I've considered every query in the code-scanning suite (high-precision security queries). Taint-tracking queries made speculative: - java/ql/src/Security/CWE/CWE-022/TaintedPath.ql - java/ql/src/Security/CWE/CWE-022/ZipSlip.ql - java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql - java/ql/src/Security/CWE/CWE-074/JndiInjection.ql - java/ql/src/Security/CWE/CWE-074/XsltInjection.ql - java/ql/src/Security/CWE/CWE-078/ExecTainted.ql - java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql - java/ql/src/Security/CWE/CWE-079/XSS.ql - java/ql/src/Security/CWE/CWE-089/SqlTainted.ql - java/ql/src/Security/CWE/CWE-090/LdapInjection.ql - java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql - java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql - java/ql/src/Security/CWE/CWE-094/JexlInjection.ql - java/ql/src/Security/CWE/CWE-094/MvelInjection.ql - java/ql/src/Security/CWE/CWE-094/SpelInjection.ql - java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql - java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql - java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql - java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql - java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql - java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql - java/ql/src/Security/CWE/CWE-330/InsecureRandomness.ql - java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql - java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql - java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql - java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql - java/ql/src/Security/CWE/CWE-552/UrlForward.ql - java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql - java/ql/src/Security/CWE/CWE-611/XXE.ql - java/ql/src/Security/CWE/CWE-643/XPathInjection.ql - java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql - java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql - java/ql/src/Security/CWE/CWE-730/RegexInjection.ql - java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql - 
java/ql/src/Security/CWE/CWE-918/RequestForgery.ql - java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql - java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql Skipped because they're problem queries, not path-problem, even though they use taint tracking: - java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql - java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql - java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql - java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql - java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql Skipped because they use data flow, not taint tracking: - java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql - java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql - java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql - java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql - java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql - java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql - java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql - java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
/** Provides a taint tracking configuration for server-side template injection (SSTI) vulnerabilities. */
import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.TemplateInjection
/**
 * A taint tracking configuration to reason about server-side template injection (SSTI)
 * vulnerabilities.
 *
 * This module contains no detection logic of its own: sources, sinks, sanitizers and
 * additional taint steps are the `TemplateInjection*` classes imported from
 * `semmle.code.java.security.TemplateInjection`, and this module only wires them into
 * `DataFlow::ConfigSig`. Extending detection (e.g. a new sink or sanitizer) is done by
 * extending those classes, not by editing this configuration.
 */
module TemplateInjectionFlowConfig implements DataFlow::ConfigSig {
  /** Holds if `source` is recognized as a `TemplateInjectionSource`. */
  predicate isSource(DataFlow::Node source) { source instanceof TemplateInjectionSource }

  /** Holds if `sink` is recognized as a `TemplateInjectionSink`. */
  predicate isSink(DataFlow::Node sink) { sink instanceof TemplateInjectionSink }

  /**
   * Holds if `sanitizer` is recognized as a `TemplateInjectionSanitizer`.
   * Taint does not propagate through a barrier node, so this is where validation or
   * escaping of template input is modelled.
   */
  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof TemplateInjectionSanitizer }

  /**
   * Holds if some `TemplateInjectionAdditionalTaintStep` instance declares a taint step
   * from `node1` to `node2`, on top of the library's default taint steps.
   */
  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
    any(TemplateInjectionAdditionalTaintStep a).isAdditionalTaintStep(node1, node2)
  }

  // Unconditionally holds (`any()`). NOTE(review): presumably this opts the configuration
  // in to diff-informed incremental mode, where flow computation may be restricted to the
  // changed range -- confirm against the `DataFlow::ConfigSig` documentation.
  predicate observeDiffInformedIncrementalMode() { any() }
}
/**
 * Tracks server-side template injection (SSTI) vulnerabilities.
 *
 * Instantiated via `TaintTracking::SpeculativeGlobal` rather than `TaintTracking::Global`,
 * parameterized by `TemplateInjectionFlowConfig` and the `speculativity/0` predicate.
 * Neither `SpeculativeGlobal` nor `speculativity` is defined in this file; they are
 * expected to come from the imports above -- confirm which one before changing them.
 * NOTE(review): results produced under speculation are presumably lower confidence than
 * those reaching a configured `TemplateInjectionSink`; check how the consuming query
 * labels them before relying on them for triage.
 */
module TemplateInjectionFlow = TaintTracking::SpeculativeGlobal<TemplateInjectionFlowConfig, speculativity/0>;