/**
* A collection of utility predicates and classes for the Java library.
*/
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.FlowSources
// Sinks
private import semmle.code.java.security.QueryInjection
private import semmle.code.java.security.CommandLineQuery
private import semmle.code.java.security.LdapInjection
private import semmle.code.java.security.LogInjection
private import semmle.code.java.security.OgnlInjection
private import semmle.code.java.security.RequestForgery
private import semmle.code.java.security.TemplateInjection
/**
 * Holds if `node` starts on line `linenumber` of a file whose relative path
 * matches the pattern `relative_path`.
 *
 * The path is compared with `matches`, so `relative_path` is a pattern in
 * which `%` stands for any sequence of characters and `_` for any single
 * character. A base name is therefore selected with a pattern that ends in
 * it (constructed example: `%Example.java`), not by passing the bare name.
 * Only the start line of the node's location is compared.
 */
bindingset[relative_path]
predicate findByLocation(DataFlow::Node node, string relative_path, int linenumber) {
  exists(Location loc | loc = node.getLocation() |
    loc.getStartLine() = linenumber and
    loc.getFile().getRelativePath().matches(relative_path)
  )
}
/**
 * Holds if `sink` is the data-flow node of a method call expression.
 *
 * Restricts a result set to sinks that are method calls; a node for which
 * `asExpr()` has no result never satisfies this predicate.
 */
predicate isCallable(DataFlow::Node sink) {
  exists(MethodCall call | call = sink.asExpr())
}
/**
 * Holds if `source` is a parameter node or the node of a method call
 * expression.
 *
 * NOTE(review): this accepts every parameter and every method call, not only
 * values an attacker controls, so matches are candidate sources to triage
 * rather than confirmed untrusted input.
 */
predicate checkSource(DataFlow::Node source) {
  // TODO (kept from the original): fix this; the intended fix is not recorded here.
  exists(Parameter param | param = source.asParameter())
  or
  exists(MethodCall call | call = source.asExpr())
}
/**
 * Local sources: an alias for `LocalUserInput`, so `LocalSources` denotes
 * exactly the nodes of that class.
 */
class LocalSources = LocalUserInput;
/**
 * A data-flow node treated as a source, labelled with a threat model.
 *
 * The label is "local" for `LocalUserInput` nodes, "remote" for
 * `RemoteFlowSource` nodes, and the node's own `SourceNode` threat model for
 * `ActiveThreatModelSource` nodes. The three cases are not mutually
 * exclusive: a node that satisfies several of them carries each distinct
 * label, so queries that select the label can report the node more than once.
 */
class AllSources extends DataFlow::Node {
  private string threatModel;

  AllSources() {
    threatModel = "local" and
    this instanceof LocalUserInput
    or
    threatModel = "remote" and
    this instanceof RemoteFlowSource
    or
    threatModel = this.(SourceNode).getThreatModel() and
    this instanceof ActiveThreatModelSource
  }

  /**
   * Gets a threat model label of this source.
   */
  string getThreatModel() { result = threatModel }
}
/**
 * A data-flow node that is one of the sinks this library checks, labelled
 * with the kind of sink it is.
 *
 * The label names the sink class the node belongs to, or is "MaD" when the
 * node is a sink according to `sinkNode` (models-as-data) for any kind.
 * The cases are not mutually exclusive: a node that satisfies several of
 * them carries every matching label, so `sinkType()` can have more than one
 * result for the same node.
 */
class AllSinks extends DataFlow::Node {
  private string kind;

  AllSinks() {
    kind = "QueryInjectionSink" and
    this instanceof QueryInjectionSink
    or
    kind = "CommandInjectionSink" and
    this instanceof CommandInjectionSink
    or
    kind = "LdapInjectionSink" and
    this instanceof LdapInjectionSink
    or
    kind = "LogInjectionSink" and
    this instanceof LogInjectionSink
    or
    kind = "OgnlInjectionSink" and
    this instanceof OgnlInjectionSink
    or
    kind = "RequestForgerySink" and
    this instanceof RequestForgerySink
    or
    kind = "TemplateInjectionSink" and
    this instanceof TemplateInjectionSink
    or
    // Every sink declared through models-as-data, whatever its kind.
    kind = "MaD" and
    sinkNode(this, _)
  }

  /**
   * Gets a sink type label of this sink.
   */
  string sinkType() { result = kind }
}