From d786ea90a49bc5fbbb50a5ebfa474545af91f465 Mon Sep 17 00:00:00 2001 From: Tony Torralba Date: Tue, 26 Mar 2024 17:26:58 +0100 Subject: [PATCH 1/2] Java: Add more neutrals Adds more neutral models to help the model generator ignore certain callables. Also improves the precision of certain URL models by using synthetic fields so that the parts of a URL are tainted separately. --- .../2024-03-26-url-models-precision.md | 4 ++ java/ql/lib/ext/java.net.model.yml | 18 ++++++++- java/ql/lib/ext/java.nio.file.model.yml | 27 ++++++++++++- java/ql/lib/ext/java.security.cert.model.yml | 40 +++++++++++++++++++ java/ql/lib/ext/java.security.model.yml | 11 +++++ 5 files changed, 96 insertions(+), 4 deletions(-) create mode 100644 java/ql/lib/change-notes/2024-03-26-url-models-precision.md diff --git a/java/ql/lib/change-notes/2024-03-26-url-models-precision.md b/java/ql/lib/change-notes/2024-03-26-url-models-precision.md new file mode 100644 index 000000000000..d6fb561e725f --- /dev/null +++ b/java/ql/lib/change-notes/2024-03-26-url-models-precision.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Increased the precision of some dataflow models of the class `java.net.URL` by distinguishing the parts of a URL. diff --git a/java/ql/lib/ext/java.net.model.yml b/java/ql/lib/ext/java.net.model.yml index 5884c60e4e73..84614e96fe8a 100644 --- a/java/ql/lib/ext/java.net.model.yml +++ b/java/ql/lib/ext/java.net.model.yml @@ -18,6 +18,7 @@ extensions: - ["java.net", "DatagramSocket", True, "connect", "(SocketAddress)", "", "Argument[0]", "request-forgery", "ai-manual"] - ["java.net", "PasswordAuthentication", False, "PasswordAuthentication", "(String,char[])", "", "Argument[1]", "credentials-password", "hq-generated"] - ["java.net", "Socket", True, "Socket", "(String,int)", "", "Argument[0]", "request-forgery", "ai-manual"] + - ["java.net", "URL", False, "getContent", "", "", "Argument[this]", "request-forgery", "manual"] - ["java.net", "URL", False, "openConnection", "", "", "Argument[this]", "request-forgery", "manual"] - ["java.net", "URL", False, "openConnection", "(Proxy)", "", "Argument[0]", "request-forgery", "ai-manual"] - ["java.net", "URL", False, "openStream", "", "", "Argument[this]", "request-forgery", "manual"] @@ -52,9 +53,16 @@ extensions: - ["java.net", "URI", False, "toASCIIString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"] - ["java.net", "URI", False, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"] - ["java.net", "URI", False, "toURL", "", "", "Argument[this]", "ReturnValue", "taint", "manual"] - - ["java.net", "URL", False, "getFile", "()", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"] - - ["java.net", "URL", False, "getPath", "()", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"] + - ["java.net", "URL", False, "getFile", "()", "", "Argument[this].SyntheticField[java.net.URL.path]", "ReturnValue", "taint", "ai-manual"] + - ["java.net", "URL", False, "getPath", "()", "", "Argument[this].SyntheticField[java.net.URL.path]", "ReturnValue", "taint", "ai-manual"] + - ["java.net", "URL", False, "getQuery", "()", "", "Argument[this].SyntheticField[java.net.URL.path]", "ReturnValue", "taint", "df-manual"] # query is parth of the path - ["java.net", "URL", False, "URL", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"] + - ["java.net", "URL", False, "URL", "(String,String,int,String)", "", "Argument[1]", "Argument[this]", "taint", "df-manual"] + - ["java.net", "URL", False, "URL", "(String,String,int,String)", "", "Argument[3]", "Argument[this].SyntheticField[java.net.URL.path]", "taint", "df-manual"] + - ["java.net", "URL", False, "URL", "(String,String,int,String,URLStreamHandler)", "", "Argument[1]", "Argument[this]", "taint", "df-manual"] + - ["java.net", "URL", False, "URL", "(String,String,int,String,URLStreamHandler)", "", "Argument[3]", "Argument[this].SyntheticField[java.net.URL.path]", "taint", "df-manual"] + - ["java.net", "URL", False, "URL", "(String,String,String)", "", "Argument[1]", "Argument[this]", "taint", "df-manual"] + - ["java.net", "URL", False, "URL", "(String,String,String)", "", "Argument[2]", "Argument[this].SyntheticField[java.net.URL.path]", "taint", "df-manual"] - ["java.net", "URL", False, "URL", "(URL,String)", "", "Argument[0]", "Argument[this]", "taint", "ai-manual"] - ["java.net", "URL", False, "URL", "(URL,String)", "", "Argument[1]", "Argument[this]", "taint", "ai-manual"] - ["java.net", "URL", False, "toExternalForm", "", "", "Argument[this]", "ReturnValue", "taint", "manual"] @@ -69,3 +77,9 @@ extensions: - ["java.net", "Socket", "getOutputStream", "()", "summary", "df-manual"] - ["java.net", "Socket", "connect", "(SocketAddress)", "summary", "df-manual"] - ["java.net", "Socket", "connect", "(SocketAddress,int)", "summary", "df-manual"] + - ["java.net", "URL", "getContent", "()", "summary", "df-manual"] + - ["java.net", "URL", "getDefaultPort", "()", "summary", "df-manual"] + - ["java.net", "URL", "getPort", "()", "summary", "df-manual"] + - ["java.net", "URL", "getProtocol", "()", "summary", "df-manual"] + - ["java.net", "URL", "openConnection", "()", "summary", "df-manual"] + - ["java.net", "URL", "openStream", "()", "summary", "df-manual"] diff --git a/java/ql/lib/ext/java.nio.file.model.yml b/java/ql/lib/ext/java.nio.file.model.yml index 8f8db20a0c05..8d7db676e533 100644 --- a/java/ql/lib/ext/java.nio.file.model.yml +++ b/java/ql/lib/ext/java.nio.file.model.yml @@ -90,8 +90,31 @@ extensions: extensible: neutralModel data: # summary neutrals - - ["java.nio.file", "Files", "exists", "(Path,LinkOption[])", "summary", "manual"] - - ["java.nio.file", "Files", "newInputStream", "(Path,OpenOption[])", "summary", "df-manual"] + - ["java.nio.file", "Files", "copy", "", "summary", "df-manual"] + - ["java.nio.file", "Files", "createDirectories", "", "summary", "df-manual"] + - ["java.nio.file", "Files", "createDirectory", "", "summary", "df-manual"] + - ["java.nio.file", "Files", "createFile", "", "summary", "df-manual"] + - ["java.nio.file", "Files", "createLink", "", "summary", "df-manual"] + - ["java.nio.file", "Files", "createSymbolicLink", "", "summary", "df-manual"] + - ["java.nio.file", "Files", "createTempDirectory", "", "summary", "df-manual"] + - ["java.nio.file", "Files", "createTempFile", "", "summary", "df-manual"] + - ["java.nio.file", "Files", "delete", "", "summary", "df-manual"] + - ["java.nio.file", "Files", "deleteIfExists", "", "summary", "df-manual"] + - ["java.nio.file", "Files", "getFileStore", "", "summary", "df-manual"] + - ["java.nio.file", "Files", "exists", "", "summary", "df-manual"] + - ["java.nio.file", "Files", "lines", "", "summary", "df-manual"] + - ["java.nio.file", "Files", "move", "", summary, "df-manual"] + - ["java.nio.file", "Files", "newBufferedReader", "", "summary", "df-manual"] + - ["java.nio.file", "Files", "newBufferedWriter", "", summary, "df-manual"] + - ["java.nio.file", "Files", "newInputStream", "", "summary", "df-manual"] + - ["java.nio.file", "Files", "newOutputStream", "", summary, "df-manual"] + - ["java.nio.file", "Files", "notExists", "", "summary", "df-manual"] + - ["java.nio.file", "Files", "probeContentType", "", "summary", "df-manual"] + - ["java.nio.file", "Files", "readAllBytes", "", "summary", "df-manual"] + - ["java.nio.file", "Files", "readAllLines", "", "summary", "df-manual"] + - ["java.nio.file", "Files", "readString", "", "summary", "df-manual"] + - ["java.nio.file", "Files", "write", "", summary, "df-manual"] + - ["java.nio.file", "Files", "writeString", "", summary, "df-manual"] # sink neutrals - ["java.nio.file", "Files", "getLastModifiedTime", "", "sink", "hq-manual"] - ["java.nio.file", "Files", "getOwner", "", "sink", "hq-manual"] diff --git a/java/ql/lib/ext/java.security.cert.model.yml b/java/ql/lib/ext/java.security.cert.model.yml index e83168078839..503ad06cabfb 100644 --- a/java/ql/lib/ext/java.security.cert.model.yml +++ b/java/ql/lib/ext/java.security.cert.model.yml @@ -4,3 +4,43 @@ extensions: extensible: sinkModel data: - ["java.security.cert", "X509CertSelector", False, "setSubjectPublicKey", "(byte[])", "", "Argument[0]", "credentials-key", "hq-generated"] + - addsTo: + pack: codeql/java-all + extensible: neutralModel + data: + - ["java.security.cert", "CertificateFactory", "CertificateFactory", "(CertificateFactorySpi,Provider,String)", "summary", "df-manual"] + - ["java.security.cert", "CertificateFactory", "generateCertificate", "(InputStream)", "summary", "df-manual"] + - ["java.security.cert", "CertificateFactory", "generateCertificates", "(InputStream)", "summary", "df-manual"] + - ["java.security.cert", "CertificateFactory", "generateCertPath", "", "summary", "df-manual"] + - ["java.security.cert", "CertificateFactory", "generateCRL", "(InputStream)", "summary", "df-manual"] + - ["java.security.cert", "CertificateFactory", "generateCRLs", "(InputStream)", "summary", "df-manual"] + - ["java.security.cert", "CertificateFactory", "getCertPathEncodings", "()", "summary", "df-manual"] + - ["java.security.cert", "CertificateFactory", "getInstance", "", "summary", "df-manual"] + - ["java.security.cert", "CertificateFactory", "getProvider", "()", "summary", "df-manual"] + - ["java.security.cert", "CertificateFactory", "getType", "()", "summary", "df-manual"] + - ["java.security.cert", "CertStore", "CertStore", "(CertStoreSpi,Provider,String,CertStoreParameters)", "summary", "df-manual"] + - ["java.security.cert", "CertStore", "getCertificates", "(CertSelector)", "summary", "df-manual"] + - ["java.security.cert", "CertStore", "getCertStoreCertificates", "()", "summary", "df-manual"] + - ["java.security.cert", "CertStore", "getCRLs", "(CRLSelector)", "summary", "df-manual"] + - ["java.security.cert", "CertStore", "getDefaultType", "()", "summary", "df-manual"] + - ["java.security.cert", "CertStore", "getInstance", "", "summary", "df-manual"] + - ["java.security.cert", "CertStore", "getProvider", "()", "summary", "df-manual"] + - ["java.security.cert", "CertStore", "getType", "()", "summary", "df-manual"] + - ["java.security.cert", "PKIXParameters", "PKIXParameters", "", "summary", "df-manual"] + - ["java.security.cert", "PKIXParameters", "addCertPathChecker", "(PKIXCertPathChecker)", "summary", "df-manual"] + - ["java.security.cert", "PKIXParameters", "addCertStore", "(CertStore)", "summary", "df-manual"] + - ["java.security.cert", "PKIXParameters", "getCertPathCheckers", "()", "summary", "df-manual"] + - ["java.security.cert", "PKIXParameters", "getCertStores", "()", "summary", "df-manual"] + - ["java.security.cert", "PKIXParameters", "getDate", "()", "summary", "df-manual"] + - ["java.security.cert", "PKIXParameters", "getInitialPolicies", "()", "summary", "df-manual"] + - ["java.security.cert", "PKIXParameters", "getPolicyQualifiersRejected", "()", "summary", "df-manual"] + - ["java.security.cert", "PKIXParameters", "getSigProvider", "()", "summary", "df-manual"] + - ["java.security.cert", "PKIXParameters", "getTargetCertConstraints", "()", "summary", "df-manual"] + - ["java.security.cert", "PKIXParameters", "getTrustAnchors", "()", "summary", "df-manual"] + - ["java.security.cert", "PKIXParameters", "setAnyPolicyInhibited", "(boolean)", "summary", "df-manual"] + - ["java.security.cert", "PKIXParameters", "setCertPathCheckers", "(List)", "summary", "df-manual"] + - ["java.security.cert", "PKIXParameters", "setCertStores", "(List)", "summary", "df-manual"] + - ["java.security.cert", "PKIXParameters", "setDate", "(Date)", "summary", "df-manual"] + - ["java.security.cert", "PKIXParameters", "setSigProvider", "(String)", "summary", "df-manual"] + - ["java.security.cert", "PKIXParameters", "setTargetConstraints", "(CertSelector)", "summary", "df-manual"] + - ["java.security.cert", "PKIXParameters", "setTrustAnchors", "(Set)", "summary", "df-manual"] diff --git a/java/ql/lib/ext/java.security.model.yml b/java/ql/lib/ext/java.security.model.yml index a50c0b1d3fa6..6157c635fe6f 100644 --- a/java/ql/lib/ext/java.security.model.yml +++ b/java/ql/lib/ext/java.security.model.yml @@ -15,6 +15,17 @@ extensions: - ["java.security", "KeyStoreSpi", True, "engineSetKeyEntry", "(String,Key,char[],Certificate[])", "", "Argument[2]", "credentials-password", "hq-generated"] - ["java.security", "KeyStoreSpi", True, "engineStore", "(OutputStream,char[])", "", "Argument[1]", "credentials-password", "hq-generated"] - ["java.security", "KeyStoreSpi", True, "engineSetKeyEntry", "(String,byte[],Certificate[])", "", "Argument[1]", "credentials-key", "hq-generated"] + - addsTo: + pack: codeql/java-all + extensible: summaryModel + data: + - ["java.security", "CodeSource", False, "CodeSource", "(URL,Certificate[])", "", "Argument[0]", "Argument[this]", "taint", "df-manual"] + - ["java.security", "CodeSource", False, "CodeSource", "(URL,Certificate[])", "", "Argument[1].ArrayElement", "Argument[this].SyntheticField[java.security.CodeSource.certificates].ArrayElement", "value", "df-manual"] + - ["java.security", "CodeSource", False, "CodeSource", "(URL,CodeSigner[])", "", "Argument[0]", "Argument[this]", "taint", "df-manual"] + - ["java.security", "CodeSource", False, "CodeSource", "(URL,CodeSigner[])", "", "Argument[1].ArrayElement", "Argument[this].SyntheticField[java.security.CodeSource.codeSigners].ArrayElement", "value", "df-manual"] + - ["java.security", "CodeSource", False, "getCertificates", "()", "", "Argument[this].SyntheticField[java.security.CodeSource.certificates].ArrayElement", "ReturnValue.ArrayElement", "value", "df-manual"] + - ["java.security", "CodeSource", False, "getCodeSigners", "()", "", "Argument[this].SyntheticField[java.security.CodeSource.codeSigners].ArrayElement", "ReturnValue.ArrayElement", "value", "df-manual"] + - ["java.security", "CodeSource", False, "getLocation", "()", "", "Argument[this]", "ReturnValue", "taint", "df-manual"] - addsTo: pack: codeql/java-all extensible: neutralModel From 7a0446740b532ff0341dae2319767788ac69c61b Mon Sep 17 00:00:00 2001 From: Tony Torralba Date: Wed, 27 Mar 2024 09:09:48 +0100 Subject: [PATCH 2/2] Update java/ql/lib/ext/java.net.model.yml Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com> --- java/ql/lib/ext/java.net.model.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/ql/lib/ext/java.net.model.yml b/java/ql/lib/ext/java.net.model.yml index 84614e96fe8a..f48acbeace13 100644 --- a/java/ql/lib/ext/java.net.model.yml +++ b/java/ql/lib/ext/java.net.model.yml @@ -55,7 +55,7 @@ extensions: - ["java.net", "URI", False, "toURL", "", "", "Argument[this]", "ReturnValue", "taint", "manual"] - ["java.net", "URL", False, "getFile", "()", "", "Argument[this].SyntheticField[java.net.URL.path]", "ReturnValue", "taint", "ai-manual"] - ["java.net", "URL", False, "getPath", "()", "", "Argument[this].SyntheticField[java.net.URL.path]", "ReturnValue", "taint", "ai-manual"] - - ["java.net", "URL", False, "getQuery", "()", "", "Argument[this].SyntheticField[java.net.URL.path]", "ReturnValue", "taint", "df-manual"] # query is parth of the path + - ["java.net", "URL", False, "getQuery", "()", "", "Argument[this].SyntheticField[java.net.URL.path]", "ReturnValue", "taint", "df-manual"] # query is part of the path - ["java.net", "URL", False, "URL", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"] - ["java.net", "URL", False, "URL", "(String,String,int,String)", "", "Argument[1]", "Argument[this]", "taint", "df-manual"] - ["java.net", "URL", False, "URL", "(String,String,int,String)", "", "Argument[3]", "Argument[this].SyntheticField[java.net.URL.path]", "taint", "df-manual"]