Java: Add Overlay version of TaintedPath and XXE.

github · Sep 13, 2024 · ff2a408 · ff2a408
1 parent 72114ec
commit ff2a408
Show file tree

Hide file tree

Showing 2 changed files with 126 additions and 0 deletions.
diff --git a/java/ql/src/Security/CWE/CWE-022/TaintedPathOverlay.ql b/java/ql/src/Security/CWE/CWE-022/TaintedPathOverlay.ql
@@ -0,0 +1,62 @@
+/**
+ * @name Uncontrolled data used in path expression
+ * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id java/path-injection
+ * @tags security
+ *       external/cwe/cwe-022
+ *       external/cwe/cwe-023
+ *       external/cwe/cwe-036
+ *       external/cwe/cwe-073
+ */
+
+base import semmle.code.java.security.TaintedPathQuery as BaseTaintedPathQuery
+base import semmle.code.java.security.Sanitizers as BaseSanitizers
+overlay import semmle.code.java.security.TaintedPathQuery as OverlayTaintedPathQuery
+overlay import semmle.code.java.security.Sanitizers as OverlaySanitizers
+import semmle.code.java.dataflow.OverlayDataFlow
+
+/**
+ * A taint-tracking configuration for tracking flow from remote sources to the creation of a path.
+ */
+module TaintedPathConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asBase() instanceof BaseTaintedPathQuery::ThreatModelFlowSource and
+    exists(OverlayTaintedPathQuery::TaintedPathSink sink)
+    or
+    source.asOverlay() instanceof OverlayTaintedPathQuery::ThreatModelFlowSource
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    sink.asBase() instanceof BaseTaintedPathQuery::TaintedPathSink and
+    exists(OverlayTaintedPathQuery::ThreatModelFlowSource source)
+    or
+    sink.asOverlay() instanceof OverlayTaintedPathQuery::TaintedPathSink
+  }
+
+  predicate isBarrier(DataFlow::Node sanitizer) {
+    sanitizer.asBase() instanceof BaseSanitizers::SimpleTypeSanitizer or
+    sanitizer.asBase() instanceof BaseTaintedPathQuery::PathInjectionSanitizer or
+    sanitizer.asOverlay() instanceof OverlaySanitizers::SimpleTypeSanitizer or
+    sanitizer.asOverlay() instanceof OverlayTaintedPathQuery::PathInjectionSanitizer
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+    any(BaseTaintedPathQuery::TaintedPathAdditionalTaintStep s).step(n1.asBase(), n2.asBase()) or
+    any(OverlayTaintedPathQuery::TaintedPathAdditionalTaintStep s)
+        .step(n1.asOverlay(), n2.asOverlay())
+  }
+}
+
+/** Tracks flow from remote sources to the creation of a path. */
+module TaintedPathFlow = TaintTracking::Global<TaintedPathConfig>;
+
+import TaintedPathFlow::PathGraph
+
+from TaintedPathFlow::PathNode source, TaintedPathFlow::PathNode sink
+where TaintedPathFlow::flowPath(source, sink)
+select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(),
+  "user-provided value"
diff --git a/java/ql/src/Security/CWE/CWE-611/XXEOverlay.ql b/java/ql/src/Security/CWE/CWE-611/XXEOverlay.ql
@@ -0,0 +1,64 @@
+/**
+ * @name Resolving XML external entity in user-controlled data
+ * @description Parsing user-controlled XML documents and allowing expansion of external entity
+ * references may lead to disclosure of confidential data or denial of service.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.1
+ * @precision high
+ * @id java/xxe
+ * @tags security
+ *       external/cwe/cwe-611
+ *       external/cwe/cwe-776
+ *       external/cwe/cwe-827
+ */
+
+base import semmle.code.java.dataflow.FlowSources as BaseFlowSources
+base import semmle.code.java.dataflow.TaintTracking as BaseTaintTracking
+base import semmle.code.java.security.XxeQuery as BaseXxeQuery
+overlay import semmle.code.java.dataflow.FlowSources as OverlayFlowSources
+overlay import semmle.code.java.dataflow.TaintTracking as OverlayTaintTracking
+overlay import semmle.code.java.security.XxeQuery as OverlayXxeQuery
+import semmle.code.java.dataflow.OverlayDataFlow
+
+/**
+ * A taint-tracking configuration for unvalidated remote user input that is used in XML external entity expansion.
+ */
+module XxeConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asBase() instanceof BaseFlowSources::ThreatModelFlowSource and
+    exists(OverlayXxeQuery::XxeSink sink)
+    or
+    source.asOverlay() instanceof OverlayFlowSources::ThreatModelFlowSource
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    sink.asBase() instanceof BaseXxeQuery::XxeSink and
+    exists(OverlayFlowSources::ThreatModelFlowSource source)
+    or
+    sink.asOverlay() instanceof OverlayXxeQuery::XxeSink
+  }
+
+  predicate isBarrier(DataFlow::Node sanitizer) {
+    sanitizer.asBase() instanceof BaseXxeQuery::XxeSanitizer or
+    sanitizer.asOverlay() instanceof OverlayXxeQuery::XxeSanitizer
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+    any(BaseXxeQuery::XxeAdditionalTaintStep s).step(n1.asBase(), n2.asBase()) or
+    any(OverlayXxeQuery::XxeAdditionalTaintStep s).step(n1.asOverlay(), n2.asOverlay())
+  }
+}
+
+/**
+ * Detect taint flow of unvalidated remote user input that is used in XML external entity expansion.
+ */
+module XxeFlow = TaintTracking::Global<XxeConfig>;
+
+import XxeFlow::PathGraph
+
+from XxeFlow::PathNode source, XxeFlow::PathNode sink
+where XxeFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+  "XML parsing depends on a $@ without guarding against external entity expansion.",
+  source.getNode(), "user-provided value"