From 93ba79aa0fe3ef076e99bfa438f648948ffc34b2 Mon Sep 17 00:00:00 2001 
From: Chuan-kai Lin
Date: Wed, 11 Sep 2024 11:53:29 -0700
Subject: [PATCH] Java: apply query alert restrictions
---
 .../code/java/security/AndroidIntentRedirectionQuery.qll | 2 ++
 .../semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll | 2 ++
 java/ql/lib/semmle/code/java/security/CommandLineQuery.qll | 2 ++
 .../java/security/ExternallyControlledFormatStringQuery.qll | 2 ++
 .../lib/semmle/code/java/security/FragmentInjectionQuery.qll | 2 ++
 .../ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll | 2 ++
 .../semmle/code/java/security/ImplicitPendingIntentsQuery.qll | 2 ++
 .../semmle/code/java/security/InsecureBeanValidationQuery.qll | 2 ++
 .../lib/semmle/code/java/security/InsecureLdapAuthQuery.qll | 2 ++
 .../lib/semmle/code/java/security/InsecureRandomnessQuery.qll | 2 ++
 .../semmle/code/java/security/InsecureTrustManagerQuery.qll | 2 ++
 .../semmle/code/java/security/InsufficientKeySizeQuery.qll | 2 ++
 .../java/security/IntentUriPermissionManipulationQuery.qll | 2 ++
 java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll | 2 ++
 java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll | 2 ++
 java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll | 2 ++
 .../code/java/security/MissingJWTSignatureCheckQuery.qll | 2 ++
 java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll | 2 ++
 .../lib/semmle/code/java/security/NumericCastTaintedQuery.qll | 2 ++
 java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll | 2 ++
 .../semmle/code/java/security/PartialPathTraversalQuery.qll | 2 ++
 .../ql/lib/semmle/code/java/security/RequestForgeryConfig.qll | 2 ++
 .../lib/semmle/code/java/security/ResponseSplittingQuery.qll | 2 ++
 java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll | 2 ++
 java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll | 2 ++
 java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll | 2 ++
 .../code/java/security/StaticInitializationVectorQuery.qll | 2 ++
 java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll | 2 ++
 .../code/java/security/TaintedPermissionsCheckQuery.qll | 2 ++
 .../lib/semmle/code/java/security/TemplateInjectionQuery.qll | 2 ++
 .../code/java/security/UnsafeContentUriResolutionQuery.qll | 2 ++
 .../semmle/code/java/security/UnsafeDeserializationQuery.qll | 2 ++
 .../code/java/security/UnsafeHostnameVerificationQuery.qll | 2 ++
 java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll | 2 ++
 java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll | 2 ++
 .../code/java/security/WebviewDebuggingEnabledQuery.qll | 2 ++
 java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll | 2 ++
 java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll | 2 ++
 java/ql/lib/semmle/code/java/security/XssQuery.qll | 2 ++
 java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll | 2 ++
 java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll | 2 ++
 .../semmle/code/java/security/regexp/PolynomialReDoSQuery.qll | 2 ++
 .../semmle/code/java/security/regexp/RegexInjectionQuery.qll | 2 ++
 java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql | 1 +
 java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql | 2 ++
 java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql | 1 +
 java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql | 1 +
 .../CWE/CWE-287/AndroidInsecureLocalAuthentication.ql | 4 +++-
 .../CWE/CWE-295/ImproperWebViewCertificateValidation.ql | 4 +++-
 java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql | 1 +
 java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql | 4 +++-
 .../CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql | 4 +++-
 java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql | 1 +
 java/ql/src/Security/CWE/CWE-730/ReDoS.ql | 2 ++
 .../src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql | 3 +++
 .../ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql | 4 +++-
 56 files changed, 113 insertions(+), 5 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll
index b179a4f92e074..0b0d557656ca3 100644
--- a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll
@@ -18,6 +18,8 @@ module IntentRedirectionConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(IntentRedirectionAdditionalTaintStep c).step(node1, node2) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /** Tracks the flow of tainted Intents being used to start Android components. */
diff --git a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
index bfd48b24e80a0..efd8657f1f452 100644
--- a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
@@ -31,6 +31,8 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node n) { exists(CryptoAlgoSpec c | n.asExpr() = c.getAlgoSpec()) }
 predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /**
diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
index 692bdfc1a708f..eefff3a868857 100644
--- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
@@ -58,6 +58,8 @@ module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) { any(CommandInjectionAdditionalTaintStep s).step(n1, n2) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /**
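Review bot: The added `predicate filterForSourceOrSinkAlerts() { any() }` carries no QLDoc, and the same bare line is repeated in every config module of this patch (BrokenCryptoAlgorithmQuery and CommandLineQuery on this line, then the remaining `.qll` hunks through RegexInjectionQuery); unlike the sibling `isSink`/`isBarrier` predicates it is a reporting policy rather than a model, so the reason for opting in deserves a line. A comment above it such as `/** Opt in to alert filtering on the flow's source or sink; see ConfigSig for the exact semantics. */` would do, with the wording checked against the `ConfigSig` documentation of this predicate, which is outside the patch. Because `any()` enables the restriction unconditionally, a path whose source and sink both lie outside the filtered locations is presumably not reported even when a step between them was changed; if that trade-off is intended it is worth stating once rather than leaving readers to infer it. The enclosing `module` of each hunk begins before the hunk.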
diff --git a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll
index 606e31a07cb71..cb8feb6879e20 100644
--- a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll
@@ -23,6 +23,8 @@ module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) { node.getType() instanceof NumericType or node.getType() instanceof BooleanType }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /**
diff --git a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll
index f625807470df6..aae00cddaea0d 100644
--- a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll
@@ -17,6 +17,8 @@ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) { any(FragmentInjectionAdditionalTaintStep c).step(n1, n2) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /**
diff --git a/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll
index 3af836cac97ad..b45b7b8f1ad9e 100644
--- a/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll
@@ -17,6 +17,8 @@ module GroovyInjectionConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) { any(GroovyInjectionAdditionalTaintStep c).step(fromNode, toNode) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /**
diff --git a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll
index 0a8e0686549d4..1433270c0efde 100644
--- a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll
@@ -48,6 +48,8 @@ module ImplicitPendingIntentStartConfig implements DataFlow::StateConfigSig {
 node.getType().(Array).getElementType() instanceof TypeIntent and c instanceof DataFlow::ArrayContent }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 module ImplicitPendingIntentStartFlow =
diff --git a/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll
index 1ad0677ca615d..b93557c231966 100644
--- a/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll
@@ -49,6 +49,8 @@ module BeanValidationConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /** Tracks flow from user input to the argument of a method that builds constraint error messages. */
diff --git a/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll
index 498a9401071aa..25011487f065e 100644
--- a/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll
@@ -22,6 +22,8 @@ module InsecureLdapUrlConfig implements DataFlow::ConfigSig {
 succ.asExpr() = ma.getQualifier() ) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 module InsecureLdapUrlFlow = TaintTracking::Global;
diff --git a/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll
index 423046b6746ef..6b495d9035f61 100644
--- a/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll
@@ -96,6 +96,8 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig {
 n2.asExpr() = c ) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /**
diff --git a/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll
index d732716ec2e5d..ba79234d17e4c 100644
--- a/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll
@@ -18,6 +18,8 @@ module InsecureTrustManagerConfig implements DataFlow::ConfigSig {
 node.getType() instanceof Array and c instanceof DataFlow::ArrayContent }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 module InsecureTrustManagerFlow = DataFlow::Global;
diff --git a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
index e08cd50cdb3ff..2845df9c28c1b 100644
--- a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
@@ -16,6 +16,8 @@ module KeySizeConfig implements DataFlow::StateConfigSig {
 predicate isSink(DataFlow::Node sink, KeySizeState state) { sink.(InsufficientKeySizeSink).hasState(state) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /** Tracks key sizes used in cryptographic algorithms. */
diff --git a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll
index 740ce24bf62bd..9ceaf347116fd 100644
--- a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll
@@ -23,6 +23,8 @@ module IntentUriPermissionManipulationConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(IntentUriPermissionManipulationAdditionalTaintStep c).step(node1, node2) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /**
diff --git a/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll
index de49560e7792e..f84e18cffd1f1 100644
--- a/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll
@@ -51,6 +51,8 @@ module JexlInjectionConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(JexlInjectionAdditionalTaintStep c).step(node1, node2) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /**
diff --git a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll
index 3c1f4b8e68eb9..e9adaa36095fa 100644
--- a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll
@@ -23,6 +23,8 @@ module JndiInjectionFlowConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(JndiInjectionAdditionalTaintStep c).step(node1, node2) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /** Tracks flow of unvalidated user input that is used in JNDI lookup */
diff --git a/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll
index 5c055c0051671..7a1ab3afb49c4 100644
--- a/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll
@@ -17,6 +17,8 @@ module LdapInjectionFlowConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { any(LdapInjectionAdditionalTaintStep a).step(pred, succ) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /** Tracks flow from remote sources to LDAP injection vulnerabilities. */
diff --git a/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll b/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll
index eaa4c6320c1d1..8e4b9d9f47bea 100644
--- a/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll
@@ -16,6 +16,8 @@ module MissingJwtSignatureCheckConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(JwtParserWithInsecureParseAdditionalFlowStep c).step(node1, node2) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 module MissingJwtSignatureCheckFlow = DataFlow::Global;
diff --git a/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll
index 4bf81804f8277..84d69b98fa674 100644
--- a/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll
@@ -19,6 +19,8 @@ module MvelInjectionFlowConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(MvelInjectionAdditionalTaintStep c).step(node1, node2) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /** Tracks flow of unsafe user input that is used to construct and evaluate a MVEL expression. */
diff --git a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
index b6bd505c38b86..21f6767c8a162 100644
--- a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
@@ -102,6 +102,8 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig {
 }
 predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /**
diff --git a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll
index 3acf18c453cec..f80b1589a1e9e 100644
--- a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll
@@ -18,6 +18,8 @@ module OgnlInjectionFlowConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(OgnlInjectionAdditionalTaintStep c).step(node1, node2) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /** Tracks flow of unvalidated user input that is used in OGNL EL evaluation. */
diff --git a/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll b/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll
index c4c3e6b093cb6..0aed8382bb82e 100644
--- a/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll
@@ -17,6 +17,8 @@ module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node node) { any(PartialPathTraversalMethodCall ma).getQualifier() = node.asExpr() }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /** Tracks flow of unsafe user input that is used to validate against path traversal, but is insufficient and remains vulnerable to Partial Path Traversal. */
diff --git a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll
index e8415cc197868..ac6a9f42ce18d 100644
--- a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll
+++ b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll
@@ -28,6 +28,8 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) { node instanceof RequestForgerySanitizer }
 predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 module RequestForgeryFlow = TaintTracking::Global;
diff --git a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll
index 40e1ec1b4dbb4..e5da757ccc725 100644
--- a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll
@@ -31,6 +31,8 @@ module ResponseSplittingConfig implements DataFlow::ConfigSig {
 ) ) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /**
diff --git a/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll b/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll
index 66e4a0537d2c9..f16c3ebf00411 100644
--- a/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll
@@ -20,6 +20,8 @@ module RsaWithoutOaepConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { exists(CryptoAlgoSpec cr | sink.asExpr() = cr.getAlgoSpec()) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /** Flow for finding RSA ciphers initialized without using OAEP padding. */
diff --git a/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll
index 848aae8da30a3..eca7c0aa90677 100644
--- a/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll
@@ -18,6 +18,8 @@ module SpelInjectionConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(SpelExpressionInjectionAdditionalTaintStep c).step(node1, node2) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /** Tracks flow of unsafe user input that is used to construct and evaluate a SpEL expression. */
diff --git a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
index c4638538a6354..5643569d50b9c 100644
--- a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
@@ -24,6 +24,8 @@ module QueryInjectionFlowConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(AdditionalQueryInjectionTaintStep s).step(node1, node2) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /** Tracks flow of unvalidated user input that is used in SQL queries. */
diff --git a/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll b/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll
index 9ba848d1e0df0..444f79c6db116 100644
--- a/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll
@@ -126,6 +126,8 @@ module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof StaticInitializationVectorSource }
 predicate isSink(DataFlow::Node sink) { sink instanceof EncryptionInitializationSink }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /** Tracks the flow from a static initialization vector to the initialization of a cipher */
diff --git a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll
index c396b48a7b88b..663985327b5c6 100644
--- a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll
@@ -72,6 +72,8 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) { any(TaintedPathAdditionalTaintStep s).step(n1, n2) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /** Tracks flow from remote sources to the creation of a path. */
diff --git a/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll
index 132e8a3fadf21..c8c2770f64b45 100644
--- a/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll
@@ -59,6 +59,8 @@ module TaintedPermissionsCheckFlowConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(PermissionsConstruction p).getInput() }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /** Tracks flow from user input to a permissions check. */
diff --git a/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll
index a9595b0f6f19d..1ca6fd8bbfdfc 100644
--- a/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll
@@ -16,6 +16,8 @@ module TemplateInjectionFlowConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(TemplateInjectionAdditionalTaintStep a).isAdditionalTaintStep(node1, node2) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /** Tracks server-side template injection (SST) vulnerabilities */
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll
index db629143d5ce3..44cccba4f2644 100644
--- a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll
@@ -20,6 +20,8 @@ module UnsafeContentResolutionConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(ContentUriResolutionAdditionalTaintStep s).step(node1, node2) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /** Taint-tracking flow to find paths from remote sources to content URI resolutions. */
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
index 739b2713780b2..2420efc2430ce 100644
--- a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
@@ -325,6 +325,8 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
 }
 predicate isBarrier(DataFlow::Node node) { isUnsafeDeserializationSanitizer(node) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 module UnsafeDeserializationFlow = TaintTracking::Global;
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll
index 1b44121591c64..ac4c751e0b1b2 100644
--- a/java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll
@@ -65,6 +65,8 @@ module TrustAllHostnameVerifierConfig implements DataFlow::ConfigSig {
 "|(set)?(accept|trust|ignore|allow)(all|every|any)" + "|(use|do|enable)insecure|(set|do|use)?no.*(check|validation|verify|verification)|disable).*$") }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /** Data flow to model the flow of a `TrustAllHostnameVerifier` to a `set(Default)HostnameVerifier` call. */
diff --git a/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll b/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll
index 2ca38d6955122..021ca9df17238 100644
--- a/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll
@@ -195,6 +195,8 @@ module UrlForwardFlowConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) { node instanceof UrlForwardBarrier }
 DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /**
diff --git a/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll b/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll
index 675937985c481..ba0b91433b23c 100644
--- a/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll
@@ -13,6 +13,8 @@ module UrlRedirectConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink }
 predicate isBarrier(DataFlow::Node node) { node instanceof UrlRedirectSanitizer }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /**
diff --git a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll
index 8e5b177268df3..c57b0013224ba 100644
--- a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll
@@ -44,6 +44,8 @@ module WebviewDebugEnabledConfig implements DataFlow::ConfigSig {
 or node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /**
diff --git a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll
index 38dc1ff993c40..d716e670c97b2 100644
--- a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll
@@ -12,6 +12,8 @@ module XPathInjectionConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /**
diff --git a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll
index d437ca860d5f7..04e63acc718e1 100644
--- a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll
@@ -20,6 +20,8 @@ module XsltInjectionFlowConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(XsltInjectionAdditionalTaintStep c).step(node1, node2) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /**
diff --git a/java/ql/lib/semmle/code/java/security/XssQuery.qll b/java/ql/lib/semmle/code/java/security/XssQuery.qll
index 6fec86a78dd69..d754ecb4cb965 100644
--- a/java/ql/lib/semmle/code/java/security/XssQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XssQuery.qll
@@ -20,6 +20,8 @@ module XssConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(XssAdditionalTaintStep s).step(node1, node2) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /** Tracks flow from remote sources to cross site scripting vulnerabilities. */
diff --git a/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll b/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll
index 58b1e5bfed1a9..4d52b8965524f 100644
--- a/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll
@@ -18,6 +18,8 @@ module XxeConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) { any(XxeAdditionalTaintStep s).step(n1, n2) }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /**
diff --git a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
index 0055670d895cc..0a57edbe5821c 100644
--- a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
@@ -43,6 +43,8 @@ module ZipSlipConfig implements DataFlow::ConfigSig {
 node instanceof SimpleTypeSanitizer or node instanceof PathInjectionSanitizer }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /** Tracks flow from archive entries to file creation. */
diff --git a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
index 55c1a043230ad..95157bd33808a 100644
--- a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
@@ -47,6 +47,8 @@ module PolynomialRedosConfig implements DataFlow::ConfigSig {
 node instanceof SimpleTypeSanitizer or node.asExpr().(MethodCall).getMethod() instanceof LengthRestrictedMethod }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 module PolynomialRedosFlow = TaintTracking::Global;
diff --git a/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll
index 8871006181965..1694679246821 100644
--- a/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll
@@ -14,6 +14,8 @@ module RegexInjectionConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink }
 predicate isBarrier(DataFlow::Node node) { node instanceof RegexInjectionSanitizer }
+
+ predicate filterForSourceOrSinkAlerts() { any() }
 }
 /**
diff --git a/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql b/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql
index 7d97af12b7106..a6738b1bef296 100644
--- a/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql
+++ b/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql
@@ -35,6 +35,7 @@ Variable getVariable(Expr dest) {
 from DangerousAssignOpExpr a, Expr e, Top v
 where
+ AlertFiltering::filterByLocatable(a) and
 e = a.getSource() and problematicCasting(a.getDest().getType(), e) and (
diff --git a/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql b/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql
index b8ea3e52dbd06..359240a1b1683 100644
--- a/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql
+++ b/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql
@@ -12,6 +12,7 @@
 * external/cwe/cwe-020 */
+import java
 private import semmle.code.java.regex.RegexTreeView::RegexTreeView as TreeView
 import codeql.regex.OverlyLargeRangeQuery::Make
@@ -22,6 +23,7 @@ TreeView::RegExpCharacterClass potentialMisparsedCharClass() {
 from TreeView::RegExpCharacterRange range, string reason
 where
+  AlertFiltering::filterByLocation(range.getLocation()) and
   problem(range, reason) and
   not range.getParent() = potentialMisparsedCharClass()
 select range, "Suspicious character range that " + reason + "."
diff --git a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
index d50f583bbfe36..6455f9043035c 100644
--- a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
@@ -47,6 +47,7 @@ predicate builtFromUncontrolledConcat(Expr expr) {
 from StringArgumentToExec argument
 where
+  AlertFiltering::filterByLocatable(argument) and
   builtFromUncontrolledConcat(argument) and
   not execIsTainted(_, _, argument)
 select argument, "Command line is built with string concatenation."
diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
index 7376aa51e5842..9437a3230e900 100644
--- a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
+++ b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
@@ -93,4 +93,5 @@ private class InsecureDefaultFullHttpRequestClassInstantiation extends RequestSp
 }
 from InsecureNettyObjectCreation new
+where AlertFiltering::filterByLocatable(new)
 select new, new.splittingType() + " vulnerability due to header value verification being disabled."
diff --git a/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql b/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql
index 92256a2b779c1..2da04ac4923a7 100644
--- a/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql
+++ b/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql
@@ -14,5 +14,7 @@ import java
 import semmle.code.java.security.AndroidLocalAuthQuery
 from AuthenticationSuccessCallback c
-where not exists(c.getAResultUse())
+where
+  AlertFiltering::filterByLocatable(c) and
+  not exists(c.getAResultUse())
 select c, "This authentication callback does not use its result for a cryptographic operation."
diff --git a/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql b/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql
index aac3a99be4c22..8d0e943d24332 100644
--- a/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql
+++ b/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql
@@ -14,5 +14,7 @@ import java
 import semmle.code.java.security.AndroidWebViewCertificateValidationQuery
 from OnReceivedSslErrorMethod m
-where trustsAllCerts(m)
+where
+  AlertFiltering::filterByLocatable(m) and
+  trustsAllCerts(m)
 select m, "This handler accepts all SSL certificates."
diff --git a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
index c51e5d4acc57a..74d4d8788fa9d 100644
--- a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
+++ b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
@@ -47,5 +47,6 @@ private class VulnerableJHipsterRandomUtilMethod extends Method {
 }
 from VulnerableJHipsterRandomUtilMethod method
+where AlertFiltering::filterByLocatable(method)
 select method,
   "Weak random number generator used in security sensitive method (JHipster CVE-2019-16303)."
diff --git a/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql b/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
index dfb6fbbd59561..6ad271c57b50b 100644
--- a/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
+++ b/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
@@ -15,5 +15,7 @@ import java
 import semmle.code.java.security.SpringCsrfProtection
 from MethodCall call
-where disablesSpringCsrfProtection(call)
+where
+  AlertFiltering::filterByLocatable(call) and
+  disablesSpringCsrfProtection(call)
 select call, "CSRF vulnerability due to protection being disabled."
diff --git a/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql b/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql
index a75f0b3eca53a..9d7a345ea3c84 100644
--- a/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql
+++ b/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql
@@ -16,7 +16,9 @@ import java
 import semmle.code.java.security.FragmentInjection
 from IsValidFragmentMethod m
-where m.isUnsafe()
+where
+  AlertFiltering::filterByLocatable(m) and
+  m.isUnsafe()
 select m,
   "The 'isValidFragment' method always returns true. This makes the exported Activity $@ vulnerable to Fragment Injection.",
   m.getDeclaringType(), m.getDeclaringType().getName()
diff --git a/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql b/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
index b8d64d22e2952..80488c89b7476 100644
--- a/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
+++ b/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
@@ -17,6 +17,7 @@ import semmle.code.java.security.InsecureCookieQuery
 from MethodCall add
 where
+  AlertFiltering::filterByLocatable(add) and
   add.getMethod() instanceof ResponseAddCookieMethod and
   not SecureCookieFlow::flowToExpr(add.getArgument(0))
 select add, "Cookie is added to response without the 'secure' flag being set."
diff --git a/java/ql/src/Security/CWE/CWE-730/ReDoS.ql b/java/ql/src/Security/CWE/CWE-730/ReDoS.ql
index ca4750fc8588d..09c24fa730298 100644
--- a/java/ql/src/Security/CWE/CWE-730/ReDoS.ql
+++ b/java/ql/src/Security/CWE/CWE-730/ReDoS.ql
@@ -14,11 +14,13 @@
  * external/cwe/cwe-400
  */
+import java
 private import semmle.code.java.regex.RegexTreeView::RegexTreeView as TreeView
 import codeql.regex.nfa.ExponentialBackTracking::Make as ExponentialBackTracking
 from TreeView::RegExpTerm t, string pump, ExponentialBackTracking::State s, string prefixMsg
 where
+  AlertFiltering::filterByLocation(t.getLocation()) and
   ExponentialBackTracking::hasReDoSResult(t, pump, s, prefixMsg) and
   // exclude verbose mode regexes for now
   not t.getRegex().getAMode() = "VERBOSE"
diff --git a/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql b/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
index 46a7d5abc109b..211d3c19a3308 100644
--- a/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
+++ b/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
@@ -17,6 +17,9 @@ import semmle.code.java.security.FileWritable
 from Variable fileVariable, FileReadExpr readFrom, SetFileWorldWritable setWorldWritable
 where
+  AlertFiltering::filterByLocation(any(Location l |
+      l = setWorldWritable.getLocation() or l = readFrom.getLocation()
+    )) and
   // The file variable must be both read from and set to world writable. This is not flow-sensitive.
   fileVariable.getAnAccess() = readFrom.getFileVarAccess() and
   fileVariable.getAnAccess() = setWorldWritable.getFileVarAccess() and
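Review bot: The three-line `any(Location l | ...)` wrapper in the ReadingFromWorldWritableFile `where` clause is the only place in this patch that filters on a disjunction of locations, and it reads less directly than the `filterByLocatable` form used in every other query here. If `SetFileWorldWritable` and `FileReadExpr` are both `Locatable` — their `getFileVarAccess()` calls suggest they wrap expressions, but the classes are not visible — the condition can be written as `(AlertFiltering::filterByLocatable(setWorldWritable) or AlertFiltering::filterByLocatable(readFrom)) and`. Whichever form stays, a short comment saying why both elements participate in the filter (the reported element and the other half of the read/chmod pair may be on different lines of a diff) would help, since the `select` that decides which element is reported lies outside the hunk.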
@@ -14,6 +14,8 @@ import java
 import semmle.code.java.security.ImproperIntentVerificationQuery
 from AndroidReceiverXmlElement reg, Method orm, SystemActionName sa
-where unverifiedSystemReceiver(reg, orm, sa)
+where
+  AlertFiltering::filterByLocatable(orm) and
+  unverifiedSystemReceiver(reg, orm, sa)
 select orm, "This reciever doesn't verify intents it receives, and $@ to receive $@.", reg, "it is registered", sa, "the system action " + sa.getName()