|
| 1 | +/** |
| 2 | + * @name Tainttrack Context lookup |
| 3 | + * @description from https://mp.weixin.qq.com/s/JYco8DysQNszMohH6zJEGw |
| 4 | + * @kind path-problem |
| 5 | + * |
| 6 | + */ |
| 7 | + |
| 8 | +import java |
| 9 | +import semmle.code.java.dataflow.FlowSources |
| 10 | +import DataFlow::PathGraph |
| 11 | + |
| 12 | +class Context extends RefType { |
| 13 | + Context() { |
| 14 | + this.hasQualifiedName("javax.naming", "Context") |
| 15 | + or |
| 16 | + this.hasQualifiedName("javax.naming", "InitialContext") |
| 17 | + or |
| 18 | + this.hasQualifiedName("org.springframework.jndi", "JndiCallback") |
| 19 | + or |
| 20 | + this.hasQualifiedName("org.springframework.jndi", "JndiTemplate") |
| 21 | + or |
| 22 | + this.hasQualifiedName("org.springframework.jndi", "JndiLocatorDelegate") |
| 23 | + or |
| 24 | + this.hasQualifiedName("org.apache.shiro.jndi", "JndiCallback") |
| 25 | + or |
| 26 | + this.getQualifiedName().matches("%JndiCallback") |
| 27 | + or |
| 28 | + this.getQualifiedName().matches("%JndiLocatorDelegate") |
| 29 | + or |
| 30 | + this.getQualifiedName().matches("%JndiTemplate") |
| 31 | + } |
| 32 | +} |
| 33 | + |
| 34 | +class Logger extends RefType { |
| 35 | + Logger() { this.hasQualifiedName("org.apache.logging.log4j.spi", "AbstractLogger") } |
| 36 | +} |
| 37 | + |
| 38 | +class LoggerInput extends Method { |
| 39 | + LoggerInput() { |
| 40 | + this.getDeclaringType() instanceof Logger and |
| 41 | + this.hasName("error") and |
| 42 | + this.getNumberOfParameters() = 1 |
| 43 | + } |
| 44 | + |
| 45 | + Parameter getAnUntrustedParameter() { result = this.getParameter(0) } |
| 46 | +} |
| 47 | + |
| 48 | +predicate isLookup(Expr arg) { |
| 49 | + exists(MethodAccess ma | |
| 50 | + ma.getMethod().getName() = "lookup" and |
| 51 | + ma.getMethod().getDeclaringType() instanceof Context and |
| 52 | + arg = ma.getArgument(0) |
| 53 | + ) |
| 54 | +} |
| 55 | + |
| 56 | +class TainttrackLookup extends TaintTracking::Configuration { |
| 57 | + TainttrackLookup() { this = "TainttrackLookup" } |
| 58 | + |
| 59 | + override predicate isSource(DataFlow::Node source) { |
| 60 | + exists(LoggerInput LoggerMethod | source.asParameter() = LoggerMethod.getAnUntrustedParameter()) |
| 61 | + } |
| 62 | + |
| 63 | + override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) { |
| 64 | + exists(MethodAccess ma, MethodAccess ma2 | |
| 65 | + ma.getMethod() |
| 66 | + .getDeclaringType() |
| 67 | + .hasQualifiedName("org.apache.logging.log4j.core.impl", "ReusableLogEventFactory") and |
| 68 | + ma.getMethod().hasName("createEvent") and |
| 69 | + fromNode.asExpr() = ma.getArgument(5) and |
| 70 | + ma2.getMethod() |
| 71 | + .getDeclaringType() |
| 72 | + .hasQualifiedName("org.apache.logging.log4j.core.config", "LoggerConfig") and |
| 73 | + ma2.getMethod().hasName("log") and |
| 74 | + ma2.getMethod().getNumberOfParameters() = 2 and |
| 75 | + toNode.asExpr() = ma2.getArgument(0) |
| 76 | + ) |
| 77 | + } |
| 78 | + |
| 79 | + override predicate isSink(DataFlow::Node sink) { |
| 80 | + exists(Expr arg | |
| 81 | + isLookup(arg) and |
| 82 | + sink.asExpr() = arg |
| 83 | + ) |
| 84 | + } |
| 85 | +} |
| 86 | + |
| 87 | +from TainttrackLookup config, DataFlow::PathNode source, DataFlow::PathNode sink |
| 88 | +where config.hasFlowPath(source, sink) |
| 89 | +select sink.getNode(), source, sink, "unsafe lookup", source.getNode(), "this is user input" |
0 commit comments