add stubs, upgrade test to inline test, update test files

2026-04-29 10:45:15 +02:00 · 2024-07-04 15:25:36 +02:00
parent 7df59ffe6c
commit fe1103d997
80 changed files with 2217 additions and 376 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.ql
@@ -12,24 +12,7 @@
 */

 import java
-import semmle.code.java.dataflow.FlowSources
-import experimental.semmle.code.java.security.FileAndFormRemoteSource
-import experimental.semmle.code.java.security.DecompressionBomb::DecompressionBomb
-import semmle.code.java.dataflow.TaintTracking
-
-module DecompressionBombsConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    any(AdditionalStep ads).step(nodeFrom, nodeTo)
-  }
-}
-
-module DecompressionBombsFlow = TaintTracking::Global<DecompressionBombsConfig>;
-
-import DecompressionBombsFlow::PathGraph
+import experimental.semmle.code.java.security.DecompressionBombQuery

 from DecompressionBombsFlow::PathNode source, DecompressionBombsFlow::PathNode sink
 where DecompressionBombsFlow::flowPath(source, sink)
--- a/java/ql/src/experimental/semmle/code/java/security/DecompressionBomb.qll
+++ b/java/ql/src/experimental/semmle/code/java/security/DecompressionBomb.qll
@@ -222,6 +222,29 @@ module ApacheCommons {
      }
    }

+    /**
+     * Gets `n1` and `n2` which `CompressorInputStream n2 = new CompressorStreamFactory().createCompressorInputStream(n1)`
+     * or `ArchiveInputStream n2 = new ArchiveStreamFactory().createArchiveInputStream(n1)` or
+     * `n1.read(n2)`,
+     * second one is added because of sanitizer, we want to compare return value of each `read` or similar method
+     * that whether there is a flow to a comparison between total read of decompressed stream and a constant value
+     */
+    private class CompressorsAndArchiversAdditionalTaintStep extends DecompressionBomb::AdditionalStep
+    {
+      override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+        exists(Call call |
+          // Constructors
+          (
+            call.getCallee().getDeclaringType() = any(TypeCompressors t)
+            or
+            call.getCallee().getDeclaringType() = any(TypeArchivers t)
+          ) and
+          call.getArgument(0) = n1.asExpr() and
+          call = n2.asExpr()
+        )
+      }
+    }
+
    /**
     * The methods that read bytes and belong to `CompressorInputStream` or `ArchiveInputStream` Types
     */
--- a/java/ql/src/experimental/semmle/code/java/security/DecompressionBombQuery.qll
+++ b/java/ql/src/experimental/semmle/code/java/security/DecompressionBombQuery.qll
@@ -0,0 +1,18 @@
+import semmle.code.java.dataflow.FlowSources
+import experimental.semmle.code.java.security.FileAndFormRemoteSource
+import semmle.code.java.dataflow.TaintTracking
+import experimental.semmle.code.java.security.DecompressionBomb::DecompressionBomb
+
+module DecompressionBombsConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(AdditionalStep ads).step(nodeFrom, nodeTo)
+  }
+}
+
+module DecompressionBombsFlow = TaintTracking::Global<DecompressionBombsConfig>;
+
+import DecompressionBombsFlow::PathGraph