From 2e6d9e6c757f15485b40f082b17b6d9e2dbec12f Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan Date: Tue, 16 Dec 2025 23:51:24 +0000 Subject: [PATCH 1/5] Allow query-specific MaD barriers This was implemented by Gemini 3 using the following prompt. In the commit with the hash 10c5a476625 the go language library was updated. I want you to do the same for the java language library. Here are the steps to follow: - Find all .ql files in the java folder which are not in java/ql/src/experimental which contain the string "@kind path-problem". - Note the query id, as specified by the "@id" metadata at the top of the .ql file. It should have this format: "java/sql-injection". - These are path queries, so the second and third arguments in the select statement should have type "XFlow::PathNode"s for some module "XFlow" that is defined as something like "TaintTracking::Global". Find the definition of the data flow config ("XFlowConfig" in my example code), which should be a module which implements `DataFlow::ConfigSig`. - If the module does not already define it, add a predicate like the following: `predicate isBarrier(DataFlow::Node node) { barrierNode(node, "Z") }` where "Z" should be the query id from earlier. - If the module already defines that predicate, add `or barrierNode(node, "Z")` to the end of the predicate body, where "Z" should be the query id. 
--- .../code/java/security/AndroidIntentRedirectionQuery.qll | 6 +++++- .../java/security/AndroidSensitiveCommunicationQuery.qll | 6 +++++- .../code/java/security/ArbitraryApkInstallationQuery.qll | 5 +++++ .../semmle/code/java/security/ArithmeticTaintedQuery.qll | 9 ++++++++- .../code/java/security/ArithmeticUncontrolledQuery.qll | 9 ++++++++- .../java/security/ArithmeticWithExtremeValuesQuery.qll | 9 ++++++++- .../code/java/security/BrokenCryptoAlgorithmQuery.qll | 6 +++++- .../lib/semmle/code/java/security/CommandLineQuery.qll | 5 ++++- .../semmle/code/java/security/ConditionalBypassQuery.qll | 3 +++ .../java/security/CsrfUnprotectedRequestTypeQuery.qll | 4 ++++ java/ql/lib/semmle/code/java/security/ExternalAPIs.qll | 5 +++++ .../security/ExternallyControlledFormatStringQuery.qll | 5 ++++- .../semmle/code/java/security/FragmentInjectionQuery.qll | 3 +++ .../semmle/code/java/security/GroovyInjectionQuery.qll | 3 +++ .../java/security/HardcodedCredentialsApiCallQuery.qll | 4 +++- .../security/HardcodedCredentialsSourceCallQuery.qll | 5 +++++ java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll | 6 +++++- .../code/java/security/ImplicitPendingIntentsQuery.qll | 6 +++++- .../ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll | 5 +++++ .../security/ImproperValidationOfArrayIndexQuery.qll | 6 +++++- .../semmle/code/java/security/InsecureBasicAuthQuery.qll | 3 +++ .../code/java/security/InsecureBeanValidationQuery.qll | 2 ++ .../semmle/code/java/security/InsecureLdapAuthQuery.qll | 3 +++ .../code/java/security/InsecureRandomnessQuery.qll | 2 ++ .../code/java/security/InsecureTrustManagerQuery.qll | 3 +++ .../code/java/security/InsufficientKeySizeQuery.qll | 5 +++++ .../security/IntentUriPermissionManipulationQuery.qll | 4 +++- .../lib/semmle/code/java/security/JexlInjectionQuery.qll | 4 +++- .../lib/semmle/code/java/security/JndiInjectionQuery.qll | 4 +++- .../lib/semmle/code/java/security/LdapInjectionQuery.qll | 6 +++++- 
.../lib/semmle/code/java/security/LogInjectionQuery.qll | 6 +++++- .../java/security/MaybeBrokenCryptoAlgorithmQuery.qll | 4 +++- .../code/java/security/MissingJWTSignatureCheckQuery.qll | 3 +++ .../lib/semmle/code/java/security/MvelInjectionQuery.qll | 6 +++++- .../code/java/security/NumericCastTaintedQuery.qll | 4 +++- .../lib/semmle/code/java/security/OgnlInjectionQuery.qll | 6 +++++- .../code/java/security/PartialPathTraversalQuery.qll | 5 +++++ .../semmle/code/java/security/RequestForgeryConfig.qll | 6 +++++- .../semmle/code/java/security/ResponseSplittingQuery.qll | 3 +++ .../semmle/code/java/security/RsaWithoutOaepQuery.qll | 3 +++ .../semmle/code/java/security/SensitiveLoggingQuery.qll | 5 ++++- .../code/java/security/SensitiveResultReceiverQuery.qll | 5 +++++ .../lib/semmle/code/java/security/SpelInjectionQuery.qll | 3 +++ .../lib/semmle/code/java/security/SqlInjectionQuery.qll | 5 ++++- .../java/security/StaticInitializationVectorQuery.qll | 4 ++++ .../java/security/TaintedEnvironmentVariableQuery.qll | 5 ++++- .../lib/semmle/code/java/security/TaintedPathQuery.qll | 3 ++- .../code/java/security/TaintedPermissionsCheckQuery.qll | 3 +++ .../semmle/code/java/security/TemplateInjectionQuery.qll | 6 +++++- .../code/java/security/TrustBoundaryViolationQuery.qll | 3 ++- .../code/java/security/UnsafeAndroidAccessQuery.qll | 6 +++++- .../java/security/UnsafeContentUriResolutionQuery.qll | 4 +++- .../code/java/security/UnsafeDeserializationQuery.qll | 5 ++++- .../java/security/UnsafeHostnameVerificationQuery.qll | 2 ++ .../ql/lib/semmle/code/java/security/UrlForwardQuery.qll | 5 ++++- .../lib/semmle/code/java/security/UrlRedirectQuery.qll | 6 +++++- .../code/java/security/WebviewDebuggingEnabledQuery.qll | 3 +++ .../semmle/code/java/security/XPathInjectionQuery.qll | 3 +++ .../lib/semmle/code/java/security/XsltInjectionQuery.qll | 6 +++++- java/ql/lib/semmle/code/java/security/XssQuery.qll | 5 ++++- java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll | 6 
+++++- java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll | 3 ++- .../code/java/security/regexp/PolynomialReDoSQuery.qll | 4 +++- .../code/java/security/regexp/RegexInjectionQuery.qll | 6 +++++- .../Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql | 4 +++- 65 files changed, 262 insertions(+), 40 deletions(-) diff --git a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll index 7625f9d7da48..bb475047bb5d 100644 --- a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll @@ -4,6 +4,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.AndroidIntentRedirection +import semmle.code.java.dataflow.ExternalFlow /** A taint tracking configuration for tainted Intents being used to start Android components. */ module IntentRedirectionConfig implements DataFlow::ConfigSig { @@ -11,7 +12,10 @@ module IntentRedirectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink } - predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof IntentRedirectionSanitizer } + predicate isBarrier(DataFlow::Node sanitizer) { + sanitizer instanceof IntentRedirectionSanitizer or + barrierNode(sanitizer, "java/android/intent-redirection") + } predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(IntentRedirectionAdditionalTaintStep c).step(node1, node2) diff --git a/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll index 9aa60e391dc4..26c4326c04f5 100644 --- a/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll 
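Review bot: The id `"java/android/intent-redirection"` passed to `barrierNode` in the new `isBarrier` disjunct is a bare string literal with nothing tying it to the `@id` of the query that instantiates this config, so a typo here or a later rename of the query id silently produces a barrier that never matches instead of a compile error. A one-line comment on the literal would at least make the contract visible to the next editor, e.g. `// Must match the @id of the path query that uses IntentRedirectionConfig`. Note also that this patch touches none of the dataflow library files, so it presumes a `barrierNode(DataFlow::Node, string)` predicate already exists in `semmle.code.java.dataflow.ExternalFlow` (or arrives in a later patch of this 5-part series); worth confirming before 1/5 is merged on its own.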
+++ b/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll @@ -5,6 +5,7 @@ import semmle.code.java.dataflow.TaintTracking import semmle.code.java.frameworks.android.Intent import semmle.code.java.security.SensitiveActions private import semmle.code.java.dataflow.FlowSinks +import semmle.code.java.dataflow.ExternalFlow /** * Gets regular expression for matching names of Android variables that indicate the value being held contains sensitive information. @@ -144,7 +145,10 @@ module SensitiveCommunicationConfig implements DataFlow::ConfigSig { /** * Holds if broadcast doesn't specify receiving package name of the 3rd party app */ - predicate isBarrier(DataFlow::Node node) { node instanceof ExplicitIntentSanitizer } + predicate isBarrier(DataFlow::Node node) { + node instanceof ExplicitIntentSanitizer or + barrierNode(node, "java/android/sensitive-communication") + } predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) { isSink(node) and exists(c) diff --git a/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll b/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll index e907a9ffeaa8..1fa7b6b603de 100644 --- a/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll @@ -4,6 +4,7 @@ import java import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.TaintTracking private import semmle.code.java.security.ArbitraryApkInstallation +import semmle.code.java.dataflow.ExternalFlow /** * A dataflow configuration for flow from an external source of an APK to the @@ -24,6 +25,10 @@ module ApkInstallationConfig implements DataFlow::ConfigSig { ) } + predicate isBarrier(DataFlow::Node node) { + barrierNode(node, "java/android/arbitrary-apk-installation") + } + predicate observeDiffInformedIncrementalMode() { any() } } 
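Review bot: The QLDoc directly above `isBarrier` in `SensitiveCommunicationConfig` still reads "Holds if broadcast doesn't specify receiving package name of the 3rd party app", which now describes only the first disjunct; the predicate also holds for any node that a models-as-data barrier row marks for `java/android/sensitive-communication`. Suggest rewording it to: Holds if broadcast doesn't specify receiving package name of the 3rd party app, or `node` is a models-as-data barrier for this query. Separately, this file already uses `private import semmle.code.java.dataflow.FlowSinks` for its dataflow helpers, so the new line could be `private import semmle.code.java.dataflow.ExternalFlow` as well, since `barrierNode` is only used inside the module and a public import re-exports all of `ExternalFlow` to every importer of this library file.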
diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll index 65e73f841495..96785273649c 100644 --- a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll @@ -3,6 +3,7 @@ import java private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.security.ArithmeticCommon +import semmle.code.java.dataflow.ExternalFlow /** A taint-tracking configuration to reason about overflow from unvalidated input. */ module ArithmeticOverflowConfig implements DataFlow::ConfigSig { @@ -10,7 +11,10 @@ module ArithmeticOverflowConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) } - predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) } + predicate isBarrier(DataFlow::Node n) { + overflowBarrier(n) or + barrierNode(n, "java/tainted-arithmetic") + } predicate isBarrierIn(DataFlow::Node node) { isSource(node) } @@ -34,6 +38,9 @@ deprecated module RemoteUserInputOverflowConfig = ArithmeticOverflowConfig; module ArithmeticUnderflowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } + underflowBarrier(n) or + barrierNode(n, "java/tainted-arithmetic") + predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) } predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) } diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll index 3c1ceaddc2fe..5d72d110f9ef 100644 --- a/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll 
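Review bot: The second hunk in this file (`@@ -34,6 +38,9 @@`) is malformed: the three added lines `underflowBarrier(n) or`, `barrierNode(n, "java/tainted-arithmetic")` and a blank are dropped straight into the body of `ArithmeticUnderflowConfig` between `isSource` and `isSink`, where a bare formula is not valid QL, while the existing context line `predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }` two lines further down is left untouched. The net result is a compile error and, even once that is fixed by deleting the stray lines, no MaD barrier for the underflow config. Remove the three inserted lines and replace the one-liner with `predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) or barrierNode(n, "java/tainted-arithmetic") }`, mirroring what the first hunk does correctly for `ArithmeticOverflowConfig`. The same misplaced-`or` pattern appears in the underflow/min-value configs of the next two arithmetic files in this patch, presumably the generated edit mishandled modules where `isBarrier` is not the last predicate.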
@@ -5,6 +5,7 @@ private import semmle.code.java.dataflow.TaintTracking private import semmle.code.java.security.RandomQuery private import semmle.code.java.security.SecurityTests private import semmle.code.java.security.ArithmeticCommon +import semmle.code.java.dataflow.ExternalFlow private class TaintSource extends DataFlow::ExprNode { TaintSource() { @@ -18,7 +19,10 @@ module ArithmeticUncontrolledOverflowConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) } - predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) } + predicate isBarrier(DataFlow::Node n) { + overflowBarrier(n) or + barrierNode(n, "java/uncontrolled-arithmetic") + } predicate observeDiffInformedIncrementalMode() { any() // merged with ArithmeticUncontrolledUnderflow in ArithmeticUncontrolled.ql @@ -39,6 +43,9 @@ module ArithmeticUncontrolledOverflowFlow = module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof TaintSource } + underflowBarrier(n) or + barrierNode(n, "java/uncontrolled-arithmetic") + predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) } predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) } diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticWithExtremeValuesQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticWithExtremeValuesQuery.qll index 0a22619e6fa4..4ae368601e03 100644 --- a/java/ql/lib/semmle/code/java/security/ArithmeticWithExtremeValuesQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ArithmeticWithExtremeValuesQuery.qll @@ -3,6 +3,7 @@ import java private import semmle.code.java.dataflow.DataFlow private import semmle.code.java.security.ArithmeticCommon +import semmle.code.java.dataflow.ExternalFlow /** * A field representing an extreme value. 
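Review bot: The hunk `@@ -39,6 +43,9 @@` for `ArithmeticUncontrolledUnderflowConfig` has the same defect as the underflow hunk in `ArithmeticTaintedQuery.qll`: `underflowBarrier(n) or`, `barrierNode(n, "java/uncontrolled-arithmetic")` and a blank line are inserted as free-standing text between `isSource` and `isSink`, which does not parse, and the original `predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }` below them is unchanged. Delete the three stray lines and change the existing predicate to `predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) or barrierNode(n, "java/uncontrolled-arithmetic") }`, as the `ArithmeticUncontrolledOverflowConfig` hunk above already does. The enclosing module continues past the end of this hunk.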
@@ -38,7 +39,10 @@ module MaxValueFlowConfig implements DataFlow::ConfigSig { predicate isBarrierIn(DataFlow::Node n) { isSource(n) } - predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) } + predicate isBarrier(DataFlow::Node n) { + overflowBarrier(n) or + barrierNode(n, "java/extreme-value-arithmetic") + } } /** Dataflow from maximum values to an underflow. */ @@ -52,6 +56,9 @@ module MinValueFlowConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) } + underflowBarrier(n) or + barrierNode(n, "java/extreme-value-arithmetic") + predicate isBarrierIn(DataFlow::Node n) { isSource(n) } predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) } diff --git a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll index 60f1e179397c..390df3ea9772 100644 --- a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll +++ b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll @@ -4,6 +4,7 @@ import java private import semmle.code.java.security.Encryption private import semmle.code.java.dataflow.TaintTracking private import semmle.code.java.security.Sanitizers +import semmle.code.java.dataflow.ExternalFlow private class ShortStringLiteral extends StringLiteral { ShortStringLiteral() { this.getValue().length() < 100 } @@ -31,7 +32,10 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node n) { exists(CryptoAlgoSpec c | n.asExpr() = c.getAlgoSpec()) } - predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer } + predicate isBarrier(DataFlow::Node node) { + node instanceof SimpleTypeSanitizer or + barrierNode(node, "java/weak-cryptographic-algorithm") + } predicate observeDiffInformedIncrementalMode() { any() } 
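Review bot: The `MinValueFlowConfig` hunk (`@@ -52,6 +56,9 @@`) inserts `underflowBarrier(n) or`, `barrierNode(n, "java/extreme-value-arithmetic")` and a blank directly after `isSink` as bare module-body text, which is a QL syntax error, and leaves the context line `predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }` below it untouched, so this config gains no MaD barrier. Remove the three inserted lines and rewrite the existing predicate as `predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) or barrierNode(n, "java/extreme-value-arithmetic") }`, matching the `MaxValueFlowConfig` hunk above, which is correct. Since `MaxValueFlowConfig` and `MinValueFlowConfig` share the query id, a QL test that exercises a barrier row against both the overflow and underflow paths would have caught this.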
diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll index b6b9d02e289d..2c1baccfc903 100644 --- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll +++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll @@ -53,7 +53,10 @@ module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink } - predicate isBarrier(DataFlow::Node node) { node instanceof CommandInjectionSanitizer } + predicate isBarrier(DataFlow::Node node) { + node instanceof CommandInjectionSanitizer or + barrierNode(node, "java/command-line-injection") + } predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) { any(CommandInjectionAdditionalTaintStep s).step(n1, n2) diff --git a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll index babf129f19e6..e10c09cca278 100644 --- a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll @@ -7,6 +7,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.SensitiveActions import semmle.code.java.controlflow.Guards +import semmle.code.java.dataflow.ExternalFlow /** * Holds if `ma` is controlled by the condition expression `e`. @@ -44,6 +45,8 @@ module ConditionalBypassFlowConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { conditionControlsMethod(_, sink.asExpr()) } + predicate isBarrier(DataFlow::Node node) { barrierNode(node, "java/user-controlled-bypass") } + predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { endsWithStep(node1, node2) } 
diff --git a/java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll b/java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll index 80d100d3d9e1..a53c61072ef4 100644 --- a/java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll +++ b/java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll @@ -153,6 +153,10 @@ private module SqlExecuteConfig implements DataFlow::ConfigSig { m.hasName("execute") ) } + + predicate isBarrier(DataFlow::Node node) { + barrierNode(node, "java/csrf-unprotected-request-type") + } } /** diff --git a/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll b/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll index df941be97448..a3e4d4091c00 100644 --- a/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll +++ b/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll @@ -8,6 +8,7 @@ module; import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking +import semmle.code.java.dataflow.ExternalFlow /** * A `Method` that is considered a "safe" external API from a security perspective. @@ -102,6 +103,10 @@ module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode } + predicate isBarrier(DataFlow::Node node) { + barrierNode(node, "java/untrusted-data-to-external-api") + } + predicate observeDiffInformedIncrementalMode() { any() // Simple use in UntrustedDataToExternalAPI.ql; also used through ExternalApiUsedWithUntrustedData in ExternalAPIsUsedWithUntrustedData.ql } diff --git a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll index da440e0cd2c9..776ea7064f8f 100644 --- a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll 
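Review bot: `SqlExecuteConfig`, where the new `isBarrier` is added, is a `private module` whose sink (from the visible context `m.hasName("execute")`) appears to be a call to a method named `execute`, i.e. a helper flow used to decide whether a request handler performs a state-changing SQL operation, not a user-input-to-sink path. A MaD `barrier` row for `java/csrf-unprotected-request-type` would therefore act by hiding the SQL execution from the classification rather than by marking anything as sanitized, which is probably not what a modeller writing such a row expects. If this is genuinely the only `ConfigSig` behind that query id, add a comment making the semantics explicit, e.g. `// MaD barriers for this query id cut the SQL-execution flow used to classify handlers as state-changing.`; if the query has another, top-level config, the barrier most likely belongs there instead. The module begins above this hunk, so the surrounding `isSource`/`isSink` were not visible for review.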
+++ b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll @@ -4,6 +4,7 @@ import java private import semmle.code.java.dataflow.FlowSinks private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.StringFormat +import semmle.code.java.dataflow.ExternalFlow /** * A string format sink node. @@ -21,7 +22,9 @@ module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof StringFormatSink } predicate isBarrier(DataFlow::Node node) { - node.getType() instanceof NumericType or node.getType() instanceof BooleanType + node.getType() instanceof NumericType or + node.getType() instanceof BooleanType or + barrierNode(node, "java/tainted-format-string") } predicate observeDiffInformedIncrementalMode() { any() } diff --git a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll index 40636ffd8c25..f9f3f4bbaa2a 100644 --- a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll @@ -4,6 +4,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.FragmentInjection +import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration for unsafe user input @@ -14,6 +15,8 @@ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof FragmentInjectionSink } + predicate isBarrier(DataFlow::Node node) { barrierNode(node, "java/android/fragment-injection") } + predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) { any(FragmentInjectionAdditionalTaintStep c).step(n1, n2) } 
diff --git a/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll index b497873b9bb1..a409b7b9c7c6 100644 --- a/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll @@ -4,6 +4,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.GroovyInjection +import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration for unsafe user input @@ -14,6 +15,8 @@ module GroovyInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof GroovyInjectionSink } + predicate isBarrier(DataFlow::Node node) { barrierNode(node, "java/groovy-injection") } + predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) { any(GroovyInjectionAdditionalTaintStep c).step(fromNode, toNode) } diff --git a/java/ql/lib/semmle/code/java/security/HardcodedCredentialsApiCallQuery.qll b/java/ql/lib/semmle/code/java/security/HardcodedCredentialsApiCallQuery.qll index c0e04424ec68..215731e2b6f2 100644 --- a/java/ql/lib/semmle/code/java/security/HardcodedCredentialsApiCallQuery.qll +++ b/java/ql/lib/semmle/code/java/security/HardcodedCredentialsApiCallQuery.qll @@ -5,6 +5,7 @@ import java import semmle.code.java.dataflow.DataFlow import HardcodedCredentials +import semmle.code.java.dataflow.ExternalFlow /** * A data-flow configuration that tracks flow from a hard-coded credential in a call to a sensitive Java API which may compromise security. 
@@ -47,7 +48,8 @@ module HardcodedCredentialApiCallConfig implements DataFlow::ConfigSig { } predicate isBarrier(DataFlow::Node n) { - n.asExpr().(MethodCall).getMethod() instanceof MethodSystemGetenv + n.asExpr().(MethodCall).getMethod() instanceof MethodSystemGetenv or + barrierNode(n, "java/hardcoded-credential-api-call") } predicate observeDiffInformedIncrementalMode() { any() } diff --git a/java/ql/lib/semmle/code/java/security/HardcodedCredentialsSourceCallQuery.qll b/java/ql/lib/semmle/code/java/security/HardcodedCredentialsSourceCallQuery.qll index e3b5b235a4eb..22d473912060 100644 --- a/java/ql/lib/semmle/code/java/security/HardcodedCredentialsSourceCallQuery.qll +++ b/java/ql/lib/semmle/code/java/security/HardcodedCredentialsSourceCallQuery.qll @@ -5,6 +5,7 @@ import java import semmle.code.java.dataflow.DataFlow import HardcodedCredentials +import semmle.code.java.dataflow.ExternalFlow /** * A data-flow configuration that tracks hardcoded expressions flowing to a parameter whose name suggests @@ -15,6 +16,10 @@ module HardcodedCredentialSourceCallConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node n) { n.asExpr() instanceof FinalCredentialsSourceSink } + predicate isBarrier(DataFlow::Node node) { + barrierNode(node, "java/hardcoded-credential-sensitive-call") + } + predicate observeDiffInformedIncrementalMode() { any() } } diff --git a/java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll b/java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll index 1e67e3ca59a7..1ec3df9cbf7b 100644 --- a/java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll +++ b/java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll @@ -5,6 +5,7 @@ import semmle.code.java.dataflow.TaintTracking import semmle.code.java.frameworks.Networking import semmle.code.java.security.HttpsUrls private import semmle.code.java.security.Sanitizers +import semmle.code.java.dataflow.ExternalFlow /** * A taint tracking configuration for HTTP connections. 
@@ -18,7 +19,10 @@ module HttpStringToUrlOpenMethodFlowConfig implements DataFlow::ConfigSig { any(HttpUrlsAdditionalTaintStep c).step(node1, node2) } - predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer } + predicate isBarrier(DataFlow::Node node) { + node instanceof SimpleTypeSanitizer or + barrierNode(node, "java/non-https-url") + } predicate observeDiffInformedIncrementalMode() { any() } } diff --git a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll index f66309c97bec..61320a6c9ef8 100644 --- a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll @@ -7,6 +7,7 @@ import semmle.code.java.dataflow.TaintTracking import semmle.code.java.frameworks.android.Intent import semmle.code.java.frameworks.android.PendingIntent import semmle.code.java.security.ImplicitPendingIntents +import semmle.code.java.dataflow.ExternalFlow /** * A taint tracking configuration for implicit `PendingIntent`s @@ -23,7 +24,10 @@ module ImplicitPendingIntentStartConfig implements DataFlow::StateConfigSig { sink instanceof ImplicitPendingIntentSink and state instanceof MutablePendingIntent } - predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof ExplicitIntentSanitizer } + predicate isBarrier(DataFlow::Node sanitizer) { + sanitizer instanceof ExplicitIntentSanitizer or + barrierNode(sanitizer, "java/android/implicit-pendingintents") + } predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(ImplicitPendingIntentAdditionalTaintStep c).step(node1, node2) diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll index 01a924de78e4..5d79d1db1b8d 100644 
--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll @@ -4,6 +4,7 @@ import java private import semmle.code.java.security.internal.ArraySizing private import semmle.code.java.security.internal.BoundingChecks private import semmle.code.java.dataflow.DataFlow +import semmle.code.java.dataflow.ExternalFlow /** * A dataflow configuration to reason about improper validation of code-specified array index. @@ -15,6 +16,10 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig { exists(CheckableArrayAccess arrayAccess | arrayAccess.canThrowOutOfBounds(sink.asExpr())) } + predicate isBarrier(DataFlow::Node node) { + barrierNode(node, "java/improper-validation-of-array-index-code-specified") + } + predicate observeDiffInformedIncrementalMode() { any() } } diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll index 7cb3d1724830..ec16781527da 100644 --- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll @@ -3,6 +3,7 @@ import java private import semmle.code.java.security.internal.ArraySizing private import semmle.code.java.dataflow.FlowSources +import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration to reason about improper validation 
@@ -15,7 +16,10 @@ module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig { any(CheckableArrayAccess caa).canThrowOutOfBounds(sink.asExpr()) } - predicate isBarrier(DataFlow::Node node) { node.getType() instanceof BooleanType } + predicate isBarrier(DataFlow::Node node) { + node.getType() instanceof BooleanType or + barrierNode(node, "java/improper-validation-of-array-index") + } predicate isBarrierIn(DataFlow::Node node) { isSource(node) } diff --git a/java/ql/lib/semmle/code/java/security/InsecureBasicAuthQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureBasicAuthQuery.qll index e2c188d956b8..74ef4d77988a 100644 --- a/java/ql/lib/semmle/code/java/security/InsecureBasicAuthQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsecureBasicAuthQuery.qll @@ -4,6 +4,7 @@ import java import semmle.code.java.security.HttpsUrls import semmle.code.java.security.InsecureBasicAuth import semmle.code.java.dataflow.TaintTracking +import semmle.code.java.dataflow.ExternalFlow /** * A taint tracking configuration for the Basic authentication scheme @@ -14,6 +15,8 @@ module BasicAuthFlowConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof InsecureBasicAuthSink } + predicate isBarrier(DataFlow::Node node) { barrierNode(node, "java/insecure-basic-auth") } + predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(HttpUrlsAdditionalTaintStep c).step(node1, node2) } diff --git a/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll index e1c840ce2642..9d9311cd0a9b 100644 --- a/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll 
@@ -50,6 +50,8 @@ module BeanValidationConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink } + predicate isBarrier(DataFlow::Node node) { barrierNode(node, "java/insecure-bean-validation") } + predicate observeDiffInformedIncrementalMode() { any() } } diff --git a/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll index a4cbf474dded..764ebc32ada3 100644 --- a/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll @@ -5,6 +5,7 @@ import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.TaintTracking import semmle.code.java.frameworks.Jndi import semmle.code.java.security.InsecureLdapAuth +import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration for `ldap://` URL in LDAP authentication. @@ -14,6 +15,8 @@ module InsecureLdapUrlConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof InsecureLdapUrlSink } + predicate isBarrier(DataFlow::Node node) { barrierNode(node, "java/insecure-ldap-auth") } + /** Method call of `env.put()`. */ predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { exists(MethodCall ma | diff --git a/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll index 77da25d35866..358ce0919290 100644 --- a/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll 
@@ -68,6 +68,8 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof InsecureRandomnessSink } + predicate isBarrier(DataFlow::Node node) { barrierNode(node, "java/insecure-randomness") } + predicate isBarrierIn(DataFlow::Node n) { isSource(n) } predicate isBarrierOut(DataFlow::Node n) { isSink(n) } diff --git a/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll index 39420807a27e..6db2c2205add 100644 --- a/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll @@ -3,6 +3,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.InsecureTrustManager +import semmle.code.java.dataflow.ExternalFlow /** * A configuration to model the flow of an insecure `TrustManager` @@ -13,6 +14,8 @@ module InsecureTrustManagerConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof InsecureTrustManagerSink } + predicate isBarrier(DataFlow::Node node) { barrierNode(node, "java/insecure-trustmanager") } + predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) { (isSink(node) or isAdditionalFlowStep(node, _)) and node.getType() instanceof Array and diff --git a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll index d105db336101..6660d493d999 100644 --- a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll @@ -4,6 +4,7 @@ module; import semmle.code.java.dataflow.DataFlow import semmle.code.java.security.InsufficientKeySize +import semmle.code.java.dataflow.ExternalFlow /** * A data flow configuration for tracking key sizes used in cryptographic algorithms. 
@@ -19,6 +20,10 @@ module KeySizeConfig implements DataFlow::StateConfigSig { sink.(InsufficientKeySizeSink).hasState(state) }
+ predicate isBarrier(DataFlow::Node node, KeySizeState state) {
+ barrierNode(node, "java/insufficient-key-size")
+ }
+
 predicate observeDiffInformedIncrementalMode() { any() } }
diff --git a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll
index 5ac8024d81f2..6d873cf9541e 100644
--- a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll
@@ -7,6 +7,7 @@ import java
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.DataFlow
 private import IntentUriPermissionManipulation
+import semmle.code.java.dataflow.ExternalFlow
 /** * A taint tracking configuration for user-provided Intents being returned to third party apps.
@@ -17,7 +18,8 @@ module IntentUriPermissionManipulationConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof IntentUriPermissionManipulationSink } predicate isBarrier(DataFlow::Node barrier) {
- barrier instanceof IntentUriPermissionManipulationSanitizer
+ barrier instanceof IntentUriPermissionManipulationSanitizer or
+ barrierNode(barrier, "java/android/intent-uri-permission-manipulation")
 } predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
diff --git a/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll
index 4ad1dd3ba310..8fb3edd5d725 100644
--- a/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll
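Review bot: In the IntentUriPermissionManipulationQuery import hunk the added `import semmle.code.java.dataflow.ExternalFlow` is a public import placed next to three `private import` lines, so every query that imports this library now also re-exports the ExternalFlow API (`sinkNode`, `barrierNode`, ...) even though `barrierNode` is only used inside this file. `private import semmle.code.java.dataflow.ExternalFlow` matches the surrounding style and leaves the library's public surface unchanged; the same applies to the import hunks for JndiInjection, MaybeBrokenCryptoAlgorithm, NumericCastTainted, OgnlInjection, ResponseSplitting, SensitiveResultReceiver, SpelInjection, SqlInjection, TaintedPermissionsCheck, UrlRedirect, WebviewDebuggingEnabled, XPathInjection, XsltInjection and XxeRemote, and to the JexlInjectionQuery hunk that explicitly turns an existing `private import` of ExternalFlow into a public one. If the public import is deliberate, a one-line comment on it saying why would stop the next reader from reverting it.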
@@ -3,7 +3,7 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
-private import semmle.code.java.dataflow.ExternalFlow
+import semmle.code.java.dataflow.ExternalFlow
 /** * A sink for Expresssion Language injection vulnerabilities via Jexl,
@@ -48,6 +48,8 @@ module JexlInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
+ predicate isBarrier(DataFlow::Node node) { barrierNode(node, "java/jexl-expression-injection") }
+
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(JexlInjectionAdditionalTaintStep c).step(node1, node2) }
diff --git a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll
index f50787fef024..94ce78155346 100644
--- a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll
@@ -6,6 +6,7 @@ import semmle.code.java.frameworks.Jndi
 import semmle.code.java.frameworks.SpringLdap
 import semmle.code.java.security.JndiInjection
 private import semmle.code.java.security.Sanitizers
+import semmle.code.java.dataflow.ExternalFlow
 /** * A taint-tracking configuration for unvalidated user input that is used in JNDI lookup.
@@ -17,7 +18,8 @@ module JndiInjectionFlowConfig implements DataFlow::ConfigSig { predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer or
- node instanceof JndiInjectionSanitizer
+ node instanceof JndiInjectionSanitizer or
+ barrierNode(node, "java/jndi-injection")
 } predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
diff --git a/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll
index ef27fa3cd16b..261699985f15 100644
--- a/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll
@@ -3,6 +3,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.LdapInjection
+import semmle.code.java.dataflow.ExternalFlow
 /** * A taint-tracking configuration for unvalidated user input that is used to construct LDAP queries.
@@ -12,7 +13,10 @@ module LdapInjectionFlowConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof LdapInjectionSink }
- predicate isBarrier(DataFlow::Node node) { node instanceof LdapInjectionSanitizer }
+ predicate isBarrier(DataFlow::Node node) {
+ node instanceof LdapInjectionSanitizer or
+ barrierNode(node, "java/ldap-injection")
+ }
 predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { any(LdapInjectionAdditionalTaintStep a).step(pred, succ)
diff --git a/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll
index c34ba0e48499..cecda0d7579c 100644
--- a/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll
@@ -3,6 +3,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.LogInjection
+import semmle.code.java.dataflow.ExternalFlow
 /** * A taint-tracking configuration for tracking untrusted user input used in log entries.
@@ -12,7 +13,10 @@ module LogInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof LogInjectionSink }
- predicate isBarrier(DataFlow::Node node) { node instanceof LogInjectionSanitizer }
+ predicate isBarrier(DataFlow::Node node) {
+ node instanceof LogInjectionSanitizer or
+ barrierNode(node, "java/log-injection")
+ }
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(LogInjectionAdditionalTaintStep c).step(node1, node2)
diff --git a/java/ql/lib/semmle/code/java/security/MaybeBr� 
@@ -13,6 +14,8 @@ module MissingJwtSignatureCheckConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof JwtParserWithInsecureParseSink } + predicate isBarrier(DataFlow::Node node) { barrierNode(node, "java/missing-jwt-signature-check") } + predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(JwtParserWithInsecureParseAdditionalFlowStep c).step(node1, node2) } diff --git a/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll index d0f6e02357b8..de33f0b563a4 100644 --- a/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll @@ -4,6 +4,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.MvelInjection +import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration for unsafe user input @@ -14,7 +15,10 @@ module MvelInjectionFlowConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof MvelEvaluationSink } - predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof MvelInjectionSanitizer } + predicate isBarrier(DataFlow::Node sanitizer) { + sanitizer instanceof MvelInjectionSanitizer or + barrierNode(sanitizer, "java/mvel-expression-injection") + } predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(MvelInjectionAdditionalTaintStep c).step(node1, node2) diff --git a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll index 4b2d7709fbd9..368ee7cf3031 100644 --- a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll +++ b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll 
@@ -6,6 +6,7 @@ private import semmle.code.java.dataflow.SSA private import semmle.code.java.controlflow.Guards private import semmle.code.java.dataflow.RangeAnalysis private import semmle.code.java.dataflow.FlowSources +import semmle.code.java.dataflow.ExternalFlow /** * A `CastExpr` that is a narrowing cast. @@ -98,7 +99,8 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig { node.getType() instanceof SmallType or smallExpr(node.asExpr()) or node.getEnclosingCallable() instanceof HashCodeMethod or - exists(RightShiftOp e | e.getShiftedVariable().getAnAccess() = node.asExpr()) + exists(RightShiftOp e | e.getShiftedVariable().getAnAccess() = node.asExpr()) or + barrierNode(node, "java/tainted-numeric-cast") } predicate isBarrierIn(DataFlow::Node node) { isSource(node) } diff --git a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll index d9bfad412599..d9dad8ead4c0 100644 --- a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll @@ -4,6 +4,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.OgnlInjection private import semmle.code.java.security.Sanitizers +import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration for unvalidated user input that is used in OGNL EL evaluation. @@ -13,7 +14,10 @@ module OgnlInjectionFlowConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink } - predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer } + predicate isBarrier(DataFlow::Node node) { + node instanceof SimpleTypeSanitizer or + barrierNode(node, "java/ognl-injection") + } predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(OgnlInjectionAdditionalTaintStep c).step(node1, node2) 
diff --git a/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll b/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll index 78b9098beeef..6e720ccc37d5 100644 --- a/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll +++ b/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll @@ -5,6 +5,7 @@ import semmle.code.java.security.PartialPathTraversal import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.TaintTracking import semmle.code.java.dataflow.FlowSources +import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration for unsafe user input @@ -18,6 +19,10 @@ module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig { any(PartialPathTraversalMethodCall ma).getQualifier() = node.asExpr() } + predicate isBarrier(DataFlow::Node node) { + barrierNode(node, "java/partial-path-traversal-from-remote") + } + predicate observeDiffInformedIncrementalMode() { any() } } diff --git a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll index ec4bbaf8d091..58cd419ae083 100644 --- a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll +++ b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll @@ -6,6 +6,7 @@ import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.RequestForgery +import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration characterising request-forgery risks. @@ -25,7 +26,10 @@ module RequestForgeryConfig implements DataFlow::ConfigSig { any(RequestForgeryAdditionalTaintStep r).propagatesTaint(pred, succ) } - predicate isBarrier(DataFlow::Node node) { node instanceof RequestForgerySanitizer } + predicate isBarrier(DataFlow::Node node) { + node instanceof RequestForgerySanitizer or + barrierNode(node, "java/ssrf") + } predicate isBarrierIn(DataFlow::Node node) { isSource(node) } 
diff --git a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll index 9bd96a51a68d..e7fd933bf411 100644 --- a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll @@ -4,6 +4,7 @@ import java private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.security.Sanitizers import semmle.code.java.security.ResponseSplitting +import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration for response splitting vulnerabilities. @@ -30,6 +31,8 @@ module ResponseSplittingConfig implements DataFlow::ConfigSig { target.getStringValue().regexpMatch(".*([\n\r]|\\[\\^[^\\]\r\n]*\\]).*") ) ) + or + barrierNode(node, "java/http-response-splitting") } predicate observeDiffInformedIncrementalMode() { any() } diff --git a/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll b/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll index 8fed05f2186b..737b10b12522 100644 --- a/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll +++ b/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll @@ -3,6 +3,7 @@ import java import Encryption import semmle.code.java.dataflow.DataFlow +import semmle.code.java.dataflow.ExternalFlow /** * A configuration for finding RSA ciphers initialized without using OAEP padding. @@ -21,6 +22,8 @@ module RsaWithoutOaepConfig implements DataFlow::ConfigSig { exists(CryptoAlgoSpec cr | sink.asExpr() = cr.getAlgoSpec()) } + predicate isBarrier(DataFlow::Node node) { barrierNode(node, "java/rsa-without-oaep") } + predicate observeDiffInformedIncrementalMode() { any() } } diff --git a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll index 7058b844cbdb..1194b5426a24 100644 --- a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll 
+++ b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll @@ -126,7 +126,10 @@ module SensitiveLoggerConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sinkNode(sink, "log-injection") } - predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof SensitiveLoggerBarrier } + predicate isBarrier(DataFlow::Node sanitizer) { + sanitizer instanceof SensitiveLoggerBarrier or + barrierNode(sanitizer, "java/sensitive-log") + } predicate isBarrierIn(DataFlow::Node node) { isSource(node) } diff --git a/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll index f3a07480cf06..d2d77f2edc2a 100644 --- a/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll @@ -5,6 +5,7 @@ import semmle.code.java.dataflow.TaintTracking import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.SensitiveActions private import semmle.code.java.dataflow.FlowSinks +import semmle.code.java.dataflow.ExternalFlow private class ResultReceiverSendCall extends MethodCall { ResultReceiverSendCall() { @@ -49,6 +50,10 @@ private module SensitiveResultReceiverConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node node) { node instanceof SensitiveResultReceiverSink } + predicate isBarrier(DataFlow::Node node) { + barrierNode(node, "java/android/sensitive-result-receiver") + } + predicate allowImplicitRead(DataFlow::Node n, DataFlow::ContentSet c) { isSink(n) and exists(c) } } diff --git a/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll index a982b094ee49..5c8c305a8fa1 100644 --- a/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll 
@@ -5,6 +5,7 @@ private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.dataflow.TaintTracking private import semmle.code.java.frameworks.spring.SpringExpression private import semmle.code.java.security.SpelInjection +import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration for unsafe user input @@ -15,6 +16,8 @@ module SpelInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof SpelExpressionEvaluationSink } + predicate isBarrier(DataFlow::Node node) { barrierNode(node, "java/spel-expression-injection") } + predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(SpelExpressionInjectionAdditionalTaintStep c).step(node1, node2) } diff --git a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll index 67f0f1220433..e7a3a1f365f7 100644 --- a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll @@ -10,6 +10,7 @@ import java import semmle.code.java.dataflow.FlowSources private import semmle.code.java.security.Sanitizers import semmle.code.java.security.QueryInjection +import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration for unvalidated user input that is used in SQL queries. @@ -19,7 +20,9 @@ module QueryInjectionFlowConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink } - predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer } + predicate isBarrier(DataFlow::Node node) { + node instanceof SimpleTypeSanitizer or barrierNode(node, "java/sql-injection") + } predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(AdditionalQueryInjectionTaintStep s).step(node1, node2) 
diff --git a/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll b/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll index a03775990541..048a5d12a6a2 100644 --- a/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll +++ b/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll @@ -128,6 +128,10 @@ module StaticInitializationVectorConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof EncryptionInitializationSink } + predicate isBarrier(DataFlow::Node node) { + barrierNode(node, "java/static-initialization-vector") + } + predicate observeDiffInformedIncrementalMode() { any() } } diff --git a/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll index 2bc9dba92f01..9d7938a3a223 100644 --- a/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll @@ -28,7 +28,10 @@ abstract class ExecTaintedEnvironmentSanitizer extends DataFlow::Node { } module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } - predicate isBarrier(DataFlow::Node barrier) { barrier instanceof ExecTaintedEnvironmentSanitizer } + predicate isBarrier(DataFlow::Node barrier) { + barrier instanceof ExecTaintedEnvironmentSanitizer or + barrierNode(barrier, "java/exec-tainted-environment") + } predicate isSink(DataFlow::Node sink) { sinkNode(sink, "environment-injection") diff --git a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll index 6726bcc35086..b1a9411b15e1 100644 --- a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll 
@@ -66,7 +66,8 @@ module TaintedPathConfig implements DataFlow::ConfigSig { predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof SimpleTypeSanitizer or - sanitizer instanceof PathInjectionSanitizer + sanitizer instanceof PathInjectionSanitizer or + barrierNode(sanitizer, "java/path-injection") } predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) { diff --git a/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll index 7113c7036e4c..34d862ad57df 100644 --- a/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll @@ -3,6 +3,7 @@ import java private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.dataflow.TaintTracking +import semmle.code.java.dataflow.ExternalFlow /** * The `org.apache.shiro.subject.Subject` class. @@ -60,6 +61,8 @@ module TaintedPermissionsCheckFlowConfig implements DataFlow::ConfigSig { sink.asExpr() = any(PermissionsConstruction p).getInput() } + predicate isBarrier(DataFlow::Node node) { barrierNode(node, "java/tainted-permissions-check") } + predicate observeDiffInformedIncrementalMode() { any() } Location getASelectedSinkLocation(DataFlow::Node sink) { diff --git a/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll index 536c8f33dafb..e6c4e871cb4c 100644 --- a/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll 
@@ -4,6 +4,7 @@ import java import semmle.code.java.dataflow.TaintTracking import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.TemplateInjection +import semmle.code.java.dataflow.ExternalFlow /** A taint tracking configuration to reason about server-side template injection (SST) vulnerabilities */ module TemplateInjectionFlowConfig implements DataFlow::ConfigSig { @@ -11,7 +12,10 @@ module TemplateInjectionFlowConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof TemplateInjectionSink } - predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof TemplateInjectionSanitizer } + predicate isBarrier(DataFlow::Node sanitizer) { + sanitizer instanceof TemplateInjectionSanitizer or + barrierNode(sanitizer, "java/server-side-template-injection") + } predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(TemplateInjectionAdditionalTaintStep a).isAdditionalTaintStep(node1, node2) diff --git a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll index 477aeb48b64e..38292c1a95f2 100644 --- a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll @@ -40,7 +40,8 @@ module TrustBoundaryConfig implements DataFlow::ConfigSig { predicate isBarrier(DataFlow::Node node) { node instanceof TrustBoundaryValidationSanitizer or node.getType() instanceof HttpServletSession or - node instanceof SimpleTypeSanitizer + node instanceof SimpleTypeSanitizer or + barrierNode(node, "java/trust-boundary-violation") } predicate isSink(DataFlow::Node sink) { sink instanceof TrustBoundaryViolationSink } diff --git a/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccessQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccessQuery.qll index 6fe849c7983e..be5eaefef8cc 100644 
--- a/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccessQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccessQuery.qll @@ -5,6 +5,7 @@ import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.RequestForgery import semmle.code.java.security.UnsafeAndroidAccess +import semmle.code.java.dataflow.ExternalFlow /** * A taint configuration tracking flow from untrusted inputs to a resource fetching call. @@ -14,7 +15,10 @@ module FetchUntrustedResourceConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof UrlResourceSink } - predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof RequestForgerySanitizer } + predicate isBarrier(DataFlow::Node sanitizer) { + sanitizer instanceof RequestForgerySanitizer or + barrierNode(sanitizer, "java/android/unsafe-android-webview-fetch") + } predicate observeDiffInformedIncrementalMode() { any() } } diff --git a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll index d072de05c1c4..7714b56a74fb 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll @@ -4,6 +4,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.UnsafeContentUriResolution +import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration to find paths from remote sources to content URI resolutions. 
@@ -14,7 +15,8 @@ module UnsafeContentResolutionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof ContentUriResolutionSink } predicate isBarrier(DataFlow::Node sanitizer) { - sanitizer instanceof ContentUriResolutionSanitizer + sanitizer instanceof ContentUriResolutionSanitizer or + barrierNode(sanitizer, "java/android/unsafe-content-uri-resolution") } predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { diff --git a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll index dc771a466063..1a27b9cf9b55 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll @@ -308,7 +308,10 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig { isUnsafeDeserializationTaintStep(pred, succ) } - predicate isBarrier(DataFlow::Node node) { isUnsafeDeserializationSanitizer(node) } + predicate isBarrier(DataFlow::Node node) { + isUnsafeDeserializationSanitizer(node) or + barrierNode(node, "java/unsafe-deserialization") + } predicate observeDiffInformedIncrementalMode() { any() } diff --git a/java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll index 60829f426f75..e33c77cccd74 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll 
@@ -64,6 +64,8 @@ module TrustAllHostnameVerifierConfig implements DataFlow::ConfigSig { .regexpMatch("^(?i)(_)*((no|ignore|disable)(strictssl|ssl|verify|verification|hostname)" + "|(set)?(accept|trust|ignore|allow)(all|every|any)" + "|(use|do|enable)insecure|(set|do|use)?no.*(check|validation|verify|verification)|disable).*$") + or + barrierNode(barrier, "java/unsafe-hostname-verification") } predicate observeDiffInformedIncrementalMode() { any() } diff --git a/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll b/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll index 895e824b3dbd..02da8dd5e424 100644 --- a/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll @@ -193,7 +193,10 @@ module UrlForwardFlowConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof UrlForwardSink } - predicate isBarrier(DataFlow::Node node) { node instanceof UrlForwardBarrier } + predicate isBarrier(DataFlow::Node node) { + node instanceof UrlForwardBarrier or + barrierNode(node, "java/unvalidated-url-forward") + } DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext } diff --git a/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll b/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll index 26d133d4adb3..d192f7fcf3c1 100644 --- a/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll @@ -3,6 +3,7 @@ import java private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.security.UrlRedirect +import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration for reasoning about URL redirections. 
@@ -12,7 +13,10 @@ module UrlRedirectConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink } - predicate isBarrier(DataFlow::Node node) { node instanceof UrlRedirectSanitizer } + predicate isBarrier(DataFlow::Node node) { + node instanceof UrlRedirectSanitizer or + barrierNode(node, "java/unvalidated-url-redirection") + } predicate observeDiffInformedIncrementalMode() { any() } } diff --git a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll index 90e47521bf04..dd1a200c1089 100644 --- a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll +++ b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll @@ -5,6 +5,7 @@ import semmle.code.java.dataflow.DataFlow import semmle.code.java.controlflow.Guards import semmle.code.java.security.SecurityTests private import semmle.code.java.dataflow.FlowSinks +import semmle.code.java.dataflow.ExternalFlow /** Holds if `ex` looks like a check that this is a debug build. */ private predicate isDebugCheck(Expr ex) { @@ -43,6 +44,8 @@ module WebviewDebugEnabledConfig implements DataFlow::ConfigSig { exists(Guard debug | isDebugCheck(debug) and debug.controls(node.asExpr().getBasicBlock(), _)) or node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass + or + barrierNode(node, "java/android/webview-debugging-enabled") } predicate observeDiffInformedIncrementalMode() { any() } diff --git a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll index e387f0d0e118..7c95ea6205c0 100644 --- a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll 
@@ -4,6 +4,7 @@ import java
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.security.XPath
+import semmle.code.java.dataflow.ExternalFlow
 /**
 * A taint-tracking configuration for reasoning about XPath injection vulnerabilities.
@@ -13,6 +14,8 @@ module XPathInjectionConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
+ predicate isBarrier(DataFlow::Node node) { barrierNode(node, "java/xml/xpath-injection") }
+
 predicate observeDiffInformedIncrementalMode() { any() }
 }
diff --git a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll
index 7ff745a057ca..b5e093ceda59 100644
--- a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll
@@ -6,6 +6,7 @@ import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.XmlParsers
 import semmle.code.java.security.XsltInjection
 private import semmle.code.java.security.Sanitizers
+import semmle.code.java.dataflow.ExternalFlow
 /**
 * A taint-tracking configuration for unvalidated user input that is used in XSLT transformation.
@@ -15,7 +16,10 @@ module XsltInjectionFlowConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof XsltInjectionSink }
- predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
+ predicate isBarrier(DataFlow::Node node) {
+ node instanceof SimpleTypeSanitizer or
+ barrierNode(node, "java/xslt-injection")
+ }
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
 any(XsltInjectionAdditionalTaintStep c).step(node1, node2)
diff --git a/java/ql/lib/semmle/code/java/security/XssQuery.qll b/java/ql/lib/semmle/code/java/security/XssQuery.qll
index c0d7035a4f9a..ddb78b631fd8 100644
--- a/java/ql/lib/semmle/code/java/security/XssQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XssQuery.qll
@@ -4,6 +4,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.XSS
+import semmle.code.java.dataflow.ExternalFlow
 /**
 * A taint-tracking configuration for cross site scripting vulnerabilities.
@@ -13,7 +14,9 @@ module XssConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
- predicate isBarrier(DataFlow::Node node) { node instanceof XssSanitizer }
+ predicate isBarrier(DataFlow::Node node) {
+ node instanceof XssSanitizer or barrierNode(node, "java/xss")
+ }
 predicate isBarrierOut(DataFlow::Node node) { node instanceof XssSinkBarrier }
diff --git a/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll b/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll
index ecfdb7c4ae1c..79a1dd542e2d 100644
--- a/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll
@@ -4,6 +4,7 @@ import java
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.security.XxeQuery
+import semmle.code.java.dataflow.ExternalFlow
 /**
 * A taint-tracking configuration for unvalidated remote user input that is used in XML external entity expansion.
@@ -13,7 +14,10 @@ module XxeConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof XxeSink }
- predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof XxeSanitizer }
+ predicate isBarrier(DataFlow::Node sanitizer) {
+ sanitizer instanceof XxeSanitizer or
+ barrierNode(sanitizer, "java/xxe")
+ }
 predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
 any(XxeAdditionalTaintStep s).step(n1, n2)
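Review bot: The MaD hook added to `isBarrier` in XssConfig does not reach the `isBarrierOut` predicate on the context line that follows it, so — assuming `barrierNode` has no in/out variant, as its signature suggests — extension data can only declare whole-node barriers for `java/xss`, never sink-side ones like the existing `XssSinkBarrier`. That limit is probably intended, but an extension author who wants to exclude one sink argument would reasonably try a barrier row first and get no effect. A short comment on the new line, `// MaD barriers apply to the whole node; sink-side barriers remain code-only (see isBarrierOut).`, makes the boundary explicit where it will be read.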
diff --git a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
index 9e2e5e4a6c7e..34d461548ce7 100644
--- a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
@@ -41,7 +41,8 @@ module ZipSlipConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node instanceof SimpleTypeSanitizer or
- node instanceof PathInjectionSanitizer
+ node instanceof PathInjectionSanitizer or
+ barrierNode(node, "java/zipslip")
 }
 predicate observeDiffInformedIncrementalMode() { any() }
diff --git a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
index 767ebc97437b..1125f0543649 100644
--- a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
@@ -6,6 +6,7 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.regex.RegexFlowConfigs
 import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.Sanitizers
+import semmle.code.java.dataflow.ExternalFlow
 /** A sink for polynomial redos queries, where a regex is matched. */
 class PolynomialRedosSink extends DataFlow::Node {
@@ -45,7 +46,8 @@ module PolynomialRedosConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node instanceof SimpleTypeSanitizer or
- node.asExpr().(MethodCall).getMethod() instanceof LengthRestrictedMethod
+ node.asExpr().(MethodCall).getMethod() instanceof LengthRestrictedMethod or
+ barrierNode(node, "java/polynomial-redos")
 }
 predicate observeDiffInformedIncrementalMode() { any() }
diff --git a/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll
index 533482a8af14..970ddc035194 100644
--- a/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll
@@ -4,6 +4,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.regexp.RegexInjection
+import semmle.code.java.dataflow.ExternalFlow
 /**
 * A taint-tracking configuration for untrusted user input used to construct regular expressions.
@@ -13,7 +14,10 @@ module RegexInjectionConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink }
- predicate isBarrier(DataFlow::Node node) { node instanceof RegexInjectionSanitizer }
+ predicate isBarrier(DataFlow::Node node) {
+ node instanceof RegexInjectionSanitizer or
+ barrierNode(node, "java/regex-injection")
+ }
 predicate observeDiffInformedIncrementalMode() { any() }
 }
diff --git a/java/ql/src/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
index 494e851a5333..ff32a9b77e74 100644
--- a/java/ql/src/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -24,6 +24,7 @@ import java
 import semmle.code.java.dataflow.FlowSteps
 import semmle.code.java.frameworks.Servlets
 import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.ExternalFlow
 /** Gets a regular expression for matching common names of sensitive cookies. */
 string getSensitiveCookieNameRegex() { result = "(?i).*(auth|session|token|key|credential).*" }
@@ -174,7 +175,8 @@ module MissingHttpOnlyConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 // JAX-RS's `new NewCookie("session-access-key", accessKey, "/", null, null, 0, true, true)` and similar
 // Cookie constructors that set the `HttpOnly` flag are considered barriers to the flow of sensitive names.
- setsHttpOnlyInNewCookie(node.asExpr())
+ setsHttpOnlyInNewCookie(node.asExpr()) or
+ barrierNode(node, "java/sensitive-cookie-not-httponly")
 }
 predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
From f54f73ad238928c1feb466252e8f77eef4245fe7 Mon Sep 17 00:00:00 2001
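Review bot: The two-line comment at the top of `isBarrier` now heads a disjunction but only explains the first disjunct (`setsHttpOnlyInNewCookie`), so the MaD barrier reads as if it were part of the JAX-RS `NewCookie` rule. A comment on the new line, `// Barriers supplied by models-as-data extensions for this query.`, keeps the two sources of barriers distinguishable. Because `MissingHttpOnlyConfig` lives in the `.ql` file rather than a `Query.qll` library, the id string can only be exercised through this query's own test directory, so a model-extension test case there would be worth adding if none exists.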
From: Owen Mansel-Chan Date: Tue, 16 Dec 2025 23:54:12 +0000 Subject: [PATCH 2/5] Make imports private --- .../java/security/AndroidIntentRedirectionQuery.qll | 2 +- .../security/AndroidSensitiveCommunicationQuery.qll | 2 +- .../java/security/ArbitraryApkInstallationQuery.qll | 2 +- .../code/java/security/ArithmeticTaintedQuery.qll | 10 +++++----- .../code/java/security/ArithmeticUncontrolledQuery.qll | 2 +- .../java/security/ArithmeticWithExtremeValuesQuery.qll | 2 +- .../code/java/security/BrokenCryptoAlgorithmQuery.qll | 2 +- .../code/java/security/ConditionalBypassQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/ExternalAPIs.qll | 2 +- .../security/ExternallyControlledFormatStringQuery.qll | 2 +- .../code/java/security/FragmentInjectionQuery.qll | 2 +- .../semmle/code/java/security/GroovyInjectionQuery.qll | 2 +- .../java/security/HardcodedCredentialsApiCallQuery.qll | 2 +- .../security/HardcodedCredentialsSourceCallQuery.qll | 2 +- .../lib/semmle/code/java/security/HttpsUrlsQuery.qll | 2 +- .../code/java/security/ImplicitPendingIntentsQuery.qll | 2 +- ...mproperValidationOfArrayIndexCodeSpecifiedQuery.qll | 2 +- .../security/ImproperValidationOfArrayIndexQuery.qll | 2 +- .../code/java/security/InsecureBasicAuthQuery.qll | 2 +- .../code/java/security/InsecureLdapAuthQuery.qll | 2 +- .../code/java/security/InsecureTrustManagerQuery.qll | 2 +- .../code/java/security/InsufficientKeySizeQuery.qll | 2 +- .../security/IntentUriPermissionManipulationQuery.qll | 2 +- .../semmle/code/java/security/JexlInjectionQuery.qll | 2 +- .../semmle/code/java/security/JndiInjectionQuery.qll | 2 +- .../semmle/code/java/security/LdapInjectionQuery.qll | 2 +- .../semmle/code/java/security/LogInjectionQuery.qll | 2 +- .../java/security/MaybeBrokenCryptoAlgorithmQuery.qll | 2 +- .../java/security/MissingJWTSignatureCheckQuery.qll | 2 +- .../semmle/code/java/security/MvelInjectionQuery.qll | 2 +- .../code/java/security/NumericCastTaintedQuery.qll | 2 +- 
.../semmle/code/java/security/OgnlInjectionQuery.qll | 2 +- .../code/java/security/PartialPathTraversalQuery.qll | 2 +- .../semmle/code/java/security/RequestForgeryConfig.qll | 2 +- .../code/java/security/ResponseSplittingQuery.qll | 2 +- .../semmle/code/java/security/RsaWithoutOaepQuery.qll | 2 +- .../java/security/SensitiveResultReceiverQuery.qll | 2 +- .../semmle/code/java/security/SpelInjectionQuery.qll | 2 +- .../semmle/code/java/security/SqlInjectionQuery.qll | 2 +- .../java/security/TaintedPermissionsCheckQuery.qll | 2 +- .../code/java/security/TemplateInjectionQuery.qll | 2 +- .../code/java/security/UnsafeAndroidAccessQuery.qll | 2 +- .../java/security/UnsafeContentUriResolutionQuery.qll | 2 +- .../lib/semmle/code/java/security/UrlRedirectQuery.qll | 2 +- .../java/security/WebviewDebuggingEnabledQuery.qll | 2 +- .../semmle/code/java/security/XPathInjectionQuery.qll | 2 +- .../semmle/code/java/security/XsltInjectionQuery.qll | 2 +- java/ql/lib/semmle/code/java/security/XssQuery.qll | 2 +- .../lib/semmle/code/java/security/XxeRemoteQuery.qll | 2 +- .../code/java/security/regexp/PolynomialReDoSQuery.qll | 1 - 50 files changed, 53 insertions(+), 54 deletions(-) diff --git a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll index bb475047bb5d..98bae7259abe 100644 --- a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll @@ -4,7 +4,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.AndroidIntentRedirection -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** A taint tracking configuration for tainted Intents being used to start Android components. */ module IntentRedirectionConfig implements DataFlow::ConfigSig { 
diff --git a/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll index 26c4326c04f5..ed9acb06d569 100644 --- a/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll @@ -4,8 +4,8 @@ import java import semmle.code.java.dataflow.TaintTracking import semmle.code.java.frameworks.android.Intent import semmle.code.java.security.SensitiveActions +private import semmle.code.java.dataflow.ExternalFlow private import semmle.code.java.dataflow.FlowSinks -import semmle.code.java.dataflow.ExternalFlow /** * Gets regular expression for matching names of Android variables that indicate the value being held contains sensitive information. diff --git a/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll b/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll index 1fa7b6b603de..5e0e47873f26 100644 --- a/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll @@ -3,8 +3,8 @@ import java import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.TaintTracking +private import semmle.code.java.dataflow.ExternalFlow private import semmle.code.java.security.ArbitraryApkInstallation -import semmle.code.java.dataflow.ExternalFlow /** * A dataflow configuration for flow from an external source of an APK to the diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll index 96785273649c..17e9d38c76df 100644 --- a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll 
@@ -1,9 +1,9 @@
 /** Provides taint-tracking configurations to reason about arithmetic with unvalidated input. */
 import java
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.ArithmeticCommon
-import semmle.code.java.dataflow.ExternalFlow
 /** A taint-tracking configuration to reason about overflow from unvalidated input. */
 module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
@@ -38,12 +38,12 @@ deprecated module RemoteUserInputOverflowConfig = ArithmeticOverflowConfig;
 module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
- underflowBarrier(n) or
- barrierNode(n, "java/tainted-arithmetic")
 predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
- predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }
+ predicate isBarrier(DataFlow::Node n) {
+ underflowBarrier(n) or
+ barrierNode(n, "java/tainted-arithmetic")
+ }
 predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
index 5d72d110f9ef..7f454bb67ab5 100644
--- a/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
@@ -1,11 +1,11 @@
 /** Provides taint-tracking configuration to reason about arithmetic with uncontrolled values. */
 import java
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.security.RandomQuery
 private import semmle.code.java.security.SecurityTests
 private import semmle.code.java.security.ArithmeticCommon
-import semmle.code.java.dataflow.ExternalFlow
 private class TaintSource extends DataFlow::ExprNode {
 TaintSource() {
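Review bot: The removed lines `- underflowBarrier(n) or` and `- barrierNode(n, "java/tainted-arithmetic")` in the `@@ -38,12 +38,12 @@` hunk were bare formulas sitting directly in the body of `ArithmeticUnderflowConfig` after `isSource`, which is not valid QL, so the previous commit in this series left the library in a state that would not compile and this commit repairs it under the unrelated title "Make imports private". Either squash this hunk into the earlier commit or say so in the message, so that bisecting the series does not land on a broken tree. The rewritten `isBarrier` itself follows the same shape as the other configs and needs no change.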
diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticWithExtremeValuesQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticWithExtremeValuesQuery.qll index 4ae368601e03..43d6daae491a 100644 --- a/java/ql/lib/semmle/code/java/security/ArithmeticWithExtremeValuesQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ArithmeticWithExtremeValuesQuery.qll @@ -1,9 +1,9 @@ /** Provides predicates and classes for reasoning about arithmetic with extreme values. */ import java +private import semmle.code.java.dataflow.ExternalFlow private import semmle.code.java.dataflow.DataFlow private import semmle.code.java.security.ArithmeticCommon -import semmle.code.java.dataflow.ExternalFlow /** * A field representing an extreme value. diff --git a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll index 390df3ea9772..3699c398784f 100644 --- a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll +++ b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll @@ -2,9 +2,9 @@ import java private import semmle.code.java.security.Encryption +private import semmle.code.java.dataflow.ExternalFlow private import semmle.code.java.dataflow.TaintTracking private import semmle.code.java.security.Sanitizers -import semmle.code.java.dataflow.ExternalFlow private class ShortStringLiteral extends StringLiteral { ShortStringLiteral() { this.getValue().length() < 100 } diff --git a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll index e10c09cca278..15e2e61c75e0 100644 --- a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll 
@@ -7,7 +7,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.SensitiveActions import semmle.code.java.controlflow.Guards -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** * Holds if `ma` is controlled by the condition expression `e`. diff --git a/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll b/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll index a3e4d4091c00..a6535a206db9 100644 --- a/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll +++ b/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll @@ -8,7 +8,7 @@ module; import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** * A `Method` that is considered a "safe" external API from a security perspective. diff --git a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll index 776ea7064f8f..ce8593987fe1 100644 --- a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll @@ -1,10 +1,10 @@ /** Provides a taint-tracking configuration to reason about externally controlled format string vulnerabilities. */ import java +private import semmle.code.java.dataflow.ExternalFlow private import semmle.code.java.dataflow.FlowSinks private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.StringFormat -import semmle.code.java.dataflow.ExternalFlow /** * A string format sink node. diff --git a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll index f9f3f4bbaa2a..c002a56c6909 100644 
--- a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll @@ -4,7 +4,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.FragmentInjection -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration for unsafe user input diff --git a/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll index a409b7b9c7c6..e5eded766f8a 100644 --- a/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll @@ -4,7 +4,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.GroovyInjection -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration for unsafe user input diff --git a/java/ql/lib/semmle/code/java/security/HardcodedCredentialsApiCallQuery.qll b/java/ql/lib/semmle/code/java/security/HardcodedCredentialsApiCallQuery.qll index 215731e2b6f2..e4f67ad71d78 100644 --- a/java/ql/lib/semmle/code/java/security/HardcodedCredentialsApiCallQuery.qll +++ b/java/ql/lib/semmle/code/java/security/HardcodedCredentialsApiCallQuery.qll @@ -5,7 +5,7 @@ import java import semmle.code.java.dataflow.DataFlow import HardcodedCredentials -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** * A data-flow configuration that tracks flow from a hard-coded credential in a call to a sensitive Java API which may compromise security. 
diff --git a/java/ql/lib/semmle/code/java/security/HardcodedCredentialsSourceCallQuery.qll b/java/ql/lib/semmle/code/java/security/HardcodedCredentialsSourceCallQuery.qll index 22d473912060..121cdb7fdd98 100644 --- a/java/ql/lib/semmle/code/java/security/HardcodedCredentialsSourceCallQuery.qll +++ b/java/ql/lib/semmle/code/java/security/HardcodedCredentialsSourceCallQuery.qll @@ -5,7 +5,7 @@ import java import semmle.code.java.dataflow.DataFlow import HardcodedCredentials -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** * A data-flow configuration that tracks hardcoded expressions flowing to a parameter whose name suggests diff --git a/java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll b/java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll index 1ec3df9cbf7b..3ebe97f80639 100644 --- a/java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll +++ b/java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll @@ -5,7 +5,7 @@ import semmle.code.java.dataflow.TaintTracking import semmle.code.java.frameworks.Networking import semmle.code.java.security.HttpsUrls private import semmle.code.java.security.Sanitizers -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** * A taint tracking configuration for HTTP connections. diff --git a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll index 61320a6c9ef8..3fb68ff12e78 100644 --- a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll 
@@ -7,7 +7,7 @@ import semmle.code.java.dataflow.TaintTracking import semmle.code.java.frameworks.android.Intent import semmle.code.java.frameworks.android.PendingIntent import semmle.code.java.security.ImplicitPendingIntents -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** * A taint tracking configuration for implicit `PendingIntent`s diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll index 5d79d1db1b8d..441e8521c196 100644 --- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll @@ -4,7 +4,7 @@ import java private import semmle.code.java.security.internal.ArraySizing private import semmle.code.java.security.internal.BoundingChecks private import semmle.code.java.dataflow.DataFlow -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** * A dataflow configuration to reason about improper validation of code-specified array index. diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll index ec16781527da..5558ddea3ece 100644 --- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll @@ -2,8 +2,8 @@ import java private import semmle.code.java.security.internal.ArraySizing +private import semmle.code.java.dataflow.ExternalFlow private import semmle.code.java.dataflow.FlowSources -import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration to reason about improper validation 
diff --git a/java/ql/lib/semmle/code/java/security/InsecureBasicAuthQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureBasicAuthQuery.qll index 74ef4d77988a..6e519f04b6a8 100644 --- a/java/ql/lib/semmle/code/java/security/InsecureBasicAuthQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsecureBasicAuthQuery.qll @@ -4,7 +4,7 @@ import java import semmle.code.java.security.HttpsUrls import semmle.code.java.security.InsecureBasicAuth import semmle.code.java.dataflow.TaintTracking -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** * A taint tracking configuration for the Basic authentication scheme diff --git a/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll index 764ebc32ada3..a225d068bde1 100644 --- a/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll @@ -5,7 +5,7 @@ import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.TaintTracking import semmle.code.java.frameworks.Jndi import semmle.code.java.security.InsecureLdapAuth -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration for `ldap://` URL in LDAP authentication. diff --git a/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll index 6db2c2205add..4c96ee968c5f 100644 --- a/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll 
@@ -3,7 +3,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.InsecureTrustManager -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** * A configuration to model the flow of an insecure `TrustManager` diff --git a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll index 6660d493d999..6efd33873f3c 100644 --- a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll @@ -4,7 +4,7 @@ module; import semmle.code.java.dataflow.DataFlow import semmle.code.java.security.InsufficientKeySize -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** * A data flow configuration for tracking key sizes used in cryptographic algorithms. diff --git a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll index 6d873cf9541e..9fe120409475 100644 --- a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll @@ -4,10 +4,10 @@ */ import java +private import semmle.code.java.dataflow.ExternalFlow private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.dataflow.DataFlow private import IntentUriPermissionManipulation -import semmle.code.java.dataflow.ExternalFlow /** * A taint tracking configuration for user-provided Intents being returned to third party apps. diff --git a/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll index 8fb3edd5d725..f8fafc846a84 100644 --- a/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll 
+++ b/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll @@ -3,7 +3,7 @@ import java import semmle.code.java.dataflow.TaintTracking import semmle.code.java.dataflow.FlowSources -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** * A sink for Expresssion Language injection vulnerabilities via Jexl, diff --git a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll index 94ce78155346..a81c0ea8e189 100644 --- a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll @@ -5,8 +5,8 @@ import semmle.code.java.dataflow.FlowSources import semmle.code.java.frameworks.Jndi import semmle.code.java.frameworks.SpringLdap import semmle.code.java.security.JndiInjection +private import semmle.code.java.dataflow.ExternalFlow private import semmle.code.java.security.Sanitizers -import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration for unvalidated user input that is used in JNDI lookup. diff --git a/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll index 261699985f15..37ae49775e75 100644 --- a/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll @@ -3,7 +3,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.LdapInjection -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration for unvalidated user input that is used to construct LDAP queries. diff --git a/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll index cecda0d7579c..2bf0e530fbae 100644 --- a/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll 
+++ b/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll @@ -3,7 +3,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.LogInjection -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration for tracking untrusted user input used in log entries. diff --git a/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll index 30f8583ed632..27fdb5c4aed9 100644 --- a/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll +++ b/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll @@ -5,11 +5,11 @@ import java private import semmle.code.configfiles.ConfigFiles private import semmle.code.java.security.Encryption +private import semmle.code.java.dataflow.ExternalFlow private import semmle.code.java.dataflow.TaintTracking private import semmle.code.java.dataflow.RangeUtils private import semmle.code.java.dispatch.VirtualDispatch private import semmle.code.java.frameworks.Properties -import semmle.code.java.dataflow.ExternalFlow /** A reference to an insecure cryptographic algorithm. */ abstract class InsecureAlgorithm extends Expr { diff --git a/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll b/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll index 394561d2e22f..bd920c160b17 100644 --- a/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll +++ b/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll @@ -3,7 +3,7 @@ import java import semmle.code.java.dataflow.DataFlow import semmle.code.java.security.JWT -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** * Models flow from signing keys assignments to qualifiers of JWT insecure parsers. 
diff --git a/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll index de33f0b563a4..9a1996565ff7 100644 --- a/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll @@ -4,7 +4,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.MvelInjection -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration for unsafe user input diff --git a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll index 368ee7cf3031..e2d8a65344d6 100644 --- a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll +++ b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll @@ -2,11 +2,11 @@ import java private import semmle.code.java.arithmetic.Overflow +private import semmle.code.java.dataflow.ExternalFlow private import semmle.code.java.dataflow.SSA private import semmle.code.java.controlflow.Guards private import semmle.code.java.dataflow.RangeAnalysis private import semmle.code.java.dataflow.FlowSources -import semmle.code.java.dataflow.ExternalFlow /** * A `CastExpr` that is a narrowing cast. diff --git a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll index d9dad8ead4c0..93f514da588b 100644 --- a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll 
@@ -3,8 +3,8 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.OgnlInjection +private import semmle.code.java.dataflow.ExternalFlow private import semmle.code.java.security.Sanitizers -import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration for unvalidated user input that is used in OGNL EL evaluation. diff --git a/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll b/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll index 6e720ccc37d5..7a8d5831525b 100644 --- a/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll +++ b/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll @@ -5,7 +5,7 @@ import semmle.code.java.security.PartialPathTraversal import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.TaintTracking import semmle.code.java.dataflow.FlowSources -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration for unsafe user input diff --git a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll index 58cd419ae083..b9cd97b88913 100644 --- a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll +++ b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll @@ -6,7 +6,7 @@ import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.RequestForgery -import semmle.code.java.dataflow.ExternalFlow +private import semmle.code.java.dataflow.ExternalFlow /** * A taint-tracking configuration characterising request-forgery risks. diff --git a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll index e7fd933bf411..10b8e8dfd7bb 100644 --- a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll 
+++ b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll
@@ -1,10 +1,10 @@
 /** Provides a taint tracking configuration to reason about response splitting vulnerabilities. */
 
 import java
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.Sanitizers
 import semmle.code.java.security.ResponseSplitting
-import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for response splitting vulnerabilities.
diff --git a/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll b/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll
index 737b10b12522..57be82f77e6d 100644
--- a/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll
@@ -3,7 +3,7 @@
 import java
 import Encryption
 import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A configuration for finding RSA ciphers initialized without using OAEP padding.
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll
index d2d77f2edc2a..e062769d1b9c 100644
--- a/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll
@@ -4,8 +4,8 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.SensitiveActions
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSinks
-import semmle.code.java.dataflow.ExternalFlow
 
 private class ResultReceiverSendCall extends MethodCall {
   ResultReceiverSendCall() {
diff --git a/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll
index 5c8c305a8fa1..b3c590f4a23e 100644
--- a/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll
@@ -1,11 +1,11 @@
 /** Provides taint tracking and dataflow configurations to be used in SpEL injection queries. */
 
 import java
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.frameworks.spring.SpringExpression
 private import semmle.code.java.security.SpelInjection
-import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for unsafe user input
diff --git a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
index e7a3a1f365f7..abd08d679b29 100644
--- a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
@@ -7,10 +7,10 @@
  */
 
 import java
+private import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.Sanitizers
 import semmle.code.java.security.QueryInjection
-import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for unvalidated user input that is used in SQL queries.
diff --git a/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll
index 34d862ad57df..b065a990adb9 100644
--- a/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll
@@ -1,9 +1,9 @@
 /** Provides classes to reason about tainted permissions check vulnerabilities. */
 
 import java
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * The `org.apache.shiro.subject.Subject` class.
diff --git a/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll
index e6c4e871cb4c..7b84da1756fb 100644
--- a/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll
@@ -4,7 +4,7 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.TemplateInjection
-import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.ExternalFlow
 
 /** A taint tracking configuration to reason about server-side template injection (SST) vulnerabilities */
 module TemplateInjectionFlowConfig implements DataFlow::ConfigSig {
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccessQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccessQuery.qll
index be5eaefef8cc..ff92b79b1d77 100644
--- a/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccessQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccessQuery.qll
@@ -5,7 +5,7 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.RequestForgery
 import semmle.code.java.security.UnsafeAndroidAccess
-import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint configuration tracking flow from untrusted inputs to a resource fetching call.
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll
index 7714b56a74fb..7a9cfb5ba12b 100644
--- a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll
@@ -4,7 +4,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.UnsafeContentUriResolution
-import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration to find paths from remote sources to content URI resolutions.
diff --git a/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll b/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll
index d192f7fcf3c1..a815a536db8f 100644
--- a/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll
@@ -1,9 +1,9 @@
 /** Provides a taint-tracking configuration for reasoning about URL redirections. */
 
 import java
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.UrlRedirect
-import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for reasoning about URL redirections.
diff --git a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll
index dd1a200c1089..610a9dd10aa9 100644
--- a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll
@@ -4,8 +4,8 @@ import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.controlflow.Guards
 import semmle.code.java.security.SecurityTests
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSinks
-import semmle.code.java.dataflow.ExternalFlow
 
 /** Holds if `ex` looks like a check that this is a debug build. */
 private predicate isDebugCheck(Expr ex) {
diff --git a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll
index 7c95ea6205c0..03efa8d696c4 100644
--- a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll
@@ -1,10 +1,10 @@
 /** Provides taint-tracking flow to reason about XPath injection queries. */
 
 import java
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.security.XPath
-import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for reasoning about XPath injection vulnerabilities.
diff --git a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll
index b5e093ceda59..95d16f1b2d9e 100644
--- a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll
@@ -5,8 +5,8 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.XmlParsers
 import semmle.code.java.security.XsltInjection
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.security.Sanitizers
-import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for unvalidated user input that is used in XSLT transformation.
diff --git a/java/ql/lib/semmle/code/java/security/XssQuery.qll b/java/ql/lib/semmle/code/java/security/XssQuery.qll
index ddb78b631fd8..37c3fe445b1d 100644
--- a/java/ql/lib/semmle/code/java/security/XssQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XssQuery.qll
@@ -4,7 +4,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.XSS
-import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for cross site scripting vulnerabilities.
diff --git a/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll b/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll
index 79a1dd542e2d..85c58f9ac12a 100644
--- a/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll
@@ -1,10 +1,10 @@
 /** Provides taint tracking configurations to be used in remote XXE queries. */
 
 import java
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.security.XxeQuery
-import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for unvalidated remote user input that is used in XML external entity expansion.
diff --git a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
index 1125f0543649..40c8c3fefcf5 100644
--- a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
@@ -6,7 +6,6 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.regex.RegexFlowConfigs
 import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.Sanitizers
-import semmle.code.java.dataflow.ExternalFlow
 
 /** A sink for polynomial redos queries, where a regex is matched. */
 class PolynomialRedosSink extends DataFlow::Node {
From b7557e6e2820a0b08db1b7f0c4022edf564cf7e7 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Tue, 16 Dec 2025 23:55:22 +0000
Subject: [PATCH 3/5] Fix editing error to make valid QL
---
 .../code/java/security/ArithmeticUncontrolledQuery.qll | 8 ++++----
 .../java/security/ArithmeticWithExtremeValuesQuery.qll | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
index 7f454bb67ab5..1b5da4d1bc42 100644
--- a/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
@@ -43,12 +43,12 @@ module ArithmeticUncontrolledOverflowFlow =
 module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof TaintSource }
 
-    underflowBarrier(n) or
-    barrierNode(n, "java/uncontrolled-arithmetic")
-
   predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
 
-  predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }
+  predicate isBarrier(DataFlow::Node n) {
+    underflowBarrier(n) or
+    barrierNode(n, "java/uncontrolled-arithmetic")
+  }
 
   predicate observeDiffInformedIncrementalMode() {
     any() // merged with ArithmeticUncontrolledOverflow in ArithmeticUncontrolled.ql
diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticWithExtremeValuesQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticWithExtremeValuesQuery.qll
index 43d6daae491a..1b6ac19f02da 100644
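Review bot: The rewritten `isBarrier` adds `barrierNode(n, "java/uncontrolled-arithmetic")` only to ArithmeticUncontrolledUnderflowConfig, yet the trailing context comment says this flow is merged with ArithmeticUncontrolledOverflow in ArithmeticUncontrolled.ql, so the overflow config named in the hunk header (`ArithmeticUncontrolledOverflowFlow`) needs the same query-id barrier or a MaD barrier for that query will suppress only underflow paths. That config is outside this hunk and I cannot see whether the first patch already covered it. The same question applies to the MinValueFlowConfig hunk in ArithmeticWithExtremeValuesQuery.qll, whose sibling configs are likewise not visible here. Moving the stray disjuncts into the predicate body is the right fix and the new predicate reads correctly.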
--- a/java/ql/lib/semmle/code/java/security/ArithmeticWithExtremeValuesQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ArithmeticWithExtremeValuesQuery.qll @@ -56,12 +56,12 @@ module MinValueFlowConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) } - underflowBarrier(n) or - barrierNode(n, "java/extreme-value-arithmetic") - predicate isBarrierIn(DataFlow::Node n) { isSource(n) } - predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) } + predicate isBarrier(DataFlow::Node n) { + underflowBarrier(n) or + barrierNode(n, "java/extreme-value-arithmetic") + } } /** Dataflow from minimum values to an underflow. */ From 31306468e17a880916e804c1494674e8b02d933b Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 17 Dec 2025 10:05:38 +0000 Subject: [PATCH 4/5] Fix compilation error --- .../semmle/code/java/security/InsufficientKeySizeQuery.qll | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll index 6efd33873f3c..a96d5587568a 100644 --- a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll @@ -20,9 +20,7 @@ module KeySizeConfig implements DataFlow::StateConfigSig { sink.(InsufficientKeySizeSink).hasState(state) } - predicate isBarrier(DataFlow::Node node, KeySizeState state) { - barrierNode(node, "java/insufficient-key-size") - } + predicate isBarrier(DataFlow::Node node) { barrierNode(node, "java/insufficient-key-size") } predicate observeDiffInformedIncrementalMode() { any() } } From f9289439573bfc6e5431057b774d810f9d50bfcf Mon Sep 17 00:00:00 2001 
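Review bot: `predicate isBarrier(DataFlow::Node node) { barrierNode(node, "java/insufficient-key-size") }` drops the `KeySizeState state` parameter of the removed overload, so the MaD barrier now applies in every flow state of KeySizeConfig, and neither the hunk nor the commit subject records why the state-specific form would not compile. A short comment on the new line, such as `// MaD barriers are state-agnostic; the single-argument overload of StateConfigSig::isBarrier is intended`, would keep a later editor from reintroducing the two-argument signature. The KeySizeConfig module header and its remaining predicates lie outside this hunk.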
From: Owen Mansel-Chan
Date: Wed, 17 Dec 2025 10:47:45 +0000
Subject: [PATCH 5/5] Rename classes for external sanitizers
---
 java/ql/lib/semmle/code/java/security/PathSanitizer.qll | 4 ++--
 java/ql/lib/semmle/code/java/security/RequestForgery.qll | 4 ++--
 .../semmle/code/java/security/TrustBoundaryViolationQuery.qll | 4 ++--
 java/ql/lib/semmle/code/java/security/XSS.qll | 4 ++--
 .../lib/semmle/code/java/security/regexp/RegexInjection.qll | 4 ++--
 5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
index 2018004a3fb5..4685f5e48f71 100644
--- a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
+++ b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -289,8 +289,8 @@ private Method getSourceMethod(Method m) {
   result = m
 }
 
-private class DefaultPathInjectionSanitizer extends PathInjectionSanitizer {
-  DefaultPathInjectionSanitizer() { barrierNode(this, "path-injection") }
+private class ExternalPathInjectionSanitizer extends PathInjectionSanitizer {
+  ExternalPathInjectionSanitizer() { barrierNode(this, "path-injection") }
 }
 
 /** Holds if `g` is a guard that checks for `..` components. */
diff --git a/java/ql/lib/semmle/code/java/security/RequestForgery.qll b/java/ql/lib/semmle/code/java/security/RequestForgery.qll
index 690e4f9315b9..489b45dffa2c 100644
--- a/java/ql/lib/semmle/code/java/security/RequestForgery.qll
+++ b/java/ql/lib/semmle/code/java/security/RequestForgery.qll
@@ -118,8 +118,8 @@ private class ContainsUrlSanitizer extends RequestForgerySanitizer {
   }
 }
 
-private class DefaultRequestForgerySanitizer extends RequestForgerySanitizer {
-  DefaultRequestForgerySanitizer() { barrierNode(this, "request-forgery") }
+private class ExternalRequestForgerySanitizer extends RequestForgerySanitizer {
+  ExternalRequestForgerySanitizer() { barrierNode(this, "request-forgery") }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
index 38292c1a95f2..b670fe42883d 100644
--- a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
@@ -27,8 +27,8 @@ class TrustBoundaryViolationSink extends DataFlow::Node {
  */
 abstract class TrustBoundaryValidationSanitizer extends DataFlow::Node { }
 
-private class DefaultTrustBoundaryValidationSanitizer extends TrustBoundaryValidationSanitizer {
-  DefaultTrustBoundaryValidationSanitizer() { barrierNode(this, "trust-boundary-violation") }
+private class ExternalTrustBoundaryValidationSanitizer extends TrustBoundaryValidationSanitizer {
+  ExternalTrustBoundaryValidationSanitizer() { barrierNode(this, "trust-boundary-violation") }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/XSS.qll b/java/ql/lib/semmle/code/java/security/XSS.qll
index c131f868f36c..0d52d480ae7b 100644
--- a/java/ql/lib/semmle/code/java/security/XSS.qll
+++ b/java/ql/lib/semmle/code/java/security/XSS.qll
@@ -54,8 +54,8 @@ private class DefaultXssSink extends XssSink {
   }
 }
 
-private class DefaultXssSanitizer extends XssSanitizer {
-  DefaultXssSanitizer() { barrierNode(this, ["html-injection", "js-injection"]) }
+private class ExternalXssSanitizer extends XssSanitizer {
+  ExternalXssSanitizer() { barrierNode(this, ["html-injection", "js-injection"]) }
 }
 
 /** A sanitizer that considers numeric and boolean typed data safe for writing to output. */
diff --git a/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll b/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll
index d91b411b7978..944ffca803ae 100644
--- a/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll
@@ -21,8 +21,8 @@ private class DefaultRegexInjectionSink extends RegexInjectionSink {
   }
 }
 
-private class DefaultRegexInjectionSanitizer extends RegexInjectionSanitizer {
-  DefaultRegexInjectionSanitizer() { barrierNode(this, "regex-use") }
+private class ExternalRegexInjectionSanitizer extends RegexInjectionSanitizer {
+  ExternalRegexInjectionSanitizer() { barrierNode(this, "regex-use") }
 }
 
 /**