Convert trust boundary models to MaD

egregius313 · egregius313 · commit 2857bf987152 · 2023-06-08T10:56:03.000-04:00
diff --git a/java/ql/lib/ext/org.apache.struts2.dispatcher.model.yml b/java/ql/lib/ext/org.apache.struts2.dispatcher.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+    - ["org.apache.struts2.dispatcher", "SessionMap", False, "put", "", "", "Argument[0..1]", "trust-boundary", "manual"]
diff --git a/java/ql/lib/ext/org.apache.struts2.interceptor.model.yml b/java/ql/lib/ext/org.apache.struts2.interceptor.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+    - ["org.apache.struts2.interceptor", "SessionAware", False, "setSession", "", "", "Argument[0]", "trust-boundary", "manual"]
+    - ["org.apache.struts2.interceptor", "SessionAware", False, "withSession", "", "", "Argument[0]", "trust-boundary", "manual"]
diff --git a/java/ql/lib/ext/play.mvc.model.yml b/java/ql/lib/ext/play.mvc.model.yml
@@ -16,6 +16,11 @@ extensions:
       - ["play.mvc", "Http$RequestHeader", True, "queryString", "", "", "ReturnValue", "remote", "manual"]
       - ["play.mvc", "Http$RequestHeader", True, "remoteAddress", "", "", "ReturnValue", "remote", "manual"]
       - ["play.mvc", "Http$RequestHeader", True, "uri", "", "", "ReturnValue", "remote", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["play.mvc", "Result", False, "addingToSession", "", "", "Argument[1..2]", "trust-boundary", "manual"]
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel
diff --git a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
@@ -7,11 +7,21 @@ private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.frameworks.Servlets
 
 class TrustBoundaryViolationSource extends DataFlow::Node {
-  TrustBoundaryViolationSource() {
-    this instanceof RemoteFlowSource and this.asExpr().getType() instanceof HttpServletRequest
-  }
+  TrustBoundaryViolationSource() { this.asExpr().getType() instanceof HttpServletRequest }
 }
 
 class TrustBoundaryViolationSink extends DataFlow::Node {
   TrustBoundaryViolationSink() { sinkNode(this, "trust-boundary") }
 }
+
+module TrustBoundaryConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof TrustBoundaryViolationSource }
+
+  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+    n2.asExpr().(MethodAccess).getQualifier() = n1.asExpr()
+  }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof TrustBoundaryViolationSink }
+}
+
+module TrustBoundaryFlow = TaintTracking::Global<TrustBoundaryConfig>;
diff --git a/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.ql b/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.ql
@@ -14,58 +14,6 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.TrustBoundaryViolationQuery
-
-/**
- * The `setAttribute` method of the `HttpSession` interface.
- */
-abstract class SessionSetAttributeMethod extends Method {
-  abstract int getArgumentIndex();
-}
-
-private class PlayMvcResultAddingToSessionMethod extends SessionSetAttributeMethod {
-  PlayMvcResultAddingToSessionMethod() {
-    this.getDeclaringType().hasQualifiedName("play.mvc", "Result") and
-    this.hasName("addingToSession")
-  }
-
-  override int getArgumentIndex() { result = [1, 2] }
-}
-
-private class Struts2SessionMapPutMethod extends SessionSetAttributeMethod {
-  Struts2SessionMapPutMethod() {
-    this.getDeclaringType().hasQualifiedName("org.apache.struts2.dispatcher", "SessionMap") and
-    this.hasName("put")
-  }
-
-  override int getArgumentIndex() { result = 1 }
-}
-
-private class Struts2SessionSetMethod extends SessionSetAttributeMethod {
-  Struts2SessionSetMethod() {
-    this.getDeclaringType().hasQualifiedName("org.apache.struts2.interceptor", "SessionAware") and
-    this.hasName(["setSession", "withSession"])
-  }
-
-  override int getArgumentIndex() { result = 0 }
-}
-
-module TrustBoundaryConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource and
-    source.asExpr().(MethodAccess).getQualifier().getType() instanceof HttpServletRequest
-  }
-
-  predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma, SessionSetAttributeMethod m | m = ma.getMethod() |
-      sink.asExpr() = ma.getArgument(m.getArgumentIndex())
-    )
-    or
-    sink instanceof TrustBoundaryViolationSink
-  }
-}
-
-module TrustBoundaryFlow = TaintTracking::Global<TrustBoundaryConfig>;
-
 import TrustBoundaryFlow::PathGraph
 
 from TrustBoundaryFlow::PathNode source, TrustBoundaryFlow::PathNode sink
