
Commit 33deff9

committed
Java: Deprecate BarrierGuard class.
1 parent c478287 commit 33deff9

18 files changed

+224
-172
lines changed

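--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll
@@ -90,14 +90,20 @@ abstract class Configuration extends string {
 /** Holds if data flow out of `node` is prohibited. */
 predicate isBarrierOut(Node node) { none() }
 
-/** Holds if data flow through nodes guarded by `guard` is prohibited. */
-predicate isBarrierGuard(BarrierGuard guard) { none() }
+/**
+* DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
+*
+* Holds if data flow through nodes guarded by `guard` is prohibited.
+*/
+deprecated predicate isBarrierGuard(BarrierGuard guard) { none() }
 
 /**
+* DEPRECATED: Use `isBarrier` and `BarrierGuard` module instead.
+*
 * Holds if data flow through nodes guarded by `guard` is prohibited when
 * the flow state is `state`
 */
-predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
+deprecated predicate isBarrierGuard(BarrierGuard guard, FlowState state) { none() }
 
 /**
 * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
@@ -335,6 +341,29 @@ private predicate outBarrier(NodeEx node, Configuration config) {
 )
 }
 
+/** A bridge class to access the deprecated `isBarrierGuard`. */
+private class BarrierGuardGuardedNodeBridge extends Unit {
+abstract predicate guardedNode(Node n, Configuration config);
+
+abstract predicate guardedNode(Node n, FlowState state, Configuration config);
+}
+
+private class BarrierGuardGuardedNode extends BarrierGuardGuardedNodeBridge {
+deprecated override predicate guardedNode(Node n, Configuration config) {
+exists(BarrierGuard g |
+config.isBarrierGuard(g) and
+n = g.getAGuardedNode()
+)
+}
+
+deprecated override predicate guardedNode(Node n, FlowState state, Configuration config) {
+exists(BarrierGuard g |
+config.isBarrierGuard(g, state) and
+n = g.getAGuardedNode()
+)
+}
+}
+
 pragma[nomagic]
 private predicate fullBarrier(NodeEx node, Configuration config) {
 exists(Node n | node.asNode() = n |
@@ -348,10 +377,7 @@ private predicate fullBarrier(NodeEx node, Configuration config) {
 not config.isSink(n) and
 not config.isSink(n, _)
 or
-exists(BarrierGuard g |
-config.isBarrierGuard(g) and
-n = g.getAGuardedNode()
-)
+any(BarrierGuardGuardedNodeBridge b).guardedNode(n, config)
 )
 }
 
@@ -360,10 +386,7 @@ private predicate stateBarrier(NodeEx node, FlowState state, Configuration confi
 exists(Node n | node.asNode() = n |
 config.isBarrier(n, state)
 or
-exists(BarrierGuard g |
-config.isBarrierGuard(g, state) and
-n = g.getAGuardedNode()
-)
+any(BarrierGuardGuardedNodeBridge b).guardedNode(n, state, config)
 )
 }
 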
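Review bot: The QLDoc on `BarrierGuardGuardedNodeBridge` does not say why `fullBarrier` and `stateBarrier` now reach `config.isBarrierGuard` through a `Unit` subclass instead of calling it directly, and `BarrierGuardGuardedNode` has no QLDoc at all. Presumably the `deprecated override` members exist so that non-deprecated predicates can keep honouring the deprecated overrides without raising a deprecation warning; that reason should be written down, together with a reminder to delete both classes when `isBarrierGuard` goes. I would expand the comment to something like `/** A bridge class that lets non-deprecated predicates honour deprecated isBarrierGuard overrides without a deprecation warning; remove together with them. */`. Barriers declared through the old predicate still shape every configuration's results, so the indirection deserves an explanation a later cleanup can rely on.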

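--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll
@@ -332,6 +332,8 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
 }
 
 /**
+* DEPRECATED: Use `BarrierGuard` module instead.
+*
 * A guard that validates some expression.
 *
 * To use this in a configuration, extend the class and provide a
@@ -340,7 +342,7 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
 *
 * It is important that all extending classes in scope are disjoint.
 */
-class BarrierGuard extends Guard {
+deprecated class BarrierGuard extends Guard {
 /** Holds if this guard validates `e` upon evaluating to `branch`. */
 abstract predicate checks(Expr e, boolean branch);
 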

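--- a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -112,12 +112,6 @@ private module Cached {
 }
 }
 
-/**
-* Holds if `guard` should be a sanitizer guard in all global taint flow configurations
-* but not in local taint.
-*/
-predicate defaultTaintSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
-
 import Cached
 
 private RefType getElementType(RefType container) {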

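--- a/java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -116,20 +116,30 @@ abstract class Configuration extends DataFlow::Configuration {
 
 final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
-/** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
-predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+/**
+* DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
+*
+* Holds if taint propagation through nodes guarded by `guard` is prohibited.
+*/
+deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
-final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
+deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
+this.isSanitizerGuard(guard)
 }
 
 /**
+* DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
+*
 * Holds if taint propagation through nodes guarded by `guard` is prohibited
 * when the flow state is `state`.
 */
-predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+none()
+}
 
-final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+deprecated final override predicate isBarrierGuard(
+DataFlow::BarrierGuard guard, DataFlow::FlowState state
+) {
 this.isSanitizerGuard(guard, state)
 }
 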
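Review bot: Dropping the `defaultTaintSanitizerGuard(guard)` disjunct from `isBarrierGuard` goes together with deleting that predicate from TaintTrackingUtil.qll outright, whereas everything else this commit retires is marked `deprecated` first. The deleted definition was `{ none() }`, so results do not change, but any out-of-tree library that still references the name will stop compiling; since the file sits under `internal/`, that may be intended. If a deprecation cycle is wanted, keep `deprecated predicate defaultTaintSanitizerGuard(DataFlow::BarrierGuard guard) { none() }` for one release. The same applies to the identical hunks in tainttracking2 and tainttracking3.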

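--- a/java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -116,20 +116,30 @@ abstract class Configuration extends DataFlow::Configuration {
 
 final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
-/** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
-predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+/**
+* DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
+*
+* Holds if taint propagation through nodes guarded by `guard` is prohibited.
+*/
+deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
-final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
+deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
+this.isSanitizerGuard(guard)
 }
 
 /**
+* DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
+*
 * Holds if taint propagation through nodes guarded by `guard` is prohibited
 * when the flow state is `state`.
 */
-predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+none()
+}
 
-final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+deprecated final override predicate isBarrierGuard(
+DataFlow::BarrierGuard guard, DataFlow::FlowState state
+) {
 this.isSanitizerGuard(guard, state)
 }
 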

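--- a/java/ql/lib/semmle/code/java/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
@@ -116,20 +116,30 @@ abstract class Configuration extends DataFlow::Configuration {
 
 final override predicate isBarrierOut(DataFlow::Node node) { this.isSanitizerOut(node) }
 
-/** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
-predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+/**
+* DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
+*
+* Holds if taint propagation through nodes guarded by `guard` is prohibited.
+*/
+deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
-final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
+deprecated final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
+this.isSanitizerGuard(guard)
 }
 
 /**
+* DEPRECATED: Use `isSanitizer` and `BarrierGuard` module instead.
+*
 * Holds if taint propagation through nodes guarded by `guard` is prohibited
 * when the flow state is `state`.
 */
-predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) { none() }
+deprecated predicate isSanitizerGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+none()
+}
 
-final override predicate isBarrierGuard(DataFlow::BarrierGuard guard, DataFlow::FlowState state) {
+deprecated final override predicate isBarrierGuard(
+DataFlow::BarrierGuard guard, DataFlow::FlowState state
+) {
 this.isSanitizerGuard(guard, state)
 }
 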

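--- a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulation.qll
+++ b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulation.qll
@@ -24,12 +24,14 @@ abstract class IntentUriPermissionManipulationSink extends DataFlow::Node { }
 abstract class IntentUriPermissionManipulationSanitizer extends DataFlow::Node { }
 
 /**
+* DEPRECATED: Use `IntentUriPermissionManipulationSanitizer` instead.
+*
 * A guard that makes sure that an Intent is safe to be returned to another Activity.
 *
 * Usually, this is done by checking that the Intent's data URI and/or its flags contain
 * expected values.
 */
-abstract class IntentUriPermissionManipulationGuard extends DataFlow::BarrierGuard { }
+abstract deprecated class IntentUriPermissionManipulationGuard extends DataFlow::BarrierGuard { }
 
 /**
 * An additional taint step for flows related to Intent URI permission manipulation
@@ -95,10 +97,10 @@ private class IntentFlagsOrDataChangedSanitizer extends IntentUriPermissionManip
 * intent.getFlags() & Intent.FLAG_GRANT_WRITE_URI_PERMISSION != 0) {}
 * ```
 */
-private class IntentFlagsOrDataCheckedGuard extends IntentUriPermissionManipulationGuard {
-IntentFlagsOrDataCheckedGuard() { intentFlagsOrDataChecked(this, _, _) }
-
-override predicate checks(Expr e, boolean branch) { intentFlagsOrDataChecked(this, e, branch) }
+private class IntentFlagsOrDataCheckedSanitizer extends IntentUriPermissionManipulationSanitizer {
+IntentFlagsOrDataCheckedSanitizer() {
+this = DataFlow::BarrierGuard<intentFlagsOrDataChecked/3>::getABarrierNode()
+}
 }
 
 /**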

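--- a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll
@@ -24,7 +24,7 @@ class IntentUriPermissionManipulationConf extends TaintTracking::Configuration {
 barrier instanceof IntentUriPermissionManipulationSanitizer
 }
 
-override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+deprecated override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
 guard instanceof IntentUriPermissionManipulationGuard
 }
 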
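Review bot: The retained `isSanitizerGuard` override carries no comment explaining why it survives, even though the one concrete guard visible in this commit, `IntentFlagsOrDataCheckedGuard`, has just been turned into a sanitizer node. Within the lines shown, nothing in-tree extends `IntentUriPermissionManipulationGuard` any more, so the override presumably exists only for user-defined subclasses. A short comment would keep a later cleanup from deleting it too early or leaving it forever, e.g. `// Kept so that out-of-tree subclasses of the deprecated IntentUriPermissionManipulationGuard still act as sanitizers.` The class body starts and ends outside the hunk.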

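--- a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
@@ -30,10 +30,8 @@ class InjectFilePathConfig extends TaintTracking::Configuration {
 
 override predicate isSanitizer(DataFlow::Node node) {
 exists(Type t | t = node.getType() | t instanceof BoxedType or t instanceof PrimitiveType)
-}
-
-override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-guard instanceof PathTraversalBarrierGuard
+or
+node instanceof PathTraversalSanitizer
 }
 }
 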
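Review bot: `isSanitizer` now depends on `PathTraversalSanitizer`, whose definition is not among the files shown here, in place of the guard-based `PathTraversalBarrierGuard`. The swap preserves results only if that class covers exactly the nodes the old barrier guard protected; if it is broader, this path-injection query will suppress flows it used to report, and if it is narrower it will add false positives. It is worth confirming that the query's test expectations are unchanged by this commit. The same check applies to the identical replacement in InsecureWebResourceResponse.ql.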

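--- a/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql
@@ -24,9 +24,7 @@ class InsecureWebResourceResponseConfig extends TaintTracking::Configuration {
 
 override predicate isSink(DataFlow::Node sink) { sink instanceof WebResourceResponseSink }
 
-override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-guard instanceof PathTraversalBarrierGuard
-}
+override predicate isSanitizer(DataFlow::Node node) { node instanceof PathTraversalSanitizer }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, InsecureWebResourceResponseConfig conf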
