Refactor to use CSV sink models

atorralba · atorralba · commit d8bb5273e71e · 2021-09-27T11:57:58.000+02:00
diff --git a/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql b/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql
@@ -12,9 +12,28 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import XsltInjectionLib
+import semmle.code.java.security.XsltInjection
 import DataFlow::PathGraph
 
+/**
+ * A taint-tracking configuration for unvalidated user input that is used in XSLT transformation.
+ */
+class XsltInjectionFlowConfig extends TaintTracking::Configuration {
+  XsltInjectionFlowConfig() { this = "XsltInjectionFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof XsltInjectionSink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(XsltInjectionAdditionalTaintStep c).step(node1, node2)
+  }
+}
+
 from DataFlow::PathNode source, DataFlow::PathNode sink, XsltInjectionFlowConfig conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "XSLT transformation might include stylesheet from $@.",
diff --git a/java/ql/src/semmle/code/java/security/XsltInjection.qll b/java/ql/src/semmle/code/java/security/XsltInjection.qll
@@ -1,23 +1,51 @@
+/** Provides classes to reason about XSLT injection vulnerabilities. */
+
 import java
-import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.security.XmlParsers
-import DataFlow
+import semmle.code.java.dataflow.DataFlow
 
 /**
- * A taint-tracking configuration for unvalidated user input that is used in XSLT transformation.
+ * A data flow sink for unvalidated user input that is used in XSLT transformation.
+ * Extend this class to add your own XSLT Injection sinks.
  */
-class XsltInjectionFlowConfig extends TaintTracking::Configuration {
-  XsltInjectionFlowConfig() { this = "XsltInjectionFlowConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+abstract class XsltInjectionSink extends DataFlow::Node { }
+
+private class DefaultXsltInjectionSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.xml.transform;Transformer;false;transform;;;Argument[-1];xslt",
+        "net.sf.saxon.s9api;XsltTransformer;false;transform;;;Argument[-1];xslt",
+        "net.sf.saxon.s9api;Xslt30Transformer;false;transform;;;Argument[-1];xslt",
+        "net.sf.saxon.s9api;Xslt30Transformer;false;applyTemplates;;;Argument[-1];xslt",
+        "net.sf.saxon.s9api;Xslt30Transformer;false;callFunction;;;Argument[-1];xslt",
+        "net.sf.saxon.s9api;Xslt30Transformer;false;callTemplate;;;Argument[-1];xslt"
+      ]
+  }
+}
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof XsltInjectionSink }
+/** A default sink representing methods susceptible to XSLT Injection attacks. */
+private class DefaultXsltInjectionSink extends XsltInjectionSink {
+  DefaultXsltInjectionSink() { sinkNode(this, "xslt") }
+}
 
-  override predicate isSanitizer(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
+/**
+ * A unit class for adding additional taint steps.
+ *
+ * Extend this class to add additional taint steps that should apply to the `XsltInjectionFlowConfig`.
+ */
+class XsltInjectionAdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step for the `XsltInjectionFlowConfig` configuration.
+   */
+  abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
+}
 
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+/** A set of additional taint steps to consider when taint tracking XSLT related data flows. */
+private class DefaultXsltInjectionAdditionalTaintStep extends XsltInjectionAdditionalTaintStep {
+  override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
     xmlStreamReaderStep(node1, node2) or
     xmlEventReaderStep(node1, node2) or
     staxSourceStep(node1, node2) or
@@ -31,95 +59,11 @@ class XsltInjectionFlowConfig extends TaintTracking::Configuration {
   }
 }
 
-/** The class `javax.xml.transform.stax.StAXSource`. */
-class TypeStAXSource extends Class {
-  TypeStAXSource() { this.hasQualifiedName("javax.xml.transform.stax", "StAXSource") }
-}
-
-/** The class `javax.xml.transform.dom.DOMSource`. */
-class TypeDOMSource extends Class {
-  TypeDOMSource() { this.hasQualifiedName("javax.xml.transform.dom", "DOMSource") }
-}
-
-/** The interface `javax.xml.transform.Templates`. */
-class TypeTemplates extends Interface {
-  TypeTemplates() { this.hasQualifiedName("javax.xml.transform", "Templates") }
-}
-
-/** The method `net.sf.saxon.s9api.XsltTransformer.transform`. */
-class XsltTransformerTransformMethod extends Method {
-  XsltTransformerTransformMethod() {
-    this.getDeclaringType().hasQualifiedName("net.sf.saxon.s9api", "XsltTransformer") and
-    this.hasName("transform")
-  }
-}
-
-/** The method `net.sf.saxon.s9api.Xslt30Transformer.transform`. */
-class Xslt30TransformerTransformMethod extends Method {
-  Xslt30TransformerTransformMethod() {
-    this.getDeclaringType().hasQualifiedName("net.sf.saxon.s9api", "Xslt30Transformer") and
-    this.hasName("transform")
-  }
-}
-
-/** The method `net.sf.saxon.s9api.Xslt30Transformer.applyTemplates`. */
-class Xslt30TransformerApplyTemplatesMethod extends Method {
-  Xslt30TransformerApplyTemplatesMethod() {
-    this.getDeclaringType().hasQualifiedName("net.sf.saxon.s9api", "Xslt30Transformer") and
-    this.hasName("applyTemplates")
-  }
-}
-
-/** The method `net.sf.saxon.s9api.Xslt30Transformer.callFunction`. */
-class Xslt30TransformerCallFunctionMethod extends Method {
-  Xslt30TransformerCallFunctionMethod() {
-    this.getDeclaringType().hasQualifiedName("net.sf.saxon.s9api", "Xslt30Transformer") and
-    this.hasName("callFunction")
-  }
-}
-
-/** The method `net.sf.saxon.s9api.Xslt30Transformer.callTemplate`. */
-class Xslt30TransformerCallTemplateMethod extends Method {
-  Xslt30TransformerCallTemplateMethod() {
-    this.getDeclaringType().hasQualifiedName("net.sf.saxon.s9api", "Xslt30Transformer") and
-    this.hasName("callTemplate")
-  }
-}
-
-/** The class `net.sf.saxon.s9api.XsltCompiler`. */
-class TypeXsltCompiler extends Class {
-  TypeXsltCompiler() { this.hasQualifiedName("net.sf.saxon.s9api", "XsltCompiler") }
-}
-
-/** The class `net.sf.saxon.s9api.XsltExecutable`. */
-class TypeXsltExecutable extends Class {
-  TypeXsltExecutable() { this.hasQualifiedName("net.sf.saxon.s9api", "XsltExecutable") }
-}
-
-/** The class `net.sf.saxon.s9api.XsltPackage`. */
-class TypeXsltPackage extends Class {
-  TypeXsltPackage() { this.hasQualifiedName("net.sf.saxon.s9api", "XsltPackage") }
-}
-
-/** A data flow sink for unvalidated user input that is used in XSLT transformation. */
-class XsltInjectionSink extends DataFlow::ExprNode {
-  XsltInjectionSink() {
-    exists(MethodAccess ma, Method m | m = ma.getMethod() and ma.getQualifier() = this.getExpr() |
-      ma instanceof TransformerTransform or
-      m instanceof XsltTransformerTransformMethod or
-      m instanceof Xslt30TransformerTransformMethod or
-      m instanceof Xslt30TransformerApplyTemplatesMethod or
-      m instanceof Xslt30TransformerCallFunctionMethod or
-      m instanceof Xslt30TransformerCallTemplateMethod
-    )
-  }
-}
-
 /**
  * Holds if `n1` to `n2` is a dataflow step that converts between `InputStream` or `Reader` and
  * `XMLStreamReader`, i.e. `XMLInputFactory.createXMLStreamReader(tainted)`.
  */
-predicate xmlStreamReaderStep(ExprNode n1, ExprNode n2) {
+private predicate xmlStreamReaderStep(DataFlow::Node n1, DataFlow::Node n2) {
   exists(XmlInputFactoryStreamReader xmlStreamReader |
     n1.asExpr() = xmlStreamReader.getSink() and
     n2.asExpr() = xmlStreamReader
@@ -130,7 +74,7 @@ predicate xmlStreamReaderStep(ExprNode n1, ExprNode n2) {
  * Holds if `n1` to `n2` is a dataflow step that converts between `InputStream` or `Reader` and
  * `XMLEventReader`, i.e. `XMLInputFactory.createXMLEventReader(tainted)`.
  */
-predicate xmlEventReaderStep(ExprNode n1, ExprNode n2) {
+private predicate xmlEventReaderStep(DataFlow::Node n1, DataFlow::Node n2) {
   exists(XmlInputFactoryEventReader xmlEventReader |
     n1.asExpr() = xmlEventReader.getSink() and
     n2.asExpr() = xmlEventReader
@@ -141,7 +85,7 @@ predicate xmlEventReaderStep(ExprNode n1, ExprNode n2) {
  * Holds if `n1` to `n2` is a dataflow step that converts between `XMLStreamReader` or
  * `XMLEventReader` and `StAXSource`, i.e. `new StAXSource(tainted)`.
  */
-predicate staxSourceStep(ExprNode n1, ExprNode n2) {
+private predicate staxSourceStep(DataFlow::Node n1, DataFlow::Node n2) {
   exists(ConstructorCall cc | cc.getConstructedType() instanceof TypeStAXSource |
     n1.asExpr() = cc.getAnArgument() and
     n2.asExpr() = cc
@@ -152,7 +96,7 @@ predicate staxSourceStep(ExprNode n1, ExprNode n2) {
  * Holds if `n1` to `n2` is a dataflow step that converts between `InputStream` and `Document`,
  * i.e. `DocumentBuilder.parse(tainted)`.
  */
-predicate documentBuilderStep(ExprNode n1, ExprNode n2) {
+private predicate documentBuilderStep(DataFlow::Node n1, DataFlow::Node n2) {
   exists(DocumentBuilderParse documentBuilder |
     n1.asExpr() = documentBuilder.getSink() and
     n2.asExpr() = documentBuilder
@@ -163,13 +107,30 @@ predicate documentBuilderStep(ExprNode n1, ExprNode n2) {
  * Holds if `n1` to `n2` is a dataflow step that converts between `Document` and `DOMSource`, i.e.
  * `new DOMSource(tainted)`.
  */
-predicate domSourceStep(ExprNode n1, ExprNode n2) {
+private predicate domSourceStep(DataFlow::Node n1, DataFlow::Node n2) {
   exists(ConstructorCall cc | cc.getConstructedType() instanceof TypeDOMSource |
     n1.asExpr() = cc.getAnArgument() and
     n2.asExpr() = cc
   )
 }
 
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between `Source` and `Transformer` or
+ * `Templates`, i.e. `TransformerFactory.newTransformer(tainted)` or
+ * `TransformerFactory.newTemplates(tainted)`.
+ */
+private predicate newTransformerOrTemplatesStep(DataFlow::Node n1, DataFlow::Node n2) {
+  exists(MethodAccess ma, Method m | ma.getMethod() = m |
+    n1.asExpr() = ma.getAnArgument() and
+    n2.asExpr() = ma and
+    m.getDeclaringType() instanceof TransformerFactory and
+    m.hasName(["newTransformer", "newTemplates"]) and
+    not exists(TransformerFactoryWithSecureProcessingFeatureFlowConfig conf |
+      conf.hasFlowToExpr(ma.getQualifier())
+    )
+  )
+}
+
 /**
  * A data flow configuration for secure processing feature that is enabled on `TransformerFactory`.
  */
@@ -207,31 +168,11 @@ private class TransformerFactoryFeatureConfig extends ParserConfig {
   }
 }
 
-/**
- * Holds if `n1` to `n2` is a dataflow step that converts between `Source` and `Transformer` or
- * `Templates`, i.e. `TransformerFactory.newTransformer(tainted)` or
- * `TransformerFactory.newTemplates(tainted)`.
- */
-predicate newTransformerOrTemplatesStep(ExprNode n1, ExprNode n2) {
-  exists(MethodAccess ma, Method m | ma.getMethod() = m |
-    n1.asExpr() = ma.getAnArgument() and
-    n2.asExpr() = ma and
-    (
-      m.getDeclaringType() instanceof TransformerFactory and m.hasName("newTransformer")
-      or
-      m.getDeclaringType() instanceof TransformerFactory and m.hasName("newTemplates")
-    ) and
-    not exists(TransformerFactoryWithSecureProcessingFeatureFlowConfig conf |
-      conf.hasFlowToExpr(ma.getQualifier())
-    )
-  )
-}
-
 /**
  * Holds if `n1` to `n2` is a dataflow step that converts between `Templates` and `Transformer`,
  * i.e. `tainted.newTransformer()`.
  */
-predicate newTransformerFromTemplatesStep(ExprNode n1, ExprNode n2) {
+private predicate newTransformerFromTemplatesStep(DataFlow::Node n1, DataFlow::Node n2) {
   exists(MethodAccess ma, Method m | ma.getMethod() = m |
     n1.asExpr() = ma.getQualifier() and
     n2.asExpr() = ma and
@@ -246,17 +187,12 @@ predicate newTransformerFromTemplatesStep(ExprNode n1, ExprNode n2) {
  * `XsltCompiler.loadExecutablePackage(tainted)` or `XsltCompiler.compilePackage(tainted)` or
  * `XsltCompiler.loadLibraryPackage(tainted)`.
  */
-predicate xsltCompilerStep(ExprNode n1, ExprNode n2) {
+private predicate xsltCompilerStep(DataFlow::Node n1, DataFlow::Node n2) {
   exists(MethodAccess ma, Method m | ma.getMethod() = m |
     n1.asExpr() = ma.getArgument(0) and
     n2.asExpr() = ma and
     m.getDeclaringType() instanceof TypeXsltCompiler and
-    (
-      m.hasName("compile") or
-      m.hasName("loadExecutablePackage") or
-      m.hasName("compilePackage") or
-      m.hasName("loadLibraryPackage")
-    )
+    m.hasName(["compile", "loadExecutablePackage", "compilePackage", "loadLibraryPackage"])
   )
 }
 
@@ -265,24 +201,54 @@ predicate xsltCompilerStep(ExprNode n1, ExprNode n2) {
  * `XsltTransformer` or `Xslt30Transformer`, i.e. `XsltExecutable.load()` or
  * `XsltExecutable.load30()`.
  */
-predicate xsltExecutableStep(ExprNode n1, ExprNode n2) {
+private predicate xsltExecutableStep(DataFlow::Node n1, DataFlow::Node n2) {
   exists(MethodAccess ma, Method m | ma.getMethod() = m |
     n1.asExpr() = ma.getQualifier() and
     n2.asExpr() = ma and
     m.getDeclaringType() instanceof TypeXsltExecutable and
-    (m.hasName("load") or m.hasName("load30"))
+    m.hasName(["load", "load30"])
   )
 }
 
 /**
  * Holds if `n1` to `n2` is a dataflow step that converts between `XsltPackage` and
  * `XsltExecutable`, i.e. `XsltPackage.link()`.
  */
-predicate xsltPackageStep(ExprNode n1, ExprNode n2) {
+private predicate xsltPackageStep(DataFlow::Node n1, DataFlow::Node n2) {
   exists(MethodAccess ma, Method m | ma.getMethod() = m |
     n1.asExpr() = ma.getQualifier() and
     n2.asExpr() = ma and
     m.getDeclaringType() instanceof TypeXsltPackage and
     m.hasName("link")
   )
 }
+
+/** The class `javax.xml.transform.stax.StAXSource`. */
+private class TypeStAXSource extends Class {
+  TypeStAXSource() { this.hasQualifiedName("javax.xml.transform.stax", "StAXSource") }
+}
+
+/** The class `javax.xml.transform.dom.DOMSource`. */
+private class TypeDOMSource extends Class {
+  TypeDOMSource() { this.hasQualifiedName("javax.xml.transform.dom", "DOMSource") }
+}
+
+/** The interface `javax.xml.transform.Templates`. */
+private class TypeTemplates extends Interface {
+  TypeTemplates() { this.hasQualifiedName("javax.xml.transform", "Templates") }
+}
+
+/** The class `net.sf.saxon.s9api.XsltCompiler`. */
+private class TypeXsltCompiler extends Class {
+  TypeXsltCompiler() { this.hasQualifiedName("net.sf.saxon.s9api", "XsltCompiler") }
+}
+
+/** The class `net.sf.saxon.s9api.XsltExecutable`. */
+private class TypeXsltExecutable extends Class {
+  TypeXsltExecutable() { this.hasQualifiedName("net.sf.saxon.s9api", "XsltExecutable") }
+}
+
+/** The class `net.sf.saxon.s9api.XsltPackage`. */
+private class TypeXsltPackage extends Class {
+  TypeXsltPackage() { this.hasQualifiedName("net.sf.saxon.s9api", "XsltPackage") }
+}
