delete IfStmt

Author: haby0

java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql

@@ -36,14 +36,6 @@ class UseOfLessTrustedSourceConfig extends TaintTracking::Configuration {
       not aa.getIndexExpr().(CompileTimeConstantExpr).getIntValue() = 0
     )
   }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node prod, DataFlow::Node succ) {
-    exists(MethodAccess ma |
-      ma.getAnArgument() = prod.asExpr() and
-      ma = succ.asExpr() and
-      ma.getMethod().getReturnType() instanceof BooleanType
-    )
-  }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, UseOfLessTrustedSourceConfig conf

java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll

@@ -27,66 +27,59 @@ class UseOfLessTrustedSource extends DataFlow::Node {
 abstract class UseOfLessTrustedSink extends DataFlow::Node { }
 
 /**
- * A data flow sink for the if condition, which does not include the null judgment of the remote client ip address.
+ * A data flow sink for remote client ip comparison.
  *
  * For example: `if (!StringUtils.startsWith(ipAddr, "192.168.")){...` determine whether the client ip starts
  * with `192.168.`, and the program can be deceived by forging the ip address.
- * `if (remoteAddr == null || "".equals(remoteAddr)) {...` judging whether the client ip is a null value,
- * it needs to be excluded
  */
-private class IfConditionSink extends UseOfLessTrustedSink {
-  IfConditionSink() {
-    exists(IfStmt is |
-      is.getCondition() = this.asExpr() and
+private class CompareSink extends UseOfLessTrustedSink {
+  CompareSink() {
+    exists(MethodAccess ma |
+      ma.getMethod().getName() in ["equals", "equalsIgnoreCase"] and
+      ma.getMethod().getDeclaringType() instanceof TypeString and
+      ma.getMethod().getNumberOfParameters() = 1 and
       (
-        exists(MethodAccess ma |
-          ma.getMethod().getName() in ["equals", "equalsIgnoreCase"] and
-          ma.getMethod().getDeclaringType() instanceof TypeString and
-          ma.getMethod().getNumberOfParameters() = 1 and
-          not ma.getQualifier().(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
-              "", "unknown", ":"
-            ] and
-          not ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
-              "", "unknown", ":"
-            ] and
-          is.getCondition() = ma.getParent*()
-        )
-        or
-        exists(MethodAccess ma |
-          ma.getMethod().hasName("contains") and
-          ma.getMethod().getDeclaringType() instanceof TypeString and
-          ma.getMethod().getNumberOfParameters() = 1 and
-          ma.getAnArgument().(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
-              "", "unknown"
-            ] and
-          is.getCondition() = ma.getParent*()
-        )
+        ma.getArgument(0) = this.asExpr() and
+        not ma.getQualifier().(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
+            "", "unknown", ":"
+          ]
         or
-        exists(MethodAccess ma |
-          ma.getMethod().hasName("startsWith") and
-          ma.getMethod()
-              .getDeclaringType()
-              .hasQualifiedName(["org.apache.commons.lang3", "org.apache.commons.lang"],
-                "StringUtils") and
-          ma.getMethod().getNumberOfParameters() = 2 and
-          ma.getAnArgument().(CompileTimeConstantExpr).getStringValue() != "" and
-          is.getCondition() = ma.getParent*()
-        )
-        or
-        exists(MethodAccess ma |
-          ma.getMethod().getName() in ["equals", "equalsIgnoreCase"] and
-          ma.getMethod()
-              .getDeclaringType()
-              .hasQualifiedName(["org.apache.commons.lang3", "org.apache.commons.lang"],
-                "StringUtils") and
-          ma.getMethod().getNumberOfParameters() = 2 and
-          not ma.getAnArgument().(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
-              "", "unknown", ":"
-            ] and
-          is.getCondition() = ma.getParent*()
-        )
+        ma.getQualifier() = this.asExpr() and
+        not ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
+            "", "unknown", ":"
+          ]
       )
     )
+    or
+    exists(MethodAccess ma |
+      ma.getMethod().hasName("contains") and
+      ma.getMethod().getDeclaringType() instanceof TypeString and
+      ma.getMethod().getNumberOfParameters() = 1 and
+      ma.getQualifier() = this.asExpr() and
+      ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in ["", "unknown"]
+    )
+    or
+    exists(MethodAccess ma, int i |
+      ma.getMethod().hasName("startsWith") and
+      ma.getMethod()
+          .getDeclaringType()
+          .hasQualifiedName(["org.apache.commons.lang3", "org.apache.commons.lang"], "StringUtils") and
+      ma.getMethod().getNumberOfParameters() = 2 and
+      ma.getArgument(i) = this.asExpr() and
+      ma.getArgument(1 - i).(CompileTimeConstantExpr).getStringValue() != ""
+    )
+    or
+    exists(MethodAccess ma, int i |
+      ma.getMethod().getName() in ["equals", "equalsIgnoreCase"] and
+      ma.getMethod()
+          .getDeclaringType()
+          .hasQualifiedName(["org.apache.commons.lang3", "org.apache.commons.lang"], "StringUtils") and
+      ma.getMethod().getNumberOfParameters() = 2 and
+      ma.getArgument(i) = this.asExpr() and
+      not ma.getArgument(1 - i).(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
+          "", "unknown", ":"
+        ]
+    )
   }
 }
 

java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected

@@ -11,7 +11,7 @@ edges
 | UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
 | UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | UseOfLessTrustedSource.java:42:58:42:59 | ip |
 | UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
-| UseOfLessTrustedSource.java:53:21:53:33 | getClientIP(...) : String | UseOfLessTrustedSource.java:54:13:54:51 | !... |
+| UseOfLessTrustedSource.java:53:21:53:33 | getClientIP(...) : String | UseOfLessTrustedSource.java:54:37:54:38 | ip |
 | UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) : String | UseOfLessTrustedSource.java:78:16:78:37 | ...[...] : String |
 | UseOfLessTrustedSource.java:78:16:78:37 | ...[...] : String | UseOfLessTrustedSource.java:53:21:53:33 | getClientIP(...) : String |
 nodes
@@ -29,7 +29,7 @@ nodes
 | UseOfLessTrustedSource.java:42:58:42:59 | ip | semmle.label | ip |
 | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | semmle.label | ... + ... |
 | UseOfLessTrustedSource.java:53:21:53:33 | getClientIP(...) : String | semmle.label | getClientIP(...) : String |
-| UseOfLessTrustedSource.java:54:13:54:51 | !... | semmle.label | !... |
+| UseOfLessTrustedSource.java:54:37:54:38 | ip | semmle.label | ip |
 | UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) : String | semmle.label | getHeader(...) : String |
 | UseOfLessTrustedSource.java:78:16:78:37 | ...[...] : String | semmle.label | ...[...] : String |
 #select
@@ -45,4 +45,4 @@ nodes
 | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) | this user input |
 | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) | this user input |
 | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) | this user input |
-| UseOfLessTrustedSource.java:54:13:54:51 | !... | UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) : String | UseOfLessTrustedSource.java:54:13:54:51 | !... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:54:37:54:38 | ip | UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) : String | UseOfLessTrustedSource.java:54:37:54:38 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) | this user input |