hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Java: Refactor CaptureSinkModels into language specific and generic part.

Browse Source
This commit is contained in:
Michael Nebel
2022-03-18 13:43:09 +01:00
parent cc5fbbb7c5
commit fb2a7dfb48
3 changed files with 51 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
java/ql/src/utils/model-generator/CaptureSinkModels.ql
View File

@@ -4,51 +4,8 @@
* @id java/utils/model-generator/sink-models
*/
import java
private import semmle.code.java.dataflow.TaintTracking
private import semmle.code.java.dataflow.ExternalFlow
private import ModelGeneratorUtils
class PropagateToSinkConfiguration extends TaintTracking::Configuration {
PropagateToSinkConfiguration() { this = "parameters or fields flowing into sinks" }
override predicate isSource(DataFlow::Node source) {
(source.asExpr().(FieldAccess).isOwnFieldAccess() or source instanceof DataFlow::ParameterNode) and
source.getEnclosingCallable().isPublic() and
exists(RefType t |
t = source.getEnclosingCallable().getDeclaringType().getAnAncestor() and
not t instanceof TypeObject and
t.isPublic()
) and
isRelevantForModels(source.getEnclosingCallable())
}
override predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }
override DataFlow::FlowFeature getAFeature() {
result instanceof DataFlow::FeatureHasSourceCallContext
}
}
string asInputArgument(DataFlow::Node source) {
exists(int pos |
source.(DataFlow::ParameterNode).isParameterOf(_, pos) and
result = "Argument[" + pos + "]"
)
or
source.asExpr() instanceof FieldAccess and
result = "Argument[-1]"
}
string captureSink(TargetApi api) {
exists(DataFlow::Node src, DataFlow::Node sink, PropagateToSinkConfiguration config, string kind |
config.hasFlow(src, sink) and
sinkNode(sink, kind) and
api = src.getEnclosingCallable() and
not kind = "logging" and
result = asSinkModel(api, asInputArgument(src), kind)
)
}
private import CaptureSinkModels
from TargetApi api, string sink
where sink = captureSink(api)

21
java/ql/src/utils/model-generator/CaptureSinkModels.qll Normal file
View File

@@ -0,0 +1,21 @@
private import CaptureSinkModelsSpecific
class PropagateToSinkConfiguration extends PropagateToSinkConfigurationSpecific {
PropagateToSinkConfiguration() { this = "parameters or fields flowing into sinks" }
override predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }
override DataFlow::FlowFeature getAFeature() {
result instanceof DataFlow::FeatureHasSourceCallContext
}
}
string captureSink(TargetApi api) {
exists(DataFlow::Node src, DataFlow::Node sink, PropagateToSinkConfiguration config, string kind |
config.hasFlow(src, sink) and
sinkNode(sink, kind) and
api = src.getEnclosingCallable() and
not kind = "logging" and
result = asSinkModel(api, asInputArgument(src), kind)
)
}

29
java/ql/src/utils/model-generator/CaptureSinkModelsSpecific.qll Normal file
View File

@@ -0,0 +1,29 @@
import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.ExternalFlow
import ModelGeneratorUtils
class PropagateToSinkConfigurationSpecific extends TaintTracking::Configuration {
PropagateToSinkConfigurationSpecific() { this = "parameters or fields flowing into sinks" }
override predicate isSource(DataFlow::Node source) {
(source.asExpr().(FieldAccess).isOwnFieldAccess() or source instanceof DataFlow::ParameterNode) and
source.getEnclosingCallable().isPublic() and
exists(RefType t |
t = source.getEnclosingCallable().getDeclaringType().getAnAncestor() and
not t instanceof TypeObject and
t.isPublic()
) and
isRelevantForModels(source.getEnclosingCallable())
}
}
string asInputArgument(DataFlow::Node source) {
exists(int pos |
source.(DataFlow::ParameterNode).isParameterOf(_, pos) and
result = "Argument[" + pos + "]"
)
or
source.asExpr() instanceof FieldAccess and
result = "Argument[-1]"
}