Convert trust boundary models to MaD

Ed Minnix
2023-06-08 10:54:07 -04:00
parent 76438f13b6
commit a8b7e70d01
5 changed files with 31 additions and 55 deletions


@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["org.apache.struts2.dispatcher", "SessionMap", False, "put", "", "", "Argument[0..1]", "trust-boundary", "manual"]
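Review bot: `Argument[0..1]` makes the key passed to `SessionMap.put` a sink as well as the value, whereas the `Struts2SessionMapPutMethod` class this commit removes from the query file returned only index 1 from `getArgumentIndex()`. If the widening is intended, it deserves a line in the commit message and a test case with a request-derived key. If it is not, the access path should read `"Argument[1]"` so the conversion stays behaviour-preserving. The Struts `SessionAware` and Play `Result` rows keep the indices of the classes they replace.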


@@ -0,0 +1,7 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["org.apache.struts2.interceptor", "SessionAware", False, "setSession", "", "", "Argument[0]", "trust-boundary", "manual"]
- ["org.apache.struts2.interceptor", "SessionAware", False, "withSession", "", "", "Argument[0]", "trust-boundary", "manual"]
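Review bot: Both rows set the subtypes column to `False`, which limits the sink to calls that resolve to the method declared on `SessionAware` itself. `SessionAware` is an interface, so a call made through an implementing action class, where the callee is that class's own `setSession`, would presumably not match. This mirrors the exact-type check in the removed `Struts2SessionSetMethod`, so it is not a regression. Consider `True` here, or add a test that pins which call shapes are expected to be flagged.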


@@ -16,6 +16,11 @@ extensions:
- ["play.mvc", "Http$RequestHeader", True, "queryString", "", "", "ReturnValue", "remote", "manual"]
- ["play.mvc", "Http$RequestHeader", True, "remoteAddress", "", "", "ReturnValue", "remote", "manual"]
- ["play.mvc", "Http$RequestHeader", True, "uri", "", "", "ReturnValue", "remote", "manual"]
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["play.mvc", "Result", False, "addingToSession", "", "", "Argument[1..2]", "trust-boundary", "manual"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel


@@ -7,11 +7,21 @@ private import semmle.code.java.dataflow.FlowSources
private import semmle.code.java.frameworks.Servlets
class TrustBoundaryViolationSource extends DataFlow::Node {
TrustBoundaryViolationSource() {
this instanceof RemoteFlowSource and this.asExpr().getType() instanceof HttpServletRequest
}
TrustBoundaryViolationSource() { this.asExpr().getType() instanceof HttpServletRequest }
}
class TrustBoundaryViolationSink extends DataFlow::Node {
TrustBoundaryViolationSink() { sinkNode(this, "trust-boundary") }
}
module TrustBoundaryConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof TrustBoundaryViolationSource }
predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
n2.asExpr().(MethodAccess).getQualifier() = n1.asExpr()
}
predicate isSink(DataFlow::Node sink) { sink instanceof TrustBoundaryViolationSink }
}
module TrustBoundaryFlow = TaintTracking::Global<TrustBoundaryConfig>;
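Review bot: The new one-line `TrustBoundaryViolationSource` constructor drops the `RemoteFlowSource` requirement, so every expression of type `HttpServletRequest` becomes a source. `isAdditionalFlowStep` then taints the result of any method call on a tainted qualifier, so server-controlled values such as `request.getContextPath()`, or anything read back through `request.getSession()`, would likely be reported as crossing the trust boundary. The query-file config removed in this commit was narrower, and the same condition could live in the constructor: `this instanceof RemoteFlowSource and this.asExpr().(MethodAccess).getQualifier().getType() instanceof HttpServletRequest`. The qualifier-to-call step would then be unnecessary. The new public classes and the `TrustBoundaryConfig` module also have no QLDoc; a short comment on each saying what counts as a source and that sinks come from the `"trust-boundary"` model kind would help.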


@@ -14,58 +14,6 @@ import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.security.TrustBoundaryViolationQuery
/**
* The `setAttribute` method of the `HttpSession` interface.
*/
abstract class SessionSetAttributeMethod extends Method {
abstract int getArgumentIndex();
}
private class PlayMvcResultAddingToSessionMethod extends SessionSetAttributeMethod {
PlayMvcResultAddingToSessionMethod() {
this.getDeclaringType().hasQualifiedName("play.mvc", "Result") and
this.hasName("addingToSession")
}
override int getArgumentIndex() { result = [1, 2] }
}
private class Struts2SessionMapPutMethod extends SessionSetAttributeMethod {
Struts2SessionMapPutMethod() {
this.getDeclaringType().hasQualifiedName("org.apache.struts2.dispatcher", "SessionMap") and
this.hasName("put")
}
override int getArgumentIndex() { result = 1 }
}
private class Struts2SessionSetMethod extends SessionSetAttributeMethod {
Struts2SessionSetMethod() {
this.getDeclaringType().hasQualifiedName("org.apache.struts2.interceptor", "SessionAware") and
this.hasName(["setSession", "withSession"])
}
override int getArgumentIndex() { result = 0 }
}
module TrustBoundaryConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof RemoteFlowSource and
source.asExpr().(MethodAccess).getQualifier().getType() instanceof HttpServletRequest
}
predicate isSink(DataFlow::Node sink) {
exists(MethodAccess ma, SessionSetAttributeMethod m | m = ma.getMethod() |
sink.asExpr() = ma.getArgument(m.getArgumentIndex())
)
or
sink instanceof TrustBoundaryViolationSink
}
}
module TrustBoundaryFlow = TaintTracking::Global<TrustBoundaryConfig>;
import TrustBoundaryFlow::PathGraph
from TrustBoundaryFlow::PathNode source, TrustBoundaryFlow::PathNode sink