mirror of
https://github.com/github/codeql.git
synced 2025-12-20 18:56:32 +01:00
Java: Rename references.
This commit is contained in:
Anders Schack-Mulligen
@@ -28,7 +28,7 @@ class OnActivityResultIncomingIntent extends DataFlow::Node {
|
||||
*/
|
||||
predicate isRemoteSource() {
|
||||
exists(RefType startingType, Expr startActivityForResultArg |
|
||||
ImplicitStartActivityForResult::hasFlowToExpr(startActivityForResultArg) and
|
||||
ImplicitStartActivityForResult::flowToExpr(startActivityForResultArg) and
|
||||
// startingType is the class enclosing the method that calls `startActivityForResult`.
|
||||
startingType = startActivityForResultArg.getEnclosingCallable().getDeclaringType()
|
||||
|
|
||||
@@ -104,7 +104,7 @@ private module ImplicitStartActivityForResultConfig implements DataFlow::ConfigS
|
||||
}
|
||||
|
||||
private module ImplicitStartActivityForResult =
|
||||
DataFlow::Make<ImplicitStartActivityForResultConfig>;
|
||||
DataFlow::Global<ImplicitStartActivityForResultConfig>;
|
||||
|
||||
/** An Android Activity or Fragment. */
|
||||
private class ActivityOrFragment extends Class {
|
||||
|
||||
@@ -21,10 +21,10 @@ private module TypeLiteralToParseAsFlowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
private module TypeLiteralToParseAsFlow = DataFlow::Make<TypeLiteralToParseAsFlowConfig>;
|
||||
private module TypeLiteralToParseAsFlow = DataFlow::Global<TypeLiteralToParseAsFlowConfig>;
|
||||
|
||||
private TypeLiteral getSourceWithFlowToParseAs() {
|
||||
TypeLiteralToParseAsFlow::hasFlow(DataFlow::exprNode(result), _)
|
||||
TypeLiteralToParseAsFlow::flow(DataFlow::exprNode(result), _)
|
||||
}
|
||||
|
||||
/** A field that is deserialized by `HttpResponse.parseAs`. */
|
||||
|
||||
@@ -108,10 +108,10 @@ private module TypeLiteralToJacksonDatabindFlowConfig implements DataFlow::Confi
|
||||
}
|
||||
|
||||
private module TypeLiteralToJacksonDatabindFlow =
|
||||
DataFlow::Make<TypeLiteralToJacksonDatabindFlowConfig>;
|
||||
DataFlow::Global<TypeLiteralToJacksonDatabindFlowConfig>;
|
||||
|
||||
private TypeLiteral getSourceWithFlowToJacksonDatabind() {
|
||||
TypeLiteralToJacksonDatabindFlow::hasFlow(DataFlow::exprNode(result), _)
|
||||
TypeLiteralToJacksonDatabindFlow::flow(DataFlow::exprNode(result), _)
|
||||
}
|
||||
|
||||
/** A type whose values are explicitly deserialized in a call to a Jackson method. */
|
||||
|
||||
@@ -173,4 +173,4 @@ private module SensitiveCommunicationConfig implements DataFlow::ConfigSig {
|
||||
/**
|
||||
* Tracks taint flow from variables containing sensitive information to broadcast Intents.
|
||||
*/
|
||||
module SensitiveCommunicationFlow = TaintTracking::Make<SensitiveCommunicationConfig>;
|
||||
module SensitiveCommunicationFlow = TaintTracking::Global<SensitiveCommunicationConfig>;
|
||||
|
||||
@@ -17,15 +17,15 @@ private module ApkInstallationConfig implements DataFlow::ConfigSig {
|
||||
ma.getMethod() instanceof SetDataMethod and
|
||||
ma.getArgument(0) = node.asExpr() and
|
||||
(
|
||||
PackageArchiveMimeTypeFlow::hasFlowToExpr(ma.getQualifier())
|
||||
PackageArchiveMimeTypeFlow::flowToExpr(ma.getQualifier())
|
||||
or
|
||||
InstallPackageActionFlow::hasFlowToExpr(ma.getQualifier())
|
||||
InstallPackageActionFlow::flowToExpr(ma.getQualifier())
|
||||
)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
module ApkInstallationFlow = DataFlow::Make<ApkInstallationConfig>;
|
||||
module ApkInstallationFlow = DataFlow::Global<ApkInstallationConfig>;
|
||||
|
||||
private newtype ActionState =
|
||||
ActionUnset() or
|
||||
@@ -72,7 +72,7 @@ private module InstallPackageActionConfig implements DataFlow::StateConfigSig {
|
||||
predicate isBarrier(DataFlow::Node node, FlowState state) { none() }
|
||||
}
|
||||
|
||||
private module InstallPackageActionFlow = TaintTracking::MakeWithState<InstallPackageActionConfig>;
|
||||
private module InstallPackageActionFlow = TaintTracking::GlobalWithState<InstallPackageActionConfig>;
|
||||
|
||||
private newtype MimeTypeState =
|
||||
MimeTypeUnset() or
|
||||
@@ -117,4 +117,4 @@ private module PackageArchiveMimeTypeConfig implements DataFlow::StateConfigSig
|
||||
}
|
||||
|
||||
private module PackageArchiveMimeTypeFlow =
|
||||
TaintTracking::MakeWithState<PackageArchiveMimeTypeConfig>;
|
||||
TaintTracking::GlobalWithState<PackageArchiveMimeTypeConfig>;
|
||||
|
||||
@@ -37,4 +37,4 @@ private module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
|
||||
* Taint-tracking flow for unsafe user input
|
||||
* that is used to create Android fragments dynamically.
|
||||
*/
|
||||
module FragmentInjectionTaintFlow = TaintTracking::Make<FragmentInjectionTaintConfig>;
|
||||
module FragmentInjectionTaintFlow = TaintTracking::Global<FragmentInjectionTaintConfig>;
|
||||
|
||||
@@ -53,4 +53,4 @@ private module IntentUriPermissionManipulationConfig implements DataFlow::Config
|
||||
* Taint tracking flow for user-provided Intents being returned to third party apps.
|
||||
*/
|
||||
module IntentUriPermissionManipulationFlow =
|
||||
TaintTracking::Make<IntentUriPermissionManipulationConfig>;
|
||||
TaintTracking::Global<IntentUriPermissionManipulationConfig>;
|
||||
|
||||
@@ -38,4 +38,4 @@ private module LogInjectionConfig implements DataFlow::ConfigSig {
|
||||
/**
|
||||
* Taint-tracking flow for tracking untrusted user input used in log entries.
|
||||
*/
|
||||
module LogInjectionFlow = TaintTracking::Make<LogInjectionConfig>;
|
||||
module LogInjectionFlow = TaintTracking::Global<LogInjectionConfig>;
|
||||
|
||||
@@ -53,4 +53,4 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof RequestForgerySanitizer }
|
||||
}
|
||||
|
||||
module RequestForgeryFlow = TaintTracking::Make<RequestForgeryConfig>;
|
||||
module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>;
|
||||
|
||||
@@ -42,4 +42,4 @@ private module RsaWithoutOaepConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
/** Flow for finding RSA ciphers initialized without using OAEP padding. */
|
||||
module RsaWithoutOaepFlow = DataFlow::Make<RsaWithoutOaepConfig>;
|
||||
module RsaWithoutOaepFlow = DataFlow::Global<RsaWithoutOaepConfig>;
|
||||
|
||||
@@ -65,4 +65,4 @@ private module SensitiveLoggerConfig implements DataFlow::ConfigSig {
|
||||
predicate isBarrierIn(Node node) { isSource(node) }
|
||||
}
|
||||
|
||||
module SensitiveLoggerFlow = TaintTracking::Make<SensitiveLoggerConfig>;
|
||||
module SensitiveLoggerFlow = TaintTracking::Global<SensitiveLoggerConfig>;
|
||||
|
||||
@@ -41,4 +41,4 @@ private module UnsafeContentResolutionConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
/** Taint-tracking flow to find paths from remote sources to content URI resolutions. */
|
||||
module UnsafeContentResolutionFlow = TaintTracking::Make<UnsafeContentResolutionConfig>;
|
||||
module UnsafeContentResolutionFlow = TaintTracking::Global<UnsafeContentResolutionConfig>;
|
||||
|
||||
@@ -43,7 +43,7 @@ private class DefaultXssSink extends XssSink {
|
||||
or
|
||||
exists(MethodAccess ma |
|
||||
ma.getMethod() instanceof WritingMethod and
|
||||
XssVulnerableWriterSourceToWritingMethodFlow::hasFlowToExpr(ma.getQualifier()) and
|
||||
XssVulnerableWriterSourceToWritingMethodFlow::flowToExpr(ma.getQualifier()) and
|
||||
this.asExpr() = ma.getArgument(_)
|
||||
)
|
||||
}
|
||||
@@ -71,7 +71,7 @@ private module XssVulnerableWriterSourceToWritingMethodFlowConfig implements Dat
|
||||
}
|
||||
|
||||
private module XssVulnerableWriterSourceToWritingMethodFlow =
|
||||
TaintTracking::Make<XssVulnerableWriterSourceToWritingMethodFlowConfig>;
|
||||
TaintTracking::Global<XssVulnerableWriterSourceToWritingMethodFlowConfig>;
|
||||
|
||||
/** A method that can be used to output data to an output stream or writer. */
|
||||
private class WritingMethod extends Method {
|
||||
|
||||
@@ -42,4 +42,4 @@ module XxeLocalConfig implements DataFlow::ConfigSig {
|
||||
/**
|
||||
* Detect taint flow of unvalidated local user input that is used in XML external entity expansion.
|
||||
*/
|
||||
module XxeLocalFlow = TaintTracking::Make<XxeLocalConfig>;
|
||||
module XxeLocalFlow = TaintTracking::Global<XxeLocalConfig>;
|
||||
|
||||
@@ -42,4 +42,4 @@ module XxeConfig implements DataFlow::ConfigSig {
|
||||
/**
|
||||
* Detect taint flow of unvalidated remote user input that is used in XML external entity expansion.
|
||||
*/
|
||||
module XxeFlow = TaintTracking::Make<XxeConfig>;
|
||||
module XxeFlow = TaintTracking::Global<XxeConfig>;
|
||||
|
||||
@@ -81,4 +81,4 @@ private module PolynomialRedosConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module PolynomialRedosFlow = TaintTracking::Make<PolynomialRedosConfig>;
|
||||
module PolynomialRedosFlow = TaintTracking::Global<PolynomialRedosConfig>;
|
||||
|
||||
@@ -41,7 +41,7 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module TaintedPath = TaintTracking::Make<TaintedPathConfig>;
|
||||
module TaintedPath = TaintTracking::Global<TaintedPathConfig>;
|
||||
|
||||
import TaintedPath::PathGraph
|
||||
|
||||
@@ -53,13 +53,13 @@ import TaintedPath::PathGraph
|
||||
* continue to report there; otherwise we report directly at `sink`.
|
||||
*/
|
||||
DataFlow::Node getReportingNode(DataFlow::Node sink) {
|
||||
TaintedPath::hasFlowTo(sink) and
|
||||
TaintedPath::flowTo(sink) and
|
||||
if exists(PathCreation pc | pc.getAnInput() = sink.asExpr())
|
||||
then result.asExpr() = any(PathCreation pc | pc.getAnInput() = sink.asExpr())
|
||||
else result = sink
|
||||
}
|
||||
|
||||
from TaintedPath::PathNode source, TaintedPath::PathNode sink
|
||||
where TaintedPath::hasFlowPath(source, sink)
|
||||
where TaintedPath::flowPath(source, sink)
|
||||
select getReportingNode(sink.getNode()), source, sink, "This path depends on a $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -41,7 +41,7 @@ module TaintedPathLocalConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module TaintedPathLocalFlow = TaintTracking::Make<TaintedPathLocalConfig>;
|
||||
module TaintedPathLocalFlow = TaintTracking::Global<TaintedPathLocalConfig>;
|
||||
|
||||
import TaintedPathLocalFlow::PathGraph
|
||||
|
||||
@@ -53,13 +53,13 @@ import TaintedPathLocalFlow::PathGraph
|
||||
* continue to report there; otherwise we report directly at `sink`.
|
||||
*/
|
||||
DataFlow::Node getReportingNode(DataFlow::Node sink) {
|
||||
TaintedPathLocalFlow::hasFlowTo(sink) and
|
||||
TaintedPathLocalFlow::flowTo(sink) and
|
||||
if exists(PathCreation pc | pc.getAnInput() = sink.asExpr())
|
||||
then result.asExpr() = any(PathCreation pc | pc.getAnInput() = sink.asExpr())
|
||||
else result = sink
|
||||
}
|
||||
|
||||
from TaintedPathLocalFlow::PathNode source, TaintedPathLocalFlow::PathNode sink
|
||||
where TaintedPathLocalFlow::hasFlowPath(source, sink)
|
||||
where TaintedPathLocalFlow::flowPath(source, sink)
|
||||
select getReportingNode(sink.getNode()), source, sink, "This path depends on a $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -44,7 +44,7 @@ module ZipSlipConfig implements DataFlow::ConfigSig {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof PathInjectionSanitizer }
|
||||
}
|
||||
|
||||
module ZipSlipFlow = TaintTracking::Make<ZipSlipConfig>;
|
||||
module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;
|
||||
|
||||
import ZipSlipFlow::PathGraph
|
||||
|
||||
@@ -56,7 +56,7 @@ private class FileCreationSink extends DataFlow::Node {
|
||||
}
|
||||
|
||||
from ZipSlipFlow::PathNode source, ZipSlipFlow::PathNode sink
|
||||
where ZipSlipFlow::hasFlowPath(source, sink)
|
||||
where ZipSlipFlow::flowPath(source, sink)
|
||||
select source.getNode(), source, sink,
|
||||
"Unsanitized archive entry, which may contain '..', is used in a $@.", sink.getNode(),
|
||||
"file system operation"
|
||||
|
||||
@@ -32,7 +32,7 @@ module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
module LocalUserInputToArgumentToExecFlow =
|
||||
TaintTracking::Make<LocalUserInputToArgumentToExecFlowConfig>;
|
||||
TaintTracking::Global<LocalUserInputToArgumentToExecFlowConfig>;
|
||||
|
||||
import LocalUserInputToArgumentToExecFlow::PathGraph
|
||||
|
||||
@@ -40,7 +40,7 @@ from
|
||||
LocalUserInputToArgumentToExecFlow::PathNode source,
|
||||
LocalUserInputToArgumentToExecFlow::PathNode sink, ArgumentToExec execArg
|
||||
where
|
||||
LocalUserInputToArgumentToExecFlow::hasFlowPath(source, sink) and
|
||||
LocalUserInputToArgumentToExecFlow::flowPath(source, sink) and
|
||||
sink.getNode().asExpr() = execArg
|
||||
select execArg, source, sink, "This command line depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -29,11 +29,11 @@ module XssConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module XssFlow = TaintTracking::Make<XssConfig>;
|
||||
module XssFlow = TaintTracking::Global<XssConfig>;
|
||||
|
||||
import XssFlow::PathGraph
|
||||
|
||||
from XssFlow::PathNode source, XssFlow::PathNode sink
|
||||
where XssFlow::hasFlowPath(source, sink)
|
||||
where XssFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to a $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -21,11 +21,11 @@ module XssLocalConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
|
||||
}
|
||||
|
||||
module XssLocalFlow = TaintTracking::Make<XssLocalConfig>;
|
||||
module XssLocalFlow = TaintTracking::Global<XssLocalConfig>;
|
||||
|
||||
import XssLocalFlow::PathGraph
|
||||
|
||||
from XssLocalFlow::PathNode source, XssLocalFlow::PathNode sink
|
||||
where XssLocalFlow::hasFlowPath(source, sink)
|
||||
where XssLocalFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -36,7 +36,7 @@ module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig
|
||||
}
|
||||
|
||||
module UncontrolledStringBuilderSourceFlow =
|
||||
TaintTracking::Make<UncontrolledStringBuilderSourceFlowConfig>;
|
||||
TaintTracking::Global<UncontrolledStringBuilderSourceFlowConfig>;
|
||||
|
||||
from QueryInjectionSink query, Expr uncontrolled
|
||||
where
|
||||
@@ -45,7 +45,7 @@ where
|
||||
or
|
||||
exists(StringBuilderVar sbv |
|
||||
uncontrolledStringBuilderQuery(sbv, uncontrolled) and
|
||||
UncontrolledStringBuilderSourceFlow::hasFlow(DataFlow::exprNode(sbv.getToStringCall()), query)
|
||||
UncontrolledStringBuilderSourceFlow::flow(DataFlow::exprNode(sbv.getToStringCall()), query)
|
||||
)
|
||||
) and
|
||||
not queryTaintedBy(query, _, _)
|
||||
|
||||
@@ -31,13 +31,13 @@ module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
module LocalUserInputToQueryInjectionFlow =
|
||||
TaintTracking::Make<LocalUserInputToQueryInjectionFlowConfig>;
|
||||
TaintTracking::Global<LocalUserInputToQueryInjectionFlowConfig>;
|
||||
|
||||
import LocalUserInputToQueryInjectionFlow::PathGraph
|
||||
|
||||
from
|
||||
LocalUserInputToQueryInjectionFlow::PathNode source,
|
||||
LocalUserInputToQueryInjectionFlow::PathNode sink
|
||||
where LocalUserInputToQueryInjectionFlow::hasFlowPath(source, sink)
|
||||
where LocalUserInputToQueryInjectionFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -17,6 +17,6 @@ import LdapInjectionLib
|
||||
import LdapInjectionFlow::PathGraph
|
||||
|
||||
from LdapInjectionFlow::PathNode source, LdapInjectionFlow::PathNode sink
|
||||
where LdapInjectionFlow::hasFlowPath(source, sink)
|
||||
where LdapInjectionFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This LDAP query depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -17,4 +17,4 @@ module LdapInjectionFlowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module LdapInjectionFlow = TaintTracking::Make<LdapInjectionFlowConfig>;
|
||||
module LdapInjectionFlow = TaintTracking::Global<LdapInjectionFlowConfig>;
|
||||
|
||||
@@ -15,5 +15,5 @@ import semmle.code.java.security.ArbitraryApkInstallationQuery
|
||||
import ApkInstallationFlow::PathGraph
|
||||
|
||||
from ApkInstallationFlow::PathNode source, ApkInstallationFlow::PathNode sink
|
||||
where ApkInstallationFlow::hasFlowPath(source, sink)
|
||||
where ApkInstallationFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Arbitrary Android APK installation."
|
||||
|
||||
@@ -61,7 +61,7 @@ module BeanValidationConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
|
||||
}
|
||||
|
||||
module BeanValidationFlow = TaintTracking::Make<BeanValidationConfig>;
|
||||
module BeanValidationFlow = TaintTracking::Global<BeanValidationConfig>;
|
||||
|
||||
import BeanValidationFlow::PathGraph
|
||||
|
||||
@@ -80,6 +80,6 @@ where
|
||||
or
|
||||
exists(SetMessageInterpolatorCall c | not c.isSafe())
|
||||
) and
|
||||
BeanValidationFlow::hasFlowPath(source, sink)
|
||||
BeanValidationFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Custom constraint error message contains an unsanitized $@.",
|
||||
source, "user-provided value"
|
||||
|
||||
@@ -42,12 +42,12 @@ module ResponseSplittingConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module ResponseSplitting = TaintTracking::Make<ResponseSplittingConfig>;
|
||||
module ResponseSplitting = TaintTracking::Global<ResponseSplittingConfig>;
|
||||
|
||||
import ResponseSplitting::PathGraph
|
||||
|
||||
from ResponseSplitting::PathNode source, ResponseSplitting::PathNode sink
|
||||
where ResponseSplitting::hasFlowPath(source, sink)
|
||||
where ResponseSplitting::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"This header depends on a $@, which may cause a response-splitting vulnerability.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -26,12 +26,12 @@ module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module ResponseSplitting = TaintTracking::Make<ResponseSplittingLocalConfig>;
|
||||
module ResponseSplitting = TaintTracking::Global<ResponseSplittingLocalConfig>;
|
||||
|
||||
import ResponseSplitting::PathGraph
|
||||
|
||||
from ResponseSplitting::PathNode source, ResponseSplitting::PathNode sink
|
||||
where ResponseSplitting::hasFlowPath(source, sink)
|
||||
where ResponseSplitting::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"This header depends on a $@, which may cause a response-splitting vulnerability.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -16,6 +16,6 @@ import semmle.code.java.security.LogInjectionQuery
|
||||
import LogInjectionFlow::PathGraph
|
||||
|
||||
from LogInjectionFlow::PathNode source, LogInjectionFlow::PathNode sink
|
||||
where LogInjectionFlow::hasFlowPath(source, sink)
|
||||
where LogInjectionFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This log entry depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -23,7 +23,7 @@ private module ImproperValidationOfArrayConstructionConfig implements DataFlow::
|
||||
}
|
||||
|
||||
module ImproperValidationOfArrayConstructionFlow =
|
||||
TaintTracking::Make<ImproperValidationOfArrayConstructionConfig>;
|
||||
TaintTracking::Global<ImproperValidationOfArrayConstructionConfig>;
|
||||
|
||||
import ImproperValidationOfArrayConstructionFlow::PathGraph
|
||||
|
||||
@@ -34,7 +34,7 @@ from
|
||||
where
|
||||
arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sizeExpr, arrayCreation) and
|
||||
sizeExpr = sink.getNode().asExpr() and
|
||||
ImproperValidationOfArrayConstructionFlow::hasFlowPath(source, sink)
|
||||
ImproperValidationOfArrayConstructionFlow::flowPath(source, sink)
|
||||
select arrayAccess.getIndexExpr(), source, sink,
|
||||
"This accesses the $@, but the array is initialized using a $@ which may be zero.", arrayCreation,
|
||||
"array", source.getNode(), "user-provided value"
|
||||
|
||||
@@ -27,7 +27,7 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module BoundedFlowSourceFlow = DataFlow::Make<BoundedFlowSourceConfig>;
|
||||
module BoundedFlowSourceFlow = DataFlow::Global<BoundedFlowSourceConfig>;
|
||||
|
||||
import BoundedFlowSourceFlow::PathGraph
|
||||
|
||||
@@ -39,7 +39,7 @@ where
|
||||
arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sizeExpr, arrayCreation) and
|
||||
sizeExpr = sink.getNode().asExpr() and
|
||||
boundedsource = source.getNode() and
|
||||
BoundedFlowSourceFlow::hasFlowPath(source, sink)
|
||||
BoundedFlowSourceFlow::flowPath(source, sink)
|
||||
select arrayAccess.getIndexExpr(), source, sink,
|
||||
"This accesses the $@, but the array is initialized using $@ which may be zero.", arrayCreation,
|
||||
"array", boundedsource, boundedsource.getDescription().toLowerCase()
|
||||
|
||||
@@ -24,7 +24,7 @@ module ImproperValidationOfArrayConstructionLocalConfig implements DataFlow::Con
|
||||
}
|
||||
|
||||
module ImproperValidationOfArrayConstructionLocalFlow =
|
||||
TaintTracking::Make<ImproperValidationOfArrayConstructionLocalConfig>;
|
||||
TaintTracking::Global<ImproperValidationOfArrayConstructionLocalConfig>;
|
||||
|
||||
import ImproperValidationOfArrayConstructionLocalFlow::PathGraph
|
||||
|
||||
@@ -35,7 +35,7 @@ from
|
||||
where
|
||||
arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sizeExpr, arrayCreation) and
|
||||
sizeExpr = sink.getNode().asExpr() and
|
||||
ImproperValidationOfArrayConstructionLocalFlow::hasFlowPath(source, sink)
|
||||
ImproperValidationOfArrayConstructionLocalFlow::flowPath(source, sink)
|
||||
select arrayAccess.getIndexExpr(), source, sink,
|
||||
"This accesses the $@, but the array is initialized using a $@ which may be zero.", arrayCreation,
|
||||
"array", source.getNode(), "user-provided value"
|
||||
|
||||
@@ -25,7 +25,7 @@ module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
module ImproperValidationOfArrayIndexFlow =
|
||||
TaintTracking::Make<ImproperValidationOfArrayIndexConfig>;
|
||||
TaintTracking::Global<ImproperValidationOfArrayIndexConfig>;
|
||||
|
||||
import ImproperValidationOfArrayIndexFlow::PathGraph
|
||||
|
||||
@@ -34,7 +34,7 @@ from
|
||||
ImproperValidationOfArrayIndexFlow::PathNode sink, CheckableArrayAccess arrayAccess
|
||||
where
|
||||
arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and
|
||||
ImproperValidationOfArrayIndexFlow::hasFlowPath(source, sink)
|
||||
ImproperValidationOfArrayIndexFlow::flowPath(source, sink)
|
||||
select arrayAccess.getIndexExpr(), source, sink,
|
||||
"This index depends on a $@ which can cause an ArrayIndexOutOfBoundsException.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -24,7 +24,7 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module BoundedFlowSourceFlow = DataFlow::Make<BoundedFlowSourceConfig>;
|
||||
module BoundedFlowSourceFlow = DataFlow::Global<BoundedFlowSourceConfig>;
|
||||
|
||||
import BoundedFlowSourceFlow::PathGraph
|
||||
|
||||
@@ -34,7 +34,7 @@ from
|
||||
where
|
||||
arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and
|
||||
boundedsource = source.getNode() and
|
||||
BoundedFlowSourceFlow::hasFlowPath(source, sink) and
|
||||
BoundedFlowSourceFlow::flowPath(source, sink) and
|
||||
boundedsource != sink.getNode() and
|
||||
not (
|
||||
(
|
||||
|
||||
@@ -24,7 +24,7 @@ module ImproperValidationOfArrayIndexLocalConfig implements DataFlow::ConfigSig
|
||||
}
|
||||
|
||||
module ImproperValidationOfArrayIndexLocalFlow =
|
||||
TaintTracking::Make<ImproperValidationOfArrayIndexLocalConfig>;
|
||||
TaintTracking::Global<ImproperValidationOfArrayIndexLocalConfig>;
|
||||
|
||||
import ImproperValidationOfArrayIndexLocalFlow::PathGraph
|
||||
|
||||
@@ -33,7 +33,7 @@ from
|
||||
ImproperValidationOfArrayIndexLocalFlow::PathNode sink, CheckableArrayAccess arrayAccess
|
||||
where
|
||||
arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and
|
||||
ImproperValidationOfArrayIndexLocalFlow::hasFlowPath(source, sink)
|
||||
ImproperValidationOfArrayIndexLocalFlow::flowPath(source, sink)
|
||||
select arrayAccess.getIndexExpr(), source, sink,
|
||||
"This index depends on a $@ which can cause an ArrayIndexOutOfBoundsException.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -27,7 +27,7 @@ module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
module ExternallyControlledFormatStringFlow =
|
||||
TaintTracking::Make<ExternallyControlledFormatStringConfig>;
|
||||
TaintTracking::Global<ExternallyControlledFormatStringConfig>;
|
||||
|
||||
import ExternallyControlledFormatStringFlow::PathGraph
|
||||
|
||||
@@ -35,7 +35,7 @@ from
|
||||
ExternallyControlledFormatStringFlow::PathNode source,
|
||||
ExternallyControlledFormatStringFlow::PathNode sink, StringFormat formatCall
|
||||
where
|
||||
ExternallyControlledFormatStringFlow::hasFlowPath(source, sink) and
|
||||
ExternallyControlledFormatStringFlow::flowPath(source, sink) and
|
||||
sink.getNode().asExpr() = formatCall.getFormatArgument()
|
||||
select formatCall.getFormatArgument(), source, sink, "Format string depends on a $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -23,7 +23,7 @@ module ExternallyControlledFormatStringLocalConfig implements DataFlow::ConfigSi
|
||||
}
|
||||
|
||||
module ExternallyControlledFormatStringLocalFlow =
|
||||
TaintTracking::Make<ExternallyControlledFormatStringLocalConfig>;
|
||||
TaintTracking::Global<ExternallyControlledFormatStringLocalConfig>;
|
||||
|
||||
import ExternallyControlledFormatStringLocalFlow::PathGraph
|
||||
|
||||
@@ -31,7 +31,7 @@ from
|
||||
ExternallyControlledFormatStringLocalFlow::PathNode source,
|
||||
ExternallyControlledFormatStringLocalFlow::PathNode sink, StringFormat formatCall
|
||||
where
|
||||
ExternallyControlledFormatStringLocalFlow::hasFlowPath(source, sink) and
|
||||
ExternallyControlledFormatStringLocalFlow::flowPath(source, sink) and
|
||||
sink.getNode().asExpr() = formatCall.getFormatArgument()
|
||||
select formatCall.getFormatArgument(), source, sink, "Format string depends on a $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -32,9 +32,9 @@ module RemoteUserInputUnderflowConfig implements DataFlow::ConfigSig {
|
||||
predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }
|
||||
}
|
||||
|
||||
module RemoteUserInputOverflow = TaintTracking::Make<RemoteUserInputOverflowConfig>;
|
||||
module RemoteUserInputOverflow = TaintTracking::Global<RemoteUserInputOverflowConfig>;
|
||||
|
||||
module RemoteUserInputUnderflow = TaintTracking::Make<RemoteUserInputUnderflowConfig>;
|
||||
module RemoteUserInputUnderflow = TaintTracking::Global<RemoteUserInputUnderflowConfig>;
|
||||
|
||||
module Flow =
|
||||
DataFlow::MergePathGraph<RemoteUserInputOverflow::PathNode, RemoteUserInputUnderflow::PathNode,
|
||||
@@ -44,11 +44,11 @@ import Flow::PathGraph
|
||||
|
||||
from Flow::PathNode source, Flow::PathNode sink, ArithExpr exp, string effect
|
||||
where
|
||||
RemoteUserInputOverflow::hasFlowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
RemoteUserInputOverflow::flowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
overflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "overflow"
|
||||
or
|
||||
RemoteUserInputUnderflow::hasFlowPath(source.asPathNode2(), sink.asPathNode2()) and
|
||||
RemoteUserInputUnderflow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
|
||||
underflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "underflow"
|
||||
select exp, source, sink,
|
||||
|
||||
@@ -25,7 +25,7 @@ module ArithmeticTaintedLocalOverflowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
module ArithmeticTaintedLocalOverflowFlow =
|
||||
TaintTracking::Make<ArithmeticTaintedLocalOverflowConfig>;
|
||||
TaintTracking::Global<ArithmeticTaintedLocalOverflowConfig>;
|
||||
|
||||
module ArithmeticTaintedLocalUnderflowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
|
||||
@@ -36,7 +36,7 @@ module ArithmeticTaintedLocalUnderflowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
module ArithmeticTaintedLocalUnderflowFlow =
|
||||
TaintTracking::Make<ArithmeticTaintedLocalUnderflowConfig>;
|
||||
TaintTracking::Global<ArithmeticTaintedLocalUnderflowConfig>;
|
||||
|
||||
module Flow =
|
||||
DataFlow::MergePathGraph<ArithmeticTaintedLocalOverflowFlow::PathNode,
|
||||
@@ -47,11 +47,11 @@ import Flow::PathGraph
|
||||
|
||||
from Flow::PathNode source, Flow::PathNode sink, ArithExpr exp, string effect
|
||||
where
|
||||
ArithmeticTaintedLocalOverflowFlow::hasFlowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
ArithmeticTaintedLocalOverflowFlow::flowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
overflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "overflow"
|
||||
or
|
||||
ArithmeticTaintedLocalUnderflowFlow::hasFlowPath(source.asPathNode2(), sink.asPathNode2()) and
|
||||
ArithmeticTaintedLocalUnderflowFlow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
|
||||
underflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "underflow"
|
||||
select exp, source, sink,
|
||||
|
||||
@@ -33,7 +33,7 @@ module ArithmeticUncontrolledOverflowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
module ArithmeticUncontrolledOverflowFlow =
|
||||
TaintTracking::Make<ArithmeticUncontrolledOverflowConfig>;
|
||||
TaintTracking::Global<ArithmeticUncontrolledOverflowConfig>;
|
||||
|
||||
module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof TaintSource }
|
||||
@@ -44,7 +44,7 @@ module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
module ArithmeticUncontrolledUnderflowFlow =
|
||||
TaintTracking::Make<ArithmeticUncontrolledUnderflowConfig>;
|
||||
TaintTracking::Global<ArithmeticUncontrolledUnderflowConfig>;
|
||||
|
||||
module Flow =
|
||||
DataFlow::MergePathGraph<ArithmeticUncontrolledOverflowFlow::PathNode,
|
||||
@@ -55,11 +55,11 @@ import Flow::PathGraph
|
||||
|
||||
from Flow::PathNode source, Flow::PathNode sink, ArithExpr exp, string effect
|
||||
where
|
||||
ArithmeticUncontrolledOverflowFlow::hasFlowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
ArithmeticUncontrolledOverflowFlow::flowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
overflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "overflow"
|
||||
or
|
||||
ArithmeticUncontrolledUnderflowFlow::hasFlowPath(source.asPathNode2(), sink.asPathNode2()) and
|
||||
ArithmeticUncontrolledUnderflowFlow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
|
||||
underflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "underflow"
|
||||
select exp, source, sink,
|
||||
|
||||
@@ -45,7 +45,7 @@ module MaxValueFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) }
|
||||
}
|
||||
|
||||
module MaxValueFlow = DataFlow::Make<MaxValueFlowConfig>;
|
||||
module MaxValueFlow = DataFlow::Global<MaxValueFlowConfig>;
|
||||
|
||||
module MinValueFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
@@ -59,7 +59,7 @@ module MinValueFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }
|
||||
}
|
||||
|
||||
module MinValueFlow = DataFlow::Make<MinValueFlowConfig>;
|
||||
module MinValueFlow = DataFlow::Global<MinValueFlowConfig>;
|
||||
|
||||
module Flow =
|
||||
DataFlow::MergePathGraph<MaxValueFlow::PathNode, MinValueFlow::PathNode, MaxValueFlow::PathGraph,
|
||||
@@ -71,11 +71,11 @@ predicate query(
|
||||
Flow::PathNode source, Flow::PathNode sink, ArithExpr exp, string effect, Type srctyp
|
||||
) {
|
||||
(
|
||||
MaxValueFlow::hasFlowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
MaxValueFlow::flowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
overflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "overflow"
|
||||
or
|
||||
MinValueFlow::hasFlowPath(source.asPathNode2(), sink.asPathNode2()) and
|
||||
MinValueFlow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
|
||||
underflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "underflow"
|
||||
) and
|
||||
|
||||
@@ -102,7 +102,7 @@ module WebViewDisallowContentAccessConfig implements DataFlow::StateConfigSig {
|
||||
}
|
||||
|
||||
module WebViewDisallowContentAccessFlow =
|
||||
TaintTracking::MakeWithState<WebViewDisallowContentAccessConfig>;
|
||||
TaintTracking::GlobalWithState<WebViewDisallowContentAccessConfig>;
|
||||
|
||||
from Expr e
|
||||
where
|
||||
@@ -116,7 +116,7 @@ where
|
||||
// implicit: no setAllowContentAccess(false)
|
||||
exists(WebViewSource source |
|
||||
source.asExpr() = e and
|
||||
not WebViewDisallowContentAccessFlow::hasFlow(source, _)
|
||||
not WebViewDisallowContentAccessFlow::flow(source, _)
|
||||
)
|
||||
select e,
|
||||
"Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView."
|
||||
|
||||
@@ -133,7 +133,7 @@ module TempDirSystemGetPropertyToCreateConfig implements DataFlow::ConfigSig {
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
sink instanceof FileCreationSink and
|
||||
not TempDirSystemGetPropertyDirectlyToMkdir::hasFlowTo(sink)
|
||||
not TempDirSystemGetPropertyDirectlyToMkdir::flowTo(sink)
|
||||
}
|
||||
|
||||
predicate isBarrier(DataFlow::Node sanitizer) {
|
||||
@@ -146,7 +146,7 @@ module TempDirSystemGetPropertyToCreateConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
module TempDirSystemGetPropertyToCreate =
|
||||
TaintTracking::Make<TempDirSystemGetPropertyToCreateConfig>;
|
||||
TaintTracking::Global<TempDirSystemGetPropertyToCreateConfig>;
|
||||
|
||||
/**
|
||||
* Configuration that tracks calls to to `mkdir` or `mkdirs` that are are directly on the temp directory system property.
|
||||
@@ -179,7 +179,7 @@ module TempDirSystemGetPropertyDirectlyToMkdirConfig implements DataFlow::Config
|
||||
}
|
||||
|
||||
module TempDirSystemGetPropertyDirectlyToMkdir =
|
||||
TaintTracking::Make<TempDirSystemGetPropertyDirectlyToMkdirConfig>;
|
||||
TaintTracking::Global<TempDirSystemGetPropertyDirectlyToMkdirConfig>;
|
||||
|
||||
//
|
||||
// Begin configuration for tracking single-method calls that are vulnerable.
|
||||
@@ -270,7 +270,7 @@ import Flow::PathGraph
|
||||
from Flow::PathNode source, Flow::PathNode sink, string message
|
||||
where
|
||||
(
|
||||
TempDirSystemGetPropertyToCreate::hasFlowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
TempDirSystemGetPropertyToCreate::flowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
message =
|
||||
"Local information disclosure vulnerability from $@ due to use of file or directory readable by other local users."
|
||||
or
|
||||
|
||||
@@ -42,7 +42,7 @@ module ServletWriterSourceToPrintStackTraceMethodFlowConfig implements DataFlow:
|
||||
}
|
||||
|
||||
module ServletWriterSourceToPrintStackTraceMethodFlow =
|
||||
TaintTracking::Make<ServletWriterSourceToPrintStackTraceMethodFlowConfig>;
|
||||
TaintTracking::Global<ServletWriterSourceToPrintStackTraceMethodFlowConfig>;
|
||||
|
||||
/**
|
||||
* A call that uses `Throwable.printStackTrace()` on a stream that is connected
|
||||
@@ -51,7 +51,7 @@ module ServletWriterSourceToPrintStackTraceMethodFlow =
|
||||
predicate printsStackToWriter(MethodAccess call) {
|
||||
exists(PrintStackTraceMethod printStackTrace |
|
||||
call.getMethod() = printStackTrace and
|
||||
ServletWriterSourceToPrintStackTraceMethodFlow::hasFlowToExpr(call.getAnArgument())
|
||||
ServletWriterSourceToPrintStackTraceMethodFlow::flowToExpr(call.getAnArgument())
|
||||
)
|
||||
}
|
||||
|
||||
@@ -87,7 +87,7 @@ module StackTraceStringToHttpResponseSinkFlowConfig implements DataFlow::ConfigS
|
||||
}
|
||||
|
||||
module StackTraceStringToHttpResponseSinkFlow =
|
||||
TaintTracking::Make<StackTraceStringToHttpResponseSinkFlowConfig>;
|
||||
TaintTracking::Global<StackTraceStringToHttpResponseSinkFlowConfig>;
|
||||
|
||||
/**
|
||||
* A write of stack trace data to an external stream.
|
||||
@@ -104,7 +104,7 @@ predicate printsStackExternally(MethodAccess call, Expr stackTrace) {
|
||||
predicate stringifiedStackFlowsExternally(DataFlow::Node externalExpr, Expr stackTrace) {
|
||||
exists(MethodAccess stackTraceString |
|
||||
stackTraceExpr(stackTrace, stackTraceString) and
|
||||
StackTraceStringToHttpResponseSinkFlow::hasFlow(DataFlow::exprNode(stackTraceString),
|
||||
StackTraceStringToHttpResponseSinkFlow::flow(DataFlow::exprNode(stackTraceString),
|
||||
externalExpr)
|
||||
)
|
||||
}
|
||||
@@ -127,13 +127,13 @@ module GetMessageFlowSourceToHttpResponseSinkFlowConfig implements DataFlow::Con
|
||||
}
|
||||
|
||||
module GetMessageFlowSourceToHttpResponseSinkFlow =
|
||||
TaintTracking::Make<GetMessageFlowSourceToHttpResponseSinkFlowConfig>;
|
||||
TaintTracking::Global<GetMessageFlowSourceToHttpResponseSinkFlowConfig>;
|
||||
|
||||
/**
|
||||
* A call to `getMessage()` that then flows to a servlet response.
|
||||
*/
|
||||
predicate getMessageFlowsExternally(DataFlow::Node externalExpr, GetMessageFlowSource getMessage) {
|
||||
GetMessageFlowSourceToHttpResponseSinkFlow::hasFlow(DataFlow::exprNode(getMessage), externalExpr)
|
||||
GetMessageFlowSourceToHttpResponseSinkFlow::flow(DataFlow::exprNode(getMessage), externalExpr)
|
||||
}
|
||||
|
||||
from Expr externalExpr, Expr errorInformation
|
||||
|
||||
@@ -20,7 +20,7 @@ import IntentUriPermissionManipulationFlow::PathGraph
|
||||
from
|
||||
IntentUriPermissionManipulationFlow::PathNode source,
|
||||
IntentUriPermissionManipulationFlow::PathNode sink
|
||||
where IntentUriPermissionManipulationFlow::hasFlowPath(source, sink)
|
||||
where IntentUriPermissionManipulationFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"This Intent can be set with arbitrary flags from a $@, " +
|
||||
"and used to give access to internal content providers.", source.getNode(),
|
||||
|
||||
@@ -77,7 +77,7 @@ module TrustAllHostnameVerifierConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module TrustAllHostnameVerifierFlow = DataFlow::Make<TrustAllHostnameVerifierConfig>;
|
||||
module TrustAllHostnameVerifierFlow = DataFlow::Global<TrustAllHostnameVerifierConfig>;
|
||||
|
||||
import TrustAllHostnameVerifierFlow::PathGraph
|
||||
|
||||
@@ -118,7 +118,7 @@ from
|
||||
TrustAllHostnameVerifierFlow::PathNode source, TrustAllHostnameVerifierFlow::PathNode sink,
|
||||
RefType verifier
|
||||
where
|
||||
TrustAllHostnameVerifierFlow::hasFlowPath(source, sink) and
|
||||
TrustAllHostnameVerifierFlow::flowPath(source, sink) and
|
||||
not isNodeGuardedByFlag(sink.getNode()) and
|
||||
verifier = source.getNode().asExpr().(ClassInstanceExpr).getConstructedType()
|
||||
select sink, source, sink,
|
||||
|
||||
@@ -38,7 +38,7 @@ module InsecureCryptoConfig implements ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module InsecureCryptoFlow = TaintTracking::Make<InsecureCryptoConfig>;
|
||||
module InsecureCryptoFlow = TaintTracking::Global<InsecureCryptoConfig>;
|
||||
|
||||
import InsecureCryptoFlow::PathGraph
|
||||
|
||||
@@ -48,6 +48,6 @@ from
|
||||
where
|
||||
sink.getNode().asExpr() = c.getAlgoSpec() and
|
||||
source.getNode().asExpr() = s and
|
||||
InsecureCryptoFlow::hasFlowPath(source, sink)
|
||||
InsecureCryptoFlow::flowPath(source, sink)
|
||||
select c, source, sink, "Cryptographic algorithm $@ is weak and should not be used.", s,
|
||||
s.getValue()
|
||||
|
||||
@@ -61,7 +61,7 @@ module InsecureCryptoConfig implements ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module InsecureCryptoFlow = TaintTracking::Make<InsecureCryptoConfig>;
|
||||
module InsecureCryptoFlow = TaintTracking::Global<InsecureCryptoConfig>;
|
||||
|
||||
import InsecureCryptoFlow::PathGraph
|
||||
|
||||
@@ -71,7 +71,7 @@ from
|
||||
where
|
||||
sink.getNode().asExpr() = c.getAlgoSpec() and
|
||||
source.getNode().asExpr() = s and
|
||||
InsecureCryptoFlow::hasFlowPath(source, sink)
|
||||
InsecureCryptoFlow::flowPath(source, sink)
|
||||
select c, source, sink,
|
||||
"Cryptographic algorithm $@ may not be secure, consider using a different algorithm.", s,
|
||||
s.getValue()
|
||||
|
||||
@@ -17,7 +17,7 @@ import semmle.code.java.security.UnsafeContentUriResolutionQuery
|
||||
import UnsafeContentResolutionFlow::PathGraph
|
||||
|
||||
from UnsafeContentResolutionFlow::PathNode src, UnsafeContentResolutionFlow::PathNode sink
|
||||
where UnsafeContentResolutionFlow::hasFlowPath(src, sink)
|
||||
where UnsafeContentResolutionFlow::flowPath(src, sink)
|
||||
select sink.getNode(), src, sink,
|
||||
"This ContentResolver method that resolves a URI depends on a $@.", src.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -16,7 +16,7 @@ import semmle.code.java.security.FragmentInjectionQuery
|
||||
import FragmentInjectionTaintFlow::PathGraph
|
||||
|
||||
from FragmentInjectionTaintFlow::PathNode source, FragmentInjectionTaintFlow::PathNode sink
|
||||
where FragmentInjectionTaintFlow::hasFlowPath(source, sink)
|
||||
where FragmentInjectionTaintFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"Fragment depends on a $@, which may allow a malicious application to bypass access controls.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -16,6 +16,6 @@ import semmle.code.java.security.SensitiveLoggingQuery
|
||||
import SensitiveLoggerFlow::PathGraph
|
||||
|
||||
from SensitiveLoggerFlow::PathNode source, SensitiveLoggerFlow::PathNode sink
|
||||
where SensitiveLoggerFlow::hasFlowPath(source, sink)
|
||||
where SensitiveLoggerFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This $@ is written to a log file.", source.getNode(),
|
||||
"potentially sensitive information"
|
||||
|
||||
@@ -21,11 +21,11 @@ module UrlRedirectConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink }
|
||||
}
|
||||
|
||||
module UrlRedirectFlow = TaintTracking::Make<UrlRedirectConfig>;
|
||||
module UrlRedirectFlow = TaintTracking::Global<UrlRedirectConfig>;
|
||||
|
||||
import UrlRedirectFlow::PathGraph
|
||||
|
||||
from UrlRedirectFlow::PathNode source, UrlRedirectFlow::PathNode sink
|
||||
where UrlRedirectFlow::hasFlowPath(source, sink)
|
||||
where UrlRedirectFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Untrusted URL redirection depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -21,11 +21,11 @@ module UrlRedirectLocalConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink }
|
||||
}
|
||||
|
||||
module UrlRedirectLocalFlow = TaintTracking::Make<UrlRedirectLocalConfig>;
|
||||
module UrlRedirectLocalFlow = TaintTracking::Global<UrlRedirectLocalConfig>;
|
||||
|
||||
import UrlRedirectLocalFlow::PathGraph
|
||||
|
||||
from UrlRedirectLocalFlow::PathNode source, UrlRedirectLocalFlow::PathNode sink
|
||||
where UrlRedirectLocalFlow::hasFlowPath(source, sink)
|
||||
where UrlRedirectLocalFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Untrusted URL redirection depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -19,7 +19,7 @@ import semmle.code.java.security.XxeRemoteQuery
|
||||
import XxeFlow::PathGraph
|
||||
|
||||
from XxeFlow::PathNode source, XxeFlow::PathNode sink
|
||||
where XxeFlow::hasFlowPath(source, sink)
|
||||
where XxeFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"XML parsing depends on a $@ without guarding against external entity expansion.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -19,7 +19,7 @@ import semmle.code.java.security.XxeLocalQuery
|
||||
import XxeLocalFlow::PathGraph
|
||||
|
||||
from XxeLocalFlow::PathNode source, XxeLocalFlow::PathNode sink
|
||||
where XxeLocalFlow::hasFlowPath(source, sink)
|
||||
where XxeLocalFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"XML parsing depends on a $@ without guarding against external entity expansion.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -47,10 +47,10 @@ module SecureCookieConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module SecureCookieFlow = DataFlow::Make<SecureCookieConfig>;
|
||||
module SecureCookieFlow = DataFlow::Global<SecureCookieConfig>;
|
||||
|
||||
from MethodAccess add
|
||||
where
|
||||
add.getMethod() instanceof ResponseAddCookieMethod and
|
||||
not SecureCookieFlow::hasFlowToExpr(add.getArgument(0))
|
||||
not SecureCookieFlow::flowToExpr(add.getArgument(0))
|
||||
select add, "Cookie is added to response without the 'secure' flag being set."
|
||||
|
||||
@@ -22,11 +22,11 @@ module XPathInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
|
||||
}
|
||||
|
||||
module XPathInjectionFlow = TaintTracking::Make<XPathInjectionConfig>;
|
||||
module XPathInjectionFlow = TaintTracking::Global<XPathInjectionConfig>;
|
||||
|
||||
import XPathInjectionFlow::PathGraph
|
||||
|
||||
from XPathInjectionFlow::PathNode source, XPathInjectionFlow::PathNode sink
|
||||
where XPathInjectionFlow::hasFlowPath(source, sink)
|
||||
where XPathInjectionFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "XPath expression depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -34,14 +34,14 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module NumericCastFlow = TaintTracking::Make<NumericCastFlowConfig>;
|
||||
module NumericCastFlow = TaintTracking::Global<NumericCastFlowConfig>;
|
||||
|
||||
import NumericCastFlow::PathGraph
|
||||
|
||||
from NumericCastFlow::PathNode source, NumericCastFlow::PathNode sink, NumericNarrowingCastExpr exp
|
||||
where
|
||||
sink.getNode().asExpr() = exp.getExpr() and
|
||||
NumericCastFlow::hasFlowPath(source, sink)
|
||||
NumericCastFlow::flowPath(source, sink)
|
||||
select exp, source, sink,
|
||||
"This cast to a narrower type depends on a $@, potentially causing truncation.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -32,7 +32,7 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module NumericCastFlow = TaintTracking::Make<NumericCastFlowConfig>;
|
||||
module NumericCastFlow = TaintTracking::Global<NumericCastFlowConfig>;
|
||||
|
||||
import NumericCastFlow::PathGraph
|
||||
|
||||
@@ -42,7 +42,7 @@ from
|
||||
where
|
||||
exp.getExpr() = tainted and
|
||||
sink.getNode().asExpr() = tainted and
|
||||
NumericCastFlow::hasFlowPath(source, sink) and
|
||||
NumericCastFlow::flowPath(source, sink) and
|
||||
not exists(RightShiftOp e | e.getShiftedVariable() = tainted.getVariable())
|
||||
select exp, source, sink,
|
||||
"This cast to a narrower type depends on a $@, potentially causing truncation.", source.getNode(),
|
||||
|
||||
@@ -21,7 +21,7 @@ from
|
||||
PolynomialRedosFlow::PathNode source, PolynomialRedosFlow::PathNode sink,
|
||||
SuperlinearBackTracking::PolynomialBackTrackingTerm regexp
|
||||
where
|
||||
PolynomialRedosFlow::hasFlowPath(source, sink) and
|
||||
PolynomialRedosFlow::flowPath(source, sink) and
|
||||
regexp.getRootTerm() = sink.getNode().(PolynomialRedosSink).getRegExp()
|
||||
select sink, source, sink,
|
||||
"This $@ that depends on a $@ may run slow on strings " + regexp.getPrefixMessage() +
|
||||
|
||||
@@ -15,6 +15,6 @@ import semmle.code.java.security.RsaWithoutOaepQuery
|
||||
import RsaWithoutOaepFlow::PathGraph
|
||||
|
||||
from RsaWithoutOaepFlow::PathNode source, RsaWithoutOaepFlow::PathNode sink
|
||||
where RsaWithoutOaepFlow::hasFlowPath(source, sink)
|
||||
where RsaWithoutOaepFlow::flowPath(source, sink)
|
||||
select source, source, sink, "This specification is used to $@ without OAEP padding.", sink,
|
||||
"initialize an RSA cipher"
|
||||
|
||||
@@ -60,7 +60,7 @@ module TaintedPermissionsCheckFlowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module TaintedPermissionsCheckFlow = TaintTracking::Make<TaintedPermissionsCheckFlowConfig>;
|
||||
module TaintedPermissionsCheckFlow = TaintTracking::Global<TaintedPermissionsCheckFlowConfig>;
|
||||
|
||||
import TaintedPermissionsCheckFlow::PathGraph
|
||||
|
||||
@@ -68,6 +68,6 @@ from
|
||||
TaintedPermissionsCheckFlow::PathNode source, TaintedPermissionsCheckFlow::PathNode sink,
|
||||
PermissionsConstruction p
|
||||
where
|
||||
sink.getNode().asExpr() = p.getInput() and TaintedPermissionsCheckFlow::hasFlowPath(source, sink)
|
||||
sink.getNode().asExpr() = p.getInput() and TaintedPermissionsCheckFlow::flowPath(source, sink)
|
||||
select p, source, sink, "Permissions check depends on a $@.", source.getNode(),
|
||||
"user-controlled value"
|
||||
|
||||
@@ -16,6 +16,6 @@ import semmle.code.java.security.RequestForgeryConfig
|
||||
import RequestForgeryFlow::PathGraph
|
||||
|
||||
from RequestForgeryFlow::PathNode source, RequestForgeryFlow::PathNode sink
|
||||
where RequestForgeryFlow::hasFlowPath(source, sink)
|
||||
where RequestForgeryFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Potential server-side request forgery due to a $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -16,6 +16,6 @@ import semmle.code.java.security.AndroidSensitiveCommunicationQuery
|
||||
import SensitiveCommunicationFlow::PathGraph
|
||||
|
||||
from SensitiveCommunicationFlow::PathNode source, SensitiveCommunicationFlow::PathNode sink
|
||||
where SensitiveCommunicationFlow::hasFlowPath(source, sink)
|
||||
where SensitiveCommunicationFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This call may leak $@.", source.getNode(),
|
||||
"sensitive information"
|
||||
|
||||
@@ -57,9 +57,9 @@ module DefaultFlowConfig implements DataFlow::ConfigSig {
|
||||
int fieldFlowBranchLimit() { result = 1000 }
|
||||
}
|
||||
|
||||
private module DefaultValueFlow = DataFlow::Make<DefaultFlowConfig>;
|
||||
private module DefaultValueFlow = DataFlow::Global<DefaultFlowConfig>;
|
||||
|
||||
private module DefaultTaintFlow = TaintTracking::Make<DefaultFlowConfig>;
|
||||
private module DefaultTaintFlow = TaintTracking::Global<DefaultFlowConfig>;
|
||||
|
||||
class DefaultValueFlowConf extends DataFlow::Configuration {
|
||||
DefaultValueFlowConf() { this = "qltest:defaultValueFlowConf" }
|
||||
@@ -118,13 +118,13 @@ class InlineFlowTest extends InlineExpectationsTest {
|
||||
predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||
if exists(EnableLegacyConfiguration e)
|
||||
then getValueFlowConfig().hasFlow(src, sink)
|
||||
else DefaultValueFlow::hasFlow(src, sink)
|
||||
else DefaultValueFlow::flow(src, sink)
|
||||
}
|
||||
|
||||
predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||
if exists(EnableLegacyConfiguration e)
|
||||
then getTaintFlowConfig().hasFlow(src, sink)
|
||||
else DefaultTaintFlow::hasFlow(src, sink)
|
||||
else DefaultTaintFlow::flow(src, sink)
|
||||
}
|
||||
|
||||
DataFlow::Configuration getValueFlowConfig() { result = any(DefaultValueFlowConf config) }
|
||||
|
||||
@@ -47,13 +47,13 @@ module Conf4 implements ConfigSig {
|
||||
}
|
||||
|
||||
predicate flow(Node src, Node sink, string s) {
|
||||
Make<Conf1>::hasFlow(src, sink) and s = "nobarrier"
|
||||
Global<Conf1>::flow(src, sink) and s = "nobarrier"
|
||||
or
|
||||
Make<Conf2>::hasFlow(src, sink) and s = "srcbarrier"
|
||||
Global<Conf2>::flow(src, sink) and s = "srcbarrier"
|
||||
or
|
||||
Make<Conf3>::hasFlow(src, sink) and s = "sinkbarrier"
|
||||
Global<Conf3>::flow(src, sink) and s = "sinkbarrier"
|
||||
or
|
||||
Make<Conf4>::hasFlow(src, sink) and s = "both"
|
||||
Global<Conf4>::flow(src, sink) and s = "both"
|
||||
}
|
||||
|
||||
from Node src, Node sink, string s
|
||||
|
||||
@@ -10,10 +10,10 @@ module Config implements ConfigSig {
|
||||
|
||||
int explorationLimit() { result = 10 }
|
||||
|
||||
module PartialFlow = Make<Config>::FlowExploration<explorationLimit/0>;
|
||||
module PartialFlow = Global<Config>::FlowExploration<explorationLimit/0>;
|
||||
|
||||
import PartialFlow::PartialPathGraph
|
||||
|
||||
from PartialFlow::PartialPathNode n, int dist
|
||||
where PartialFlow::hasPartialFlow(_, n, dist)
|
||||
where PartialFlow::partialFlow(_, n, dist)
|
||||
select dist, n
|
||||
|
||||
@@ -10,10 +10,10 @@ module Config implements ConfigSig {
|
||||
|
||||
int explorationLimit() { result = 10 }
|
||||
|
||||
module PartialFlow = Make<Config>::FlowExploration<explorationLimit/0>;
|
||||
module PartialFlow = Global<Config>::FlowExploration<explorationLimit/0>;
|
||||
|
||||
import PartialFlow::PartialPathGraph
|
||||
|
||||
from PartialFlow::PartialPathNode n, int dist
|
||||
where PartialFlow::hasPartialFlowRev(n, _, dist)
|
||||
where PartialFlow::partialFlowRev(n, _, dist)
|
||||
select dist, n
|
||||
|
||||
@@ -55,7 +55,7 @@ module Config implements DataFlow::StateConfigSig {
|
||||
|
||||
int explorationLimit() { result = 0 }
|
||||
|
||||
module Flow = TaintTracking::MakeWithState<Config>;
|
||||
module Flow = TaintTracking::GlobalWithState<Config>;
|
||||
|
||||
module PartialFlow = Flow::FlowExploration<explorationLimit/0>;
|
||||
|
||||
@@ -67,7 +67,7 @@ class HasFlowTest extends InlineExpectationsTest {
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "flow" and
|
||||
exists(Flow::PathNode src, Flow::PathNode sink |
|
||||
Flow::hasFlowPath(src, sink) and
|
||||
Flow::flowPath(src, sink) and
|
||||
sink.getNode().getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = src.getState()
|
||||
@@ -75,7 +75,7 @@ class HasFlowTest extends InlineExpectationsTest {
|
||||
or
|
||||
tag = "pFwd" and
|
||||
exists(PartialFlow::PartialPathNode src, PartialFlow::PartialPathNode node |
|
||||
PartialFlow::hasPartialFlow(src, node, _) and
|
||||
PartialFlow::partialFlow(src, node, _) and
|
||||
checkNode(node.getNode()) and
|
||||
node.getNode().getLocation() = location and
|
||||
element = node.toString() and
|
||||
@@ -84,7 +84,7 @@ class HasFlowTest extends InlineExpectationsTest {
|
||||
or
|
||||
tag = "pRev" and
|
||||
exists(PartialFlow::PartialPathNode node, PartialFlow::PartialPathNode sink |
|
||||
PartialFlow::hasPartialFlowRev(node, sink, _) and
|
||||
PartialFlow::partialFlowRev(node, sink, _) and
|
||||
checkNode(node.getNode()) and
|
||||
node.getNode().getLocation() = location and
|
||||
element = node.toString() and
|
||||
|
||||
@@ -10,7 +10,7 @@ class HasApkInstallationTest extends InlineExpectationsTest {
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "hasApkInstallation" and
|
||||
exists(DataFlow::Node sink | ApkInstallationFlow::hasFlowTo(sink) |
|
||||
exists(DataFlow::Node sink | ApkInstallationFlow::flowTo(sink) |
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
|
||||
@@ -12,6 +12,6 @@ private class LogInjectionTest extends InlineFlowTest {
|
||||
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||
|
||||
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||
LogInjectionFlow::hasFlow(src, sink)
|
||||
LogInjectionFlow::flow(src, sink)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -6,6 +6,6 @@ class IntentUriPermissionManipulationTest extends InlineFlowTest {
|
||||
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||
|
||||
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||
IntentUriPermissionManipulationFlow::hasFlow(src, sink)
|
||||
IntentUriPermissionManipulationFlow::flow(src, sink)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -6,6 +6,6 @@ class Test extends InlineFlowTest {
|
||||
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||
|
||||
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||
UnsafeContentResolutionFlow::hasFlow(src, sink)
|
||||
UnsafeContentResolutionFlow::flow(src, sink)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -6,6 +6,6 @@ class Test extends InlineFlowTest {
|
||||
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||
|
||||
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||
FragmentInjectionTaintFlow::hasFlow(src, sink)
|
||||
FragmentInjectionTaintFlow::flow(src, sink)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -4,7 +4,7 @@ import semmle.code.java.security.SensitiveLoggingQuery
|
||||
|
||||
class HasFlowTest extends InlineFlowTest {
|
||||
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||
SensitiveLoggerFlow::hasFlow(src, sink)
|
||||
SensitiveLoggerFlow::flow(src, sink)
|
||||
}
|
||||
|
||||
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||
|
||||
@@ -9,7 +9,7 @@ class HasPolyRedos extends InlineExpectationsTest {
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "hasPolyRedos" and
|
||||
exists(DataFlow::Node sink |
|
||||
PolynomialRedosFlow::hasFlowTo(sink) and
|
||||
PolynomialRedosFlow::flowTo(sink) and
|
||||
location = sink.getLocation() and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
|
||||
@@ -7,6 +7,6 @@ class HasFlowTest extends InlineFlowTest {
|
||||
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||
|
||||
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||
RsaWithoutOaepFlow::hasFlow(src, sink)
|
||||
RsaWithoutOaepFlow::flow(src, sink)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -10,7 +10,7 @@ class HasFlowTest extends InlineExpectationsTest {
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "SSRF" and
|
||||
exists(DataFlow::Node sink |
|
||||
RequestForgeryFlow::hasFlowTo(sink) and
|
||||
RequestForgeryFlow::flowTo(sink) and
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
|
||||
@@ -7,6 +7,6 @@ class HasFlowTest extends InlineFlowTest {
|
||||
override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
|
||||
|
||||
override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
|
||||
SensitiveCommunicationFlow::hasFlow(src, sink)
|
||||
SensitiveCommunicationFlow::flow(src, sink)
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user