docs: add rst versions of java slide decks and improve a few c++ slides

Author: james

docs/language/ql-training-rst/_static-training/java-data-flow-code-example.svg

@@ -744,11 +744,7 @@ table tr:nth-child(odd) {
 table th {
   color: white;
   font-size: 1em;
-  background: url('data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4gPHN2ZyB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PGRlZnM+PGxpbmVhckdyYWRpZW50IGlkPSJncmFkIiBncmFkaWVudFVuaXRzPSJvYmplY3RCb3VuZGluZ0JveCIgeDE9IjAuNSIgeTE9IjAuMCIgeDI9IjAuNSIgeTI9IjEuMCI+PHN0b3Agb2Zmc2V0PSI0MCUiIHN0b3AtY29sb3I9IiM0Mzg3ZmQiLz48c3RvcCBvZmZzZXQ9IjgwJSIgc3RvcC1jb2xvcj0iIzJhN2NkZiIvPjwvbGluZWFyR3JhZGllbnQ+PC9kZWZzPjxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSIxMDAlIiBoZWlnaHQ9IjEwMCUiIGZpbGw9InVybCgjZ3JhZCkiIC8+PC9zdmc+IA==') no-repeat;
-  background: -webkit-gradient(linear, 50% 0%, 50% 100%, color-stop(40%, #4387fd), color-stop(80%, #2a7cdf)) no-repeat;
-  background: -moz-linear-gradient(top, #4387fd 40%, #2a7cdf 80%) no-repeat;
-  background: -webkit-linear-gradient(top, #4387fd 40%, #2a7cdf 80%) no-repeat;
-  background: linear-gradient(to bottom, #4387fd 40%, #2a7cdf 80%) no-repeat;
+  background: grey;
 }
 /* line 494, ../scss/default.scss */
 table td, table th {
@@ -758,17 +754,16 @@ table td, table th {
 /* line 499, ../scss/default.scss */
 table td.highlight {
   color: #515151;
-  background: url('data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4gPHN2ZyB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PGRlZnM+PGxpbmVhckdyYWRpZW50IGlkPSJncmFkIiBncmFkaWVudFVuaXRzPSJvYmplY3RCb3VuZGluZ0JveCIgeDE9IjAuNSIgeTE9IjAuMCIgeDI9IjAuNSIgeTI9IjEuMCI+PHN0b3Agb2Zmc2V0PSI0MCUiIHN0b3AtY29sb3I9IiNmZmQxNGQiLz48c3RvcCBvZmZzZXQ9IjgwJSIgc3RvcC1jb2xvcj0iI2Y2YzAwMCIvPjwvbGluZWFyR3JhZGllbnQ+PC9kZWZzPjxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSIxMDAlIiBoZWlnaHQ9IjEwMCUiIGZpbGw9InVybCgjZ3JhZCkiIC8+PC9zdmc+IA==') no-repeat;
-  background: -webkit-gradient(linear, 50% 0%, 50% 100%, color-stop(40%, #ffd14d), color-stop(80%, #f6c000)) no-repeat;
-  background: -moz-linear-gradient(top, #ffd14d 40%, #f6c000 80%) no-repeat;
-  background: -webkit-linear-gradient(top, #ffd14d 40%, #f6c000 80%) no-repeat;
-  background: linear-gradient(to bottom, #ffd14d 40%, #f6c000 80%) no-repeat;
+  background: grey;
 }
 /* line 504, ../scss/default.scss */
 table.rows {
   border-bottom: none;
   border-right: 1px solid #797979;
 }
+table td {
+  background: white;
+}
 
 /* line 510, ../scss/default.scss */
 q {
@@ -1469,6 +1464,15 @@ hgroup .pre {
   color: white;
 }
 
+.subheading {
+  position: absolute;
+  top: 62.5%;
+}
+
+.subheading p {
+  position: relative;
+}
+
 /* purple background slides (new section)*/
 
 .background2 {  
@@ -1593,7 +1597,7 @@ p.first.admonition-title {
   width: inherit;
 }
 
-/* images */
+/********* images ************/
 /* general styles to scale and centre images*/
 
 .image-box {
@@ -1606,7 +1610,7 @@ img {
   margin: auto;
 }
 
-/* deck-specific styles for individual images*/
+/********* deck-specific styles for individual images *********/
 /* intro to ql */
 img.analysis {
   width: 90%;
@@ -1619,6 +1623,26 @@ img.analysis {
   right: -10%;
 }
 
+.java-expression-ast {
+  background-image: url("../../java-expression-ast.svg");
+  background-size: cover;
+}
+
+/* java data flow code example */
+
+.java-data-flow-code-example {
+  background-image: url("../../java-data-flow-code-example.svg");
+  background-size: cover;
+}
+
+/* extra global data flow slies*/
+
+.mismatched-calls-and-returns {
+  background-image: url("../../mismatched-calls-and-returns.svg");
+  background-size: cover;
+}
+
+/******* Other custom styles *******/
 /* custom styles for lists*/
 
 ol {

docs/language/ql-training-rst/_static-training/java-expression-ast.svg

@@ -343,4 +343,4 @@ Beyond local data flow
 - Results are still underwhelming.
 - Dealing with parameter passing becomes cumbersome.
 - Instead, let’s turn the problem around and find user-controlled data that flows into a ``printf`` format argument, potentially through calls.
-- This needs :doc:`global data flow <global-data-flow-cpp>`.
+- This needs :doc:`global data flow <global-data-flow-cpp>`.

docs/language/ql-training-rst/_static-training/mismatched-calls-and-returns.svg

@@ -252,86 +252,4 @@ Data flow models
 Extra slides
 ============
 
-Exercise: How not to do global data flow
-========================================
-
-Implement a ``flowStep`` predicate extending ``localFlowStep`` with steps through function calls and returns. Why might we not want to use this?
-
-.. code-block:: ql
-
-   predicate stepIn(Call c, DataFlow::Node arg, DataFlow::ParameterNode parm) {
-     exists(int i | arg.asExpr() = c.getArgument(i) |
-       parm.asParameter() = c.getTarget().getParameter(i))
-   }
-   
-   predicate stepOut(Call c, DataFlow::Node ret, DataFlow::Node res) {
-     exists(ReturnStmt retStmt | retStmt.getEnclosingFunction() = c.getTarget() |
-       ret.asExpr() = retStmt.getExpr() and res.asExpr() = c)
-   }
-   
-   predicate flowStep(DataFlow::Node pred, DataFlow::Node succ) {
-     DataFlow::localFlowStep(pred, succ) or
-     stepIn(_, pred, succ) or
-     stepOut(_, pred, succ)
-   }
-
-Mismatched calls and returns
-============================
-
-.. container:: column-left
-
-   .. code-block:: ql
-
-      char *logFormat(char *fmt) {
-        log("Observed format string %s.", fmt);
-        return fmt;
-      }
-      
-      ...
-      char *dangerousFmt = unvalidatedUserData();
-      printf(logFormat(dangerousFmt), args);
-      ...
-      char *safeFmt = "Hello %s!";
-      printf(logFormat(safeFmt), name);
-
-.. container:: column-right
-
-  Infeasible path due to mismatched call/return pair!
-
-Balancing calls and returns
-===========================
-
-- If we simply take ``flowStep*``, we might mismatch calls and returns, causing imprecision, which in turn may cause false positives.
-
-- Instead, make sure that matching ``stepIn``/``stepOut`` pairs talk about the same call site:
-
-  .. code-block:: ql
-  
-     predicate balancedPath(DataFlow::Node src, DataFlow::Node snk) {
-       src = snk or DataFlow::localFlowStep(src, snk) or
-       exists(DataFlow::Node m | balancedPath(src, m) | balancedPath(m, snk)) or
-       exists(Call c, DataFlow::Node parm, DataFlow::Node ret |
-         stepIn(c, src, parm) and
-         balancedPath(parm, ret) and
-         stepOut(c, ret, snk)
-       )
-     }
-  
-Summary-based global data flow
-==============================
-
-- To avoid traversing the same paths many times, we compute *function summaries* that record if a function parameter flows into a return value:
-
-  .. code-block:: ql
-  
-     predicate returnsParameter(Function f, int i) {
-       exists (Parameter p, ReturnStmt retStmt, Expr ret |
-         p = f.getParameter(i) and
-         retStmt.getEnclosingFunction() = f and
-         ret = retStmt.getExpr() and
-         balancedPath(DataFlow::parameterNode(p), DataFlow::exprNode(ret))
-       )
-     }
-
-- Use this predicate in balancedPath instead of ``stepIn``/``stepOut`` pairs.
-
+.. include:: ../slide-snippets/global-data-flow-extra-slides.rst

docs/language/ql-training-rst/_static-training/slides-semmle-2/static/theme/css/default.css

@@ -10,17 +10,4 @@ QL training and variant analysis examples
    :maxdepth: 1
    :hidden:
 
-   ./cpp/intro-ql-cpp
-   ./cpp/bad-overflow-guard
-   ./cpp/program-representation-cpp
-   ./cpp/data-flow-cpp
-   ./cpp/snprintf
-   ./cpp/global-data-flow-cpp
-   ./cpp/control-flow-cpp
-   
-.. toctree::
-   :glob:
-   :maxdepth: 1
-   :hidden:
-
-   ./java/intro-ql-java
+   ./**/*

docs/language/ql-training-rst/cpp/data-flow-cpp.rst

@@ -0,0 +1,136 @@
+=======================
+Exercise: Apache Struts
+=======================
+
+.. container:: subheading
+
+   Unsafe deserialization leading to an RCE
+
+   CVE-2017-9805
+
+.. container:: semmle-logo
+
+   Semmle :sup:`TM`
+
+.. rst-class:: setup
+
+Setup
+=====
+
+For this example you should download:
+
+- `QL for Eclipse <https://help.semmle.com/ql-for-eclipse/Content/WebHelp/install-plugin-free.html>`__
+- `Apache Struts snapshot <https://downloads.lgtm.com/snapshots/java/apache/struts/apache-struts-7fd1622-CVE-2018-11776.zip>`__
+
+.. note::
+
+   For this example, we will be analyzing `Apache Struts <https://github.com/apache/struts>`__.
+
+   You can also query the project in `the query console <https://lgtm.com/query/project:1878521151/lang:java/>`__ on LGTM.com.
+
+   Note that results generated in the query console are likely to differ to those generated in the QL plugin as LGTM.com analyzes the most recent revisions of each project that has been added–the snapshot available to download above is based on an historical version of the code base.
+
+Unsafe deserialization in Struts
+================================
+
+Apache Struts provides a ContentTypeHandler interface, which can be implemented for specific content types. It defines the following interface method:
+
+.. code-block:: java
+
+  void toObject(Reader in, Object target);
+
+
+which is intended to populate the “target” object with data from the reader, usually through deserialization. However, the in parameter should be considered untrusted, and should not be deserialized without sanitization.
+
+RCE in Apache Struts
+====================
+
+- Vulnerable code looked like this (`original <https://lgtm.com/projects/g/apache/struts/snapshot/b434c23f95e0f9d5bde789bfa07f8fc1d5a8951d/files/plugins/rest/src/main/java/org/apache/struts2/rest/handler/XStreamHandler.java?sort=name&dir=ASC&mode=heatmap#L45>`__):
+
+.. code-block:: java
+
+   public void toObject(Reader in, Object target) {
+     XStream xstream = createXStream();
+     xstream.fromXML(in, target);
+   }
+
+- Xstream allows deserialization of **dynamic proxies**, which permit remote code execution.
+
+- Disclosed as `CVE-2017-9805 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805>`__
+
+- Blog post: https://lgtm.com/blog/apache_struts_CVE-2017-9805
+
+Finding the RCE yourself
+========================
+
+#. Create a QL class to find the interface ``org.apache.struts2.rest.handler.ContentTypeHandler``
+
+   **Hint**: Use predicate ``hasQualifiedName(...)``
+
+#. Identify methods called ``toObject``, which are defined on direct subtypes of ``ContentTypeHandler``
+
+   **Hint**: Use ``Method.getDeclaringType()`` and ``Type.getASupertype()``
+
+#. Implement a ``DataFlow::Configuration``, defining the source as the first parameter of a ``toObject`` method, and the sink as an instance of ``UnsafeDeserializationSink``.
+
+   **Hint**: Use ``Node::asParameter()``
+
+#. Construct the query as a path-problem query, and verify you find one result.
+
+Model answer, step 1
+====================
+
+.. code-block:: ql
+
+  import java
+
+  /** The interface `org.apache.struts2.rest.handler.ContentTypeHandler`. */
+  class ContentTypeHandler extends RefType {
+    ContentTypeHandler() {
+      this.hasQualifiedName("org.apache.struts2.rest.handler", "ContentTypeHandler")
+    }
+  }
+
+Model answer, step 2
+====================
+
+.. code-block:: ql
+
+   /** A `toObject` method on a subtype of `org.apache.struts2.rest.handler.ContentTypeHandler`. */
+   class ContentTypeHandlerDeserialization extends Method {
+     ContentTypeHandlerDeserialization() {
+       this.getDeclaringType().getASupertype() instanceof ContentTypeHandler and
+       this.hasName("toObject")
+
+Model answer, step 3
+====================
+
+.. code-block:: ql
+
+   import UnsafeDeserialization
+   import semmle.code.java.dataflow.DataFlow::DataFlow
+   /**
+    * Configuration that tracks the flow of taint from the first parameter of
+    * `ContentTypeHandler.toObject` to an instance of unsafe deserialization.
+    */
+   class StrutsUnsafeDeserializationConfig extends Configuration {
+     StrutsUnsafeDeserializationConfig() { this = "StrutsUnsafeDeserializationConfig" }
+     override predicate isSource(Node source) {
+       source.asParameter() = any(ContentTypeHandlerDeserialization des).getParameter(0)
+     }
+     override predicate isSink(Node sink) { sink instanceof UnsafeDeserializationSink }
+   }
+
+Model answer, step 4
+====================
+
+.. code-block:: ql
+
+   import PathGraph
+   ...
+   from PathNode source, PathNode sink, StrutsUnsafeDeserializationConfig conf
+   where conf.hasFlowPath(source, sink)
+     and sink.getNode() instanceof UnsafeDeserializationSink
+   select sink.getNode().(UnsafeDeserializationSink).getMethodAccess(), source, sink, "Unsafe    deserialization of $@.", source, "user input"
+
+More full-featured version: https://github.com/Semmle/demos/tree/master/ql_demos/java/Apache_Struts_CVE-2017-9805