Convert trust boundary models to MaD

2026-04-29 18:55:14 +02:00 · 2023-06-08 10:54:07 -04:00
parent 76438f13b6
commit a8b7e70d01
5 changed files with 31 additions and 55 deletions
--- a/java/ql/lib/ext/org.apache.struts2.dispatcher.model.yml
+++ b/java/ql/lib/ext/org.apache.struts2.dispatcher.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+    - ["org.apache.struts2.dispatcher", "SessionMap", False, "put", "", "", "Argument[0..1]", "trust-boundary", "manual"]
--- a/java/ql/lib/ext/org.apache.struts2.interceptor.model.yml
+++ b/java/ql/lib/ext/org.apache.struts2.interceptor.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+    - ["org.apache.struts2.interceptor", "SessionAware", False, "setSession", "", "", "Argument[0]", "trust-boundary", "manual"]
+    - ["org.apache.struts2.interceptor", "SessionAware", False, "withSession", "", "", "Argument[0]", "trust-boundary", "manual"]
--- a/java/ql/lib/ext/play.mvc.model.yml
+++ b/java/ql/lib/ext/play.mvc.model.yml
@@ -16,6 +16,11 @@ extensions:
      - ["play.mvc", "Http$RequestHeader", True, "queryString", "", "", "ReturnValue", "remote", "manual"]
      - ["play.mvc", "Http$RequestHeader", True, "remoteAddress", "", "", "ReturnValue", "remote", "manual"]
      - ["play.mvc", "Http$RequestHeader", True, "uri", "", "", "ReturnValue", "remote", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["play.mvc", "Result", False, "addingToSession", "", "", "Argument[1..2]", "trust-boundary", "manual"]
  - addsTo:
      pack: codeql/java-all
      extensible: summaryModel
--- a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
@@ -7,11 +7,21 @@ private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.frameworks.Servlets

 class TrustBoundaryViolationSource extends DataFlow::Node {
-  TrustBoundaryViolationSource() {
-    this instanceof RemoteFlowSource and this.asExpr().getType() instanceof HttpServletRequest
-  }
+  TrustBoundaryViolationSource() { this.asExpr().getType() instanceof HttpServletRequest }
 }

 class TrustBoundaryViolationSink extends DataFlow::Node {
  TrustBoundaryViolationSink() { sinkNode(this, "trust-boundary") }
 }
+
+module TrustBoundaryConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof TrustBoundaryViolationSource }
+
+  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+    n2.asExpr().(MethodAccess).getQualifier() = n1.asExpr()
+  }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof TrustBoundaryViolationSink }
+}
+
+module TrustBoundaryFlow = TaintTracking::Global<TrustBoundaryConfig>;