Merge pull request #10393 from zbazztian/uri-constructor-flow

Java: Model taint flow for java.net.URI constructors in tainted path queries
2026-05-05 13:45:19 +02:00 · 2022-09-16 15:10:40 +02:00
parent e6d4e87458 8c35803749
commit e140f04881
6 changed files with 83 additions and 1 deletions
--- a/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+++ b/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
@@ -48,6 +48,10 @@ class TaintedPathConfig extends TaintTracking::Configuration {
    or
    node = DataFlow::BarrierGuard<containsDotDotSanitizer/3>::getABarrierNode()
  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+    any(TaintedPathAdditionalTaintStep s).step(n1, n2)
+  }
 }

 /**
--- a/java/ql/src/Security/CWE/CWE-022/TaintedPathCommon.qll
+++ b/java/ql/src/Security/CWE/CWE-022/TaintedPathCommon.qll
@@ -5,6 +5,49 @@
 import java
 import semmle.code.java.controlflow.Guards
 import semmle.code.java.security.PathCreation
+import semmle.code.java.frameworks.Networking
+import semmle.code.java.dataflow.DataFlow
+
+/**
+ * A unit class for adding additional taint steps.
+ *
+ * Extend this class to add additional taint steps that should apply to tainted path flow configurations.
+ */
+class TaintedPathAdditionalTaintStep extends Unit {
+  abstract predicate step(DataFlow::Node n1, DataFlow::Node n2);
+}
+
+private class DefaultTaintedPathAdditionalTaintStep extends TaintedPathAdditionalTaintStep {
+  override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+    exists(Argument a |
+      a = n1.asExpr() and
+      a.getCall() = n2.asExpr() and
+      a = any(TaintPreservingUriCtorParam tpp).getAnArgument()
+    )
+  }
+}
+
+private class TaintPreservingUriCtorParam extends Parameter {
+  TaintPreservingUriCtorParam() {
+    exists(Constructor ctor, int idx, int nParams |
+      ctor.getDeclaringType() instanceof TypeUri and
+      this = ctor.getParameter(idx) and
+      nParams = ctor.getNumberOfParameters()
+    |
+      // URI(String scheme, String ssp, String fragment)
+      idx = 1 and nParams = 3
+      or
+      // URI(String scheme, String host, String path, String fragment)
+      idx = [1, 2] and nParams = 4
+      or
+      // URI(String scheme, String authority, String path, String query, String fragment)
+      idx = 2 and nParams = 5
+      or
+      // URI(String scheme, String userInfo, String host, int port, String path, String query, String fragment)
+      idx = 4 and nParams = 7
+    )
+  }
+}

 private predicate inWeakCheck(Expr e) {
  // None of these are sufficient to guarantee that a string is safe.
--- a/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql
@@ -27,6 +27,10 @@ class TaintedPathLocalConfig extends TaintTracking::Configuration {
  override predicate isSink(DataFlow::Node sink) {
    sink.asExpr() = any(PathCreation p).getAnInput()
  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+    any(TaintedPathAdditionalTaintStep s).step(n1, n2)
+  }
 }

 from