTest extends InlineFlowTest {
|
||||
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||
|
||||
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||
RsaWithoutOaepFlow::hasFlow(src, sink)
|
||||
RsaWithoutOaepFlow::flow(src, sink)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -10,7 +10,7 @@ class HasFlowTest extends InlineExpectationsTest {
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "SSRF" and
|
||||
exists(DataFlow::Node sink |
|
||||
RequestForgeryFlow::hasFlowTo(sink) and
|
||||
RequestForgeryFlow::flowTo(sink) and
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
|
||||
@@ -7,6 +7,6 @@ class HasFlowTest extends InlineFlowTest {
|
||||
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||
|
||||
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||
SensitiveCommunicationFlow::hasFlow(src, sink)
|
||||
SensitiveCommunicationFlow::flow(src, sink)
|
||||
}
|
||||
}
|
||||
|
||||