Merge pull request github#5413 from smowton/smowton/feature/infer-fluent-method-taint-flow

aschackmull · web-flow · commit aa360c03787b · 2021-03-16T14:10:11.000+01:00
Add taint-preserving edges where a call also has a value-preserving edge
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -11,6 +11,7 @@ private import semmle.code.java.frameworks.spring.SpringController
 private import semmle.code.java.frameworks.spring.SpringHttp
 private import semmle.code.java.frameworks.Networking
 private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.internal.DataFlowPrivate
 import semmle.code.java.dataflow.FlowSteps
 
 /**
@@ -41,6 +42,12 @@ predicate localTaintStep(DataFlow::Node src, DataFlow::Node sink) {
  * different objects.
  */
 predicate localAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
+  localAdditionalBasicTaintStep(src, sink)
+  or
+  composedValueAndTaintModelStep(src, sink)
+}
+
+private predicate localAdditionalBasicTaintStep(DataFlow::Node src, DataFlow::Node sink) {
   localAdditionalTaintExprStep(src.asExpr(), sink.asExpr())
   or
   localAdditionalTaintUpdateStep(src.asExpr(),
@@ -56,6 +63,32 @@ predicate localAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
   )
 }
 
+/**
+ * Holds if an additional step from `src` to `sink` through a call can be inferred from the
+ * combination of a value-preserving step providing an alias between an input and the output
+ * and a taint step from `src` to one the aliased nodes. For example, if we know that `f(a, b)` returns
+ * the exact value of `a` and also propagates taint from `b` to its result, then we also know that
+ * `a` is tainted after `f` completes, and vice versa.
+ */
+private predicate composedValueAndTaintModelStep(ArgumentNode src, DataFlow::Node sink) {
+  exists(Call call, ArgumentNode valueSource, DataFlow::PostUpdateNode valueSourcePost |
+    src.argumentOf(call, _) and
+    valueSource.argumentOf(call, _) and
+    src != valueSource and
+    valueSourcePost.getPreUpdateNode() = valueSource and
+    DataFlow::localFlowStep(valueSource, DataFlow::exprNode(call)) and
+    (
+      // in-x -value-> out-y and in-z -taint-> out-y ==> in-z -taint-> in-x
+      localAdditionalBasicTaintStep(src, DataFlow::exprNode(call)) and
+      sink = valueSourcePost
+      or
+      // in-x -value-> out-y and in-z -taint-> in-x ==> in-z -taint-> out-y
+      localAdditionalBasicTaintStep(src, valueSourcePost) and
+      sink = DataFlow::exprNode(call)
+    )
+  )
+}
+
 /**
  * Holds if the additional step from `src` to `sink` should be included in all
  * global taint flow configurations.
