Convert trust boundary violation barrier and barrier guard to MaD

2025-12-16 00:33:11 +01:00 · 2025-12-09 12:24:43 +00:00
parent dcf6041dca
commit f6e40bd49d
3 changed files with 39 additions and 63 deletions
--- a/java/ql/lib/ext/org.owasp.esapi.model.yml
+++ b/java/ql/lib/ext/org.owasp.esapi.model.yml
@@ -1,6 +1,42 @@
 extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: barrierGuardModel
+    data:
+      - ["org.owasp.esapi", "Validator", true, "isValidCreditCard", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "isValidDate", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "isValidDirectoryPath", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "isValidDouble", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "isValidFileContent", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "isValidFileName", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "isValidInput", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "isValidInteger", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "isValidListItem", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "isValidNumber", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "isValidPrintable", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "isValidRedirectLocation", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "isValidSafeHTML", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "isValidURI", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: barrierModel
+    data:
+      - ["org.owasp.esapi", "Validator", true, "getValidCreditCard", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "getValidDate", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "getValidDirectoryPath", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "getValidDouble", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "getValidFileContent", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "getValidFileName", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "getValidInput", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "getValidInteger", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "getValidListItem", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "getValidNumber", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "getValidPrintable", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "getValidRedirectLocation", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "getValidSafeHTML", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+      - ["org.owasp.esapi", "Validator", true, "getValidURI", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
  - addsTo:
      pack: codeql/java-all
      extensible: summaryModel
    data:
-      - ["org.owasp.esapi", "Encoder", true, "encodeForHTML", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["org.owasp.esapi", "Encoder", true, "encodeForHTML", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
--- a/java/ql/lib/semmle/code/java/frameworks/owasp/Esapi.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/owasp/Esapi.qll
@@ -1,42 +0,0 @@
-/** Classes and predicates for reasoning about the `owasp.easpi` package. */
-overlay[local?]
-module;
-
-import java
-
-/**
- * The `org.owasp.esapi.Validator` interface.
- */
-class EsapiValidator extends RefType {
-  EsapiValidator() { this.hasQualifiedName("org.owasp.esapi", "Validator") }
-}
-
-/**
- * The methods of `org.owasp.esapi.Validator` which validate data.
- */
-class EsapiIsValidMethod extends Method {
-  EsapiIsValidMethod() {
-    this.getDeclaringType() instanceof EsapiValidator and
-    this.hasName([
-        "isValidCreditCard", "isValidDate", "isValidDirectoryPath", "isValidDouble",
-        "isValidFileContent", "isValidFileName", "isValidInput", "isValidInteger",
-        "isValidListItem", "isValidNumber", "isValidPrintable", "isValidRedirectLocation",
-        "isValidSafeHTML", "isValidURI"
-      ])
-  }
-}
-
-/**
- * The methods of `org.owasp.esapi.Validator` which return validated data.
- */
-class EsapiGetValidMethod extends Method {
-  EsapiGetValidMethod() {
-    this.getDeclaringType() instanceof EsapiValidator and
-    this.hasName([
-        "getValidCreditCard", "getValidDate", "getValidDirectoryPath", "getValidDouble",
-        "getValidFileContent", "getValidFileName", "getValidInput", "getValidInteger",
-        "getValidListItem", "getValidNumber", "getValidPrintable", "getValidRedirectLocation",
-        "getValidSafeHTML", "getValidURI"
-      ])
-  }
-}
--- a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
@@ -5,7 +5,6 @@ private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.controlflow.Guards
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
-private import semmle.code.java.frameworks.owasp.Esapi
 private import semmle.code.java.security.Sanitizers

 /**
@@ -28,25 +27,8 @@ class TrustBoundaryViolationSink extends DataFlow::Node {
 */
 abstract class TrustBoundaryValidationSanitizer extends DataFlow::Node { }

-/**
- * A node validated by an OWASP ESAPI validation method.
- */
-private class EsapiValidatedInputSanitizer extends TrustBoundaryValidationSanitizer {
-  EsapiValidatedInputSanitizer() {
-    this = DataFlow::BarrierGuard<esapiIsValidData/3>::getABarrierNode() or
-    this.asExpr().(MethodCall).getMethod() instanceof EsapiGetValidMethod
-  }
-}
-
-/**
- * Holds if `g` is a guard that checks that `e` is valid data according to an OWASP ESAPI validation method.
- */
-private predicate esapiIsValidData(Guard g, Expr e, boolean branch) {
-  branch = true and
-  exists(MethodCall ma | ma.getMethod() instanceof EsapiIsValidMethod |
-    g = ma and
-    e = ma.getArgument(1)
-  )
+private class DefaultTrustBoundaryValidationSanitizer extends TrustBoundaryValidationSanitizer {
+  DefaultTrustBoundaryValidationSanitizer() { barrierNode(this, "trust-boundary-violation") }
 }

 /**