hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 18:55:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10393 from zbazztian/uri-constructor-flow

Browse Source 
Java: Model taint flow for java.net.URI constructors in tainted path queries
This commit is contained in:
Tony Torralba
2022-09-16 15:10:40 +02:00
committed by GitHub
parent e6d4e87458 8c35803749
commit e140f04881
6 changed files with 83 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
View File

@@ -48,6 +48,10 @@ class TaintedPathConfig extends TaintTracking::Configuration {
or
node = DataFlow::BarrierGuard<containsDotDotSanitizer/3>::getABarrierNode()
}
override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
any(TaintedPathAdditionalTaintStep s).step(n1, n2)
}
}
/**

43
java/ql/src/Security/CWE/CWE-022/TaintedPathCommon.qll
View File

@@ -5,6 +5,49 @@
import java
import semmle.code.java.controlflow.Guards
import semmle.code.java.security.PathCreation
import semmle.code.java.frameworks.Networking
import semmle.code.java.dataflow.DataFlow
/**
* A unit class for adding additional taint steps.
*
* Extend this class to add additional taint steps that should apply to tainted path flow configurations.
*/
class TaintedPathAdditionalTaintStep extends Unit {
abstract predicate step(DataFlow::Node n1, DataFlow::Node n2);
}
private class DefaultTaintedPathAdditionalTaintStep extends TaintedPathAdditionalTaintStep {
override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
exists(Argument a |
a = n1.asExpr() and
a.getCall() = n2.asExpr() and
a = any(TaintPreservingUriCtorParam tpp).getAnArgument()
)
}
}
private class TaintPreservingUriCtorParam extends Parameter {
TaintPreservingUriCtorParam() {
exists(Constructor ctor, int idx, int nParams |
ctor.getDeclaringType() instanceof TypeUri and
this = ctor.getParameter(idx) and
nParams = ctor.getNumberOfParameters()
|
// URI(String scheme, String ssp, String fragment)
idx = 1 and nParams = 3
or
// URI(String scheme, String host, String path, String fragment)
idx = [1, 2] and nParams = 4
or
// URI(String scheme, String authority, String path, String query, String fragment)
idx = 2 and nParams = 5
or
// URI(String scheme, String userInfo, String host, int port, String path, String query, String fragment)
idx = 4 and nParams = 7
)
}
}
private predicate inWeakCheck(Expr e) {
// None of these are sufficient to guarantee that a string is safe.

4
java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql
View File

@@ -27,6 +27,10 @@ class TaintedPathLocalConfig extends TaintTracking::Configuration {
override predicate isSink(DataFlow::Node sink) {
sink.asExpr() = any(PathCreation p).getAnInput()
}
override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
any(TaintedPathAdditionalTaintStep s).step(n1, n2)
}
}
from

4
java/ql/src/change-notes/2022-09-13-flow-model-for-uri-constructors.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added taint model for arguments of `java.net.URI` constructors to the queries `java/path-injection` and `java/path-injection-local`.

16
java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
View File

@@ -9,6 +9,11 @@ edges
| Test.java:80:31:80:32 | br : BufferedReader | Test.java:80:31:80:43 | readLine(...) : String |
| Test.java:80:31:80:43 | readLine(...) : String | Test.java:82:67:82:81 | ... + ... |
| Test.java:88:17:88:37 | getHostName(...) : String | Test.java:90:26:90:29 | temp |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:12:97:33 | new URI(...) |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:12:98:33 | new URI(...) |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:12:99:33 | new URI(...) |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:100:12:100:45 | new URI(...) |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:101:12:101:54 | new URI(...) |
nodes
| Test.java:19:18:19:38 | getHostName(...) : String | semmle.label | getHostName(...) : String |
| Test.java:24:20:24:23 | temp | semmle.label | temp |
@@ -23,6 +28,12 @@ nodes
| Test.java:82:67:82:81 | ... + ... | semmle.label | ... + ... |
| Test.java:88:17:88:37 | getHostName(...) : String | semmle.label | getHostName(...) : String |
| Test.java:90:26:90:29 | temp | semmle.label | temp |
| Test.java:95:14:95:34 | getHostName(...) : String | semmle.label | getHostName(...) : String |
| Test.java:97:12:97:33 | new URI(...) | semmle.label | new URI(...) |
| Test.java:98:12:98:33 | new URI(...) | semmle.label | new URI(...) |
| Test.java:99:12:99:33 | new URI(...) | semmle.label | new URI(...) |
| Test.java:100:12:100:45 | new URI(...) | semmle.label | new URI(...) |
| Test.java:101:12:101:54 | new URI(...) | semmle.label | new URI(...) |
subpaths
#select
| Test.java:24:11:24:24 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
@@ -31,3 +42,8 @@ subpaths
| Test.java:34:12:34:25 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:34:21:34:24 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
| Test.java:82:52:82:88 | new FileWriter(...) | Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:82:67:82:81 | ... + ... | $@ flows to here and is used in a path. | Test.java:79:74:79:97 | getInputStream(...) | User-provided value |
| Test.java:90:26:90:29 | temp | Test.java:88:17:88:37 | getHostName(...) : String | Test.java:90:26:90:29 | temp | $@ flows to here and is used in a path. | Test.java:88:17:88:37 | getHostName(...) | User-provided value |
| Test.java:97:3:97:34 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:12:97:33 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
| Test.java:98:3:98:34 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:12:98:33 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
| Test.java:99:3:99:34 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:12:99:33 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
| Test.java:100:3:100:46 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:100:12:100:45 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
| Test.java:101:3:101:55 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:101:12:101:54 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |

13
java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
View File

@@ -6,7 +6,7 @@ import javax.servlet.http.*;
import javax.servlet.ServletException;
import java.io.*;
import java.net.InetAddress;
import java.net.*;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.FileSystems;
@@ -89,4 +89,15 @@ class Test {
// BAD: open a file based on user input, using a MaD-documented API
new LockableFileWriter(temp);
}
void doGet5(InetAddress address)
throws URISyntaxException {
String t = address.getHostName();
// BAD: construct a file path with user input
new File(new URI(null, t, null));
new File(new URI(t, t, null, t));
new File(new URI(t, null, t, t));
new File(new URI(null, null, t, null, null));
new File(new URI(null, null, null, 0, t, null, null));
}
}