From cf448946db90b9aac7680cab872df9a5070959f1 Mon Sep 17 00:00:00 2001 
From: Chuan-kai Lin Date: Fri, 9 Aug 2024 09:49:41 -0700 Subject: [PATCH] Java: apply query alert restrictions --- .../java/security/CleartextStorageQuery.qll | 3 +- .../java/security/StackTraceExposureQuery.qll | 16 ++++++++--- .../security/UnsafeDeserializationQuery.qll | 2 +- .../Likely Bugs/Arithmetic/InformationLoss.ql | 1 + .../Security/CWE/CWE-020/OverlyLargeRange.ql | 2 ++ .../src/Security/CWE/CWE-022/TaintedPath.ql | 4 +++ java/ql/src/Security/CWE/CWE-022/ZipSlip.ql | 4 +++ .../CWE-023/PartialPathTraversalFromRemote.ql | 5 ++++ .../src/Security/CWE/CWE-074/JndiInjection.ql | 4 +++ .../src/Security/CWE/CWE-074/XsltInjection.ql | 4 +++ .../src/Security/CWE/CWE-078/ExecTainted.ql | 13 +++++++++ .../src/Security/CWE/CWE-078/ExecUnescaped.ql | 1 + java/ql/src/Security/CWE/CWE-079/XSS.ql | 4 +++ .../ql/src/Security/CWE/CWE-089/SqlTainted.ql | 10 +++++++ .../src/Security/CWE/CWE-090/LdapInjection.ql | 4 +++ .../Security/CWE/CWE-094/GroovyInjection.ql | 4 +++ .../CWE/CWE-094/InsecureBeanValidation.ql | 4 +++ .../src/Security/CWE/CWE-094/JexlInjection.ql | 4 +++ .../src/Security/CWE/CWE-094/MvelInjection.ql | 4 +++ .../src/Security/CWE/CWE-094/SpelInjection.ql | 6 +++- .../Security/CWE/CWE-094/TemplateInjection.ql | 4 +++ .../CWE/CWE-113/NettyResponseSplitting.ql | 1 + .../Security/CWE/CWE-113/ResponseSplitting.ql | 4 +++ .../CWE-1204/StaticInitializationVector.ql | 5 ++++ .../ExternallyControlledFormatString.ql | 6 ++++ .../CWE/CWE-209/StackTraceExposure.ql | 28 +++++++++++++++++++ .../IntentUriPermissionManipulation.ql | 7 ++++- .../AndroidInsecureLocalAuthentication.ql | 4 ++- .../ImproperWebViewCertificateValidation.ql | 4 ++- .../CWE/CWE-295/InsecureTrustManager.ql | 4 +++ .../CWE/CWE-297/UnsafeHostnameVerification.ql | 6 ++++ .../CWE/CWE-326/InsufficientKeySize.ql | 4 +++ .../CWE/CWE-327/BrokenCryptoAlgorithm.ql | 5 ++++ .../CWE/CWE-330/InsecureRandomness.ql | 5 ++++ .../CWE/CWE-338/JHipsterGeneratedPRNG.ql | 1 + .../CWE/CWE-347/MissingJWTSignatureCheck.ql | 
5 ++++ .../CWE/CWE-352/SpringCSRFProtection.ql | 4 ++- .../CWE/CWE-441/UnsafeContentUriResolution.ql | 5 ++++ .../Security/CWE/CWE-470/FragmentInjection.ql | 5 ++++ .../FragmentInjectionInPreferenceActivity.ql | 4 ++- .../CWE/CWE-489/WebviewDebuggingEnabled.ql | 4 +++ .../CWE/CWE-502/UnsafeDeserialization.ql | 5 ++++ .../Security/CWE/CWE-522/InsecureLdapAuth.ql | 4 +++ .../ql/src/Security/CWE/CWE-552/UrlForward.ql | 5 ++++ .../src/Security/CWE/CWE-601/UrlRedirect.ql | 5 ++++ java/ql/src/Security/CWE/CWE-611/XXE.ql | 5 ++++ .../Security/CWE/CWE-614/InsecureCookie.ql | 1 + .../Security/CWE/CWE-643/XPathInjection.ql | 5 ++++ .../CWE/CWE-681/NumericCastTainted.ql | 5 ++++ .../Security/CWE/CWE-730/PolynomialReDoS.ql | 4 +++ java/ql/src/Security/CWE/CWE-730/ReDoS.ql | 2 ++ .../Security/CWE/CWE-730/RegexInjection.ql | 4 +++ .../CWE-732/ReadingFromWorldWritableFile.ql | 3 ++ .../Security/CWE/CWE-780/RsaWithoutOaep.ql | 4 +++ .../CWE/CWE-807/TaintedPermissionsCheck.ql | 6 ++++ .../src/Security/CWE/CWE-917/OgnlInjection.ql | 4 +++ .../Security/CWE/CWE-918/RequestForgery.ql | 4 +++ .../CWE/CWE-925/ImproperIntentVerification.ql | 4 ++- .../CWE/CWE-927/ImplicitPendingIntents.ql | 5 ++++ .../CWE/CWE-940/AndroidIntentRedirection.ql | 4 +++ 60 files changed, 280 insertions(+), 13 deletions(-) diff --git a/java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll b/java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll index a607fd8c8d2b..6cbe768fcb73 100644 --- a/java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll +++ b/java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll 
@@ -36,7 +36,8 @@ abstract class Storable extends Call { abstract Expr getAStore(); } -private module SensitiveSourceFlowConfig implements DataFlow::ConfigSig { +/** Flow configuration for sensitive data flowing into cleartext storage. */ +module SensitiveSourceFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SensitiveExpr } predicate isSink(DataFlow::Node sink) { sink instanceof CleartextStorageSink } diff --git a/java/ql/lib/semmle/code/java/security/StackTraceExposureQuery.qll b/java/ql/lib/semmle/code/java/security/StackTraceExposureQuery.qll index 0eb069a06c20..38e7b5c301bb 100644 --- a/java/ql/lib/semmle/code/java/security/StackTraceExposureQuery.qll +++ b/java/ql/lib/semmle/code/java/security/StackTraceExposureQuery.qll @@ -7,7 +7,7 @@ private import semmle.code.java.security.InformationLeak /** * One of the `printStackTrace()` overloads on `Throwable`. */ -private class PrintStackTraceMethod extends Method { +class PrintStackTraceMethod extends Method { PrintStackTraceMethod() { this.getDeclaringType() .getSourceDeclaration() @@ -17,7 +17,11 @@ private class PrintStackTraceMethod extends Method { } } -private module ServletWriterSourceToPrintStackTraceMethodFlowConfig implements DataFlow::ConfigSig { +/** + * Flow configuration for xss vulnerable writer source flowing to `Throwable.printStackTrace()` on + * a stream that is connected to external output. + */ +module ServletWriterSourceToPrintStackTraceMethodFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node src) { src instanceof XssVulnerableWriterSourceNode } predicate isSink(DataFlow::Node sink) { 
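Review bot: The QLDoc added for `ServletWriterSourceToPrintStackTraceMethodFlowConfig` is imprecise: its source is `XssVulnerableWriterSourceNode`, and "xss vulnerable writer source flowing to `Throwable.printStackTrace()`" reads as if the writer itself were the finding rather than the stream argument it reaches. Dropping `private` on this module, on `PrintStackTraceMethod` and on `SensitiveSourceFlowConfig` also turns them into public library API that other packs can depend on, so the doc should state why they are exposed. I would write the module's QLDoc as a sentence saying that it tracks an XSS-vulnerable servlet writer to the stream argument of a `Throwable.printStackTrace()` call and that it is public only so query files can wrap it with alert filtering.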
@@ -55,7 +59,10 @@ private predicate printWriterOnStringWriter(Expr printWriter, Variable stringWri ) } -private predicate stackTraceExpr(Expr exception, MethodCall stackTraceString) { +/** + * Holds if `stackTraceString` writes the stack trace from `exception` to a string. + */ +predicate stackTraceExpr(Expr exception, MethodCall stackTraceString) { exists(Expr printWriter, Variable stringWriterVar, MethodCall printStackCall | printWriterOnStringWriter(printWriter, stringWriterVar) and printStackCall.getMethod() instanceof PrintStackTraceMethod and @@ -66,7 +73,8 @@ private predicate stackTraceExpr(Expr exception, MethodCall stackTraceString) { ) } -private module StackTraceStringToHttpResponseSinkFlowConfig implements DataFlow::ConfigSig { +/** Flow configuration for stack trace flowing to http response. */ +module StackTraceStringToHttpResponseSinkFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node src) { stackTraceExpr(_, src.asExpr()) } predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink } diff --git a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll index 734ad4c89fe6..8127a5f2fe09 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll @@ -334,7 +334,7 @@ deprecated class UnsafeDeserializationConfig extends TaintTracking::Configuratio } /** Tracks flows from remote user input to a deserialization sink. */ -private module UnsafeDeserializationConfig implements DataFlow::ConfigSig { +module UnsafeDeserializationConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink } 
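Review bot: `module UnsafeDeserializationConfig` is now public under the same name as the `deprecated class UnsafeDeserializationConfig` declared just above it; as far as I recall QL keeps module and class names in separate namespaces, so this compiles, but the public API now exposes two `UnsafeDeserializationConfig`s of different shapes. The one-line QLDoc should disambiguate, e.g. `/** Tracks flows from remote user input to a deserialization sink. Module form of the deprecated class of the same name; prefer this one. */`. The same consideration applies to `stackTraceExpr` in `StackTraceExposureQuery.qll`, whose body ends outside this hunk.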
diff --git a/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql b/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql index 7d97af12b710..80cd3472cc28 100644 --- a/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql +++ b/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql @@ -35,6 +35,7 @@ Variable getVariable(Expr dest) { from DangerousAssignOpExpr a, Expr e, Top v where + AlertFiltering::filterByLocation(a.getLocation()) and e = a.getSource() and problematicCasting(a.getDest().getType(), e) and ( diff --git a/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql b/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql index b8ea3e52dbd0..273b5fc67d2e 100644 --- a/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql +++ b/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql @@ -12,6 +12,7 @@ * external/cwe/cwe-020 */ +private import semmle.code.java.AlertFiltering private import semmle.code.java.regex.RegexTreeView::RegexTreeView as TreeView import codeql.regex.OverlyLargeRangeQuery::Make @@ -22,6 +23,7 @@ TreeView::RegExpCharacterClass potentialMisparsedCharClass() { from TreeView::RegExpCharacterRange range, string reason where + AlertFiltering::filterByLocation(range.getLocation()) and problem(range, reason) and not range.getParent() = potentialMisparsedCharClass() select range, "Suspicious character range that " + reason + "." diff --git a/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql b/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql index 3963442d6489..da337b2f32b4 100644 --- a/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql +++ b/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql @@ -16,6 +16,10 @@ import java import semmle.code.java.security.PathCreation import semmle.code.java.security.TaintedPathQuery +private import semmle.code.java.dataflow.DataFlowFiltering + +module TaintedPathFlow = TaintTracking::Global>; + import TaintedPathFlow::PathGraph from TaintedPathFlow::PathNode source, TaintedPathFlow::PathNode sink 
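Review bot: `OverlyLargeRange.ql` adds `private import semmle.code.java.AlertFiltering` before calling `AlertFiltering::filterByLocation`, but `InformationLoss.ql` calls the same predicate with no new import and relies on the name reaching it through `import java`. If the `java` module does not re-export `AlertFiltering`, that query no longer compiles; if it does, the two files should still agree on one convention so the dependency is visible where it is used. I would add `private import semmle.code.java.AlertFiltering` to `InformationLoss.ql` as well (the `select` it filters for is outside the hunk).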
diff --git a/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql b/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql index 0d165a73521d..90651a4ae92c 100644 --- a/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql +++ b/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql @@ -14,6 +14,10 @@ import java import semmle.code.java.security.ZipSlipQuery +private import semmle.code.java.dataflow.DataFlowFiltering + +module ZipSlipFlow = TaintTracking::Global>; + import ZipSlipFlow::PathGraph from ZipSlipFlow::PathNode source, ZipSlipFlow::PathNode sink diff --git a/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql b/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql index ef62f433ae6c..47a381381e31 100644 --- a/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql +++ b/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql @@ -11,6 +11,11 @@ */ import semmle.code.java.security.PartialPathTraversalQuery +private import semmle.code.java.dataflow.DataFlowFiltering + +module PartialPathTraversalFromRemoteFlow = + TaintTracking::Global>; + import PartialPathTraversalFromRemoteFlow::PathGraph from diff --git a/java/ql/src/Security/CWE/CWE-074/JndiInjection.ql b/java/ql/src/Security/CWE/CWE-074/JndiInjection.ql index 900f3d923b36..8583f6f3647e 100644 --- a/java/ql/src/Security/CWE/CWE-074/JndiInjection.ql +++ b/java/ql/src/Security/CWE/CWE-074/JndiInjection.ql @@ -13,6 +13,10 @@ import java import semmle.code.java.security.JndiInjectionQuery +private import semmle.code.java.dataflow.DataFlowFiltering + +module JndiInjectionFlow = TaintTracking::Global>; + import JndiInjectionFlow::PathGraph from JndiInjectionFlow::PathNode source, JndiInjectionFlow::PathNode sink diff --git a/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql b/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql index 9cf98aea259d..f4f75ca78c42 100644 --- a/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql +++ b/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql 
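Review bot: The local `ZipSlipFlow` (and likewise `PartialPathTraversalFromRemoteFlow` and `JndiInjectionFlow`) is now built on the `DataFlowFiltering` wrapper, which presumably restricts results to the configured alert range, yet nothing in the file says that its results intentionally differ from the unfiltered library module that `import semmle.code.java.security.ZipSlipQuery` still brings into scope. The type arguments are not legible in this rendering, so I cannot confirm which config is wrapped, but the intent deserves one line above each local module: `// Filtered variant of the library flow; when an alert range is configured, only flows ending inside it are reported.` That comment also tells the next maintainer why the library module is shadowed here.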
@@ -13,6 +13,10 @@ import java import semmle.code.java.security.XsltInjectionQuery +private import semmle.code.java.dataflow.DataFlowFiltering + +module XsltInjectionFlow = TaintTracking::Global>; + import XsltInjectionFlow::PathGraph from XsltInjectionFlow::PathNode source, XsltInjectionFlow::PathNode sink diff --git a/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql b/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql index b6f2894ad67a..e1b3e93332f7 100644 --- a/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql +++ b/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql @@ -14,8 +14,21 @@ import java import semmle.code.java.security.CommandLineQuery +private import semmle.code.java.dataflow.DataFlowFiltering +private import semmle.code.java.dataflow.TaintTracking + +module InputToArgumentToExecFlow = + TaintTracking::Global>; + import InputToArgumentToExecFlow::PathGraph +predicate execIsTainted( + InputToArgumentToExecFlow::PathNode source, InputToArgumentToExecFlow::PathNode sink, Expr execArg +) { + InputToArgumentToExecFlow::flowPath(source, sink) and + argumentToExec(execArg, sink.getNode()) +} + from InputToArgumentToExecFlow::PathNode source, InputToArgumentToExecFlow::PathNode sink, Expr execArg where execIsTainted(source, sink, execArg) diff --git a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql index d50f583bbfe3..9808113ecd66 100644 --- a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql +++ b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql @@ -47,6 +47,7 @@ predicate builtFromUncontrolledConcat(Expr expr) { from StringArgumentToExec argument where + AlertFiltering::filterByLocation(argument.getLocation()) and builtFromUncontrolledConcat(argument) and not execIsTainted(_, _, argument) select argument, "Command line is built with string concatenation." diff --git a/java/ql/src/Security/CWE/CWE-079/XSS.ql b/java/ql/src/Security/CWE/CWE-079/XSS.ql index 9ae92a7e362e..d176d838f16d 100644 
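Review bot: `ExecUnescaped.ql` keeps `not execIsTainted(_, _, argument)` bound to the library's unfiltered predicate while `ExecTainted.ql` now declares a local `execIsTainted` over the filtered `InputToArgumentToExecFlow`; that asymmetry looks correct, since excluding with the filtered version would stop suppressing arguments whose taint path ends outside the alert range and re-report them as concatenation alerts, but nothing says it is deliberate. Add on the `not` line: `// Deliberately the unfiltered library predicate: an argument that is tainted anywhere must not be double-reported here.` In `ExecTainted.ql`, `argumentToExec(execArg, sink.getNode())` means the element reported in `select` (outside the hunk) can differ from the sink node the filter is applied to, so it is worth confirming the filter keys on the location actually reported.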
--- a/java/ql/src/Security/CWE/CWE-079/XSS.ql +++ b/java/ql/src/Security/CWE/CWE-079/XSS.ql @@ -13,6 +13,10 @@ import java import semmle.code.java.security.XssQuery +private import semmle.code.java.dataflow.DataFlowFiltering + +module XssFlow = TaintTracking::Global>; + import XssFlow::PathGraph from XssFlow::PathNode source, XssFlow::PathNode sink diff --git a/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql b/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql index 3549621c48d0..dbe5358beb6d 100644 --- a/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql +++ b/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql @@ -15,8 +15,18 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.SqlInjectionQuery +private import semmle.code.java.dataflow.DataFlowFiltering + +module QueryInjectionFlow = TaintTracking::Global>; + import QueryInjectionFlow::PathGraph +predicate queryIsTaintedBy( + QueryInjectionSink query, QueryInjectionFlow::PathNode source, QueryInjectionFlow::PathNode sink +) { + QueryInjectionFlow::flowPath(source, sink) and sink.getNode() = query +} + from QueryInjectionSink query, QueryInjectionFlow::PathNode source, QueryInjectionFlow::PathNode sink where queryIsTaintedBy(query, source, sink) diff --git a/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql b/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql index e511cb8819ce..c69b920b8b33 100644 --- a/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql +++ b/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql @@ -14,6 +14,10 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.LdapInjectionQuery +private import semmle.code.java.dataflow.DataFlowFiltering + +module LdapInjectionFlow = TaintTracking::Global>; + import LdapInjectionFlow::PathGraph from LdapInjectionFlow::PathNode source, LdapInjectionFlow::PathNode sink 
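Review bot: `queryIsTaintedBy` is re-declared in `SqlTainted.ql` without QLDoc, duplicating the predicate the unchanged `where` line was already calling, which presumably lives in `SqlInjectionQuery.qll`; the two bodies differ only in the flow module, so any later fix to the library version will silently miss this query. Until the library predicate can take the flow module as a parameter, mark the copy: `/** Local copy of the library's queryIsTaintedBy over the filtered flow module; keep in sync with SqlInjectionQuery.qll. */`. Here the filter is sound for the alert location, because `sink.getNode() = query` makes the reported `QueryInjectionSink` the sink node itself.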
diff --git a/java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql b/java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql index 98ae9f2fef39..b2d1456526b2 100644 --- a/java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql +++ b/java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql @@ -13,6 +13,10 @@ import java import semmle.code.java.security.GroovyInjectionQuery +private import semmle.code.java.dataflow.DataFlowFiltering + +module GroovyInjectionFlow = TaintTracking::Global>; + import GroovyInjectionFlow::PathGraph from GroovyInjectionFlow::PathNode source, GroovyInjectionFlow::PathNode sink diff --git a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql index 2dd0bf617bae..9b712827d69f 100644 --- a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql +++ b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql @@ -12,6 +12,10 @@ import java import semmle.code.java.security.InsecureBeanValidationQuery +private import semmle.code.java.dataflow.DataFlowFiltering + +module BeanValidationFlow = TaintTracking::Global>; + import BeanValidationFlow::PathGraph from BeanValidationFlow::PathNode source, BeanValidationFlow::PathNode sink diff --git a/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql b/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql index 5335235d7481..b8920d574e9a 100644 --- a/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql +++ b/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql @@ -13,6 +13,10 @@ import java import semmle.code.java.security.JexlInjectionQuery +private import semmle.code.java.dataflow.DataFlowFiltering + +module JexlInjectionFlow = TaintTracking::Global>; + import JexlInjectionFlow::PathGraph from JexlInjectionFlow::PathNode source, JexlInjectionFlow::PathNode sink diff --git a/java/ql/src/Security/CWE/CWE-094/MvelInjection.ql b/java/ql/src/Security/CWE/CWE-094/MvelInjection.ql index d7b033cabeab..768f2a5c8bff 100644 
--- a/java/ql/src/Security/CWE/CWE-094/MvelInjection.ql +++ b/java/ql/src/Security/CWE/CWE-094/MvelInjection.ql @@ -13,6 +13,10 @@ import java import semmle.code.java.security.MvelInjectionQuery +private import semmle.code.java.dataflow.DataFlowFiltering + +module MvelInjectionFlow = TaintTracking::Global>; + import MvelInjectionFlow::PathGraph from MvelInjectionFlow::PathNode source, MvelInjectionFlow::PathNode sink diff --git a/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql b/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql index fe1a434cd71f..6a6040b6c349 100644 --- a/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql +++ b/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql @@ -13,7 +13,11 @@ import java import semmle.code.java.security.SpelInjectionQuery -import semmle.code.java.dataflow.DataFlow +import semmle.code.java.dataflow.TaintTracking +private import semmle.code.java.dataflow.DataFlowFiltering + +module SpelInjectionFlow = TaintTracking::Global>; + import SpelInjectionFlow::PathGraph from SpelInjectionFlow::PathNode source, SpelInjectionFlow::PathNode sink diff --git a/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql b/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql index 6e405cf9b824..4c53b082bac9 100644 --- a/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql +++ b/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql @@ -13,6 +13,10 @@ import java import semmle.code.java.security.TemplateInjectionQuery +private import semmle.code.java.dataflow.DataFlowFiltering + +module TemplateInjectionFlow = TaintTracking::Global>; + import TemplateInjectionFlow::PathGraph from TemplateInjectionFlow::PathNode source, TemplateInjectionFlow::PathNode sink diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql index 7376aa51e584..cc4066d750ce 100644 --- a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql 
+++ b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql @@ -93,4 +93,5 @@ private class InsecureDefaultFullHttpRequestClassInstantiation extends RequestSp } from InsecureNettyObjectCreation new +where AlertFiltering::filterByLocation(new.getLocation()) select new, new.splittingType() + " vulnerability due to header value verification being disabled." diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql index 2138d9187a19..109f90a051d5 100644 --- a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql +++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql @@ -13,6 +13,10 @@ import java import semmle.code.java.security.ResponseSplittingQuery +private import semmle.code.java.dataflow.DataFlowFiltering + +module ResponseSplittingFlow = TaintTracking::Global>; + import ResponseSplittingFlow::PathGraph from ResponseSplittingFlow::PathNode source, ResponseSplittingFlow::PathNode sink diff --git a/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql b/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql index 258e0f871123..d30cce3f5b3a 100644 --- a/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql +++ b/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql @@ -13,6 +13,11 @@ import java import semmle.code.java.security.StaticInitializationVectorQuery +private import semmle.code.java.dataflow.DataFlowFiltering + +module StaticInitializationVectorFlow = + TaintTracking::Global>; + import StaticInitializationVectorFlow::PathGraph from StaticInitializationVectorFlow::PathNode source, StaticInitializationVectorFlow::PathNode sink diff --git a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql index fc5af977a331..bddb42e25821 100644 --- a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql 
+++ b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql @@ -11,8 +11,14 @@ */ import java +import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.ExternallyControlledFormatStringQuery import semmle.code.java.StringFormat +private import semmle.code.java.dataflow.DataFlowFiltering + +module ExternallyControlledFormatStringFlow = + TaintTracking::Global>; + import ExternallyControlledFormatStringFlow::PathGraph from diff --git a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql index a52a65e95c4f..717259c65361 100644 --- a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql +++ b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql @@ -15,7 +15,35 @@ import java import semmle.code.java.dataflow.DataFlow +import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.StackTraceExposureQuery +private import semmle.code.java.dataflow.DataFlowFiltering + +private module ServletWriterSourceToPrintStackTraceMethodFlow = + TaintTracking::Global>; + +private predicate printsStackToWriter(MethodCall call) { + exists(PrintStackTraceMethod printStackTrace | + call.getMethod() = printStackTrace and + ServletWriterSourceToPrintStackTraceMethodFlow::flowToExpr(call.getAnArgument()) + ) +} + +predicate printsStackExternally(MethodCall call, Expr stackTrace) { + printsStackToWriter(call) and + call.getQualifier() = stackTrace and + not call.getQualifier() instanceof SuperAccess +} + +private module StackTraceStringToHttpResponseSinkFlow = + TaintTracking::Global>; + +predicate stringifiedStackFlowsExternally(DataFlow::Node externalExpr, Expr stackTrace) { + exists(MethodCall stackTraceString | + stackTraceExpr(stackTrace, stackTraceString) and + StackTraceStringToHttpResponseSinkFlow::flow(DataFlow::exprNode(stackTraceString), externalExpr) + ) +} from Expr externalExpr, Expr errorInformation where 
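Review bot: `printsStackExternally` and `stringifiedStackFlowsExternally` are re-declared in `StackTraceExposure.ql` as public predicates without QLDoc, duplicating the versions imported from `StackTraceExposureQuery` (the `where` clause that uses them continues past the hunk). Beyond the drift risk, `printsStackToWriter` applies the filtered flow to `call.getAnArgument()` while the alert is on `externalExpr`, and whether those coincide depends on the `where`/`select` outside this hunk, so worth confirming. At minimum, document the copies: a QLDoc on the first saying that `call` is a `printStackTrace` call on `stackTrace` whose writer argument is reached, via the filtered flow, from an XSS-vulnerable servlet writer, and on the second that `externalExpr` is an information-leak sink reached, via the filtered flow, from the stringified stack trace of `stackTrace`.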
diff --git a/java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql b/java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql index d79abd6e4178..d557af96600c 100644 --- a/java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql +++ b/java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql @@ -14,7 +14,12 @@ import java import semmle.code.java.security.IntentUriPermissionManipulationQuery -import semmle.code.java.dataflow.DataFlow +import semmle.code.java.dataflow.TaintTracking +private import semmle.code.java.dataflow.DataFlowFiltering + +module IntentUriPermissionManipulationFlow = + TaintTracking::Global>; + import IntentUriPermissionManipulationFlow::PathGraph from diff --git a/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql b/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql index 92256a2b779c..ebffc77eb7cd 100644 --- a/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql +++ b/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql @@ -14,5 +14,7 @@ import java import semmle.code.java.security.AndroidLocalAuthQuery from AuthenticationSuccessCallback c -where not exists(c.getAResultUse()) +where + AlertFiltering::filterByLocation(c.getLocation()) and + not exists(c.getAResultUse()) select c, "This authentication callback does not use its result for a cryptographic operation." diff --git a/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql b/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql index aac3a99be4c2..fac4fb7c252b 100644 --- a/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql +++ b/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql 
@@ -14,5 +14,7 @@ import java import semmle.code.java.security.AndroidWebViewCertificateValidationQuery from OnReceivedSslErrorMethod m -where trustsAllCerts(m) +where + AlertFiltering::filterByLocation(m.getLocation()) and + trustsAllCerts(m) select m, "This handler accepts all SSL certificates." diff --git a/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql b/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql index 4904c08b195f..882ae1a7419e 100644 --- a/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql +++ b/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql @@ -13,6 +13,10 @@ import java import semmle.code.java.dataflow.DataFlow import semmle.code.java.security.InsecureTrustManagerQuery +private import semmle.code.java.dataflow.DataFlowFiltering + +module InsecureTrustManagerFlow = DataFlow::Global>; + import InsecureTrustManagerFlow::PathGraph from InsecureTrustManagerFlow::PathNode source, InsecureTrustManagerFlow::PathNode sink diff --git a/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql b/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql index afc902dcad0c..b6b2b79cf81d 100644 --- a/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql +++ b/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql @@ -12,6 +12,12 @@ import java import semmle.code.java.security.UnsafeHostnameVerificationQuery +private import semmle.code.java.dataflow.DataFlow +private import semmle.code.java.dataflow.DataFlowFiltering + +module TrustAllHostnameVerifierFlow = + DataFlow::Global>; + import TrustAllHostnameVerifierFlow::PathGraph from diff --git a/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql b/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql index 39e4c3e64e5a..6410732220c4 100644 --- a/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql +++ b/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql 
@@ -13,6 +13,10 @@ import java import semmle.code.java.security.InsufficientKeySizeQuery +private import semmle.code.java.dataflow.DataFlowFiltering + +module KeySizeFlow = DataFlow::GlobalWithState>; + import KeySizeFlow::PathGraph from KeySizeFlow::PathNode source, KeySizeFlow::PathNode sink diff --git a/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql index a848419aaa3c..5536475a3c3f 100644 --- a/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql +++ b/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql @@ -14,6 +14,11 @@ import java import semmle.code.java.security.Encryption import semmle.code.java.security.BrokenCryptoAlgorithmQuery +private import semmle.code.java.dataflow.DataFlowFiltering +private import semmle.code.java.dataflow.TaintTracking + +module InsecureCryptoFlow = TaintTracking::Global>; + import InsecureCryptoFlow::PathGraph from diff --git a/java/ql/src/Security/CWE/CWE-330/InsecureRandomness.ql b/java/ql/src/Security/CWE/CWE-330/InsecureRandomness.ql index 2b916fef1b6b..fb254d960ff9 100644 --- a/java/ql/src/Security/CWE/CWE-330/InsecureRandomness.ql +++ b/java/ql/src/Security/CWE/CWE-330/InsecureRandomness.ql @@ -15,6 +15,11 @@ import java import semmle.code.java.security.InsecureRandomnessQuery +private import semmle.code.java.dataflow.DataFlowFiltering +private import semmle.code.java.dataflow.TaintTracking + +module InsecureRandomnessFlow = TaintTracking::Global>; + import InsecureRandomnessFlow::PathGraph from InsecureRandomnessFlow::PathNode source, InsecureRandomnessFlow::PathNode sink diff --git a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql index c51e5d4acc57..ede19c1b46f8 100644 --- a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql +++ b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql 
@@ -47,5 +47,6 @@ private class VulnerableJHipsterRandomUtilMethod extends Method { } from VulnerableJHipsterRandomUtilMethod method +where AlertFiltering::filterByLocation(method.getLocation()) select method, "Weak random number generator used in security sensitive method (JHipster CVE-2019-16303)." diff --git a/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql b/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql index cd6af9a8462f..309d31b38d17 100644 --- a/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql +++ b/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql @@ -12,6 +12,11 @@ import java import semmle.code.java.security.MissingJWTSignatureCheckQuery +private import semmle.code.java.dataflow.DataFlowFiltering + +module MissingJwtSignatureCheckFlow = + DataFlow::Global>; + import MissingJwtSignatureCheckFlow::PathGraph from MissingJwtSignatureCheckFlow::PathNode source, MissingJwtSignatureCheckFlow::PathNode sink diff --git a/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql b/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql index dfb6fbbd5956..21f884a6b787 100644 --- a/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql +++ b/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql @@ -15,5 +15,7 @@ import java import semmle.code.java.security.SpringCsrfProtection from MethodCall call -where disablesSpringCsrfProtection(call) +where + AlertFiltering::filterByLocation(call.getLocation()) and + disablesSpringCsrfProtection(call) select call, "CSRF vulnerability due to protection being disabled." diff --git a/java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql b/java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql index 4a8c9bc3ad11..7c0f4cdea4d0 100644 --- a/java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql +++ b/java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql 
@@ -14,6 +14,11 @@
 import java
 import semmle.code.java.security.UnsafeContentUriResolutionQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module UnsafeContentResolutionFlow =
+ TaintTracking::Global>;
+
 import UnsafeContentResolutionFlow::PathGraph
 from UnsafeContentResolutionFlow::PathNode src, UnsafeContentResolutionFlow::PathNode sink
diff --git a/java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql b/java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql
index 6ff9a15eca4b..7d26e4f3a1f3 100644
--- a/java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql
@@ -13,6 +13,11 @@
 import java
 import semmle.code.java.security.FragmentInjectionQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module FragmentInjectionTaintFlow =
+ TaintTracking::Global>;
+
 import FragmentInjectionTaintFlow::PathGraph
 from FragmentInjectionTaintFlow::PathNode source, FragmentInjectionTaintFlow::PathNode sink
diff --git a/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql b/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql
index a75f0b3eca53..f37be416a031 100644
--- a/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql
+++ b/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql
@@ -16,7 +16,9 @@ import java
 import semmle.code.java.security.FragmentInjection
 from IsValidFragmentMethod m
-where m.isUnsafe()
+where
+ AlertFiltering::filterByLocation(m.getLocation()) and
+ m.isUnsafe()
 select m, "The 'isValidFragment' method always returns true. This makes the exported Activity $@ vulnerable to Fragment Injection.", m.getDeclaringType(), m.getDeclaringType().getName()
diff --git a/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql b/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql
index c34a40358d97..85786caf41d6 100644
--- a/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql
+++ b/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql
@@ -12,6 +12,10 @@
 import java
 import semmle.code.java.security.WebviewDebuggingEnabledQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module WebviewDebugEnabledFlow = DataFlow::Global>;
+
 import WebviewDebugEnabledFlow::PathGraph
 from WebviewDebugEnabledFlow::PathNode source, WebviewDebugEnabledFlow::PathNode sink
diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
index a5ebd206752b..a5a60486c5db 100644
--- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
+++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
@@ -13,6 +13,11 @@
 import java
 import semmle.code.java.security.UnsafeDeserializationQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module UnsafeDeserializationFlow =
+ TaintTracking::Global>;
+
 import UnsafeDeserializationFlow::PathGraph
 from UnsafeDeserializationFlow::PathNode source, UnsafeDeserializationFlow::PathNode sink
diff --git a/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql b/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql
index fb7848bb05ec..68f46d10046f 100644
--- a/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql
+++ b/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql
@@ -13,6 +13,10 @@
 import java
 import semmle.code.java.security.InsecureLdapAuthQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module InsecureLdapUrlFlow = TaintTracking::Global>;
+
 import InsecureLdapUrlFlow::PathGraph
 from InsecureLdapUrlFlow::PathNode source, InsecureLdapUrlFlow::PathNode sink
diff --git a/java/ql/src/Security/CWE/CWE-552/UrlForward.ql b/java/ql/src/Security/CWE/CWE-552/UrlForward.ql
index 91e244a81522..432c3ddfb7b8 100644
--- a/java/ql/src/Security/CWE/CWE-552/UrlForward.ql
+++ b/java/ql/src/Security/CWE/CWE-552/UrlForward.ql
@@ -13,6 +13,11 @@
 import java
 import semmle.code.java.security.UrlForwardQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+private import semmle.code.java.dataflow.TaintTracking
+
+module UrlForwardFlow = TaintTracking::Global>;
+
 import UrlForwardFlow::PathGraph
 from UrlForwardFlow::PathNode source, UrlForwardFlow::PathNode sink
diff --git a/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql b/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
index 3ce7ca9119fd..d10a9b14a925 100644
--- a/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
+++ b/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
@@ -13,6 +13,11 @@
 import java
 import semmle.code.java.security.UrlRedirectQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+private import semmle.code.java.dataflow.TaintTracking
+
+module UrlRedirectFlow = TaintTracking::Global>;
+
 import UrlRedirectFlow::PathGraph
 from UrlRedirectFlow::PathNode source, UrlRedirectFlow::PathNode sink
diff --git a/java/ql/src/Security/CWE/CWE-611/XXE.ql b/java/ql/src/Security/CWE/CWE-611/XXE.ql
index 5520d332ed6e..aec960a3adf2 100644
--- a/java/ql/src/Security/CWE/CWE-611/XXE.ql
+++ b/java/ql/src/Security/CWE/CWE-611/XXE.ql
@@ -16,6 +16,11 @@ import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.security.XxeRemoteQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+private import semmle.code.java.dataflow.TaintTracking
+
+module XxeFlow = TaintTracking::Global>;
+
 import XxeFlow::PathGraph
 from XxeFlow::PathNode source, XxeFlow::PathNode sink
diff --git a/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql b/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
index b8d64d22e295..8f4d57424025 100644
--- a/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
+++ b/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
@@ -17,6 +17,7 @@ import semmle.code.java.security.InsecureCookieQuery
 from MethodCall add
 where
+ AlertFiltering::filterByLocation(add.getLocation()) and
 add.getMethod() instanceof ResponseAddCookieMethod and
 not SecureCookieFlow::flowToExpr(add.getArgument(0))
 select add, "Cookie is added to response without the 'secure' flag being set."
diff --git a/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql b/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
index 4b245e2dc69a..2e573913d442 100644
--- a/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
@@ -13,6 +13,11 @@
 import java
 import semmle.code.java.security.XPathInjectionQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+private import semmle.code.java.dataflow.TaintTracking
+
+module XPathInjectionFlow = TaintTracking::Global>;
+
 import XPathInjectionFlow::PathGraph
 from XPathInjectionFlow::PathNode source, XPathInjectionFlow::PathNode sink
diff --git a/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql b/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
index ce71e0929bfc..e0069008a860 100644
--- a/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
@@ -14,6 +14,11 @@
 import java
 import semmle.code.java.security.NumericCastTaintedQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+private import semmle.code.java.dataflow.TaintTracking
+
+module NumericCastFlow = TaintTracking::Global>;
+
 import NumericCastFlow::PathGraph
 from NumericCastFlow::PathNode source, NumericCastFlow::PathNode sink, NumericNarrowingCastExpr exp
diff --git a/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql b/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql
index 2ba45ca083ca..279103b75653 100644
--- a/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql
+++ b/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql
@@ -15,6 +15,10 @@
 import java
 import semmle.code.java.security.regexp.PolynomialReDoSQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module PolynomialRedosFlow = TaintTracking::Global>;
+
 import PolynomialRedosFlow::PathGraph
 from
diff --git a/java/ql/src/Security/CWE/CWE-730/ReDoS.ql b/java/ql/src/Security/CWE/CWE-730/ReDoS.ql
index ca4750fc8588..8e7c4d79d928 100644
--- a/java/ql/src/Security/CWE/CWE-730/ReDoS.ql
+++ b/java/ql/src/Security/CWE/CWE-730/ReDoS.ql
@@ -14,11 +14,13 @@
 * external/cwe/cwe-400
 */
+private import semmle.code.java.AlertFiltering
 private import semmle.code.java.regex.RegexTreeView::RegexTreeView as TreeView
 import codeql.regex.nfa.ExponentialBackTracking::Make as ExponentialBackTracking
 from TreeView::RegExpTerm t, string pump, ExponentialBackTracking::State s, string prefixMsg
 where
+ AlertFiltering::filterByLocation(t.getLocation()) and
 ExponentialBackTracking::hasReDoSResult(t, pump, s, prefixMsg) and
 // exclude verbose mode regexes for now
 not t.getRegex().getAMode() = "VERBOSE"
diff --git a/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql b/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
index 64fe906658ba..64f9a3dfdfb8 100644
--- a/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
@@ -15,6 +15,10 @@
 import java
 import semmle.code.java.security.regexp.RegexInjectionQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module RegexInjectionFlow = TaintTracking::Global>;
+
 import RegexInjectionFlow::PathGraph
 from RegexInjectionFlow::PathNode source, RegexInjectionFlow::PathNode sink
diff --git a/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql b/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
index 46a7d5abc109..211d3c19a330 100644
--- a/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
+++ b/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
@@ -17,6 +17,9 @@ import semmle.code.java.security.FileWritable
 from Variable fileVariable, FileReadExpr readFrom, SetFileWorldWritable setWorldWritable
 where
+ AlertFiltering::filterByLocation(any(Location l |
+ l = setWorldWritable.getLocation() or l = readFrom.getLocation()
+ )) and
 // The file variable must be both read from and set to world writable. This is not flow-sensitive.
 fileVariable.getAnAccess() = readFrom.getFileVarAccess() and
 fileVariable.getAnAccess() = setWorldWritable.getFileVarAccess() and
diff --git a/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql b/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
index 2191a4a74010..e7b3c0f1458e 100644
--- a/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
+++ b/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
@@ -12,6 +12,10 @@
 import java
 import semmle.code.java.security.RsaWithoutOaepQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module RsaWithoutOaepFlow = DataFlow::Global>;
+
 import RsaWithoutOaepFlow::PathGraph
 from RsaWithoutOaepFlow::PathNode source, RsaWithoutOaepFlow::PathNode sink
diff --git a/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql b/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
index 72b2fdbd3d78..17cd8077f473 100644
--- a/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
+++ b/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
@@ -14,6 +14,12 @@
 import java
 import semmle.code.java.security.TaintedPermissionsCheckQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+private import semmle.code.java.dataflow.TaintTracking
+
+module TaintedPermissionsCheckFlow =
+ TaintTracking::Global>;
+
 import TaintedPermissionsCheckFlow::PathGraph
 from
diff --git a/java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql b/java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql
index 964360a96bf3..429f8a292712 100644
--- a/java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql
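Review bot: The new conjunct `AlertFiltering::filterByLocation(any(Location l | l = setWorldWritable.getLocation() or l = readFrom.getLocation()))` keeps an alert when either of the two elements lies in the filtered range, which is looser than the single-location filters used elsewhere in this patch, and the hunk does not say why. The `select` that fixes which element is the alert's primary location is outside the hunk, so I cannot confirm the two agree; if the alert is reported on `readFrom` alone, a read outside the range would still be kept because the `setWorldWritable` call is inside it. I would add above the filter `// Keep the alert if either the world-writable call or the read is inside the filtered range.` The enclosing `where` clause continues past the end of the hunk.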
@@ -13,6 +13,10 @@
 import java
 import semmle.code.java.security.OgnlInjectionQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module OgnlInjectionFlow = TaintTracking::Global>;
+
 import OgnlInjectionFlow::PathGraph
 from OgnlInjectionFlow::PathNode source, OgnlInjectionFlow::PathNode sink
diff --git a/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql b/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql
index 570a7af54cc3..7d4d2b38afdf 100644
--- a/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql
+++ b/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql
@@ -13,6 +13,10 @@
 import java
 import semmle.code.java.security.RequestForgeryConfig
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module RequestForgeryFlow = TaintTracking::Global>;
+
 import RequestForgeryFlow::PathGraph
 from RequestForgeryFlow::PathNode source, RequestForgeryFlow::PathNode sink
diff --git a/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql b/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql
index 605fabc25b51..fd1eb7ae0337 100644
--- a/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql
+++ b/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql
@@ -14,6 +14,8 @@ import java
 import semmle.code.java.security.ImproperIntentVerificationQuery
 from AndroidReceiverXmlElement reg, Method orm, SystemActionName sa
-where unverifiedSystemReceiver(reg, orm, sa)
+where
+ AlertFiltering::filterByLocation(orm.getLocation()) and
+ unverifiedSystemReceiver(reg, orm, sa)
 select orm, "This reciever doesn't verify intents it receives, and $@ to receive $@.", reg, "it is registered", sa, "the system action " + sa.getName()
diff --git a/java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql b/java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql
index f4065ceeae69..374b7ef4289e 100644
--- a/java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql
+++ b/java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql
@@ -15,6 +15,11 @@ import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.security.ImplicitPendingIntentsQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module ImplicitPendingIntentStartFlow =
+ TaintTracking::GlobalWithState>;
+
 import ImplicitPendingIntentStartFlow::PathGraph
 from ImplicitPendingIntentStartFlow::PathNode source, ImplicitPendingIntentStartFlow::PathNode sink
diff --git a/java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql b/java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql
index 5fac8c7ecc13..e8849c12dffa 100644
--- a/java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql
+++ b/java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql
@@ -15,6 +15,10 @@
 import java
 import semmle.code.java.security.AndroidIntentRedirectionQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module IntentRedirectionFlow = TaintTracking::Global>;
+
 import IntentRedirectionFlow::PathGraph
 from IntentRedirectionFlow::PathNode source, IntentRedirectionFlow::PathNode sink