hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
52e4076684b7b1c1cf838b5a158852481bd18694
codeql/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql
Anders Schack-Mulligen 4408482699 Java: Refactor NumericCastTainted, NumericCastTaintedLocal
2023-03-07 10:42:00 +01:00

50 lines
1.6 KiB
Plaintext
Raw Blame History

/**
* @name Local-user-controlled data in numeric cast
* @description Casting user-controlled numeric data to a narrower type without validation
* can cause unexpected truncation.
* @kind path-problem
* @problem.severity recommendation
* @security-severity 9.0
* @precision medium
* @id java/tainted-numeric-cast-local
* @tags security
* external/cwe/cwe-197
* external/cwe/cwe-681
*/
import java
import semmle.code.java.dataflow.FlowSources
import NumericCastCommon
module NumericCastFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
predicate isSink(DataFlow::Node sink) {
sink.asExpr() = any(NumericNarrowingCastExpr cast).getExpr()
}
predicate isBarrier(DataFlow::Node node) {
boundedRead(node.asExpr()) or
castCheck(node.asExpr()) or
node.getType() instanceof SmallType or
smallExpr(node.asExpr()) or
node.getEnclosingCallable() instanceof HashCodeMethod
}
}
module NumericCastFlow = TaintTracking::Make<NumericCastFlowConfig>;
import NumericCastFlow::PathGraph
from
NumericCastFlow::PathNode source, NumericCastFlow::PathNode sink, NumericNarrowingCastExpr exp,
VarAccess tainted
where
exp.getExpr() = tainted and
sink.getNode().asExpr() = tainted and
NumericCastFlow::hasFlowPath(source, sink) and
not exists(RightShiftOp e | e.getShiftedVariable() = tainted.getVariable())
select exp, source, sink,
"This cast to a narrower type depends on a $@, potentially causing truncation.", source.getNode(),
"user-provided value"
Reference in New Issue View Git Blame Copy Permalink