hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 18:55:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Refactor SensitiveResultReceiver

Browse Source
This commit is contained in:
Ed Minnix
2023-04-03 14:01:54 -04:00
parent 735a7383c6
commit cd661f1d9f
2 changed files with 23 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll
View File

@@ -17,45 +17,44 @@ private class ResultReceiverSendCall extends MethodAccess {
Expr getSentData() { result = this.getArgument(1) }
}
private class UntrustedResultReceiverConf extends TaintTracking2::Configuration {
UntrustedResultReceiverConf() { this = "UntrustedResultReceiverConf" }
private module UntrustedResultReceiverConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
override predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node node) {
predicate isSink(DataFlow::Node node) {
node.asExpr() = any(ResultReceiverSendCall c).getReceiver()
}
}
private module UntrustedResultReceiverFlow = TaintTracking::Global<UntrustedResultReceiverConfig>;
private predicate untrustedResultReceiverSend(DataFlow::Node src, ResultReceiverSendCall call) {
any(UntrustedResultReceiverConf c).hasFlow(src, DataFlow::exprNode(call.getReceiver()))
UntrustedResultReceiverFlow::flow(src, DataFlow::exprNode(call.getReceiver()))
}
private class SensitiveResultReceiverConf extends TaintTracking::Configuration {
SensitiveResultReceiverConf() { this = "SensitiveResultReceiverConf" }
private module SensitiveResultReceiverConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
override predicate isSink(DataFlow::Node node) {
predicate isSink(DataFlow::Node node) {
exists(ResultReceiverSendCall call |
untrustedResultReceiverSend(_, call) and
node.asExpr() = call.getSentData()
)
}
override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
super.allowImplicitRead(node, c)
or
this.isSink(node)
}
predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) { isSink(node) }
}
/** Holds if there is a path from sensitive data at `src` to a result receiver at `sink`, and the receiver was obtained from an untrusted source `recSrc`. */
module SensitiveResultReceiverFlow = TaintTracking::Global<SensitiveResultReceiverConfig>;
/**
* Holds if there is a path from sensitive data at `src` to a result receiver at `sink`, and the receiver was obtained from an untrusted source `recSrc`.
*/
predicate sensitiveResultReceiver(
DataFlow::PathNode src, DataFlow::PathNode sink, DataFlow::Node recSrc
SensitiveResultReceiverFlow::PathNode src, SensitiveResultReceiverFlow::PathNode sink,
DataFlow::Node recSrc
) {
exists(ResultReceiverSendCall call, SensitiveResultReceiverConf conf |
conf.hasFlowPath(src, sink) and
exists(ResultReceiverSendCall call |
SensitiveResultReceiverFlow::flowPath(src, sink) and
sink.getNode().asExpr() = call.getSentData() and
untrustedResultReceiverSend(recSrc, call)
)