Merge branch 'main' into 17052-second-try-do-not-expose-error-message

RobbingDaHood
2024-07-25 18:13:49 +02:00
committed by GitHub
66 changed files with 3208 additions and 1281 deletions


@@ -22,6 +22,7 @@ private module Frameworks {
private import semmle.code.java.frameworks.IoJsonWebToken
private import semmle.code.java.frameworks.jackson.JacksonSerializability
private import semmle.code.java.frameworks.InputStream
private import semmle.code.java.frameworks.Networking
private import semmle.code.java.frameworks.Properties
private import semmle.code.java.frameworks.Protobuf
private import semmle.code.java.frameworks.ThreadLocal


@@ -356,8 +356,12 @@ RefType getErasedRepr(Type t) {
t instanceof NullType and result instanceof TypeObject
}
class DataFlowType extends SrcRefType {
final private class SrcRefTypeFinal = SrcRefType;
class DataFlowType extends SrcRefTypeFinal {
DataFlowType() { this = getErasedRepr(_) }
string toString() { result = ppReprType(this) }
}
pragma[nomagic]
@@ -371,7 +375,7 @@ DataFlowType getNodeType(Node n) {
}
/** Gets a string representation of a type returned by `getErasedRepr`. */
string ppReprType(DataFlowType t) {
private string ppReprType(SrcRefType t) {
if t.(BoxedType).getPrimitiveType().getName() = "double"
then result = "Number"
else result = t.toString()
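Review bot: The new alias `final private class SrcRefTypeFinal = SrcRefType;` has no comment, and its purpose is not obvious from the lines shown. Presumably it exists so that the `toString` added to `DataFlowType` does not override `SrcRefType.toString` for every source reference type; a one-line comment such as `// Extend a final alias so that toString below does not override SrcRefType.toString.` would record that, if the assumption is right. In the second hunk `ppReprType` becomes `private` and takes `SrcRefType`, so its doc comment ("a type returned by `getErasedRepr`") now describes a narrower input than the signature accepts, and any caller outside this file (none are visible here) would have to switch to `DataFlowType.toString()`. The body of `ppReprType` continues outside the hunk.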


@@ -3,6 +3,8 @@
*/
import semmle.code.java.Type
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.FlowSteps
/** The type `java.net.URLConnection`. */
class TypeUrlConnection extends RefType {
@@ -24,6 +26,11 @@ class TypeUrl extends RefType {
TypeUrl() { this.hasQualifiedName("java.net", "URL") }
}
/** Specifies that if a `URL` is tainted, then so are its synthetic fields. */
private class UrlFieldsInheritTaint extends DataFlow::SyntheticFieldContent, TaintInheritingContent {
UrlFieldsInheritTaint() { this.getField().matches("java.net.URL.%") }
}
/** The type `java.net.URLDecoder`. */
class TypeUrlDecoder extends RefType {
TypeUrlDecoder() { this.hasQualifiedName("java.net", "URLDecoder") }
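Review bot: The characteristic predicate of `UrlFieldsInheritTaint` uses an open-ended prefix match, `this.getField().matches("java.net.URL.%")`, so every synthetic field whose name starts with `java.net.URL.` inherits taint, including any added later. The doc comment should say that this breadth is intentional and point to where those synthetic field names are declared, which is not visible in this section. Because a tainted `URL` now taints each component read from it, queries that rely on only part of a URL being attacker-controlled may report additional flows; this is inferred, as no test or expected-output changes appear in the lines shown.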


@@ -13,9 +13,15 @@ private class ExploitableStringLiteral extends StringLiteral {
/**
* Holds if `kind` is an external sink kind that is relevant for regex flow.
* `full` is true if sinks with this kind match against the full string of its input.
* `strArg` is the index of the argument to methods with this sink kind that contan the string to be matched against,
* where -1 is the qualifier; or -2 if no such argument exists.
* `full` is true if sinks with this kind match against the full string of its
* input.
* `strArg` is the index of the argument to methods with this sink kind that
* contain the string to be matched against, where -1 is the qualifier; or -2
* if no such argument exists.
*
* Note that `regex-use` is deliberately not a possible value for `kind` here,
* as it is used for regular expression injection sinks that should not be used
* as polynomial ReDoS sinks.
*/
private predicate regexSinkKindInfo(string kind, boolean full, int strArg) {
sinkModel(_, _, _, _, _, _, _, kind, _, _) and