hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Introduce TaintedPathAdditionalTaintStep

Browse Source 
Use separate configurations for tainted path and tainted path local again.
This commit is contained in:
Tony Torralba
2022-09-16 10:42:15 +02:00
parent 95478f1af6
commit fdc8453a59
4 changed files with 26 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
View File

@@ -29,7 +29,7 @@ predicate containsDotDotSanitizer(Guard g, Expr e, boolean branch) {
)
}
class TaintedPathConfig extends TaintedPathCommonConfig {
class TaintedPathConfig extends TaintTracking::Configuration {
TaintedPathConfig() { this = "TaintedPathConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -48,6 +48,10 @@ class TaintedPathConfig extends TaintedPathCommonConfig {
or
node = DataFlow::BarrierGuard<containsDotDotSanitizer/3>::getABarrierNode()
}
override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
any(TaintedPathAdditionalTaintStep s).step(n1, n2)
}
}
/**

16
java/ql/src/Security/CWE/CWE-022/TaintedPathCommon.qll
View File

@@ -6,13 +6,19 @@ import java
import semmle.code.java.controlflow.Guards
import semmle.code.java.security.PathCreation
import semmle.code.java.frameworks.Networking
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.DataFlow
abstract class TaintedPathCommonConfig extends TaintTracking::Configuration {
bindingset[this]
TaintedPathCommonConfig() { any() }
/**
* A unit class for adding additional taint steps.
*
* Extend this class to add additional taint steps that should apply to tainted path flow configurations.
*/
class TaintedPathAdditionalTaintStep extends Unit {
abstract predicate step(DataFlow::Node n1, DataFlow::Node n2);
}
final override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
private class DefaultTaintedPathAdditionalTaintStep extends TaintedPathAdditionalTaintStep {
override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
exists(Argument a |
a = n1.asExpr() and
a.getCall() = n2.asExpr() and

6
java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql
View File

@@ -19,7 +19,7 @@ import semmle.code.java.security.PathCreation
import DataFlow::PathGraph
import TaintedPathCommon
class TaintedPathLocalConfig extends TaintedPathCommonConfig {
class TaintedPathLocalConfig extends TaintTracking::Configuration {
TaintedPathLocalConfig() { this = "TaintedPathLocalConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
@@ -27,6 +27,10 @@ class TaintedPathLocalConfig extends TaintedPathCommonConfig {
override predicate isSink(DataFlow::Node sink) {
sink.asExpr() = any(PathCreation p).getAnInput()
}
override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
any(TaintedPathAdditionalTaintStep s).step(n1, n2)
}
}
from