Merge pull request #4042 from aschackmull/java/xsssink-extensible

codeql-ci · web-flow · commit 9d6b2e7684a4 · 2020-08-31T11:54:25.000+01:00
Approved by aibaars
diff --git a/java/ql/src/Security/CWE/CWE-079/XSS.ql b/java/ql/src/Security/CWE/CWE-079/XSS.ql
@@ -12,11 +12,10 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.dataflow.TaintTracking2
 import semmle.code.java.security.XSS
-import DataFlow2::PathGraph
+import DataFlow::PathGraph
 
-class XSSConfig extends TaintTracking2::Configuration {
+class XSSConfig extends TaintTracking::Configuration {
   XSSConfig() { this = "XSSConfig" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -28,7 +27,7 @@ class XSSConfig extends TaintTracking2::Configuration {
   }
 }
 
-from DataFlow2::PathNode source, DataFlow2::PathNode sink, XSSConfig conf
+from DataFlow::PathNode source, DataFlow::PathNode sink, XSSConfig conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
   source.getNode(), "user-provided value"
diff --git a/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql b/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
@@ -12,19 +12,18 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.dataflow.TaintTracking2
 import semmle.code.java.security.XSS
-import DataFlow2::PathGraph
+import DataFlow::PathGraph
 
-class XSSLocalConfig extends TaintTracking2::Configuration {
+class XSSLocalConfig extends TaintTracking::Configuration {
   XSSLocalConfig() { this = "XSSLocalConfig" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
 }
 
-from DataFlow2::PathNode source, DataFlow2::PathNode sink, XSSLocalConfig conf
+from DataFlow::PathNode source, DataFlow::PathNode sink, XSSLocalConfig conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
   source.getNode(), "user-provided value"
diff --git a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
@@ -14,7 +14,7 @@
 
 import java
 import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.TaintTracking2
+import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.XSS
 
 /**
@@ -84,7 +84,7 @@ predicate stackTraceExpr(Expr exception, MethodAccess stackTraceString) {
   )
 }
 
-class StackTraceStringToXssSinkFlowConfig extends TaintTracking2::Configuration {
+class StackTraceStringToXssSinkFlowConfig extends TaintTracking::Configuration {
   StackTraceStringToXssSinkFlowConfig() {
     this = "StackTraceExposure::StackTraceStringToXssSinkFlowConfig"
   }
@@ -124,7 +124,7 @@ class GetMessageFlowSource extends MethodAccess {
   }
 }
 
-class GetMessageFlowSourceToXssSinkFlowConfig extends TaintTracking2::Configuration {
+class GetMessageFlowSourceToXssSinkFlowConfig extends TaintTracking::Configuration {
   GetMessageFlowSourceToXssSinkFlowConfig() {
     this = "StackTraceExposure::GetMessageFlowSourceToXssSinkFlowConfig"
   }
diff --git a/java/ql/src/semmle/code/java/security/XSS.qll b/java/ql/src/semmle/code/java/security/XSS.qll
@@ -3,33 +3,36 @@ import semmle.code.java.frameworks.Servlets
 import semmle.code.java.frameworks.android.WebView
 import semmle.code.java.frameworks.spring.SpringController
 import semmle.code.java.frameworks.spring.SpringHttp
-import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.TaintTracking2
 
 /*
  * Definitions for XSS sinks
  */
 
-class XssSink extends DataFlow::ExprNode {
-  XssSink() {
+abstract class XssSink extends DataFlow::Node { }
+
+private class DefaultXssSink extends XssSink {
+  DefaultXssSink() {
     exists(HttpServletResponseSendErrorMethod m, MethodAccess ma |
       ma.getMethod() = m and
-      this.getExpr() = ma.getArgument(1)
+      this.asExpr() = ma.getArgument(1)
     )
     or
     exists(ServletWriterSourceToWritingMethodFlowConfig writer, MethodAccess ma |
       ma.getMethod() instanceof WritingMethod and
       writer.hasFlowToExpr(ma.getQualifier()) and
-      this.getExpr() = ma.getArgument(_)
+      this.asExpr() = ma.getArgument(_)
     )
     or
     exists(Method m |
       m.getDeclaringType() instanceof TypeWebView and
       (
-        m.getAReference().getArgument(0) = this.getExpr() and m.getName() = "loadData"
+        m.getAReference().getArgument(0) = this.asExpr() and m.getName() = "loadData"
         or
-        m.getAReference().getArgument(0) = this.getExpr() and m.getName() = "loadUrl"
+        m.getAReference().getArgument(0) = this.asExpr() and m.getName() = "loadUrl"
         or
-        m.getAReference().getArgument(1) = this.getExpr() and m.getName() = "loadDataWithBaseURL"
+        m.getAReference().getArgument(1) = this.asExpr() and m.getName() = "loadDataWithBaseURL"
       )
     )
     or
@@ -77,7 +80,7 @@ class XssSink extends DataFlow::ExprNode {
   }
 }
 
-class ServletWriterSourceToWritingMethodFlowConfig extends TaintTracking::Configuration {
+private class ServletWriterSourceToWritingMethodFlowConfig extends TaintTracking2::Configuration {
   ServletWriterSourceToWritingMethodFlowConfig() {
     this = "XSS::ServletWriterSourceToWritingMethodFlowConfig"
   }
@@ -91,7 +94,7 @@ class ServletWriterSourceToWritingMethodFlowConfig extends TaintTracking::Config
   }
 }
 
-class WritingMethod extends Method {
+private class WritingMethod extends Method {
   WritingMethod() {
     getDeclaringType().getASupertype*().hasQualifiedName("java.io", _) and
     (

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@`
`14`	`14`
`15`	`15`	`import java`
`16`	`16`	`import semmle.code.java.dataflow.DataFlow`
`17`		`-import semmle.code.java.dataflow.TaintTracking2`
	`17`	`+import semmle.code.java.dataflow.TaintTracking`
`18`	`18`	`import semmle.code.java.security.XSS`
`19`	`19`
`20`	`20`	`/**`
`@@ -84,7 +84,7 @@ predicate stackTraceExpr(Expr exception, MethodAccess stackTraceString) {`
`84`	`84`	`)`
`85`	`85`	`}`
`86`	`86`
`87`		`-class StackTraceStringToXssSinkFlowConfig extends TaintTracking2::Configuration {`
	`87`	`+class StackTraceStringToXssSinkFlowConfig extends TaintTracking::Configuration {`
`88`	`88`	`StackTraceStringToXssSinkFlowConfig() {`
`89`	`89`	`this = "StackTraceExposure::StackTraceStringToXssSinkFlowConfig"`
`90`	`90`	`}`
`@@ -124,7 +124,7 @@ class GetMessageFlowSource extends MethodAccess {`
`124`	`124`	`}`
`125`	`125`	`}`
`126`	`126`
`127`		`-class GetMessageFlowSourceToXssSinkFlowConfig extends TaintTracking2::Configuration {`
	`127`	`+class GetMessageFlowSourceToXssSinkFlowConfig extends TaintTracking::Configuration {`
`128`	`128`	`GetMessageFlowSourceToXssSinkFlowConfig() {`
`129`	`129`	`this = "StackTraceExposure::GetMessageFlowSourceToXssSinkFlowConfig"`
`130`	`130`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3,33 +3,36 @@ import semmle.code.java.frameworks.Servlets`
`3`	`3`	`import semmle.code.java.frameworks.android.WebView`
`4`	`4`	`import semmle.code.java.frameworks.spring.SpringController`
`5`	`5`	`import semmle.code.java.frameworks.spring.SpringHttp`
`6`		`-import semmle.code.java.dataflow.TaintTracking`
	`6`	`+import semmle.code.java.dataflow.DataFlow`
	`7`	`+import semmle.code.java.dataflow.TaintTracking2`
`7`	`8`
`8`	`9`	`/*`
`9`	`10`	`* Definitions for XSS sinks`
`10`	`11`	`*/`
`11`	`12`
`12`		`-class XssSink extends DataFlow::ExprNode {`
`13`		`- XssSink() {`
	`13`	`+abstract class XssSink extends DataFlow::Node { }`
	`14`	`+`
	`15`	`+private class DefaultXssSink extends XssSink {`
	`16`	`+ DefaultXssSink() {`
`14`	`17`	`exists(HttpServletResponseSendErrorMethod m, MethodAccess ma \|`
`15`	`18`	`ma.getMethod() = m and`
`16`		`- this.getExpr() = ma.getArgument(1)`
	`19`	`+ this.asExpr() = ma.getArgument(1)`
`17`	`20`	`)`
`18`	`21`	`or`
`19`	`22`	`exists(ServletWriterSourceToWritingMethodFlowConfig writer, MethodAccess ma \|`
`20`	`23`	`ma.getMethod() instanceof WritingMethod and`
`21`	`24`	`writer.hasFlowToExpr(ma.getQualifier()) and`
`22`		`- this.getExpr() = ma.getArgument(_)`
	`25`	`+ this.asExpr() = ma.getArgument(_)`
`23`	`26`	`)`
`24`	`27`	`or`
`25`	`28`	`exists(Method m \|`
`26`	`29`	`m.getDeclaringType() instanceof TypeWebView and`
`27`	`30`	`(`
`28`		`- m.getAReference().getArgument(0) = this.getExpr() and m.getName() = "loadData"`
	`31`	`+ m.getAReference().getArgument(0) = this.asExpr() and m.getName() = "loadData"`
`29`	`32`	`or`
`30`		`- m.getAReference().getArgument(0) = this.getExpr() and m.getName() = "loadUrl"`
	`33`	`+ m.getAReference().getArgument(0) = this.asExpr() and m.getName() = "loadUrl"`
`31`	`34`	`or`
`32`		`- m.getAReference().getArgument(1) = this.getExpr() and m.getName() = "loadDataWithBaseURL"`
	`35`	`+ m.getAReference().getArgument(1) = this.asExpr() and m.getName() = "loadDataWithBaseURL"`
`33`	`36`	`)`
`34`	`37`	`)`
`35`	`38`	`or`
`@@ -77,7 +80,7 @@ class XssSink extends DataFlow::ExprNode {`
`77`	`80`	`}`
`78`	`81`	`}`
`79`	`82`
`80`		`-class ServletWriterSourceToWritingMethodFlowConfig extends TaintTracking::Configuration {`
	`83`	`+private class ServletWriterSourceToWritingMethodFlowConfig extends TaintTracking2::Configuration {`
`81`	`84`	`ServletWriterSourceToWritingMethodFlowConfig() {`
`82`	`85`	`this = "XSS::ServletWriterSourceToWritingMethodFlowConfig"`
`83`	`86`	`}`
`@@ -91,7 +94,7 @@ class ServletWriterSourceToWritingMethodFlowConfig extends TaintTracking::Config`
`91`	`94`	`}`
`92`	`95`	`}`
`93`	`96`
`94`		`-class WritingMethod extends Method {`
	`97`	`+private class WritingMethod extends Method {`
`95`	`98`	`WritingMethod() {`
`96`	`99`	`getDeclaringType().getASupertype*().hasQualifiedName("java.io", _) and`
`97`	`100`	`(`