mirror of
https://github.com/github/codeql.git
synced 2026-01-21 18:34:46 +01:00
103 lines
3.4 KiB
Plaintext
103 lines
3.4 KiB
Plaintext
private import java
|
|
private import AutomodelEndpointTypes as AutomodelEndpointTypes
|
|
|
|
/**
|
|
* A helper class to represent a string value that can be returned by a query using $@ notation.
|
|
*
|
|
* It extends `string`, but adds a mock `hasLocationInfo` method that returns the string itself as the file name.
|
|
*
|
|
* Use this, when you want to return a string value from a query using $@ notation - the string value
|
|
* will be included in the sarif file.
|
|
*
|
|
*
|
|
* Background information on `hasLocationInfo`:
|
|
* https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/#providing-location-information
|
|
*/
|
|
class DollarAtString extends string {
|
|
bindingset[this]
|
|
DollarAtString() { any() }
|
|
|
|
bindingset[this]
|
|
predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
|
|
path = this and sl = 1 and sc = 1 and el = 1 and ec = 1
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Holds for all combinations of MaD kinds (`kind`) and their human readable
|
|
* descriptions.
|
|
*/
|
|
predicate isKnownKind(string kind, AutomodelEndpointTypes::EndpointType type) {
|
|
kind = "path-injection" and
|
|
type instanceof AutomodelEndpointTypes::PathInjectionSinkType
|
|
or
|
|
kind = "sql-injection" and
|
|
type instanceof AutomodelEndpointTypes::SqlInjectionSinkType
|
|
or
|
|
kind = "request-forgery" and
|
|
type instanceof AutomodelEndpointTypes::RequestForgerySinkType
|
|
or
|
|
kind = "command-injection" and
|
|
type instanceof AutomodelEndpointTypes::CommandInjectionSinkType
|
|
or
|
|
kind = "remote" and
|
|
type instanceof AutomodelEndpointTypes::RemoteSourceType
|
|
}
|
|
|
|
/**
|
|
* By convention, the subtypes property of the MaD declaration should only be
|
|
* true when there _can_ exist any subtypes with a different implementation.
|
|
*
|
|
* It would technically be ok to always use the value 'true', but this would
|
|
* break convention.
|
|
*/
|
|
pragma[nomagic]
|
|
boolean considerSubtypes(Callable callable) {
|
|
if
|
|
callable.isStatic() or
|
|
callable.getDeclaringType().isStatic() or
|
|
callable.isFinal() or
|
|
callable.getDeclaringType().isFinal()
|
|
then result = false
|
|
else result = true
|
|
}
|
|
|
|
/**
|
|
* Holds if the given package, type, name and signature is a candidate for automodeling.
|
|
*
|
|
* This predicate is extensible, so that different endpoints can be selected at runtime.
|
|
*/
|
|
extensible predicate automodelCandidateFilter(
|
|
string package, string type, string name, string signature
|
|
);
|
|
|
|
/**
|
|
* Holds if the given package, type, name and signature is a candidate for automodeling.
|
|
*
|
|
* This relies on an extensible predicate, and if that is not supplied then
|
|
* all endpoints are considered candidates.
|
|
*/
|
|
bindingset[package, type, name, signature]
|
|
predicate includeAutomodelCandidate(string package, string type, string name, string signature) {
|
|
not automodelCandidateFilter(_, _, _, _) or
|
|
automodelCandidateFilter(package, type, name, signature)
|
|
}
|
|
|
|
/**
|
|
* Holds if the given program element corresponds to a piece of source code,
|
|
* that is, it is not compiler-generated.
|
|
*
|
|
* Note: This is a stricter check than `Element::fromSource`, which simply
|
|
* checks whether the element is in a source file as opposed to a JAR file.
|
|
* There can be compiler-generated elements in source files (especially for
|
|
* Kotlin), which we also want to exclude.
|
|
*/
|
|
predicate isFromSource(Element e) {
|
|
// from a source file (not a JAR)
|
|
e.fromSource() and
|
|
// not explicitly marked as compiler-generated
|
|
not e.isCompilerGenerated() and
|
|
// does not have a dummy location
|
|
not e.hasLocationInfo(_, 0, 0, 0, 0)
|
|
}
|