
Commit 5f660c4

committed
Java: Improve the Api sinks implementation.
1 parent 1308759 commit 5f660c4

28 files changed

+96
-136
lines changed

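--- a/java/ql/lib/semmle/code/java/dataflow/ApiSinks.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ApiSinks.qll
@@ -2,121 +2,47 @@
 
 private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.FlowSinks as FlowSinks
 
-/**
-* A data flow sink node.
-*/
-abstract class SinkNode extends DataFlow::Node { }
+class SinkNode = FlowSinks::ApiSinkNode;
 
 /**
 * Module that adds all API like sinks to `SinkNode`, excluding sinks for cryptography based
 * queries, and queries where sinks are not succifiently defined (eg. using broad method name matching).
 */
-private module ApiSinks {
-private import semmle.code.java.security.AndroidSensitiveCommunicationQuery as AndroidSensitiveCommunicationQuery
-private import semmle.code.java.security.ArbitraryApkInstallation as ArbitraryApkInstallation
-private import semmle.code.java.security.CleartextStorageAndroidDatabaseQuery as CleartextStorageAndroidDatabaseQuery
-private import semmle.code.java.security.CleartextStorageAndroidFilesystemQuery as CleartextStorageAndroidFilesystemQuery
-private import semmle.code.java.security.CleartextStorageCookieQuery as CleartextStorageCookieQuery
-private import semmle.code.java.security.CleartextStorageSharedPrefsQuery as CleartextStorageSharedPrefsQuery
-private import semmle.code.java.security.ExternallyControlledFormatStringQuery as ExternallyControlledFormatStringQuery
-private import semmle.code.java.security.InsecureBasicAuth as InsecureBasicAuth
-private import semmle.code.java.security.IntentUriPermissionManipulation as IntentUriPermissionManipulation
-private import semmle.code.java.security.InsecureLdapAuth as InsecureLdapAuth
-private import semmle.code.java.security.InsecureTrustManager as InsecureTrustManager
-private import semmle.code.java.security.JndiInjection as JndiInjection
-private import semmle.code.java.security.JWT as Jwt
-private import semmle.code.java.security.OgnlInjection as OgnlInjection
-private import semmle.code.java.security.SensitiveResultReceiverQuery as SensitiveResultReceiverQuery
-private import semmle.code.java.security.SensitiveUiQuery as SensitiveUiQuery
-private import semmle.code.java.security.SpelInjection as SpelInjection
-private import semmle.code.java.security.SpelInjectionQuery as SpelInjectionQuery
-private import semmle.code.java.security.QueryInjection as QueryInjection
-private import semmle.code.java.security.TempDirLocalInformationDisclosureQuery as TempDirLocalInformationDisclosureQuery
-private import semmle.code.java.security.UnsafeAndroidAccess as UnsafeAndroidAccess
-private import semmle.code.java.security.UnsafeContentUriResolution as UnsafeContentUriResolution
-private import semmle.code.java.security.UnsafeDeserializationQuery as UnsafeDeserializationQuery
-private import semmle.code.java.security.UrlRedirect as UrlRedirect
-private import semmle.code.java.security.WebviewDebuggingEnabledQuery as WebviewDebuggingEnabledQuery
-private import semmle.code.java.security.XPath as Xpath
-private import semmle.code.java.security.XSS as Xss
-
-private class AndoidIntentRedirectionQuerySinks extends SinkNode instanceof AndroidSensitiveCommunicationQuery::SensitiveCommunicationSink
-{ }
-
-private class ArbitraryApkInstallationSinks extends SinkNode instanceof ArbitraryApkInstallation::SetDataSink
-{ }
-
-private class CleartextStorageAndroidDatabaseQuerySinks extends SinkNode instanceof CleartextStorageAndroidDatabaseQuery::LocalDatabaseSink
-{ }
-
-private class CleartextStorageAndroidFilesystemQuerySinks extends SinkNode instanceof CleartextStorageAndroidFilesystemQuery::LocalFileSink
-{ }
-
-private class CleartextStorageCookieQuerySinks extends SinkNode instanceof CleartextStorageCookieQuery::CookieStoreSink
-{ }
-
-private class CleartextStorageSharedPrefsQuerySinks extends SinkNode instanceof CleartextStorageSharedPrefsQuery::SharedPreferencesSink
-{ }
-
-private class ExternallyControlledFormatStringQuerySinks extends SinkNode instanceof ExternallyControlledFormatStringQuery::StringFormatSink
-{ }
-
-private class InsecureBasicAuthSinks extends SinkNode instanceof InsecureBasicAuth::InsecureBasicAuthSink
-{ }
-
-private class InsecureTrustManagerSinks extends SinkNode instanceof InsecureTrustManager::InsecureTrustManagerSink
-{ }
-
-private class IntentUriPermissionManipulationSinks extends SinkNode instanceof IntentUriPermissionManipulation::IntentUriPermissionManipulationSink
-{ }
-
-private class InsecureLdapAuthSinks extends SinkNode instanceof InsecureLdapAuth::InsecureLdapUrlSink
-{ }
-
-private class JndiInjectionSinks extends SinkNode instanceof JndiInjection::JndiInjectionSink { }
-
-private class JwtSinks extends SinkNode instanceof Jwt::JwtParserWithInsecureParseSink { }
-
-private class OgnlInjectionSinks extends SinkNode instanceof OgnlInjection::OgnlInjectionSink { }
-
-private class SensitiveResultReceiverQuerySinks extends SinkNode instanceof SensitiveResultReceiverQuery::SensitiveResultReceiverSink
-{ }
-
-private class SensitiveUiQuerySinks extends SinkNode instanceof SensitiveUiQuery::TextFieldSink {
-}
-
-private class SpelInjectionSinks extends SinkNode instanceof SpelInjection::SpelExpressionEvaluationSink
-{ }
-
-private class QueryInjectionSinks extends SinkNode instanceof QueryInjection::QueryInjectionSink {
-}
-
-private class TempDirLocalInformationDisclosureSinks extends SinkNode instanceof TempDirLocalInformationDisclosureQuery::MethodFileDirectoryCreationSink
-{ }
-
-private class UnsafeAndroidAccessSinks extends SinkNode instanceof UnsafeAndroidAccess::UrlResourceSink
-{ }
-
-private class UnsafeContentUriResolutionSinks extends SinkNode instanceof UnsafeContentUriResolution::ContentUriResolutionSink
-{ }
-
-private class UnsafeDeserializationQuerySinks extends SinkNode instanceof UnsafeDeserializationQuery::UnsafeDeserializationSink
-{ }
-
-private class UrlRedirectSinks extends SinkNode instanceof UrlRedirect::UrlRedirectSink { }
-
-private class WebviewDebugEnabledQuery extends SinkNode instanceof WebviewDebuggingEnabledQuery::WebviewDebugSink
-{ }
-
-private class XPathSinks extends SinkNode instanceof Xpath::XPathInjectionSink { }
-
-private class XssSinks extends SinkNode instanceof Xss::XssSink { }
+private module AllApiSinks {
+private import semmle.code.java.security.AndroidSensitiveCommunicationQuery
+private import semmle.code.java.security.ArbitraryApkInstallation
+private import semmle.code.java.security.CleartextStorageAndroidDatabaseQuery
+private import semmle.code.java.security.CleartextStorageAndroidFilesystemQuery
+private import semmle.code.java.security.CleartextStorageCookieQuery
+private import semmle.code.java.security.CleartextStorageSharedPrefsQuery
+private import semmle.code.java.security.ExternallyControlledFormatStringQuery
+private import semmle.code.java.security.InsecureBasicAuth
+private import semmle.code.java.security.IntentUriPermissionManipulation
+private import semmle.code.java.security.InsecureLdapAuth
+private import semmle.code.java.security.InsecureTrustManager
+private import semmle.code.java.security.JndiInjection
+private import semmle.code.java.security.JWT
+private import semmle.code.java.security.OgnlInjection
+private import semmle.code.java.security.SensitiveResultReceiverQuery
+private import semmle.code.java.security.SensitiveUiQuery
+private import semmle.code.java.security.SpelInjection
+private import semmle.code.java.security.SpelInjectionQuery
+private import semmle.code.java.security.QueryInjection
+private import semmle.code.java.security.TempDirLocalInformationDisclosureQuery
+private import semmle.code.java.security.UnsafeAndroidAccess
+private import semmle.code.java.security.UnsafeContentUriResolution
+private import semmle.code.java.security.UnsafeDeserializationQuery
+private import semmle.code.java.security.UrlRedirect
+private import semmle.code.java.security.WebviewDebuggingEnabledQuery
+private import semmle.code.java.security.XPath
+private import semmle.code.java.security.XSS
 
 /**
 * Add all models as data sinks.
 */
-private class SinkNodeExternal extends SinkNode {
-SinkNodeExternal() { sinkNode(this, _) }
+private class ApiSinkNodeExternal extends SinkNode {
+ApiSinkNodeExternal() { sinkNode(this, _) }
 }
 }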
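Review bot: The unaliased `private import` lines in `AllApiSinks` are now load-bearing although nothing in the module refers to them by name: they appear to be the only thing that brings the sink classes extending `ApiSinkNode` into scope here, so an "unused import" cleanup would silently shrink the sink set. A comment above the list would make that explicit, for example `// Imported only for their effect on ApiSinkNode: each library contributes the sink classes that extend it.` Membership is also decided in each security library rather than in one reviewable list, so a class that later extends `ApiSinkNode` is included without this file changing; a test pinning the expected sink classes would catch accidental additions or losses, if one is not already among the files not shown here. Separately, the alias `class SinkNode = FlowSinks::ApiSinkNode;` lost the doc comment the old abstract class had, and `/** A data flow sink node. */` can be carried over.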
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
private import java
2+
private import semmle.code.java.dataflow.DataFlow
3+
4+
/**
5+
* A data flow sink node for an API, which should be considered
6+
* supported for a modelling perspective.
7+
*/
8+
abstract class ApiSinkNode extends DataFlow::Node { }
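Review bot: The doc comment on `ApiSinkNode` does not state the contract the rest of the commit relies on: extending this class is what makes a sink part of `SinkNode` in ApiSinks.qll, so the choice of base class now decides whether a sink is counted. I would say that in the comment and repeat the exclusions from the `AllApiSinks` doc comment, which presumably means that cryptography sinks and sinks defined by broad method-name matching should not extend it. The wording "supported for a modelling perspective" also reads better as "supported from a modelling perspective".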

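--- a/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll
@@ -4,6 +4,7 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.security.SensitiveActions
+private import semmle.code.java.dataflow.FlowSinks
 
 /**
 * Gets regular expression for matching names of Android variables that indicate the value being held contains sensitive information.
@@ -154,7 +155,7 @@ deprecated class SensitiveCommunicationConfig extends TaintTracking::Configurati
 /**
 * A class of sensitive communication sink nodes.
 */
-class SensitiveCommunicationSink extends DataFlow::Node {
+class SensitiveCommunicationSink extends ApiSinkNode {
 SensitiveCommunicationSink() {
 isSensitiveBroadcastSink(this)
 or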

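--- a/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallation.qll
+++ b/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallation.qll
@@ -4,6 +4,7 @@ import java
 import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.FlowSinks
 private import semmle.code.java.dataflow.FlowSources
 
 /** A string literal that represents the MIME type for Android APKs. */
@@ -48,7 +49,7 @@ class SetDataMethod extends Method {
 }
 
 /** A dataflow sink for the URI of an intent. */
-class SetDataSink extends DataFlow::ExprNode {
+class SetDataSink extends ApiSinkNode, DataFlow::ExprNode {
 SetDataSink() {
 exists(MethodCall ma |
 this.getExpr() = ma.getQualifier() and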

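--- a/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidDatabaseQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidDatabaseQuery.qll
@@ -6,6 +6,7 @@ import semmle.code.java.frameworks.android.ContentProviders
 import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.frameworks.android.SQLite
 import semmle.code.java.security.CleartextStorageQuery
+private import semmle.code.java.dataflow.FlowSinks
 private import semmle.code.java.dataflow.FlowSources
 
 private class LocalDatabaseCleartextStorageSink extends CleartextStorageSink {
@@ -107,7 +108,7 @@ class LocalDatabaseOpenMethodCallSource extends ApiSourceNode {
 /**
 * A class of local database sink nodes.
 */
-class LocalDatabaseSink extends DataFlow::Node {
+class LocalDatabaseSink extends ApiSinkNode {
 LocalDatabaseSink() { localDatabaseInput(this, _) or localDatabaseStore(this, _) }
 }
 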

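--- a/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidFilesystemQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidFilesystemQuery.qll
@@ -5,10 +5,11 @@
 
 import java
 import semmle.code.java.dataflow.DataFlow
-private import semmle.code.java.dataflow.ExternalFlow
-private import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.CleartextStorageQuery
 import semmle.code.xml.AndroidManifest
+private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.FlowSinks
+private import semmle.code.java.dataflow.FlowSources
 
 private class AndroidFilesystemCleartextStorageSink extends CleartextStorageSink {
 AndroidFilesystemCleartextStorageSink() {
@@ -90,7 +91,7 @@ class LocalFileOpenCallSource extends ApiSourceNode {
 /**
 * A class of local file sink nodes.
 */
-class LocalFileSink extends DataFlow::Node {
+class LocalFileSink extends ApiSinkNode {
 LocalFileSink() {
 filesystemInput(this, _) or
 closesFile(this, _)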

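--- a/java/ql/lib/semmle/code/java/security/CleartextStorageCookieQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CleartextStorageCookieQuery.qll
@@ -4,6 +4,7 @@ import java
 import semmle.code.java.dataflow.DataFlow
 deprecated import semmle.code.java.dataflow.DataFlow3
 import semmle.code.java.security.CleartextStorageQuery
+private import semmle.code.java.dataflow.FlowSinks
 private import semmle.code.java.dataflow.FlowSources
 
 private class CookieCleartextStorageSink extends CleartextStorageSink {
@@ -48,7 +49,7 @@ class CookieSource extends ApiSourceNode {
 /**
 * A class of cookie store sink nodes.
 */
-class CookieStoreSink extends DataFlow::Node {
+class CookieStoreSink extends ApiSinkNode {
 CookieStoreSink() { cookieStore(this, _) }
 }
 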

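--- a/java/ql/lib/semmle/code/java/security/CleartextStorageSharedPrefsQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CleartextStorageSharedPrefsQuery.qll
@@ -4,6 +4,7 @@ import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.frameworks.android.SharedPreferences
 import semmle.code.java.security.CleartextStorageQuery
+private import semmle.code.java.dataflow.FlowSinks
 private import semmle.code.java.dataflow.FlowSources
 
 private class SharedPrefsCleartextStorageSink extends CleartextStorageSink {
@@ -80,7 +81,7 @@ class SharedPreferencesEditorMethodCallSource extends ApiSourceNode {
 /**
 * A class of shared preferences sink nodes.
 */
-class SharedPreferencesSink extends DataFlow::Node {
+class SharedPreferencesSink extends ApiSinkNode {
 SharedPreferencesSink() {
 sharedPreferencesInput(this, _) or
 sharedPreferencesStore(this, _)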

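--- a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll
@@ -1,13 +1,14 @@
 /** Provides a taint-tracking configuration to reason about externally controlled format string vulnerabilities. */
 
 import java
+private import semmle.code.java.dataflow.FlowSinks
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.StringFormat
 
 /**
 * A class of string format sink nodes.
 */
-class StringFormatSink extends DataFlow::Node {
+class StringFormatSink extends ApiSinkNode {
 StringFormatSink() { this.asExpr() = any(StringFormat formatCall).getFormatArgument() }
 }
 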

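--- a/java/ql/lib/semmle/code/java/security/InsecureBasicAuth.qll
+++ b/java/ql/lib/semmle/code/java/security/InsecureBasicAuth.qll
@@ -4,6 +4,7 @@ import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.HttpsUrls
+private import semmle.code.java.dataflow.FlowSinks
 
 /**
 * A source that represents HTTP URLs.
@@ -20,7 +21,7 @@ private class DefaultInsecureBasicAuthSource extends InsecureBasicAuthSource {
 * A sink that represents a method that sets Basic Authentication.
 * Extend this class to add your own Insecure Basic Authentication sinks.
 */
-abstract class InsecureBasicAuthSink extends DataFlow::Node { }
+abstract class InsecureBasicAuthSink extends ApiSinkNode { }
 
 /** A default sink representing methods that set an Authorization header. */
 private class DefaultInsecureBasicAuthSink extends InsecureBasicAuthSink {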
