Java: Refactor part of TaintTrackingUtil.qll #4430
Merged
joefarebrother
merged 16 commits into
github:main
from
joefarebrother:tainttrackingutils-refactor
Oct 15, 2020
551d86c
Java: Define classes for taint propagation methods
joefarebrother ff6c5c2
Java: Start TaintTrackingUtils refactor
joefarebrother ca60f2c
Java: Fix failing tests
joefarebrother 60a7666
Java: Refactor Android SQLite flow steps
joefarebrother 92fd8c4
Java: Move new definitions to new file
joefarebrother 79209af
Java: Refactor out flow steps for more frameworks.
joefarebrother 91ce02a
Java: Fix bug involving varadic parameters
joefarebrother a510f58
Java: Implement code review changes
joefarebrother 5d487b9
Java: Merge `TaintPreservingMethod` with `TaintTransferringMethod`
joefarebrother ca90383
Java: Add `this.` and fix mistake
joefarebrother 4a8b7f6
Java: Rename returnsTaint to returnsTaintFrom
joefarebrother 7e2c49f
Java: Fix a couple of flow step issues
joefarebrother eafde05
Java: Expand flow step refactoring to Callables
joefarebrother 3416911
Java: Refector out StringBuilder and Number taint preserving callables
joefarebrother aa8bacb
Java: Update test output
joefarebrother b2a2412
Java: Clean up the constructor flow steps
joefarebrother File filter
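--- /dev/null
+++ b/NEW_FILE_PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,141 @@
+/**
+* Provides classes representing various flow steps for taint tracking.
+*/
+
+private import java
+private import semmle.code.java.dataflow.DataFlow
+
+/**
+* A module importing the frameworks that implement additional flow steps,
+* ensuring that they are visible to the taint tracking library.
+*/
+module Frameworks {
+private import semmle.code.java.frameworks.jackson.JacksonSerializability
+private import semmle.code.java.frameworks.android.Intent
+private import semmle.code.java.frameworks.android.SQLite
+private import semmle.code.java.frameworks.Guice
+private import semmle.code.java.frameworks.Protobuf
+}
+
+/**
+* A unit class for adding additional taint steps.
+*
+* Extend this class to add additional taint steps that should apply to all
+* taint configurations.
+*/
+class AdditionalTaintStep extends Unit {
+/**
+* Holds if the step from `node1` to `node2` should be considered a taint
+* step for all configurations.
+*/
+abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
+}
+
+/**
+* A method or constructor that preserves taint.
+*
+* Extend this class and override at least one of `returnsTaintFrom` or `transfersTaint`
+* to add additional taint steps through a method that should apply to all taint configurations.
+*/
+abstract class TaintPreservingCallable extends Callable {
+/**
+* Holds if this callable returns tainted data when `arg` tainted.
+* `arg` is a parameter index, or is -1 to indicate the qualifier.
+*/
+predicate returnsTaintFrom(int arg) { none() }
+
+/**
+* Holds if this callable writes tainted data to `sink` when `src` is tainted.
+* `src` and `sink` are parameter indices, or -1 to indicate the qualifier.
+*/
+predicate transfersTaint(int src, int sink) { none() }
+}
+
+private class StringTaintPreservingMethod extends TaintPreservingCallable {
+StringTaintPreservingMethod() {
+this.getDeclaringType() instanceof TypeString and
+this
+.hasName(["concat", "copyValueOf", "endsWith", "format", "formatted", "getBytes", "indent",
+"intern", "join", "repeat", "split", "strip", "stripIndent", "stripLeading",
+"stripTrailing", "substring", "toCharArray", "toLowerCase", "toString", "toUpperCase",
+"trim"])
+}
+
+override predicate returnsTaintFrom(int arg) {
+arg = -1 and not this.isStatic()
+or
+this.hasName(["concat", "copyValueOf"]) and arg = 0
+or
+this.hasName(["format", "formatted", "join"]) and arg = [0 .. getNumberOfParameters()]
+}
+}
+
+private class StringTaintPreservingConstructor extends Constructor, TaintPreservingCallable {
+StringTaintPreservingConstructor() { this.getDeclaringType() instanceof TypeString }
+
+override predicate returnsTaintFrom(int arg) { arg = 0 }
+}
+
+private class NumberTaintPreservingCallable extends TaintPreservingCallable {
+int argument;
+
+NumberTaintPreservingCallable() {
+this.getDeclaringType().getASupertype*().hasQualifiedName("java.lang", "Number") and
+(
+this instanceof Constructor and
+argument = 0
+or
+this.getName().matches(["to%String", "toByteArray", "%Value"]) and
+argument = -1
+or
+this.getName().matches(["parse%", "valueOf%", "to%String", "decode"]) and
+argument = 0
+)
+}
+
+override predicate returnsTaintFrom(int arg) { arg = argument }
+}
+
+/** Holds for the types `StringBuilder`, `StringBuffer`, and `StringWriter`. */
+private predicate stringBuilderType(RefType t) {
+t.hasQualifiedName("java.lang", "StringBuilder") or
+t.hasQualifiedName("java.lang", "StringBuffer") or
+t.hasQualifiedName("java.io", "StringWriter")
+}
+
+private class StringBuilderTaintPreservingCallable extends TaintPreservingCallable {
+StringBuilderTaintPreservingCallable() {
+exists(Method m |
+this.(Method).overrides*(m) and
+stringBuilderType(m.getDeclaringType()) and
+m.hasName(["append", "insert", "replace", "toString", "write"])
+)
+or
+this.(Constructor).getParameterType(0) instanceof RefType and
+stringBuilderType(this.getDeclaringType())
+}
+
+override predicate returnsTaintFrom(int arg) {
+arg = -1 and
+not this instanceof Constructor
+or
+this instanceof Constructor and arg = 0
+or
+this.hasName("append") and arg = 0
+or
+this.hasName("insert") and arg = 1
+or
+this.hasName("replace") and arg = 2
+}
+
+override predicate transfersTaint(int src, int sink) {
+returnsTaintFrom(src) and
+sink = -1 and
+src != -1 and
+not this instanceof Constructor
+or
+this.hasName("write") and
+src = 0 and
+sink = -1
+}
+}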
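Review bot: The inclusive range `arg = [0 .. getNumberOfParameters()]` in `StringTaintPreservingMethod.returnsTaintFrom` is the one place in this file where an argument index can exceed the declared parameter count, and it carries no comment saying why, so a reader will take it for an off-by-one. If the intent is to cover the trailing varargs parameter of `format`, `formatted` and `join`, a comment such as `// upper bound is inclusive so that arguments passed to the trailing varargs parameter are covered` would make that explicit, and it is worth confirming that the consumer of `returnsTaintFrom` maps later varargs positions back to the parameter index, since the range itself only reaches one past the last declared parameter. Separately, `getNumberOfParameters()` on that line and `returnsTaintFrom(src)` in `StringBuilderTaintPreservingCallable.transfersTaint` are the only unqualified member calls in the file; writing them as `this.getNumberOfParameters()` and `this.returnsTaintFrom(src)` matches the rest of the file.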