Cleanup helper dataflow configuration

Ed Minnix
2023-11-07 16:19:15 -05:00
parent f05f16116b
commit d4e2b84348


@@ -7,10 +7,8 @@ private import semmle.code.java.Maps
private import semmle.code.java.JDK
private module ProcessBuilderEnvironmentConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source.getType() instanceof TypeProcessBuilder }
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(MethodCall mc | mc.getQualifier() = node1.asExpr() and mc = node2.asExpr() |
predicate isSource(DataFlow::Node source) {
exists(MethodCall mc | mc = source.asExpr() |
mc.getMethod().hasQualifiedName("java.lang", "ProcessBuilder", "environment")
)
}
@@ -18,8 +16,7 @@ private module ProcessBuilderEnvironmentConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(MapPutCall mpc).getQualifier() }
}
private module ProcessBuilderEnvironmentFlow =
TaintTracking::Global<ProcessBuilderEnvironmentConfig>;
private module ProcessBuilderEnvironmentFlow = DataFlow::Global<ProcessBuilderEnvironmentConfig>;
module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
@@ -28,7 +25,7 @@ module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
sinkNode(sink, "environment-injection")
or
exists(MapPutCall mpc | mpc.getAnArgument() = sink.asExpr() |
ProcessBuilderEnvironmentFlow::flow(_, DataFlow::exprNode(mpc.getQualifier()))
ProcessBuilderEnvironmentFlow::flowToExpr(mpc.getQualifier())
)
}
}
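Review bot: The private `ProcessBuilderEnvironmentConfig` module has no QLDoc, and its intent is now harder to read off the code: as far as the rendered lines show, the source becomes the result of the `ProcessBuilder.environment()` call and the helper moves to `DataFlow::Global`, so only value flow of that map object is tracked. A comment above the module such as `/** Tracks the map returned by ProcessBuilder.environment() to the qualifier of a Map.put call; value flow only. */` would record why taint steps are not needed here. Separately, both the helper's `isSink` and the `ExecTaintedEnvironmentConfig` sink are tied to `MapPutCall`; if that class models only `put`, threat-model data written to the environment map through other mutators such as `putAll` would go unreported, and a test case would show whether that gap is real. Both module bodies are only partly visible in these hunks.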