Merge pull request #9294 from aschackmull/java/barrierguard-parammod
Java: Add support for BarrierGuards as parameterised modules.
@@ -304,6 +304,33 @@ class ContentSet instanceof Content {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Holds if the guard `g` validates the expression `e` upon evaluating to `branch`.
|
||||||
|
*
|
||||||
|
* The expression `e` is expected to be a syntactic part of the guard `g`.
|
||||||
|
* For example, the guard `g` might be a call `isSafe(x)` and the expression `e`
|
||||||
|
* the argument `x`.
|
||||||
|
*/
|
||||||
|
signature predicate guardChecksSig(Guard g, Expr e, boolean branch);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Provides a set of barrier nodes for a guard that validates an expression.
|
||||||
|
*
|
||||||
|
* This is expected to be used in `isBarrier`/`isSanitizer` definitions
|
||||||
|
* in data flow and taint tracking.
|
||||||
|
*/
|
||||||
|
module BarrierGuard<guardChecksSig/3 guardChecks> {
|
||||||
|
/** Gets a node that is safely guarded by the given guard check. */
|
||||||
|
Node getABarrierNode() {
|
||||||
|
exists(Guard g, SsaVariable v, boolean branch, RValue use |
|
||||||
|
guardChecks(g, v.getAUse(), branch) and
|
||||||
|
use = v.getAUse() and
|
||||||
|
g.controls(use.getBasicBlock(), branch) and
|
||||||
|
result.asExpr() = use
|
||||||
|
)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A guard that validates some expression.
|
* A guard that validates some expression.
|
||||||
*
|
*
|
||||||
|
|||||||
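Review bot: `getABarrierNode` only returns reads of an SSA variable, because both the checked expression and the guarded use are bound through `v.getAUse()`, and the QLDoc on the module does not say so. A `guardChecks` predicate whose `e` is anything SSA does not track (a call result, for example) yields no barrier node at all, so a sanitizer written that way would have no effect on the query without any warning. I would add a line to the module comment such as `* Only reads of the SSA variable checked by the guard, in blocks the guard controls, are returned.` so query authors know the constraint when they write their `guardChecks` predicate.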
@@ -19,15 +19,13 @@ import semmle.code.java.security.PathCreation
|
|||||||
import DataFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
import TaintedPathCommon
|
import TaintedPathCommon
|
||||||
|
|
||||||
class ContainsDotDotSanitizer extends DataFlow::BarrierGuard {
|
predicate containsDotDotSanitizer(Guard g, Expr e, boolean branch) {
|
||||||
ContainsDotDotSanitizer() {
|
exists(MethodAccess contains | g = contains |
|
||||||
this.(MethodAccess).getMethod().hasName("contains") and
|
contains.getMethod().hasName("contains") and
|
||||||
this.(MethodAccess).getAnArgument().(StringLiteral).getValue() = ".."
|
contains.getAnArgument().(StringLiteral).getValue() = ".." and
|
||||||
}
|
e = contains.getQualifier() and
|
||||||
|
branch = false
|
||||||
override predicate checks(Expr e, boolean branch) {
|
)
|
||||||
e = this.(MethodAccess).getQualifier() and branch = false
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
class TaintedPathConfig extends TaintTracking::Configuration {
|
class TaintedPathConfig extends TaintTracking::Configuration {
|
||||||
@@ -41,10 +39,8 @@ class TaintedPathConfig extends TaintTracking::Configuration {
|
|||||||
|
|
||||||
override predicate isSanitizer(DataFlow::Node node) {
|
override predicate isSanitizer(DataFlow::Node node) {
|
||||||
exists(Type t | t = node.getType() | t instanceof BoxedType or t instanceof PrimitiveType)
|
exists(Type t | t = node.getType() | t instanceof BoxedType or t instanceof PrimitiveType)
|
||||||
}
|
or
|
||||||
|
node = DataFlow::BarrierGuard<containsDotDotSanitizer/3>::getABarrierNode()
|
||||||
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
|
|
||||||
guard instanceof ContainsDotDotSanitizer
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
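Review bot: `containsDotDotSanitizer` matches any call to a method named `contains` with a `".."` string literal argument and places no constraint on the declaring type, so a `contains("..")` call on a collection or a user-defined class would also mark its qualifier as sanitized on the false branch and could suppress a genuine tainted-path result. The removed class had the same condition, so this is not a regression, but the rewrite is a natural place to tighten it with `contains.getMethod().getDeclaringType() instanceof TypeString and` inside the `exists`. The new predicate also has no QLDoc; a one-line comment stating that it holds when `g` is a `contains("..")` call on `e` and `branch` is `false` would document which branch is treated as safe. Separately, it is worth noting in that comment that the absence of `..` is only a partial check for path safety, so readers do not treat this guard as a complete validation.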