Skip to content

Java: add some neutral models discovered with heuristics #12249

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jcogs33 merged 6 commits into from
Jun 1, 2023
Merged

Java: add some neutral models discovered with heuristics #12249

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
65dd7eb
Java: add neutral models discovered with path-inj and ssrf heuristics
May 11, 2023
60b0708
Java: add 'sink' kind
May 11, 2023
7e6913a
Java: update provenance to 'hq-manual'
May 11, 2023
f255b6a
Java: fix typos
May 22, 2023
24fc4ba
Java: add tests
May 26, 2023
82f208c
Java: add isNeutralSink test case
May 31, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions java/ql/lib/ext/java.io.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,7 @@ extensions:
pack: codeql/java-all
extensible: neutralModel
data:
# summary neutrals
- ["java.io", "Closeable", "close", "()", "summary", "manual"]
- ["java.io", "DataOutput", "writeBoolean", "(boolean)", "summary", "manual"]
- ["java.io", "File", "delete", "()", "summary", "manual"]
Expand All @@ -117,3 +118,7 @@ extensions:
- ["java.io", "DataInput", "readLong", "()", "summary", "manual"] # taint-numeric
- ["java.io", "DataOutput", "writeInt", "(int)", "summary", "manual"] # taint-numeric
- ["java.io", "DataOutput", "writeLong", "(long)", "summary", "manual"] # taint-numeric

# sink neutrals
- ["java.io", "File", "compareTo", "", "sink", "hq-manual"]
- ["java.io", "File", "exists", "()", "sink", "hq-manual"]
18 changes: 18 additions & 0 deletions java/ql/lib/ext/java.nio.file.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,4 +81,22 @@ extensions:
pack: codeql/java-all
extensible: neutralModel
data:
# summary neutrals
- ["java.nio.file", "Files", "exists", "(Path,LinkOption[])", "summary", "manual"]

# sink neutrals
- ["java.nio.file", "Files", "exists", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "getLastModifiedTime", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "getOwner", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "getPosixFilePermissions", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "isDirectory", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "isExecutable", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "isHidden", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "isReadable", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "isRegularFile", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "isSameFile", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "isSymbolicLink", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "isWritable", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "notExists", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "setLastModifiedTime", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "size", "", "sink", "hq-manual"]
8 changes: 8 additions & 0 deletions java/ql/lib/ext/java.nio.file.spi.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
# sink neutrals
- ["java.nio.file.spi", "FileSystemProvider", "isHidden", "", "sink", "hq-manual"]
- ["java.nio.file.spi", "FileSystemProvider", "isSameFile", "", "sink", "hq-manual"]
6 changes: 6 additions & 0 deletions java/ql/lib/ext/java.text.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,14 @@ extensions:
pack: codeql/java-all
extensible: neutralModel
data:
# summary neutrals
# The below APIs have numeric flow and are currently being stored as neutral models.
# These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
- ["java.text", "DateFormat", "format", "(Date)", "summary", "manual"] # taint-numeric
- ["java.text", "DateFormat", "parse", "(String)", "summary", "manual"] # taint-numeric
- ["java.text", "SimpleDateFormat", "SimpleDateFormat", "(String)", "summary", "manual"] # taint-numeric

# sink neutrals
- ["java.text", "Collator", "compare", "", "sink", "hq-manual"]
- ["java.text", "Collator", "equals", "", "sink", "hq-manual"]
- ["java.text", "RuleBasedCollator", "compare", "", "sink", "hq-manual"]
8 changes: 8 additions & 0 deletions java/ql/lib/ext/java.util.prefs.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
# sink neutrals
- ["java.util.prefs", "AbstractPreferences", "nodeExists", "", "sink", "hq-manual"]
- ["java.util.prefs", "Preferences", "nodeExists", "", "sink", "hq-manual"]
7 changes: 7 additions & 0 deletions java/ql/lib/ext/org.apache.hc.client5.http.protocol.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
# sink neutrals
- ["org.apache.hc.client5.http.protocol", "RedirectLocations", "contains", "", "sink", "hq-manual"]
Empty file added java/ql/test/library-tests/neutrals/neutralsinks/NeutralSinksTest.expected
View file
Open in desktop
Empty file.
40 changes: 40 additions & 0 deletions java/ql/test/library-tests/neutrals/neutralsinks/NeutralSinksTest.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
import java
import TestUtilities.InlineExpectationsTest
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.ExternalFlow
import semmle.code.java.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl

class SinkTest extends InlineExpectationsTest {
SinkTest() { this = "SinkTest" }

override string getARelevantTag() { result = "isSink" }

override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "isSink" and
exists(DataFlow::Node sink |
sinkNode(sink, _) and
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}

class NeutralSinkTest extends InlineExpectationsTest {
NeutralSinkTest() { this = "NeutralSinkTest" }

override string getARelevantTag() { result = "isNeutralSink" }

override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "isNeutralSink" and
exists(Call call, Callable callable |
call.getCallee() = callable and
neutralModel(callable.getDeclaringType().getCompilationUnit().getPackage().getName(),
callable.getDeclaringType().getSourceDeclaration().nestedName(), callable.getName(),
[paramsString(callable), ""], "sink", _) and
call.getLocation() = location and
element = call.toString() and
value = ""
)
}
}
61 changes: 61 additions & 0 deletions java/ql/test/library-tests/neutrals/neutralsinks/Test.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
import java.io.File;
import java.nio.file.Files;
import java.nio.file.spi.FileSystemProvider;
import java.nio.file.LinkOption;
import java.text.Collator;
import java.text.RuleBasedCollator;
import java.util.prefs.AbstractPreferences;
import java.util.prefs.Preferences;
import org.apache.hc.client5.http.protocol.RedirectLocations;

public class Test {

public void test() throws Exception {

// java.io
File file = null;
file.exists(); // $ isNeutralSink
file.compareTo(null); // $ isNeutralSink

// java.nio.file
Files.exists(null, (LinkOption[])null); // $ isNeutralSink
Files.getLastModifiedTime(null, (LinkOption[])null); // $ isNeutralSink
Files.getOwner(null, (LinkOption[])null); // $ isNeutralSink
Files.getPosixFilePermissions(null, (LinkOption[])null); // $ isNeutralSink
Files.isDirectory(null, (LinkOption[])null); // $ isNeutralSink
Files.isExecutable(null); // $ isNeutralSink
Files.isHidden(null); // $ isNeutralSink
Files.isReadable(null); // $ isNeutralSink
Files.isRegularFile(null, (LinkOption[])null); // $ isNeutralSink
Files.isSameFile(null, null); // $ isNeutralSink
Files.isSymbolicLink(null); // $ isNeutralSink
Files.isWritable(null); // $ isNeutralSink
Files.notExists(null, (LinkOption[])null); // $ isNeutralSink
Files.setLastModifiedTime(null, null); // $ isNeutralSink
Files.size(null); // $ isNeutralSink

// java.nio.file.spi
FileSystemProvider fsp = null;
fsp.isHidden(null); // $ isNeutralSink
fsp.isSameFile(null, null); // $ isNeutralSink

// java.text
Collator c = null;
c.compare(null, null); // $ isNeutralSink
c.equals(null); // $ isNeutralSink
c.equals(null, null); // $ isNeutralSink
RuleBasedCollator rbc = null;
rbc.compare(null, null); // $ isNeutralSink

// java.util.prefs
AbstractPreferences ap = null;
ap.nodeExists(null); // $ isNeutralSink
Preferences p = null;
p.nodeExists(null); // $ isNeutralSink

// org.apache.hc.client5.http.protocol
RedirectLocations rl = null;
rl.contains(null); // $ isNeutralSink
}

}
1 change: 1 addition & 0 deletions java/ql/test/library-tests/neutrals/neutralsinks/options
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/apache-http-5
111 changes: 111 additions & 0 deletions java/ql/test/stubs/apache-http-5/org/apache/hc/client5/http/protocol/RedirectLocations.java
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.