Jonas Jensen 2468bd978b Java: Make taint-tracking queries speculative
I've considered every query in the code-scanning suite (high-precision
security queries).

Taint-tracking queries made speculative:
- java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
- java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
- java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql
- java/ql/src/Security/CWE/CWE-074/JndiInjection.ql
- java/ql/src/Security/CWE/CWE-074/XsltInjection.ql
- java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
- java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
- java/ql/src/Security/CWE/CWE-079/XSS.ql
- java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
- java/ql/src/Security/CWE/CWE-090/LdapInjection.ql
- java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql
- java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
- java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
- java/ql/src/Security/CWE/CWE-094/MvelInjection.ql
- java/ql/src/Security/CWE/CWE-094/SpelInjection.ql
- java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql
- java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
- java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql
- java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
- java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql
- java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
- java/ql/src/Security/CWE/CWE-330/InsecureRandomness.ql
- java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql
- java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql
- java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
- java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql
- java/ql/src/Security/CWE/CWE-552/UrlForward.ql
- java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
- java/ql/src/Security/CWE/CWE-611/XXE.ql
- java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
- java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
- java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql
- java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
- java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql
- java/ql/src/Security/CWE/CWE-918/RequestForgery.ql
- java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql
- java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql

Skipped because they're problem queries, not path-problem, even though
they use taint tracking:
- java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
- java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql
- java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql
- java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql
- java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql

Skipped because they use data flow, not taint tracking:
- java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql
- java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
- java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
- java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql
- java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
- java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql
- java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
- java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
2024-11-13 11:20:39 +01:00


/** Provides taint tracking configurations to be used in partial path traversal queries. */
import java
import semmle.code.java.security.PartialPathTraversal
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
/**
 * A taint-tracking configuration that finds untrusted input reaching a
 * path-prefix check that is too weak to stop partial path traversal
 * (the check is modelled by `PartialPathTraversalMethodCall`, defined in
 * `semmle.code.java.security.PartialPathTraversal`).
 */
module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig {
  /** Holds if `node` is a source of untrusted input under the active threat model. */
  predicate isSource(DataFlow::Node node) { node instanceof ActiveThreatModelSource }

  /**
   * Holds if `node` is the qualifier of a `PartialPathTraversalMethodCall`,
   * i.e. the expression whose value is fed to the insufficient validation check.
   */
  predicate isSink(DataFlow::Node node) {
    exists(PartialPathTraversalMethodCall call | call.getQualifier() = node.asExpr())
  }

  /** Opts this configuration into diff-informed incremental analysis. */
  predicate observeDiffInformedIncrementalMode() { any() }
}
/**
 * Tracks flow of unsafe user input that is used to validate against path
 * traversal, but is insufficient and remains vulnerable to Partial Path Traversal.
 *
 * Instantiated through `TaintTracking::SpeculativeGlobal` rather than
 * `TaintTracking::Global`, so the resulting flow presumably also covers
 * speculative steps (see the commit description). The `speculativity/0`
 * predicate passed as the second parameter is not defined in this file and
 * is expected to come from one of the imports above — confirm.
 */
module PartialPathTraversalFromRemoteFlow =
TaintTracking::SpeculativeGlobal<PartialPathTraversalFromRemoteConfig, speculativity/0>;