hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 11:16:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Refactor Security.CWE.CWE-134.ExternallyControlledFormatString

Browse Source
This commit is contained in:
Ed Minnix
2023-03-15 13:39:19 -04:00
parent ac223ea57f
commit d34dbbc96f
2 changed files with 27 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
View File

@@ -13,25 +13,29 @@
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.StringFormat
import DataFlow::PathGraph
class ExternallyControlledFormatStringConfig extends TaintTracking::Configuration {
ExternallyControlledFormatStringConfig() { this = "ExternallyControlledFormatStringConfig" }
module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
sink.asExpr() = any(StringFormat formatCall).getFormatArgument()
}
override predicate isSanitizer(DataFlow::Node node) {
predicate isBarrier(DataFlow::Node node) {
node.getType() instanceof NumericType or node.getType() instanceof BooleanType
}
}
module ExternallyControlledFormatStringFlow =
TaintTracking::Make<ExternallyControlledFormatStringConfig>;
import ExternallyControlledFormatStringFlow::PathGraph
from
DataFlow::PathNode source, DataFlow::PathNode sink, StringFormat formatCall,
ExternallyControlledFormatStringConfig conf
where conf.hasFlowPath(source, sink) and sink.getNode().asExpr() = formatCall.getFormatArgument()
ExternallyControlledFormatStringFlow::PathNode source,
ExternallyControlledFormatStringFlow::PathNode sink, StringFormat formatCall
where
ExternallyControlledFormatStringFlow::hasFlowPath(source, sink) and
sink.getNode().asExpr() = formatCall.getFormatArgument()
select formatCall.getFormatArgument(), source, sink, "Format string depends on a $@.",
source.getNode(), "user-provided value"

24
java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
View File

@@ -13,23 +13,25 @@
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.StringFormat
import DataFlow::PathGraph
class ExternallyControlledFormatStringLocalConfig extends TaintTracking::Configuration {
ExternallyControlledFormatStringLocalConfig() {
this = "ExternallyControlledFormatStringLocalConfig"
}
private module ExternallyControlledFormatStringLocalConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
sink.asExpr() = any(StringFormat formatCall).getFormatArgument()
}
}
module ExternallyControlledFormatStringLocalFlow =
TaintTracking::Make<ExternallyControlledFormatStringLocalConfig>;
import ExternallyControlledFormatStringLocalFlow::PathGraph
from
DataFlow::PathNode source, DataFlow::PathNode sink, StringFormat formatCall,
ExternallyControlledFormatStringLocalConfig conf
where conf.hasFlowPath(source, sink) and sink.getNode().asExpr() = formatCall.getFormatArgument()
ExternallyControlledFormatStringLocalFlow::PathNode source,
ExternallyControlledFormatStringLocalFlow::PathNode sink, StringFormat formatCall
where
ExternallyControlledFormatStringLocalFlow::hasFlowPath(source, sink) and
sink.getNode().asExpr() = formatCall.getFormatArgument()
select formatCall.getFormatArgument(), source, sink, "Format string depends on a $@.",
source.getNode(), "user-provided value"