Merge pull request github#12530 from aschackmull/java/refactor-dataflow-queries-3

Java: Refactor more dataflow queries to the new API (take 3)

Author: aschackmull

java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll

@@ -122,9 +122,11 @@ private predicate isStartActivityOrServiceSink(DataFlow::Node arg) {
 }
 
 /**
+ * DEPRECATED: Use `SensitiveCommunicationFlow` instead.
+ *
  * Taint configuration tracking flow from variables containing sensitive information to broadcast Intents.
  */
-class SensitiveCommunicationConfig extends TaintTracking::Configuration {
+deprecated class SensitiveCommunicationConfig extends TaintTracking::Configuration {
   SensitiveCommunicationConfig() { this = "Sensitive Communication Configuration" }
 
   override predicate isSource(DataFlow::Node source) {
@@ -148,3 +150,27 @@ class SensitiveCommunicationConfig extends TaintTracking::Configuration {
     this.isSink(node)
   }
 }
+
+private module SensitiveCommunicationConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveInfoExpr }
+
+  predicate isSink(DataFlow::Node sink) {
+    isSensitiveBroadcastSink(sink)
+    or
+    isStartActivityOrServiceSink(sink)
+  }
+
+  /**
+   * Holds if broadcast doesn't specify receiving package name of the 3rd party app
+   */
+  predicate isBarrier(DataFlow::Node node) { node instanceof ExplicitIntentSanitizer }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    isSink(node) and exists(c)
+  }
+}
+
+/**
+ * Tracks taint flow from variables containing sensitive information to broadcast Intents.
+ */
+module SensitiveCommunicationFlow = TaintTracking::Make<SensitiveCommunicationConfig>;

java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll

@@ -6,10 +6,12 @@ import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.FragmentInjection
 
 /**
+ * DEPRECATED: Use `FragmentInjectionFlow` instead.
+ *
  * A taint-tracking configuration for unsafe user input
  * that is used to create Android fragments dynamically.
  */
-class FragmentInjectionTaintConf extends TaintTracking::Configuration {
+deprecated class FragmentInjectionTaintConf extends TaintTracking::Configuration {
   FragmentInjectionTaintConf() { this = "FragmentInjectionTaintConf" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -20,3 +22,19 @@ class FragmentInjectionTaintConf extends TaintTracking::Configuration {
     any(FragmentInjectionAdditionalTaintStep c).step(n1, n2)
   }
 }
+
+private module FragmentInjectionTaintConf implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof FragmentInjectionSink }
+
+  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+    any(FragmentInjectionAdditionalTaintStep c).step(n1, n2)
+  }
+}
+
+/**
+ * Taint-tracking flow for unsafe user input
+ * that is used to create Android fragments dynamically.
+ */
+module FragmentInjectionTaintFlow = TaintTracking::Make<FragmentInjectionTaintConf>;

java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll

@@ -9,9 +9,11 @@ private import semmle.code.java.dataflow.DataFlow
 private import IntentUriPermissionManipulation
 
 /**
+ * DEPRECATED: Use `IntentUriPermissionManipulationFlow` instead.
+ *
  * A taint tracking configuration for user-provided Intents being returned to third party apps.
  */
-class IntentUriPermissionManipulationConf extends TaintTracking::Configuration {
+deprecated class IntentUriPermissionManipulationConf extends TaintTracking::Configuration {
   IntentUriPermissionManipulationConf() { this = "UriPermissionManipulationConf" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -32,3 +34,23 @@ class IntentUriPermissionManipulationConf extends TaintTracking::Configuration {
     any(IntentUriPermissionManipulationAdditionalTaintStep c).step(node1, node2)
   }
 }
+
+private module IntentUriPermissionManipulationConf implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof IntentUriPermissionManipulationSink }
+
+  predicate isBarrier(DataFlow::Node barrier) {
+    barrier instanceof IntentUriPermissionManipulationSanitizer
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(IntentUriPermissionManipulationAdditionalTaintStep c).step(node1, node2)
+  }
+}
+
+/**
+ * Taint tracking flow for user-provided Intents being returned to third party apps.
+ */
+module IntentUriPermissionManipulationFlow =
+  TaintTracking::Make<IntentUriPermissionManipulationConf>;

java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll

@@ -5,9 +5,11 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.LogInjection
 
 /**
+ * DEPRECATED: Use `LogInjectionFlow` instead.
+ *
  * A taint-tracking configuration for tracking untrusted user input used in log entries.
  */
-class LogInjectionConfiguration extends TaintTracking::Configuration {
+deprecated class LogInjectionConfiguration extends TaintTracking::Configuration {
   LogInjectionConfiguration() { this = "LogInjectionConfiguration" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -20,3 +22,20 @@ class LogInjectionConfiguration extends TaintTracking::Configuration {
     any(LogInjectionAdditionalTaintStep c).step(node1, node2)
   }
 }
+
+private module LogInjectionConfiguration implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof LogInjectionSink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof LogInjectionSanitizer }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(LogInjectionAdditionalTaintStep c).step(node1, node2)
+  }
+}
+
+/**
+ * Taint-tracking flow for tracking untrusted user input used in log entries.
+ */
+module LogInjectionFlow = TaintTracking::Make<LogInjectionConfiguration>;

java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll

@@ -4,8 +4,12 @@ import java
 import Encryption
 import semmle.code.java.dataflow.DataFlow
 
-/** A configuration for finding RSA ciphers initialized without using OAEP padding. */
-class RsaWithoutOaepConfig extends DataFlow::Configuration {
+/**
+ * DEPRECATED: Use `RsaWithoutOaepFlow` instead.
+ *
+ * A configuration for finding RSA ciphers initialized without using OAEP padding.
+ */
+deprecated class RsaWithoutOaepConfig extends DataFlow::Configuration {
   RsaWithoutOaepConfig() { this = "RsaWithoutOaepConfig" }
 
   override predicate isSource(DataFlow::Node src) {
@@ -21,3 +25,21 @@ class RsaWithoutOaepConfig extends DataFlow::Configuration {
     exists(CryptoAlgoSpec cr | sink.asExpr() = cr.getAlgoSpec())
   }
 }
+
+private module RsaWithoutOaepConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) {
+    exists(CompileTimeConstantExpr specExpr, string spec |
+      specExpr.getStringValue() = spec and
+      specExpr = src.asExpr() and
+      spec.matches("RSA/%") and
+      not spec.matches("%OAEP%")
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(CryptoAlgoSpec cr | sink.asExpr() = cr.getAlgoSpec())
+  }
+}
+
+/** Flow for finding RSA ciphers initialized without using OAEP padding. */
+module RsaWithoutOaepFlow = DataFlow::Make<RsaWithoutOaepConfig>;

java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll

@@ -5,8 +5,12 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.UnsafeContentUriResolution
 
-/** A taint-tracking configuration to find paths from remote sources to content URI resolutions. */
-class UnsafeContentResolutionConf extends TaintTracking::Configuration {
+/**
+ * DEPRECATED: Use `UnsafeContentUriResolutionFlow` instead.
+ *
+ * A taint-tracking configuration to find paths from remote sources to content URI resolutions.
+ */
+deprecated class UnsafeContentResolutionConf extends TaintTracking::Configuration {
   UnsafeContentResolutionConf() { this = "UnsafeContentResolutionConf" }
 
   override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
@@ -21,3 +25,20 @@ class UnsafeContentResolutionConf extends TaintTracking::Configuration {
     any(ContentUriResolutionAdditionalTaintStep s).step(node1, node2)
   }
 }
+
+private module UnsafeContentResolutionConf implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof ContentUriResolutionSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) {
+    sanitizer instanceof ContentUriResolutionSanitizer
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(ContentUriResolutionAdditionalTaintStep s).step(node1, node2)
+  }
+}
+
+/** Taint-tracking flow to find paths from remote sources to content URI resolutions. */
+module UnsafeContentResolutionFlow = TaintTracking::Make<UnsafeContentResolutionConf>;

java/ql/src/Security/CWE/CWE-117/LogInjection.ql

@@ -13,9 +13,9 @@
 
 import java
 import semmle.code.java.security.LogInjectionQuery
-import DataFlow::PathGraph
+import LogInjectionFlow::PathGraph
 
-from LogInjectionConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from LogInjectionFlow::PathNode source, LogInjectionFlow::PathNode sink
+where LogInjectionFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This log entry depends on a $@.", source.getNode(),
   "user-provided value"

java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql

@@ -15,10 +15,12 @@
 import java
 import semmle.code.java.security.IntentUriPermissionManipulationQuery
 import semmle.code.java.dataflow.DataFlow
-import DataFlow::PathGraph
+import IntentUriPermissionManipulationFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink
-where any(IntentUriPermissionManipulationConf c).hasFlowPath(source, sink)
+from
+  IntentUriPermissionManipulationFlow::PathNode source,
+  IntentUriPermissionManipulationFlow::PathNode sink
+where IntentUriPermissionManipulationFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
   "This Intent can be set with arbitrary flags from a $@, " +
     "and used to give access to internal content providers.", source.getNode(),

java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql

@@ -14,10 +14,10 @@
 
 import java
 import semmle.code.java.security.UnsafeContentUriResolutionQuery
-import DataFlow::PathGraph
+import UnsafeContentResolutionFlow::PathGraph
 
-from DataFlow::PathNode src, DataFlow::PathNode sink
-where any(UnsafeContentResolutionConf c).hasFlowPath(src, sink)
+from UnsafeContentResolutionFlow::PathNode src, UnsafeContentResolutionFlow::PathNode sink
+where UnsafeContentResolutionFlow::hasFlowPath(src, sink)
 select sink.getNode(), src, sink,
   "This ContentResolver method that resolves a URI depends on a $@.", src.getNode(),
   "user-provided value"

java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql

@@ -13,10 +13,10 @@
 
 import java
 import semmle.code.java.security.FragmentInjectionQuery
-import DataFlow::PathGraph
+import FragmentInjectionTaintFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink
-where any(FragmentInjectionTaintConf conf).hasFlowPath(source, sink)
+from FragmentInjectionTaintFlow::PathNode source, FragmentInjectionTaintFlow::PathNode sink
+where FragmentInjectionTaintFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
   "Fragment depends on a $@, which may allow a malicious application to bypass access controls.",
   source.getNode(), "user-provided value"