Merge pull request #14582 from github/dbartol/threat-models-2

Java: Threat model implementation with priorities.
This commit is contained in:
Dave Bartolomeo
2023-10-27 09:33:53 -04:00
committed by GitHub
21 changed files with 189 additions and 89 deletions

View File

@@ -1,7 +0,0 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: supportedThreatModels
data:
- ["default"] # The "default" threat model is always included.

View File

@@ -1,22 +0,0 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: threatModelGrouping
data:
# Default threat model
- ["remote", "default"]
# Remote threat models
- ["request", "remote"]
- ["response", "remote"]
# Local threat models
- ["database", "local"]
- ["commandargs", "local"]
- ["environment", "local"]
- ["file", "local"]
# Android threat models
- ["android-external-storage-dir", "android"]
- ["contentprovider", "android"]

View File

@@ -10,6 +10,7 @@ dependencies:
codeql/mad: ${workspace}
codeql/rangeanalysis: ${workspace}
codeql/regex: ${workspace}
codeql/threat-models: ${workspace}
codeql/tutorial: ${workspace}
codeql/typetracking: ${workspace}
codeql/util: ${workspace}
@@ -17,5 +18,4 @@ dataExtensions:
- ext/*.model.yml
- ext/generated/*.model.yml
- ext/experimental/*.model.yml
- ext/threatmodels/*.model.yml
warnOnImplicitThis: true

View File

@@ -1,31 +0,0 @@
/**
* INTERNAL use only. This is an experimental API subject to change without notice.
*
* This module provides extensible predicates for configuring which kinds of MaD models
* are applicable to generic queries.
*/
private import ExternalFlowExtensions
/**
* Holds if the specified kind of source model is supported for the current query.
*/
extensible private predicate supportedThreatModels(string kind);
/**
* Holds if the specified kind of source model is containted within the specified group.
*/
extensible private predicate threatModelGrouping(string kind, string group);
/**
* Gets the threat models that are direct descendants of the specified kind/group.
*/
private string getChildThreatModel(string group) { threatModelGrouping(result, group) }
/**
* Holds if the source model kind `kind` is relevant for generic queries
* under the current threat model configuration.
*/
predicate currentThreatModel(string kind) {
exists(string group | supportedThreatModels(group) and kind = getChildThreatModel*(group))
}

View File

@@ -29,7 +29,7 @@ import semmle.code.java.frameworks.struts.StrutsActions
import semmle.code.java.frameworks.Thrift
import semmle.code.java.frameworks.javaee.jsf.JSFRenderer
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.ExternalFlowConfiguration
private import codeql.threatmodels.ThreatModels
/**
* A data flow source.
@@ -47,10 +47,6 @@ abstract class SourceNode extends DataFlow::Node {
*/
class ThreatModelFlowSource extends DataFlow::Node {
ThreatModelFlowSource() {
// Expansive threat model.
currentThreatModel("all") and
(this instanceof SourceNode or sourceNode(this, _))
or
exists(string kind |
// Specific threat model.
currentThreatModel(kind) and

View File

@@ -1,10 +1,10 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: supportedThreatModels
pack: codeql/threat-models
extensible: threatModelConfiguration
data:
- ["database"]
- ["database", true, 0]
- addsTo:
pack: codeql/java-all

View File

@@ -1,10 +1,10 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: supportedThreatModels
pack: codeql/threat-models
extensible: threatModelConfiguration
data:
- ["local"]
- ["local", true, 0]
- addsTo:
pack: codeql/java-all

View File

@@ -1,10 +1,10 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: supportedThreatModels
pack: codeql/threat-models
extensible: threatModelConfiguration
data:
- ["all"]
- ["all", true, 0]
- addsTo:
pack: codeql/java-all

View File

@@ -1,11 +1,11 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: supportedThreatModels
pack: codeql/threat-models
extensible: threatModelConfiguration
data:
- ["environment"]
- ["commandargs"]
- ["environment", true, 0]
- ["commandargs", true, 0]
- addsTo:
pack: codeql/java-all

View File

@@ -0,0 +1,54 @@
edges
| Test.java:10:31:10:41 | data : byte[] | Test.java:11:23:11:26 | data : byte[] |
| Test.java:11:23:11:26 | data : byte[] | Test.java:11:12:11:51 | new String(...) : String |
| Test.java:19:5:19:25 | getInputStream(...) : InputStream | Test.java:19:32:19:35 | data [post update] : byte[] |
| Test.java:19:32:19:35 | data [post update] : byte[] | Test.java:22:49:22:52 | data : byte[] |
| Test.java:19:32:19:35 | data [post update] : byte[] | Test.java:25:69:25:72 | data : byte[] |
| Test.java:22:49:22:52 | data : byte[] | Test.java:10:31:10:41 | data : byte[] |
| Test.java:22:49:22:52 | data : byte[] | Test.java:22:36:22:53 | byteToString(...) |
| Test.java:25:56:25:73 | byteToString(...) : String | Test.java:25:26:25:80 | ... + ... |
| Test.java:25:69:25:72 | data : byte[] | Test.java:10:31:10:41 | data : byte[] |
| Test.java:25:69:25:72 | data : byte[] | Test.java:25:56:25:73 | byteToString(...) : String |
| Test.java:30:21:30:61 | executeQuery(...) : String | Test.java:33:26:33:68 | ... + ... |
| Test.java:30:21:30:61 | executeQuery(...) : String | Test.java:36:36:36:41 | result |
| Test.java:64:5:64:13 | System.in : InputStream | Test.java:64:20:64:23 | data [post update] : byte[] |
| Test.java:64:20:64:23 | data [post update] : byte[] | Test.java:67:69:67:72 | data : byte[] |
| Test.java:64:20:64:23 | data [post update] : byte[] | Test.java:70:49:70:52 | data : byte[] |
| Test.java:67:56:67:73 | byteToString(...) : String | Test.java:67:26:67:80 | ... + ... |
| Test.java:67:69:67:72 | data : byte[] | Test.java:10:31:10:41 | data : byte[] |
| Test.java:67:69:67:72 | data : byte[] | Test.java:67:56:67:73 | byteToString(...) : String |
| Test.java:70:49:70:52 | data : byte[] | Test.java:10:31:10:41 | data : byte[] |
| Test.java:70:49:70:52 | data : byte[] | Test.java:70:36:70:53 | byteToString(...) |
nodes
| Test.java:10:31:10:41 | data : byte[] | semmle.label | data : byte[] |
| Test.java:11:12:11:51 | new String(...) : String | semmle.label | new String(...) : String |
| Test.java:11:23:11:26 | data : byte[] | semmle.label | data : byte[] |
| Test.java:19:5:19:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| Test.java:19:32:19:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] |
| Test.java:22:36:22:53 | byteToString(...) | semmle.label | byteToString(...) |
| Test.java:22:49:22:52 | data : byte[] | semmle.label | data : byte[] |
| Test.java:25:26:25:80 | ... + ... | semmle.label | ... + ... |
| Test.java:25:56:25:73 | byteToString(...) : String | semmle.label | byteToString(...) : String |
| Test.java:25:69:25:72 | data : byte[] | semmle.label | data : byte[] |
| Test.java:30:21:30:61 | executeQuery(...) : String | semmle.label | executeQuery(...) : String |
| Test.java:33:26:33:68 | ... + ... | semmle.label | ... + ... |
| Test.java:36:36:36:41 | result | semmle.label | result |
| Test.java:64:5:64:13 | System.in : InputStream | semmle.label | System.in : InputStream |
| Test.java:64:20:64:23 | data [post update] : byte[] | semmle.label | data [post update] : byte[] |
| Test.java:67:26:67:80 | ... + ... | semmle.label | ... + ... |
| Test.java:67:56:67:73 | byteToString(...) : String | semmle.label | byteToString(...) : String |
| Test.java:67:69:67:72 | data : byte[] | semmle.label | data : byte[] |
| Test.java:70:36:70:53 | byteToString(...) | semmle.label | byteToString(...) |
| Test.java:70:49:70:52 | data : byte[] | semmle.label | data : byte[] |
subpaths
| Test.java:22:49:22:52 | data : byte[] | Test.java:10:31:10:41 | data : byte[] | Test.java:11:12:11:51 | new String(...) : String | Test.java:22:36:22:53 | byteToString(...) |
| Test.java:25:69:25:72 | data : byte[] | Test.java:10:31:10:41 | data : byte[] | Test.java:11:12:11:51 | new String(...) : String | Test.java:25:56:25:73 | byteToString(...) : String |
| Test.java:67:69:67:72 | data : byte[] | Test.java:10:31:10:41 | data : byte[] | Test.java:11:12:11:51 | new String(...) : String | Test.java:67:56:67:73 | byteToString(...) : String |
| Test.java:70:49:70:52 | data : byte[] | Test.java:10:31:10:41 | data : byte[] | Test.java:11:12:11:51 | new String(...) : String | Test.java:70:36:70:53 | byteToString(...) |
#select
| Test.java:19:5:19:25 | getInputStream(...) : InputStream | Test.java:22:36:22:53 | byteToString(...) |
| Test.java:19:5:19:25 | getInputStream(...) : InputStream | Test.java:25:26:25:80 | ... + ... |
| Test.java:30:21:30:61 | executeQuery(...) : String | Test.java:33:26:33:68 | ... + ... |
| Test.java:30:21:30:61 | executeQuery(...) : String | Test.java:36:36:36:41 | result |
| Test.java:64:5:64:13 | System.in : InputStream | Test.java:67:26:67:80 | ... + ... |
| Test.java:64:5:64:13 | System.in : InputStream | Test.java:70:36:70:53 | byteToString(...) |

View File

@@ -0,0 +1,16 @@
extensions:
- addsTo:
pack: codeql/threat-models
extensible: threatModelConfiguration
data:
- ["local", true, 0]
- ["environment", false, 1]
- addsTo:
pack: codeql/java-all
extensible: sourceModel
data:
- ["testlib", "TestSources", False, "executeQuery", "(String)", "", "ReturnValue", "database", "manual"]
- ["testlib", "TestSources", False, "readEnv", "(String)", "", "ReturnValue", "environment", "manual"]
- ["testlib", "TestSources", False, "getCustom", "(String)", "", "ReturnValue", "custom", "manual"]

View File

@@ -0,0 +1,12 @@
/**
* This is a dataflow test using the "default" threat model with the
* addition of the threat model group "local", but without the
* "environment" threat model.
*/
import Test
import ThreatModel::PathGraph
from ThreatModel::PathNode source, ThreatModel::PathNode sink
where ThreatModel::flowPath(source, sink)
select source, sink

View File

@@ -1,4 +0,0 @@
| default |
| remote |
| request |
| response |

View File

@@ -1,5 +0,0 @@
import semmle.code.java.dataflow.ExternalFlowConfiguration as ExternalFlowConfiguration
query predicate supportedThreatModels(string kind) {
ExternalFlowConfiguration::currentThreatModel(kind)
}

View File

@@ -1,9 +0,0 @@
| commandargs |
| database |
| default |
| environment |
| file |
| local |
| remote |
| request |
| response |

View File

@@ -1,7 +0,0 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: supportedThreatModels
data:
- ["local"] # Add the "local" group threat model.

View File

@@ -1,5 +0,0 @@
import semmle.code.java.dataflow.ExternalFlowConfiguration as ExternalFlowConfiguration
query predicate supportedThreatModels(string kind) {
ExternalFlowConfiguration::currentThreatModel(kind)
}