Revert "Java: Convert other sinks"

This reverts commit 87d42b0.

Author: tamasvajk

java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql

@@ -16,7 +16,6 @@ import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.XSS
-private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * One of the `printStackTrace()` overloads on `Throwable`.
@@ -38,12 +37,10 @@ class ServletWriterSourceToPrintStackTraceMethodFlowConfig extends TaintTracking
 
   override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ServletWriterSource }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "print-stack-trace") }
-}
-
-private class PrintStackTraceSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row = ["java.lang;Throwable;true;printStackTrace;;;Argument;print-stack-trace"]
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma |
+      sink.asExpr() = ma.getAnArgument() and ma.getMethod() instanceof PrintStackTraceMethod
+    )
   }
 }
 

java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql

@@ -15,7 +15,6 @@ import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.ExternalFlow
 import DataFlow::PathGraph
-private import semmle.code.java.dataflow.ExternalFlow
 
 class URLConstructor extends ClassInstanceExpr {
   URLConstructor() { this.getConstructor().getDeclaringType() instanceof TypeUrl }
@@ -40,7 +39,13 @@ class RemoteURLToOpenStreamFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "url-open-stream") }
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess m |
+      sink.asExpr() = m.getQualifier() and m.getMethod() instanceof URLOpenStreamMethod
+    )
+    or
+    sinkNode(sink, "url-open-stream")
+  }
 
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(URLConstructor u |
@@ -50,12 +55,6 @@ class RemoteURLToOpenStreamFlowConfig extends TaintTracking::Configuration {
   }
 }
 
-private class URLOpenStreamSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row = ["java.net;URL;false;openStream;;;Argument[-1];url-open-stream"]
-  }
-}
-
 from DataFlow::PathNode source, DataFlow::PathNode sink, MethodAccess call
 where
   sink.getNode().asExpr() = call.getQualifier() and

java/ql/src/experimental/Security/CWE/CWE-074/XsltInjectionLib.qll

@@ -2,7 +2,6 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.XmlParsers
 import DataFlow
-private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for unvalidated user input that is used in XSLT transformation.
@@ -104,20 +103,15 @@ class TypeXsltPackage extends Class {
 
 /** A data flow sink for unvalidated user input that is used in XSLT transformation. */
 class XsltInjectionSink extends DataFlow::ExprNode {
-  XsltInjectionSink() { sinkNode(this, "xslt") }
-}
-
-private class XsltInjectionSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "net.sf.saxon.s9api;XsltTransformer;false;transform;;;Argument[-1];xslt",
-        "net.sf.saxon.s9api;Xslt30Transformer;false;transform;;;Argument[-1];xslt",
-        "net.sf.saxon.s9api;Xslt30Transformer;false;applyTemplates;;;Argument[-1];xslt",
-        "net.sf.saxon.s9api;Xslt30Transformer;false;callFunction;;;Argument[-1];xslt",
-        "net.sf.saxon.s9api;Xslt30Transformer;false;callTemplate;;;Argument[-1];xslt",
-        "javax.xml.transform;Transformer;false;transform;;;Argument[-1];xslt"
-      ]
+  XsltInjectionSink() {
+    exists(MethodAccess ma, Method m | m = ma.getMethod() and ma.getQualifier() = this.getExpr() |
+      ma instanceof TransformerTransform or
+      m instanceof XsltTransformerTransformMethod or
+      m instanceof Xslt30TransformerTransformMethod or
+      m instanceof Xslt30TransformerApplyTemplatesMethod or
+      m instanceof Xslt30TransformerCallFunctionMethod or
+      m instanceof Xslt30TransformerCallTemplateMethod
+    )
   }
 }
 
@@ -192,21 +186,16 @@ private class TransformerFactoryWithSecureProcessingFeatureFlowConfig extends Da
     )
   }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "xslt-transformer") }
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma |
+      sink.asExpr() = ma.getQualifier() and
+      ma.getMethod().getDeclaringType() instanceof TransformerFactory
+    )
+  }
 
   override int fieldFlowBranchLimit() { result = 0 }
 }
 
-private class TransformerFactorySinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "javax.xml.transform;TransformerFactory;false;;;;Argument[-1];xslt-transformer",
-        "javax.xml.transform.sax;SAXTransformerFactory;false;;;;Argument[-1];xslt-transformer"
-      ]
-  }
-}
-
 /** A `ParserConfig` specific to `TransformerFactory`. */
 private class TransformerFactoryFeatureConfig extends ParserConfig {
   TransformerFactoryFeatureConfig() {

java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll

@@ -1,7 +1,6 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
-private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for unsafe user input
@@ -22,7 +21,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {
 }
 
 /**
- * A sink for Expression Language injection vulnerabilities via Jexl,
+ * A sink for Expresssion Language injection vulnerabilities via Jexl,
  * i.e. method calls that run evaluation of a JEXL expression.
  *
  * Creating a `Callable` from a tainted JEXL expression or script is considered as a sink
@@ -31,41 +30,18 @@ class JexlInjectionConfig extends TaintTracking::Configuration {
  * maybe stored in an object field and then reached by a different flow.
  */
 private class JexlEvaluationSink extends DataFlow::ExprNode {
-  JexlEvaluationSink() { sinkNode(this, "jexl") }
-}
-
-private class JexlEvaluationSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        // Direct JEXL evaluation
-        "org.apache.commons.jexl2;Expression;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;JexlExpression;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl2;Script;false;execute;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;JexlScript;false;execute;;;Argument[-1];jexl",
-        "org.apache.commons.jexl2;JxltEngine$Expression;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;JxltEngine$Expression;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl2;JxltEngine$Expression;false;prepare;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;JxltEngine$Expression;false;prepare;;;Argument[-1];jexl",
-        "org.apache.commons.jexl2;JxltEngine$Template;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;JxltEngine$Template;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl2;UnifiedJEXL$Expression;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;UnifiedJEXL$Expression;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl2;UnifiedJEXL$Expression;false;prepare;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;UnifiedJEXL$Expression;false;prepare;;;Argument[-1];jexl",
-        "org.apache.commons.jexl2;UnifiedJEXL$Template;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;UnifiedJEXL$Template;false;evaluate;;;Argument[-1];jexl",
-        // JEXL callable
-        "org.apache.commons.jexl2;Expression;false;callable;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;JexlExpression;false;callable;;;Argument[-1];jexl",
-        "org.apache.commons.jexl2;Script;false;callable;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;JexlScript;false;callable;;;Argument[-1];jexl",
-        // Methods in the `JexlEngine` class that gets or sets a property with a JEXL expression.
-        "org.apache.commons.jexl2;JexlEngine;false;getProperty;;;Argument[1..2];jexl",
-        "org.apache.commons.jexl3;JexlEngine;false;getProperty;;;Argument[1..2];jexl",
-        "org.apache.commons.jexl2;JexlEngine;false;setProperty;;;Argument[1];jexl",
-        "org.apache.commons.jexl3;JexlEngine;false;setProperty;;;Argument[1];jexl"
-      ]
+  JexlEvaluationSink() {
+    exists(MethodAccess ma, Method m, Expr taintFrom |
+      ma.getMethod() = m and taintFrom = this.asExpr()
+    |
+      m instanceof DirectJexlEvaluationMethod and ma.getQualifier() = taintFrom
+      or
+      m instanceof CreateJexlCallableMethod and ma.getQualifier() = taintFrom
+      or
+      m instanceof JexlEngineGetSetPropertyMethod and
+      taintFrom.getType() instanceof TypeString and
+      ma.getAnArgument() = taintFrom
+    )
   }
 }
 
@@ -122,36 +98,22 @@ private class SandboxedJexlFlowConfig extends DataFlow2::Configuration {
 
   override predicate isSource(DataFlow::Node node) { node instanceof SandboxedJexlSource }
 
-  override predicate isSink(DataFlow::Node node) { sinkNode(node, "sandboxed-jexl") }
+  override predicate isSink(DataFlow::Node node) {
+    exists(MethodAccess ma, Method m | ma.getMethod() = m |
+      (
+        m instanceof CreateJexlScriptMethod or
+        m instanceof CreateJexlExpressionMethod or
+        m instanceof CreateJexlTemplateMethod
+      ) and
+      ma.getQualifier() = node.asExpr()
+    )
+  }
 
   override predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
     createsJexlEngine(fromNode, toNode)
   }
 }
 
-private class SandboxedJexlEvaluationSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        // CreateJexlScriptMethod
-        "org.apache.commons.jexl2;JexlEngine;false;createScript;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl3;JexlEngine;false;createScript;;;Argument[-1];sandboxed-jexl",
-        // CreateJexlExpressionMethod
-        "org.apache.commons.jexl2;UnifiedJEXL;false;parse;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl3;UnifiedJEXL;false;parse;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl2;JxltEngine;false;createExpression;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl3;JxltEngine;false;createExpression;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl2;JexlEngine;false;createExpression;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl3;JexlEngine;false;createExpression;;;Argument[-1];sandboxed-jexl",
-        // CreateJexlTemplateMethod
-        "org.apache.commons.jexl2;JxltEngine;false;createTemplate;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl3;JxltEngine;false;createTemplate;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl2;UnifiedJEXL;false;createTemplate;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl3;UnifiedJEXL;false;createTemplate;;;Argument[-1];sandboxed-jexl"
-      ]
-  }
-}
-
 /**
  * Defines a data flow source for JEXL engines configured with a sandbox.
  */
@@ -202,13 +164,52 @@ private predicate returnsDataFromBean(DataFlow::Node fromNode, DataFlow::Node to
   )
 }
 
+/**
+ * A methods in the `JexlEngine` class that gets or sets a property with a JEXL expression.
+ */
+private class JexlEngineGetSetPropertyMethod extends Method {
+  JexlEngineGetSetPropertyMethod() {
+    getDeclaringType() instanceof JexlEngine and
+    hasName(["getProperty", "setProperty"])
+  }
+}
+
+/**
+ * A method that triggers direct evaluation of JEXL expressions.
+ */
+private class DirectJexlEvaluationMethod extends Method {
+  DirectJexlEvaluationMethod() {
+    getDeclaringType() instanceof JexlExpression and hasName("evaluate")
+    or
+    getDeclaringType() instanceof JexlScript and hasName("execute")
+    or
+    getDeclaringType() instanceof JxltEngineExpression and hasName(["evaluate", "prepare"])
+    or
+    getDeclaringType() instanceof JxltEngineTemplate and hasName("evaluate")
+    or
+    getDeclaringType() instanceof UnifiedJexlExpression and hasName(["evaluate", "prepare"])
+    or
+    getDeclaringType() instanceof UnifiedJexlTemplate and hasName("evaluate")
+  }
+}
+
 /**
  * A method that creates a JEXL script.
  */
 private class CreateJexlScriptMethod extends Method {
   CreateJexlScriptMethod() { getDeclaringType() instanceof JexlEngine and hasName("createScript") }
 }
 
+/**
+ * A method that creates a `Callable` for a JEXL expression or script.
+ */
+private class CreateJexlCallableMethod extends Method {
+  CreateJexlCallableMethod() {
+    (getDeclaringType() instanceof JexlExpression or getDeclaringType() instanceof JexlScript) and
+    hasName("callable")
+  }
+}
+
 /**
  * A method that creates a JEXL template.
  */
@@ -266,6 +267,22 @@ private class JexlUberspect extends Interface {
   }
 }
 
+private class JxltEngineExpression extends NestedType {
+  JxltEngineExpression() { getEnclosingType() instanceof JxltEngine and hasName("Expression") }
+}
+
+private class JxltEngineTemplate extends NestedType {
+  JxltEngineTemplate() { getEnclosingType() instanceof JxltEngine and hasName("Template") }
+}
+
+private class UnifiedJexlExpression extends NestedType {
+  UnifiedJexlExpression() { getEnclosingType() instanceof UnifiedJexl and hasName("Expression") }
+}
+
+private class UnifiedJexlTemplate extends NestedType {
+  UnifiedJexlTemplate() { getEnclosingType() instanceof UnifiedJexl and hasName("Template") }
+}
+
 private class Reader extends RefType {
   Reader() { hasQualifiedName("java.io", "Reader") }
 }

java/ql/src/experimental/Security/CWE/CWE-094/MvelInjectionLib.qll

@@ -1,7 +1,6 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
-private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for unsafe user input
@@ -31,31 +30,36 @@ class MvelInjectionConfig extends TaintTracking::Configuration {
  * i.e. methods that run evaluation of a MVEL expression.
  */
 class MvelEvaluationSink extends DataFlow::ExprNode {
-  MvelEvaluationSink() { sinkNode(this, "mvel") }
-}
-
-private class MvelEvaluationSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "org.mvel2.jsr223;MvelScriptEngine;false;evaluate;;;Argument[0];mvel",
-        "org.mvel2.jsr223;MvelScriptEngine;false;eval;;;Argument[0];mvel",
-        "org.mvel2.compiler;ExecutableStatement;false;getValue;;;Argument[-1];mvel",
-        "org.mvel2.compiler;CompiledExpression;false;getDirectValue;;;Argument[-1];mvel",
-        "org.mvel2.compiler;CompiledAccExpression;false;getValue;;;Argument[-1];mvel",
-        "org.mvel2.compiler;Accessor;false;getValue;;;Argument[-1];mvel",
-        "javax.script;CompiledScript;false;eval;;;Argument[-1];mvel",
-        "org.mvel2.jsr223;MvelCompiledScript;false;eval;;;Argument[-1];mvel",
-        "org.mvel2;MVEL;false;eval;;;Argument[0];mvel",
-        "org.mvel2;MVEL;false;executeExpression;;;Argument[0];mvel",
-        "org.mvel2;MVEL;false;evalToBoolean;;;Argument[0];mvel",
-        "org.mvel2;MVEL;false;evalToString;;;Argument[0];mvel",
-        "org.mvel2;MVEL;false;executeAllExpression;;;Argument[0];mvel",
-        "org.mvel2;MVEL;false;executeSetExpression;;;Argument[0];mvel",
-        "org.mvel2.templates;TemplateRuntime;false;eval;;;Argument[0];mvel",
-        "org.mvel2.templates;TemplateRuntime;false;execute;;;Argument[0];mvel",
-        "org.mvel2;MVELRuntime;false;execute;;;Argument[1];mvel"
-      ]
+  MvelEvaluationSink() {
+    exists(StaticMethodAccess ma, Method m | m = ma.getMethod() |
+      (
+        m instanceof MvelEvalMethod or
+        m instanceof TemplateRuntimeEvaluationMethod
+      ) and
+      ma.getArgument(0) = asExpr()
+    )
+    or
+    exists(MethodAccess ma, Method m | m = ma.getMethod() |
+      m instanceof MvelScriptEngineEvaluationMethod and
+      ma.getArgument(0) = asExpr()
+    )
+    or
+    exists(MethodAccess ma, Method m | m = ma.getMethod() |
+      (
+        m instanceof ExecutableStatementEvaluationMethod or
+        m instanceof CompiledExpressionEvaluationMethod or
+        m instanceof CompiledAccExpressionEvaluationMethod or
+        m instanceof AccessorEvaluationMethod or
+        m instanceof CompiledScriptEvaluationMethod or
+        m instanceof MvelCompiledScriptEvaluationMethod
+      ) and
+      ma.getQualifier() = asExpr()
+    )
+    or
+    exists(StaticMethodAccess ma, Method m | m = ma.getMethod() |
+      m instanceof MvelRuntimeEvaluationMethod and
+      ma.getArgument(1) = asExpr()
+    )
   }
 }