feat(java): Update to Java CmdExec queries

GeekMasher · GeekMasher · commit 5a439518acfe · 2024-06-13T19:41:38.000+01:00
diff --git a/java/lib/codeql-pack.lock.yml b/java/lib/codeql-pack.lock.yml
@@ -2,19 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.0.3
+    version: 1.0.0
   codeql/java-all:
-    version: 0.7.4
+    version: 1.0.0
   codeql/mad:
-    version: 0.1.4
+    version: 1.0.0
+  codeql/rangeanalysis:
+    version: 1.0.0
   codeql/regex:
-    version: 0.1.4
+    version: 1.0.0
   codeql/ssa:
-    version: 0.1.4
+    version: 1.0.0
+  codeql/threat-models:
+    version: 1.0.0
   codeql/tutorial:
-    version: 0.1.4
+    version: 1.0.0
+  codeql/typeflow:
+    version: 1.0.0
   codeql/typetracking:
-    version: 0.1.4
+    version: 1.0.0
   codeql/util:
-    version: 0.1.4
+    version: 1.0.0
+  codeql/xml:
+    version: 1.0.0
 compiled: false
diff --git a/java/lib/ghsl/CommandInjectionRuntimeExec.qll b/java/lib/ghsl/CommandInjectionRuntimeExec.qll
@@ -4,124 +4,111 @@ import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
 
+abstract class Source extends DataFlow::Node {
+  Source() { this = this }
+}
 
-// a static string of an unsafe executable tainting arg 0 of Runtime.exec()
-class ExecTaintConfiguration extends TaintTracking::Configuration {
-    ExecTaintConfiguration() { this = "ExecTaintConfiguration" }
-
-    override
-    predicate
-    isSource(DataFlow::Node source) {
-        source.asExpr() instanceof StringLiteral
-        and source.asExpr().(StringLiteral).getValue() instanceof UnSafeExecutable
+module RuntimeExec {
+  // a static string of an unsafe executable tainting arg 0 of Runtime.exec()
+  module RuntimeExecConfiguration implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
+      source.asExpr() instanceof StringLiteral and
+      source.asExpr().(StringLiteral).getValue() instanceof UnSafeExecutable
     }
 
-    override
-    predicate
-    isSink(DataFlow::Node sink) {
-        exists(RuntimeExecMethod method, MethodAccess call |
-            call.getMethod() = method
-            and sink.asExpr() = call.getArgument(0)
-            and sink.asExpr().getType() instanceof Array
-        )
+    predicate isSink(DataFlow::Node sink) {
+      exists(RuntimeExecMethod method, MethodCall call |
+        call.getMethod() = method and
+        sink.asExpr() = call.getArgument(0) and
+        sink.asExpr().getType() instanceof Array
+      )
     }
 
-    override
-    predicate
-    isSanitizer(DataFlow::Node node) {
-        node.asExpr().getFile().isSourceFile() and
-        (
-            node instanceof AssignToNonZeroIndex
-            or node instanceof ArrayInitAtNonZeroIndex
-            or node instanceof StreamConcatAtNonZeroIndex
-            or node.getType() instanceof PrimitiveType
-            or node.getType() instanceof BoxedType
-        )
+    predicate isBarrier(DataFlow::Node node) {
+      node.asExpr().getFile().isSourceFile() and
+      (
+        node instanceof AssignToNonZeroIndex or
+        node instanceof ArrayInitAtNonZeroIndex or
+        node instanceof StreamConcatAtNonZeroIndex or
+        node.getType() instanceof PrimitiveType or
+        node.getType() instanceof BoxedType
+      )
     }
-}
+  }
 
-abstract class Source extends DataFlow::Node {
-    Source() {
-        this = this
-    }
-}
+  module RuntimeExecFlow = TaintTracking::Global<RuntimeExecConfiguration>;
 
+  import RuntimeExecFlow::PathGraph
+}
 
 // taint flow from user data to args of the command
-class ExecTaintConfiguration2 extends TaintTracking::Configuration {
-    ExecTaintConfiguration2() { this = "ExecTaintConfiguration2" }
-
-    override
-    predicate
-    isSource(DataFlow::Node source) {
-        source instanceof Source
+module ExecTaint {
+  module ExecTaintConfiguration implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    predicate isSink(DataFlow::Node sink) {
+      exists(RuntimeExecMethod method, MethodCall call, int index |
+        call.getMethod() = method and
+        sink.asExpr() = call.getArgument(index) and
+        sink.asExpr().getType() instanceof Array
+      )
     }
 
-    override
-    predicate
-    isSink(DataFlow::Node sink) {
-        exists(RuntimeExecMethod method, MethodAccess call, int index |
-            call.getMethod() = method
-            and sink.asExpr() = call.getArgument(index)
-            and sink.asExpr().getType() instanceof Array
-        )
+    predicate isBarrier(DataFlow::Node node) {
+      node.asExpr().getFile().isSourceFile() and
+      (
+        node.getType() instanceof PrimitiveType or
+        node.getType() instanceof BoxedType
+      )
     }
+  }
 
-    override
-    predicate
-    isSanitizer(DataFlow::Node node) {
-        node.asExpr().getFile().isSourceFile() and
-        (
-            node.getType() instanceof PrimitiveType
-            or node.getType() instanceof BoxedType
-        )
-    }
-}
+  module ExecTaintFlow = TaintTracking::Global<ExecTaintConfiguration>;
 
+  import ExecTaintFlow::PathGraph
+}
 
 // array[3] = node
 class AssignToNonZeroIndex extends DataFlow::Node {
-    AssignExpr assign;
-    ArrayAccess access;
-
-    AssignToNonZeroIndex() {
-        assign.getDest() = access
-        and access.getIndexExpr().(IntegerLiteral).getValue() != "0"
-        and assign.getSource() = this.asExpr()
-    }
+  AssignExpr assign;
+  ArrayAccess access;
+
+  AssignToNonZeroIndex() {
+    assign.getDest() = access and
+    access.getIndexExpr().(IntegerLiteral).getValue() != "0" and
+    assign.getSource() = this.asExpr()
+  }
 }
 
-
 // String[] array = {"a", "b, "c"};
 class ArrayInitAtNonZeroIndex extends DataFlow::Node {
-    ArrayInit init;
-    int index;
+  ArrayInit init;
+  int index;
 
-    ArrayInitAtNonZeroIndex() {
-        init.getInit(index) = this.asExpr()
-        and index != 0
-    }
+  ArrayInitAtNonZeroIndex() {
+    init.getInit(index) = this.asExpr() and
+    index != 0
+  }
 }
 
 // Stream.concat(Arrays.stream(array_1), Arrays.stream(array_2))
 class StreamConcatAtNonZeroIndex extends DataFlow::Node {
-    MethodAccess call;
-    int index;
-
-    StreamConcatAtNonZeroIndex() {
-        call.getMethod().getQualifiedName() = "java.util.stream.Stream.concat"
-        and call.getArgument(index) = this.asExpr()
-        and index != 0
-    }
+  MethodCall call;
+  int index;
+
+  StreamConcatAtNonZeroIndex() {
+    call.getMethod().getQualifiedName() = "java.util.stream.Stream.concat" and
+    call.getArgument(index) = this.asExpr() and
+    index != 0
+  }
 }
 
-
 // allow list of executables that execute their arguments
 // TODO: extend with data extensions
 class UnSafeExecutable extends string {
-    bindingset[this]
-    UnSafeExecutable() {
-        this.regexpMatch("^(|.*/)([a-z]*sh|javac?|python[23]?|perl|[Pp]ower[Ss]hell|php|node|deno|bun|ruby|osascript|cmd|Rscript|groovy)(\\.exe)?$")
-        and not this.matches("netsh.exe")
-    }
+  bindingset[this]
+  UnSafeExecutable() {
+    this.regexpMatch("^(|.*/)([a-z]*sh|javac?|python[23]?|perl|[Pp]ower[Ss]hell|php|node|deno|bun|ruby|osascript|cmd|Rscript|groovy)(\\.exe)?$") and
+    not this.matches("netsh.exe")
+  }
 }
diff --git a/java/lib/qlpack.yml b/java/lib/qlpack.yml
@@ -2,4 +2,5 @@ library: true
 name: githubsecuritylab/codeql-java-libs
 version: 0.0.1
 dependencies:
-  codeql/java-all: '*'
+  codeql/java-all: '1.0.0'
+
diff --git a/java/src/codeql-pack.lock.yml b/java/src/codeql-pack.lock.yml
@@ -2,19 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.0.3
+    version: 1.0.0
   codeql/java-all:
-    version: 0.7.4
+    version: 1.0.0
   codeql/mad:
-    version: 0.1.4
+    version: 1.0.0
+  codeql/rangeanalysis:
+    version: 1.0.0
   codeql/regex:
-    version: 0.1.4
+    version: 1.0.0
   codeql/ssa:
-    version: 0.1.4
+    version: 1.0.0
+  codeql/threat-models:
+    version: 1.0.0
   codeql/tutorial:
-    version: 0.1.4
+    version: 1.0.0
+  codeql/typeflow:
+    version: 1.0.0
   codeql/typetracking:
-    version: 0.1.4
+    version: 1.0.0
   codeql/util:
-    version: 0.1.4
+    version: 1.0.0
+  codeql/xml:
+    version: 1.0.0
 compiled: false
diff --git a/java/src/qlpack.yml b/java/src/qlpack.yml
@@ -4,5 +4,5 @@ version: 0.0.5
 suites: suites
 defaultSuiteFile: suites/java.qls
 dependencies:
-  codeql/java-all: "*"
+  codeql/java-all: '1.0.0'
   githubsecuritylab/codeql-java-libs: 0.0.1
diff --git a/java/src/security/CWE-078/CommandInjectionRuntimeExec.ql b/java/src/security/CWE-078/CommandInjectionRuntimeExec.ql
@@ -10,29 +10,46 @@
  *       external/cwe/cwe-078
  */
 
-import DataFlow::PathGraph
 import ghsl.CommandInjectionRuntimeExec
 
 class RemoteSource extends Source {
   RemoteSource() { this instanceof RemoteFlowSource }
 }
 
-from
-  DataFlow::PathNode source, DataFlow::PathNode sink, ExecTaintConfiguration2 conf,
-  MethodAccess call, DataFlow::Node sourceCmd, DataFlow::Node sinkCmd,
-  ExecTaintConfiguration confCmd
+module Flow = TaintTracking::Global<RuntimeExec::RuntimeExecConfiguration>;
+
+module Flow2 = TaintTracking::Global<ExecTaint::ExecTaintConfiguration>;
+
+module FlowGraph =
+  DataFlow::MergePathGraph<Flow::PathNode, Flow2::PathNode, Flow::PathGraph, Flow2::PathGraph>;
+
+import FlowGraph::PathGraph
+
+from FlowGraph::PathNode source, FlowGraph::PathNode sink
 where
-  call.getMethod() instanceof RuntimeExecMethod and
-  // this is a command-accepting call to exec, e.g. rt.exec(new String[]{"/bin/sh", ...})
-  (
-    confCmd.hasFlow(sourceCmd, sinkCmd) and
-    sinkCmd.asExpr() = call.getArgument(0)
-  ) and
-  // it is tainted by untrusted user input
-  (
-    conf.hasFlow(source.getNode(), sink.getNode()) and
-    sink.getNode().asExpr() = call.getArgument(0)
-  )
+  Flow::flowPath(source.asPathNode1(), sink.asPathNode1()) or
+  Flow2::flowPath(source.asPathNode2(), sink.asPathNode2())
 select sink, source, sink,
   "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
-  sourceCmd, sourceCmd.toString(), source.getNode(), source.toString()
+  source, source.toString(), source.getNode(), source.toString()
+//
+//
+// from
+//   DataFlow::PathNode source, DataFlow::PathNode sink, ExecTaintConfiguration2 conf,
+//   MethodAccess call, DataFlow::Node sourceCmd, DataFlow::Node sinkCmd,
+//   ExecTaintConfiguration confCmd
+// where
+//   call.getMethod() instanceof RuntimeExecMethod and
+//   // this is a command-accepting call to exec, e.g. rt.exec(new String[]{"/bin/sh", ...})
+//   (
+//     confCmd.hasFlow(sourceCmd, sinkCmd) and
+//     sinkCmd.asExpr() = call.getArgument(0)
+//   ) and
+//   // it is tainted by untrusted user input
+//   (
+//     conf.hasFlow(source.getNode(), sink.getNode()) and
+//     sink.getNode().asExpr() = call.getArgument(0)
+//   )
+// select sink, source, sink,
+//   "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
+//   sourceCmd, sourceCmd.toString(), source.getNode(), source.toString()
diff --git a/java/test/codeql-pack.lock.yml b/java/test/codeql-pack.lock.yml
@@ -2,23 +2,31 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.0.3
+    version: 1.0.0
   codeql/java-all:
-    version: 0.7.4
+    version: 1.0.0
   codeql/java-queries:
-    version: 0.7.4
+    version: 1.0.0
   codeql/mad:
-    version: 0.1.4
+    version: 1.0.0
+  codeql/rangeanalysis:
+    version: 1.0.0
   codeql/regex:
-    version: 0.1.4
+    version: 1.0.0
   codeql/ssa:
-    version: 0.1.4
+    version: 1.0.0
   codeql/suite-helpers:
-    version: 0.6.4
+    version: 1.0.0
+  codeql/threat-models:
+    version: 1.0.0
   codeql/tutorial:
-    version: 0.1.4
+    version: 1.0.0
+  codeql/typeflow:
+    version: 1.0.0
   codeql/typetracking:
-    version: 0.1.4
+    version: 1.0.0
   codeql/util:
-    version: 0.1.4
+    version: 1.0.0
+  codeql/xml:
+    version: 1.0.0
 compiled: false
diff --git a/java/test/qlpack.yml b/java/test/qlpack.yml
