From f6e40bd49d2c75666c35c37801ed8c6b581932d0 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Tue, 9 Dec 2025 12:24:43 +0000
Subject: [PATCH] Convert trust boundary violation barrier and barrier guard to MaD

---
 java/ql/lib/ext/org.owasp.esapi.model.yml | 38 ++++++++++++++++-
 .../code/java/frameworks/owasp/Esapi.qll | 42 -------------------
 .../security/TrustBoundaryViolationQuery.qll | 22 +---------
 3 files changed, 39 insertions(+), 63 deletions(-)
 delete mode 100644 java/ql/lib/semmle/code/java/frameworks/owasp/Esapi.qll

diff --git a/java/ql/lib/ext/org.owasp.esapi.model.yml b/java/ql/lib/ext/org.owasp.esapi.model.yml
index 30578debe58..70890d7e03b 100644
--- a/java/ql/lib/ext/org.owasp.esapi.model.yml
+++ b/java/ql/lib/ext/org.owasp.esapi.model.yml
@@ -1,6 +1,42 @@
 extensions:
+ - addsTo:
+ pack: codeql/java-all
+ extensible: barrierGuardModel
+ data:
+ - ["org.owasp.esapi", "Validator", true, "isValidCreditCard", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "isValidDate", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "isValidDirectoryPath", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "isValidDouble", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "isValidFileContent", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "isValidFileName", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "isValidInput", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "isValidInteger", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "isValidListItem", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "isValidNumber", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "isValidPrintable", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "isValidRedirectLocation", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "isValidSafeHTML", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "isValidURI", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
+ - addsTo:
+ pack: codeql/java-all
+ extensible: barrierModel
+ data:
+ - ["org.owasp.esapi", "Validator", true, "getValidCreditCard", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "getValidDate", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "getValidDirectoryPath", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "getValidDouble", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "getValidFileContent", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "getValidFileName", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "getValidInput", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "getValidInteger", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "getValidListItem", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "getValidNumber", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "getValidPrintable", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "getValidRedirectLocation", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "getValidSafeHTML", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
+ - ["org.owasp.esapi", "Validator", true, "getValidURI", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
 - addsTo:
 pack: codeql/java-all
 extensible: summaryModel
 data:
- - ["org.owasp.esapi", "Encoder", true, "encodeForHTML", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
\ No newline at end of file
+ - ["org.owasp.esapi", "Encoder", true, "encodeForHTML", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
diff --git a/java/ql/lib/semmle/code/java/frameworks/owasp/Esapi.qll b/java/ql/lib/semmle/code/java/frameworks/owasp/Esapi.qll
deleted file mode 100644
index fe95cd0d39d..00000000000
--- a/java/ql/lib/semmle/code/java/frameworks/owasp/Esapi.qll
+++ /dev/null
@@ -1,42 +0,0 @@
-/** Classes and predicates for reasoning about the `owasp.easpi` package. */
-overlay[local?]
-module;
-
-import java
-
-/**
- * The `org.owasp.esapi.Validator` interface.
- */
-class EsapiValidator extends RefType {
- EsapiValidator() { this.hasQualifiedName("org.owasp.esapi", "Validator") }
-}
-
-/**
- * The methods of `org.owasp.esapi.Validator` which validate data.
- */
-class EsapiIsValidMethod extends Method {
- EsapiIsValidMethod() {
- this.getDeclaringType() instanceof EsapiValidator and
- this.hasName([
- "isValidCreditCard", "isValidDate", "isValidDirectoryPath", "isValidDouble",
- "isValidFileContent", "isValidFileName", "isValidInput", "isValidInteger",
- "isValidListItem", "isValidNumber", "isValidPrintable", "isValidRedirectLocation",
- "isValidSafeHTML", "isValidURI"
- ])
- }
-}
-
-/**
- * The methods of `org.owasp.esapi.Validator` which return validated data.
- */
-class EsapiGetValidMethod extends Method {
- EsapiGetValidMethod() {
- this.getDeclaringType() instanceof EsapiValidator and
- this.hasName([
- "getValidCreditCard", "getValidDate", "getValidDirectoryPath", "getValidDouble",
- "getValidFileContent", "getValidFileName", "getValidInput", "getValidInteger",
- "getValidListItem", "getValidNumber", "getValidPrintable", "getValidRedirectLocation",
- "getValidSafeHTML", "getValidURI"
- ])
- }
-}
diff --git a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
index b2f49834b5a..477aeb48b64 100644
--- a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
@@ -5,7 +5,6 @@ private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.controlflow.Guards
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
-private import semmle.code.java.frameworks.owasp.Esapi
 private import semmle.code.java.security.Sanitizers
 
 /**
@@ -28,25 +27,8 @@ class TrustBoundaryViolationSink extends DataFlow::Node {
  */
 abstract class TrustBoundaryValidationSanitizer extends DataFlow::Node { }
 
-/**
- * A node validated by an OWASP ESAPI validation method.
- */
-private class EsapiValidatedInputSanitizer extends TrustBoundaryValidationSanitizer {
- EsapiValidatedInputSanitizer() {
- this = DataFlow::BarrierGuard::getABarrierNode() or
- this.asExpr().(MethodCall).getMethod() instanceof EsapiGetValidMethod
- }
-}
-
-/**
- * Holds if `g` is a guard that checks that `e` is valid data according to an OWASP ESAPI validation method.
- */
-private predicate esapiIsValidData(Guard g, Expr e, boolean branch) {
- branch = true and
- exists(MethodCall ma | ma.getMethod() instanceof EsapiIsValidMethod |
- g = ma and
- e = ma.getArgument(1)
- )
+private class DefaultTrustBoundaryValidationSanitizer extends TrustBoundaryValidationSanitizer {
+ DefaultTrustBoundaryValidationSanitizer() { barrierNode(this, "trust-boundary-violation") }
 }
 
 /**
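Review bot: The new `DefaultTrustBoundaryValidationSanitizer` has no QLDoc, whereas the `EsapiValidatedInputSanitizer` it replaces documented what qualified as a sanitizer; add `/** A node that a Models-as-Data barrier or barrier-guard row marks as a "trust-boundary-violation" barrier. */` above the class so readers know the sanitizer set now lives in the model files. With `esapiIsValidData(Guard g, ...)` removed, the `private import semmle.code.java.controlflow.Guards` kept as context in the previous hunk appears to have no remaining user in the code shown; unless it is used elsewhere in the file, it should go too. The kind string is now duplicated between this file and the YAML rows, so a comment pointing at `org.owasp.esapi.model.yml` would help keep them in sync.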