Skip to content

Commit 79209af

Browse files
Java: Refactor out flow steps for more frameworks.
1 parent 92fd8c4 commit 79209af

File tree

7 files changed

+74
-52
lines changed

7 files changed

+74
-52
lines changed

java/ql/src/semmle/code/java/dataflow/FlowSteps.qll

Lines changed: 29 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,10 +2,37 @@
22
* Provides classes representing various flow steps for taint tracking.
33
*/
44

5-
import java
5+
private import java
6+
private import semmle.code.java.dataflow.DataFlow
67

78
/**
8-
* A method that returns tainted data when one of its inputs (an argument or the qualifier) are tainted.
9+
* A module importing the frameworks that implement additional flow steps,
10+
* ensuring that they are visible to the taint tracking library.
11+
*/
12+
module Frameworks {
13+
private import semmle.code.java.frameworks.jackson.JacksonSerializability
14+
private import semmle.code.java.frameworks.android.Intent
15+
private import semmle.code.java.frameworks.android.SQLite
16+
private import semmle.code.java.frameworks.Guice
17+
private import semmle.code.java.frameworks.Protobuf
18+
}
19+
20+
/**
21+
* A unit class for adding additional taint steps.
22+
*
23+
* Extend this class to add additional taint steps that should apply to all
24+
* taint configurations.
25+
*/
26+
class AdditionalTaintStep extends Unit {
27+
/**
28+
* Holds if the step from `node1` to `node2` should be considered a taint
29+
* step for all configurations.
30+
*/
31+
abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
32+
}
33+
34+
/**
35+
* A method that returns tainted data when one of its inputs (an argument or the qualifier) is tainted.
936
*
1037
* Extend this class to add additional taint steps through a method that should
1138
* apply to all taint configurations.

java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingFrameworks.qll

Lines changed: 0 additions & 12 deletions
This file was deleted.

java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll

Lines changed: 3 additions & 37 deletions
Original file line numberDiff line numberDiff line change
@@ -7,8 +7,9 @@ private import semmle.code.java.security.SecurityTests
77
private import semmle.code.java.security.Validation
88
private import semmle.code.java.Maps
99
private import semmle.code.java.dataflow.internal.ContainerFlow
10-
private import semmle.code.java.dataflow.FlowSteps
11-
private import semmle.code.java.dataflow.internal.TaintTrackingFrameworks
10+
private import semmle.code.java.frameworks.spring.SpringController
11+
private import semmle.code.java.frameworks.spring.SpringHttp
12+
import semmle.code.java.dataflow.FlowSteps
1213

1314
/**
1415
* Holds if taint can flow from `src` to `sink` in zero or more
@@ -50,20 +51,6 @@ predicate localAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
5051
)
5152
}
5253

53-
/**
54-
* A unit class for adding additional taint steps.
55-
*
56-
* Extend this class to add additional taint steps that should apply to all
57-
* taint configurations.
58-
*/
59-
class AdditionalTaintStep extends Unit {
60-
/**
61-
* Holds if the step from `node1` to `node2` should be considered a taint
62-
* step for all configurations.
63-
*/
64-
abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
65-
}
66-
6754
/**
6855
* Holds if the additional step from `src` to `sink` should be included in all
6956
* global taint flow configurations.
@@ -354,8 +341,6 @@ private predicate taintPreservingQualifierToMethod(Method m) {
354341
m.getDeclaringType().hasQualifiedName("javax.xml.transform.stream", "StreamSource") and
355342
m.hasName("getInputStream")
356343
or
357-
m instanceof IntentGetExtraMethod
358-
or
359344
m.getDeclaringType().hasQualifiedName("java.nio", "ByteBuffer") and
360345
m.hasName("get")
361346
or
@@ -365,10 +350,6 @@ private predicate taintPreservingQualifierToMethod(Method m) {
365350
m.getDeclaringType().hasQualifiedName("java.net", "URI") and
366351
m.hasName("toURL")
367352
or
368-
m = any(GuiceProvider gp).getAnOverridingGetMethod()
369-
or
370-
m = any(ProtobufMessageLite p).getAGetterMethod()
371-
or
372353
m instanceof GetterMethod and m.getDeclaringType() instanceof SpringUntrustedDataType
373354
or
374355
m.getDeclaringType() instanceof SpringHttpEntity and
@@ -525,25 +506,10 @@ private predicate taintPreservingArgumentToMethod(Method method, int arg) {
525506
method.hasName("sourceToInputSource") and
526507
arg = 0
527508
or
528-
exists(ProtobufParser p | method = p.getAParseFromMethod()) and
529-
arg = 0
530-
or
531-
exists(ProtobufMessageLite m | method = m.getAParseFromMethod()) and
532-
arg = 0
533-
or
534509
method.getDeclaringType().hasQualifiedName("java.io", "StringWriter") and
535510
method.hasName("append") and
536511
arg = 0
537512
or
538-
(
539-
method.getDeclaringType() instanceof AndroidContentProvider or
540-
method.getDeclaringType() instanceof AndroidContentResolver
541-
) and
542-
// Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder, CancellationSignal cancellationSignal)
543-
// Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder)
544-
method.hasName("query") and
545-
arg = 0
546-
or
547513
method.(TaintPreservingMethod).returnsTaint(arg)
548514
}
549515

java/ql/src/semmle/code/java/frameworks/Guice.qll

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@
33
*/
44

55
import java
6+
import semmle.code.java.dataflow.FlowSteps
67

78
/**
89
* A `@com.google.inject.servlet.RequestParameters` annotation.
@@ -33,3 +34,9 @@ class GuiceProvider extends Interface {
3334
exists(Method m | m.getSourceDeclaration() = getGetMethod() | result.overrides*(m))
3435
}
3536
}
37+
38+
private class OverridingGetMethod extends TaintPreservingMethod {
39+
OverridingGetMethod() { this = any(GuiceProvider gp).getAnOverridingGetMethod() }
40+
41+
override predicate returnsTaint(int arg) { arg = -1 }
42+
}

java/ql/src/semmle/code/java/frameworks/Protobuf.qll

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@
33
*/
44

55
import java
6+
import semmle.code.java.dataflow.FlowSteps
67

78
/**
89
* The interface `com.google.protobuf.Parser`.
@@ -54,3 +55,19 @@ class ProtobufMessageLite extends Interface {
5455
)
5556
}
5657
}
58+
59+
private class TaintPreservingGetterMethod extends TaintPreservingMethod {
60+
TaintPreservingGetterMethod() { this = any(ProtobufMessageLite p).getAGetterMethod() }
61+
62+
override predicate returnsTaint(int arg) { arg = -1 }
63+
}
64+
65+
private class TaintPreservingParseFromMethod extends TaintPreservingMethod {
66+
TaintPreservingParseFromMethod() {
67+
exists(ProtobufParser p | this = p.getAParseFromMethod())
68+
or
69+
exists(ProtobufMessageLite m | this = m.getAParseFromMethod())
70+
}
71+
72+
override predicate returnsTaint(int arg) { arg = 0 }
73+
}

java/ql/src/semmle/code/java/frameworks/android/Intent.qll

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,5 @@
11
import java
2+
import semmle.code.java.dataflow.FlowSteps
23

34
class TypeIntent extends Class {
45
TypeIntent() { hasQualifiedName("android.content", "Intent") }
@@ -33,9 +34,11 @@ class ContextStartActivityMethod extends Method {
3334
}
3435
}
3536

36-
class IntentGetExtraMethod extends Method {
37+
class IntentGetExtraMethod extends Method, TaintPreservingMethod {
3738
IntentGetExtraMethod() {
3839
(getName().regexpMatch("get\\w+Extra") or hasName("getExtras")) and
3940
getDeclaringType() instanceof TypeIntent
4041
}
42+
43+
override predicate returnsTaint(int arg) { arg = -1 }
4144
}

java/ql/src/semmle/code/java/frameworks/android/SQLite.qll

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -283,3 +283,17 @@ private class UnsafeAppendUtilMethod extends TaintPreservingMethod {
283283

284284
override predicate returnsTaint(int arg) { arg = [0 .. getNumberOfParameters()] }
285285
}
286+
287+
private class TaintPreservingQueryMethod extends TaintPreservingMethod {
288+
TaintPreservingQueryMethod() {
289+
(
290+
this.getDeclaringType() instanceof AndroidContentProvider or
291+
this.getDeclaringType() instanceof AndroidContentResolver
292+
) and
293+
// Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder, CancellationSignal cancellationSignal)
294+
// Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder)
295+
this.hasName("query")
296+
}
297+
298+
override predicate returnsTaint(int arg) { arg = 0 }
299+
}

0 commit comments

Comments
 (0)