hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 19:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #13754 from aschackmull/java/remotesource-inbarrier

Browse Source 
Java: Exclude source-to-source flow in 5 queries.
This commit is contained in:
Anders Schack-Mulligen
2023-07-18 10:33:44 +02:00
committed by GitHub
parent b5a8a8d431 6770d2a49b
commit e72366194b
5 changed files with 12 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
View File

@@ -11,6 +11,8 @@ module RemoteUserInputOverflowConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) } predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }
predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) } predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) }
predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
} }
/** A taint-tracking configuration to reason about underflow from unvalidated user input. */ /** A taint-tracking configuration to reason about underflow from unvalidated user input. */
@@ -20,6 +22,8 @@ module RemoteUserInputUnderflowConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) } predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) } predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }
predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
} }
/** Taint-tracking flow for overflow from unvalidated user input. */ /** Taint-tracking flow for overflow from unvalidated user input. */

2
java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll
View File

@@ -15,6 +15,8 @@ module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig {
} }
predicate isBarrier(DataFlow::Node node) { node.getType() instanceof BooleanType } predicate isBarrier(DataFlow::Node node) { node.getType() instanceof BooleanType }
predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
} }
/** /**

2
java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll
View File

@@ -36,6 +36,8 @@ module LogInjectionConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
any(LogInjectionAdditionalTaintStep c).step(node1, node2) any(LogInjectionAdditionalTaintStep c).step(node1, node2)
} }
predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
} }
/** /**

2
java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
View File

@@ -100,6 +100,8 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig {
node.getEnclosingCallable() instanceof HashCodeMethod or node.getEnclosingCallable() instanceof HashCodeMethod or
exists(RightShiftOp e | e.getShiftedVariable().getAnAccess() = node.asExpr()) exists(RightShiftOp e | e.getShiftedVariable().getAnAccess() = node.asExpr())
} }
predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
} }
/** /**

2
java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll
View File

@@ -51,6 +51,8 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
} }
predicate isBarrier(DataFlow::Node node) { node instanceof RequestForgerySanitizer } predicate isBarrier(DataFlow::Node node) { node instanceof RequestForgerySanitizer }
predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
} }
module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>; module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>;