diff --git a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql index e246d231da1..e8a80e372b7 100644 --- a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql +++ b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql @@ -16,16 +16,13 @@ import semmle.code.java.Expr import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.ExternalProcess import semmle.code.java.security.CommandArguments -import DataFlow::PathGraph -class LocalUserInputToArgumentToExecFlowConfig extends TaintTracking::Configuration { - LocalUserInputToArgumentToExecFlowConfig() { this = "LocalUserInputToArgumentToExecFlowConfig" } +module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput } - override predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput } + predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec } - override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec } - - override predicate isSanitizer(DataFlow::Node node) { + predicate isBarrier(DataFlow::Node node) { node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType @@ -34,9 +31,16 @@ class LocalUserInputToArgumentToExecFlowConfig extends TaintTracking::Configurat } } +module LocalUserInputToArgumentToExecFlow = + TaintTracking::Make; + +import LocalUserInputToArgumentToExecFlow::PathGraph + from - DataFlow::PathNode source, DataFlow::PathNode sink, ArgumentToExec execArg, - LocalUserInputToArgumentToExecFlowConfig conf -where conf.hasFlowPath(source, sink) and sink.getNode().asExpr() = execArg + LocalUserInputToArgumentToExecFlow::PathNode source, + LocalUserInputToArgumentToExecFlow::PathNode sink, ArgumentToExec execArg +where + LocalUserInputToArgumentToExecFlow::hasFlowPath(source, sink) and + sink.getNode().asExpr() = execArg select execArg, source, sink, "This command line depends on a $@.", source.getNode(), "user-provided value" diff --git a/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql b/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql index da318a5b7cb..fd9c397f812 100644 --- a/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql +++ b/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql @@ -14,17 +14,18 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.XSS -import DataFlow::PathGraph -class XssLocalConfig extends TaintTracking::Configuration { - XssLocalConfig() { this = "XSSLocalConfig" } +module XssLocalConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput } - override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput } - - override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink } + predicate isSink(DataFlow::Node sink) { sink instanceof XssSink } } -from DataFlow::PathNode source, DataFlow::PathNode sink, XssLocalConfig conf -where conf.hasFlowPath(source, sink) +module XssLocalFlow = TaintTracking::Make; + +import XssLocalFlow::PathGraph + +from XssLocalFlow::PathNode source, XssLocalFlow::PathNode sink +where XssLocalFlow::hasFlowPath(source, sink) select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.", source.getNode(), "user-provided value" diff --git a/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql b/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql index 13e0c7556f6..209d778dca8 100644 --- a/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql +++ b/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql @@ -25,28 +25,27 @@ class UncontrolledStringBuilderSource extends DataFlow::ExprNode { } } -class UncontrolledStringBuilderSourceFlowConfig extends TaintTracking::Configuration { - UncontrolledStringBuilderSourceFlowConfig() { - this = "SqlConcatenated::UncontrolledStringBuilderSourceFlowConfig" - } +module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node src) { src instanceof UncontrolledStringBuilderSource } - override predicate isSource(DataFlow::Node src) { src instanceof UncontrolledStringBuilderSource } + predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink } - override predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink } - - override predicate isSanitizer(DataFlow::Node node) { + predicate isBarrier(DataFlow::Node node) { node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType } } +module UncontrolledStringBuilderSourceFlow = + TaintTracking::Make; + from QueryInjectionSink query, Expr uncontrolled where ( builtFromUncontrolledConcat(query.asExpr(), uncontrolled) or - exists(StringBuilderVar sbv, UncontrolledStringBuilderSourceFlowConfig conf | + exists(StringBuilderVar sbv | uncontrolledStringBuilderQuery(sbv, uncontrolled) and - conf.hasFlow(DataFlow::exprNode(sbv.getToStringCall()), query) + UncontrolledStringBuilderSourceFlow::hasFlow(DataFlow::exprNode(sbv.getToStringCall()), query) ) ) and not queryTaintedBy(query, _, _) diff --git a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql index d6c874e1fd8..0ad803533c5 100644 --- a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql +++ b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql @@ -15,26 +15,29 @@ import semmle.code.java.Expr import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.SqlInjectionQuery -import DataFlow::PathGraph -class LocalUserInputToQueryInjectionFlowConfig extends TaintTracking::Configuration { - LocalUserInputToQueryInjectionFlowConfig() { this = "LocalUserInputToQueryInjectionFlowConfig" } +module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput } - override predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput } + predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink } - override predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink } - - override predicate isSanitizer(DataFlow::Node node) { + predicate isBarrier(DataFlow::Node node) { node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType } - override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { + predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(AdditionalQueryInjectionTaintStep s).step(node1, node2) } } +module LocalUserInputToQueryInjectionFlow = + TaintTracking::Make; + +import LocalUserInputToQueryInjectionFlow::PathGraph + from - DataFlow::PathNode source, DataFlow::PathNode sink, LocalUserInputToQueryInjectionFlowConfig conf -where conf.hasFlowPath(source, sink) + LocalUserInputToQueryInjectionFlow::PathNode source, + LocalUserInputToQueryInjectionFlow::PathNode sink +where LocalUserInputToQueryInjectionFlow::hasFlowPath(source, sink) select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(), "user-provided value" diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql index 032f2f4ce3c..c723e7d7067 100644 --- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql +++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql @@ -13,25 +13,28 @@ import java import ArraySizing import semmle.code.java.dataflow.FlowSources -import DataFlow::PathGraph -class Conf extends TaintTracking::Configuration { - Conf() { this = "RemoteUserInputTocanThrowOutOfBoundsDueToEmptyArrayConfig" } +private module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } - override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } - - override predicate isSink(DataFlow::Node sink) { + predicate isSink(DataFlow::Node sink) { any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _) } } +module ImproperValidationOfArrayConstructionFlow = + TaintTracking::Make; + +import ImproperValidationOfArrayConstructionFlow::PathGraph + from - DataFlow::PathNode source, DataFlow::PathNode sink, Expr sizeExpr, + ImproperValidationOfArrayConstructionFlow::PathNode source, + ImproperValidationOfArrayConstructionFlow::PathNode sink, Expr sizeExpr, ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess where arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sizeExpr, arrayCreation) and sizeExpr = sink.getNode().asExpr() and - any(Conf conf).hasFlowPath(source, sink) + ImproperValidationOfArrayConstructionFlow::hasFlowPath(source, sink) select arrayAccess.getIndexExpr(), source, sink, "This accesses the $@, but the array is initialized using a $@ which may be zero.", arrayCreation, "array", source.getNode(), "user-provided value" diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql index 3d07f044a7c..a4335eeb2fe 100644 --- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql +++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql @@ -13,30 +13,33 @@ import java import ArraySizing -import DataFlow::PathGraph +import semmle.code.java.dataflow.TaintTracking -class BoundedFlowSourceConf extends DataFlow::Configuration { - BoundedFlowSourceConf() { this = "BoundedFlowSource" } - - override predicate isSource(DataFlow::Node source) { +module BoundedFlowSourceConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof BoundedFlowSource and // There is not a fixed lower bound which is greater than zero. not source.(BoundedFlowSource).lowerBound() > 0 } - override predicate isSink(DataFlow::Node sink) { + predicate isSink(DataFlow::Node sink) { any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _) } } +module BoundedFlowSourceFlow = DataFlow::Make; + +import BoundedFlowSourceFlow::PathGraph + from - DataFlow::PathNode source, DataFlow::PathNode sink, BoundedFlowSource boundedsource, - Expr sizeExpr, ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess + BoundedFlowSourceFlow::PathNode source, BoundedFlowSourceFlow::PathNode sink, + BoundedFlowSource boundedsource, Expr sizeExpr, ArrayCreationExpr arrayCreation, + CheckableArrayAccess arrayAccess where arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sizeExpr, arrayCreation) and sizeExpr = sink.getNode().asExpr() and boundedsource = source.getNode() and - any(BoundedFlowSourceConf conf).hasFlowPath(source, sink) + BoundedFlowSourceFlow::hasFlowPath(source, sink) select arrayAccess.getIndexExpr(), source, sink, "This accesses the $@, but the array is initialized using $@ which may be zero.", arrayCreation, "array", boundedsource, boundedsource.getDescription().toLowerCase() diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql index ebb91acbc24..a1d13c3d8db 100644 --- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql +++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql @@ -14,25 +14,28 @@ import java import ArraySizing import semmle.code.java.dataflow.FlowSources -import DataFlow::PathGraph -class Conf extends TaintTracking::Configuration { - Conf() { this = "LocalUserInputTocanThrowOutOfBoundsDueToEmptyArrayConfig" } +module ImproperValidationOfArrayConstructionLocalConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput } - override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput } - - override predicate isSink(DataFlow::Node sink) { + predicate isSink(DataFlow::Node sink) { any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _) } } +module ImproperValidationOfArrayConstructionLocalFlow = + TaintTracking::Make; + +import ImproperValidationOfArrayConstructionLocalFlow::PathGraph + from - DataFlow::PathNode source, DataFlow::PathNode sink, Expr sizeExpr, + ImproperValidationOfArrayConstructionLocalFlow::PathNode source, + ImproperValidationOfArrayConstructionLocalFlow::PathNode sink, Expr sizeExpr, ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess where arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sizeExpr, arrayCreation) and sizeExpr = sink.getNode().asExpr() and - any(Conf conf).hasFlowPath(source, sink) + ImproperValidationOfArrayConstructionLocalFlow::hasFlowPath(source, sink) select arrayAccess.getIndexExpr(), source, sink, "This accesses the $@, but the array is initialized using a $@ which may be zero.", arrayCreation, "array", source.getNode(), "user-provided value" diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql index d3a78f1ab96..70b23e058a5 100644 --- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql +++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql @@ -13,24 +13,28 @@ import java import ArraySizing import semmle.code.java.dataflow.FlowSources -import DataFlow::PathGraph -class Conf extends TaintTracking::Configuration { - Conf() { this = "RemoteUserInputTocanThrowOutOfBoundsDueToEmptyArrayConfig" } +module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } - override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } - - override predicate isSink(DataFlow::Node sink) { + predicate isSink(DataFlow::Node sink) { any(CheckableArrayAccess caa).canThrowOutOfBounds(sink.asExpr()) } - override predicate isSanitizer(DataFlow::Node node) { node.getType() instanceof BooleanType } + predicate isBarrier(DataFlow::Node node) { node.getType() instanceof BooleanType } } -from DataFlow::PathNode source, DataFlow::PathNode sink, CheckableArrayAccess arrayAccess +module ImproperValidationOfArrayIndexFlow = + TaintTracking::Make; + +import ImproperValidationOfArrayIndexFlow::PathGraph + +from + ImproperValidationOfArrayIndexFlow::PathNode source, + ImproperValidationOfArrayIndexFlow::PathNode sink, CheckableArrayAccess arrayAccess where arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and - any(Conf conf).hasFlowPath(source, sink) + ImproperValidationOfArrayIndexFlow::hasFlowPath(source, sink) select arrayAccess.getIndexExpr(), source, sink, "This index depends on a $@ which can cause an ArrayIndexOutOfBoundsException.", source.getNode(), "user-provided value" diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql index 79911f5422d..fd07e39b6ba 100644 --- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql +++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql @@ -14,25 +14,27 @@ import java import ArraySizing import BoundingChecks -import DataFlow::PathGraph +import semmle.code.java.dataflow.TaintTracking -class BoundedFlowSourceConf extends DataFlow::Configuration { - BoundedFlowSourceConf() { this = "BoundedFlowSource" } +module BoundedFlowSourceConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof BoundedFlowSource } - override predicate isSource(DataFlow::Node source) { source instanceof BoundedFlowSource } - - override predicate isSink(DataFlow::Node sink) { + predicate isSink(DataFlow::Node sink) { exists(CheckableArrayAccess arrayAccess | arrayAccess.canThrowOutOfBounds(sink.asExpr())) } } +module BoundedFlowSourceFlow = DataFlow::Make; + +import BoundedFlowSourceFlow::PathGraph + from - DataFlow::PathNode source, DataFlow::PathNode sink, BoundedFlowSource boundedsource, - CheckableArrayAccess arrayAccess + BoundedFlowSourceFlow::PathNode source, BoundedFlowSourceFlow::PathNode sink, + BoundedFlowSource boundedsource, CheckableArrayAccess arrayAccess where arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and boundedsource = source.getNode() and - any(BoundedFlowSourceConf conf).hasFlowPath(source, sink) and + BoundedFlowSourceFlow::hasFlowPath(source, sink) and boundedsource != sink.getNode() and not ( ( diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql index 1b5576f14e8..d57df422287 100644 --- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql +++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql @@ -14,22 +14,26 @@ import java import ArraySizing import semmle.code.java.dataflow.FlowSources -import DataFlow::PathGraph -class Conf extends TaintTracking::Configuration { - Conf() { this = "LocalUserInputTocanThrowOutOfBoundsDueToEmptyArrayConfig" } +module ImproperValidationOfArrayIndexLocalConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput } - override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput } - - override predicate isSink(DataFlow::Node sink) { + predicate isSink(DataFlow::Node sink) { any(CheckableArrayAccess caa).canThrowOutOfBounds(sink.asExpr()) } } -from DataFlow::PathNode source, DataFlow::PathNode sink, CheckableArrayAccess arrayAccess +module ImproperValidationOfArrayIndexLocalFlow = + TaintTracking::Make; + +import ImproperValidationOfArrayIndexLocalFlow::PathGraph + +from + ImproperValidationOfArrayIndexLocalFlow::PathNode source, + ImproperValidationOfArrayIndexLocalFlow::PathNode sink, CheckableArrayAccess arrayAccess where arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and - any(Conf conf).hasFlowPath(source, sink) + ImproperValidationOfArrayIndexLocalFlow::hasFlowPath(source, sink) select arrayAccess.getIndexExpr(), source, sink, "This index depends on a $@ which can cause an ArrayIndexOutOfBoundsException.", source.getNode(), "user-provided value" diff --git a/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql b/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql index 72801f205aa..5070283780b 100644 --- a/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql +++ b/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql @@ -33,7 +33,7 @@ class ExtremeSource extends VarAccess { ExtremeSource() { this.getVariable() instanceof ExtremeValueField } } -private module MaxValueFlowConfig implements DataFlow::ConfigSig { +module MaxValueFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source.asExpr().(ExtremeSource).getVariable() instanceof MaxValueField } @@ -47,7 +47,7 @@ private module MaxValueFlowConfig implements DataFlow::ConfigSig { module MaxValueFlow = DataFlow::Make; -private module MinValueFlowConfig implements DataFlow::ConfigSig { +module MinValueFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source.asExpr().(ExtremeSource).getVariable() instanceof MinValueField } diff --git a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql index 02934e98840..be5d3dad848 100644 --- a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql +++ b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql @@ -120,22 +120,20 @@ class GetMessageFlowSource extends MethodAccess { } } -class GetMessageFlowSourceToHttpResponseSinkFlowConfig extends TaintTracking::Configuration { - GetMessageFlowSourceToHttpResponseSinkFlowConfig() { - this = "StackTraceExposure::GetMessageFlowSourceToHttpResponseSinkFlowConfig" - } +module GetMessageFlowSourceToHttpResponseSinkFlowConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node src) { src.asExpr() instanceof GetMessageFlowSource } - override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof GetMessageFlowSource } - - override predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink } + predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink } } +module GetMessageFlowSourceToHttpResponseSinkFlow = + TaintTracking::Make; + /** * A call to `getMessage()` that then flows to a servlet response. */ predicate getMessageFlowsExternally(DataFlow::Node externalExpr, GetMessageFlowSource getMessage) { - any(GetMessageFlowSourceToHttpResponseSinkFlowConfig conf) - .hasFlow(DataFlow::exprNode(getMessage), externalExpr) + GetMessageFlowSourceToHttpResponseSinkFlow::hasFlow(DataFlow::exprNode(getMessage), externalExpr) } from Expr externalExpr, Expr errorInformation diff --git a/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql b/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql index 0766ee07134..807ef383dee 100644 --- a/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql +++ b/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql @@ -26,10 +26,8 @@ predicate isSafeSecureCookieSetting(Expr e) { ) } -class SecureCookieConfiguration extends DataFlow::Configuration { - SecureCookieConfiguration() { this = "SecureCookieConfiguration" } - - override predicate isSource(DataFlow::Node source) { +module SecureCookieConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { exists(MethodAccess ma, Method m | ma.getMethod() = m | m.getDeclaringType() instanceof TypeCookie and m.getName() = "setSecure" and @@ -43,14 +41,16 @@ class SecureCookieConfiguration extends DataFlow::Configuration { ) } - override predicate isSink(DataFlow::Node sink) { + predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(MethodAccess add | add.getMethod() instanceof ResponseAddCookieMethod).getArgument(0) } } +module SecureCookieFlow = DataFlow::Make; + from MethodAccess add where add.getMethod() instanceof ResponseAddCookieMethod and - not any(SecureCookieConfiguration df).hasFlowToExpr(add.getArgument(0)) + not SecureCookieFlow::hasFlowToExpr(add.getArgument(0)) select add, "Cookie is added to response without the 'secure' flag being set."