From 39ac4979bfd29a257ff8fabefd6e758f2f9b4336 Mon Sep 17 00:00:00 2001 From: Kasper Svendsen Date: Thu, 3 Jul 2025 12:11:36 +0200 Subject: [PATCH 1/5] Overlay: Mark RefType.getAStrictAncestor global --- java/ql/lib/semmle/code/java/Type.qll | 3 +++ 1 file changed, 3 insertions(+) diff --git a/java/ql/lib/semmle/code/java/Type.qll b/java/ql/lib/semmle/code/java/Type.qll index c30dd7012bfb..c11d250317ae 100644 --- a/java/ql/lib/semmle/code/java/Type.qll +++ b/java/ql/lib/semmle/code/java/Type.qll @@ -422,6 +422,9 @@ class RefType extends Type, Annotatable, Modifiable, @reftype { * This does not include itself, unless this type is part of a cycle * in the type hierarchy. */ + // This is marked global to avoid regressing queries that rely on magic + // bounds for efficient use of getAStrictAncestor. + overlay[global] RefType getAStrictAncestor() { result = this.getASupertype().getAnAncestor() } /** From 5dc95742f24fd8b4a0557716d014e39835c351a4 Mon Sep 17 00:00:00 2001 From: Kasper Svendsen Date: Mon, 23 Jun 2025 09:02:02 +0200 Subject: [PATCH 2/5] Java lib qlpack: Enable overlay compilation --- java/ql/lib/qlpack.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml index d6884627794b..f29904e14c56 100644 --- a/java/ql/lib/qlpack.yml +++ b/java/ql/lib/qlpack.yml @@ -23,3 +23,4 @@ dataExtensions: - ext/generated/*.model.yml - ext/experimental/*.model.yml warnOnImplicitThis: true +compileForOverlayEval: true From 8efa1d56b6ad9fa8ba58c8885db50ad281e36439 Mon Sep 17 00:00:00 2001 From: Kasper Svendsen Date: Thu, 3 Jul 2025 12:13:40 +0200 Subject: [PATCH 3/5] Virtual dispatch must be local --- java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll | 1 + 1 file changed, 1 insertion(+) diff --git a/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll b/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll index 877a62fb9455..edd634a84c6d 100644 --- a/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll 
+++ b/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll @@ -36,6 +36,7 @@ Callable exactCallable(Call c) { private predicate implCount(MethodCall m, int c) { strictcount(viableImpl(m)) = c } /** Gets a viable implementation of the target of the given `Call`. */ +overlay[local] Callable viableCallable(Call c) { result = viableImpl(c) or From 508fd22bc8b58bea968f0e1a6805b457b3ca7af4 Mon Sep 17 00:00:00 2001 From: Kasper Svendsen Date: Tue, 1 Jul 2025 09:16:07 +0200 Subject: [PATCH 4/5] Fix java/netty-http-request-or-response-splitting overlay compilation regression --- .../src/Security/CWE/CWE-113/NettyResponseSplitting.ql | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql index fb7a40052f0b..9257808dce49 100644 --- a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql +++ b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql @@ -16,6 +16,7 @@ import java import semmle.code.java.dataflow.FlowSources +overlay[local?] abstract private class InsecureNettyObjectCreation extends ClassInstanceExpr { int vulnerableArgumentIndex; @@ -27,6 +28,7 @@ abstract private class InsecureNettyObjectCreation extends ClassInstanceExpr { abstract string splittingType(); } +overlay[local?] abstract private class RequestOrResponseSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation { override string splittingType() { result = "Request splitting or response splitting" } @@ -35,6 +37,7 @@ abstract private class RequestOrResponseSplittingInsecureNettyObjectCreation ext /** * Request splitting can allowing an attacker to inject/smuggle an additional HTTP request into the socket connection. */ +overlay[local?] abstract private class RequestSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation { override string splittingType() { result = "Request splitting" } 
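Review bot: The new `overlay[local]` on `viableCallable` carries no rationale, while the `overlay[global]` added to `RefType.getAStrictAncestor` in patch 1/5 of this series gets an explanatory comment; the commit title says virtual dispatch must be local, but a reader of the file cannot tell whether this is a hard requirement of overlay evaluation or a tuning choice, nor which consumers of `viableCallable` depend on it. Suggest a comment above the annotation, e.g. `// Virtual dispatch must be evaluated locally under overlay evaluation; contrast the overlay[global] rationale on RefType.getAStrictAncestor.` The body of `viableCallable` continues outside the hunk.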
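Review bot: Every class in `NettyResponseSplitting.ql` now receives `overlay[local?]` without a comment saying why, and the same holds for the three hunks in `TempDirLocalInformationDisclosureQuery.qll` in patch 5/5; both commit messages say the annotation fixes an overlay compilation regression, but that context is lost once the change lands. Since the series already documents the `overlay[global]` choice on `RefType.getAStrictAncestor`, a one-line comment at the first annotated class in each file (`InsecureNettyObjectCreation` here, `MethodCallInsecureFileCreation` there) would keep the files self-explanatory, e.g. `// overlay[local?] is needed for this query to compile with compileForOverlayEval; the classes below are annotated for the same reason.` As far as I can infer from the `?` suffix, the annotation is a request rather than a guarantee of locality, so the comment should not promise more than that. The body of `InsecureNettyObjectCreation` continues outside the hunk.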
@@ -43,11 +46,13 @@ abstract private class RequestSplittingInsecureNettyObjectCreation extends Insec /** * Response splitting can lead to HTTP vulnerabilities like XSS and cache poisoning. */ +overlay[local?] abstract private class ResponseSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation { override string splittingType() { result = "Response splitting" } } +overlay[local?] private class InsecureDefaultHttpHeadersClassInstantiation extends RequestOrResponseSplittingInsecureNettyObjectCreation { InsecureDefaultHttpHeadersClassInstantiation() { @@ -58,6 +63,7 @@ private class InsecureDefaultHttpHeadersClassInstantiation extends RequestOrResp } } +overlay[local?] private class InsecureDefaultHttpResponseClassInstantiation extends ResponseSplittingInsecureNettyObjectCreation { InsecureDefaultHttpResponseClassInstantiation() { @@ -66,6 +72,7 @@ private class InsecureDefaultHttpResponseClassInstantiation extends ResponseSpli } } +overlay[local?] private class InsecureDefaultHttpRequestClassInstantiation extends RequestSplittingInsecureNettyObjectCreation { InsecureDefaultHttpRequestClassInstantiation() { @@ -74,6 +81,7 @@ private class InsecureDefaultHttpRequestClassInstantiation extends RequestSplitt } } +overlay[local?] private class InsecureDefaultFullHttpResponseClassInstantiation extends ResponseSplittingInsecureNettyObjectCreation { InsecureDefaultFullHttpResponseClassInstantiation() { @@ -83,6 +91,7 @@ private class InsecureDefaultFullHttpResponseClassInstantiation extends Response } } +overlay[local?] private class InsecureDefaultFullHttpRequestClassInstantiation extends RequestSplittingInsecureNettyObjectCreation { InsecureDefaultFullHttpRequestClassInstantiation() { From 8ff13dd7f3a01e7778cde621b3571b637806b072 Mon Sep 17 00:00:00 2001 
From: Kasper Svendsen Date: Wed, 2 Jul 2025 09:30:04 +0200 Subject: [PATCH 5/5] Fix java/local-temp-file-or-directory-information-disclosure overlay compilation regression --- .../java/security/TempDirLocalInformationDisclosureQuery.qll | 3 +++ 1 file changed, 3 insertions(+) diff --git a/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll b/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll index 97ae75988b3b..1caadd3f8acd 100644 --- a/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll @@ -203,6 +203,7 @@ module TempDirSystemGetPropertyDirectlyToMkdir = /** * A `MethodCall` against a method that creates a temporary file or directory in a shared temporary directory. */ +overlay[local?] abstract class MethodCallInsecureFileCreation extends MethodCall { /** * Gets the type of entity created (e.g. `file`, `directory`, ...). @@ -218,6 +219,7 @@ abstract class MethodCallInsecureFileCreation extends MethodCall { /** * An insecure call to `java.io.File.createTempFile`. */ +overlay[local?] class MethodCallInsecureFileCreateTempFile extends MethodCallInsecureFileCreation { MethodCallInsecureFileCreateTempFile() { this.getMethod() instanceof MethodFileCreateTempFile and @@ -246,6 +248,7 @@ class MethodGuavaFilesCreateTempFile extends Method { /** * A call to the `com.google.common.io.Files.createTempDir` method. */ +overlay[local?] class MethodCallInsecureGuavaFilesCreateTempFile extends MethodCallInsecureFileCreation { MethodCallInsecureGuavaFilesCreateTempFile() { this.getMethod() instanceof MethodGuavaFilesCreateTempFile
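Review bot: The annotations cover the three `MethodCall`-based classes but not `MethodGuavaFilesCreateTempFile extends Method`, which the `@@ -246` header shows immediately above the last hunk; if the regression stems from the `MethodCall` subclasses alone that is presumably deliberate, but nothing in the file records the criterion, so the next `MethodCall` subclass added to this library has no cue to carry the annotation. Suggest a short comment at `MethodCallInsecureFileCreation` stating the convention, e.g. `// Subclasses of this class are annotated overlay[local?] as well; keep new ones consistent.` Each annotated class body continues outside its hunk.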