Optimize the query

This commit is contained in:
luchua-bc
2021-05-11 20:09:37 +00:00
parent d664aa6d6a
commit e4699f7fa9
5 changed files with 99 additions and 92 deletions


@@ -1,3 +1,7 @@
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.Scriptable;
public class RhinoInjection extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
@@ -20,10 +24,7 @@ public class RhinoInjection extends HttpServlet {
Scriptable scope = ctx.initStandardObjects();
ctx.setClassShutter(new ClassShutter() {
public boolean visibleToScripts(String className) {
if(className.startsWith("com.example.")) {
return true;
}
return false;
return className.startsWith("com.example.");
}
});
}
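Review bot: Nothing in this block marks it as the sanitized case the query is meant to skip; the `setClassShutter` call whose body is now `return className.startsWith("com.example.");` is what suppresses the alert, but a reader of the test file has to know the query's sanitizer rule to see that. If that is the intent, a comment above `ctx.setClassShutter(new ClassShutter() {` such as `// Safe: ClassShutter restricts script-visible classes to com.example.* - expected not to be flagged` would document it; the same applies to the identical block in RhinoServlet.java in its hunk starting at line 63. The enclosing doGet starts and ends outside this hunk.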


@@ -1,7 +1,7 @@
/**
* @name Injection in Java Script Engine
* @description Evaluation of a user-controlled malicious JavaScript or Java expression in
* Java Script Engine may lead to remote code execution.
* @description Evaluation of user-controlled data using the Java Script Engine may
* lead to remote code execution.
* @kind path-problem
* @problem.severity error
* @precision high
@@ -78,43 +78,37 @@ predicate scriptEngine(MethodAccess ma, Expr sink) {
}
/**
* Holds if a Rhino expression evaluation method has the code injection vulnerability.
* Holds if a Rhino expression evaluation method is vulnerable to code injection.
*/
predicate evaluateRhinoExpression(MethodAccess ma, Expr sink) {
exists(RhinoEvaluateExpressionMethod m | m = ma.getMethod() |
(
sink = ma.getArgument(1) and // The second argument is the JavaScript or Java input
not ma.getMethod().getName() = "compileReader"
or
sink = ma.getArgument(0) and // The first argument is the input reader
ma.getMethod().getName() = "compileReader"
if ma.getMethod().getName() = "compileReader"
then sink = ma.getArgument(0) // The first argument is the input reader
else sink = ma.getArgument(1) // The second argument is the JavaScript or Java input
) and
not exists(MethodAccess ca |
(
ca.getMethod().hasName("initSafeStandardObjects") // safe mode
or
ca.getMethod().hasName("setClassShutter") // `ClassShutter` constraint is enforced
) and
ca.getMethod().hasName(["initSafeStandardObjects", "setClassShutter"]) and // safe mode or `ClassShutter` constraint is enforced
ma.getQualifier() = ca.getQualifier().(VarAccess).getVariable().getAnAccess()
)
)
}
/**
* Holds if a Rhino expression compilation method has the code injection vulnerability.
* Holds if a Rhino expression compilation method is vulnerable to code injection.
*/
predicate compileScript(MethodAccess ma, Expr sink) {
exists(RhinoCompileClassMethod m | m = ma.getMethod() | sink = ma.getArgument(0))
}
/**
* Holds if a Rhino class loading method has the code injection vulnerability.
* Holds if a Rhino class loading method is vulnerable to code injection.
*/
predicate defineClass(MethodAccess ma, Expr sink) {
exists(RhinoDefineClassMethod m | m = ma.getMethod() | sink = ma.getArgument(1))
}
/** A sink of script injection. */
/** A script injection sink. */
class ScriptInjectionSink extends DataFlow::ExprNode {
ScriptInjectionSink() {
scriptEngine(_, this.getExpr()) or
@@ -123,6 +117,7 @@ class ScriptInjectionSink extends DataFlow::ExprNode {
defineClass(_, this.getExpr())
}
/** An access to the method associated with this sink. */
MethodAccess getMethodAccess() {
scriptEngine(result, this.getExpr()) or
evaluateRhinoExpression(result, this.getExpr()) or
@@ -134,11 +129,7 @@ class ScriptInjectionSink extends DataFlow::ExprNode {
class ScriptInjectionConfiguration extends TaintTracking::Configuration {
ScriptInjectionConfiguration() { this = "ScriptInjectionConfiguration" }
override predicate isSource(DataFlow::Node source) {
source instanceof RemoteFlowSource
or
source instanceof LocalUserInput
}
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof ScriptInjectionSink }
}
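Review bot: The sanitizer condition `ca.getMethod().hasName(["initSafeStandardObjects", "setClassShutter"]) and ma.getQualifier() = ca.getQualifier().(VarAccess).getVariable().getAnAccess()` suppresses the result whenever any access to the same Context variable calls one of those methods, without checking what the shutter permits or whether that call precedes the evaluation. A `setClassShutter` whose `visibleToScripts` returns `true` for every class, or one reached only on a different control-flow path, would still silence the alert. If this is an intentional precision trade-off, a comment on that line such as `// Treated as a sanitizer regardless of the shutter's policy or call order` would make the assumption explicit; a stricter check could relate the two accesses by control-flow dominance, but that is a separate change.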


@@ -63,10 +63,7 @@ public class RhinoServlet extends HttpServlet {
Scriptable scope = ctx.initStandardObjects();
ctx.setClassShutter(new ClassShutter() {
public boolean visibleToScripts(String className) {
if(className.startsWith("com.example.")) {
return true;
}
return false;
return className.startsWith("com.example.");
}
});


@@ -1,9 +1,21 @@
import javax.script.AbstractScriptEngine;
import javax.script.Compilable;
import javax.script.CompiledScript;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptEngineFactory;
import javax.script.ScriptException;
import jdk.nashorn.api.scripting.NashornScriptEngine;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;
import javax.script.*;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class ScriptEngineTest {
public class ScriptEngineTest extends HttpServlet {
public void testWithScriptEngineReference(String input) throws ScriptException {
ScriptEngineManager scriptEngineManager = new ScriptEngineManager();
@@ -47,16 +59,7 @@ public class ScriptEngineTest {
String program = engine.getFactory().getProgram(input);
Object result = engine.eval(program);
}
public static void main(String[] args) throws ScriptException {
new ScriptEngineTest().testWithScriptEngineReference(args[0]);
new ScriptEngineTest().testNashornWithScriptEngineReference(args[0]);
new ScriptEngineTest().testNashornWithNashornScriptEngineReference(args[0]);
new ScriptEngineTest().testCustomScriptEngineReference(args[0]);
new ScriptEngineTest().testScriptEngineCompilable(args[0]);
new ScriptEngineTest().testScriptEngineGetProgram(args[0]);
}
private static class MyCustomScriptEngine extends AbstractScriptEngine {
public Object eval(String var1) throws ScriptException { return null; }
@@ -82,4 +85,19 @@ public class ScriptEngineTest {
@Override
public String getProgram(final String... statements) { return null; }
}
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
try {
String code = request.getParameter("code");
new ScriptEngineTest().testWithScriptEngineReference(code);
new ScriptEngineTest().testNashornWithScriptEngineReference(code);
new ScriptEngineTest().testNashornWithNashornScriptEngineReference(code);
new ScriptEngineTest().testCustomScriptEngineReference(code);
new ScriptEngineTest().testScriptEngineCompilable(code);
new ScriptEngineTest().testScriptEngineGetProgram(code);
} catch (ScriptException se) {
throw new IOException(se.getMessage());
}
}
}
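Review bot: The catch block `throw new IOException(se.getMessage());` drops the ScriptException as the cause, so the original stack trace is lost; `throw new IOException(se.getMessage(), se);` keeps the message and preserves the cause. The six `new ScriptEngineTest().test...(code)` calls run inside an instance method, so plain `testWithScriptEngineReference(code)` and its siblings would reach the same sinks; if fresh instances are deliberate so the query's call edge from doGet is exercised the way the removed main used to, a one-line comment saying so would help the next reader. The removed `jdk.nashorn.api.scripting` imports are not covered by `javax.script.*`, so if `testNashornWithNashornScriptEngineReference` still references `NashornScriptEngine` in the part of the file outside these hunks, the file would no longer compile - worth confirming.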


@@ -1,58 +1,58 @@
edges
| RhinoServlet.java:28:23:28:50 | getParameter(...) : String | RhinoServlet.java:32:55:32:58 | code |
| RhinoServlet.java:84:23:84:50 | getParameter(...) : String | RhinoServlet.java:86:54:86:57 | code |
| RhinoServlet.java:91:23:91:50 | getParameter(...) : String | RhinoServlet.java:92:74:92:88 | getBytes(...) |
| ScriptEngineTest.java:8:44:8:55 | input : String | ScriptEngineTest.java:12:37:12:41 | input |
| ScriptEngineTest.java:15:51:15:62 | input : String | ScriptEngineTest.java:19:31:19:35 | input |
| ScriptEngineTest.java:23:58:23:69 | input : String | ScriptEngineTest.java:27:31:27:35 | input |
| ScriptEngineTest.java:30:46:30:57 | input : String | ScriptEngineTest.java:34:31:34:35 | input |
| ScriptEngineTest.java:37:41:37:52 | input : String | ScriptEngineTest.java:40:42:40:46 | input |
| ScriptEngineTest.java:44:41:44:52 | input : String | ScriptEngineTest.java:47:51:47:55 | input |
| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:52:56:52:62 | ...[...] : String |
| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:53:63:53:69 | ...[...] : String |
| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:54:70:54:76 | ...[...] : String |
| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:55:58:55:64 | ...[...] : String |
| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:56:53:56:59 | ...[...] : String |
| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:57:53:57:59 | ...[...] : String |
| ScriptEngineTest.java:52:56:52:62 | ...[...] : String | ScriptEngineTest.java:8:44:8:55 | input : String |
| ScriptEngineTest.java:53:63:53:69 | ...[...] : String | ScriptEngineTest.java:15:51:15:62 | input : String |
| ScriptEngineTest.java:54:70:54:76 | ...[...] : String | ScriptEngineTest.java:23:58:23:69 | input : String |
| ScriptEngineTest.java:55:58:55:64 | ...[...] : String | ScriptEngineTest.java:30:46:30:57 | input : String |
| ScriptEngineTest.java:56:53:56:59 | ...[...] : String | ScriptEngineTest.java:37:41:37:52 | input : String |
| ScriptEngineTest.java:57:53:57:59 | ...[...] : String | ScriptEngineTest.java:44:41:44:52 | input : String |
| RhinoServlet.java:81:23:81:50 | getParameter(...) : String | RhinoServlet.java:83:54:83:57 | code |
| RhinoServlet.java:88:23:88:50 | getParameter(...) : String | RhinoServlet.java:89:74:89:88 | getBytes(...) |
| ScriptEngineTest.java:20:44:20:55 | input : String | ScriptEngineTest.java:24:37:24:41 | input |
| ScriptEngineTest.java:27:51:27:62 | input : String | ScriptEngineTest.java:31:31:31:35 | input |
| ScriptEngineTest.java:35:58:35:69 | input : String | ScriptEngineTest.java:39:31:39:35 | input |
| ScriptEngineTest.java:42:46:42:57 | input : String | ScriptEngineTest.java:46:31:46:35 | input |
| ScriptEngineTest.java:49:41:49:52 | input : String | ScriptEngineTest.java:52:42:52:46 | input |
| ScriptEngineTest.java:56:41:56:52 | input : String | ScriptEngineTest.java:59:51:59:55 | input |
| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:93:57:93:60 | code : String |
| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:94:64:94:67 | code : String |
| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:95:71:95:74 | code : String |
| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:96:59:96:62 | code : String |
| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:97:54:97:57 | code : String |
| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:98:54:98:57 | code : String |
| ScriptEngineTest.java:93:57:93:60 | code : String | ScriptEngineTest.java:20:44:20:55 | input : String |
| ScriptEngineTest.java:94:64:94:67 | code : String | ScriptEngineTest.java:27:51:27:62 | input : String |
| ScriptEngineTest.java:95:71:95:74 | code : String | ScriptEngineTest.java:35:58:35:69 | input : String |
| ScriptEngineTest.java:96:59:96:62 | code : String | ScriptEngineTest.java:42:46:42:57 | input : String |
| ScriptEngineTest.java:97:54:97:57 | code : String | ScriptEngineTest.java:49:41:49:52 | input : String |
| ScriptEngineTest.java:98:54:98:57 | code : String | ScriptEngineTest.java:56:41:56:52 | input : String |
nodes
| RhinoServlet.java:28:23:28:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RhinoServlet.java:32:55:32:58 | code | semmle.label | code |
| RhinoServlet.java:84:23:84:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RhinoServlet.java:86:54:86:57 | code | semmle.label | code |
| RhinoServlet.java:91:23:91:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RhinoServlet.java:92:74:92:88 | getBytes(...) | semmle.label | getBytes(...) |
| ScriptEngineTest.java:8:44:8:55 | input : String | semmle.label | input : String |
| ScriptEngineTest.java:12:37:12:41 | input | semmle.label | input |
| ScriptEngineTest.java:15:51:15:62 | input : String | semmle.label | input : String |
| ScriptEngineTest.java:19:31:19:35 | input | semmle.label | input |
| ScriptEngineTest.java:23:58:23:69 | input : String | semmle.label | input : String |
| ScriptEngineTest.java:27:31:27:35 | input | semmle.label | input |
| ScriptEngineTest.java:30:46:30:57 | input : String | semmle.label | input : String |
| ScriptEngineTest.java:34:31:34:35 | input | semmle.label | input |
| ScriptEngineTest.java:37:41:37:52 | input : String | semmle.label | input : String |
| ScriptEngineTest.java:40:42:40:46 | input | semmle.label | input |
| ScriptEngineTest.java:44:41:44:52 | input : String | semmle.label | input : String |
| ScriptEngineTest.java:47:51:47:55 | input | semmle.label | input |
| ScriptEngineTest.java:51:26:51:38 | args : String[] | semmle.label | args : String[] |
| ScriptEngineTest.java:52:56:52:62 | ...[...] : String | semmle.label | ...[...] : String |
| ScriptEngineTest.java:53:63:53:69 | ...[...] : String | semmle.label | ...[...] : String |
| ScriptEngineTest.java:54:70:54:76 | ...[...] : String | semmle.label | ...[...] : String |
| ScriptEngineTest.java:55:58:55:64 | ...[...] : String | semmle.label | ...[...] : String |
| ScriptEngineTest.java:56:53:56:59 | ...[...] : String | semmle.label | ...[...] : String |
| ScriptEngineTest.java:57:53:57:59 | ...[...] : String | semmle.label | ...[...] : String |
| RhinoServlet.java:81:23:81:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RhinoServlet.java:83:54:83:57 | code | semmle.label | code |
| RhinoServlet.java:88:23:88:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RhinoServlet.java:89:74:89:88 | getBytes(...) | semmle.label | getBytes(...) |
| ScriptEngineTest.java:20:44:20:55 | input : String | semmle.label | input : String |
| ScriptEngineTest.java:24:37:24:41 | input | semmle.label | input |
| ScriptEngineTest.java:27:51:27:62 | input : String | semmle.label | input : String |
| ScriptEngineTest.java:31:31:31:35 | input | semmle.label | input |
| ScriptEngineTest.java:35:58:35:69 | input : String | semmle.label | input : String |
| ScriptEngineTest.java:39:31:39:35 | input | semmle.label | input |
| ScriptEngineTest.java:42:46:42:57 | input : String | semmle.label | input : String |
| ScriptEngineTest.java:46:31:46:35 | input | semmle.label | input |
| ScriptEngineTest.java:49:41:49:52 | input : String | semmle.label | input : String |
| ScriptEngineTest.java:52:42:52:46 | input | semmle.label | input |
| ScriptEngineTest.java:56:41:56:52 | input : String | semmle.label | input : String |
| ScriptEngineTest.java:59:51:59:55 | input | semmle.label | input |
| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| ScriptEngineTest.java:93:57:93:60 | code : String | semmle.label | code : String |
| ScriptEngineTest.java:94:64:94:67 | code : String | semmle.label | code : String |
| ScriptEngineTest.java:95:71:95:74 | code : String | semmle.label | code : String |
| ScriptEngineTest.java:96:59:96:62 | code : String | semmle.label | code : String |
| ScriptEngineTest.java:97:54:97:57 | code : String | semmle.label | code : String |
| ScriptEngineTest.java:98:54:98:57 | code : String | semmle.label | code : String |
#select
| RhinoServlet.java:32:29:32:78 | evaluateString(...) | RhinoServlet.java:28:23:28:50 | getParameter(...) : String | RhinoServlet.java:32:55:32:58 | code | Java Script Engine evaluate $@. | RhinoServlet.java:28:23:28:50 | getParameter(...) | user input |
| RhinoServlet.java:86:25:86:97 | compileToClassFiles(...) | RhinoServlet.java:84:23:84:50 | getParameter(...) : String | RhinoServlet.java:86:54:86:57 | code | Java Script Engine evaluate $@. | RhinoServlet.java:84:23:84:50 | getParameter(...) | user input |
| RhinoServlet.java:92:23:92:89 | defineClass(...) | RhinoServlet.java:91:23:91:50 | getParameter(...) : String | RhinoServlet.java:92:74:92:88 | getBytes(...) | Java Script Engine evaluate $@. | RhinoServlet.java:91:23:91:50 | getParameter(...) | user input |
| ScriptEngineTest.java:12:19:12:42 | eval(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:12:37:12:41 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
| ScriptEngineTest.java:19:19:19:36 | eval(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:19:31:19:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
| ScriptEngineTest.java:27:19:27:36 | eval(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:27:31:27:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
| ScriptEngineTest.java:34:19:34:36 | eval(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:34:31:34:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
| ScriptEngineTest.java:40:27:40:47 | compile(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:40:42:40:46 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
| ScriptEngineTest.java:47:20:47:56 | getProgram(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:47:51:47:55 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
| RhinoServlet.java:83:25:83:97 | compileToClassFiles(...) | RhinoServlet.java:81:23:81:50 | getParameter(...) : String | RhinoServlet.java:83:54:83:57 | code | Java Script Engine evaluate $@. | RhinoServlet.java:81:23:81:50 | getParameter(...) | user input |
| RhinoServlet.java:89:23:89:89 | defineClass(...) | RhinoServlet.java:88:23:88:50 | getParameter(...) : String | RhinoServlet.java:89:74:89:88 | getBytes(...) | Java Script Engine evaluate $@. | RhinoServlet.java:88:23:88:50 | getParameter(...) | user input |
| ScriptEngineTest.java:24:19:24:42 | eval(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:24:37:24:41 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
| ScriptEngineTest.java:31:19:31:36 | eval(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:31:31:31:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
| ScriptEngineTest.java:39:19:39:36 | eval(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:39:31:39:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
| ScriptEngineTest.java:46:19:46:36 | eval(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:46:31:46:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
| ScriptEngineTest.java:52:27:52:47 | compile(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:52:42:52:46 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
| ScriptEngineTest.java:59:20:59:56 | getProgram(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:59:51:59:55 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |