From 7f7c49d6ce01f41b80cc3ac52f033ed693893cd8 Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Tue, 9 Jan 2024 12:07:30 -0500
Subject: [PATCH 01/10] Add the `SimpleScalarSanitizer` class

The `SimpleScalarSanitizer` class represents common scalar types which cannot realistically carry taint (e.g. primitives/numbers, and eventually UUIDs and Dates)
---
 .../java/security/dataflow/CommonSanitizers.qll | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 java/ql/lib/semmle/code/java/security/dataflow/CommonSanitizers.qll

diff --git a/java/ql/lib/semmle/code/java/security/dataflow/CommonSanitizers.qll b/java/ql/lib/semmle/code/java/security/dataflow/CommonSanitizers.qll
new file mode 100644
index 000000000000..0c05fa3e1ad9
--- /dev/null
+++ b/java/ql/lib/semmle/code/java/security/dataflow/CommonSanitizers.qll
@@ -0,0 +1,15 @@
+/** Classes to represent sanitizers commonly used in dataflow and taint tracking configurations. */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+
+/**
+ * A node whose type is a common scalar type, such as primitives or their boxed counterparts.
+ */
+class SimpleScalarSanitizer extends DataFlow::Node {
+ SimpleScalarSanitizer() {
+ this.getType() instanceof PrimitiveType or
+ this.getType() instanceof BoxedType or
+ this.getType() instanceof NumberType
+ }
+}
From 67dfca2e58d65fa3a5140a2b5a5e12289d6187c5 Mon Sep 17 00:00:00 2001
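Review bot: The QLDoc on `SimpleScalarSanitizer` describes only primitives and their boxed counterparts, but the characteristic predicate also admits `NumberType`, and if that class is `java.lang.Number` and its subtypes, as its name suggests, the barrier is a type-based heuristic rather than a guarantee: a node statically typed `Number` may hold any subclass, `Number` is not final, and a project-defined subclass whose `toString()` embeds arbitrary text would still be treated as untainted. Because the predicate consults only `this.getType()`, that false-negative trade-off is inherited by every query that converts to this class, so it is worth stating here once. I would expand the doc to: `A node whose static type is a common scalar type: a primitive, a boxed primitive, or a subtype of java.lang.Number. Such nodes are treated as barriers on the assumption that values of these types cannot carry injectable content; this is a heuristic keyed on the declared type, not a check on the runtime value.`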
From: Ed Minnix Date: Wed, 10 Jan 2024 13:31:42 -0500 Subject: [PATCH 02/10] Convert libraries to use `instanceof SimpleScalarSanitizer` --- .../code/java/security/BrokenCryptoAlgorithmQuery.qll | 5 ++--- .../lib/semmle/code/java/security/CommandLineQuery.qll | 7 ++----- .../code/java/security/ExecTaintedLocalQuery.qll | 5 ++--- .../lib/semmle/code/java/security/HttpsUrlsQuery.qll | 5 ++--- .../semmle/code/java/security/JndiInjectionQuery.qll | 7 +++---- .../ql/lib/semmle/code/java/security/LdapInjection.qll | 7 ++----- java/ql/lib/semmle/code/java/security/LogInjection.qll | 10 +++------- .../semmle/code/java/security/OgnlInjectionQuery.qll | 5 ++--- .../lib/semmle/code/java/security/RequestForgery.qll | 8 ++------ .../code/java/security/ResponseSplittingQuery.qll | 5 ++--- .../code/java/security/SensitiveLoggingQuery.qll | 5 ++--- .../semmle/code/java/security/SqlConcatenatedQuery.qll | 5 ++--- .../semmle/code/java/security/SqlInjectionQuery.qll | 7 ++----- .../semmle/code/java/security/SqlTaintedLocalQuery.qll | 7 ++----- .../lib/semmle/code/java/security/TaintedPathQuery.qll | 9 +++------ .../semmle/code/java/security/TemplateInjection.qll | 10 +++------- .../code/java/security/TrustBoundaryViolationQuery.qll | 5 ++--- .../code/java/security/UnsafeContentUriResolution.qll | 10 +++------- .../semmle/code/java/security/XsltInjectionQuery.qll | 5 ++--- .../code/java/security/regexp/PolynomialReDoSQuery.qll | 4 ++-- 20 files changed, 45 insertions(+), 86 deletions(-) diff --git a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll index a78f33e1ac6d..79824036fde3 100644 --- a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll +++ b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll 
@@ -3,6 +3,7 @@ import java private import semmle.code.java.security.Encryption private import semmle.code.java.dataflow.TaintTracking +private import semmle.code.java.security.dataflow.CommonSanitizers private class ShortStringLiteral extends StringLiteral { ShortStringLiteral() { this.getValue().length() < 100 } @@ -27,9 +28,7 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node n) { exists(CryptoAlgoSpec c | n.asExpr() = c.getAlgoSpec()) } - predicate isBarrier(DataFlow::Node node) { - node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType - } + predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer } } /** diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll index cc0ed2a88102..ea73277a464a 100644 --- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll +++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll @@ -12,6 +12,7 @@ private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.dataflow.ExternalFlow private import semmle.code.java.security.CommandArguments private import semmle.code.java.security.ExternalProcess +private import semmle.code.java.security.dataflow.CommonSanitizers /** A sink for command injection vulnerabilities. */ abstract class CommandInjectionSink extends DataFlow::Node { } @@ -38,11 +39,7 @@ private class DefaultCommandInjectionSink extends CommandInjectionSink { private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer { DefaultCommandInjectionSanitizer() { - this.getType() instanceof PrimitiveType - or - this.getType() instanceof BoxedType - or - this.getType() instanceof NumberType + this instanceof SimpleScalarSanitizer or isSafeCommandArgument(this.asExpr()) } 
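Review bot: The rewritten `isBarrier` in `InsecureCryptoConfig` is not the pure refactor the commit title suggests: the removed lines matched only `PrimitiveType` and `BoxedType`, while `SimpleScalarSanitizer` additionally matches `NumberType`, so flows through `java.lang.Number`-typed values (a `BigInteger`, or an application-defined `Number` subclass) that previously reached a `CryptoAlgoSpec` sink are now cut. For this query, where the tracked value is an algorithm-name string, that is probably acceptable, but it is a result change and belongs in the commit message or the change note rather than being presented as a conversion. The same widening applies to every hunk in this patch whose old barrier listed only those two types.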
diff --git a/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll b/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll index 3a00bf9a83a0..50f2904c1f04 100644 --- a/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll @@ -4,6 +4,7 @@ import java private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.security.ExternalProcess private import semmle.code.java.security.CommandArguments +private import semmle.code.java.security.dataflow.CommonSanitizers /** A taint-tracking configuration to reason about use of externally controlled strings to make command line commands. */ module ExecTaintedLocalConfig implements DataFlow::ConfigSig { @@ -12,9 +13,7 @@ module ExecTaintedLocalConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec } predicate isBarrier(DataFlow::Node node) { - node.getType() instanceof PrimitiveType - or - node.getType() instanceof BoxedType + node instanceof SimpleScalarSanitizer or isSafeCommandArgument(node.asExpr()) } diff --git a/java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll b/java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll index cc827d34d467..6106a01be93b 100644 --- a/java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll +++ b/java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll @@ -4,6 +4,7 @@ import java import semmle.code.java.dataflow.TaintTracking import semmle.code.java.frameworks.Networking import semmle.code.java.security.HttpsUrls +private import semmle.code.java.security.dataflow.CommonSanitizers /** * DEPRECATED: Use `HttpsStringToUrlOpenMethodFlow` instead. 
@@ -38,9 +39,7 @@ module HttpStringToUrlOpenMethodFlowConfig implements DataFlow::ConfigSig { any(HttpUrlsAdditionalTaintStep c).step(node1, node2) } - predicate isBarrier(DataFlow::Node node) { - node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType - } + predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer } } /** diff --git a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll index 0f97261eb4f9..b334ae0bda32 100644 --- a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll @@ -5,6 +5,7 @@ import semmle.code.java.dataflow.FlowSources import semmle.code.java.frameworks.Jndi import semmle.code.java.frameworks.SpringLdap import semmle.code.java.security.JndiInjection +private import semmle.code.java.security.dataflow.CommonSanitizers /** * DEPRECATED: Use `JndiInjectionFlow` instead. @@ -19,8 +20,7 @@ deprecated class JndiInjectionFlowConfig extends TaintTracking::Configuration { override predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink } override predicate isSanitizer(DataFlow::Node node) { - node.getType() instanceof PrimitiveType or - node.getType() instanceof BoxedType or + node instanceof SimpleScalarSanitizer or node instanceof JndiInjectionSanitizer } @@ -38,8 +38,7 @@ module JndiInjectionFlowConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink } predicate isBarrier(DataFlow::Node node) { - node.getType() instanceof PrimitiveType or - node.getType() instanceof BoxedType or + node instanceof SimpleScalarSanitizer or node instanceof JndiInjectionSanitizer } diff --git a/java/ql/lib/semmle/code/java/security/LdapInjection.qll b/java/ql/lib/semmle/code/java/security/LdapInjection.qll index d6b1066c21c9..3d928dd10b7f 100644 
--- a/java/ql/lib/semmle/code/java/security/LdapInjection.qll +++ b/java/ql/lib/semmle/code/java/security/LdapInjection.qll @@ -7,6 +7,7 @@ import semmle.code.java.frameworks.UnboundId import semmle.code.java.frameworks.SpringLdap import semmle.code.java.frameworks.ApacheLdap private import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.security.dataflow.CommonSanitizers /** A data flow sink for unvalidated user input that is used to construct LDAP queries. */ abstract class LdapInjectionSink extends DataFlow::Node { } @@ -33,11 +34,7 @@ private class DefaultLdapInjectionSink extends LdapInjectionSink { } /** A sanitizer that clears the taint on (boxed) primitive types. */ -private class DefaultLdapSanitizer extends LdapInjectionSanitizer { - DefaultLdapSanitizer() { - this.getType() instanceof PrimitiveType or - this.getType() instanceof BoxedType - } +private class DefaultLdapSanitizer extends LdapInjectionSanitizer instanceof SimpleScalarSanitizer { } /** diff --git a/java/ql/lib/semmle/code/java/security/LogInjection.qll b/java/ql/lib/semmle/code/java/security/LogInjection.qll index ae7e8c61f4c3..d5419c10a448 100644 --- a/java/ql/lib/semmle/code/java/security/LogInjection.qll +++ b/java/ql/lib/semmle/code/java/security/LogInjection.qll @@ -4,6 +4,7 @@ import java private import semmle.code.java.dataflow.DataFlow private import semmle.code.java.dataflow.ExternalFlow private import semmle.code.java.controlflow.Guards +private import semmle.code.java.security.dataflow.CommonSanitizers /** A data flow sink for unvalidated user input that is used to log messages. */ abstract class LogInjectionSink extends DataFlow::Node { } 
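Review bot: The QLDoc kept above `DefaultLdapSanitizer`, `A sanitizer that clears the taint on (boxed) primitive types.`, no longer describes the class: via `instanceof SimpleScalarSanitizer` it now also covers `NumberType` nodes, which the removed predicate did not match. Update it to `A sanitizer that clears the taint on primitive, boxed, and java.lang.Number-typed nodes (see SimpleScalarSanitizer).` so readers of the LDAP library are not misled about which values are dropped before an `LdapInjectionSink`.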
@@ -30,13 +31,8 @@ private class DefaultLogInjectionSink extends LogInjectionSink { DefaultLogInjectionSink() { sinkNode(this, "log-injection") } } -private class DefaultLogInjectionSanitizer extends LogInjectionSanitizer { - DefaultLogInjectionSanitizer() { - this.getType() instanceof BoxedType or - this.getType() instanceof PrimitiveType or - this.getType() instanceof NumericType - } -} +private class DefaultLogInjectionSanitizer extends LogInjectionSanitizer instanceof SimpleScalarSanitizer +{ } private class LineBreaksLogInjectionSanitizer extends LogInjectionSanitizer { LineBreaksLogInjectionSanitizer() { diff --git a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll index 19995e2a25b0..cfe9993d18ec 100644 --- a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll @@ -3,6 +3,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.OgnlInjection +private import semmle.code.java.security.dataflow.CommonSanitizers /** * DEPRECATED: Use `OgnlInjectionFlow` instead. @@ -33,9 +34,7 @@ module OgnlInjectionFlowConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink } - predicate isBarrier(DataFlow::Node node) { - node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType - } + predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer } predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(OgnlInjectionAdditionalTaintStep c).step(node1, node2) diff --git a/java/ql/lib/semmle/code/java/security/RequestForgery.qll b/java/ql/lib/semmle/code/java/security/RequestForgery.qll index a01f354953bc..be0a2ade96ea 100644 --- a/java/ql/lib/semmle/code/java/security/RequestForgery.qll +++ b/java/ql/lib/semmle/code/java/security/RequestForgery.qll 
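Review bot: `DefaultLogInjectionSanitizer` trades `NumericType` for what `SimpleScalarSanitizer` provides, and those are not the same set: if `NumericType` is, as in the standard library, the numeric primitives and their boxes, it added nothing beyond the other two disjuncts, whereas `NumberType` brings in `java.lang.Number` subtypes, so this hunk widens the log-injection barrier rather than restating it. For log injection the concern is CR/LF and control characters in `toString()` output; the JDK `Number` implementations print digit strings, but an application `Number` subclass may override `toString()` freely, so the assumption should at least be recorded on the class, e.g. `// Type-based barrier: assumes Number.toString() yields only sign, digits and exponent.` The OGNL hunk further along this line is the plain two-type widening noted on the library hunks.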
@@ -10,6 +10,7 @@ import semmle.code.java.dataflow.DataFlow import semmle.code.java.frameworks.Properties private import semmle.code.java.dataflow.StringPrefixes private import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.security.dataflow.CommonSanitizers /** * A unit class for adding additional taint steps that are specific to server-side request forgery (SSRF) attacks. @@ -59,12 +60,7 @@ private class DefaultRequestForgerySink extends RequestForgerySink { /** A sanitizer for request forgery vulnerabilities. */ abstract class RequestForgerySanitizer extends DataFlow::Node { } -private class PrimitiveSanitizer extends RequestForgerySanitizer { - PrimitiveSanitizer() { - this.getType() instanceof PrimitiveType or - this.getType() instanceof BoxedType or - this.getType() instanceof NumberType - } +private class PrimitiveSanitizer extends RequestForgerySanitizer instanceof SimpleScalarSanitizer { } private class HostnameSanitizingPrefix extends InterestingPrefix { diff --git a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll index 87613795b85c..9c46e1bfba8d 100644 --- a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll @@ -2,6 +2,7 @@ import java private import semmle.code.java.dataflow.FlowSources +private import semmle.code.java.security.dataflow.CommonSanitizers import semmle.code.java.security.ResponseSplitting /** @@ -16,9 +17,7 @@ module ResponseSplittingConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink } predicate isBarrier(DataFlow::Node node) { - node.getType() instanceof PrimitiveType - or - node.getType() instanceof BoxedType + node instanceof SimpleScalarSanitizer or exists(MethodCall ma, string methodName, CompileTimeConstantExpr target | node.asExpr() = ma and 
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll index eb40a045c1fd..1924bc5cb5da 100644 --- a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll @@ -5,6 +5,7 @@ private import semmle.code.java.dataflow.ExternalFlow import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.SensitiveActions import semmle.code.java.frameworks.android.Compose +private import semmle.code.java.security.dataflow.CommonSanitizers /** A variable that may hold sensitive information, judging by its name. */ class CredentialExpr extends Expr { @@ -55,9 +56,7 @@ module SensitiveLoggerConfig implements DataFlow::ConfigSig { predicate isBarrier(DataFlow::Node sanitizer) { sanitizer.asExpr() instanceof LiveLiteral or - sanitizer.getType() instanceof PrimitiveType or - sanitizer.getType() instanceof BoxedType or - sanitizer.getType() instanceof NumberType or + sanitizer instanceof SimpleScalarSanitizer or sanitizer.getType() instanceof TypeType } diff --git a/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll b/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll index 88919efbe128..1367478d54d2 100644 --- a/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll @@ -4,6 +4,7 @@ import java private import semmle.code.java.dataflow.TaintTracking private import semmle.code.java.security.SqlConcatenatedLib private import semmle.code.java.security.SqlInjectionQuery +private import semmle.code.java.security.dataflow.CommonSanitizers private class UncontrolledStringBuilderSource extends DataFlow::ExprNode { UncontrolledStringBuilderSource() { 
@@ -22,9 +23,7 @@ module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink } - predicate isBarrier(DataFlow::Node node) { - node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType - } + predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer } } /** diff --git a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll index 091240763eca..3efa5357d71d 100644 --- a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll @@ -8,6 +8,7 @@ import java import semmle.code.java.dataflow.FlowSources +private import semmle.code.java.security.dataflow.CommonSanitizers import semmle.code.java.security.QueryInjection /** @@ -41,11 +42,7 @@ module QueryInjectionFlowConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink } - predicate isBarrier(DataFlow::Node node) { - node.getType() instanceof PrimitiveType or - node.getType() instanceof BoxedType or - node.getType() instanceof NumberType - } + predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer } predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(AdditionalQueryInjectionTaintStep s).step(node1, node2) diff --git a/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll b/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll index eeab7f7f6cd0..84fe99420aff 100644 --- a/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll 
@@ -6,6 +6,7 @@ import java private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.security.SqlInjectionQuery +private import semmle.code.java.security.dataflow.CommonSanitizers /** * A taint-tracking configuration for reasoning about local user input that is @@ -16,11 +17,7 @@ module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink } - predicate isBarrier(DataFlow::Node node) { - node.getType() instanceof PrimitiveType or - node.getType() instanceof BoxedType or - node.getType() instanceof NumberType - } + predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer } predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(AdditionalQueryInjectionTaintStep s).step(node1, node2) diff --git a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll index 23166bc17c36..cd52d8d56f9b 100644 --- a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll @@ -6,6 +6,7 @@ import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.FlowSources private import semmle.code.java.dataflow.ExternalFlow import semmle.code.java.security.PathSanitizer +private import semmle.code.java.security.dataflow.CommonSanitizers /** * A unit class for adding additional taint steps. @@ -57,9 +58,7 @@ module TaintedPathConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") } predicate isBarrier(DataFlow::Node sanitizer) { - sanitizer.getType() instanceof BoxedType or - sanitizer.getType() instanceof PrimitiveType or - sanitizer.getType() instanceof NumberType or + sanitizer instanceof SimpleScalarSanitizer or sanitizer instanceof PathInjectionSanitizer } 
@@ -80,9 +79,7 @@ module TaintedPathLocalConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") } predicate isBarrier(DataFlow::Node sanitizer) { - sanitizer.getType() instanceof BoxedType or - sanitizer.getType() instanceof PrimitiveType or - sanitizer.getType() instanceof NumberType or + sanitizer instanceof SimpleScalarSanitizer or sanitizer instanceof PathInjectionSanitizer } diff --git a/java/ql/lib/semmle/code/java/security/TemplateInjection.qll b/java/ql/lib/semmle/code/java/security/TemplateInjection.qll index bb212d39c7d6..333482915a43 100644 --- a/java/ql/lib/semmle/code/java/security/TemplateInjection.qll +++ b/java/ql/lib/semmle/code/java/security/TemplateInjection.qll @@ -4,6 +4,7 @@ import java private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.dataflow.ExternalFlow private import semmle.code.java.dataflow.TaintTracking +private import semmle.code.java.security.dataflow.CommonSanitizers /** * A source for server-side template injection (SST) vulnerabilities. @@ -89,10 +90,5 @@ private class DefaultTemplateInjectionSink extends TemplateInjectionSink { DefaultTemplateInjectionSink() { sinkNode(this, "template-injection") } } -private class DefaultTemplateInjectionSanitizer extends TemplateInjectionSanitizer { - DefaultTemplateInjectionSanitizer() { - this.getType() instanceof PrimitiveType or - this.getType() instanceof BoxedType or - this.getType() instanceof NumericType - } -} +private class DefaultTemplateInjectionSanitizer extends TemplateInjectionSanitizer instanceof SimpleScalarSanitizer +{ } diff --git a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll index fecd7e593a65..caa2a5e3e586 100644 --- a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll 
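Review bot: `DefaultTemplateInjectionSanitizer` previously listed `NumericType`, which, if it is the numeric primitives and their boxes, added nothing beyond the `PrimitiveType`/`BoxedType` disjuncts, whereas `SimpleScalarSanitizer` adds `NumberType`, so this hunk widens what is dropped before a `template-injection` sink rather than merely tidying it. Template engines render values through `toString()`, and an application-defined `Number` subclass with an expression-like `toString()` would now be barrier'd on static type alone; if that trade-off is accepted, say so in the class's QLDoc, e.g. `/** A type-based barrier: primitive, boxed, or java.lang.Number-typed nodes are assumed not to carry template syntax. */`.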
@@ -6,6 +6,7 @@ private import semmle.code.java.controlflow.Guards private import semmle.code.java.dataflow.ExternalFlow private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.frameworks.owasp.Esapi +private import semmle.code.java.security.dataflow.CommonSanitizers /** * A source of data that crosses a trust boundary. @@ -57,9 +58,7 @@ module TrustBoundaryConfig implements DataFlow::ConfigSig { predicate isBarrier(DataFlow::Node node) { node instanceof TrustBoundaryValidationSanitizer or node.getType() instanceof HttpServletSession or - node.getType() instanceof NumberType or - node.getType() instanceof PrimitiveType or - node.getType() instanceof BoxedType + node instanceof SimpleScalarSanitizer } predicate isSink(DataFlow::Node sink) { sink instanceof TrustBoundaryViolationSink } diff --git a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolution.qll b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolution.qll index 23652a8151eb..91748d275ea1 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolution.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolution.qll @@ -4,6 +4,7 @@ import java private import semmle.code.java.dataflow.TaintTracking private import semmle.code.java.frameworks.android.Android private import semmle.code.java.security.PathSanitizer +private import semmle.code.java.security.dataflow.CommonSanitizers /** A URI that gets resolved by a `ContentResolver`. */ abstract class ContentUriResolutionSink extends DataFlow::Node { } 
@@ -42,13 +43,8 @@ private class UriOpeningContentResolverMethod extends Method { } } -private class UninterestingTypeSanitizer extends ContentUriResolutionSanitizer { - UninterestingTypeSanitizer() { - this.getType() instanceof BoxedType or - this.getType() instanceof PrimitiveType or - this.getType() instanceof NumberType - } -} +private class UninterestingTypeSanitizer extends ContentUriResolutionSanitizer instanceof SimpleScalarSanitizer +{ } private class PathSanitizer extends ContentUriResolutionSanitizer instanceof PathInjectionSanitizer { } diff --git a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll index 9d54a90974ae..3bdf38615c9d 100644 --- a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll @@ -5,6 +5,7 @@ import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.XmlParsers import semmle.code.java.security.XsltInjection +private import semmle.code.java.security.dataflow.CommonSanitizers /** * DEPRECATED: Use `XsltInjectionFlow` instead. @@ -35,9 +36,7 @@ module XsltInjectionFlowConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof XsltInjectionSink } - predicate isBarrier(DataFlow::Node node) { - node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType - } + predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer } predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(XsltInjectionAdditionalTaintStep c).step(node1, node2) diff --git a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll index b5998f86aab7..0721461646d2 100644 --- a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll 
+++ b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll @@ -5,6 +5,7 @@ import codeql.regex.nfa.SuperlinearBackTracking::Make as SuperlinearBa import semmle.code.java.dataflow.DataFlow import semmle.code.java.regex.RegexFlowConfigs import semmle.code.java.dataflow.FlowSources +private import semmle.code.java.security.dataflow.CommonSanitizers /** A sink for polynomial redos queries, where a regex is matched. */ class PolynomialRedosSink extends DataFlow::Node { @@ -75,8 +76,7 @@ module PolynomialRedosConfig implements DataFlow::ConfigSig { } predicate isBarrier(DataFlow::Node node) { - node.getType() instanceof PrimitiveType or - node.getType() instanceof BoxedType or + node instanceof SimpleScalarSanitizer or node.asExpr().(MethodCall).getMethod() instanceof LengthRestrictedMethod } } From 3311b3be8e39d46cf417574797fbff2d19b384a7 Mon Sep 17 00:00:00 2001 From: Ed Minnix Date: Wed, 10 Jan 2024 20:53:27 -0500 Subject: [PATCH 03/10] Convert experimental queries' `isBarrier` to use `instanceof SimpleScalarSanitizer` --- .../Security/CWE/CWE-020/Log4jJndiInjection.ql | 7 ++----- .../Security/CWE/CWE-073/FilePathInjection.ql | 3 ++- .../Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll | 9 +++------ .../CWE/CWE-089/MyBatisAnnotationSqlInjection.ql | 7 ++----- .../Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql | 7 ++----- .../CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql | 5 ++--- .../Security/CWE/CWE-552/UnsafeUrlForward.qll | 8 ++------ 7 files changed, 15 insertions(+), 31 deletions(-) diff --git a/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql index 33d060de6917..cb8cf6bce37f 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql 
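Review bot: For `PolynomialRedosConfig` the barrier widening in this hunk is less obviously safe than in the injection queries: the removed lines matched only fixed-width primitives and their boxes, whose string form has a bounded length, while `SimpleScalarSanitizer` also matches `NumberType`, and if that covers `java.math.BigInteger`/`BigDecimal` then a value parsed from untrusted input can have an arbitrarily long `toString()`, which is precisely the attacker-controlled length a superlinear regex needs. The adjacent `LengthRestrictedMethod` disjunct shows this config already reasons in terms of length, so consider keeping the old check here, `node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType or`, or excluding the arbitrary-precision types from the shared class for this query. The `isBarrier` predicate opens inside this hunk but the enclosing module begins above it.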
@@ -19,6 +19,7 @@ import java import semmle.code.java.dataflow.TaintTracking import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.security.dataflow.CommonSanitizers import Log4jInjectionFlow::PathGraph private class ActivateModels extends ActiveExperimentalModels { @@ -33,11 +34,7 @@ class Log4jInjectionSink extends DataFlow::Node { /** * A node that sanitizes a message before logging to avoid log injection. */ -class Log4jInjectionSanitizer extends DataFlow::Node { - Log4jInjectionSanitizer() { - this.getType() instanceof BoxedType or this.getType() instanceof PrimitiveType - } -} +class Log4jInjectionSanitizer extends DataFlow::Node instanceof SimpleScalarSanitizer { } /** * A taint-tracking configuration for tracking untrusted user input used in log entries. diff --git a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql index 52d74145e6a4..77137b76638d 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql @@ -18,6 +18,7 @@ import semmle.code.java.dataflow.ExternalFlow import semmle.code.java.dataflow.FlowSources import JFinalController import semmle.code.java.security.PathSanitizer +private import semmle.code.java.security.dataflow.CommonSanitizers import InjectFilePathFlow::PathGraph private class ActivateModels extends ActiveExperimentalModels { @@ -56,7 +57,7 @@ module InjectFilePathConfig implements DataFlow::ConfigSig { } predicate isBarrier(DataFlow::Node node) { - exists(Type t | t = node.getType() | t instanceof BoxedType or t instanceof PrimitiveType) + node instanceof SimpleScalarSanitizer or node instanceof PathInjectionSanitizer } 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll index a042eb5779f5..dd3dc328222b 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll @@ -2,6 +2,7 @@ import java import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.FlowSources +private import semmle.code.java.security.dataflow.CommonSanitizers module ExecCmdFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { @@ -20,8 +21,7 @@ module ExecCmdFlowConfig implements DataFlow::ConfigSig { node instanceof AssignToNonZeroIndex or node instanceof ArrayInitAtNonZeroIndex or node instanceof StreamConcatAtNonZeroIndex or - node.getType() instanceof PrimitiveType or - node.getType() instanceof BoxedType + node instanceof SimpleScalarSanitizer } } @@ -41,10 +41,7 @@ module ExecUserFlowConfig implements DataFlow::ConfigSig { ) } - predicate isBarrier(DataFlow::Node node) { - node.getType() instanceof PrimitiveType or - node.getType() instanceof BoxedType - } + predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer } } /** Tracks flow of unvalidated user input that is used in Runtime.Exec */ diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql index 4ac75ed8dafb..c3b06601d3b6 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql 
@@ -17,6 +17,7 @@ import MyBatisCommonLib import MyBatisAnnotationSqlInjectionLib import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking +private import semmle.code.java.security.dataflow.CommonSanitizers import MyBatisAnnotationSqlInjectionFlow::PathGraph private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig { @@ -24,11 +25,7 @@ private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSi predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisAnnotatedMethodCallArgument } - predicate isBarrier(DataFlow::Node node) { - node.getType() instanceof PrimitiveType or - node.getType() instanceof BoxedType or - node.getType() instanceof NumberType - } + predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer } predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { exists(MethodCall ma | diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql index ce403e791cce..7335199ec96c 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql @@ -17,6 +17,7 @@ import MyBatisCommonLib import MyBatisMapperXmlSqlInjectionLib import semmle.code.xml.MyBatisMapperXML import semmle.code.java.dataflow.FlowSources +private import semmle.code.java.security.dataflow.CommonSanitizers import MyBatisMapperXmlSqlInjectionFlow::PathGraph private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig { 
@@ -24,11 +25,7 @@ private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig
 
 predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisMapperMethodCallAnArgument }
 
- predicate isBarrier(DataFlow::Node node) {
- node.getType() instanceof PrimitiveType or
- node.getType() instanceof BoxedType or
- node.getType() instanceof NumberType
- }
+ predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
 
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
 exists(MethodCall ma |
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
index a548af9f83ba..19db99594131 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
@@ -14,6 +14,7 @@
 import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.dataflow.CommonSanitizers
 import ClientSuppliedIpUsedInSecurityCheckLib
 import ClientSuppliedIpUsedInSecurityCheckFlow::PathGraph
 
@@ -38,9 +39,7 @@ module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::ConfigSig
 not aa.getIndexExpr().(CompileTimeConstantExpr).getIntValue() = 0
 )
 or
- node.getType() instanceof PrimitiveType
- or
- node.getType() instanceof BoxedType
+ node instanceof SimpleScalarSanitizer
 }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll
index 5fe073d5320d..f327a6523b51 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll
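Review bot: The added `import semmle.code.java.security.dataflow.CommonSanitizers` in `ClientSuppliedIpUsedInSecurityCheck.ql` is the only import of the new library in this patch without the `private` annotation; the MyBatis queries and the library files all use `private import`. In a `.ql` query file this has no practical effect on exports, but the inconsistency is carried through the later rename patch unchanged, so writing `private import semmle.code.java.security.dataflow.CommonSanitizers` here keeps the series uniform. The `isBarrier` body in the second hunk of this file also grows from `PrimitiveType`/`BoxedType` to include `NumberType` via the new class, as raised on the CommandInjectionRuntimeExec hunk.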
@@ -5,6 +5,7 @@ private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.StringPrefixes
 private import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions
 private import experimental.semmle.code.java.frameworks.SpringResource
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 private class ActiveModels extends ActiveExperimentalModels {
 ActiveModels() { this = "unsafe-url-forward" }
@@ -128,12 +129,7 @@ private class SpringModelAndViewSink extends UnsafeUrlForwardSink {
 }
 }
 
-private class PrimitiveSanitizer extends UnsafeUrlForwardSanitizer {
- PrimitiveSanitizer() {
- this.getType() instanceof PrimitiveType or
- this.getType() instanceof BoxedType or
- this.getType() instanceof NumberType
- }
+private class PrimitiveSanitizer extends UnsafeUrlForwardSanitizer instanceof SimpleScalarSanitizer {
 }
 
 private class SanitizingPrefix extends InterestingPrefix {
From 32fe8e02fb06cbb80cdf5cb42eea21a2ad374fb6 Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Wed, 10 Jan 2024 21:13:51 -0500
Subject: [PATCH 04/10] Change note
---
...oduce-simplescalarsanitizer-class-for-common-sanitizer.md | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 java/ql/lib/change-notes/2024-01-10-introduce-simplescalarsanitizer-class-for-common-sanitizer.md
diff --git a/java/ql/lib/change-notes/2024-01-10-introduce-simplescalarsanitizer-class-for-common-sanitizer.md b/java/ql/lib/change-notes/2024-01-10-introduce-simplescalarsanitizer-class-for-common-sanitizer.md
new file mode 100644
index 000000000000..3aedbe738efb
--- /dev/null
+++ b/java/ql/lib/change-notes/2024-01-10-introduce-simplescalarsanitizer-class-for-common-sanitizer.md
@@ -0,0 +1,5 @@ +--- +category: minorAnalysis +--- +* Added a new library `semmle.code.java.security.dataflow.CommonSanitizers` which contains a new sanitizer class `SimpleScalarSanitizer`, which represents nodes which cannot realistically carry taint for most queries (e.g. primitives, their boxed equivalents, and numeric types). +* Converted definitions of `isBarrier` and sanitizer classes to use `SimpleScalarSanitizer` instead of checking if `node.getType()` is `PrimitiveType` or `BoxedType`. From 38828672a951b071bf2b3684b6f7e2366328ef3a Mon Sep 17 00:00:00 2001 From: Ed Minnix Date: Tue, 16 Jan 2024 19:35:59 -0500 Subject: [PATCH 05/10] Update change note --- ...introduce-simplescalarsanitizer-class-for-common-sanitizer.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename java/ql/lib/change-notes/{2024-01-10-introduce-simplescalarsanitizer-class-for-common-sanitizer.md => 2024-01-20-introduce-simplescalarsanitizer-class-for-common-sanitizer.md} (100%) diff --git a/java/ql/lib/change-notes/2024-01-10-introduce-simplescalarsanitizer-class-for-common-sanitizer.md b/java/ql/lib/change-notes/2024-01-20-introduce-simplescalarsanitizer-class-for-common-sanitizer.md similarity index 100% rename from java/ql/lib/change-notes/2024-01-10-introduce-simplescalarsanitizer-class-for-common-sanitizer.md rename to java/ql/lib/change-notes/2024-01-20-introduce-simplescalarsanitizer-class-for-common-sanitizer.md From ec3d6831864e281966e32c674a3411331aae73e4 Mon Sep 17 00:00:00 2001 From: Ed Minnix Date: Mon, 22 Jan 2024 23:39:23 -0500 Subject: [PATCH 06/10] Change change note category to `feature` --- ...ntroduce-simplescalarsanitizer-class-for-common-sanitizer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/ql/lib/change-notes/2024-01-20-introduce-simplescalarsanitizer-class-for-common-sanitizer.md b/java/ql/lib/change-notes/2024-01-20-introduce-simplescalarsanitizer-class-for-common-sanitizer.md index 3aedbe738efb..11e446502f75 100644 
--- a/java/ql/lib/change-notes/2024-01-20-introduce-simplescalarsanitizer-class-for-common-sanitizer.md +++ b/java/ql/lib/change-notes/2024-01-20-introduce-simplescalarsanitizer-class-for-common-sanitizer.md @@ -1,5 +1,5 @@ --- -category: minorAnalysis +category: feature --- * Added a new library `semmle.code.java.security.dataflow.CommonSanitizers` which contains a new sanitizer class `SimpleScalarSanitizer`, which represents nodes which cannot realistically carry taint for most queries (e.g. primitives, their boxed equivalents, and numeric types). * Converted definitions of `isBarrier` and sanitizer classes to use `SimpleScalarSanitizer` instead of checking if `node.getType()` is `PrimitiveType` or `BoxedType`. From bb4427709063c2e6a8490df7ca3792cdd8756e7a Mon Sep 17 00:00:00 2001 From: Ed Minnix Date: Mon, 22 Jan 2024 23:40:24 -0500 Subject: [PATCH 07/10] Make import of dataflow `private` --- .../lib/semmle/code/java/security/dataflow/CommonSanitizers.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/ql/lib/semmle/code/java/security/dataflow/CommonSanitizers.qll b/java/ql/lib/semmle/code/java/security/dataflow/CommonSanitizers.qll index 0c05fa3e1ad9..b97740f52da6 100644 --- a/java/ql/lib/semmle/code/java/security/dataflow/CommonSanitizers.qll +++ b/java/ql/lib/semmle/code/java/security/dataflow/CommonSanitizers.qll @@ -1,7 +1,7 @@ /** Classes to represent sanitizers commonly used in dataflow and taint tracking configurations. */ import java -import semmle.code.java.dataflow.DataFlow +private import semmle.code.java.dataflow.DataFlow /** * A node whose type is a common scalar type, such as primitives or their boxed counterparts. From 696788e5b22181daf5d08e5d5695a4cfd57a3236 Mon Sep 17 00:00:00 2001 
From: Ed Minnix Date: Mon, 22 Jan 2024 23:52:19 -0500 Subject: [PATCH 08/10] Rename `semmle.code.java.security.dataflow.CommonSanitizers` to `semmle.code.java.security.Sanitizers` --- .../semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/CommandLineQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/LdapInjection.qll | 2 +- java/ql/lib/semmle/code/java/security/LogInjection.qll | 2 +- java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/RequestForgery.qll | 2 +- .../ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll | 2 +- .../security/{dataflow/CommonSanitizers.qll => Sanitizers.qll} | 0 java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/TemplateInjection.qll | 2 +- .../semmle/code/java/security/TrustBoundaryViolationQuery.qll | 2 +- .../semmle/code/java/security/UnsafeContentUriResolution.qll | 2 +- java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll | 2 +- .../semmle/code/java/security/regexp/PolynomialReDoSQuery.qll | 2 +- .../src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql | 2 +- .../src/experimental/Security/CWE/CWE-073/FilePathInjection.ql | 2 +- .../Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll | 2 +- .../Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql | 2 +- .../Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql | 2 +- .../Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql 
| 2 +- .../src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll | 2 +- 28 files changed, 27 insertions(+), 27 deletions(-) rename java/ql/lib/semmle/code/java/security/{dataflow/CommonSanitizers.qll => Sanitizers.qll} (100%) diff --git a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll index 79824036fde3..512e4142b451 100644 --- a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll +++ b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll @@ -3,7 +3,7 @@ import java private import semmle.code.java.security.Encryption private import semmle.code.java.dataflow.TaintTracking -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers private class ShortStringLiteral extends StringLiteral { ShortStringLiteral() { this.getValue().length() < 100 } diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll index ea73277a464a..74290de3f83d 100644 --- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll +++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll @@ -12,7 +12,7 @@ private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.dataflow.ExternalFlow private import semmle.code.java.security.CommandArguments private import semmle.code.java.security.ExternalProcess -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers /** A sink for command injection vulnerabilities. */ abstract class CommandInjectionSink extends DataFlow::Node { } diff --git a/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll b/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll index 50f2904c1f04..10411a48351c 100644 --- a/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll 
+++ b/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll @@ -4,7 +4,7 @@ import java private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.security.ExternalProcess private import semmle.code.java.security.CommandArguments -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers /** A taint-tracking configuration to reason about use of externally controlled strings to make command line commands. */ module ExecTaintedLocalConfig implements DataFlow::ConfigSig { diff --git a/java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll b/java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll index 6106a01be93b..22ce78b87b48 100644 --- a/java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll +++ b/java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll @@ -4,7 +4,7 @@ import java import semmle.code.java.dataflow.TaintTracking import semmle.code.java.frameworks.Networking import semmle.code.java.security.HttpsUrls -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers /** * DEPRECATED: Use `HttpsStringToUrlOpenMethodFlow` instead. diff --git a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll index b334ae0bda32..ecfffcd9b175 100644 --- a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll @@ -5,7 +5,7 @@ import semmle.code.java.dataflow.FlowSources import semmle.code.java.frameworks.Jndi import semmle.code.java.frameworks.SpringLdap import semmle.code.java.security.JndiInjection -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers /** * DEPRECATED: Use `JndiInjectionFlow` instead. 
diff --git a/java/ql/lib/semmle/code/java/security/LdapInjection.qll b/java/ql/lib/semmle/code/java/security/LdapInjection.qll index 3d928dd10b7f..c1fad32eca45 100644 --- a/java/ql/lib/semmle/code/java/security/LdapInjection.qll +++ b/java/ql/lib/semmle/code/java/security/LdapInjection.qll @@ -7,7 +7,7 @@ import semmle.code.java.frameworks.UnboundId import semmle.code.java.frameworks.SpringLdap import semmle.code.java.frameworks.ApacheLdap private import semmle.code.java.dataflow.ExternalFlow -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers /** A data flow sink for unvalidated user input that is used to construct LDAP queries. */ abstract class LdapInjectionSink extends DataFlow::Node { } diff --git a/java/ql/lib/semmle/code/java/security/LogInjection.qll b/java/ql/lib/semmle/code/java/security/LogInjection.qll index d5419c10a448..2e3bf8dd492c 100644 --- a/java/ql/lib/semmle/code/java/security/LogInjection.qll +++ b/java/ql/lib/semmle/code/java/security/LogInjection.qll @@ -4,7 +4,7 @@ import java private import semmle.code.java.dataflow.DataFlow private import semmle.code.java.dataflow.ExternalFlow private import semmle.code.java.controlflow.Guards -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers /** A data flow sink for unvalidated user input that is used to log messages. */ abstract class LogInjectionSink extends DataFlow::Node { } diff --git a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll index cfe9993d18ec..f15b9e9ae862 100644 --- a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll 
@@ -3,7 +3,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.OgnlInjection -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers /** * DEPRECATED: Use `OgnlInjectionFlow` instead. diff --git a/java/ql/lib/semmle/code/java/security/RequestForgery.qll b/java/ql/lib/semmle/code/java/security/RequestForgery.qll index be0a2ade96ea..57e095ecce26 100644 --- a/java/ql/lib/semmle/code/java/security/RequestForgery.qll +++ b/java/ql/lib/semmle/code/java/security/RequestForgery.qll @@ -10,7 +10,7 @@ import semmle.code.java.dataflow.DataFlow import semmle.code.java.frameworks.Properties private import semmle.code.java.dataflow.StringPrefixes private import semmle.code.java.dataflow.ExternalFlow -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers /** * A unit class for adding additional taint steps that are specific to server-side request forgery (SSRF) attacks. diff --git a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll index 9c46e1bfba8d..59709221d0b1 100644 --- a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll @@ -2,7 +2,7 @@ import java private import semmle.code.java.dataflow.FlowSources -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers import semmle.code.java.security.ResponseSplitting /** diff --git a/java/ql/lib/semmle/code/java/security/dataflow/CommonSanitizers.qll b/java/ql/lib/semmle/code/java/security/Sanitizers.qll similarity index 100% rename from java/ql/lib/semmle/code/java/security/dataflow/CommonSanitizers.qll rename to java/ql/lib/semmle/code/java/security/Sanitizers.qll 
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll index 1924bc5cb5da..0f0b44905833 100644 --- a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll @@ -5,7 +5,7 @@ private import semmle.code.java.dataflow.ExternalFlow import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.SensitiveActions import semmle.code.java.frameworks.android.Compose -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers /** A variable that may hold sensitive information, judging by its name. */ class CredentialExpr extends Expr { diff --git a/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll b/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll index 1367478d54d2..06db59c4a296 100644 --- a/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll @@ -4,7 +4,7 @@ import java private import semmle.code.java.dataflow.TaintTracking private import semmle.code.java.security.SqlConcatenatedLib private import semmle.code.java.security.SqlInjectionQuery -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers private class UncontrolledStringBuilderSource extends DataFlow::ExprNode { UncontrolledStringBuilderSource() { diff --git a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll index 3efa5357d71d..2ae8b55054b2 100644 --- a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll 
@@ -8,7 +8,7 @@ import java import semmle.code.java.dataflow.FlowSources -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers import semmle.code.java.security.QueryInjection /** diff --git a/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll b/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll index 84fe99420aff..5f4d69db1b26 100644 --- a/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll @@ -6,7 +6,7 @@ import java private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.security.SqlInjectionQuery -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers /** * A taint-tracking configuration for reasoning about local user input that is diff --git a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll index cd52d8d56f9b..d4f0570bacef 100644 --- a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll @@ -6,7 +6,7 @@ import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.FlowSources private import semmle.code.java.dataflow.ExternalFlow import semmle.code.java.security.PathSanitizer -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers /** * A unit class for adding additional taint steps. diff --git a/java/ql/lib/semmle/code/java/security/TemplateInjection.qll b/java/ql/lib/semmle/code/java/security/TemplateInjection.qll index 333482915a43..92427a26b0f8 100644 --- a/java/ql/lib/semmle/code/java/security/TemplateInjection.qll +++ b/java/ql/lib/semmle/code/java/security/TemplateInjection.qll 
@@ -4,7 +4,7 @@ import java private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.dataflow.ExternalFlow private import semmle.code.java.dataflow.TaintTracking -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers /** * A source for server-side template injection (SST) vulnerabilities. diff --git a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll index caa2a5e3e586..e56a15cb98cd 100644 --- a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll @@ -6,7 +6,7 @@ private import semmle.code.java.controlflow.Guards private import semmle.code.java.dataflow.ExternalFlow private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.frameworks.owasp.Esapi -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers /** * A source of data that crosses a trust boundary. diff --git a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolution.qll b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolution.qll index 91748d275ea1..34522f0cd4d4 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolution.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolution.qll @@ -4,7 +4,7 @@ import java private import semmle.code.java.dataflow.TaintTracking private import semmle.code.java.frameworks.android.Android private import semmle.code.java.security.PathSanitizer -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers /** A URI that gets resolved by a `ContentResolver`. */ abstract class ContentUriResolutionSink extends DataFlow::Node { } 
diff --git a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll index 3bdf38615c9d..ebcb40adedb6 100644 --- a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll @@ -5,7 +5,7 @@ import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.XmlParsers import semmle.code.java.security.XsltInjection -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers /** * DEPRECATED: Use `XsltInjectionFlow` instead. diff --git a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll index 0721461646d2..3161474fb90b 100644 --- a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll +++ b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll @@ -5,7 +5,7 @@ import codeql.regex.nfa.SuperlinearBackTracking::Make as SuperlinearBa import semmle.code.java.dataflow.DataFlow import semmle.code.java.regex.RegexFlowConfigs import semmle.code.java.dataflow.FlowSources -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers /** A sink for polynomial redos queries, where a regex is matched. */ class PolynomialRedosSink extends DataFlow::Node { diff --git a/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql index cb8cf6bce37f..4e46e6773ca5 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql 
@@ -19,7 +19,7 @@ import java import semmle.code.java.dataflow.TaintTracking import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.ExternalFlow -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers import Log4jInjectionFlow::PathGraph private class ActivateModels extends ActiveExperimentalModels { diff --git a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql index 77137b76638d..aa87cf22c2b6 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql @@ -18,7 +18,7 @@ import semmle.code.java.dataflow.ExternalFlow import semmle.code.java.dataflow.FlowSources import JFinalController import semmle.code.java.security.PathSanitizer -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers import InjectFilePathFlow::PathGraph private class ActivateModels extends ActiveExperimentalModels { diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll index dd3dc328222b..c28305606600 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll @@ -2,7 +2,7 @@ import java import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.FlowSources -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers module ExecCmdFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql index c3b06601d3b6..bb5a59f5e2be 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql @@ -17,7 +17,7 @@ import MyBatisCommonLib import MyBatisAnnotationSqlInjectionLib import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers import MyBatisAnnotationSqlInjectionFlow::PathGraph private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig { diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql index 7335199ec96c..5f7612be2952 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql @@ -17,7 +17,7 @@ import MyBatisCommonLib import MyBatisMapperXmlSqlInjectionLib import semmle.code.xml.MyBatisMapperXML import semmle.code.java.dataflow.FlowSources -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers import MyBatisMapperXmlSqlInjectionFlow::PathGraph private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig { diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql index 19db99594131..65756c249fc7 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql 
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql @@ -14,7 +14,7 @@ import java import semmle.code.java.dataflow.TaintTracking import semmle.code.java.dataflow.FlowSources -import semmle.code.java.security.dataflow.CommonSanitizers +import semmle.code.java.security.Sanitizers import ClientSuppliedIpUsedInSecurityCheckLib import ClientSuppliedIpUsedInSecurityCheckFlow::PathGraph diff --git a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll index f327a6523b51..5d50f9de539e 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll @@ -5,7 +5,7 @@ private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.dataflow.StringPrefixes private import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions private import experimental.semmle.code.java.frameworks.SpringResource -private import semmle.code.java.security.dataflow.CommonSanitizers +private import semmle.code.java.security.Sanitizers private class ActiveModels extends ActiveExperimentalModels { ActiveModels() { this = "unsafe-url-forward" } From fb80c5ea84fc1b8535b82565044b533d958b79d5 Mon Sep 17 00:00:00 2001 
From: Ed Minnix Date: Mon, 22 Jan 2024 23:55:29 -0500 Subject: [PATCH 09/10] Rename `SimpleScalarSanitizer` to `SimpleTypeSanitizer` --- .../code/java/security/BrokenCryptoAlgorithmQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/CommandLineQuery.qll | 2 +- .../lib/semmle/code/java/security/ExecTaintedLocalQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll | 2 +- .../ql/lib/semmle/code/java/security/JndiInjectionQuery.qll | 4 ++-- java/ql/lib/semmle/code/java/security/LdapInjection.qll | 3 +-- java/ql/lib/semmle/code/java/security/LogInjection.qll | 2 +- .../ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/RequestForgery.qll | 3 +-- .../semmle/code/java/security/ResponseSplittingQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/Sanitizers.qll | 6 +++--- .../lib/semmle/code/java/security/SensitiveLoggingQuery.qll | 2 +- .../lib/semmle/code/java/security/SqlConcatenatedQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll | 2 +- .../lib/semmle/code/java/security/SqlTaintedLocalQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll | 4 ++-- java/ql/lib/semmle/code/java/security/TemplateInjection.qll | 2 +- .../code/java/security/TrustBoundaryViolationQuery.qll | 2 +- .../code/java/security/UnsafeContentUriResolution.qll | 2 +- .../ql/lib/semmle/code/java/security/XsltInjectionQuery.qll | 2 +- .../code/java/security/regexp/PolynomialReDoSQuery.qll | 2 +- .../experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql | 2 +- .../experimental/Security/CWE/CWE-073/FilePathInjection.ql | 2 +- .../Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll | 4 ++-- .../Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql | 2 +- .../Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql | 2 +- .../CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql | 2 +- .../experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll | 2 +- 28 files changed, 33 insertions(+), 35 
deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
index 512e4142b451..150e8809b45e 100644
--- a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
@@ -28,7 +28,7 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
 
 predicate isSink(DataFlow::Node n) { exists(CryptoAlgoSpec c | n.asExpr() = c.getAlgoSpec()) }
 
- predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
+ predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
index 74290de3f83d..7aa602bf3c74 100644
--- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
@@ -39,7 +39,7 @@ private class DefaultCommandInjectionSink extends CommandInjectionSink {
 
 private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer {
 DefaultCommandInjectionSanitizer() {
- this instanceof SimpleScalarSanitizer
+ this instanceof SimpleTypeSanitizer
 or
 isSafeCommandArgument(this.asExpr())
 }
diff --git a/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll b/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll
index 10411a48351c..ea36338fcb9c 100644
--- a/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll
@@ -13,7 +13,7 @@ module ExecTaintedLocalConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
 
 predicate isBarrier(DataFlow::Node node) {
- node instanceof SimpleScalarSanitizer
+ node instanceof SimpleTypeSanitizer
 or
 isSafeCommandArgument(node.asExpr())
 }
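Review bot: The renames in patches 08 and 09 (`semmle.code.java.security.dataflow.CommonSanitizers` to `semmle.code.java.security.Sanitizers`, and `SimpleScalarSanitizer` to `SimpleTypeSanitizer`) leave the change note untouched: neither diffstat lists `java/ql/lib/change-notes/2024-01-20-introduce-simplescalarsanitizer-class-for-common-sanitizer.md`, so after this patch it still advertises a library path and a class name that no longer exist. Unless the remaining patch in the series corrects it, the two bullets should be updated to name `semmle.code.java.security.Sanitizers` and `SimpleTypeSanitizer`, and the file itself should preferably be renamed to match the class.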
diff --git a/java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll b/java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll
index 22ce78b87b48..ae9d3d6201e4 100644
--- a/java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll
@@ -39,7 +39,7 @@ module HttpStringToUrlOpenMethodFlowConfig implements DataFlow::ConfigSig {
 any(HttpUrlsAdditionalTaintStep c).step(node1, node2)
 }
 
- predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
+ predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll
index ecfffcd9b175..c7343172016b 100644
--- a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll
@@ -20,7 +20,7 @@ deprecated class JndiInjectionFlowConfig extends TaintTracking::Configuration {
 override predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink }
 
 override predicate isSanitizer(DataFlow::Node node) {
- node instanceof SimpleScalarSanitizer or
+ node instanceof SimpleTypeSanitizer or
 node instanceof JndiInjectionSanitizer
 }
 
@@ -38,7 +38,7 @@ module JndiInjectionFlowConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink }
 
 predicate isBarrier(DataFlow::Node node) {
- node instanceof SimpleScalarSanitizer or
+ node instanceof SimpleTypeSanitizer or
 node instanceof JndiInjectionSanitizer
 }
 
diff --git a/java/ql/lib/semmle/code/java/security/LdapInjection.qll b/java/ql/lib/semmle/code/java/security/LdapInjection.qll
index c1fad32eca45..d76d6f5f8572 100644
--- a/java/ql/lib/semmle/code/java/security/LdapInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/LdapInjection.qll
@@ -34,8 +34,7 @@ private class DefaultLdapInjectionSink extends LdapInjectionSink {
 }
 /** A sanitizer that clears the taint on (boxed) primitive types. */
-private class DefaultLdapSanitizer extends LdapInjectionSanitizer instanceof SimpleScalarSanitizer {
-}
+private class DefaultLdapSanitizer extends LdapInjectionSanitizer instanceof SimpleTypeSanitizer { }
 /**
 * Holds if `n1` to `n2` is a dataflow step that converts between `String` and `LdapName`,
diff --git a/java/ql/lib/semmle/code/java/security/LogInjection.qll b/java/ql/lib/semmle/code/java/security/LogInjection.qll
index 2e3bf8dd492c..554aa8e4ebc9 100644
--- a/java/ql/lib/semmle/code/java/security/LogInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/LogInjection.qll
@@ -31,7 +31,7 @@ private class DefaultLogInjectionSink extends LogInjectionSink {
 DefaultLogInjectionSink() { sinkNode(this, "log-injection") }
 }
-private class DefaultLogInjectionSanitizer extends LogInjectionSanitizer instanceof SimpleScalarSanitizer
+private class DefaultLogInjectionSanitizer extends LogInjectionSanitizer instanceof SimpleTypeSanitizer
 { }
 private class LineBreaksLogInjectionSanitizer extends LogInjectionSanitizer {
diff --git a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll
index f15b9e9ae862..259f344205eb 100644
--- a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll
@@ -34,7 +34,7 @@ module OgnlInjectionFlowConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink }
- predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
+ predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
 any(OgnlInjectionAdditionalTaintStep c).step(node1, node2)
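Review bot: The QLDoc kept as context above `DefaultLdapSanitizer`, `/** A sanitizer that clears the taint on (boxed) primitive types. */`, no longer describes what the renamed supertype admits: the Sanitizers.qll hunk in this same patch shows `SimpleTypeSanitizer` also matching `NumberType`, so the comment understates which nodes this barrier removes from the LDAP injection query. Suggest `/** A sanitizer that clears the taint on nodes of a simple type (primitives, boxed types, and numeric types). */`. The same drift applies to the private class name `PrimitiveSanitizer` in the RequestForgery.qll hunk and in the UnsafeUrlForward.qll hunk; both classes are private, so renaming them to the `Default*Sanitizer` pattern the other files in this patch already use (e.g. `DefaultRequestForgerySanitizer`) is safe and stops a reader from assuming only primitives are excluded.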
diff --git a/java/ql/lib/semmle/code/java/security/RequestForgery.qll b/java/ql/lib/semmle/code/java/security/RequestForgery.qll
index 57e095ecce26..7a72faeb5e4d 100644
--- a/java/ql/lib/semmle/code/java/security/RequestForgery.qll
+++ b/java/ql/lib/semmle/code/java/security/RequestForgery.qll
@@ -60,8 +60,7 @@ private class DefaultRequestForgerySink extends RequestForgerySink {
 /** A sanitizer for request forgery vulnerabilities. */
 abstract class RequestForgerySanitizer extends DataFlow::Node { }
-private class PrimitiveSanitizer extends RequestForgerySanitizer instanceof SimpleScalarSanitizer {
-}
+private class PrimitiveSanitizer extends RequestForgerySanitizer instanceof SimpleTypeSanitizer { }
 private class HostnameSanitizingPrefix extends InterestingPrefix {
 int offset;
diff --git a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll
index 59709221d0b1..40e1ec1b4dbb 100644
--- a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll
@@ -17,7 +17,7 @@ module ResponseSplittingConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
 predicate isBarrier(DataFlow::Node node) {
- node instanceof SimpleScalarSanitizer
+ node instanceof SimpleTypeSanitizer
 or
 exists(MethodCall ma, string methodName, CompileTimeConstantExpr target |
 node.asExpr() = ma and
diff --git a/java/ql/lib/semmle/code/java/security/Sanitizers.qll b/java/ql/lib/semmle/code/java/security/Sanitizers.qll
index b97740f52da6..f9cb886b2cc0 100644
--- a/java/ql/lib/semmle/code/java/security/Sanitizers.qll
+++ b/java/ql/lib/semmle/code/java/security/Sanitizers.qll
@@ -4,10 +4,10 @@ import java
 private import semmle.code.java.dataflow.DataFlow
 /**
- * A node whose type is a common scalar type, such as primitives or their boxed counterparts.
+ * A node whose type is a simple type unlikely to carry taint, such as primitives or their boxed counterparts.
 */
-class SimpleScalarSanitizer extends DataFlow::Node {
- SimpleScalarSanitizer() {
+class SimpleTypeSanitizer extends DataFlow::Node {
+ SimpleTypeSanitizer() {
 this.getType() instanceof PrimitiveType or
 this.getType() instanceof BoxedType or
 this.getType() instanceof NumberType
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
index 0f0b44905833..a404690d408f 100644
--- a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
@@ -56,7 +56,7 @@ module SensitiveLoggerConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node sanitizer) {
 sanitizer.asExpr() instanceof LiveLiteral or
- sanitizer instanceof SimpleScalarSanitizer or
+ sanitizer instanceof SimpleTypeSanitizer or
 sanitizer.getType() instanceof TypeType
 }
diff --git a/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll b/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll
index 06db59c4a296..fe6e31900e1f 100644
--- a/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll
@@ -23,7 +23,7 @@ module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig
 predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
- predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
+ predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 }
 /**
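Review bot: The rewritten QLDoc on `SimpleTypeSanitizer` still names only primitives and their boxed counterparts, while the characteristic predicate three lines below also admits `NumberType`; since this class is now the default `isBarrier` for every configuration touched by this patch, the doc should state the complete set so a query author knows exactly which flows are being suppressed. Suggest ` * A node whose type is a simple type that cannot realistically carry taint: a primitive type, a boxed type, or a numeric type (`NumberType`).` It is also worth a sentence noting that any type added to this class removes results from every query that uses it, so widenings should be accompanied by a library test; whether such a test exists is not visible in this hunk.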
diff --git a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
index 2ae8b55054b2..4e21af713322 100644
--- a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
@@ -42,7 +42,7 @@ module QueryInjectionFlowConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
- predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
+ predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
 any(AdditionalQueryInjectionTaintStep s).step(node1, node2)
diff --git a/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll b/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll
index 5f4d69db1b26..9f32bd00b57c 100644
--- a/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll
@@ -17,7 +17,7 @@ module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
- predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
+ predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
 any(AdditionalQueryInjectionTaintStep s).step(node1, node2)
diff --git a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll
index d4f0570bacef..85265f6b169b 100644
--- a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll
@@ -58,7 +58,7 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") }
 predicate isBarrier(DataFlow::Node sanitizer) {
- sanitizer instanceof SimpleScalarSanitizer or
+ sanitizer instanceof SimpleTypeSanitizer or
 sanitizer instanceof PathInjectionSanitizer
 }
@@ -79,7 +79,7 @@ module TaintedPathLocalConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") }
 predicate isBarrier(DataFlow::Node sanitizer) {
- sanitizer instanceof SimpleScalarSanitizer or
+ sanitizer instanceof SimpleTypeSanitizer or
 sanitizer instanceof PathInjectionSanitizer
 }
diff --git a/java/ql/lib/semmle/code/java/security/TemplateInjection.qll b/java/ql/lib/semmle/code/java/security/TemplateInjection.qll
index 92427a26b0f8..f2cc980a0d81 100644
--- a/java/ql/lib/semmle/code/java/security/TemplateInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/TemplateInjection.qll
@@ -90,5 +90,5 @@ private class DefaultTemplateInjectionSink extends TemplateInjectionSink {
 DefaultTemplateInjectionSink() { sinkNode(this, "template-injection") }
 }
-private class DefaultTemplateInjectionSanitizer extends TemplateInjectionSanitizer instanceof SimpleScalarSanitizer
+private class DefaultTemplateInjectionSanitizer extends TemplateInjectionSanitizer instanceof SimpleTypeSanitizer
 { }
diff --git a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
index e56a15cb98cd..b93b3f0ca1a9 100644
--- a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
@@ -58,7 +58,7 @@ module TrustBoundaryConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node instanceof TrustBoundaryValidationSanitizer or
 node.getType() instanceof HttpServletSession or
- node instanceof SimpleScalarSanitizer
+ node instanceof SimpleTypeSanitizer
 }
 predicate isSink(DataFlow::Node sink) { sink instanceof TrustBoundaryViolationSink }
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolution.qll b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolution.qll
index 34522f0cd4d4..5537add5a2ca 100644
--- a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolution.qll
+++ b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolution.qll
@@ -43,7 +43,7 @@ private class UriOpeningContentResolverMethod extends Method {
 }
 }
-private class UninterestingTypeSanitizer extends ContentUriResolutionSanitizer instanceof SimpleScalarSanitizer
+private class UninterestingTypeSanitizer extends ContentUriResolutionSanitizer instanceof SimpleTypeSanitizer
 { }
 private class PathSanitizer extends ContentUriResolutionSanitizer instanceof PathInjectionSanitizer {
diff --git a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll
index ebcb40adedb6..028ef4863d36 100644
--- a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll
@@ -36,7 +36,7 @@ module XsltInjectionFlowConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof XsltInjectionSink }
- predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
+ predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
 any(XsltInjectionAdditionalTaintStep c).step(node1, node2)
diff --git a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
index 3161474fb90b..d08374e0318f 100644
--- a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
@@ -76,7 +76,7 @@ module PolynomialRedosConfig implements DataFlow::ConfigSig {
 }
 predicate isBarrier(DataFlow::Node node) {
- node instanceof SimpleScalarSanitizer or
+ node instanceof SimpleTypeSanitizer or
 node.asExpr().(MethodCall).getMethod() instanceof LengthRestrictedMethod
 }
 }
diff --git a/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
index 4e46e6773ca5..442c45f4328b 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
@@ -34,7 +34,7 @@ class Log4jInjectionSink extends DataFlow::Node {
 /**
 * A node that sanitizes a message before logging to avoid log injection.
 */
-class Log4jInjectionSanitizer extends DataFlow::Node instanceof SimpleScalarSanitizer { }
+class Log4jInjectionSanitizer extends DataFlow::Node instanceof SimpleTypeSanitizer { }
 /**
 * A taint-tracking configuration for tracking untrusted user input used in log entries.
diff --git a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
index aa87cf22c2b6..d0b59bf1136d 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
@@ -57,7 +57,7 @@ module InjectFilePathConfig implements DataFlow::ConfigSig {
 }
 predicate isBarrier(DataFlow::Node node) {
- node instanceof SimpleScalarSanitizer
+ node instanceof SimpleTypeSanitizer
 or
 node instanceof PathInjectionSanitizer
 }
diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll
index c28305606600..a9ea1049187b 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll
@@ -21,7 +21,7 @@ module ExecCmdFlowConfig implements DataFlow::ConfigSig {
 node instanceof AssignToNonZeroIndex or
 node instanceof ArrayInitAtNonZeroIndex or
 node instanceof StreamConcatAtNonZeroIndex or
- node instanceof SimpleScalarSanitizer
+ node instanceof SimpleTypeSanitizer
 }
 }
@@ -41,7 +41,7 @@ module ExecUserFlowConfig implements DataFlow::ConfigSig {
 )
 }
- predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
+ predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 }
 /** Tracks flow of unvalidated user input that is used in Runtime.Exec */
diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
index bb5a59f5e2be..e57795431257 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
@@ -25,7 +25,7 @@ private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSi
 predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisAnnotatedMethodCallArgument }
- predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
+ predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
 exists(MethodCall ma |
diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
index 5f7612be2952..32cd2904dcee 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
@@ -25,7 +25,7 @@ private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig
 predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisMapperMethodCallAnArgument }
- predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
+ predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
 exists(MethodCall ma |
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
index 65756c249fc7..91d3fc28744e 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
@@ -39,7 +39,7 @@ module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::ConfigSig
 not aa.getIndexExpr().(CompileTimeConstantExpr).getIntValue() = 0
 )
 or
- node instanceof SimpleScalarSanitizer
+ node instanceof SimpleTypeSanitizer
 }
 }
diff --git a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll
index 5d50f9de539e..1baec2dd1fa5 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll
@@ -129,7 +129,7 @@ private class SpringModelAndViewSink extends UnsafeUrlForwardSink {
 }
 }
-private class PrimitiveSanitizer extends UnsafeUrlForwardSanitizer instanceof SimpleScalarSanitizer {
+private class PrimitiveSanitizer extends UnsafeUrlForwardSanitizer instanceof SimpleTypeSanitizer {
 }
 private class SanitizingPrefix extends InterestingPrefix {
From fcbee1994b980829152c119b701463ca8ecc18d4 Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Mon, 22 Jan 2024 23:57:31 -0500
Subject: [PATCH 10/10] Update change note
---
...roduce-simplescalarsanitizer-class-for-common-sanitizer.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/java/ql/lib/change-notes/2024-01-20-introduce-simplescalarsanitizer-class-for-common-sanitizer.md b/java/ql/lib/change-notes/2024-01-20-introduce-simplescalarsanitizer-class-for-common-sanitizer.md
index 11e446502f75..f40fa257685a 100644
--- a/java/ql/lib/change-notes/2024-01-20-introduce-simplescalarsanitizer-class-for-common-sanitizer.md
+++ b/java/ql/lib/change-notes/2024-01-20-introduce-simplescalarsanitizer-class-for-common-sanitizer.md
@@ -1,5 +1,5 @@
 ---
 category: feature
 ---
-* Added a new library `semmle.code.java.security.dataflow.CommonSanitizers` which contains a new sanitizer class `SimpleScalarSanitizer`, which represents nodes which cannot realistically carry taint for most queries (e.g. primitives, their boxed equivalents, and numeric types).
-* Converted definitions of `isBarrier` and sanitizer classes to use `SimpleScalarSanitizer` instead of checking if `node.getType()` is `PrimitiveType` or `BoxedType`.
+* Added a new library `semmle.code.java.security.Sanitizers` which contains a new sanitizer class `SimpleTypeSanitizer`, which represents nodes which cannot realistically carry taint for most queries (e.g. primitives, their boxed equivalents, and numeric types).
+* Converted definitions of `isBarrier` and sanitizer classes to use `SimpleTypeSanitizer` instead of checking if `node.getType()` is `PrimitiveType` or `BoxedType`.