
Commit fa4912f

Java: Improve the Api sources and sinks implementation.
1 parent b754706 commit fa4912f

34 files changed

+152
-209
lines changed
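--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -1,122 +1,40 @@
 /** Provides classes representing various flow sinks for data flow / taint tracking. */
 
 private import semmle.code.java.dataflow.DataFlow
-private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.FlowSinks as FlowSinks
 
-/**
- * A data flow sink node.
- */
-abstract class SinkNode extends DataFlow::Node { }
+final class SinkNode = FlowSinks::ApiSinkNode;
 
 /**
  * Module that adds all API like sinks to `SinkNode`, excluding sinks for cryptography based
  * queries, and queries where sinks are not succifiently defined (eg. using broad method name matching).
  */
-private module ApiSinks {
-private import semmle.code.java.security.AndroidSensitiveCommunicationQuery as AndroidSensitiveCommunicationQuery
-private import semmle.code.java.security.ArbitraryApkInstallation as ArbitraryApkInstallation
-private import semmle.code.java.security.CleartextStorageAndroidDatabaseQuery as CleartextStorageAndroidDatabaseQuery
-private import semmle.code.java.security.CleartextStorageAndroidFilesystemQuery as CleartextStorageAndroidFilesystemQuery
-private import semmle.code.java.security.CleartextStorageCookieQuery as CleartextStorageCookieQuery
-private import semmle.code.java.security.CleartextStorageSharedPrefsQuery as CleartextStorageSharedPrefsQuery
-private import semmle.code.java.security.ExternallyControlledFormatStringQuery as ExternallyControlledFormatStringQuery
-private import semmle.code.java.security.InsecureBasicAuth as InsecureBasicAuth
-private import semmle.code.java.security.IntentUriPermissionManipulation as IntentUriPermissionManipulation
-private import semmle.code.java.security.InsecureLdapAuth as InsecureLdapAuth
-private import semmle.code.java.security.InsecureTrustManager as InsecureTrustManager
-private import semmle.code.java.security.JndiInjection as JndiInjection
-private import semmle.code.java.security.JWT as Jwt
-private import semmle.code.java.security.OgnlInjection as OgnlInjection
-private import semmle.code.java.security.SensitiveResultReceiverQuery as SensitiveResultReceiverQuery
-private import semmle.code.java.security.SensitiveUiQuery as SensitiveUiQuery
-private import semmle.code.java.security.SpelInjection as SpelInjection
-private import semmle.code.java.security.SpelInjectionQuery as SpelInjectionQuery
-private import semmle.code.java.security.QueryInjection as QueryInjection
-private import semmle.code.java.security.TempDirLocalInformationDisclosureQuery as TempDirLocalInformationDisclosureQuery
-private import semmle.code.java.security.UnsafeAndroidAccess as UnsafeAndroidAccess
-private import semmle.code.java.security.UnsafeContentUriResolution as UnsafeContentUriResolution
-private import semmle.code.java.security.UnsafeDeserializationQuery as UnsafeDeserializationQuery
-private import semmle.code.java.security.UrlRedirect as UrlRedirect
-private import semmle.code.java.security.WebviewDebuggingEnabledQuery as WebviewDebuggingEnabledQuery
-private import semmle.code.java.security.XPath as Xpath
-private import semmle.code.java.security.XSS as Xss
-
-private class AndoidIntentRedirectionQuerySinks extends SinkNode instanceof AndroidSensitiveCommunicationQuery::SensitiveCommunicationSink
-{ }
-
-private class ArbitraryApkInstallationSinks extends SinkNode instanceof ArbitraryApkInstallation::SetDataSink
-{ }
-
-private class CleartextStorageAndroidDatabaseQuerySinks extends SinkNode instanceof CleartextStorageAndroidDatabaseQuery::LocalDatabaseSink
-{ }
-
-private class CleartextStorageAndroidFilesystemQuerySinks extends SinkNode instanceof CleartextStorageAndroidFilesystemQuery::LocalFileSink
-{ }
-
-private class CleartextStorageCookieQuerySinks extends SinkNode instanceof CleartextStorageCookieQuery::CookieStoreSink
-{ }
-
-private class CleartextStorageSharedPrefsQuerySinks extends SinkNode instanceof CleartextStorageSharedPrefsQuery::SharedPreferencesSink
-{ }
-
-private class ExternallyControlledFormatStringQuerySinks extends SinkNode instanceof ExternallyControlledFormatStringQuery::StringFormatSink
-{ }
-
-private class InsecureBasicAuthSinks extends SinkNode instanceof InsecureBasicAuth::InsecureBasicAuthSink
-{ }
-
-private class InsecureTrustManagerSinks extends SinkNode instanceof InsecureTrustManager::InsecureTrustManagerSink
-{ }
-
-private class IntentUriPermissionManipulationSinks extends SinkNode instanceof IntentUriPermissionManipulation::IntentUriPermissionManipulationSink
-{ }
-
-private class InsecureLdapAuthSinks extends SinkNode instanceof InsecureLdapAuth::InsecureLdapUrlSink
-{ }
-
-private class JndiInjectionSinks extends SinkNode instanceof JndiInjection::JndiInjectionSink { }
-
-private class JwtSinks extends SinkNode instanceof Jwt::JwtParserWithInsecureParseSink { }
-
-private class OgnlInjectionSinks extends SinkNode instanceof OgnlInjection::OgnlInjectionSink { }
-
-private class SensitiveResultReceiverQuerySinks extends SinkNode instanceof SensitiveResultReceiverQuery::SensitiveResultReceiverSink
-{ }
-
-private class SensitiveUiQuerySinks extends SinkNode instanceof SensitiveUiQuery::TextFieldSink {
-}
-
-private class SpelInjectionSinks extends SinkNode instanceof SpelInjection::SpelExpressionEvaluationSink
-{ }
-
-private class QueryInjectionSinks extends SinkNode instanceof QueryInjection::QueryInjectionSink {
-}
-
-private class TempDirLocalInformationDisclosureSinks extends SinkNode instanceof TempDirLocalInformationDisclosureQuery::MethodFileDirectoryCreationSink
-{ }
-
-private class UnsafeAndroidAccessSinks extends SinkNode instanceof UnsafeAndroidAccess::UrlResourceSink
-{ }
-
-private class UnsafeContentUriResolutionSinks extends SinkNode instanceof UnsafeContentUriResolution::ContentUriResolutionSink
-{ }
-
-private class UnsafeDeserializationQuerySinks extends SinkNode instanceof UnsafeDeserializationQuery::UnsafeDeserializationSink
-{ }
-
-private class UrlRedirectSinks extends SinkNode instanceof UrlRedirect::UrlRedirectSink { }
-
-private class WebviewDebugEnabledQuery extends SinkNode instanceof WebviewDebuggingEnabledQuery::WebviewDebugSink
-{ }
-
-private class XPathSinks extends SinkNode instanceof Xpath::XPathInjectionSink { }
-
-private class XssSinks extends SinkNode instanceof Xss::XssSink { }
-
-/**
-* Add all models as data sinks.
-*/
-private class SinkNodeExternal extends SinkNode {
-SinkNodeExternal() { sinkNode(this, _) }
-}
+private module AllApiSinks {
+private import semmle.code.java.security.AndroidSensitiveCommunicationQuery
+private import semmle.code.java.security.ArbitraryApkInstallation
+private import semmle.code.java.security.CleartextStorageAndroidDatabaseQuery
+private import semmle.code.java.security.CleartextStorageAndroidFilesystemQuery
+private import semmle.code.java.security.CleartextStorageCookieQuery
+private import semmle.code.java.security.CleartextStorageSharedPrefsQuery
+private import semmle.code.java.security.ExternallyControlledFormatStringQuery
+private import semmle.code.java.security.InsecureBasicAuth
+private import semmle.code.java.security.IntentUriPermissionManipulation
+private import semmle.code.java.security.InsecureLdapAuth
+private import semmle.code.java.security.InsecureTrustManager
+private import semmle.code.java.security.JndiInjection
+private import semmle.code.java.security.JWT
+private import semmle.code.java.security.OgnlInjection
+private import semmle.code.java.security.SensitiveResultReceiverQuery
+private import semmle.code.java.security.SensitiveUiQuery
+private import semmle.code.java.security.SpelInjection
+private import semmle.code.java.security.SpelInjectionQuery
+private import semmle.code.java.security.QueryInjection
+private import semmle.code.java.security.TempDirLocalInformationDisclosureQuery
+private import semmle.code.java.security.UnsafeAndroidAccess
+private import semmle.code.java.security.UnsafeContentUriResolution
+private import semmle.code.java.security.UnsafeDeserializationQuery
+private import semmle.code.java.security.UrlRedirect
+private import semmle.code.java.security.WebviewDebuggingEnabledQuery
+private import semmle.code.java.security.XPath
+private import semmle.code.java.security.XSS
 }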
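Review bot: The module QLDoc kept at new lines 8-11 still says `AllApiSinks` "adds all API like sinks to `SinkNode`, excluding sinks for cryptography based queries", but the module body is now only imports; what populates `SinkNode` is the `extends ApiSinkNode` added to the library classes elsewhere in this commit, so as far as the visible changes show, any library class extending `ApiSinkNode` that a query imports is included whether or not it is listed here, and the exclusion is no longer enforced by this file. The comment should describe the new mechanism, e.g. `* Module that imports the libraries whose sink classes extend `ApiSinkNode`, so that those sinks are visible through `SinkNode`; which sinks count as API sinks is decided in each library.` While touching it, the context line's "succifiently" is a typo for "sufficiently", and the same sentence recurs in ApiSources.qll.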

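--- a/java/ql/lib/semmle/code/java/dataflow/ApiSources.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ApiSources.qll
@@ -2,68 +2,24 @@
 
 private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.FlowSources as FlowSources
 
-/**
-* A data flow source node.
-*/
-abstract class SourceNode extends DataFlow::Node { }
+class SourceNode = FlowSources::ApiSourceNode;
 
 /**
 * Module that adds all API like sources to `SourceNode`, excluding some sources for cryptography based
 * queries, and queries where sources are not succifiently defined (eg. using broad method name matching).
 */
-private module ApiSources {
-private import FlowSources as FlowSources
-private import semmle.code.java.security.ArbitraryApkInstallation as ArbitraryApkInstallation
-private import semmle.code.java.security.CleartextStorageAndroidDatabaseQuery as CleartextStorageAndroidDatabaseQuery
-private import semmle.code.java.security.CleartextStorageAndroidFilesystemQuery as CleartextStorageAndroidFilesystemQuery
-private import semmle.code.java.security.CleartextStorageCookieQuery as CleartextStorageCookieQuery
-private import semmle.code.java.security.CleartextStorageSharedPrefsQuery as CleartextStorageSharedPrefsQuery
-private import semmle.code.java.security.ImplicitPendingIntentsQuery as ImplicitPendingIntentsQuery
-private import semmle.code.java.security.ImproperIntentVerificationQuery as ImproperIntentVerificationQuery
-private import semmle.code.java.security.InsecureTrustManager as InsecureTrustManager
-private import semmle.code.java.security.JWT as Jwt
-private import semmle.code.java.security.StackTraceExposureQuery as StackTraceExposureQuery
-private import semmle.code.java.security.ZipSlipQuery as ZipSlipQuery
-
-private class FlowSourcesSourceNode extends SourceNode instanceof FlowSources::SourceNode { }
-
-private class ArbitraryApkInstallationSources extends SourceNode instanceof ArbitraryApkInstallation::ExternalApkSource
-{ }
-
-private class CleartextStorageAndroidDatabaseQuerySources extends SourceNode instanceof CleartextStorageAndroidDatabaseQuery::LocalDatabaseOpenMethodCallSource
-{ }
-
-private class CleartextStorageAndroidFilesystemQuerySources extends SourceNode instanceof CleartextStorageAndroidFilesystemQuery::LocalFileOpenCallSource
-{ }
-
-private class CleartextStorageCookieQuerySources extends SourceNode instanceof CleartextStorageCookieQuery::CookieSource
-{ }
-
-private class CleartextStorageSharedPrefsQuerySources extends SourceNode instanceof CleartextStorageSharedPrefsQuery::SharedPreferencesEditorMethodCallSource
-{ }
-
-private class ImplicitPendingIntentsQuerySources extends SourceNode instanceof ImplicitPendingIntentsQuery::ImplicitPendingIntentSource
-{ }
-
-private class ImproperIntentVerificationQuerySources extends SourceNode instanceof ImproperIntentVerificationQuery::VerifiedIntentConfigSource
-{ }
-
-private class InsecureTrustManagerSources extends SourceNode instanceof InsecureTrustManager::InsecureTrustManagerSource
-{ }
-
-private class JwtSources extends SourceNode instanceof Jwt::JwtParserWithInsecureParseSource { }
-
-private class StackTraceExposureQuerySources extends SourceNode instanceof StackTraceExposureQuery::GetMessageFlowSource
-{ }
-
-private class ZipSlipQuerySources extends SourceNode instanceof ZipSlipQuery::ArchiveEntryNameMethodSource
-{ }
-
-/**
-* Add all models as data sources.
-*/
-private class SourceNodeExternal extends SourceNode {
-SourceNodeExternal() { sourceNode(this, _) }
-}
+private module AllApiSources {
+private import semmle.code.java.security.ArbitraryApkInstallation
+private import semmle.code.java.security.CleartextStorageAndroidDatabaseQuery
+private import semmle.code.java.security.CleartextStorageAndroidFilesystemQuery
+private import semmle.code.java.security.CleartextStorageCookieQuery
+private import semmle.code.java.security.CleartextStorageSharedPrefsQuery
+private import semmle.code.java.security.ImplicitPendingIntentsQuery
+private import semmle.code.java.security.ImproperIntentVerificationQuery
+private import semmle.code.java.security.InsecureTrustManager
+private import semmle.code.java.security.JWT
+private import semmle.code.java.security.StackTraceExposureQuery
+private import semmle.code.java.security.ZipSlipQuery
 }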
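Review bot: `class SourceNode = FlowSources::ApiSourceNode;` at new line 7 is a plain alias, while the matching sink alias introduced in this commit is `final class SinkNode = FlowSinks::ApiSinkNode;`; the two files should agree, and `final` is the better choice here because it keeps outside code from extending the alias and silently widening the extent the libraries are meant to define, so `final class SourceNode = FlowSources::ApiSourceNode;`. Since the `sourceNode(this, _)` class and the `DataFlow::Node` base were both moved out of this file, `private import semmle.code.java.dataflow.ExternalFlow` and `private import semmle.code.java.dataflow.DataFlow` at lines 3-4 appear unused here now (nothing else in the file is visible on the page to confirm), and the same two imports survive at the top of the sinks file.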
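--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,18 @@
+/** Provides classes representing various flow sinks for data flow / taint tracking. */
+
+private import java
+private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.DataFlow
+
+/**
+* A data flow sink node for an API, which should be considered
+* supported for a modeling perspective.
+*/
+abstract class ApiSinkNode extends DataFlow::Node { }
+
+/**
+* Add all models as data sinks.
+*/
+private class ApiSinkNodeExternal extends ApiSinkNode {
+ApiSinkNodeExternal() { sinkNode(this, _) }
+}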
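Review bot: The QLDoc on `ApiSinkNode` (new lines 7-10) reads "supported for a modeling perspective", which should be "from a modeling perspective"; the identical wording is in the `ApiSourceNode` doc added to FlowSources.qll in this commit. It would also help to say what "supported" means, because `ApiSinkNodeExternal` admits every `sinkNode(this, _)` model regardless of sink kind, and the class name suggests the extent is consumed as "APIs that already have a sink model"; if that is the intended use (the consumer is not on the page), something like `* A data flow sink node for an API that is already covered by a sink model or a library sink class, i.e. one that should not be reported as an unmodeled API.` would make the contract explicit for both classes.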

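--- a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
@@ -387,3 +387,18 @@ class AndroidJavascriptInterfaceMethodParameter extends RemoteFlowSource {
 result = "Parameter of method with JavascriptInterface annotation"
 }
 }
+
+/**
+* A data flow source node for an API, which should be considered
+* supported for a modeling perspective.
+*/
+abstract class ApiSourceNode extends DataFlow::Node { }
+
+private class AddSourceNodes extends ApiSourceNode instanceof SourceNode { }
+
+/**
+* Add all models as data sources.
+*/
+private class ApiSourceNodeExternal extends ApiSourceNode {
+ApiSourceNodeExternal() { sourceNode(this, _) }
+}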
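Review bot: `private class AddSourceNodes extends ApiSourceNode instanceof SourceNode { }` at new line 397 is the one class in this hunk without QLDoc, while its sibling `ApiSourceNodeExternal` has a comment; give it one, e.g. `/** Adds every `SourceNode` to `ApiSourceNode`. */`. `SourceNode` is defined elsewhere in this file, outside the hunk, so it is not visible here whether it already includes the `sourceNode(this, _)` models; if it does, `ApiSourceNodeExternal` restates that membership, which is harmless under set semantics but worth a line saying the overlap is intentional.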

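--- a/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll
@@ -4,6 +4,7 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.security.SensitiveActions
+private import semmle.code.java.dataflow.FlowSinks
 
 /**
 * Gets regular expression for matching names of Android variables that indicate the value being held contains sensitive information.
@@ -154,7 +155,7 @@ deprecated class SensitiveCommunicationConfig extends TaintTracking::Configurati
 /**
 * A class of sensitive communication sink nodes.
 */
-class SensitiveCommunicationSink extends DataFlow::Node {
+class SensitiveCommunicationSink extends ApiSinkNode {
 SensitiveCommunicationSink() {
 isSensitiveBroadcastSink(this)
 or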

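--- a/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallation.qll
+++ b/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallation.qll
@@ -4,6 +4,7 @@ import java
 import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.FlowSinks
 private import semmle.code.java.dataflow.FlowSources
 
 /** A string literal that represents the MIME type for Android APKs. */
@@ -48,7 +49,7 @@ class SetDataMethod extends Method {
 }
 
 /** A dataflow sink for the URI of an intent. */
-class SetDataSink extends DataFlow::ExprNode {
+class SetDataSink extends ApiSinkNode, DataFlow::ExprNode {
 SetDataSink() {
 exists(MethodCall ma |
 this.getExpr() = ma.getQualifier() and
@@ -69,7 +70,7 @@ class UriConstructorMethod extends Method {
 * A dataflow source representing the URIs which an APK not controlled by the
 * application may come from. Including external storage and web URLs.
 */
-class ExternalApkSource extends DataFlow::Node {
+class ExternalApkSource extends ApiSourceNode {
 ExternalApkSource() {
 sourceNode(this, "android-external-storage-dir") or
 this.asExpr().(MethodCall).getMethod() instanceof UriConstructorMethod or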

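--- a/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidDatabaseQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidDatabaseQuery.qll
@@ -6,6 +6,8 @@ import semmle.code.java.frameworks.android.ContentProviders
 import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.frameworks.android.SQLite
 import semmle.code.java.security.CleartextStorageQuery
+private import semmle.code.java.dataflow.FlowSinks
+private import semmle.code.java.dataflow.FlowSources
 
 private class LocalDatabaseCleartextStorageSink extends CleartextStorageSink {
 LocalDatabaseCleartextStorageSink() { localDatabaseInput(_, this.asExpr()) }
@@ -99,14 +101,14 @@ private predicate localDatabaseStore(DataFlow::Node database, MethodCall store)
 /**
 * A class of local database open method call source nodes.
 */
-class LocalDatabaseOpenMethodCallSource extends DataFlow::Node {
+class LocalDatabaseOpenMethodCallSource extends ApiSourceNode {
 LocalDatabaseOpenMethodCallSource() { this.asExpr() instanceof LocalDatabaseOpenMethodCall }
 }
 
 /**
 * A class of local database sink nodes.
 */
-class LocalDatabaseSink extends DataFlow::Node {
+class LocalDatabaseSink extends ApiSinkNode {
 LocalDatabaseSink() { localDatabaseInput(this, _) or localDatabaseStore(this, _) }
 }
 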
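--- a/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidFilesystemQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidFilesystemQuery.qll
@@ -5,9 +5,11 @@
 
 import java
 import semmle.code.java.dataflow.DataFlow
-private import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.security.CleartextStorageQuery
 import semmle.code.xml.AndroidManifest
+private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.FlowSinks
+private import semmle.code.java.dataflow.FlowSources
 
 private class AndroidFilesystemCleartextStorageSink extends CleartextStorageSink {
 AndroidFilesystemCleartextStorageSink() {
@@ -82,14 +84,14 @@ private class CloseFileMethod extends Method {
 /**
 * A class of local file open call source nodes.
 */
-class LocalFileOpenCallSource extends DataFlow::Node {
+class LocalFileOpenCallSource extends ApiSourceNode {
 LocalFileOpenCallSource() { this.asExpr() instanceof LocalFileOpenCall }
 }
 
 /**
 * A class of local file sink nodes.
 */
-class LocalFileSink extends DataFlow::Node {
+class LocalFileSink extends ApiSinkNode {
 LocalFileSink() {
 filesystemInput(this, _) or
 closesFile(this, _)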
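--- a/java/ql/lib/semmle/code/java/security/CleartextStorageCookieQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CleartextStorageCookieQuery.qll
@@ -4,6 +4,8 @@ import java
 import semmle.code.java.dataflow.DataFlow
 deprecated import semmle.code.java.dataflow.DataFlow3
 import semmle.code.java.security.CleartextStorageQuery
+private import semmle.code.java.dataflow.FlowSinks
+private import semmle.code.java.dataflow.FlowSources
 
 private class CookieCleartextStorageSink extends CleartextStorageSink {
 CookieCleartextStorageSink() { this.asExpr() = cookieInput(_) }
@@ -40,14 +42,14 @@ private predicate cookieStore(DataFlow::Node cookie, Expr store) {
 /**
 * A class of cookie source nodes.
 */
-class CookieSource extends DataFlow::Node {
+class CookieSource extends ApiSourceNode {
 CookieSource() { this.asExpr() instanceof Cookie }
 }
 
 /**
 * A class of cookie store sink nodes.
 */
-class CookieStoreSink extends DataFlow::Node {
+class CookieStoreSink extends ApiSinkNode {
 CookieStoreSink() { cookieStore(this, _) }
 }
 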