Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
41 lines (36 sloc) 1.79 KB
import java
import lib.dataflow_extra.CollectionsEdges
/** General dataflow edges that are useful for hunting vulnerabilities but not included in the standard library.*/
/** Holds if `node1` is a tainted value assigned to a field and `node2` is an access to the field. This essentially
* says that if a field is assigned to a tainted value at some point, then any access to that field is considered tainted.
* This has high risk of producing FP, but worth a try to see what you get.
predicate isTaintedFieldStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(Field f, RefType t | node1.asExpr() = f.getAnAssignedValue() and node2.asExpr() = f.getAnAccess() and
node1.asExpr().getEnclosingCallable().getDeclaringType() = t and
node2.asExpr().getEnclosingCallable().getDeclaringType() = t
/** Tracks an object once any of its field is assigned to something tainted. Can be risky in terms of FP.*/
predicate taintFieldFromQualifier(DataFlow::Node n1, DataFlow::Node n2) {
exists(Field f |
n1 = DataFlow::getFieldQualifier(n2.asExpr()) and
n2.asExpr() = f.getAnAccess()
/** Tracks from an object to the output of its `toString` method. */
predicate toStringStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(MethodAccess ma | ma.getMethod().getName() = "toString" and
ma = node2.asExpr() and ma.getQualifier() = node1.asExpr()
/** Bundle up the less risky edges that are usually ok for bug hunting.*/
predicate standardExtraEdges(DataFlow::Node node1, DataFlow::Node node2) {
collectionsGetEdge(node1, node2) or
forLoopEdge(node1, node2) or
toStringStep(node1, node2) or
TaintTracking::localAdditionalTaintStep(node1, node2)
You can’t perform that action at this time.