diff --git a/java/ql/lib/semmle/code/java/dataflow/ApiSinks.qll b/java/ql/lib/semmle/code/java/dataflow/ApiSinks.qll index 0dae848c15dae..51a633d532516 100644 --- a/java/ql/lib/semmle/code/java/dataflow/ApiSinks.qll +++ b/java/ql/lib/semmle/code/java/dataflow/ApiSinks.qll @@ -2,17 +2,15 @@ private import semmle.code.java.dataflow.DataFlow private import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.FlowSinks as FlowSinks -/** - * A data flow sink node. - */ -abstract class SinkNode extends DataFlow::Node { } +class SinkNode = FlowSinks::ApiSinkNode; /** * Module that adds all API like sinks to `SinkNode`, excluding sinks for cryptography based * queries, and queries where sinks are not succifiently defined (eg. using broad method name matching). */ -private module ApiSinks { +private module AllApiSinks { private import semmle.code.java.security.AndroidSensitiveCommunicationQuery as AndroidSensitiveCommunicationQuery private import semmle.code.java.security.ArbitraryApkInstallation as ArbitraryApkInstallation private import semmle.code.java.security.CleartextStorageAndroidDatabaseQuery as CleartextStorageAndroidDatabaseQuery 
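Review bot: The alias `class SinkNode = FlowSinks::ApiSinkNode;` has no QLDoc, whereas the abstract class it replaces was documented; I would put `/** A data flow sink node; alias of FlowSinks::ApiSinkNode. */` above it. The comment on `AllApiSinks` just below is also stale: it says the module adds the sinks to `SinkNode` and excludes cryptography sinks, but after this commit membership appears to be decided in each security library by extending `ApiSinkNode`. It should say that the module brings those libraries into scope, and "succifiently" should read "sufficiently". The module body continues outside this hunk.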
@@ -41,82 +39,12 @@ private module ApiSinks { private import semmle.code.java.security.XPath as Xpath private import semmle.code.java.security.XSS as Xss - private class AndoidIntentRedirectionQuerySinks extends SinkNode instanceof AndroidSensitiveCommunicationQuery::SensitiveCommunicationSink - { } - - private class ArbitraryApkInstallationSinks extends SinkNode instanceof ArbitraryApkInstallation::SetDataSink - { } - - private class CleartextStorageAndroidDatabaseQuerySinks extends SinkNode instanceof CleartextStorageAndroidDatabaseQuery::LocalDatabaseSink - { } - - private class CleartextStorageAndroidFilesystemQuerySinks extends SinkNode instanceof CleartextStorageAndroidFilesystemQuery::LocalFileSink - { } - - private class CleartextStorageCookieQuerySinks extends SinkNode instanceof CleartextStorageCookieQuery::CookieStoreSink - { } - - private class CleartextStorageSharedPrefsQuerySinks extends SinkNode instanceof CleartextStorageSharedPrefsQuery::SharedPreferencesSink - { } - - private class ExternallyControlledFormatStringQuerySinks extends SinkNode instanceof ExternallyControlledFormatStringQuery::StringFormatSink - { } - - private class InsecureBasicAuthSinks extends SinkNode instanceof InsecureBasicAuth::InsecureBasicAuthSink - { } - - private class InsecureTrustManagerSinks extends SinkNode instanceof InsecureTrustManager::InsecureTrustManagerSink - { } - - private class IntentUriPermissionManipulationSinks extends SinkNode instanceof IntentUriPermissionManipulation::IntentUriPermissionManipulationSink - { } - - private class InsecureLdapAuthSinks extends SinkNode instanceof InsecureLdapAuth::InsecureLdapUrlSink - { } - - private class JndiInjectionSinks extends SinkNode instanceof JndiInjection::JndiInjectionSink { } - - private class JwtSinks extends SinkNode instanceof Jwt::JwtParserWithInsecureParseSink { } - - private class OgnlInjectionSinks extends SinkNode instanceof OgnlInjection::OgnlInjectionSink { } - - private class 
SensitiveResultReceiverQuerySinks extends SinkNode instanceof SensitiveResultReceiverQuery::SensitiveResultReceiverSink - { } - - private class SensitiveUiQuerySinks extends SinkNode instanceof SensitiveUiQuery::TextFieldSink { - } - - private class SpelInjectionSinks extends SinkNode instanceof SpelInjection::SpelExpressionEvaluationSink - { } - - private class QueryInjectionSinks extends SinkNode instanceof QueryInjection::QueryInjectionSink { - } - - private class TempDirLocalInformationDisclosureSinks extends SinkNode instanceof TempDirLocalInformationDisclosureQuery::MethodFileDirectoryCreationSink - { } - - private class UnsafeAndroidAccessSinks extends SinkNode instanceof UnsafeAndroidAccess::UrlResourceSink - { } - - private class UnsafeContentUriResolutionSinks extends SinkNode instanceof UnsafeContentUriResolution::ContentUriResolutionSink - { } - - private class UnsafeDeserializationQuerySinks extends SinkNode instanceof UnsafeDeserializationQuery::UnsafeDeserializationSink - { } - - private class UrlRedirectSinks extends SinkNode instanceof UrlRedirect::UrlRedirectSink { } - - private class WebviewDebugEnabledQuery extends SinkNode instanceof WebviewDebuggingEnabledQuery::WebviewDebugSink - { } - - private class XPathSinks extends SinkNode instanceof Xpath::XPathInjectionSink { } - private class XssSinks extends SinkNode instanceof Xss::XssSink { } /** * Add all models as data sinks. */ - private class SinkNodeExternal extends SinkNode { - SinkNodeExternal() { sinkNode(this, _) } + private class ApiSinkNodeExternal extends SinkNode { + ApiSinkNodeExternal() { sinkNode(this, _) } } } diff --git a/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll index 9773d00849fd1..607ced09b2cf0 100644 --- a/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll 
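Review bot: With the wrapper classes gone, none of the `private import ... as Alias` lines kept in `AllApiSinks` is referenced by name in the visible code, so they read as dead imports. They are presumably what brings the `ApiSinkNode` subclasses into scope (the definition of `ApiSinkNode` is not in this diff, so confirm); if so, a later unused-import cleanup could shrink the API sink set without any compile error, which for a security query pack means silently lost coverage. I would add a comment above the import list such as `// Required: these imports bring the ApiSinkNode subclasses of each security library into scope.` and pin the expected sink set with a test, since none is visible in this part of the diff. The module starts outside this hunk.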
@@ -4,6 +4,7 @@ import java import semmle.code.java.dataflow.TaintTracking import semmle.code.java.frameworks.android.Intent import semmle.code.java.security.SensitiveActions +private import semmle.code.java.dataflow.FlowSinks /** * Gets regular expression for matching names of Android variables that indicate the value being held contains sensitive information. @@ -154,7 +155,7 @@ deprecated class SensitiveCommunicationConfig extends TaintTracking::Configurati /** * A class of sensitive communication sink nodes. */ -class SensitiveCommunicationSink extends DataFlow::Node { +class SensitiveCommunicationSink extends ApiSinkNode { SensitiveCommunicationSink() { isSensitiveBroadcastSink(this) or diff --git a/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallation.qll b/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallation.qll index d5f4b224fa9df..d7c5fe94f28ac 100644 --- a/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallation.qll +++ b/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallation.qll @@ -4,6 +4,7 @@ import java import semmle.code.java.frameworks.android.Intent import semmle.code.java.dataflow.DataFlow private import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.FlowSinks private import semmle.code.java.dataflow.FlowSources /** A string literal that represents the MIME type for Android APKs. */ @@ -48,7 +49,7 @@ class SetDataMethod extends Method { } /** A dataflow sink for the URI of an intent. */ -class SetDataSink extends DataFlow::ExprNode { +class SetDataSink extends ApiSinkNode, DataFlow::ExprNode { SetDataSink() { exists(MethodCall ma | this.getExpr() = ma.getQualifier() and diff --git a/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidDatabaseQuery.qll b/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidDatabaseQuery.qll index 5fd6df58c0c7a..b4162f2c6957e 100644 --- a/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidDatabaseQuery.qll 
+++ b/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidDatabaseQuery.qll @@ -6,6 +6,7 @@ import semmle.code.java.frameworks.android.ContentProviders import semmle.code.java.frameworks.android.Intent import semmle.code.java.frameworks.android.SQLite import semmle.code.java.security.CleartextStorageQuery +private import semmle.code.java.dataflow.FlowSinks private import semmle.code.java.dataflow.FlowSources private class LocalDatabaseCleartextStorageSink extends CleartextStorageSink { @@ -107,7 +108,7 @@ class LocalDatabaseOpenMethodCallSource extends ApiSourceNode { /** * A class of local database sink nodes. */ -class LocalDatabaseSink extends DataFlow::Node { +class LocalDatabaseSink extends ApiSinkNode { LocalDatabaseSink() { localDatabaseInput(this, _) or localDatabaseStore(this, _) } } diff --git a/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidFilesystemQuery.qll b/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidFilesystemQuery.qll index db360bc2e663e..8b1af7b4971fc 100644 --- a/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidFilesystemQuery.qll +++ b/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidFilesystemQuery.qll @@ -5,10 +5,11 @@ import java import semmle.code.java.dataflow.DataFlow -private import semmle.code.java.dataflow.ExternalFlow -private import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.CleartextStorageQuery import semmle.code.xml.AndroidManifest +private import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.FlowSinks +private import semmle.code.java.dataflow.FlowSources private class AndroidFilesystemCleartextStorageSink extends CleartextStorageSink { AndroidFilesystemCleartextStorageSink() { 
@@ -90,7 +91,7 @@ class LocalFileOpenCallSource extends ApiSourceNode { /** * A class of local file sink nodes. */ -class LocalFileSink extends DataFlow::Node { +class LocalFileSink extends ApiSinkNode { LocalFileSink() { filesystemInput(this, _) or closesFile(this, _) diff --git a/java/ql/lib/semmle/code/java/security/CleartextStorageCookieQuery.qll b/java/ql/lib/semmle/code/java/security/CleartextStorageCookieQuery.qll index da7cb8aecacaf..c3684646bdd35 100644 --- a/java/ql/lib/semmle/code/java/security/CleartextStorageCookieQuery.qll +++ b/java/ql/lib/semmle/code/java/security/CleartextStorageCookieQuery.qll @@ -4,6 +4,7 @@ import java import semmle.code.java.dataflow.DataFlow deprecated import semmle.code.java.dataflow.DataFlow3 import semmle.code.java.security.CleartextStorageQuery +private import semmle.code.java.dataflow.FlowSinks private import semmle.code.java.dataflow.FlowSources private class CookieCleartextStorageSink extends CleartextStorageSink { @@ -48,7 +49,7 @@ class CookieSource extends ApiSourceNode { /** * A class of cookie store sink nodes. */ -class CookieStoreSink extends DataFlow::Node { +class CookieStoreSink extends ApiSinkNode { CookieStoreSink() { cookieStore(this, _) } } diff --git a/java/ql/lib/semmle/code/java/security/CleartextStorageSharedPrefsQuery.qll b/java/ql/lib/semmle/code/java/security/CleartextStorageSharedPrefsQuery.qll index 1b0e61bbfaa29..80dc2fca1f4f1 100644 --- a/java/ql/lib/semmle/code/java/security/CleartextStorageSharedPrefsQuery.qll +++ b/java/ql/lib/semmle/code/java/security/CleartextStorageSharedPrefsQuery.qll @@ -4,6 +4,7 @@ import java import semmle.code.java.dataflow.DataFlow import semmle.code.java.frameworks.android.SharedPreferences import semmle.code.java.security.CleartextStorageQuery +private import semmle.code.java.dataflow.FlowSinks private import semmle.code.java.dataflow.FlowSources private class SharedPrefsCleartextStorageSink extends CleartextStorageSink { 
@@ -80,7 +81,7 @@ class SharedPreferencesEditorMethodCallSource extends ApiSourceNode { /** * A class of shared preferences sink nodes. */ -class SharedPreferencesSink extends DataFlow::Node { +class SharedPreferencesSink extends ApiSinkNode { SharedPreferencesSink() { sharedPreferencesInput(this, _) or sharedPreferencesStore(this, _) diff --git a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll index 2fc622325deaf..8d6fe0426c3cd 100644 --- a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll @@ -1,13 +1,14 @@ /** Provides a taint-tracking configuration to reason about externally controlled format string vulnerabilities. */ import java +private import semmle.code.java.dataflow.FlowSinks private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.StringFormat /** * A class of string format sink nodes. */ -class StringFormatSink extends DataFlow::Node { +class StringFormatSink extends ApiSinkNode { StringFormatSink() { this.asExpr() = any(StringFormat formatCall).getFormatArgument() } } diff --git a/java/ql/lib/semmle/code/java/security/InsecureBasicAuth.qll b/java/ql/lib/semmle/code/java/security/InsecureBasicAuth.qll index df9b6bdf4a11a..b21492406adff 100644 --- a/java/ql/lib/semmle/code/java/security/InsecureBasicAuth.qll +++ b/java/ql/lib/semmle/code/java/security/InsecureBasicAuth.qll @@ -4,6 +4,7 @@ import java import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.HttpsUrls +private import semmle.code.java.dataflow.FlowSinks /** * A source that represents HTTP URLs. 
@@ -20,7 +21,7 @@ private class DefaultInsecureBasicAuthSource extends InsecureBasicAuthSource { * A sink that represents a method that sets Basic Authentication. * Extend this class to add your own Insecure Basic Authentication sinks. */ -abstract class InsecureBasicAuthSink extends DataFlow::Node { } +abstract class InsecureBasicAuthSink extends ApiSinkNode { } /** A default sink representing methods that set an Authorization header. */ private class DefaultInsecureBasicAuthSink extends InsecureBasicAuthSink { diff --git a/java/ql/lib/semmle/code/java/security/InsecureLdapAuth.qll b/java/ql/lib/semmle/code/java/security/InsecureLdapAuth.qll index 9a8cd91b1fcf0..52d58afc9e76e 100644 --- a/java/ql/lib/semmle/code/java/security/InsecureLdapAuth.qll +++ b/java/ql/lib/semmle/code/java/security/InsecureLdapAuth.qll @@ -2,6 +2,7 @@ import java private import semmle.code.java.dataflow.DataFlow +private import semmle.code.java.dataflow.FlowSinks private import semmle.code.java.frameworks.Networking private import semmle.code.java.frameworks.Jndi @@ -32,7 +33,7 @@ class InsecureLdapUrl extends Expr { /** * A sink representing the construction of a `DirContextEnvironment`. */ -class InsecureLdapUrlSink extends DataFlow::Node { +class InsecureLdapUrlSink extends ApiSinkNode { InsecureLdapUrlSink() { exists(ConstructorCall cc | cc.getConstructedType().getAnAncestor() instanceof TypeDirContext and diff --git a/java/ql/lib/semmle/code/java/security/InsecureTrustManager.qll b/java/ql/lib/semmle/code/java/security/InsecureTrustManager.qll index 592aeaeb56579..f43fc9712ca04 100644 --- a/java/ql/lib/semmle/code/java/security/InsecureTrustManager.qll +++ b/java/ql/lib/semmle/code/java/security/InsecureTrustManager.qll 
@@ -1,8 +1,9 @@ /** Provides classes and predicates to reason about insecure `TrustManager`s. */ import java -private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.controlflow.Guards +private import semmle.code.java.dataflow.FlowSinks +private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.security.Encryption private import semmle.code.java.security.SecurityFlag @@ -19,7 +20,7 @@ private class DefaultInsecureTrustManagerSource extends InsecureTrustManagerSour * The use of a `TrustManager` in an SSL context. * Intentionally insecure connections are not considered sinks. */ -abstract class InsecureTrustManagerSink extends DataFlow::Node { +abstract class InsecureTrustManagerSink extends ApiSinkNode { InsecureTrustManagerSink() { not isGuardedByInsecureFlag(this) } } diff --git a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulation.qll b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulation.qll index 4309af8b3c808..2f9470f2bb9aa 100644 --- a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulation.qll +++ b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulation.qll @@ -6,6 +6,7 @@ import java private import semmle.code.java.controlflow.Guards private import semmle.code.java.dataflow.DataFlow +private import semmle.code.java.dataflow.FlowSinks private import semmle.code.java.dataflow.TaintTracking private import semmle.code.java.frameworks.android.Android private import semmle.code.java.frameworks.android.Intent 
@@ -14,7 +15,7 @@ private import semmle.code.java.frameworks.android.Intent * A sink for Intent URI permission manipulation vulnerabilities in Android, * that is, method calls that return an Intent as the result of an Activity. */ -abstract class IntentUriPermissionManipulationSink extends DataFlow::Node { } +abstract class IntentUriPermissionManipulationSink extends ApiSinkNode { } /** * A sanitizer that makes sure that an Intent is safe to be returned to another Activity. diff --git a/java/ql/lib/semmle/code/java/security/JWT.qll b/java/ql/lib/semmle/code/java/security/JWT.qll index eb60268864488..c84ebffabdbd0 100644 --- a/java/ql/lib/semmle/code/java/security/JWT.qll +++ b/java/ql/lib/semmle/code/java/security/JWT.qll @@ -2,6 +2,7 @@ import java private import semmle.code.java.dataflow.DataFlow +private import semmle.code.java.dataflow.FlowSinks private import semmle.code.java.dataflow.FlowSources /** A method access that assigns signing keys to a JWT parser. */ @@ -25,7 +26,7 @@ class JwtParserWithInsecureParseSource extends ApiSourceNode { * the qualifier of a call to a `parse(token, handler)` method * where the `handler` is considered insecure. */ -class JwtParserWithInsecureParseSink extends DataFlow::Node { +class JwtParserWithInsecureParseSink extends ApiSinkNode { MethodCall insecureParseMa; JwtParserWithInsecureParseSink() { diff --git a/java/ql/lib/semmle/code/java/security/JndiInjection.qll b/java/ql/lib/semmle/code/java/security/JndiInjection.qll index d7282996057d9..3df8d6df378eb 100644 --- a/java/ql/lib/semmle/code/java/security/JndiInjection.qll +++ b/java/ql/lib/semmle/code/java/security/JndiInjection.qll 
@@ -3,11 +3,12 @@ import java private import semmle.code.java.dataflow.DataFlow private import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.FlowSinks private import semmle.code.java.frameworks.Jndi private import semmle.code.java.frameworks.SpringLdap /** A data flow sink for unvalidated user input that is used in JNDI lookup. */ -abstract class JndiInjectionSink extends DataFlow::Node { } +abstract class JndiInjectionSink extends ApiSinkNode { } /** A sanitizer for JNDI injection vulnerabilities. */ abstract class JndiInjectionSanitizer extends DataFlow::Node { } diff --git a/java/ql/lib/semmle/code/java/security/OgnlInjection.qll b/java/ql/lib/semmle/code/java/security/OgnlInjection.qll index d5297702bef46..37f31618fc320 100644 --- a/java/ql/lib/semmle/code/java/security/OgnlInjection.qll +++ b/java/ql/lib/semmle/code/java/security/OgnlInjection.qll @@ -2,6 +2,7 @@ import java private import semmle.code.java.dataflow.DataFlow +private import semmle.code.java.dataflow.FlowSinks private import semmle.code.java.dataflow.ExternalFlow private import semmle.code.java.frameworks.MyBatis @@ -10,7 +11,7 @@ private import semmle.code.java.frameworks.MyBatis * * Extend this class to add your own OGNL injection sinks. */ -abstract class OgnlInjectionSink extends DataFlow::Node { } +abstract class OgnlInjectionSink extends ApiSinkNode { } /** * A unit class for adding additional taint steps. diff --git a/java/ql/lib/semmle/code/java/security/QueryInjection.qll b/java/ql/lib/semmle/code/java/security/QueryInjection.qll index aa92aa16a14c3..df316155ba1a4 100644 --- a/java/ql/lib/semmle/code/java/security/QueryInjection.qll +++ b/java/ql/lib/semmle/code/java/security/QueryInjection.qll 
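Review bot: In `OgnlInjection.qll` the new `private import semmle.code.java.dataflow.FlowSinks` is placed before `ExternalFlow`, while the other files in this commit that import both (for example `JndiInjection.qll` and `ArbitraryApkInstallation.qll`) place it after `ExternalFlow`. Moving it one line down keeps the import block in the same alphabetical order as the rest of the change: `private import semmle.code.java.dataflow.ExternalFlow` followed by `private import semmle.code.java.dataflow.FlowSinks`.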
@@ -5,9 +5,10 @@ import semmle.code.java.dataflow.DataFlow import semmle.code.java.frameworks.javaee.Persistence private import semmle.code.java.frameworks.MyBatis private import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.FlowSinks /** A sink for database query language injection vulnerabilities. */ -abstract class QueryInjectionSink extends DataFlow::Node { } +abstract class QueryInjectionSink extends ApiSinkNode { } /** * A unit class for adding additional taint steps. diff --git a/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll index 13a4b562a50e3..c0179860a01d8 100644 --- a/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll @@ -4,6 +4,7 @@ import java import semmle.code.java.dataflow.TaintTracking import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.SensitiveActions +private import semmle.code.java.dataflow.FlowSinks private class ResultReceiverSendCall extends MethodCall { ResultReceiverSendCall() { @@ -53,7 +54,7 @@ deprecated private class SensitiveResultReceiverConf extends TaintTracking::Conf /** * A class of sensitive result receiver sink nodes. */ -class SensitiveResultReceiverSink extends DataFlow::Node { +class SensitiveResultReceiverSink extends ApiSinkNode { SensitiveResultReceiverSink() { exists(ResultReceiverSendCall call | untrustedResultReceiverSend(_, call) and diff --git a/java/ql/lib/semmle/code/java/security/SensitiveUiQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveUiQuery.qll index 884ab40a3239c..63949f7e4ca18 100644 --- a/java/ql/lib/semmle/code/java/security/SensitiveUiQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SensitiveUiQuery.qll 
@@ -2,6 +2,7 @@ import java private import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.FlowSinks private import semmle.code.java.dataflow.TaintTracking private import semmle.code.java.security.SensitiveActions private import semmle.code.java.frameworks.android.Layout @@ -56,7 +57,7 @@ private class MaskCall extends MethodCall { /** * A class of test field sink nodes. */ -class TextFieldSink extends DataFlow::Node { +class TextFieldSink extends ApiSinkNode { TextFieldSink() { exists(SetTextCall call | this.asExpr() = call.getStringArgument() and diff --git a/java/ql/lib/semmle/code/java/security/SpelInjection.qll b/java/ql/lib/semmle/code/java/security/SpelInjection.qll index 1aed2049afe45..13eb195eae463 100644 --- a/java/ql/lib/semmle/code/java/security/SpelInjection.qll +++ b/java/ql/lib/semmle/code/java/security/SpelInjection.qll @@ -2,10 +2,11 @@ import java private import semmle.code.java.dataflow.DataFlow +private import semmle.code.java.dataflow.FlowSinks private import semmle.code.java.frameworks.spring.SpringExpression /** A data flow sink for unvalidated user input that is used to construct SpEL expressions. */ -abstract class SpelExpressionEvaluationSink extends DataFlow::ExprNode { } +abstract class SpelExpressionEvaluationSink extends ApiSinkNode, DataFlow::ExprNode { } /** * A unit class for adding additional taint steps. diff --git a/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll b/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll index 970363fe54397..96db99fe1b4a4 100644 --- a/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll 
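Review bot: The QLDoc kept above `TextFieldSink` in `SensitiveUiQuery.qll` reads "A class of test field sink nodes."; since the class declaration is being edited anyway, correct it to `A class of text field sink nodes.`. The class now extends `ApiSinkNode`, so if inclusion in the API sink set is intended for every node it matches, a second sentence in that comment saying so would save a reader from having to trace the supertype. The class body continues outside the hunk.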
@@ -1,6 +1,7 @@ /** Provides classes to reason about local information disclosure in a temporary directory. */ import java +private import semmle.code.java.dataflow.FlowSinks private import semmle.code.java.dataflow.TaintTracking private import semmle.code.java.os.OSCheck private import semmle.code.java.security.TempDirUtils @@ -156,7 +157,7 @@ module TempDirSystemGetPropertyToCreate = /** * A class of method file directory creation sink nodes. */ -class MethodFileDirectoryCreationSink extends DataFlow::Node { +class MethodFileDirectoryCreationSink extends ApiSinkNode { MethodFileDirectoryCreationSink() { exists(MethodCall ma | ma.getMethod() instanceof MethodFileDirectoryCreation | ma.getQualifier() = this.asExpr() diff --git a/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccess.qll b/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccess.qll index 499475cff3ec4..afd3af221bedf 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccess.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccess.qll @@ -4,6 +4,7 @@ import java private import semmle.code.java.dataflow.DataFlow +private import semmle.code.java.dataflow.FlowSinks private import semmle.code.java.frameworks.android.WebView private import semmle.code.java.frameworks.kotlin.Kotlin @@ -12,7 +13,7 @@ private import semmle.code.java.frameworks.kotlin.Kotlin * * Extend this class to add your own Unsafe Resource Fetching sinks. */ -abstract class UrlResourceSink extends DataFlow::Node { +abstract class UrlResourceSink extends ApiSinkNode { /** * Gets a description of this vulnerability. */ diff --git a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolution.qll b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolution.qll index 5537add5a2cac..b19d06bbf88c6 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolution.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolution.qll 
@@ -1,13 +1,14 @@ /** Provides classes to reason about vulnerabilites related to content URIs. */ import java +private import semmle.code.java.dataflow.FlowSinks private import semmle.code.java.dataflow.TaintTracking private import semmle.code.java.frameworks.android.Android private import semmle.code.java.security.PathSanitizer private import semmle.code.java.security.Sanitizers /** A URI that gets resolved by a `ContentResolver`. */ -abstract class ContentUriResolutionSink extends DataFlow::Node { } +abstract class ContentUriResolutionSink extends ApiSinkNode { } /** A sanitizer for content URIs. */ abstract class ContentUriResolutionSanitizer extends DataFlow::Node { } diff --git a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll index 272c483f7a21e..734ad4c89fe68 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll @@ -3,6 +3,7 @@ */ import semmle.code.java.dataflow.FlowSources +private import semmle.code.java.dataflow.FlowSinks private import semmle.code.java.dataflow.TaintTracking2 private import semmle.code.java.dispatch.VirtualDispatch private import semmle.code.java.frameworks.Kryo @@ -235,7 +236,7 @@ predicate unsafeDeserialization(MethodCall ma, Expr sink) { } /** A sink for unsafe deserialization. */ -class UnsafeDeserializationSink extends DataFlow::ExprNode { +class UnsafeDeserializationSink extends ApiSinkNode, DataFlow::ExprNode { UnsafeDeserializationSink() { unsafeDeserialization(_, this.getExpr()) } /** Gets a call that triggers unsafe deserialization. */ diff --git a/java/ql/lib/semmle/code/java/security/UrlRedirect.qll b/java/ql/lib/semmle/code/java/security/UrlRedirect.qll index e806905c16749..02f66e3f0e952 100644 --- a/java/ql/lib/semmle/code/java/security/UrlRedirect.qll +++ b/java/ql/lib/semmle/code/java/security/UrlRedirect.qll 
@@ -2,14 +2,15 @@ import java import semmle.code.java.dataflow.DataFlow -private import semmle.code.java.dataflow.ExternalFlow import semmle.code.java.frameworks.Servlets import semmle.code.java.frameworks.ApacheHttp +private import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.FlowSinks private import semmle.code.java.frameworks.JaxWS private import semmle.code.java.security.RequestForgery /** A URL redirection sink. */ -abstract class UrlRedirectSink extends DataFlow::Node { } +abstract class UrlRedirectSink extends ApiSinkNode { } /** A URL redirection sanitizer. */ abstract class UrlRedirectSanitizer extends DataFlow::Node { } diff --git a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll index d2a21be95e0a6..c7fd51b1c367a 100644 --- a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll +++ b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll @@ -4,6 +4,7 @@ import java import semmle.code.java.dataflow.DataFlow import semmle.code.java.controlflow.Guards import semmle.code.java.security.SecurityTests +private import semmle.code.java.dataflow.FlowSinks /** Holds if `ex` looks like a check that this is a debug build. */ private predicate isDebugCheck(Expr ex) { @@ -47,7 +48,7 @@ deprecated class WebviewDebugEnabledConfig extends DataFlow::Configuration { /** * A class of webview debug sink nodes. */ -class WebviewDebugSink extends DataFlow::Node { +class WebviewDebugSink extends ApiSinkNode { WebviewDebugSink() { exists(MethodCall ma | ma.getMethod().hasQualifiedName("android.webkit", "WebView", "setWebContentsDebuggingEnabled") and diff --git a/java/ql/lib/semmle/code/java/security/XPath.qll b/java/ql/lib/semmle/code/java/security/XPath.qll index 573d6530b330a..c2992fdc272ad 100644 --- a/java/ql/lib/semmle/code/java/security/XPath.qll +++ b/java/ql/lib/semmle/code/java/security/XPath.qll 
@@ -3,12 +3,13 @@ import java import semmle.code.java.dataflow.DataFlow private import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.FlowSinks /** * A sink that represents a method that interprets XPath expressions. * Extend this class to add your own XPath Injection sinks. */ -abstract class XPathInjectionSink extends DataFlow::Node { } +abstract class XPathInjectionSink extends ApiSinkNode { } /** A default sink representing methods susceptible to XPath Injection attacks. */ private class DefaultXPathInjectionSink extends XPathInjectionSink { diff --git a/java/ql/lib/semmle/code/java/security/XSS.qll b/java/ql/lib/semmle/code/java/security/XSS.qll index aa69e5e7865f7..43986361ebe7f 100644 --- a/java/ql/lib/semmle/code/java/security/XSS.qll +++ b/java/ql/lib/semmle/code/java/security/XSS.qll @@ -10,9 +10,10 @@ private import semmle.code.java.frameworks.hudson.Hudson import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.TaintTracking private import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.FlowSinks /** A sink that represent a method that outputs data without applying contextual output encoding. */ -abstract class XssSink extends DataFlow::Node { } +abstract class XssSink extends ApiSinkNode { } /** A sanitizer that neutralizes dangerous characters that can be used to perform a XSS attack. */ abstract class XssSanitizer extends DataFlow::Node { }