From abaa71e2c5b406e4203e5862f21b0da390acdaae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz=20Sanchez?=
Date: Wed, 6 Apr 2022 10:57:14 +0200
Subject: [PATCH 1/3] Update Sql Injection queries
move java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll -> java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
---
 .../semmle/code/java/security/SqlInjectionQuery.qll} | 10 ++++++++--
 java/ql/src/Security/CWE/CWE-089/SqlTainted.ql | 2 +-
 java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql | 2 +-
 java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql | 2 +-
 4 files changed, 11 insertions(+), 5 deletions(-)
 rename java/ql/{src/Security/CWE/CWE-089/SqlInjectionLib.qll => lib/semmle/code/java/security/SqlInjectionQuery.qll} (76%)
diff --git a/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
similarity index 76%
rename from java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll
rename to java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
index febee9bcef9c..edd43ab5c316 100644
--- a/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll
+++ b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
@@ -1,10 +1,16 @@
-/** Definitions used by the queries for database query injection. */
+/**
+ * Provides taint tracking and dataflow configurations to be used in Sql injection queries.
+ *
+ * Do not import this from a library file, in order to reduce the risk of
+ * unintentionally bringing a TaintTracking::Configuration into scope in an unrelated
+ * query.
+ */
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.QueryInjection
-private class QueryInjectionFlowConfig extends TaintTracking::Configuration {
+class QueryInjectionFlowConfig extends TaintTracking::Configuration {
   QueryInjectionFlowConfig() { this = "SqlInjectionLib::QueryInjectionFlowConfig" }
   override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
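Review bot: The configuration's identifier string on the constructor line still names the file this class used to live in, `this = "SqlInjectionLib::QueryInjectionFlowConfig"`, while the class is now the public configuration exported from `SqlInjectionQuery.qll` and `SqlInjectionLib.qll` no longer exists after the rename. As far as I can tell the string only has to be unique among configurations, so `this = "SqlInjectionQuery::QueryInjectionFlowConfig"` would keep the name searchable and spare the next reader a hunt for a missing file. The `ExecCommon::` prefix in the `CommandLineQuery.qll` hunk of the second patch looks like a similar leftover and could be tidied in the same series. The class body continues beyond the end of the hunk.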
diff --git a/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql b/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
index 28b09d37dbb1..50dfe9d725ae 100644
--- a/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -14,7 +14,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
-import SqlInjectionLib
+import semmle.code.java.security.SqlInjectionQuery
 import DataFlow::PathGraph
 from QueryInjectionSink query, DataFlow::PathNode source, DataFlow::PathNode sink
diff --git a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
index df5807f3f5f7..acd4f9d8df5e 100644
--- a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
@@ -14,7 +14,7 @@ import semmle.code.java.Expr
 import semmle.code.java.dataflow.FlowSources
-import SqlInjectionLib
+import semmle.code.java.security.SqlInjectionQuery
 import DataFlow::PathGraph
 class LocalUserInputToQueryInjectionFlowConfig extends TaintTracking::Configuration {
diff --git a/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql b/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
index e9e6cba37702..d73754e62029 100644
--- a/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
@@ -14,7 +14,7 @@ import java
 import semmle.code.java.security.SqlUnescapedLib
-import SqlInjectionLib
+import semmle.code.java.security.SqlInjectionQuery
 class UncontrolledStringBuilderSource extends DataFlow::ExprNode {
   UncontrolledStringBuilderSource() {
From 19b8d51c0bca20109b31e9e4cfe5caea5179b9e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz=20Sanchez?=
Date: Wed, 6 Apr 2022 10:58:56 +0200
Subject: [PATCH 2/3] Update CommandLineQuery
Make TaintTracking configuration public
---
 java/ql/lib/semmle/code/java/security/CommandLineQuery.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
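Review bot: With `QueryInjectionFlowConfig` no longer private, the `import semmle.code.java.security.SqlInjectionQuery` line in the `SqlTaintedLocal.ql` hunk now brings a second `TaintTracking::Configuration` into scope next to the query's own `LocalUserInputToQueryInjectionFlowConfig`, which is the situation the new header comment in `SqlInjectionQuery.qll` warns against for library files. If the query only needs the sink class and helper predicates, and `QueryInjectionSink` comes from `semmle.code.java.security.QueryInjection` as the new library file's own imports suggest, importing that module directly would keep the remote-source configuration out of this query; otherwise a one-line comment such as `// QueryInjectionFlowConfig is also in scope here via SqlInjectionQuery; both configurations are evaluated` would record that this is intended. The `LocalUserInputToQueryInjectionFlowConfig` class starts on the hunk's last line and its body lies outside the hunk.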
diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
index 80ec142f214b..3c422e83cffa 100644
--- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
@@ -11,7 +11,7 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.ExternalProcess
 import semmle.code.java.security.CommandArguments
-private class RemoteUserInputToArgumentToExecFlowConfig extends TaintTracking::Configuration {
+class RemoteUserInputToArgumentToExecFlowConfig extends TaintTracking::Configuration {
   RemoteUserInputToArgumentToExecFlowConfig() {
     this = "ExecCommon::RemoteUserInputToArgumentToExecFlowConfig"
From 9ccd0e564bed702ed42ee5f9ea34881e50bcae10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz=20Sanchez?=
Date: Wed, 6 Apr 2022 12:00:41 +0200
Subject: [PATCH 3/3] Add QLDocs
---
 java/ql/lib/semmle/code/java/security/CommandLineQuery.qll | 3 +++
 java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
index 3c422e83cffa..42768d024e80 100644
--- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
@@ -11,6 +11,9 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.ExternalProcess
 import semmle.code.java.security.CommandArguments
+/**
+ * A taint-tracking configuration for unvalidated user input that is used to run an external process.
+ */
 class RemoteUserInputToArgumentToExecFlowConfig extends TaintTracking::Configuration {
   RemoteUserInputToArgumentToExecFlowConfig() {
     this = "ExecCommon::RemoteUserInputToArgumentToExecFlowConfig"
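Review bot: `RemoteUserInputToArgumentToExecFlowConfig` becomes a public member of a library file in the second patch, but neither hunk on `CommandLineQuery.qll` shows a file-level note like the "Do not import this from a library file" guidance that `SqlInjectionQuery.qll` received in the first patch; the file header sits above the hunk's start at line 11, so if it lacks that warning, the same two sentences belong there for consistency between the two `*Query.qll` files. The class-level QLDoc added in the third patch could also say which endpoints the configuration joins, e.g. `A taint-tracking configuration for unvalidated remote user input that reaches an argument of an external-process call.`, with the sink wording checked against the `isSink` definition, which lies outside the hunk; the class name suggests remote sources but `isSource` is not visible here. The class body continues past the end of both hunks.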
diff --git a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
index edd43ab5c316..33a80455db04 100644
--- a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
@@ -10,6 +10,9 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.QueryInjection
+/**
+ * A taint-tracking configuration for unvalidated user input that is used in SQL queries.
+ */
 class QueryInjectionFlowConfig extends TaintTracking::Configuration {
   QueryInjectionFlowConfig() { this = "SqlInjectionLib::QueryInjectionFlowConfig" }
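Review bot: The new QLDoc on `QueryInjectionFlowConfig` says only "unvalidated user input that is used in SQL queries", while the first patch's hunk shows `isSource` accepting `RemoteFlowSource`; naming the source kind matters here because `SqlTaintedLocal.ql` defines its own local-input configuration and readers need to tell the two apart. A more precise comment would be `A taint-tracking configuration for remote user input (RemoteFlowSource) that reaches a SQL query-injection sink.`, with the sink half confirmed against the `isSink` definition, which lies outside this hunk. The class body continues beyond the end of the hunk.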