@@ -239,13 +239,7 @@ module ApplicationCandidatesImpl implements SharedCharacteristics::CandidateSig
239
239
// Sanitizers are currently not modeled in MaD. TODO: check if this has large negative impact.
240
240
predicate isSanitizer ( Endpoint e , EndpointType t ) {
241
241
exists ( t ) and
242
- (
243
- e .asNode ( ) .getType ( ) instanceof BoxedType
244
- or
245
- e .asNode ( ) .getType ( ) instanceof PrimitiveType
246
- or
247
- e .asNode ( ) .getType ( ) instanceof NumberType
248
- )
242
+ AutomodelJavaUtil:: isUnexploitableType ( e .asNode ( ) .getType ( ) )
249
243
or
250
244
t instanceof AutomodelEndpointTypes:: PathInjectionSinkType and
251
245
e .asNode ( ) instanceof PathSanitizer:: PathInjectionSanitizer
@@ -377,57 +371,39 @@ class ApplicationModeMetadataExtractor extends string {
377
371
*/
378
372
379
373
/**
380
- * A negative characteristic that indicates that parameters of an is-style boolean method should not be considered sinks,
381
- * and its return value should not be considered a source.
374
+ * A negative characteristic that indicates that parameters of an is-style boolean method should not be considered sinks.
382
375
*
383
376
* A sink is highly unlikely to be exploitable if its callable's name starts with `is` and the callable has a boolean return
384
377
* type (e.g. `isDirectory`). These kinds of calls normally do only checks, and appear before the proper call that does
385
378
* the dangerous/interesting thing, so we want the latter to be modeled as the sink.
386
379
*
387
380
* TODO: this might filter too much, it's possible that methods with more than one parameter contain interesting sinks
388
381
*/
389
- private class UnexploitableIsCharacteristic extends CharacteristicsImpl:: NeitherSourceNorSinkCharacteristic
390
- {
382
+ private class UnexploitableIsCharacteristic extends CharacteristicsImpl:: NotASinkCharacteristic {
391
383
UnexploitableIsCharacteristic ( ) { this = "unexploitable (is-style boolean method)" }
392
384
393
385
override predicate appliesToEndpoint ( Endpoint e ) {
394
386
e .getCallable ( ) .getName ( ) .matches ( "is%" ) and
395
387
e .getCallable ( ) .getReturnType ( ) instanceof BooleanType and
396
- (
397
- e .getExtensibleType ( ) = "sinkModel" and
398
- not ApplicationCandidatesImpl:: isSink ( e , _, _)
399
- or
400
- e .getExtensibleType ( ) = "sourceModel" and
401
- not ApplicationCandidatesImpl:: isSource ( e , _, _) and
402
- e .getMaDOutput ( ) = "ReturnValue"
403
- )
388
+ not ApplicationCandidatesImpl:: isSink ( e , _, _)
404
389
}
405
390
}
406
391
407
392
/**
408
393
* A negative characteristic that indicates that parameters of an existence-checking boolean method should not be
409
- * considered sinks, and its return value should not be considered a source .
394
+ * considered sinks.
410
395
*
411
396
* A sink is highly unlikely to be exploitable if its callable's name is `exists` or `notExists` and the callable has a
412
397
* boolean return type. These kinds of calls normally do only checks, and appear before the proper call that does the
413
398
* dangerous/interesting thing, so we want the latter to be modeled as the sink.
414
399
*/
415
- private class UnexploitableExistsCharacteristic extends CharacteristicsImpl:: NeitherSourceNorSinkCharacteristic
416
- {
400
+ private class UnexploitableExistsCharacteristic extends CharacteristicsImpl:: NotASinkCharacteristic {
417
401
UnexploitableExistsCharacteristic ( ) { this = "unexploitable (existence-checking boolean method)" }
418
402
419
403
override predicate appliesToEndpoint ( Endpoint e ) {
420
- exists ( Callable callable |
421
- callable = e .getCallable ( ) and
404
+ exists ( Callable callable | callable = e .getCallable ( ) |
422
405
callable .getName ( ) .toLowerCase ( ) = [ "exists" , "notexists" ] and
423
406
callable .getReturnType ( ) instanceof BooleanType
424
- |
425
- e .getExtensibleType ( ) = "sinkModel" and
426
- not ApplicationCandidatesImpl:: isSink ( e , _, _)
427
- or
428
- e .getExtensibleType ( ) = "sourceModel" and
429
- not ApplicationCandidatesImpl:: isSource ( e , _, _) and
430
- e .getMaDOutput ( ) = "ReturnValue"
431
407
)
432
408
}
433
409
}
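Review bot: In `UnexploitableExistsCharacteristic.appliesToEndpoint` (second hunk) the new body keeps only the name and return-type tests and drops the `not ApplicationCandidatesImpl::isSink(e, _, _)` conjunct, whereas the sibling `UnexploitableIsCharacteristic` rewritten in the same hunk still has it; as written, a parameter that is already a known sink inside a boolean `exists`/`notExists` callable would now receive the not-a-sink label, which for a training-label characteristic means a known positive gets marked negative. If that is not intended, keep the two classes aligned by appending `and not ApplicationCandidatesImpl::isSink(e, _, _)` after `callable.getReturnType() instanceof BooleanType` inside the `exists` body; if it is intended, a one-line comment stating why the existence check differs from the `is%` check would stop the next reader from "fixing" it. Both classes also no longer test `e.getExtensibleType() = "sinkModel"`, which is presumably harmless only if `NotASinkCharacteristic` (defined outside this diff) is consulted solely for sink candidates, so that is worth confirming. In the first hunk, `AutomodelJavaUtil::isUnexploitableType` is likewise defined outside the diff, so whether it reproduces the former `BoxedType`/`PrimitiveType`/`NumberType` disjunction exactly cannot be checked here.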