Merge branch 'main' into redosPrefix

2025-12-24 04:36:35 +01:00 · 2022-08-19 19:22:49 +02:00
parent d052b1e3c9 e39475d778
commit bcf4c57060
159 changed files with 1805 additions and 1575 deletions
--- a/java/ql/lib/change-notes/2022-08-19-java-19-support.md
+++ b/java/ql/lib/change-notes/2022-08-19-java-19-support.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Java 19 builds can now be extracted. There are no non-preview new language features in this release, so the only user-visible change is that the CodeQL extractor will now correctly trace compilations using the JDK 19 release of `javac`.
--- a/java/ql/lib/semmle/code/java/frameworks/android/SQLite.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/android/SQLite.qll
@@ -9,21 +9,23 @@ private import semmle.code.java.frameworks.android.Android
 * The class `android.database.sqlite.SQLiteDatabase`.
 */
 class TypeSQLiteDatabase extends Class {
-  TypeSQLiteDatabase() { hasQualifiedName("android.database.sqlite", "SQLiteDatabase") }
+  TypeSQLiteDatabase() { this.hasQualifiedName("android.database.sqlite", "SQLiteDatabase") }
 }

 /**
 * The class `android.database.sqlite.SQLiteQueryBuilder`.
 */
 class TypeSQLiteQueryBuilder extends Class {
-  TypeSQLiteQueryBuilder() { hasQualifiedName("android.database.sqlite", "SQLiteQueryBuilder") }
+  TypeSQLiteQueryBuilder() {
+    this.hasQualifiedName("android.database.sqlite", "SQLiteQueryBuilder")
+  }
 }

 /**
 * The class `android.database.DatabaseUtils`.
 */
 class TypeDatabaseUtils extends Class {
-  TypeDatabaseUtils() { hasQualifiedName("android.database", "DatabaseUtils") }
+  TypeDatabaseUtils() { this.hasQualifiedName("android.database", "DatabaseUtils") }
 }

 /**
--- a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
@@ -17,6 +17,14 @@ class CredentialExpr extends Expr {
  }
 }

+/** An instantiation of a (reflexive, transitive) subtype of `java.lang.reflect.Type`. */
+private class TypeType extends RefType {
+  pragma[nomagic]
+  TypeType() {
+    this.getSourceDeclaration().getASourceSupertype*().hasQualifiedName("java.lang.reflect", "Type")
+  }
+}
+
 /** A data-flow configuration for identifying potentially-sensitive data flowing to a log output. */
 class SensitiveLoggerConfiguration extends TaintTracking::Configuration {
  SensitiveLoggerConfiguration() { this = "SensitiveLoggerConfiguration" }
@@ -26,7 +34,11 @@ class SensitiveLoggerConfiguration extends TaintTracking::Configuration {
  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "logging") }

  override predicate isSanitizer(DataFlow::Node sanitizer) {
-    sanitizer.asExpr() instanceof LiveLiteral
+    sanitizer.asExpr() instanceof LiveLiteral or
+    sanitizer.getType() instanceof PrimitiveType or
+    sanitizer.getType() instanceof BoxedType or
+    sanitizer.getType() instanceof NumberType or
+    sanitizer.getType() instanceof TypeType
  }

  override predicate isSanitizerIn(Node node) { isSource(node) }
--- a/java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll
+++ b/java/ql/src/Security/CWE/CWE-200/TempDirUtils.qll
@@ -53,7 +53,7 @@ private class FileSetRedableMethodAccess extends MethodAccess {
  private predicate isCallToSecondArgumentWithValue(boolean value) {
    this.getMethod().getNumberOfParameters() = 1 and value = true
    or
-    isCallWithArgument(1, value)
+    this.isCallWithArgument(1, value)
  }

  private predicate isCallWithArgument(int index, boolean arg) {
--- a/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
@@ -23,7 +23,8 @@ private class NumericCastFlowConfig extends TaintTracking::Configuration {
  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }

  override predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() = any(NumericNarrowingCastExpr cast).getExpr()
+    sink.asExpr() = any(NumericNarrowingCastExpr cast).getExpr() and
+    sink.asExpr() instanceof VarAccess
  }

  override predicate isSanitizer(DataFlow::Node node) {
@@ -31,18 +32,17 @@ private class NumericCastFlowConfig extends TaintTracking::Configuration {
    castCheck(node.asExpr()) or
    node.getType() instanceof SmallType or
    smallExpr(node.asExpr()) or
-    node.getEnclosingCallable() instanceof HashCodeMethod
+    node.getEnclosingCallable() instanceof HashCodeMethod or
+    exists(RightShiftOp e | e.getShiftedVariable().getAnAccess() = node.asExpr())
  }
 }

 from
  DataFlow::PathNode source, DataFlow::PathNode sink, NumericNarrowingCastExpr exp,
-  VarAccess tainted, NumericCastFlowConfig conf
+  NumericCastFlowConfig conf
 where
-  exp.getExpr() = tainted and
-  sink.getNode().asExpr() = tainted and
-  conf.hasFlowPath(source, sink) and
-  not exists(RightShiftOp e | e.getShiftedVariable() = tainted.getVariable())
+  sink.getNode().asExpr() = exp.getExpr() and
+  conf.hasFlowPath(source, sink)
 select exp, source, sink,
  "$@ flows to here and is cast to a narrower type, potentially causing truncation.",
  source.getNode(), "User-provided value"
--- a/java/ql/src/change-notes/2022-08-18-sensitive-log-sanitizer.md
+++ b/java/ql/src/change-notes/2022-08-18-sensitive-log-sanitizer.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved sanitizers for `java/sensitive-log`, which removes some false positives and improves performance a bit.