Merge pull request github#6203 from smowton/smowton/admin/avoid-config-imports-from-qlls

Java: Reduce DataFlow Configuration pollution from Random.qll and JexlInjection.qll

Author: smowton

java/change-notes/2021-07-02-split-queries.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Library `semmle.code.java.security.Random` is split into `RandomQuery`, for use by randomness-related queries, and `RandomValueSource`, for use by libraries wishing to augment the built-in set of random value sources. Any code importing `Random` will need changing to import one or other of these.

java/ql/src/Likely Bugs/Arithmetic/BadAbsOfRandom.ql

@@ -11,7 +11,7 @@
  */
 
 import java
-import semmle.code.java.security.Random
+import semmle.code.java.security.RandomQuery
 
 from MethodAccess ma, Method abs, Method nextIntOrLong, RandomDataSource nma
 where

java/ql/src/Likely Bugs/Arithmetic/RandomUsedOnce.ql

@@ -13,7 +13,7 @@
  */
 
 import java
-import semmle.code.java.security.Random
+import semmle.code.java.security.RandomQuery
 
 from RandomDataSource ma
 where ma.getQualifier() instanceof ClassInstanceExpr

java/ql/src/Security/CWE/CWE-094/JexlInjection.ql

@@ -12,27 +12,9 @@
  */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.JexlInjection
+import semmle.code.java.security.JexlInjectionQuery
 import DataFlow::PathGraph
 
-/**
- * A taint-tracking configuration for unsafe user input
- * that is used to construct and evaluate a JEXL expression.
- * It supports both JEXL 2 and 3.
- */
-class JexlInjectionConfig extends TaintTracking::Configuration {
-  JexlInjectionConfig() { this = "JexlInjectionConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    any(JexlInjectionAdditionalTaintStep c).step(node1, node2)
-  }
-}
-
 from DataFlow::PathNode source, DataFlow::PathNode sink, JexlInjectionConfig conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "JEXL injection from $@.", source.getNode(), "this user input"

java/ql/src/Security/CWE/CWE-129/ArraySizing.qll

@@ -1,7 +1,7 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.DefUse
-import semmle.code.java.security.Random
+import semmle.code.java.security.RandomDataSource
 private import BoundingChecks
 
 /**

java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql

@@ -14,7 +14,7 @@
 
 import java
 import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.security.Random
+import semmle.code.java.security.RandomQuery
 import semmle.code.java.security.SecurityTests
 import ArithmeticCommon
 import DataFlow::PathGraph

java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql

@@ -11,7 +11,7 @@
  */
 
 import java
-import semmle.code.java.security.Random
+import semmle.code.java.security.RandomQuery
 
 from GetRandomData da, RValue use, PredictableSeedExpr source
 where

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -77,6 +77,7 @@ private import FlowSummary
  */
 private module Frameworks {
   private import internal.ContainerFlow
+  private import semmle.code.java.frameworks.android.XssSinks
   private import semmle.code.java.frameworks.ApacheHttp
   private import semmle.code.java.frameworks.apache.Collections
   private import semmle.code.java.frameworks.apache.Lang
@@ -91,10 +92,9 @@ private module Frameworks {
   private import semmle.code.java.frameworks.spring.SpringBeans
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.InformationLeak
-  private import semmle.code.java.security.XSS
+  private import semmle.code.java.security.JexlInjectionSinkModels
   private import semmle.code.java.security.LdapInjection
   private import semmle.code.java.security.XPath
-  private import semmle.code.java.security.JexlInjection
   private import semmle.code.java.frameworks.android.SQLite
   private import semmle.code.java.frameworks.Jdbc
   private import semmle.code.java.frameworks.SpringJdbc

java/ql/src/semmle/code/java/dataflow/RangeAnalysis.qll

@@ -68,7 +68,7 @@ private import SSA
 private import RangeUtils
 private import semmle.code.java.dataflow.internal.rangeanalysis.SsaReadPositionCommon
 private import semmle.code.java.controlflow.internal.GuardsLogic
-private import semmle.code.java.security.Random
+private import semmle.code.java.security.RandomDataSource
 private import SignAnalysis
 private import ModulusAnalysis
 private import semmle.code.java.Reflection

java/ql/src/semmle/code/java/frameworks/android/XssSinks.qll

@@ -0,0 +1,16 @@
+/** Provides XSS sink models relating to the `android.webkit.WebView` class. */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+/** CSV sink models representing methods susceptible to XSS attacks. */
+private class DefaultXssSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "android.webkit;WebView;false;loadData;;;Argument[0];xss",
+        "android.webkit;WebView;false;loadUrl;;;Argument[0];xss",
+        "android.webkit;WebView;false;loadDataWithBaseURL;;;Argument[1];xss"
+      ]
+  }
+}