How codeql deal with java's interface invoke in Global Taint Tracking

[ox1234]

I write a query to find log4j2 RCE, but when i check the flow path I find the interface invoke is very wired.Here is my ql:

/**
 * @kind path-problem
 */

import java
import semmle.code.java.security.JndiInjection
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import DataFlow::PathGraph

class NoneCalledCall extends Callable{
    NoneCalledCall(){
        this.isPublic() and not
        this.getName().toLowerCase().indexOf("test") >= 0 and not
        this.getDeclaringType().getName().toLowerCase().indexOf("test") >= 0 and
        this.getName() = "info" and this.getNumberOfParameters() = 1 and 
        this.getDeclaringType().hasQualifiedName("org.apache.logging.log4j.spi", "AbstractLogger")
    }
}

predicate overTaint(Expr src, Expr dest) {
    exists(Call call| call.getAnArgument() = src and call = dest)
}


// predicate needSanitizer(Expr src) {
//     exists(Call call | call.getAnArgument() = src and call.getCallee().getName() = "isEnabled")
// }

class Log4jRCEConfiguration extends TaintTracking::Configuration{
    Log4jRCEConfiguration(){
        this = "Log4jRCEConfiguration"
    }

    override predicate isSource(DataFlow::Node source) {
        exists(NoneCalledCall api | api.getParameter(0).getType() instanceof TypeString and api.getParameter(0) = source.asParameter())
    }

    override predicate isSink(DataFlow::Node sink) {
        sink instanceof JndiInjectionSink
    }

    override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node dest) {
        overTaint(src.asExpr(), dest.asExpr())
    }

    // override predicate isSanitizer(DataFlow::Node src) {
    //     needSanitizer(src.asExpr())
    // }
}


from DataFlow::PathNode source, DataFlow::PathNode sink, Log4jRCEConfiguration config
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "has poential JNDI Injection"

I run this query and get the following results:

Here is a interface invoke

This interface has many sub classes, but codeql data flow only pick the RoutingAppender to do data flow analyze

Here is the following data flow path:

So I'm confused why the data flow is only through RoutingAppender but not other sub classes? Can someone help?

[atorralba]

Normally, virtual dispatch will consider a valid target any method in the inheriting classes that is a viable implementation of the callable (append in this case), so the data flow library should be considering all implementations of the Appender interface.

What you are seeing here could probably be happening because the paths that go from source to sink only go through RoutingAppender, and not any other implementation of Appender. Alternatively, there are paths that go through the other implementations, but the flow is being lost in there for some reason, and thus the query isn't reporting the path. Have you reviewed those other implementations and confirmed whether they end up reaching the JNDI sink? If so, could there be a step in there that could cause the loss of flow? (e.g. a log message being converted to a LogEvent).

[ox1234]

Thanks for your reply. I found the default setting shows only four path in the result tab, so if I change the default settings it shows other paths. So this is my fault.

But i have another problem: there is too many paths flow to JNDI sink. It seems CodeQL data flow will go through all implementations of Appender interface and it makes many false positive. I want to limit the type of appender as a particular sub type of Appender interface.Is there any way to do this?

[atorralba]

If you want to prune all paths that go through Appender implementations you aren't interested in, you can try adding the parameter node of those append methods as a sanitizer in your taint tracking configuration.

[ox1234]

Thanks for your help, I will have a try.