Optimize flow steps

luchua-bc · luchua-bc · commit 919c6b4b0aae · 2021-03-05T02:50:54.000Z
diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -8,6 +8,7 @@
  */
 
 import java
+import semmle.code.java.dataflow.FlowSteps
 import semmle.code.java.frameworks.Servlets
 import semmle.code.java.dataflow.TaintTracking
 import DataFlow::PathGraph
@@ -41,18 +42,31 @@ class SetCookieMethodAccess extends MethodAccess {
   }
 }
 
+/** The cookie class of Java EE. */
+class CookieClass extends RefType {
+  CookieClass() {
+    this.getASupertype*()
+        .hasQualifiedName(["javax.servlet.http", "javax.ws.rs.core", "jakarta.ws.rs.core"], "Cookie")
+  }
+}
+
+/** The method call `toString` to get a stringified cookie representation. */
+class CookieInstanceExpr extends TaintPreservingCallable {
+  CookieInstanceExpr() {
+    this.getDeclaringType() instanceof CookieClass and
+    this.hasName("toString")
+  }
+
+  override predicate returnsTaintFrom(int arg) { arg = -1 }
+}
+
 /** Sensitive cookie name used in a `Cookie` constructor or a `Set-Cookie` call. */
 class SensitiveCookieNameExpr extends Expr {
   SensitiveCookieNameExpr() {
     exists(
       ClassInstanceExpr cie // new Cookie("jwt_token", token)
     |
-      (
-        cie.getConstructedType().hasQualifiedName("javax.servlet.http", "Cookie") or
-        cie.getConstructedType()
-            .getASupertype*()
-            .hasQualifiedName(["javax.ws.rs.core", "jakarta.ws.rs.core"], "Cookie")
-      ) and
+      cie.getConstructedType() instanceof CookieClass and
       this = cie and
       isSensitiveCookieNameExpr(cie.getArgument(0))
     )
@@ -169,16 +183,6 @@ class MissingHttpOnlyConfiguration extends TaintTracking::Configuration {
     // Test class or method
     isTestMethod(node)
   }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(
-      MethodAccess ma // `toString` call on a cookie object
-    |
-      ma.getQualifier() = pred.asExpr() and
-      ma.getMethod().hasName("toString") and
-      ma = succ.asExpr()
-    )
-  }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, MissingHttpOnlyConfiguration c
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
@@ -1,13 +1,17 @@
 edges
-| SensitiveCookieNotHttpOnly.java:22:27:22:60 | new Cookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie |
+| SensitiveCookieNotHttpOnly.java:22:28:22:61 | new Cookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie |
 | SensitiveCookieNotHttpOnly.java:49:42:49:113 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) |
+| SensitiveCookieNotHttpOnly.java:60:37:60:115 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:62:42:62:47 | keyStr |
 nodes
-| SensitiveCookieNotHttpOnly.java:22:27:22:60 | new Cookie(...) : Cookie | semmle.label | new Cookie(...) : Cookie |
+| SensitiveCookieNotHttpOnly.java:22:28:22:61 | new Cookie(...) : Cookie | semmle.label | new Cookie(...) : Cookie |
 | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | semmle.label | jwtCookie |
 | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | semmle.label | ... + ... |
 | SensitiveCookieNotHttpOnly.java:49:42:49:113 | new NewCookie(...) : NewCookie | semmle.label | new NewCookie(...) : NewCookie |
 | SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) | semmle.label | toString(...) |
+| SensitiveCookieNotHttpOnly.java:60:37:60:115 | new NewCookie(...) : NewCookie | semmle.label | new NewCookie(...) : NewCookie |
+| SensitiveCookieNotHttpOnly.java:62:42:62:47 | keyStr | semmle.label | keyStr |
 #select
-| SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | SensitiveCookieNotHttpOnly.java:22:27:22:60 | new Cookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:22:27:22:60 | new Cookie(...) | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | SensitiveCookieNotHttpOnly.java:22:28:22:61 | new Cookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:22:28:22:61 | new Cookie(...) | This sensitive cookie |
 | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | This sensitive cookie |
 | SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) | SensitiveCookieNotHttpOnly.java:49:42:49:113 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:49:42:49:113 | new NewCookie(...) | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:62:42:62:47 | keyStr | SensitiveCookieNotHttpOnly.java:60:37:60:115 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:62:42:62:47 | keyStr | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:60:37:60:115 | new NewCookie(...) | This sensitive cookie |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
@@ -10,7 +10,7 @@
 class SensitiveCookieNotHttpOnly {
     // GOOD - Tests adding a sensitive cookie with the `HttpOnly` flag set.
     public void addCookie(String jwt_token, HttpServletRequest request, HttpServletResponse response) {
-        Cookie jwtCookie =new Cookie("jwt_token", jwt_token);
+        Cookie jwtCookie = new Cookie("jwt_token", jwt_token);
         jwtCookie.setPath("/");
         jwtCookie.setMaxAge(3600*24*7);
         jwtCookie.setHttpOnly(true);
@@ -19,8 +19,8 @@ public void addCookie(String jwt_token, HttpServletRequest request, HttpServletR
 
     // BAD - Tests adding a sensitive cookie without the `HttpOnly` flag set.
     public void addCookie2(String jwt_token, String userId, HttpServletRequest request, HttpServletResponse response) {
-        Cookie jwtCookie =new Cookie("jwt_token", jwt_token);
-        Cookie userIdCookie =new Cookie("user_id", userId.toString());
+        Cookie jwtCookie = new Cookie("jwt_token", jwt_token);
+        Cookie userIdCookie = new Cookie("user_id", userId);
         jwtCookie.setPath("/");
         userIdCookie.setPath("/");
         jwtCookie.setMaxAge(3600*24*7);
@@ -54,4 +54,11 @@ public void addCookie7(String accessKey, HttpServletRequest request, HttpServlet
         NewCookie accessKeyCookie = new NewCookie("session-access-key", accessKey, "/", null, null, 0, true, true);
         response.setHeader("Set-Cookie", accessKeyCookie.toString());
     }
+
+    // BAD - Tests set a sensitive cookie header using the class `javax.ws.rs.core.Cookie` without the `HttpOnly` flag set.
+    public void addCookie8(String accessKey, HttpServletRequest request, HttpServletResponse response) {
+        NewCookie accessKeyCookie = new NewCookie("session-access-key", accessKey, "/", null, 0, null, 86400, true);
+        String keyStr = accessKeyCookie.toString();
+        response.setHeader("Set-Cookie", keyStr);
+    }
 }
