From 91db2b6c9c95c756a6174133888af5ad880ebe79 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 14 Jun 2024 13:23:17 +0100
Subject: [PATCH 01/15] Make new threat model kind "reverse-dns"
---
 .../semmle/code/java/dataflow/FlowSources.qll | 33 ++++++++++---------
 1 file changed, 18 insertions(+), 15 deletions(-)

diff --git a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
index f2b2f8c20086..93a3a4a322b9 100644
--- a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
@@ -119,21 +119,6 @@ private predicate variableStep(Expr tracked, VarAccess sink) {
 )
 }
 
-private class ReverseDnsSource extends RemoteFlowSource {
- ReverseDnsSource() {
- // Try not to trigger on `localhost`.
- exists(MethodCall m | m = this.asExpr() |
- m.getMethod() instanceof ReverseDnsMethod and
- not exists(MethodCall l |
- (variableStep(l, m.getQualifier()) or l = m.getQualifier()) and
- (l.getMethod().getName() = "getLocalHost" or l.getMethod().getName() = "getLoopbackAddress")
- )
- )
- }
-
- override string getSourceType() { result = "reverse DNS lookup" }
-}
-
 private class MessageBodyReaderParameterSource extends RemoteFlowSource {
 MessageBodyReaderParameterSource() {
 exists(MessageBodyReaderRead m |
@@ -388,6 +373,24 @@ class AndroidJavascriptInterfaceMethodParameter extends RemoteFlowSource {
 }
 }
 
+/** A node with input that may be controlled by a local user. */
+abstract class ReverseDnsUserInput extends UserInput {
+ override string getThreatModel() { result = "reverse-dns" }
+}
+
+private class ReverseDnsSource extends ReverseDnsUserInput {
+ ReverseDnsSource() {
+ // Try not to trigger on `localhost`.
+ exists(MethodCall m | m = this.asExpr() |
+ m.getMethod() instanceof ReverseDnsMethod and
+ not exists(MethodCall l |
+ (variableStep(l, m.getQualifier()) or l = m.getQualifier()) and
+ (l.getMethod().getName() = "getLocalHost" or l.getMethod().getName() = "getLoopbackAddress")
+ )
+ )
+ }
+}
+
 /**
 * A data flow source node for an API, which should be considered
 * supported for a modeling perspective.

From 878867205ef42614cc230fd53abdc32eb3e99e2b Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 14 Jun 2024 15:47:15 +0100
Subject: [PATCH 02/15] Fix taintsources test
---
 .../dataflow/taintsources/A.java | 2 +-
 .../dataflow/taintsources/local.ql | 8 +---
 .../dataflow/taintsources/reversedns.expected | 2 +
 .../dataflow/taintsources/reversedns.ql | 47 +++++++++++++++++++
 4 files changed, 52 insertions(+), 7 deletions(-)
 create mode 100644 java/ql/test/library-tests/dataflow/taintsources/reversedns.expected
 create mode 100644 java/ql/test/library-tests/dataflow/taintsources/reversedns.ql

diff --git a/java/ql/test/library-tests/dataflow/taintsources/A.java b/java/ql/test/library-tests/dataflow/taintsources/A.java
index 25320b315ad5..6b91a4ca1bfe 100644
--- a/java/ql/test/library-tests/dataflow/taintsources/A.java
+++ b/java/ql/test/library-tests/dataflow/taintsources/A.java
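Review bot: The moved `ReverseDnsSource` drops the `override string getSourceType() { result = "reverse DNS lookup" }` that the `RemoteFlowSource` version carried, and nothing on `ReverseDnsUserInput` replaces it; that is presumably unavoidable if `UserInput` does not declare `getSourceType()` (not visible here), but any query that builds its alert text from that predicate can no longer describe these sources. The class also stops being a `RemoteFlowSource`, so a query whose source set is `RemoteFlowSource` rather than the threat-model-aware source classes silently loses `getHostName()` results even when "reverse-dns" is enabled, which is what the CWE-022 test fix later in this series works around. That consequence deserves a sentence in the QLDoc of `ReverseDnsUserInput` and in the change note, which currently only says the kind is new.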
@@ -43,7 +43,7 @@ public void test(ResultSet rs) throws SQLException {
 };
 sink(new URL("test").openConnection().getInputStream()); // $hasRemoteValueFlow
 sink(new Socket("test", 1234).getInputStream()); // $hasRemoteValueFlow
- sink(InetAddress.getByName("test").getHostName()); // $hasRemoteValueFlow
+ sink(InetAddress.getByName("test").getHostName()); // $hasReverseDnsValueFlow
 sink(System.in); // $hasLocalValueFlow
 sink(new FileInputStream("test")); // $hasLocalValueFlow
 
diff --git a/java/ql/test/library-tests/dataflow/taintsources/local.ql b/java/ql/test/library-tests/dataflow/taintsources/local.ql
index 1cbe8dbbf6c4..d4a08d836bb6 100644
--- a/java/ql/test/library-tests/dataflow/taintsources/local.ql
+++ b/java/ql/test/library-tests/dataflow/taintsources/local.ql
@@ -2,16 +2,12 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import TestUtilities.InlineExpectationsTest
 
-class LocalSource extends DataFlow::Node instanceof UserInput {
- LocalSource() { not this instanceof RemoteFlowSource }
-}
-
 predicate isTestSink(DataFlow::Node n) {
 exists(MethodCall ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
 }
 
 module LocalValueConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node n) { n instanceof LocalSource }
+ predicate isSource(DataFlow::Node n) { n instanceof LocalUserInput }
 
 predicate isSink(DataFlow::Node n) { isTestSink(n) }
 }
@@ -19,7 +15,7 @@ module LocalValueConfig implements DataFlow::ConfigSig {
 module LocalValueFlow = DataFlow::Global;
 
 module LocalTaintConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node n) { n instanceof LocalSource }
+ predicate isSource(DataFlow::Node n) { n instanceof LocalUserInput }
 
 predicate isSink(DataFlow::Node n) { isTestSink(n) }
 }

diff --git a/java/ql/test/library-tests/dataflow/taintsources/reversedns.expected b/java/ql/test/library-tests/dataflow/taintsources/reversedns.expected
new file mode 100644
index 000000000000..48de9172b362
--- /dev/null
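Review bot: The only reverse-DNS case in A.java calls `getHostName()` directly on the `getByName` result, so the `variableStep(l, m.getQualifier())` disjunct of the localhost exclusion in `ReverseDnsSource` is never exercised, and patch 15 later adds only further direct-qualifier cases. Two lines would cover it: `InetAddress local = InetAddress.getLocalHost();` followed by `sink(local.getHostName());` with no expectation tag, so that an unexpected `$hasReverseDnsValueFlow` result would fail the test. The enclosing `test` method starts and ends outside the hunk.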
+++ b/java/ql/test/library-tests/dataflow/taintsources/reversedns.expected
@@ -0,0 +1,2 @@
+failures
+testFailures
diff --git a/java/ql/test/library-tests/dataflow/taintsources/reversedns.ql b/java/ql/test/library-tests/dataflow/taintsources/reversedns.ql
new file mode 100644
index 000000000000..8ec5acab5e54
--- /dev/null
+++ b/java/ql/test/library-tests/dataflow/taintsources/reversedns.ql
@@ -0,0 +1,47 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+import TestUtilities.InlineExpectationsTest
+
+predicate isTestSink(DataFlow::Node n) {
+ exists(MethodCall ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+}
+
+module ReverseDnsValueConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node n) { n instanceof ReverseDnsUserInput }
+
+ predicate isSink(DataFlow::Node n) { isTestSink(n) }
+}
+
+module ReverseDnsValueFlow = DataFlow::Global;
+
+module ReverseDnsTaintConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node n) { n instanceof ReverseDnsUserInput }
+
+ predicate isSink(DataFlow::Node n) { isTestSink(n) }
+}
+
+module ReverseDnsTaintFlow = TaintTracking::Global;
+
+module ReverseDnsFlowTest implements TestSig {
+ string getARelevantTag() { result = ["hasReverseDnsValueFlow", "hasReverseDnsTaintFlow"] }
+
+ predicate hasActualResult(Location location, string element, string tag, string value) {
+ tag = "hasReverseDnsValueFlow" and
+ exists(DataFlow::Node sink | ReverseDnsValueFlow::flowTo(sink) |
+ sink.getLocation() = location and
+ element = sink.toString() and
+ value = ""
+ )
+ or
+ tag = "hasReverseDnsTaintFlow" and
+ exists(DataFlow::Node src, DataFlow::Node sink |
+ ReverseDnsTaintFlow::flow(src, sink) and not ReverseDnsValueFlow::flow(src, sink)
+ |
+ sink.getLocation() = location and
+ element = sink.toString() and
+ value = ""
+ )
+ }
+}
+
+import MakeTest
From 059ef42f412ce25216b49267c41ff9d3564d411d Mon Sep 17 00:00:00 2001
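Review bot: `isTestSink` in the new reversedns.ql is a verbatim copy of the one in local.ql, and the two `*Config` modules plus the `TestSig` module mirror local.ql's shape with only the source class and tag names swapped; since both files live in the same taintsources directory, moving `isTestSink` into a small shared `.qll` there and importing it from both would keep the sink definition from drifting. `hasReverseDnsTaintFlow` is declared as a relevant tag, but none of the A.java lines visible in this series carry it, so the taint configuration is only ever checked for the absence of unexpected results; if that is intended, a one-line comment on `getARelevantTag` saying so would save the next reader from looking for the missing case.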
From: Owen Mansel-Chan
Date: Fri, 14 Jun 2024 13:35:27 +0100
Subject: [PATCH 03/15] Add change note
---
 .../2024-06-14-reverse-dns-separate-threat-model-kind.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 java/ql/lib/change-notes/2024-06-14-reverse-dns-separate-threat-model-kind.md

diff --git a/java/ql/lib/change-notes/2024-06-14-reverse-dns-separate-threat-model-kind.md b/java/ql/lib/change-notes/2024-06-14-reverse-dns-separate-threat-model-kind.md
new file mode 100644
index 000000000000..81048da7221b
--- /dev/null
+++ b/java/ql/lib/change-notes/2024-06-14-reverse-dns-separate-threat-model-kind.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* We previously considered reverse DNS resolutions (IP address -> domain name) as sources of untrusted data, since compromised/malicious DNS servers could potentially return malicious responses to arbitrary requests. We have now removed this source from the default set of untrusted sources and made a new threat model kind for them, called "reverse-dns".
From 162245fb9a4c05da5824d6e3f3c9235fd7293a05 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 14 Jun 2024 16:08:32 +0100
Subject: [PATCH 04/15] Fix unrelated test using reverse DNS as source
---
 .../security/CWE-022/semmle/tests/Test.java | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
index f8b37428e25b..d8cd210b70cf 100644
--- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
+++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
@@ -5,12 +5,14 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
-import java.net.InetAddress;
 import java.net.URL;
 import java.nio.charset.Charset;
 import java.nio.file.Files;
 import java.nio.file.Path;
+
+import javax.servlet.http.HttpServletRequest;
 import javax.xml.transform.stream.StreamResult;
+
 import org.apache.commons.io.FileUtils;
 import org.apache.tools.ant.AntClassLoader;
 import org.apache.tools.ant.DirectoryScanner;
@@ -24,10 +26,10 @@
 
 public class Test {
 
- private InetAddress address;
+ private HttpServletRequest request;
 
 public Object source() {
- return address.getHostName();
+ return request.getParameter("source");
 }
 
 void test() throws IOException {
@@ -166,8 +168,8 @@ void test(AntClassLoader acl) {
 new LargeText((File) source(), null, false, false); // $ hasTaintFlow
 }
 
- void doGet6(String root, InetAddress address) throws IOException {
- String temp = address.getHostName();
+ void doGet6(String root, HttpServletRequest request) throws IOException {
+ String temp = request.getParameter("source");
 // GOOD: Use `contains` and `startsWith` to check if the path is safe
 if (!temp.contains("..") && temp.startsWith(root + "/")) {
 File file = new File(temp);
From 9e25279cb82837a35f6057cb57c0a9bf6b7a849f Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 14 Jun 2024 16:34:04 +0100
Subject: [PATCH 05/15] Change category in change note to "majorAnalysis"
---
 .../2024-06-14-reverse-dns-separate-threat-model-kind.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/lib/change-notes/2024-06-14-reverse-dns-separate-threat-model-kind.md b/java/ql/lib/change-notes/2024-06-14-reverse-dns-separate-threat-model-kind.md
index 81048da7221b..b19e90a307ff 100644
--- a/java/ql/lib/change-notes/2024-06-14-reverse-dns-separate-threat-model-kind.md
+++ b/java/ql/lib/change-notes/2024-06-14-reverse-dns-separate-threat-model-kind.md
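Review bot: Swapping the `InetAddress` field and the `doGet6` parameter for `HttpServletRequest` keeps the path-traversal test green, but it also removes the only case in this file that exercised a reverse-DNS-derived path, and nothing in the series re-adds one under the new "reverse-dns" threat model; if the query is expected to flag such paths once that threat model is enabled, a test run with the model turned on is needed to keep that behaviour covered. The change assumes the test's stub set provides `javax.servlet.http.HttpServletRequest`, which is not visible here. `request.getParameter("source")` returns a `String`, so the `Object` return type of `source()` and the `(File) source()` cast in the third hunk are unaffected.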
@@ -1,4 +1,4 @@
 ---
-category: minorAnalysis
+category: majorAnalysis
 ---
 * We previously considered reverse DNS resolutions (IP address -> domain name) as sources of untrusted data, since compromised/malicious DNS servers could potentially return malicious responses to arbitrary requests. We have now removed this source from the default set of untrusted sources and made a new threat model kind for them, called "reverse-dns".
From 8458bde51e7a81e33165906d71c97116f7e9fbde Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Sun, 23 Jun 2024 07:09:11 +0100
Subject: [PATCH 06/15] Add comment that "reverse-dns" is an ungrouped threat model
---
 shared/threat-models/ext/threat-model-grouping.model.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/shared/threat-models/ext/threat-model-grouping.model.yml b/shared/threat-models/ext/threat-model-grouping.model.yml
index 7cc650d33415..70493c253866 100644
--- a/shared/threat-models/ext/threat-model-grouping.model.yml
+++ b/shared/threat-models/ext/threat-model-grouping.model.yml
@@ -21,3 +21,6 @@ extensions:
 # Android threat models
 - ["android-external-storage-dir", "android"]
 - ["contentprovider", "android"]
+
+ # Threat models that are not grouped with any other threat models
+ # "reverse-dns"
From 60b9d19d72683cb12735a94d1dbae6a366836d4c Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Sat, 29 Jun 2024 21:29:21 +0100
Subject: [PATCH 07/15] Add explicit relation between "reverse-dns" and "all"
---
 shared/threat-models/ext/threat-model-grouping.model.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/shared/threat-models/ext/threat-model-grouping.model.yml b/shared/threat-models/ext/threat-model-grouping.model.yml
index 70493c253866..b4f67c104454 100644
--- a/shared/threat-models/ext/threat-model-grouping.model.yml
+++ b/shared/threat-models/ext/threat-model-grouping.model.yml
@@ -22,5 +22,7 @@ extensions:
 - ["android-external-storage-dir", "android"]
 - ["contentprovider", "android"]
 
- # Threat models that are not grouped with any other threat models
- # "reverse-dns"
+ # Threat models that are not grouped with any other threat models.
+ # (Note that all threat models are a child of "all" implicitly, and we
+ # make it explicit here just to make sure all threat models are listed.)
+ - ["reverse-dns", "all"]
From 8526510783e450716616f16596b48f6a7c30fb1e Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Mon, 8 Jul 2024 15:15:40 +0100
Subject: [PATCH 08/15] Add ungrouped threat models to threat-model-grouping.model.yml
---
 shared/threat-models/ext/threat-model-grouping.model.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/shared/threat-models/ext/threat-model-grouping.model.yml b/shared/threat-models/ext/threat-model-grouping.model.yml
index b4f67c104454..fcd27205d62b 100644
--- a/shared/threat-models/ext/threat-model-grouping.model.yml
+++ b/shared/threat-models/ext/threat-model-grouping.model.yml
@@ -25,4 +25,6 @@ extensions:
 # Threat models that are not grouped with any other threat models.
 # (Note that all threat models are a child of "all" implicitly, and we
 # make it explicit here just to make sure all threat models are listed.)
+ - ["database-access-result", "all"]
+ - ["file-write", "all"]
 - ["reverse-dns", "all"]
From 64432215a99572ec1f20902a3136ddb7aa872988 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Mon, 8 Jul 2024 15:16:14 +0100
Subject: [PATCH 09/15] Make "reverse-dns" pass validation
---
 shared/mad/codeql/mad/ModelValidation.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/mad/codeql/mad/ModelValidation.qll b/shared/mad/codeql/mad/ModelValidation.qll
index d403ecdb0532..bd2c497ea4c2 100644
--- a/shared/mad/codeql/mad/ModelValidation.qll
+++ b/shared/mad/codeql/mad/ModelValidation.qll
@@ -118,7 +118,7 @@ module KindValidation {
 this =
 [
 // shared
- "local", "remote", "file", "commandargs", "database", "environment",
+ "local", "remote", "file", "commandargs", "database", "environment", "reverse-dns",
 // Java
 "android-external-storage-dir", "contentprovider",
 // C#
From 07a25a233de85845e822f6cd9d1c05cf78087980 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Mon, 8 Jul 2024 15:32:47 +0100
Subject: [PATCH 10/15] Update threat model documentation
---
 docs/codeql/reusables/threat-model-description.rst | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/docs/codeql/reusables/threat-model-description.rst b/docs/codeql/reusables/threat-model-description.rst
index 53a872487bfa..e35db8b21c22 100644
--- a/docs/codeql/reusables/threat-model-description.rst
+++ b/docs/codeql/reusables/threat-model-description.rst
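Review bot: `"reverse-dns"` is appended to the list under the `// shared` comment, next to kinds every language uses, while the documentation added in patch 10 says it is currently used only by Java and the other Java-only kinds sit under `// Java` two lines below. If `// shared` here means "declared in the shared grouping file" rather than "used by several languages", a short comment saying so would help; otherwise the entry belongs on the Java line: `"android-external-storage-dir", "contentprovider", "reverse-dns",`. The enclosing string-set expression starts before and ends after the hunk.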
@@ -4,7 +4,16 @@ A threat model is a named class of dataflow sources that can be enabled or disab
 
 The ``kind`` property of the ``sourceModel`` determines which threat model a source is associated with. There are two main categories:
 
-- ``remote`` which represents requests and responses from the network.
-- ``local`` which represents data from local files (``file``), command-line arguments (``commandargs``), database reads (``database``), and environment variables(``environment``).
+- ``remote`` which represents requests (``request``) and responses (``response``) from the network.
+- ``local`` which represents data from local files (``file``), command-line arguments (``commandargs``), database reads (``database``), environment variables(``environment``) and Windows registry values ("windows-registry").
+
+Note that subcategories can be turned included or excluded separately, so you can specify ``local`` without ``database``, or just ``commandargs`` and ``environment`` without the rest of ``local``.
+
+The less commonly used categories are:
+
+- ``android`` which represents reads from external files in Android (``android-external-storage-dir``) and parameter of an entry-point method declared in a ``ContentProvider`` class (``contentprovider``).
+- ``database-access-result`` which represents a database access (currently only used by javascript).
+- ``file-write`` which represents opening a file in write mode (currently only used in C#).
+- ``reverse-dns`` which represents reverse DNS lookups (currently only used in java).
 
 When running a CodeQL analysis, the ``remote`` threat model is included by default. You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see `Analyzing your code with CodeQL queries `__ and `Customizing your advanced setup for code scanning `__.
From 8241d0b7efff45087a1105a1b0061ad286b06b93 Mon Sep 17 00:00:00 2001
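Review bot: The new paragraph reads "subcategories can be turned included or excluded separately", where "turned" is left over from an earlier wording and should go, and in the ``local`` bullet `environment variables(``environment``)` lacks a space while `("windows-registry")` uses plain quotes where every other kind name uses double-backtick literals; all three survive the copy-edits in patches 13 and 14. The bullets for the less common categories say only which language uses each kind, not what data becomes a source — "represents a database access" for ``database-access-result`` does not tell a reader whether enabling it matters to them — so one clause per bullet naming the kind of value that is treated as untrusted would make the list actionable. The ``remote`` bullet also gains ``request`` and ``response`` subcategories that patch 14 removes again as unused; if they are not meant to be enabled yet, that is the right call.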
From: Owen Mansel-Chan
Date: Mon, 8 Jul 2024 15:33:39 +0100
Subject: [PATCH 11/15] Update QLDoc for ReverseDnsUserInput
---
 java/ql/lib/semmle/code/java/dataflow/FlowSources.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
index 93a3a4a322b9..c97a97f27972 100644
--- a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
@@ -373,7 +373,7 @@ class AndroidJavascriptInterfaceMethodParameter extends RemoteFlowSource {
 }
 }
 
-/** A node with input that may be controlled by a local user. */
+/** A node with input that comes from a reverse DNS lookup. */
 abstract class ReverseDnsUserInput extends UserInput {
 override string getThreatModel() { result = "reverse-dns" }
 }
From b83147fa44e909b0855d6a06061b40ca34ce27df Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Mon, 8 Jul 2024 15:39:27 +0100
Subject: [PATCH 12/15] Add links on threat models to change note
---
 .../2024-06-14-reverse-dns-separate-threat-model-kind.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/lib/change-notes/2024-06-14-reverse-dns-separate-threat-model-kind.md b/java/ql/lib/change-notes/2024-06-14-reverse-dns-separate-threat-model-kind.md
index b19e90a307ff..f5e39a0b5ea5 100644
--- a/java/ql/lib/change-notes/2024-06-14-reverse-dns-separate-threat-model-kind.md
+++ b/java/ql/lib/change-notes/2024-06-14-reverse-dns-separate-threat-model-kind.md
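Review bot: The corrected QLDoc `A node with input that comes from a reverse DNS lookup.` says what the node is but not how it differs from the `RemoteFlowSource` it replaced, which is the fact a query author extending this abstract class needs: it is no longer a remote source, and per the change note in this series it only contributes when the "reverse-dns" threat model is enabled. Suggested text: `/** A node with input that comes from a reverse DNS lookup. Such nodes are not `RemoteFlowSource`s; they are only treated as sources when the "reverse-dns" threat model is enabled. */`. Mentioning that the `localhost`/loopback exclusion lives in the private `ReverseDnsSource` subclass, so other subclasses get no such filtering, would also save an implementer a surprise.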
@@ -1,4 +1,4 @@
 ---
 category: majorAnalysis
 ---
-* We previously considered reverse DNS resolutions (IP address -> domain name) as sources of untrusted data, since compromised/malicious DNS servers could potentially return malicious responses to arbitrary requests. We have now removed this source from the default set of untrusted sources and made a new threat model kind for them, called "reverse-dns".
+* We previously considered reverse DNS resolutions (IP address -> domain name) as sources of untrusted data, since compromised/malicious DNS servers could potentially return malicious responses to arbitrary requests. We have now removed this source from the default set of untrusted sources and made a new threat model kind for them, called "reverse-dns". You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see [Analyzing your code with CodeQL queries](https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data>) and [Customizing your advanced setup for code scanning](https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models).
From d4bfab47352868e3313b66a3d724135a25110865 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Tue, 9 Jul 2024 07:00:01 +0100
Subject: [PATCH 13/15] Accept minor copy-editing suggestions.
---
 docs/codeql/reusables/threat-model-description.rst | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/docs/codeql/reusables/threat-model-description.rst b/docs/codeql/reusables/threat-model-description.rst
index e35db8b21c22..bc21e7ad170b 100644
--- a/docs/codeql/reusables/threat-model-description.rst
+++ b/docs/codeql/reusables/threat-model-description.rst
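Review bot: The first Markdown link's URL ends in `tainted-data>)`; the `>` before the closing parenthesis is absent from the second link, would be sent as part of the fragment, and looks like a leftover from an rst-style `<url>` target — unless it is an artefact of how this patch was captured, it should end `...sources-of-tainted-data)`. "You can optionally include other threat models" also follows directly after the statement that reverse DNS was removed from the defaults, so "other" reads as if "reverse-dns" were still included; "include this and other threat models" would be clearer. A change note is the one place users will look for it, so naming the practical effect — that queries using only `RemoteFlowSource` stop reporting `getHostName()` results regardless of the threat-model setting — would be worth a sentence, if that is indeed the behaviour.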
@@ -5,15 +5,15 @@ A threat model is a named class of dataflow sources that can be enabled or disab
 The ``kind`` property of the ``sourceModel`` determines which threat model a source is associated with. There are two main categories:
 
 - ``remote`` which represents requests (``request``) and responses (``response``) from the network.
-- ``local`` which represents data from local files (``file``), command-line arguments (``commandargs``), database reads (``database``), environment variables(``environment``) and Windows registry values ("windows-registry").
+- ``local`` which represents data from local files (``file``), command-line arguments (``commandargs``), database reads (``database``), environment variables(``environment``) and Windows registry values ("windows-registry"). Currently, Windows registry values are used by C# only.
 
 Note that subcategories can be turned included or excluded separately, so you can specify ``local`` without ``database``, or just ``commandargs`` and ``environment`` without the rest of ``local``.
 
 The less commonly used categories are:
 
-- ``android`` which represents reads from external files in Android (``android-external-storage-dir``) and parameter of an entry-point method declared in a ``ContentProvider`` class (``contentprovider``).
-- ``database-access-result`` which represents a database access (currently only used by javascript).
-- ``file-write`` which represents opening a file in write mode (currently only used in C#).
-- ``reverse-dns`` which represents reverse DNS lookups (currently only used in java).
+- ``android`` which represents reads from external files in Android (``android-external-storage-dir``) and parameter of an entry-point method declared in a ``ContentProvider`` class (``contentprovider``). Currently only used by Java/Kotlin.
+- ``database-access-result`` which represents a database access. Currently only used by JavaScript.
+- ``file-write`` which represents opening a file in write mode. Currently only used in C#.
+- ``reverse-dns`` which represents reverse DNS lookups. Currently only used in Java.
 
 When running a CodeQL analysis, the ``remote`` threat model is included by default. You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see `Analyzing your code with CodeQL queries `__ and `Customizing your advanced setup for code scanning `__.
From a64eafca2b634bd94b49be774d1c59a2a997afd4 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Sat, 20 Jul 2024 21:31:08 +0100
Subject: [PATCH 14/15] Do not mention subcategories of `remote`

They are not in use by any language yet.
---
 docs/codeql/reusables/threat-model-description.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/codeql/reusables/threat-model-description.rst b/docs/codeql/reusables/threat-model-description.rst
index bc21e7ad170b..45fe03174563 100644
--- a/docs/codeql/reusables/threat-model-description.rst
+++ b/docs/codeql/reusables/threat-model-description.rst
@@ -4,7 +4,7 @@ A threat model is a named class of dataflow sources that can be enabled or disab
 
 The ``kind`` property of the ``sourceModel`` determines which threat model a source is associated with. There are two main categories:
 
-- ``remote`` which represents requests (``request``) and responses (``response``) from the network.
+- ``remote`` which represents requests and responses from the network.
 - ``local`` which represents data from local files (``file``), command-line arguments (``commandargs``), database reads (``database``), environment variables(``environment``) and Windows registry values ("windows-registry"). Currently, Windows registry values are used by C# only.
 
 Note that subcategories can be turned included or excluded separately, so you can specify ``local`` without ``database``, or just ``commandargs`` and ``environment`` without the rest of ``local``.
From 2a5144d9d9a41c0d698d3d3693b8a78f6049bd43 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Sat, 20 Jul 2024 21:40:02 +0100
Subject: [PATCH 15/15] Improve tests for reverse DNS sources
---
 java/ql/test/library-tests/dataflow/taintsources/A.java | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/java/ql/test/library-tests/dataflow/taintsources/A.java b/java/ql/test/library-tests/dataflow/taintsources/A.java
index 6b91a4ca1bfe..f28834e58375 100644
--- a/java/ql/test/library-tests/dataflow/taintsources/A.java
+++ b/java/ql/test/library-tests/dataflow/taintsources/A.java
@@ -44,6 +44,11 @@ public void test(ResultSet rs) throws SQLException {
 sink(new URL("test").openConnection().getInputStream()); // $hasRemoteValueFlow
 sink(new Socket("test", 1234).getInputStream()); // $hasRemoteValueFlow
 sink(InetAddress.getByName("test").getHostName()); // $hasReverseDnsValueFlow
+ sink(InetAddress.getLocalHost().getHostName());
+ sink(InetAddress.getLoopbackAddress().getHostName());
+ sink(InetAddress.getByName("test").getCanonicalHostName()); // $hasReverseDnsValueFlow
+ sink(InetAddress.getLocalHost().getCanonicalHostName());
+ sink(InetAddress.getLoopbackAddress().getCanonicalHostName());
 sink(System.in); // $hasLocalValueFlow
 sink(new FileInputStream("test")); // $hasLocalValueFlow