Java: Improve the Api sources and sinks implementation.
@@ -1,122 +1,39 @@
|
||||
/** Provides classes representing various flow sinks for data flow / taint tracking. */
|
||||
|
||||
private import semmle.code.java.dataflow.DataFlow
|
||||
private import semmle.code.java.dataflow.ExternalFlow
|
||||
private import semmle.code.java.dataflow.FlowSinks as FlowSinks
|
||||
|
||||
/**
|
||||
* A data flow sink node.
|
||||
*/
|
||||
abstract class SinkNode extends DataFlow::Node { }
|
||||
final class SinkNode = FlowSinks::ApiSinkNode;
|
||||
|
||||
/**
|
||||
* Module that adds all API like sinks to `SinkNode`, excluding sinks for cryptography based
|
||||
* queries, and queries where sinks are not succifiently defined (eg. using broad method name matching).
|
||||
*/
|
||||
private module ApiSinks {
|
||||
private import semmle.code.java.security.AndroidSensitiveCommunicationQuery as AndroidSensitiveCommunicationQuery
|
||||
private import semmle.code.java.security.ArbitraryApkInstallation as ArbitraryApkInstallation
|
||||
private import semmle.code.java.security.CleartextStorageAndroidDatabaseQuery as CleartextStorageAndroidDatabaseQuery
|
||||
private import semmle.code.java.security.CleartextStorageAndroidFilesystemQuery as CleartextStorageAndroidFilesystemQuery
|
||||
private import semmle.code.java.security.CleartextStorageCookieQuery as CleartextStorageCookieQuery
|
||||
private import semmle.code.java.security.CleartextStorageSharedPrefsQuery as CleartextStorageSharedPrefsQuery
|
||||
private import semmle.code.java.security.ExternallyControlledFormatStringQuery as ExternallyControlledFormatStringQuery
|
||||
private import semmle.code.java.security.InsecureBasicAuth as InsecureBasicAuth
|
||||
private import semmle.code.java.security.IntentUriPermissionManipulation as IntentUriPermissionManipulation
|
||||
private import semmle.code.java.security.InsecureLdapAuth as InsecureLdapAuth
|
||||
private import semmle.code.java.security.InsecureTrustManager as InsecureTrustManager
|
||||
private import semmle.code.java.security.JndiInjection as JndiInjection
|
||||
private import semmle.code.java.security.JWT as Jwt
|
||||
private import semmle.code.java.security.OgnlInjection as OgnlInjection
|
||||
private import semmle.code.java.security.SensitiveResultReceiverQuery as SensitiveResultReceiverQuery
|
||||
private import semmle.code.java.security.SensitiveUiQuery as SensitiveUiQuery
|
||||
private import semmle.code.java.security.SpelInjection as SpelInjection
|
||||
private import semmle.code.java.security.SpelInjectionQuery as SpelInjectionQuery
|
||||
private import semmle.code.java.security.QueryInjection as QueryInjection
|
||||
private import semmle.code.java.security.TempDirLocalInformationDisclosureQuery as TempDirLocalInformationDisclosureQuery
|
||||
private import semmle.code.java.security.UnsafeAndroidAccess as UnsafeAndroidAccess
|
||||
private import semmle.code.java.security.UnsafeContentUriResolution as UnsafeContentUriResolution
|
||||
private import semmle.code.java.security.UnsafeDeserializationQuery as UnsafeDeserializationQuery
|
||||
private import semmle.code.java.security.UrlRedirect as UrlRedirect
|
||||
private import semmle.code.java.security.WebviewDebuggingEnabledQuery as WebviewDebuggingEnabledQuery
|
||||
private import semmle.code.java.security.XPath as Xpath
|
||||
private import semmle.code.java.security.XSS as Xss
|
||||
|
||||
private class AndoidIntentRedirectionQuerySinks extends SinkNode instanceof AndroidSensitiveCommunicationQuery::SensitiveCommunicationSink
|
||||
{ }
|
||||
|
||||
private class ArbitraryApkInstallationSinks extends SinkNode instanceof ArbitraryApkInstallation::SetDataSink
|
||||
{ }
|
||||
|
||||
private class CleartextStorageAndroidDatabaseQuerySinks extends SinkNode instanceof CleartextStorageAndroidDatabaseQuery::LocalDatabaseSink
|
||||
{ }
|
||||
|
||||
private class CleartextStorageAndroidFilesystemQuerySinks extends SinkNode instanceof CleartextStorageAndroidFilesystemQuery::LocalFileSink
|
||||
{ }
|
||||
|
||||
private class CleartextStorageCookieQuerySinks extends SinkNode instanceof CleartextStorageCookieQuery::CookieStoreSink
|
||||
{ }
|
||||
|
||||
private class CleartextStorageSharedPrefsQuerySinks extends SinkNode instanceof CleartextStorageSharedPrefsQuery::SharedPreferencesSink
|
||||
{ }
|
||||
|
||||
private class ExternallyControlledFormatStringQuerySinks extends SinkNode instanceof ExternallyControlledFormatStringQuery::StringFormatSink
|
||||
{ }
|
||||
|
||||
private class InsecureBasicAuthSinks extends SinkNode instanceof InsecureBasicAuth::InsecureBasicAuthSink
|
||||
{ }
|
||||
|
||||
private class InsecureTrustManagerSinks extends SinkNode instanceof InsecureTrustManager::InsecureTrustManagerSink
|
||||
{ }
|
||||
|
||||
private class IntentUriPermissionManipulationSinks extends SinkNode instanceof IntentUriPermissionManipulation::IntentUriPermissionManipulationSink
|
||||
{ }
|
||||
|
||||
private class InsecureLdapAuthSinks extends SinkNode instanceof InsecureLdapAuth::InsecureLdapUrlSink
|
||||
{ }
|
||||
|
||||
private class JndiInjectionSinks extends SinkNode instanceof JndiInjection::JndiInjectionSink { }
|
||||
|
||||
private class JwtSinks extends SinkNode instanceof Jwt::JwtParserWithInsecureParseSink { }
|
||||
|
||||
private class OgnlInjectionSinks extends SinkNode instanceof OgnlInjection::OgnlInjectionSink { }
|
||||
|
||||
private class SensitiveResultReceiverQuerySinks extends SinkNode instanceof SensitiveResultReceiverQuery::SensitiveResultReceiverSink
|
||||
{ }
|
||||
|
||||
private class SensitiveUiQuerySinks extends SinkNode instanceof SensitiveUiQuery::TextFieldSink {
|
||||
}
|
||||
|
||||
private class SpelInjectionSinks extends SinkNode instanceof SpelInjection::SpelExpressionEvaluationSink
|
||||
{ }
|
||||
|
||||
private class QueryInjectionSinks extends SinkNode instanceof QueryInjection::QueryInjectionSink {
|
||||
}
|
||||
|
||||
private class TempDirLocalInformationDisclosureSinks extends SinkNode instanceof TempDirLocalInformationDisclosureQuery::MethodFileDirectoryCreationSink
|
||||
{ }
|
||||
|
||||
private class UnsafeAndroidAccessSinks extends SinkNode instanceof UnsafeAndroidAccess::UrlResourceSink
|
||||
{ }
|
||||
|
||||
private class UnsafeContentUriResolutionSinks extends SinkNode instanceof UnsafeContentUriResolution::ContentUriResolutionSink
|
||||
{ }
|
||||
|
||||
private class UnsafeDeserializationQuerySinks extends SinkNode instanceof UnsafeDeserializationQuery::UnsafeDeserializationSink
|
||||
{ }
|
||||
|
||||
private class UrlRedirectSinks extends SinkNode instanceof UrlRedirect::UrlRedirectSink { }
|
||||
|
||||
private class WebviewDebugEnabledQuery extends SinkNode instanceof WebviewDebuggingEnabledQuery::WebviewDebugSink
|
||||
{ }
|
||||
|
||||
private class XPathSinks extends SinkNode instanceof Xpath::XPathInjectionSink { }
|
||||
|
||||
private class XssSinks extends SinkNode instanceof Xss::XssSink { }
|
||||
|
||||
/**
|
||||
* Add all models as data sinks.
|
||||
*/
|
||||
private class SinkNodeExternal extends SinkNode {
|
||||
SinkNodeExternal() { sinkNode(this, _) }
|
||||
}
|
||||
private module AllApiSinks {
|
||||
private import semmle.code.java.security.AndroidSensitiveCommunicationQuery
|
||||
private import semmle.code.java.security.ArbitraryApkInstallation
|
||||
private import semmle.code.java.security.CleartextStorageAndroidDatabaseQuery
|
||||
private import semmle.code.java.security.CleartextStorageAndroidFilesystemQuery
|
||||
private import semmle.code.java.security.CleartextStorageCookieQuery
|
||||
private import semmle.code.java.security.CleartextStorageSharedPrefsQuery
|
||||
private import semmle.code.java.security.ExternallyControlledFormatStringQuery
|
||||
private import semmle.code.java.security.InsecureBasicAuth
|
||||
private import semmle.code.java.security.IntentUriPermissionManipulation
|
||||
private import semmle.code.java.security.InsecureLdapAuth
|
||||
private import semmle.code.java.security.InsecureTrustManager
|
||||
private import semmle.code.java.security.JndiInjection
|
||||
private import semmle.code.java.security.JWT
|
||||
private import semmle.code.java.security.OgnlInjection
|
||||
private import semmle.code.java.security.SensitiveResultReceiverQuery
|
||||
private import semmle.code.java.security.SensitiveUiQuery
|
||||
private import semmle.code.java.security.SpelInjection
|
||||
private import semmle.code.java.security.SpelInjectionQuery
|
||||
private import semmle.code.java.security.QueryInjection
|
||||
private import semmle.code.java.security.TempDirLocalInformationDisclosureQuery
|
||||
private import semmle.code.java.security.UnsafeAndroidAccess
|
||||
private import semmle.code.java.security.UnsafeContentUriResolution
|
||||
private import semmle.code.java.security.UnsafeDeserializationQuery
|
||||
private import semmle.code.java.security.UrlRedirect
|
||||
private import semmle.code.java.security.WebviewDebuggingEnabledQuery
|
||||
private import semmle.code.java.security.XPath
|
||||
private import semmle.code.java.security.XSS
|
||||
}
|
||||
|
||||
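Review bot: The doc comment kept above `AllApiSinks` still says the module "adds all API like sinks to `SinkNode`", but the new module holds only bare `private import` lines, so membership of `SinkNode` now depends on each imported library extending `FlowSinks::ApiSinkNode`, which is not visible in this file. A sink class that is never made to extend `ApiSinkNode` would drop out of `SinkNode` with no error here, so the comment should state the contract, for example `Imports the query libraries whose sink classes extend ApiSinkNode; a library contributes only the sinks it declares that way.` The typo `succifiently` (sufficiently) could be fixed in the same edit. The same point applies to the `AllApiSources` module and its comment in the next file section.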
@@ -1,69 +1,23 @@
|
||||
/** Provides classes representing various flow sources for data flow / taint tracking. */
|
||||
|
||||
private import semmle.code.java.dataflow.DataFlow
|
||||
private import semmle.code.java.dataflow.ExternalFlow
|
||||
private import semmle.code.java.dataflow.FlowSources as FlowSources
|
||||
|
||||
/**
|
||||
* A data flow source node.
|
||||
*/
|
||||
abstract class SourceNode extends DataFlow::Node { }
|
||||
final class SourceNode = FlowSources::ApiSourceNode;
|
||||
|
||||
/**
|
||||
* Module that adds all API like sources to `SourceNode`, excluding some sources for cryptography based
|
||||
* queries, and queries where sources are not succifiently defined (eg. using broad method name matching).
|
||||
*/
|
||||
private module ApiSources {
|
||||
private import FlowSources as FlowSources
|
||||
private import semmle.code.java.security.ArbitraryApkInstallation as ArbitraryApkInstallation
|
||||
private import semmle.code.java.security.CleartextStorageAndroidDatabaseQuery as CleartextStorageAndroidDatabaseQuery
|
||||
private import semmle.code.java.security.CleartextStorageAndroidFilesystemQuery as CleartextStorageAndroidFilesystemQuery
|
||||
private import semmle.code.java.security.CleartextStorageCookieQuery as CleartextStorageCookieQuery
|
||||
private import semmle.code.java.security.CleartextStorageSharedPrefsQuery as CleartextStorageSharedPrefsQuery
|
||||
private import semmle.code.java.security.ImplicitPendingIntentsQuery as ImplicitPendingIntentsQuery
|
||||
private import semmle.code.java.security.ImproperIntentVerificationQuery as ImproperIntentVerificationQuery
|
||||
private import semmle.code.java.security.InsecureTrustManager as InsecureTrustManager
|
||||
private import semmle.code.java.security.JWT as Jwt
|
||||
private import semmle.code.java.security.StackTraceExposureQuery as StackTraceExposureQuery
|
||||
private import semmle.code.java.security.ZipSlipQuery as ZipSlipQuery
|
||||
|
||||
private class FlowSourcesSourceNode extends SourceNode instanceof FlowSources::SourceNode { }
|
||||
|
||||
private class ArbitraryApkInstallationSources extends SourceNode instanceof ArbitraryApkInstallation::ExternalApkSource
|
||||
{ }
|
||||
|
||||
private class CleartextStorageAndroidDatabaseQuerySources extends SourceNode instanceof CleartextStorageAndroidDatabaseQuery::LocalDatabaseOpenMethodCallSource
|
||||
{ }
|
||||
|
||||
private class CleartextStorageAndroidFilesystemQuerySources extends SourceNode instanceof CleartextStorageAndroidFilesystemQuery::LocalFileOpenCallSource
|
||||
{ }
|
||||
|
||||
private class CleartextStorageCookieQuerySources extends SourceNode instanceof CleartextStorageCookieQuery::CookieSource
|
||||
{ }
|
||||
|
||||
private class CleartextStorageSharedPrefsQuerySources extends SourceNode instanceof CleartextStorageSharedPrefsQuery::SharedPreferencesEditorMethodCallSource
|
||||
{ }
|
||||
|
||||
private class ImplicitPendingIntentsQuerySources extends SourceNode instanceof ImplicitPendingIntentsQuery::ImplicitPendingIntentSource
|
||||
{ }
|
||||
|
||||
private class ImproperIntentVerificationQuerySources extends SourceNode instanceof ImproperIntentVerificationQuery::VerifiedIntentConfigSource
|
||||
{ }
|
||||
|
||||
private class InsecureTrustManagerSources extends SourceNode instanceof InsecureTrustManager::InsecureTrustManagerSource
|
||||
{ }
|
||||
|
||||
private class JwtSources extends SourceNode instanceof Jwt::JwtParserWithInsecureParseSource { }
|
||||
|
||||
private class StackTraceExposureQuerySources extends SourceNode instanceof StackTraceExposureQuery::GetMessageFlowSource
|
||||
{ }
|
||||
|
||||
private class ZipSlipQuerySources extends SourceNode instanceof ZipSlipQuery::ArchiveEntryNameMethodSource
|
||||
{ }
|
||||
|
||||
/**
|
||||
* Add all models as data sources.
|
||||
*/
|
||||
private class SourceNodeExternal extends SourceNode {
|
||||
SourceNodeExternal() { sourceNode(this, _) }
|
||||
}
|
||||
private module AllApiSources {
|
||||
private import semmle.code.java.security.ArbitraryApkInstallation
|
||||
private import semmle.code.java.security.CleartextStorageAndroidDatabaseQuery
|
||||
private import semmle.code.java.security.CleartextStorageAndroidFilesystemQuery
|
||||
private import semmle.code.java.security.CleartextStorageCookieQuery
|
||||
private import semmle.code.java.security.CleartextStorageSharedPrefsQuery
|
||||
private import semmle.code.java.security.ImplicitPendingIntentsQuery
|
||||
private import semmle.code.java.security.ImproperIntentVerificationQuery
|
||||
private import semmle.code.java.security.InsecureTrustManager
|
||||
private import semmle.code.java.security.JWT
|
||||
private import semmle.code.java.security.StackTraceExposureQuery
|
||||
private import semmle.code.java.security.ZipSlipQuery
|
||||
}
|
||||
|
||||
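--- a/java/ql/lib/semmle/code/java/dataflow/FlowSinks.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/FlowSinks.qll
@@ -0,0 +1,18 @@
+/** Provides classes representing various flow sinks for data flow / taint tracking. */
+
+private import java
+private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.DataFlow
+
+/**
+* A data flow sink node for an API, which should be considered
+* supported for a modeling perspective.
+*/
+abstract class ApiSinkNode extends DataFlow::Node { }
+
+/**
+* Add all models as data sinks.
+*/
+private class ApiSinkNodeExternal extends ApiSinkNode {
+ApiSinkNodeExternal() { sinkNode(this, _) }
+}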
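Review bot: The doc comment on `ApiSinkNode` does not say how a sink becomes a member, and "supported for a modeling perspective" is hard to parse. The class is abstract and the only subclass defined in this file is `ApiSinkNodeExternal`, so every other sink has to opt in from its own library. Suggested wording: `A data flow sink node for an API that should be considered supported from a modeling perspective. Query libraries opt in by making their sink classes extend this class.` The comment on `ApiSinkNodeExternal` could also say that `sinkNode(this, _)` accepts every sink kind rather than a selected set.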
@@ -387,3 +387,18 @@ class AndroidJavascriptInterfaceMethodParameter extends RemoteFlowSource {
|
||||
result = "Parameter of method with JavascriptInterface annotation"
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A data flow source node for an API, which should be considered
|
||||
* supported for a modeling perspective.
|
||||
*/
|
||||
abstract class ApiSourceNode extends DataFlow::Node { }
|
||||
|
||||
private class AddSourceNodes extends ApiSourceNode instanceof SourceNode { }
|
||||
|
||||
/**
|
||||
* Add all models as data sources.
|
||||
*/
|
||||
private class ApiSourceNodeExternal extends ApiSourceNode {
|
||||
ApiSourceNodeExternal() { sourceNode(this, _) }
|
||||
}
|
||||
|
||||
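Review bot: `AddSourceNodes` is the only class added in this hunk without a doc comment, although it makes every existing `SourceNode` a member of `ApiSourceNode`; the definition of `SourceNode` lies outside the hunk. Suggest adding `/** Adds every SourceNode defined in this library as an API source. */` above it. `ApiSourceNodeExternal` additionally matches `sourceNode(this, _)` for any kind, which may overlap with what `SourceNode` already covers. If that overlap is deliberate, a sentence in its comment saying why would help the next reader. The new sink file has no comparable catch-all class, so sources and sinks are populated differently, and that asymmetry is worth a short comment too.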