Java: Improve the Api sources and sinks implementation.

This commit is contained in:
Michael Nebel
2024-04-25 16:44:55 +02:00
parent b754706e44
commit f95b33049e
34 changed files with 154 additions and 214 deletions


@@ -1,122 +1,39 @@
/** Provides classes representing various flow sinks for data flow / taint tracking. */
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.FlowSinks as FlowSinks
/**
* A data flow sink node.
*/
abstract class SinkNode extends DataFlow::Node { }
final class SinkNode = FlowSinks::ApiSinkNode;
/**
* Module that adds all API like sinks to `SinkNode`, excluding sinks for cryptography based
* queries, and queries where sinks are not succifiently defined (eg. using broad method name matching).
*/
private module ApiSinks {
private import semmle.code.java.security.AndroidSensitiveCommunicationQuery as AndroidSensitiveCommunicationQuery
private import semmle.code.java.security.ArbitraryApkInstallation as ArbitraryApkInstallation
private import semmle.code.java.security.CleartextStorageAndroidDatabaseQuery as CleartextStorageAndroidDatabaseQuery
private import semmle.code.java.security.CleartextStorageAndroidFilesystemQuery as CleartextStorageAndroidFilesystemQuery
private import semmle.code.java.security.CleartextStorageCookieQuery as CleartextStorageCookieQuery
private import semmle.code.java.security.CleartextStorageSharedPrefsQuery as CleartextStorageSharedPrefsQuery
private import semmle.code.java.security.ExternallyControlledFormatStringQuery as ExternallyControlledFormatStringQuery
private import semmle.code.java.security.InsecureBasicAuth as InsecureBasicAuth
private import semmle.code.java.security.IntentUriPermissionManipulation as IntentUriPermissionManipulation
private import semmle.code.java.security.InsecureLdapAuth as InsecureLdapAuth
private import semmle.code.java.security.InsecureTrustManager as InsecureTrustManager
private import semmle.code.java.security.JndiInjection as JndiInjection
private import semmle.code.java.security.JWT as Jwt
private import semmle.code.java.security.OgnlInjection as OgnlInjection
private import semmle.code.java.security.SensitiveResultReceiverQuery as SensitiveResultReceiverQuery
private import semmle.code.java.security.SensitiveUiQuery as SensitiveUiQuery
private import semmle.code.java.security.SpelInjection as SpelInjection
private import semmle.code.java.security.SpelInjectionQuery as SpelInjectionQuery
private import semmle.code.java.security.QueryInjection as QueryInjection
private import semmle.code.java.security.TempDirLocalInformationDisclosureQuery as TempDirLocalInformationDisclosureQuery
private import semmle.code.java.security.UnsafeAndroidAccess as UnsafeAndroidAccess
private import semmle.code.java.security.UnsafeContentUriResolution as UnsafeContentUriResolution
private import semmle.code.java.security.UnsafeDeserializationQuery as UnsafeDeserializationQuery
private import semmle.code.java.security.UrlRedirect as UrlRedirect
private import semmle.code.java.security.WebviewDebuggingEnabledQuery as WebviewDebuggingEnabledQuery
private import semmle.code.java.security.XPath as Xpath
private import semmle.code.java.security.XSS as Xss
private class AndoidIntentRedirectionQuerySinks extends SinkNode instanceof AndroidSensitiveCommunicationQuery::SensitiveCommunicationSink
{ }
private class ArbitraryApkInstallationSinks extends SinkNode instanceof ArbitraryApkInstallation::SetDataSink
{ }
private class CleartextStorageAndroidDatabaseQuerySinks extends SinkNode instanceof CleartextStorageAndroidDatabaseQuery::LocalDatabaseSink
{ }
private class CleartextStorageAndroidFilesystemQuerySinks extends SinkNode instanceof CleartextStorageAndroidFilesystemQuery::LocalFileSink
{ }
private class CleartextStorageCookieQuerySinks extends SinkNode instanceof CleartextStorageCookieQuery::CookieStoreSink
{ }
private class CleartextStorageSharedPrefsQuerySinks extends SinkNode instanceof CleartextStorageSharedPrefsQuery::SharedPreferencesSink
{ }
private class ExternallyControlledFormatStringQuerySinks extends SinkNode instanceof ExternallyControlledFormatStringQuery::StringFormatSink
{ }
private class InsecureBasicAuthSinks extends SinkNode instanceof InsecureBasicAuth::InsecureBasicAuthSink
{ }
private class InsecureTrustManagerSinks extends SinkNode instanceof InsecureTrustManager::InsecureTrustManagerSink
{ }
private class IntentUriPermissionManipulationSinks extends SinkNode instanceof IntentUriPermissionManipulation::IntentUriPermissionManipulationSink
{ }
private class InsecureLdapAuthSinks extends SinkNode instanceof InsecureLdapAuth::InsecureLdapUrlSink
{ }
private class JndiInjectionSinks extends SinkNode instanceof JndiInjection::JndiInjectionSink { }
private class JwtSinks extends SinkNode instanceof Jwt::JwtParserWithInsecureParseSink { }
private class OgnlInjectionSinks extends SinkNode instanceof OgnlInjection::OgnlInjectionSink { }
private class SensitiveResultReceiverQuerySinks extends SinkNode instanceof SensitiveResultReceiverQuery::SensitiveResultReceiverSink
{ }
private class SensitiveUiQuerySinks extends SinkNode instanceof SensitiveUiQuery::TextFieldSink {
}
private class SpelInjectionSinks extends SinkNode instanceof SpelInjection::SpelExpressionEvaluationSink
{ }
private class QueryInjectionSinks extends SinkNode instanceof QueryInjection::QueryInjectionSink {
}
private class TempDirLocalInformationDisclosureSinks extends SinkNode instanceof TempDirLocalInformationDisclosureQuery::MethodFileDirectoryCreationSink
{ }
private class UnsafeAndroidAccessSinks extends SinkNode instanceof UnsafeAndroidAccess::UrlResourceSink
{ }
private class UnsafeContentUriResolutionSinks extends SinkNode instanceof UnsafeContentUriResolution::ContentUriResolutionSink
{ }
private class UnsafeDeserializationQuerySinks extends SinkNode instanceof UnsafeDeserializationQuery::UnsafeDeserializationSink
{ }
private class UrlRedirectSinks extends SinkNode instanceof UrlRedirect::UrlRedirectSink { }
private class WebviewDebugEnabledQuery extends SinkNode instanceof WebviewDebuggingEnabledQuery::WebviewDebugSink
{ }
private class XPathSinks extends SinkNode instanceof Xpath::XPathInjectionSink { }
private class XssSinks extends SinkNode instanceof Xss::XssSink { }
/**
* Add all models as data sinks.
*/
private class SinkNodeExternal extends SinkNode {
SinkNodeExternal() { sinkNode(this, _) }
}
private module AllApiSinks {
private import semmle.code.java.security.AndroidSensitiveCommunicationQuery
private import semmle.code.java.security.ArbitraryApkInstallation
private import semmle.code.java.security.CleartextStorageAndroidDatabaseQuery
private import semmle.code.java.security.CleartextStorageAndroidFilesystemQuery
private import semmle.code.java.security.CleartextStorageCookieQuery
private import semmle.code.java.security.CleartextStorageSharedPrefsQuery
private import semmle.code.java.security.ExternallyControlledFormatStringQuery
private import semmle.code.java.security.InsecureBasicAuth
private import semmle.code.java.security.IntentUriPermissionManipulation
private import semmle.code.java.security.InsecureLdapAuth
private import semmle.code.java.security.InsecureTrustManager
private import semmle.code.java.security.JndiInjection
private import semmle.code.java.security.JWT
private import semmle.code.java.security.OgnlInjection
private import semmle.code.java.security.SensitiveResultReceiverQuery
private import semmle.code.java.security.SensitiveUiQuery
private import semmle.code.java.security.SpelInjection
private import semmle.code.java.security.SpelInjectionQuery
private import semmle.code.java.security.QueryInjection
private import semmle.code.java.security.TempDirLocalInformationDisclosureQuery
private import semmle.code.java.security.UnsafeAndroidAccess
private import semmle.code.java.security.UnsafeContentUriResolution
private import semmle.code.java.security.UnsafeDeserializationQuery
private import semmle.code.java.security.UrlRedirect
private import semmle.code.java.security.WebviewDebuggingEnabledQuery
private import semmle.code.java.security.XPath
private import semmle.code.java.security.XSS
}
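Review bot: The QLDoc on the new `final class SinkNode = FlowSinks::ApiSinkNode;` line still reads `A data flow sink node.`, but the set it denotes has changed: the removed `ApiSinks` module was an explicit allow-list that excluded cryptography sinks and broadly-matched sinks, whereas `FlowSinks::ApiSinkNode` contains whichever library classes choose to extend it, so that exclusion policy is now implicit in each library file. Suggest `/** A data flow sink node of an API that is considered supported from a modeling perspective; an alias of FlowSinks::ApiSinkNode. Membership is decided by the library classes that extend ApiSinkNode. */` so query authors know where to look. If the `DataFlow` and `ExternalFlow` imports are on the new side of this section, they look unused now that the file only holds the alias. The same two points apply to the Sources.qll section below.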


@@ -1,69 +1,23 @@
/** Provides classes representing various flow sources for data flow / taint tracking. */
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.FlowSources as FlowSources
/**
* A data flow source node.
*/
abstract class SourceNode extends DataFlow::Node { }
final class SourceNode = FlowSources::ApiSourceNode;
/**
* Module that adds all API like sources to `SourceNode`, excluding some sources for cryptography based
* queries, and queries where sources are not succifiently defined (eg. using broad method name matching).
*/
private module ApiSources {
private import FlowSources as FlowSources
private import semmle.code.java.security.ArbitraryApkInstallation as ArbitraryApkInstallation
private import semmle.code.java.security.CleartextStorageAndroidDatabaseQuery as CleartextStorageAndroidDatabaseQuery
private import semmle.code.java.security.CleartextStorageAndroidFilesystemQuery as CleartextStorageAndroidFilesystemQuery
private import semmle.code.java.security.CleartextStorageCookieQuery as CleartextStorageCookieQuery
private import semmle.code.java.security.CleartextStorageSharedPrefsQuery as CleartextStorageSharedPrefsQuery
private import semmle.code.java.security.ImplicitPendingIntentsQuery as ImplicitPendingIntentsQuery
private import semmle.code.java.security.ImproperIntentVerificationQuery as ImproperIntentVerificationQuery
private import semmle.code.java.security.InsecureTrustManager as InsecureTrustManager
private import semmle.code.java.security.JWT as Jwt
private import semmle.code.java.security.StackTraceExposureQuery as StackTraceExposureQuery
private import semmle.code.java.security.ZipSlipQuery as ZipSlipQuery
private class FlowSourcesSourceNode extends SourceNode instanceof FlowSources::SourceNode { }
private class ArbitraryApkInstallationSources extends SourceNode instanceof ArbitraryApkInstallation::ExternalApkSource
{ }
private class CleartextStorageAndroidDatabaseQuerySources extends SourceNode instanceof CleartextStorageAndroidDatabaseQuery::LocalDatabaseOpenMethodCallSource
{ }
private class CleartextStorageAndroidFilesystemQuerySources extends SourceNode instanceof CleartextStorageAndroidFilesystemQuery::LocalFileOpenCallSource
{ }
private class CleartextStorageCookieQuerySources extends SourceNode instanceof CleartextStorageCookieQuery::CookieSource
{ }
private class CleartextStorageSharedPrefsQuerySources extends SourceNode instanceof CleartextStorageSharedPrefsQuery::SharedPreferencesEditorMethodCallSource
{ }
private class ImplicitPendingIntentsQuerySources extends SourceNode instanceof ImplicitPendingIntentsQuery::ImplicitPendingIntentSource
{ }
private class ImproperIntentVerificationQuerySources extends SourceNode instanceof ImproperIntentVerificationQuery::VerifiedIntentConfigSource
{ }
private class InsecureTrustManagerSources extends SourceNode instanceof InsecureTrustManager::InsecureTrustManagerSource
{ }
private class JwtSources extends SourceNode instanceof Jwt::JwtParserWithInsecureParseSource { }
private class StackTraceExposureQuerySources extends SourceNode instanceof StackTraceExposureQuery::GetMessageFlowSource
{ }
private class ZipSlipQuerySources extends SourceNode instanceof ZipSlipQuery::ArchiveEntryNameMethodSource
{ }
/**
* Add all models as data sources.
*/
private class SourceNodeExternal extends SourceNode {
SourceNodeExternal() { sourceNode(this, _) }
}
private module AllApiSources {
private import semmle.code.java.security.ArbitraryApkInstallation
private import semmle.code.java.security.CleartextStorageAndroidDatabaseQuery
private import semmle.code.java.security.CleartextStorageAndroidFilesystemQuery
private import semmle.code.java.security.CleartextStorageCookieQuery
private import semmle.code.java.security.CleartextStorageSharedPrefsQuery
private import semmle.code.java.security.ImplicitPendingIntentsQuery
private import semmle.code.java.security.ImproperIntentVerificationQuery
private import semmle.code.java.security.InsecureTrustManager
private import semmle.code.java.security.JWT
private import semmle.code.java.security.StackTraceExposureQuery
private import semmle.code.java.security.ZipSlipQuery
}


@@ -0,0 +1,18 @@
/** Provides classes representing various flow sinks for data flow / taint tracking. */
private import java
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.DataFlow
/**
* A data flow sink node for an API, which should be considered
* supported for a modeling perspective.
*/
abstract class ApiSinkNode extends DataFlow::Node { }
/**
* Add all models as data sinks.
*/
private class ApiSinkNodeExternal extends ApiSinkNode {
ApiSinkNodeExternal() { sinkNode(this, _) }
}
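Review bot: The QLDoc on `abstract class ApiSinkNode` (`supported for a modeling perspective`) is ungrammatical and does not say how a sink joins the set; the same sentence is repeated on `ApiSourceNode` in the FlowSources section. Suggest `/** A data flow sink node for an API that is considered supported from a modeling perspective. Library sink classes extend this class to be included. */`. `ApiSinkNodeExternal` admits every `sinkNode(this, _)` model regardless of sink kind, which is worth stating in its comment, e.g. `/** Add all models-as-data sinks, of every kind, as API sinks. */`, since the removed Sinks.qll module used to describe which kinds were left out.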


@@ -387,3 +387,18 @@ class AndroidJavascriptInterfaceMethodParameter extends RemoteFlowSource {
result = "Parameter of method with JavascriptInterface annotation"
}
}
/**
* A data flow source node for an API, which should be considered
* supported for a modeling perspective.
*/
abstract class ApiSourceNode extends DataFlow::Node { }
private class AddSourceNodes extends ApiSourceNode instanceof SourceNode { }
/**
* Add all models as data sources.
*/
private class ApiSourceNodeExternal extends ApiSourceNode {
ApiSourceNodeExternal() { sourceNode(this, _) }
}
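Review bot: The `private class AddSourceNodes extends ApiSourceNode instanceof SourceNode` line has no comment explaining why every existing `SourceNode` automatically counts as an API source, while the sink side in FlowSinks.qll has no corresponding blanket rule; a reader comparing the two files will expect symmetry. Suggest `/** Every existing SourceNode of this file is also an API source. */` above it, or a sentence to that effect in the `ApiSourceNode` QLDoc. The hunk opens inside the body of `AndroidJavascriptInterfaceMethodParameter`, whose start is outside it.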


@@ -4,6 +4,7 @@ import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.frameworks.android.Intent
import semmle.code.java.security.SensitiveActions
private import semmle.code.java.dataflow.FlowSinks
/**
* Gets regular expression for matching names of Android variables that indicate the value being held contains sensitive information.
@@ -154,7 +155,7 @@ deprecated class SensitiveCommunicationConfig extends TaintTracking::Configurati
/**
* A class of sensitive communication sink nodes.
*/
class SensitiveCommunicationSink extends DataFlow::Node {
class SensitiveCommunicationSink extends ApiSinkNode {
SensitiveCommunicationSink() {
isSensitiveBroadcastSink(this)
or


@@ -4,6 +4,7 @@ import java
import semmle.code.java.frameworks.android.Intent
import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.FlowSinks
private import semmle.code.java.dataflow.FlowSources
/** A string literal that represents the MIME type for Android APKs. */
@@ -48,7 +49,7 @@ class SetDataMethod extends Method {
}
/** A dataflow sink for the URI of an intent. */
class SetDataSink extends DataFlow::ExprNode {
class SetDataSink extends ApiSinkNode, DataFlow::ExprNode {
SetDataSink() {
exists(MethodCall ma |
this.getExpr() = ma.getQualifier() and
@@ -69,7 +70,7 @@ class UriConstructorMethod extends Method {
* A dataflow source representing the URIs which an APK not controlled by the
* application may come from. Including external storage and web URLs.
*/
class ExternalApkSource extends DataFlow::Node {
class ExternalApkSource extends ApiSourceNode {
ExternalApkSource() {
sourceNode(this, "android-external-storage-dir") or
this.asExpr().(MethodCall).getMethod() instanceof UriConstructorMethod or


@@ -6,6 +6,8 @@ import semmle.code.java.frameworks.android.ContentProviders
import semmle.code.java.frameworks.android.Intent
import semmle.code.java.frameworks.android.SQLite
import semmle.code.java.security.CleartextStorageQuery
private import semmle.code.java.dataflow.FlowSinks
private import semmle.code.java.dataflow.FlowSources
private class LocalDatabaseCleartextStorageSink extends CleartextStorageSink {
LocalDatabaseCleartextStorageSink() { localDatabaseInput(_, this.asExpr()) }
@@ -99,14 +101,14 @@ private predicate localDatabaseStore(DataFlow::Node database, MethodCall store)
/**
* A class of local database open method call source nodes.
*/
class LocalDatabaseOpenMethodCallSource extends DataFlow::Node {
class LocalDatabaseOpenMethodCallSource extends ApiSourceNode {
LocalDatabaseOpenMethodCallSource() { this.asExpr() instanceof LocalDatabaseOpenMethodCall }
}
/**
* A class of local database sink nodes.
*/
class LocalDatabaseSink extends DataFlow::Node {
class LocalDatabaseSink extends ApiSinkNode {
LocalDatabaseSink() { localDatabaseInput(this, _) or localDatabaseStore(this, _) }
}


@@ -5,9 +5,11 @@
import java
import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.ExternalFlow
import semmle.code.java.security.CleartextStorageQuery
import semmle.code.xml.AndroidManifest
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.FlowSinks
private import semmle.code.java.dataflow.FlowSources
private class AndroidFilesystemCleartextStorageSink extends CleartextStorageSink {
AndroidFilesystemCleartextStorageSink() {
@@ -82,14 +84,14 @@ private class CloseFileMethod extends Method {
/**
* A class of local file open call source nodes.
*/
class LocalFileOpenCallSource extends DataFlow::Node {
class LocalFileOpenCallSource extends ApiSourceNode {
LocalFileOpenCallSource() { this.asExpr() instanceof LocalFileOpenCall }
}
/**
* A class of local file sink nodes.
*/
class LocalFileSink extends DataFlow::Node {
class LocalFileSink extends ApiSinkNode {
LocalFileSink() {
filesystemInput(this, _) or
closesFile(this, _)


@@ -4,6 +4,8 @@ import java
import semmle.code.java.dataflow.DataFlow
deprecated import semmle.code.java.dataflow.DataFlow3
import semmle.code.java.security.CleartextStorageQuery
private import semmle.code.java.dataflow.FlowSinks
private import semmle.code.java.dataflow.FlowSources
private class CookieCleartextStorageSink extends CleartextStorageSink {
CookieCleartextStorageSink() { this.asExpr() = cookieInput(_) }
@@ -40,14 +42,14 @@ private predicate cookieStore(DataFlow::Node cookie, Expr store) {
/**
* A class of cookie source nodes.
*/
class CookieSource extends DataFlow::Node {
class CookieSource extends ApiSourceNode {
CookieSource() { this.asExpr() instanceof Cookie }
}
/**
* A class of cookie store sink nodes.
*/
class CookieStoreSink extends DataFlow::Node {
class CookieStoreSink extends ApiSinkNode {
CookieStoreSink() { cookieStore(this, _) }
}


@@ -4,6 +4,8 @@ import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.frameworks.android.SharedPreferences
import semmle.code.java.security.CleartextStorageQuery
private import semmle.code.java.dataflow.FlowSinks
private import semmle.code.java.dataflow.FlowSources
private class SharedPrefsCleartextStorageSink extends CleartextStorageSink {
SharedPrefsCleartextStorageSink() {
@@ -70,7 +72,7 @@ private predicate sharedPreferencesStore(DataFlow::Node editor, MethodCall m) {
/**
* A shared preferences editor method call source nodes.
*/
class SharedPreferencesEditorMethodCallSource extends DataFlow::Node {
class SharedPreferencesEditorMethodCallSource extends ApiSourceNode {
SharedPreferencesEditorMethodCallSource() {
this.asExpr() instanceof SharedPreferencesEditorMethodCall
}
@@ -79,7 +81,7 @@ class SharedPreferencesEditorMethodCallSource extends DataFlow::Node {
/**
* A class of shared preferences sink nodes.
*/
class SharedPreferencesSink extends DataFlow::Node {
class SharedPreferencesSink extends ApiSinkNode {
SharedPreferencesSink() {
sharedPreferencesInput(this, _) or
sharedPreferencesStore(this, _)


@@ -1,13 +1,14 @@
/** Provides a taint-tracking configuration to reason about externally controlled format string vulnerabilities. */
import java
private import semmle.code.java.dataflow.FlowSinks
private import semmle.code.java.dataflow.FlowSources
private import semmle.code.java.StringFormat
/**
* A class of string format sink nodes.
*/
class StringFormatSink extends DataFlow::Node {
class StringFormatSink extends ApiSinkNode {
StringFormatSink() { this.asExpr() = any(StringFormat formatCall).getFormatArgument() }
}


@@ -2,6 +2,7 @@
import java
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.FlowSources
private import semmle.code.java.dataflow.TaintTracking
private import semmle.code.java.frameworks.android.Intent
private import semmle.code.java.frameworks.android.PendingIntent
@@ -27,7 +28,7 @@ class NoState extends PendingIntentState, TNoState {
}
/** A source for an implicit `PendingIntent` flow. */
abstract class ImplicitPendingIntentSource extends DataFlow::Node {
abstract class ImplicitPendingIntentSource extends ApiSourceNode {
/**
* DEPRECATED: Open-ended flow state is not intended to be part of the extension points.
*


@@ -4,6 +4,7 @@ import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.xml.AndroidManifest
import semmle.code.java.frameworks.android.Intent
private import semmle.code.java.dataflow.FlowSources
/** An `onReceive` method of a `BroadcastReceiver` */
private class OnReceiveMethod extends Method {
@@ -16,7 +17,7 @@ private class OnReceiveMethod extends Method {
/**
* A class of verified intent source nodes.
*/
class VerifiedIntentConfigSource extends DataFlow::Node {
class VerifiedIntentConfigSource extends ApiSourceNode {
VerifiedIntentConfigSource() {
this.asParameter() = any(OnReceiveMethod orm).getIntentParameter()
}


@@ -4,6 +4,7 @@ import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.security.HttpsUrls
private import semmle.code.java.dataflow.FlowSinks
/**
* A source that represents HTTP URLs.
@@ -20,7 +21,7 @@ private class DefaultInsecureBasicAuthSource extends InsecureBasicAuthSource {
* A sink that represents a method that sets Basic Authentication.
* Extend this class to add your own Insecure Basic Authentication sinks.
*/
abstract class InsecureBasicAuthSink extends DataFlow::Node { }
abstract class InsecureBasicAuthSink extends ApiSinkNode { }
/** A default sink representing methods that set an Authorization header. */
private class DefaultInsecureBasicAuthSink extends InsecureBasicAuthSink {


@@ -2,6 +2,7 @@
import java
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.FlowSinks
private import semmle.code.java.frameworks.Networking
private import semmle.code.java.frameworks.Jndi
@@ -32,7 +33,7 @@ class InsecureLdapUrl extends Expr {
/**
* A sink representing the construction of a `DirContextEnvironment`.
*/
class InsecureLdapUrlSink extends DataFlow::Node {
class InsecureLdapUrlSink extends ApiSinkNode {
InsecureLdapUrlSink() {
exists(ConstructorCall cc |
cc.getConstructedType().getAnAncestor() instanceof TypeDirContext and


@@ -2,11 +2,12 @@
import java
private import semmle.code.java.controlflow.Guards
private import semmle.code.java.dataflow.FlowSinks
private import semmle.code.java.security.Encryption
private import semmle.code.java.security.SecurityFlag
/** The creation of an insecure `TrustManager`. */
abstract class InsecureTrustManagerSource extends DataFlow::Node { }
abstract class InsecureTrustManagerSource extends ApiSourceNode { }
private class DefaultInsecureTrustManagerSource extends InsecureTrustManagerSource {
DefaultInsecureTrustManagerSource() {
@@ -18,7 +19,7 @@ private class DefaultInsecureTrustManagerSource extends InsecureTrustManagerSour
* The use of a `TrustManager` in an SSL context.
* Intentionally insecure connections are not considered sinks.
*/
abstract class InsecureTrustManagerSink extends DataFlow::Node {
abstract class InsecureTrustManagerSink extends ApiSinkNode {
InsecureTrustManagerSink() { not isGuardedByInsecureFlag(this) }
}
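Review bot: `abstract class InsecureTrustManagerSource extends ApiSourceNode` now refers to `ApiSourceNode`, but the only import added to this file is `semmle.code.java.dataflow.FlowSinks`, which on this page declares `ApiSinkNode` only; `ApiSourceNode` is declared in FlowSources.qll. Unless it is reached transitively through `Encryption` or `SecurityFlag`, whose contents are not visible here, the name will not resolve; add `private import semmle.code.java.dataflow.FlowSources` next to the FlowSinks import. The other files in this commit that retarget a source class (ArbitraryApkInstallation, the CleartextStorage queries, JWT, StackTraceExposureQuery, ImplicitPendingIntentsQuery, ImproperIntentVerificationQuery) all import FlowSources.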


@@ -6,6 +6,7 @@
import java
private import semmle.code.java.controlflow.Guards
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.FlowSinks
private import semmle.code.java.dataflow.TaintTracking
private import semmle.code.java.frameworks.android.Android
private import semmle.code.java.frameworks.android.Intent
@@ -14,7 +15,7 @@ private import semmle.code.java.frameworks.android.Intent
* A sink for Intent URI permission manipulation vulnerabilities in Android,
* that is, method calls that return an Intent as the result of an Activity.
*/
abstract class IntentUriPermissionManipulationSink extends DataFlow::Node { }
abstract class IntentUriPermissionManipulationSink extends ApiSinkNode { }
/**
* A sanitizer that makes sure that an Intent is safe to be returned to another Activity.


@@ -2,9 +2,11 @@
import java
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.FlowSinks
private import semmle.code.java.dataflow.FlowSources
/** A method access that assigns signing keys to a JWT parser. */
class JwtParserWithInsecureParseSource extends DataFlow::Node {
class JwtParserWithInsecureParseSource extends ApiSourceNode {
JwtParserWithInsecureParseSource() {
exists(MethodCall ma, Method m |
m.getDeclaringType().getAnAncestor() instanceof TypeJwtParser or
@@ -24,7 +26,7 @@ class JwtParserWithInsecureParseSource extends DataFlow::Node {
* the qualifier of a call to a `parse(token, handler)` method
* where the `handler` is considered insecure.
*/
class JwtParserWithInsecureParseSink extends DataFlow::Node {
class JwtParserWithInsecureParseSink extends ApiSinkNode {
MethodCall insecureParseMa;
JwtParserWithInsecureParseSink() {


@@ -3,11 +3,12 @@
import java
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.FlowSinks
private import semmle.code.java.frameworks.Jndi
private import semmle.code.java.frameworks.SpringLdap
/** A data flow sink for unvalidated user input that is used in JNDI lookup. */
abstract class JndiInjectionSink extends DataFlow::Node { }
abstract class JndiInjectionSink extends ApiSinkNode { }
/** A sanitizer for JNDI injection vulnerabilities. */
abstract class JndiInjectionSanitizer extends DataFlow::Node { }


@@ -2,6 +2,7 @@
import java
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.FlowSinks
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.frameworks.MyBatis
@@ -10,7 +11,7 @@ private import semmle.code.java.frameworks.MyBatis
*
* Extend this class to add your own OGNL injection sinks.
*/
abstract class OgnlInjectionSink extends DataFlow::Node { }
abstract class OgnlInjectionSink extends ApiSinkNode { }
/**
* A unit class for adding additional taint steps.


@@ -5,9 +5,10 @@ import semmle.code.java.dataflow.DataFlow
import semmle.code.java.frameworks.javaee.Persistence
private import semmle.code.java.frameworks.MyBatis
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.FlowSinks
/** A sink for database query language injection vulnerabilities. */
abstract class QueryInjectionSink extends DataFlow::Node { }
abstract class QueryInjectionSink extends ApiSinkNode { }
/**
* A unit class for adding additional taint steps.


@@ -4,6 +4,7 @@ import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.SensitiveActions
private import semmle.code.java.dataflow.FlowSinks
private class ResultReceiverSendCall extends MethodCall {
ResultReceiverSendCall() {
@@ -53,7 +54,7 @@ deprecated private class SensitiveResultReceiverConf extends TaintTracking::Conf
/**
* A class of sensitive result receiver sink nodes.
*/
class SensitiveResultReceiverSink extends DataFlow::Node {
class SensitiveResultReceiverSink extends ApiSinkNode {
SensitiveResultReceiverSink() {
exists(ResultReceiverSendCall call |
untrustedResultReceiverSend(_, call) and


@@ -2,6 +2,7 @@
import java
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.FlowSinks
private import semmle.code.java.dataflow.TaintTracking
private import semmle.code.java.security.SensitiveActions
private import semmle.code.java.frameworks.android.Layout
@@ -54,9 +55,9 @@ private class MaskCall extends MethodCall {
}
/**
* A class of test field sink nodes.
* A class of text field sink nodes.
*/
class TextFieldSink extends DataFlow::Node {
class TextFieldSink extends ApiSinkNode {
TextFieldSink() {
exists(SetTextCall call |
this.asExpr() = call.getStringArgument() and


@@ -2,10 +2,11 @@
import java
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.FlowSinks
private import semmle.code.java.frameworks.spring.SpringExpression
/** A data flow sink for unvalidated user input that is used to construct SpEL expressions. */
abstract class SpelExpressionEvaluationSink extends DataFlow::ExprNode { }
abstract class SpelExpressionEvaluationSink extends ApiSinkNode, DataFlow::ExprNode { }
/**
* A unit class for adding additional taint steps.


@@ -2,6 +2,7 @@
import java
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.FlowSources
private import semmle.code.java.dataflow.TaintTracking
private import semmle.code.java.security.InformationLeak
@@ -98,7 +99,7 @@ predicate stringifiedStackFlowsExternally(DataFlow::Node externalExpr, Expr stac
/**
* A class of get message source nodes.
*/
class GetMessageFlowSource extends DataFlow::Node {
class GetMessageFlowSource extends ApiSourceNode {
GetMessageFlowSource() {
exists(Method method | this.asExpr().(MethodCall).getMethod() = method |
method.hasName("getMessage") and


@@ -1,6 +1,7 @@
/** Provides classes to reason about local information disclosure in a temporary directory. */
import java
private import semmle.code.java.dataflow.FlowSinks
private import semmle.code.java.dataflow.TaintTracking
private import semmle.code.java.os.OSCheck
private import semmle.code.java.security.TempDirUtils
@@ -156,7 +157,7 @@ module TempDirSystemGetPropertyToCreate =
/**
* A class of method file directory creation sink nodes.
*/
class MethodFileDirectoryCreationSink extends DataFlow::Node {
class MethodFileDirectoryCreationSink extends ApiSinkNode {
MethodFileDirectoryCreationSink() {
exists(MethodCall ma | ma.getMethod() instanceof MethodFileDirectoryCreation |
ma.getQualifier() = this.asExpr()


@@ -4,6 +4,7 @@
import java
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.FlowSinks
private import semmle.code.java.frameworks.android.WebView
private import semmle.code.java.frameworks.kotlin.Kotlin
@@ -12,7 +13,7 @@ private import semmle.code.java.frameworks.kotlin.Kotlin
*
* Extend this class to add your own Unsafe Resource Fetching sinks.
*/
abstract class UrlResourceSink extends DataFlow::Node {
abstract class UrlResourceSink extends ApiSinkNode {
/**
* Gets a description of this vulnerability.
*/


@@ -1,13 +1,14 @@
/** Provides classes to reason about vulnerabilites related to content URIs. */
import java
private import semmle.code.java.dataflow.FlowSinks
private import semmle.code.java.dataflow.TaintTracking
private import semmle.code.java.frameworks.android.Android
private import semmle.code.java.security.PathSanitizer
private import semmle.code.java.security.Sanitizers
/** A URI that gets resolved by a `ContentResolver`. */
abstract class ContentUriResolutionSink extends DataFlow::Node { }
abstract class ContentUriResolutionSink extends ApiSinkNode { }
/** A sanitizer for content URIs. */
abstract class ContentUriResolutionSanitizer extends DataFlow::Node { }


@@ -3,6 +3,7 @@
*/
import semmle.code.java.dataflow.FlowSources
private import semmle.code.java.dataflow.FlowSinks
private import semmle.code.java.dataflow.TaintTracking2
private import semmle.code.java.dispatch.VirtualDispatch
private import semmle.code.java.frameworks.Kryo
@@ -235,7 +236,7 @@ predicate unsafeDeserialization(MethodCall ma, Expr sink) {
}
/** A sink for unsafe deserialization. */
class UnsafeDeserializationSink extends DataFlow::ExprNode {
class UnsafeDeserializationSink extends ApiSinkNode, DataFlow::ExprNode {
UnsafeDeserializationSink() { unsafeDeserialization(_, this.getExpr()) }
/** Gets a call that triggers unsafe deserialization. */


@@ -2,14 +2,15 @@
import java
import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.ExternalFlow
import semmle.code.java.frameworks.Servlets
import semmle.code.java.frameworks.ApacheHttp
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.FlowSinks
private import semmle.code.java.frameworks.JaxWS
private import semmle.code.java.security.RequestForgery
/** A URL redirection sink. */
abstract class UrlRedirectSink extends DataFlow::Node { }
abstract class UrlRedirectSink extends ApiSinkNode { }
/** A URL redirection sanitizer. */
abstract class UrlRedirectSanitizer extends DataFlow::Node { }


@@ -4,6 +4,7 @@ import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.controlflow.Guards
import semmle.code.java.security.SecurityTests
private import semmle.code.java.dataflow.FlowSinks
/** Holds if `ex` looks like a check that this is a debug build. */
private predicate isDebugCheck(Expr ex) {
@@ -47,7 +48,7 @@ deprecated class WebviewDebugEnabledConfig extends DataFlow::Configuration {
/**
* A class of webview debug sink nodes.
*/
class WebviewDebugSink extends DataFlow::Node {
class WebviewDebugSink extends ApiSinkNode {
WebviewDebugSink() {
exists(MethodCall ma |
ma.getMethod().hasQualifiedName("android.webkit", "WebView", "setWebContentsDebuggingEnabled") and
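Review bot: The new `private import semmle.code.java.dataflow.FlowSinks` in this file is placed after `import semmle.code.java.security.SecurityTests` instead of next to the existing `semmle.code.java.dataflow` import, whereas the other files in this commit add it inside the dataflow import group. Moving it directly under `import semmle.code.java.dataflow.DataFlow` keeps the import blocks consistent across the library. The characteristic predicate of `WebviewDebugSink` continues outside the hunk.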


@@ -3,12 +3,13 @@
import java
import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.FlowSinks
/**
* A sink that represents a method that interprets XPath expressions.
* Extend this class to add your own XPath Injection sinks.
*/
abstract class XPathInjectionSink extends DataFlow::Node { }
abstract class XPathInjectionSink extends ApiSinkNode { }
/** A default sink representing methods susceptible to XPath Injection attacks. */
private class DefaultXPathInjectionSink extends XPathInjectionSink {


@@ -10,9 +10,11 @@ private import semmle.code.java.frameworks.hudson.Hudson
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.FlowSources
private import semmle.code.java.dataflow.FlowSinks
/** A sink that represent a method that outputs data without applying contextual output encoding. */
abstract class XssSink extends DataFlow::Node { }
abstract class XssSink extends ApiSinkNode { }
/** A sanitizer that neutralizes dangerous characters that can be used to perform a XSS attack. */
abstract class XssSanitizer extends DataFlow::Node { }
@@ -108,7 +110,7 @@ class XssVulnerableWriterSource extends MethodCall {
/**
* A class of xss vulnerable writer source nodes.
*/
class XssVulnerableWriterSourceNode extends DataFlow::Node {
class XssVulnerableWriterSourceNode extends ApiSourceNode {
XssVulnerableWriterSourceNode() { this.asExpr() instanceof XssVulnerableWriterSource }
}


@@ -4,6 +4,7 @@ import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.security.PathSanitizer
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.FlowSources
private import semmle.code.java.security.PathCreation
/**
@@ -24,7 +25,7 @@ private class ArchiveEntryNameMethod extends Method {
/**
* A class of entry name method source nodes.
*/
class ArchiveEntryNameMethodSource extends DataFlow::Node {
class ArchiveEntryNameMethodSource extends ApiSourceNode {
ArchiveEntryNameMethodSource() {
this.asExpr().(MethodCall).getMethod() instanceof ArchiveEntryNameMethod
}