hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-29 06:12:58 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
aa1337db86c87571e4b1428aee5e54defe0f53cd
codeql/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll
Tony Torralba 21079a1315 Fix conditionControlsMethod predicate 
Exceptions for throw and return statements were missing the appropriate condition
2021-09-15 17:51:51 +02:00

36 lines
1.3 KiB
Plaintext
Raw Blame History

/**
* Provides classes to be used in queries related to vulnerabilities
* about unstrusted input being used in security decisions.
*/
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.SensitiveActions
import semmle.code.java.controlflow.Guards
/**
* Holds if `ma` is controlled by the condition expression `e`.
*/
predicate conditionControlsMethod(MethodAccess ma, Expr e) {
exists(ConditionBlock cb, SensitiveExecutionMethod m, boolean cond |
ma.getMethod() = m and
cb.controls(ma.getBasicBlock(), cond) and
not cb.controls(any(SensitiveExecutionMethod sem).getAReference().getBasicBlock(),
cond.booleanNot()) and
not cb.controls(any(ThrowStmt t).getBasicBlock(), cond.booleanNot()) and
not cb.controls(any(ReturnStmt r).getBasicBlock(), cond.booleanNot()) and
e = cb.getCondition()
)
}
/**
* A taint tracking configuration for untrusted data flowing to sensitive conditions.
*/
class ConditionalBypassFlowConfig extends TaintTracking::Configuration {
ConditionalBypassFlowConfig() { this = "ConditionalBypassFlowConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { conditionControlsMethod(_, sink.asExpr()) }
}
Reference in New Issue View Git Blame Copy Permalink