hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-05 07:06:47 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
ef972159a615c13a5a29d9e884fd3ae18512d636
codeql/java/ql/src/utils/model-generator/CaptureSourceModels.ql
Benjamin Muskalla 739fe75194 Support flow for factory and strategy pattern 
* Support models for factories that create
new instances of an object while tainting it with incoming data
* Support models to infer super types for
private implementations to expose the models
at the right level
2021-11-10 16:30:24 +01:00

63 lines
1.9 KiB
Plaintext
Raw Blame History

/**
* @name Capture source models.
* @description Finds APIs that act as sources as they expose already known sources.
* @id java/utils/model-generator/sink-models
*/
import java
private import Telemetry.ExternalAPI
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.TaintTracking
private import semmle.code.java.dataflow.ExternalFlow
private import ModelGeneratorUtils
private import semmle.code.java.dataflow.internal.FlowSummaryImplSpecific
private import semmle.code.java.dataflow.internal.FlowSummaryImpl
private import semmle.code.java.dataflow.internal.DataFlowImplCommon
private import semmle.code.java.dataflow.internal.DataFlowNodes::Private
class FromSourceConfiguration extends TaintTracking::Configuration {
FromSourceConfiguration() { this = "FromSourceConfiguration" }
override predicate isSource(DataFlow::Node source) { sourceNode(source, _) }
override predicate isSink(DataFlow::Node sink) {
exists(Callable c |
sink instanceof ReturnNodeExt and
sink.getEnclosingCallable() = c and
c.isPublic() and
c.fromSource()
)
or
exists(MethodAccess c | sink.asExpr() = c.getAnArgument())
}
}
string asOutput(DataFlow::Node node) {
if node instanceof ReturnNodeExt
then result = "ReturnValue"
else
result =
"Parameter[" +
node.(ArgumentNode)
.getCall()
.asCall()
.getQualifier()
.(VarAccess)
.getVariable()
.(Parameter)
.getPosition() + "]"
}
string captureSource(Callable api) {
exists(DataFlow::Node source, DataFlow::Node sink, FromSourceConfiguration config, string kind |
config.hasFlow(source, sink) and
sourceNode(source, kind) and
api = source.getEnclosingCallable() and
result = asSourceModel(api, asOutput(sink), kind)
)
}
from TargetAPI api, string sink
where sink = captureSource(api)
select sink order by sink
Reference in New Issue View Git Blame Copy Permalink