


Jonas Jensen
2468bd978b Java: Make taint-tracking queries speculative
I've considered every query in the code-scanning suite (high-precision
security queries).

Taint-tracking queries made speculative:
- java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
- java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
- java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql
- java/ql/src/Security/CWE/CWE-074/JndiInjection.ql
- java/ql/src/Security/CWE/CWE-074/XsltInjection.ql
- java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
- java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
- java/ql/src/Security/CWE/CWE-079/XSS.ql
- java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
- java/ql/src/Security/CWE/CWE-090/LdapInjection.ql
- java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql
- java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
- java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
- java/ql/src/Security/CWE/CWE-094/MvelInjection.ql
- java/ql/src/Security/CWE/CWE-094/SpelInjection.ql
- java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql
- java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
- java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql
- java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
- java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql
- java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
- java/ql/src/Security/CWE/CWE-330/InsecureRandomness.ql
- java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql
- java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql
- java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
- java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql
- java/ql/src/Security/CWE/CWE-552/UrlForward.ql
- java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
- java/ql/src/Security/CWE/CWE-611/XXE.ql
- java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
- java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
- java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql
- java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
- java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql
- java/ql/src/Security/CWE/CWE-918/RequestForgery.ql
- java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql
- java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql

Skipped because they're problem queries, not path-problem, even though
they use taint tracking:
- java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
- java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql
- java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql
- java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql
- java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql

Skipped because they use data flow, not taint tracking:
- java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql
- java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
- java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
- java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql
- java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
- java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql
- java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
- java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
2024-11-13 11:20:39 +01:00
37 changed files with 56 additions and 36 deletions


@@ -10,3 +10,6 @@
*/ */
import java import java
// For the hackathon, make speculative data flow tunable from a central location
int speculativity() { result = 5 }
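Review bot: `speculativity()` is a new non-private predicate with no QLDoc; the line comment above it only says it is a hackathon tunable, so a reader cannot tell what the value 5 denotes, and the repository's QL style checks presumably flag undocumented public predicates. Suggest replacing the `//` comment with a QLDoc along the lines of `/** Gets the speculation limit passed to `TaintTracking::SpeculativeGlobal` by the code-scanning taint-tracking queries. Presumably the maximum number of speculative steps per path — confirm against the parameter's meaning. */`. The file's path is not shown on this page; since the predicate sits directly after `import java`, it is presumably a library every modified query file already imports, but that should be checked, because each of the other sections references `speculativity/0` without adding an import.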


@@ -23,7 +23,8 @@ module IntentRedirectionConfig implements DataFlow::ConfigSig {
} }
/** Tracks the flow of tainted Intents being used to start Android components. */ /** Tracks the flow of tainted Intents being used to start Android components. */
module IntentRedirectionFlow = TaintTracking::Global<IntentRedirectionConfig>; module IntentRedirectionFlow =
TaintTracking::SpeculativeGlobal<IntentRedirectionConfig, speculativity/0>;
/** /**
* A sanitizer for sinks that receive the original incoming Intent, * A sanitizer for sinks that receive the original incoming Intent,
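Review bot: The QLDoc on `IntentRedirectionFlow` still describes plain taint tracking, but the module is now speculative, which changes the result set of a query in the high-precision code-scanning suite; the documentation should say so, e.g. `/** Tracks the flow of tainted Intents being used to start Android components, including speculative taint steps bounded by `speculativity/0`. */`. The same omission applies to every other flow-module section in this commit (InsecureCryptoFlow through RegexInjectionFlow), so a single consistent doc sentence across them would help readers of the individual libraries.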


@@ -36,4 +36,4 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
/** /**
* Taint-tracking flow for use of broken or risky cryptographic algorithms. * Taint-tracking flow for use of broken or risky cryptographic algorithms.
*/ */
module InsecureCryptoFlow = TaintTracking::Global<InsecureCryptoConfig>; module InsecureCryptoFlow = TaintTracking::SpeculativeGlobal<InsecureCryptoConfig, speculativity/0>;


@@ -68,7 +68,8 @@ deprecated module RemoteUserInputToArgumentToExecFlowConfig = InputToArgumentToE
/** /**
* Taint-tracking flow for unvalidated input that is used to run an external process. * Taint-tracking flow for unvalidated input that is used to run an external process.
*/ */
module InputToArgumentToExecFlow = TaintTracking::Global<InputToArgumentToExecFlowConfig>; module InputToArgumentToExecFlow =
TaintTracking::SpeculativeGlobal<InputToArgumentToExecFlowConfig, speculativity/0>;
/** /**
* DEPRECATED: Use `InputToArgumentToExecFlow` instead. * DEPRECATED: Use `InputToArgumentToExecFlow` instead.


@@ -31,4 +31,4 @@ module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {
* Taint-tracking flow for externally controlled format string vulnerabilities. * Taint-tracking flow for externally controlled format string vulnerabilities.
*/ */
module ExternallyControlledFormatStringFlow = module ExternallyControlledFormatStringFlow =
TaintTracking::Global<ExternallyControlledFormatStringConfig>; TaintTracking::SpeculativeGlobal<ExternallyControlledFormatStringConfig, speculativity/0>;


@@ -25,4 +25,5 @@ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
* Taint-tracking flow for unsafe user input * Taint-tracking flow for unsafe user input
* that is used to create Android fragments dynamically. * that is used to create Android fragments dynamically.
*/ */
module FragmentInjectionTaintFlow = TaintTracking::Global<FragmentInjectionTaintConfig>; module FragmentInjectionTaintFlow =
TaintTracking::SpeculativeGlobal<FragmentInjectionTaintConfig, speculativity/0>;


@@ -25,4 +25,5 @@ module GroovyInjectionConfig implements DataFlow::ConfigSig {
* Detect taint flow of unsafe user input * Detect taint flow of unsafe user input
* that is used to evaluate a Groovy expression. * that is used to evaluate a Groovy expression.
*/ */
module GroovyInjectionFlow = TaintTracking::Global<GroovyInjectionConfig>; module GroovyInjectionFlow =
TaintTracking::SpeculativeGlobal<GroovyInjectionConfig, speculativity/0>;


@@ -53,4 +53,4 @@ module ImplicitPendingIntentStartConfig implements DataFlow::StateConfigSig {
} }
module ImplicitPendingIntentStartFlow = module ImplicitPendingIntentStartFlow =
TaintTracking::GlobalWithState<ImplicitPendingIntentStartConfig>; TaintTracking::SpeculativeGlobalWithState<ImplicitPendingIntentStartConfig, speculativity/0>;


@@ -54,7 +54,7 @@ module BeanValidationConfig implements DataFlow::ConfigSig {
} }
/** Tracks flow from user input to the argument of a method that builds constraint error messages. */ /** Tracks flow from user input to the argument of a method that builds constraint error messages. */
module BeanValidationFlow = TaintTracking::Global<BeanValidationConfig>; module BeanValidationFlow = TaintTracking::SpeculativeGlobal<BeanValidationConfig, speculativity/0>;
/** /**
* A bean validation sink, such as method `buildConstraintViolationWithTemplate` * A bean validation sink, such as method `buildConstraintViolationWithTemplate`


@@ -26,7 +26,8 @@ module InsecureLdapUrlConfig implements DataFlow::ConfigSig {
predicate observeDiffInformedIncrementalMode() { any() } predicate observeDiffInformedIncrementalMode() { any() }
} }
module InsecureLdapUrlFlow = TaintTracking::Global<InsecureLdapUrlConfig>; module InsecureLdapUrlFlow =
TaintTracking::SpeculativeGlobal<InsecureLdapUrlConfig, speculativity/0>;
/** /**
* A taint-tracking configuration for `simple` basic-authentication in LDAP configuration. * A taint-tracking configuration for `simple` basic-authentication in LDAP configuration.


@@ -103,4 +103,5 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig {
/** /**
* Taint-tracking flow of a Insecurely random value into a sensitive sink. * Taint-tracking flow of a Insecurely random value into a sensitive sink.
*/ */
module InsecureRandomnessFlow = TaintTracking::Global<InsecureRandomnessConfig>; module InsecureRandomnessFlow =
TaintTracking::SpeculativeGlobal<InsecureRandomnessConfig, speculativity/0>;


@@ -31,4 +31,4 @@ module IntentUriPermissionManipulationConfig implements DataFlow::ConfigSig {
* Taint tracking flow for user-provided Intents being returned to third party apps. * Taint tracking flow for user-provided Intents being returned to third party apps.
*/ */
module IntentUriPermissionManipulationFlow = module IntentUriPermissionManipulationFlow =
TaintTracking::Global<IntentUriPermissionManipulationConfig>; TaintTracking::SpeculativeGlobal<IntentUriPermissionManipulationConfig, speculativity/0>;


@@ -59,7 +59,7 @@ module JexlInjectionConfig implements DataFlow::ConfigSig {
* Tracks unsafe user input that is used to construct and evaluate a JEXL expression. * Tracks unsafe user input that is used to construct and evaluate a JEXL expression.
* It supports both JEXL 2 and 3. * It supports both JEXL 2 and 3.
*/ */
module JexlInjectionFlow = TaintTracking::Global<JexlInjectionConfig>; module JexlInjectionFlow = TaintTracking::SpeculativeGlobal<JexlInjectionConfig, speculativity/0>;
/** /**
* Holds if `n1` to `n2` is a dataflow step that creates a JEXL script using an unsafe engine * Holds if `n1` to `n2` is a dataflow step that creates a JEXL script using an unsafe engine


@@ -28,7 +28,8 @@ module JndiInjectionFlowConfig implements DataFlow::ConfigSig {
} }
/** Tracks flow of unvalidated user input that is used in JNDI lookup */ /** Tracks flow of unvalidated user input that is used in JNDI lookup */
module JndiInjectionFlow = TaintTracking::Global<JndiInjectionFlowConfig>; module JndiInjectionFlow =
TaintTracking::SpeculativeGlobal<JndiInjectionFlowConfig, speculativity/0>;
/** /**
* A method that does a JNDI lookup when it receives a `SearchControls` argument with `setReturningObjFlag` = `true` * A method that does a JNDI lookup when it receives a `SearchControls` argument with `setReturningObjFlag` = `true`


@@ -22,4 +22,4 @@ module LdapInjectionFlowConfig implements DataFlow::ConfigSig {
} }
/** Tracks flow from remote sources to LDAP injection vulnerabilities. */ /** Tracks flow from remote sources to LDAP injection vulnerabilities. */
module LdapInjectionFlow = TaintTracking::Global<LdapInjectionFlowConfig>; module LdapInjectionFlow = TaintTracking::SpeculativeGlobal<LdapInjectionFlowConfig, speculativity/0>;


@@ -24,4 +24,5 @@ module MvelInjectionFlowConfig implements DataFlow::ConfigSig {
} }
/** Tracks flow of unsafe user input that is used to construct and evaluate a MVEL expression. */ /** Tracks flow of unsafe user input that is used to construct and evaluate a MVEL expression. */
module MvelInjectionFlow = TaintTracking::Global<MvelInjectionFlowConfig>; module MvelInjectionFlow =
TaintTracking::SpeculativeGlobal<MvelInjectionFlowConfig, speculativity/0>;


@@ -109,7 +109,7 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig {
/** /**
* Taint-tracking flow for user input that is used in a numeric cast. * Taint-tracking flow for user input that is used in a numeric cast.
*/ */
module NumericCastFlow = TaintTracking::Global<NumericCastFlowConfig>; module NumericCastFlow = TaintTracking::SpeculativeGlobal<NumericCastFlowConfig, speculativity/0>;
/** /**
* A taint-tracking configuration for reasoning about local user input that is * A taint-tracking configuration for reasoning about local user input that is


@@ -23,4 +23,5 @@ module OgnlInjectionFlowConfig implements DataFlow::ConfigSig {
} }
/** Tracks flow of unvalidated user input that is used in OGNL EL evaluation. */ /** Tracks flow of unvalidated user input that is used in OGNL EL evaluation. */
module OgnlInjectionFlow = TaintTracking::Global<OgnlInjectionFlowConfig>; module OgnlInjectionFlow =
TaintTracking::SpeculativeGlobal<OgnlInjectionFlowConfig, speculativity/0>;


@@ -23,4 +23,4 @@ module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig {
/** Tracks flow of unsafe user input that is used to validate against path traversal, but is insufficient and remains vulnerable to Partial Path Traversal. */ /** Tracks flow of unsafe user input that is used to validate against path traversal, but is insufficient and remains vulnerable to Partial Path Traversal. */
module PartialPathTraversalFromRemoteFlow = module PartialPathTraversalFromRemoteFlow =
TaintTracking::Global<PartialPathTraversalFromRemoteConfig>; TaintTracking::SpeculativeGlobal<PartialPathTraversalFromRemoteConfig, speculativity/0>;


@@ -32,4 +32,4 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
predicate observeDiffInformedIncrementalMode() { any() } predicate observeDiffInformedIncrementalMode() { any() }
} }
module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>; module RequestForgeryFlow = TaintTracking::SpeculativeGlobal<RequestForgeryConfig, speculativity/0>;


@@ -38,4 +38,5 @@ module ResponseSplittingConfig implements DataFlow::ConfigSig {
/** /**
* Tracks flow from remote sources to response splitting vulnerabilities. * Tracks flow from remote sources to response splitting vulnerabilities.
*/ */
module ResponseSplittingFlow = TaintTracking::Global<ResponseSplittingConfig>; module ResponseSplittingFlow =
TaintTracking::SpeculativeGlobal<ResponseSplittingConfig, speculativity/0>;


@@ -23,7 +23,7 @@ module SpelInjectionConfig implements DataFlow::ConfigSig {
} }
/** Tracks flow of unsafe user input that is used to construct and evaluate a SpEL expression. */ /** Tracks flow of unsafe user input that is used to construct and evaluate a SpEL expression. */
module SpelInjectionFlow = TaintTracking::Global<SpelInjectionConfig>; module SpelInjectionFlow = TaintTracking::SpeculativeGlobal<SpelInjectionConfig, speculativity/0>;
/** Default sink for SpEL injection vulnerabilities. */ /** Default sink for SpEL injection vulnerabilities. */
private class DefaultSpelExpressionEvaluationSink extends SpelExpressionEvaluationSink { private class DefaultSpelExpressionEvaluationSink extends SpelExpressionEvaluationSink {


@@ -27,7 +27,7 @@ module QueryInjectionFlowConfig implements DataFlow::ConfigSig {
} }
/** Tracks flow of unvalidated user input that is used in SQL queries. */ /** Tracks flow of unvalidated user input that is used in SQL queries. */
module QueryInjectionFlow = TaintTracking::Global<QueryInjectionFlowConfig>; module QueryInjectionFlow = TaintTracking::SpeculativeGlobal<QueryInjectionFlowConfig, speculativity/0>;
/** /**
* Implementation of `SqlTainted.ql`. This is extracted to a QLL so that it * Implementation of `SqlTainted.ql`. This is extracted to a QLL so that it


@@ -131,4 +131,5 @@ module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
} }
/** Tracks the flow from a static initialization vector to the initialization of a cipher */ /** Tracks the flow from a static initialization vector to the initialization of a cipher */
module StaticInitializationVectorFlow = TaintTracking::Global<StaticInitializationVectorConfig>; module StaticInitializationVectorFlow =
TaintTracking::SpeculativeGlobal<StaticInitializationVectorConfig, speculativity/0>;


@@ -77,7 +77,7 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
} }
/** Tracks flow from remote sources to the creation of a path. */ /** Tracks flow from remote sources to the creation of a path. */
module TaintedPathFlow = TaintTracking::Global<TaintedPathConfig>; module TaintedPathFlow = TaintTracking::SpeculativeGlobal<TaintedPathConfig, speculativity/0>;
/** /**
* A taint-tracking configuration for tracking flow from local user input to the creation of a path. * A taint-tracking configuration for tracking flow from local user input to the creation of a path.


@@ -21,4 +21,4 @@ module TemplateInjectionFlowConfig implements DataFlow::ConfigSig {
} }
/** Tracks server-side template injection (SST) vulnerabilities */ /** Tracks server-side template injection (SST) vulnerabilities */
module TemplateInjectionFlow = TaintTracking::Global<TemplateInjectionFlowConfig>; module TemplateInjectionFlow = TaintTracking::SpeculativeGlobal<TemplateInjectionFlowConfig, speculativity/0>;


@@ -25,4 +25,5 @@ module UnsafeContentResolutionConfig implements DataFlow::ConfigSig {
} }
/** Taint-tracking flow to find paths from remote sources to content URI resolutions. */ /** Taint-tracking flow to find paths from remote sources to content URI resolutions. */
module UnsafeContentResolutionFlow = TaintTracking::Global<UnsafeContentResolutionConfig>; module UnsafeContentResolutionFlow =
TaintTracking::SpeculativeGlobal<UnsafeContentResolutionConfig, speculativity/0>;


@@ -329,7 +329,10 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
predicate observeDiffInformedIncrementalMode() { any() } predicate observeDiffInformedIncrementalMode() { any() }
} }
module UnsafeDeserializationFlow = TaintTracking::Global<UnsafeDeserializationConfig>; int speculationLimit() { result = 10 }
module UnsafeDeserializationFlow =
TaintTracking::SpeculativeGlobal<UnsafeDeserializationConfig, speculationLimit/0>;
/** /**
* Gets a safe usage of the `use` method of Flexjson, which could be: * Gets a safe usage of the `use` method of Flexjson, which could be:
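Review bot: This section introduces its own `int speculationLimit() { result = 10 }` instead of passing `speculativity/0` like the other 35 flow modules in this commit, so the central tunable the first hunk advertises does not actually control unsafe deserialization, and the new predicate is neither private nor documented even though the config module next to it is `private`. If a different limit for deserialization is intended, make that explicit with `/** Speculation limit for unsafe deserialization; deliberately higher than `speculativity/0` because … */` and `private int speculationLimit() { result = 10 }`; otherwise use `TaintTracking::SpeculativeGlobal<UnsafeDeserializationConfig, speculativity/0>` for consistency. The reason for the divergence cannot be inferred from the hunk.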


@@ -202,4 +202,4 @@ module UrlForwardFlowConfig implements DataFlow::ConfigSig {
/** /**
* Taint-tracking flow for URL forwarding. * Taint-tracking flow for URL forwarding.
*/ */
module UrlForwardFlow = TaintTracking::Global<UrlForwardFlowConfig>; module UrlForwardFlow = TaintTracking::SpeculativeGlobal<UrlForwardFlowConfig, speculativity/0>;


@@ -20,4 +20,4 @@ module UrlRedirectConfig implements DataFlow::ConfigSig {
/** /**
* Taint-tracking flow for URL redirections. * Taint-tracking flow for URL redirections.
*/ */
module UrlRedirectFlow = TaintTracking::Global<UrlRedirectConfig>; module UrlRedirectFlow = TaintTracking::SpeculativeGlobal<UrlRedirectConfig, speculativity/0>;


@@ -19,4 +19,4 @@ module XPathInjectionConfig implements DataFlow::ConfigSig {
/** /**
* Taint-tracking flow for XPath injection vulnerabilities. * Taint-tracking flow for XPath injection vulnerabilities.
*/ */
module XPathInjectionFlow = TaintTracking::Global<XPathInjectionConfig>; module XPathInjectionFlow = TaintTracking::SpeculativeGlobal<XPathInjectionConfig, speculativity/0>;


@@ -27,7 +27,8 @@ module XsltInjectionFlowConfig implements DataFlow::ConfigSig {
/** /**
* Tracks flow from unvalidated user input to XSLT transformation. * Tracks flow from unvalidated user input to XSLT transformation.
*/ */
module XsltInjectionFlow = TaintTracking::Global<XsltInjectionFlowConfig>; module XsltInjectionFlow =
TaintTracking::SpeculativeGlobal<XsltInjectionFlowConfig, speculativity/0>;
/** /**
* A set of additional taint steps to consider when taint tracking XSLT related data flows. * A set of additional taint steps to consider when taint tracking XSLT related data flows.


@@ -25,4 +25,4 @@ module XssConfig implements DataFlow::ConfigSig {
} }
/** Tracks flow from remote sources to cross site scripting vulnerabilities. */ /** Tracks flow from remote sources to cross site scripting vulnerabilities. */
module XssFlow = TaintTracking::Global<XssConfig>; module XssFlow = TaintTracking::SpeculativeGlobal<XssConfig, speculativity/0>;


@@ -25,4 +25,4 @@ module XxeConfig implements DataFlow::ConfigSig {
/** /**
* Detect taint flow of unvalidated remote user input that is used in XML external entity expansion. * Detect taint flow of unvalidated remote user input that is used in XML external entity expansion.
*/ */
module XxeFlow = TaintTracking::Global<XxeConfig>; module XxeFlow = TaintTracking::SpeculativeGlobal<XxeConfig, speculativity/0>;


@@ -48,7 +48,7 @@ module ZipSlipConfig implements DataFlow::ConfigSig {
} }
/** Tracks flow from archive entries to file creation. */ /** Tracks flow from archive entries to file creation. */
module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>; module ZipSlipFlow = TaintTracking::SpeculativeGlobal<ZipSlipConfig, speculativity/0>;
/** /**
* A sink that represents a file creation, such as a file write, copy or move operation. * A sink that represents a file creation, such as a file write, copy or move operation.


@@ -49,4 +49,5 @@ module PolynomialRedosConfig implements DataFlow::ConfigSig {
} }
} }
module PolynomialRedosFlow = TaintTracking::Global<PolynomialRedosConfig>; module PolynomialRedosFlow =
TaintTracking::SpeculativeGlobal<PolynomialRedosConfig, speculativity/0>;


@@ -21,4 +21,4 @@ module RegexInjectionConfig implements DataFlow::ConfigSig {
/** /**
* Taint-tracking flow for untrusted user input used to construct regular expressions. * Taint-tracking flow for untrusted user input used to construct regular expressions.
*/ */
module RegexInjectionFlow = TaintTracking::Global<RegexInjectionConfig>; module RegexInjectionFlow = TaintTracking::SpeculativeGlobal<RegexInjectionConfig, speculativity/0>;