
Commit fbee6bb

authored
Merge pull request #20077 from d10c/d10c/diff-informed-phase-3-java
Java: Diff-informed queries: phase 3 (non-trivial locations)
2 parents 937e3dc + 05df1d3 commit fbee6bb


53 files changed

+10491
-2071
lines changed


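--- a/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll
@@ -149,6 +149,8 @@ module SensitiveCommunicationConfig implements DataFlow::ConfigSig {
 predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
 isSink(node) and exists(c)
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**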
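Review bot: The new `observeDiffInformedIncrementalMode() { any() }` carries no comment naming the query that consumes SensitiveCommunicationConfig or stating that the flow is used positively, while the other opt-ins in this commit record both. An opt-in is only correct when every consumer reports the source or sink node itself (or overrides getASelectedSinkLocation) and never treats the absence of a flow as a finding, and neither condition can be checked from this hunk. I would write the opt-in as `any() // positive use only; the consuming query selects the sink node directly` once that has been confirmed against the `.ql`, so that a later change to the query's `select` has a comment to contradict. The enclosing module starts outside the hunk.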

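--- a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
@@ -13,6 +13,14 @@ module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) }
 
 predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+predicate observeDiffInformedIncrementalMode() {
+any() // merged with ArithmeticUnderflow in ArithmeticTainted.ql
+}
+
+Location getASelectedSinkLocation(DataFlow::Node sink) {
+exists(ArithExpr exp | result = exp.getLocation() | overflowSink(exp, sink.asExpr()))
+}
 }
 
 /**
@@ -29,6 +37,14 @@ module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }
 
 predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+predicate observeDiffInformedIncrementalMode() {
+any() // merged with ArithmeticOverflow in ArithmeticTainted.ql
+}
+
+Location getASelectedSinkLocation(DataFlow::Node sink) {
+exists(ArithExpr exp | result = exp.getLocation() | underflowSink(exp, sink.asExpr()))
+}
 }
 
 /**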
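Review bot: The two `getASelectedSinkLocation` bodies added here differ only in the `overflowSink`/`underflowSink` call, and the same two bodies are added again in ArithmeticUncontrolledQuery.qll, so the mapping from the sink operand to the reported `ArithExpr` is now kept in four places with nothing tying it to the `select` of ArithmeticTainted.ql. A drift between this mapping and the query's `select` does not fail; it silently drops alerts in diff-informed runs, which full-analysis tests will not catch. I would put one helper next to `overflowSink`/`underflowSink` (presumably in the shared arithmetic library, not visible here), e.g. `Location overflowSinkLocation(Expr sinkExpr) { exists(ArithExpr exp | overflowSink(exp, sinkExpr) | result = exp.getLocation()) }` plus its underflow twin, and have each config return `overflowSinkLocation(sink.asExpr())`. Both enclosing modules start outside their hunks.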

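--- a/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
@@ -19,6 +19,14 @@ module ArithmeticUncontrolledOverflowConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }
 
 predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) }
+
+predicate observeDiffInformedIncrementalMode() {
+any() // merged with ArithmeticUncontrolledUnderflow in ArithmeticUncontrolled.ql
+}
+
+Location getASelectedSinkLocation(DataFlow::Node sink) {
+exists(ArithExpr exp | result = exp.getLocation() | overflowSink(exp, sink.asExpr()))
+}
 }
 
 /** Taint-tracking flow to reason about overflow from arithmetic with uncontrolled values. */
@@ -32,6 +40,14 @@ module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
 
 predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }
+
+predicate observeDiffInformedIncrementalMode() {
+any() // merged with ArithmeticUncontrolledOverflow in ArithmeticUncontrolled.ql
+}
+
+Location getASelectedSinkLocation(DataFlow::Node sink) {
+exists(ArithExpr exp | result = exp.getLocation() | underflowSink(exp, sink.asExpr()))
+}
 }
 
 /** Taint-tracking flow to reason about underflow from arithmetic with uncontrolled values. */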
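Review bot: The `any()` opt-ins are explained, but the two `getASelectedSinkLocation` overrides are not: nothing says why the selected location is the enclosing `ArithExpr` rather than the operand that is the sink. I would add a QLDoc line above each, e.g. `/** ArithmeticUncontrolled.ql reports the arithmetic expression containing the sink operand, so that location must count as selected or diff-informed pruning drops the alert. */`, adjusting the wording if the query in fact selects something else. The sink predicates `overflowSink(_, sink.asExpr())` / `underflowSink(_, sink.asExpr())` and the new location predicates use the same relation, which is the invariant a reader should be told to preserve when either side changes. Both enclosing modules start outside their hunks.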

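--- a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll
@@ -47,6 +47,15 @@ module ConditionalBypassFlowConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
 endsWithStep(node1, node2)
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
+
+Location getASelectedSinkLocation(DataFlow::Node sink) {
+exists(MethodCall m, Expr e | result = [m, e].getLocation() |
+conditionControlsMethod(m, e) and
+sink.asExpr() = e
+)
+}
 }
 
 /**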
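Review bot: `result = [m, e].getLocation()` selects both the controlled call `m` and the condition `e`, and since `sink.asExpr() = e` the second is the sink's own location; whether that has to be listed explicitly depends on whether an override replaces or extends the framework's default sink mapping, which this hunk does not show. A one-line comment pins the intent either way, e.g. `// ConditionalBypass.ql reports both the controlled call and the condition; list both so neither is pruned in diff-informed mode`. Because one condition can control many calls the predicate is deliberately multi-valued, and saying so stops a later reader from "simplifying" it to a single location. The enclosing module starts outside the hunk.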

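--- a/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll
+++ b/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll
@@ -101,6 +101,10 @@ module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
 predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+predicate observeDiffInformedIncrementalMode() {
+any() // Simple use in UntrustedDataToExternalAPI.ql; also used through ExternalApiUsedWithUntrustedData in ExternalAPIsUsedWithUntrustedData.ql
+}
 }
 
 /**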
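Review bot: `any()` here is only sound if every consumer reports the individual source/sink pair, yet the comment itself says the config is also consumed through `ExternalApiUsedWithUntrustedData`; if that path aggregates flows per external API (for instance counting the sources that reach one API) rather than selecting each sink, diff-informed pruning changes what that query reports in incremental mode instead of merely restricting it to the diff. Either confirm that this consumer selects only locations the default sink mapping covers, or keep the aggregating consumer out of diff-informed mode by giving UntrustedDataToExternalAPI.ql a config of its own. The comment should then record which was established, e.g. `any() // both consumers report per sink node, so the default sink mapping covers them`, rather than only listing the consumers. The enclosing module starts outside the hunk.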

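--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll
@@ -17,6 +17,15 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) {
 any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
+
+Location getASelectedSinkLocation(DataFlow::Node sink) {
+exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess |
+result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and
+arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)
+)
+}
 }
 
 /**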
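Review bot: The `getASelectedSinkLocation` body added here is byte-for-byte the one added to ImproperValidationOfArrayConstructionQuery.qll in the same commit, and the two copies are the only record of which locations the array-construction queries report. Keeping the mapping in both configs means a change to one query's `select` can leave the other config silently pruning valid alerts in diff-informed runs. I would move it next to `canThrowOutOfBoundsDueToEmptyArray` (presumably where `CheckableArrayAccess` is defined, not visible here) as a predicate taking the expression passed as that predicate's first argument, and reduce each config to `result = arrayConstructionSelectedLocation(sink.asExpr())`. The enclosing module starts outside the hunk.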

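--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll
@@ -14,6 +14,15 @@ module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSi
 predicate isSink(DataFlow::Node sink) {
 any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
+
+Location getASelectedSinkLocation(DataFlow::Node sink) {
+exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess |
+result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and
+arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)
+)
+}
 }
 
 /**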
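Review bot: The new `getASelectedSinkLocation` yields two locations per sink, the `ArrayCreationExpr` and the index expression of the `CheckableArrayAccess`, but nothing explains why neither of them is the sink's own location even though `isSink` is defined on the same `canThrowOutOfBoundsDueToEmptyArray` relation. I would add a QLDoc comment above the predicate saying that ImproperValidationOfArrayConstruction.ql reports the array creation and the offending index rather than the sink expression, so both must count as selected locations or diff-informed runs drop the alert, hedged if the query in fact reports something else. It is also worth one word that the predicate is intentionally multi-valued, since a single-result rewrite would be a silent regression. The enclosing module starts outside the hunk.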

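--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll
@@ -14,6 +14,8 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) {
 exists(CheckableArrayAccess arrayAccess | arrayAccess.canThrowOutOfBounds(sink.asExpr()))
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**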
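Review bot: Unlike the array-construction configs in this commit, this one opts in with `any()` and no `getASelectedSinkLocation`, which is only right if the consuming query reports the sink expression itself, i.e. the argument passed to `canThrowOutOfBounds`, rather than the enclosing `CheckableArrayAccess`. The hunk gives no way to confirm that; if the query selects the array access, add `Location getASelectedSinkLocation(DataFlow::Node sink) { exists(CheckableArrayAccess a | a.canThrowOutOfBounds(sink.asExpr()) | result = a.getLocation()) }`, otherwise a comment on the `any()` stating that the default sink location matches the query's `select`. The enclosing module starts outside the hunk.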

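--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll
@@ -18,6 +18,8 @@ module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) { node.getType() instanceof BooleanType }
 
 predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**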
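Review bot: The `any()` opt-in is the only new line in a hunk that is otherwise context, and the `isSink` predicate it depends on lies outside the hunk, so nothing here records that the consuming query reports the sink node directly, which is the condition under which omitting `getASelectedSinkLocation` is safe. I would write `any() // ImproperValidationOfArrayIndex.ql reports the sink expression itself, so the default sink location is the selected one`, after checking the query's `select`, matching the commented opt-ins elsewhere in this commit. The enclosing module starts outside the hunk.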

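--- a/java/ql/lib/semmle/code/java/security/InsecureCookieQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsecureCookieQuery.qll
@@ -35,6 +35,10 @@ module SecureCookieConfig implements DataFlow::ConfigSig {
 sink.asExpr() =
 any(MethodCall add | add.getMethod() instanceof ResponseAddCookieMethod).getArgument(0)
 }
+
+predicate observeDiffInformedIncrementalMode() {
+none() // only used negatively in InsecureCookie.ql
+}
 }
 
 /** Data flow to reason about the failure to use secure cookies. */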
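Review bot: `none() // only used negatively in InsecureCookie.ql` states the fact but not the consequence, which is the security-relevant part: this flow is the evidence that a cookie is secured, so restricting it to the diff could discard the proof for cookies that are in fact secured, and their absence from the flow would be reported as a finding. I would make the comment say so, e.g. `none() // InsecureCookie.ql reports cookies for which this flow is absent; pruning it in diff-informed mode would flag safe cookies`, so that nobody later switches it to `any()` for consistency with the other configs. The enclosing module starts outside the hunk.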
