Convert experimental queries' isBarrier to use instanceof SimpleScalarSanitizer

egregius313 · egregius313 · commit 3311b3be8e39 · 2024-01-22T23:38:29.000-05:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
@@ -19,6 +19,7 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.security.dataflow.CommonSanitizers
 import Log4jInjectionFlow::PathGraph
 
 private class ActivateModels extends ActiveExperimentalModels {
@@ -33,11 +34,7 @@ class Log4jInjectionSink extends DataFlow::Node {
 /**
  * A node that sanitizes a message before logging to avoid log injection.
  */
-class Log4jInjectionSanitizer extends DataFlow::Node {
-  Log4jInjectionSanitizer() {
-    this.getType() instanceof BoxedType or this.getType() instanceof PrimitiveType
-  }
-}
+class Log4jInjectionSanitizer extends DataFlow::Node instanceof SimpleScalarSanitizer { }
 
 /**
  * A taint-tracking configuration for tracking untrusted user input used in log entries.
diff --git a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
@@ -18,6 +18,7 @@ import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.dataflow.FlowSources
 import JFinalController
 import semmle.code.java.security.PathSanitizer
+private import semmle.code.java.security.dataflow.CommonSanitizers
 import InjectFilePathFlow::PathGraph
 
 private class ActivateModels extends ActiveExperimentalModels {
@@ -56,7 +57,7 @@ module InjectFilePathConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) {
-    exists(Type t | t = node.getType() | t instanceof BoxedType or t instanceof PrimitiveType)
+    node instanceof SimpleScalarSanitizer
     or
     node instanceof PathInjectionSanitizer
   }
diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll
@@ -2,6 +2,7 @@ import java
 import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 module ExecCmdFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
@@ -20,8 +21,7 @@ module ExecCmdFlowConfig implements DataFlow::ConfigSig {
     node instanceof AssignToNonZeroIndex or
     node instanceof ArrayInitAtNonZeroIndex or
     node instanceof StreamConcatAtNonZeroIndex or
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType
+    node instanceof SimpleScalarSanitizer
   }
 }
 
@@ -41,10 +41,7 @@ module ExecUserFlowConfig implements DataFlow::ConfigSig {
     )
   }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
 }
 
 /** Tracks flow of unvalidated user input that is used in Runtime.Exec */
diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
@@ -17,18 +17,15 @@ import MyBatisCommonLib
 import MyBatisAnnotationSqlInjectionLib
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.security.dataflow.CommonSanitizers
 import MyBatisAnnotationSqlInjectionFlow::PathGraph
 
 private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisAnnotatedMethodCallArgument }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType or
-    node.getType() instanceof NumberType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(MethodCall ma |
diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
@@ -17,18 +17,15 @@ import MyBatisCommonLib
 import MyBatisMapperXmlSqlInjectionLib
 import semmle.code.xml.MyBatisMapperXML
 import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.security.dataflow.CommonSanitizers
 import MyBatisMapperXmlSqlInjectionFlow::PathGraph
 
 private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisMapperMethodCallAnArgument }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType or
-    node.getType() instanceof NumberType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(MethodCall ma |
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
@@ -14,6 +14,7 @@
 import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.dataflow.CommonSanitizers
 import ClientSuppliedIpUsedInSecurityCheckLib
 import ClientSuppliedIpUsedInSecurityCheckFlow::PathGraph
 
@@ -38,9 +39,7 @@ module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::ConfigSig
       not aa.getIndexExpr().(CompileTimeConstantExpr).getIntValue() = 0
     )
     or
-    node.getType() instanceof PrimitiveType
-    or
-    node.getType() instanceof BoxedType
+    node instanceof SimpleScalarSanitizer
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll
@@ -5,6 +5,7 @@ private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.StringPrefixes
 private import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions
 private import experimental.semmle.code.java.frameworks.SpringResource
+private import semmle.code.java.security.dataflow.CommonSanitizers
 
 private class ActiveModels extends ActiveExperimentalModels {
   ActiveModels() { this = "unsafe-url-forward" }
@@ -128,12 +129,7 @@ private class SpringModelAndViewSink extends UnsafeUrlForwardSink {
   }
 }
 
-private class PrimitiveSanitizer extends UnsafeUrlForwardSanitizer {
-  PrimitiveSanitizer() {
-    this.getType() instanceof PrimitiveType or
-    this.getType() instanceof BoxedType or
-    this.getType() instanceof NumberType
-  }
+private class PrimitiveSanitizer extends UnsafeUrlForwardSanitizer instanceof SimpleScalarSanitizer {
 }
 
 private class SanitizingPrefix extends InterestingPrefix {

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ import semmle.code.java.dataflow.ExternalFlow`
`18`	`18`	`import semmle.code.java.dataflow.FlowSources`
`19`	`19`	`import JFinalController`
`20`	`20`	`import semmle.code.java.security.PathSanitizer`
	`21`	`+private import semmle.code.java.security.dataflow.CommonSanitizers`
`21`	`22`	`import InjectFilePathFlow::PathGraph`
`22`	`23`
`23`	`24`	`private class ActivateModels extends ActiveExperimentalModels {`
`@@ -56,7 +57,7 @@ module InjectFilePathConfig implements DataFlow::ConfigSig {`
`56`	`57`	`}`
`57`	`58`
`58`	`59`	`predicate isBarrier(DataFlow::Node node) {`
`59`		`- exists(Type t \| t = node.getType() \| t instanceof BoxedType or t instanceof PrimitiveType)`
	`60`	`+ node instanceof SimpleScalarSanitizer`
`60`	`61`	`or`
`61`	`62`	`node instanceof PathInjectionSanitizer`
`62`	`63`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@ import java`
`2`	`2`	`import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions`
`3`	`3`	`import semmle.code.java.dataflow.DataFlow`
`4`	`4`	`import semmle.code.java.dataflow.FlowSources`
	`5`	`+private import semmle.code.java.security.dataflow.CommonSanitizers`
`5`	`6`
`6`	`7`	`module ExecCmdFlowConfig implements DataFlow::ConfigSig {`
`7`	`8`	`predicate isSource(DataFlow::Node source) {`
`@@ -20,8 +21,7 @@ module ExecCmdFlowConfig implements DataFlow::ConfigSig {`
`20`	`21`	`node instanceof AssignToNonZeroIndex or`
`21`	`22`	`node instanceof ArrayInitAtNonZeroIndex or`
`22`	`23`	`node instanceof StreamConcatAtNonZeroIndex or`
`23`		`- node.getType() instanceof PrimitiveType or`
`24`		`- node.getType() instanceof BoxedType`
	`24`	`+ node instanceof SimpleScalarSanitizer`
`25`	`25`	`}`
`26`	`26`	`}`
`27`	`27`
`@@ -41,10 +41,7 @@ module ExecUserFlowConfig implements DataFlow::ConfigSig {`
`41`	`41`	`)`
`42`	`42`	`}`
`43`	`43`
`44`		`- predicate isBarrier(DataFlow::Node node) {`
`45`		`- node.getType() instanceof PrimitiveType or`
`46`		`- node.getType() instanceof BoxedType`
`47`		`- }`
	`44`	`+ predicate isBarrier(DataFlow::Node node) { node instanceof SimpleScalarSanitizer }`
`48`	`45`	`}`
`49`	`46`
`50`	`47`	`/** Tracks flow of unvalidated user input that is used in Runtime.Exec */`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@`
`14`	`14`	`import java`
`15`	`15`	`import semmle.code.java.dataflow.TaintTracking`
`16`	`16`	`import semmle.code.java.dataflow.FlowSources`
	`17`	`+import semmle.code.java.security.dataflow.CommonSanitizers`
`17`	`18`	`import ClientSuppliedIpUsedInSecurityCheckLib`
`18`	`19`	`import ClientSuppliedIpUsedInSecurityCheckFlow::PathGraph`
`19`	`20`
`@@ -38,9 +39,7 @@ module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::ConfigSig`
`38`	`39`	`not aa.getIndexExpr().(CompileTimeConstantExpr).getIntValue() = 0`
`39`	`40`	`)`
`40`	`41`	`or`
`41`		`- node.getType() instanceof PrimitiveType`
`42`		`- or`
`43`		`- node.getType() instanceof BoxedType`
	`42`	`+ node instanceof SimpleScalarSanitizer`
`44`	`43`	`}`
`45`	`44`	`}`
`46`	`45`
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@ private import semmle.code.java.dataflow.FlowSources`
`5`	`5`	`private import semmle.code.java.dataflow.StringPrefixes`
`6`	`6`	`private import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions`
`7`	`7`	`private import experimental.semmle.code.java.frameworks.SpringResource`
	`8`	`+private import semmle.code.java.security.dataflow.CommonSanitizers`
`8`	`9`
`9`	`10`	`private class ActiveModels extends ActiveExperimentalModels {`
`10`	`11`	`ActiveModels() { this = "unsafe-url-forward" }`
`@@ -128,12 +129,7 @@ private class SpringModelAndViewSink extends UnsafeUrlForwardSink {`
`128`	`129`	`}`
`129`	`130`	`}`
`130`	`131`
`131`		`-private class PrimitiveSanitizer extends UnsafeUrlForwardSanitizer {`
`132`		`- PrimitiveSanitizer() {`
`133`		`- this.getType() instanceof PrimitiveType or`
`134`		`- this.getType() instanceof BoxedType or`
`135`		`- this.getType() instanceof NumberType`
`136`		`- }`
	`132`	`+private class PrimitiveSanitizer extends UnsafeUrlForwardSanitizer instanceof SimpleScalarSanitizer {`
`137`	`133`	`}`
`138`	`134`
`139`	`135`	`private class SanitizingPrefix extends InterestingPrefix {`