Skip to content

Java: Update MaD Declarations after Triage #12366

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
atorralba merged 14 commits into from
Mar 21, 2023
Merged

Java: Update MaD Declarations after Triage #12366

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
ec1762e
Update MaD Declarations after Triage
Mar 2, 2023
74e2617
remove predicate
Mar 2, 2023
2236db4
sort the changed MaD declarations
Mar 2, 2023
b7ce0c2
fix: taint flow of ctor goes to Argument[-1], instead of ReturnValue
Mar 6, 2023
bd21dc9
remove nonexploitable sinks
Mar 14, 2023
4761c3a
remove duplicates
Mar 14, 2023
12bb0d9
move toFile back to its original location
Mar 14, 2023
bc99a44
Apply suggestions from code review
atorralba Mar 20, 2023
bc22717
Update java/ql/lib/ext/org.geogebra.web.full.main.model.yml
Mar 20, 2023
8802fbd
Update java/ql/lib/ext/java.nio.file.model.yml
Mar 20, 2023
0cab45e
update old data to current standard (stream creation arg is a sink)
Mar 20, 2023
a66b7ed
Fix incorrect model, add missing model
atorralba Mar 20, 2023
f685b93
Add change note
atorralba Mar 20, 2023
1258812
Fix Argument[this]
atorralba Mar 20, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions java/ql/lib/change-notes/2023-03-20-dataflow-models.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
---
category: minorAnalysis
---
* Added more sink and summary dataflow models for the following packages:
* `java.net`
* `java.nio.file`
* `javax.imageio.stream`
* `javax.naming`
* `javax.servlet`
* `org.geogebra.web.full.main`
2 changes: 1 addition & 1 deletion java/ql/lib/ext/hudson.model.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ extensions:
pack: codeql/java-all
extensible: summaryModel
data:
- ["hudson.model", "DirectoryBrowserSupport$Path", False, "Path", "(String,String,boolean,long,boolean,long)", "", "Argument[0]", "Argument[-1].SyntheticField[hudson.model.DirectoryBrowserSupport$Path.href]", "taint", "ai-generated"]
- ["hudson.model", "DirectoryBrowserSupport$Path", False, "Path", "(String,String,boolean,long,boolean,long)", "", "Argument[0]", "Argument[this].SyntheticField[hudson.model.DirectoryBrowserSupport$Path.href]", "taint", "ai-generated"]
- addsTo:
pack: codeql/java-all
extensible: sinkModel
Expand Down
2 changes: 1 addition & 1 deletion java/ql/lib/ext/io.netty.handler.codec.http.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,4 +9,4 @@ extensions:
pack: codeql/java-all
extensible: summaryModel
data:
- ["io.netty.handler.codec.http", "QueryStringEncoder", True, "QueryStringEncoder", "(String)", "", "Argument[0]", "Argument[-1]", "taint", "ai-generated"]
- ["io.netty.handler.codec.http", "QueryStringEncoder", True, "QueryStringEncoder", "(String)", "", "Argument[0]", "Argument[this]", "taint", "ai-generated"]
14 changes: 10 additions & 4 deletions java/ql/lib/ext/java.net.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,23 +19,29 @@ extensions:
- ["java.net", "URLClassLoader", False, "URLClassLoader", "(URL[],ClassLoader)", "", "Argument[0]", "open-url", "manual"]
- ["java.net", "URLClassLoader", False, "URLClassLoader", "(URL[],ClassLoader,URLStreamHandlerFactory)", "", "Argument[0]", "open-url", "manual"]
- ["java.net", "URLClassLoader", False, "newInstance", "", "", "Argument[0]", "open-url", "manual"]
- ["java.net", "URLClassLoader", False, "URLClassLoader", "(String,URL[],ClassLoader,URLStreamHandlerFactory)", "", "Argument[1]", "open-url", "manual"]
- ["java.net", "URLClassLoader", False, "URLClassLoader", "(String,URL[],ClassLoader)", "", "Argument[1]", "open-url", "manual"]
- ["java.net", "URLClassLoader", False, "URLClassLoader", "(URL[],ClassLoader,URLStreamHandlerFactory)", "", "Argument[0]", "open-url", "manual"]
- ["java.net", "URLClassLoader", False, "URLClassLoader", "(URL[],ClassLoader)", "", "Argument[0]", "open-url", "manual"]
- ["java.net", "URLClassLoader", False, "URLClassLoader", "(URL[])", "", "Argument[0]", "open-url", "manual"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["java.net", "InetAddress", True, "getByName", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["java.net", "InetAddress", True, "getAllByName", "(String)", "", "Argument[0]", "ReturnValue.ArrayElement", "taint", "ai-generated"]
- ["java.net", "InetSocketAddress", True, "createUnresolved", "(String,int)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["java.net", "InetSocketAddress", True, "InetSocketAddress", "(String,int)", "", "Argument[0]", "Argument[this]", "taint", "ai-generated"]
- ["java.net", "URI", False, "resolve", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["java.net", "URI", False, "resolve", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["java.net", "URI", False, "URI", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["java.net", "URI", False, "create", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["java.net", "URI", False, "resolve", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["java.net", "URI", False, "resolve", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["java.net", "URI", False, "toASCIIString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.net", "URI", False, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.net", "URI", False, "toURL", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.net", "URL", False, "URL", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["java.net", "URL", False, "toURI", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.net", "URL", False, "toExternalForm", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.net", "URL", False, "URL", "(URL,String)", "", "Argument[0]", "Argument[this]", "taint", "ai-generated"]
- ["java.net", "URL", False, "URL", "(URL,String)", "", "Argument[1]", "Argument[this]", "taint", "ai-generated"] # @atorralba: review for consistency
- ["java.net", "URL", False, "toExternalForm", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.net", "URL", False, "toURI", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.net", "URLDecoder", False, "decode", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
Comment thread
kaeluka marked this conversation as resolved.
25 changes: 24 additions & 1 deletion java/ql/lib/ext/java.nio.file.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,18 +23,41 @@ extensions:
- ["java.nio.file", "Files", False, "write", "", "", "Argument[1]", "write-file", "manual"]
- ["java.nio.file", "Files", False, "writeString", "", "", "Argument[0]", "create-file", "manual"]
- ["java.nio.file", "Files", False, "writeString", "", "", "Argument[1]", "write-file", "manual"]
- ["java.nio.file", "Files", True, "move", "(Path,Path,CopyOption[])", "", "Argument[1]", "create-file", "ai-generated"]
- ["java.nio.file", "Files", True, "move", "(Path,Path,CopyOption[])", "", "Argument[0]", "create-file", "ai-generated"] # should be delete-file
- ["java.nio.file", "Files", True, "delete", "(Path)", "", "Argument[0]", "create-file", "ai-generated"] # should be delete-file
- ["java.nio.file", "Files", True, "newInputStream", "(Path,OpenOption[])", "", "Argument[0]", "read-file", "ai-generated"]
- ["java.nio.file", "Files", True, "newOutputStream", "(Path,OpenOption[])", "", "Argument[0]", "create-file", "ai-generated"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["java.nio.file", "Files", True, "newBufferedReader", "(Path,Charset)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["java.nio.file", "Files", True, "newBufferedReader", "(Path)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["java.nio.file", "Files", True, "newByteChannel", "(Path,OpenOption[])", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["java.nio.file", "Files", True, "newByteChannel", "(Path,Set,FileAttribute[])", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["java.nio.file", "Files", True, "newDirectoryStream", "(Path,Filter)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["java.nio.file", "Files", True, "newDirectoryStream", "(Path)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["java.nio.file", "Files", True, "walk", "(Path,FileVisitOption[])", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["java.nio.file", "FileSystem", True, "getPath", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "FileSystem", True, "getPath", "(String,String[])", "", "Argument[1]", "ReturnValue", "taint", "ai-generated"]
- ["java.nio.file", "FileSystem", True, "getPathMatcher", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["java.nio.file", "FileSystem", True, "getRootDirectories", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "Path", True, "getParent", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "Path", True, "normalize", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "Path", True, "resolve", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "Path", True, "of", "(String,String[])", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
Comment thread
kaeluka marked this conversation as resolved.
- ["java.nio.file", "Path", True, "of", "(String,String[])", "", "Argument[1]", "ReturnValue", "taint", "ai-generated"]
- ["java.nio.file", "Path", True, "of", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["java.nio.file", "Path", True, "resolve", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "Path", True, "resolve", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "Path", True, "toAbsolutePath", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "Path", False, "toFile", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "Path", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "Path", True, "toUri", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "Paths", True, "get", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "Paths", True, "get", "", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"]
# Not supported by current lambda flow
# - ["java.nio.file", "Files", True, "walkFileTree", "(Path,FileVisitor)", "", "Argument[0]", "Argument[1].Method[postVisitDirectory(Path,IOException)].Parameter[0]", "taint", "ai-generated"]
# - ["java.nio.file", "Files", True, "walkFileTree", "(Path,FileVisitor)", "", "Argument[0]", "Argument[1].Method[preVisitDirectory(Path,BasicFileAttributes)].Parameter[0]", "taint", "ai-generated"]
# - ["java.nio.file", "Files", True, "walkFileTree", "(Path,FileVisitor)", "", "Argument[0]" "Argument[1].Method[visitFile(Path,BasicFileAttributes)].Parameter[0]", "taint", "ai-generated"]
# - ["java.nio.file", "Files", True, "walkFileTree", "(Path,FileVisitor)", "", "Argument[0]", "Argument[1].Method[visitFileFailed(Path,IOException)].Parameter[0]", "taint", "ai-generated"]
7 changes: 7 additions & 0 deletions java/ql/lib/ext/javax.imageio.stream.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
extensions:

- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["javax.imageio.stream", "FileCacheImageInputStream", True, "FileCacheImageInputStream", "(InputStream,File)", "", "Argument[0]", "Argument[this].Element", "taint", "ai-generated"]
6 changes: 6 additions & 0 deletions java/ql/lib/ext/javax.naming.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,3 +9,9 @@ extensions:
- ["javax.naming", "Context", True, "lookupLink", "", "", "Argument[0]", "jndi-injection", "manual"]
- ["javax.naming", "Context", True, "rename", "", "", "Argument[0]", "jndi-injection", "manual"]
- ["javax.naming", "InitialContext", True, "doLookup", "", "", "Argument[0]", "jndi-injection", "manual"]

- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["javax.naming", "StringRefAddr", True, "StringRefAddr", "(String,String)", "", "Argument[1]", "Argument[this]", "taint", "ai-generated"]
6 changes: 6 additions & 0 deletions java/ql/lib/ext/javax.servlet.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,3 +9,9 @@ extensions:
- ["javax.servlet", "ServletRequest", False, "getParameterNames", "()", "", "ReturnValue", "remote", "manual"]
- ["javax.servlet", "ServletRequest", False, "getParameterValues", "(String)", "", "ReturnValue", "remote", "manual"]
- ["javax.servlet", "ServletRequest", False, "getReader", "()", "", "ReturnValue", "remote", "manual"]

- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["javax.servlet", "ServletContext", True, "getResourceAsStream", "(String)", "", "Argument[0]", "read-file", "ai-generated"]
7 changes: 7 additions & 0 deletions java/ql/lib/ext/org.geogebra.web.full.main.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
extensions:

- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["org.geogebra.web.full.main", "FileManager", True, "open", "(String,String)", "", "Argument[0]", "url-redirect", "ai-generated"]