Optimize the query

luchua-bc · luchua-bc · commit e4699f7fa9a1 · 2021-05-18T16:12:22.000Z
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.java b/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.java
@@ -1,3 +1,7 @@
+import org.mozilla.javascript.ClassShutter;
+import org.mozilla.javascript.Context;
+import org.mozilla.javascript.Scriptable;
+
 public class RhinoInjection extends HttpServlet {
 
   protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
@@ -20,10 +24,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
         Scriptable scope = ctx.initStandardObjects();
         ctx.setClassShutter(new ClassShutter() {
             public boolean visibleToScripts(String className) {
-                if(className.startsWith("com.example.")) {
-                    return true;
-                }
-                return false;
+              return className.startsWith("com.example.");
             }
         });
       }
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
@@ -1,7 +1,7 @@
 /**
  * @name Injection in Java Script Engine
- * @description Evaluation of a user-controlled malicious JavaScript or Java expression in
- *              Java Script Engine may lead to remote code execution.
+ * @description Evaluation of user-controlled data using the Java Script Engine may
+ *              lead to remote code execution.
  * @kind path-problem
  * @problem.severity error
  * @precision high
@@ -78,43 +78,37 @@ predicate scriptEngine(MethodAccess ma, Expr sink) {
 }
 
 /**
- * Holds if a Rhino expression evaluation method has the code injection vulnerability.
+ * Holds if a Rhino expression evaluation method is vulnerable to code injection.
  */
 predicate evaluateRhinoExpression(MethodAccess ma, Expr sink) {
   exists(RhinoEvaluateExpressionMethod m | m = ma.getMethod() |
     (
-      sink = ma.getArgument(1) and // The second argument is the JavaScript or Java input
-      not ma.getMethod().getName() = "compileReader"
-      or
-      sink = ma.getArgument(0) and // The first argument is the input reader
-      ma.getMethod().getName() = "compileReader"
+      if ma.getMethod().getName() = "compileReader"
+      then sink = ma.getArgument(0) // The first argument is the input reader
+      else sink = ma.getArgument(1) // The second argument is the JavaScript or Java input
     ) and
     not exists(MethodAccess ca |
-      (
-        ca.getMethod().hasName("initSafeStandardObjects") // safe mode
-        or
-        ca.getMethod().hasName("setClassShutter") // `ClassShutter` constraint is enforced
-      ) and
+      ca.getMethod().hasName(["initSafeStandardObjects", "setClassShutter"]) and // safe mode or `ClassShutter` constraint is enforced
       ma.getQualifier() = ca.getQualifier().(VarAccess).getVariable().getAnAccess()
     )
   )
 }
 
 /**
- * Holds if a Rhino expression compilation method has the code injection vulnerability.
+ * Holds if a Rhino expression compilation method is vulnerable to code injection.
  */
 predicate compileScript(MethodAccess ma, Expr sink) {
   exists(RhinoCompileClassMethod m | m = ma.getMethod() | sink = ma.getArgument(0))
 }
 
 /**
- * Holds if a Rhino class loading method has the code injection vulnerability.
+ * Holds if a Rhino class loading method is vulnerable to code injection.
  */
 predicate defineClass(MethodAccess ma, Expr sink) {
   exists(RhinoDefineClassMethod m | m = ma.getMethod() | sink = ma.getArgument(1))
 }
 
-/** A sink of script injection. */
+/** A script injection sink. */
 class ScriptInjectionSink extends DataFlow::ExprNode {
   ScriptInjectionSink() {
     scriptEngine(_, this.getExpr()) or
@@ -123,6 +117,7 @@ class ScriptInjectionSink extends DataFlow::ExprNode {
     defineClass(_, this.getExpr())
   }
 
+  /** An access to the method associated with this sink. */
   MethodAccess getMethodAccess() {
     scriptEngine(result, this.getExpr()) or
     evaluateRhinoExpression(result, this.getExpr()) or
@@ -134,11 +129,7 @@ class ScriptInjectionSink extends DataFlow::ExprNode {
 class ScriptInjectionConfiguration extends TaintTracking::Configuration {
   ScriptInjectionConfiguration() { this = "ScriptInjectionConfiguration" }
 
-  override predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource
-    or
-    source instanceof LocalUserInput
-  }
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof ScriptInjectionSink }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/RhinoServlet.java b/java/ql/test/experimental/query-tests/security/CWE-094/RhinoServlet.java
@@ -63,10 +63,7 @@ protected void doPut(HttpServletRequest request, HttpServletResponse response) t
             Scriptable scope = ctx.initStandardObjects();
             ctx.setClassShutter(new ClassShutter() {
                 public boolean visibleToScripts(String className) {
-                    if(className.startsWith("com.example.")) {
-                        return true;
-                    }
-                    return false;
+                    return className.startsWith("com.example.");
                 }
             });
 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngineTest.java b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngineTest.java
@@ -1,9 +1,21 @@
+import javax.script.AbstractScriptEngine;
+import javax.script.Compilable;
+import javax.script.CompiledScript;
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineManager;
+import javax.script.ScriptEngineFactory;
+import javax.script.ScriptException;
+
 import jdk.nashorn.api.scripting.NashornScriptEngine;
 import jdk.nashorn.api.scripting.NashornScriptEngineFactory;
-import javax.script.*;
 
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 
-public class ScriptEngineTest {
+public class ScriptEngineTest extends HttpServlet {
 
 	public void testWithScriptEngineReference(String input) throws ScriptException {
 		ScriptEngineManager scriptEngineManager = new ScriptEngineManager();
@@ -47,16 +59,7 @@ public void testScriptEngineGetProgram(String input) throws ScriptException {
 		String program = engine.getFactory().getProgram(input);
 		Object result = engine.eval(program);
 	}
-	
-	public static void main(String[] args) throws ScriptException {
-		new ScriptEngineTest().testWithScriptEngineReference(args[0]);
-		new ScriptEngineTest().testNashornWithScriptEngineReference(args[0]);
-		new ScriptEngineTest().testNashornWithNashornScriptEngineReference(args[0]);
-		new ScriptEngineTest().testCustomScriptEngineReference(args[0]);
-		new ScriptEngineTest().testScriptEngineCompilable(args[0]);
-		new ScriptEngineTest().testScriptEngineGetProgram(args[0]);
-	}
-	
+
 	private static class MyCustomScriptEngine extends AbstractScriptEngine {
 		public Object eval(String var1) throws ScriptException { return null; }
 
@@ -82,4 +85,19 @@ public MyCustomFactory() {
 		@Override
 		public String getProgram(final String... statements) { return null; }
 	}
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+		try {
+			String code = request.getParameter("code");
+
+			new ScriptEngineTest().testWithScriptEngineReference(code);
+			new ScriptEngineTest().testNashornWithScriptEngineReference(code);
+			new ScriptEngineTest().testNashornWithNashornScriptEngineReference(code);
+			new ScriptEngineTest().testCustomScriptEngineReference(code);
+			new ScriptEngineTest().testScriptEngineCompilable(code);
+			new ScriptEngineTest().testScriptEngineGetProgram(code);
+		} catch (ScriptException se) {
+			throw new IOException(se.getMessage());
+		}
+	}
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.expected
@@ -1,58 +1,58 @@
 edges
 | RhinoServlet.java:28:23:28:50 | getParameter(...) : String | RhinoServlet.java:32:55:32:58 | code |
-| RhinoServlet.java:84:23:84:50 | getParameter(...) : String | RhinoServlet.java:86:54:86:57 | code |
-| RhinoServlet.java:91:23:91:50 | getParameter(...) : String | RhinoServlet.java:92:74:92:88 | getBytes(...) |
-| ScriptEngineTest.java:8:44:8:55 | input : String | ScriptEngineTest.java:12:37:12:41 | input |
-| ScriptEngineTest.java:15:51:15:62 | input : String | ScriptEngineTest.java:19:31:19:35 | input |
-| ScriptEngineTest.java:23:58:23:69 | input : String | ScriptEngineTest.java:27:31:27:35 | input |
-| ScriptEngineTest.java:30:46:30:57 | input : String | ScriptEngineTest.java:34:31:34:35 | input |
-| ScriptEngineTest.java:37:41:37:52 | input : String | ScriptEngineTest.java:40:42:40:46 | input |
-| ScriptEngineTest.java:44:41:44:52 | input : String | ScriptEngineTest.java:47:51:47:55 | input |
-| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:52:56:52:62 | ...[...] : String |
-| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:53:63:53:69 | ...[...] : String |
-| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:54:70:54:76 | ...[...] : String |
-| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:55:58:55:64 | ...[...] : String |
-| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:56:53:56:59 | ...[...] : String |
-| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:57:53:57:59 | ...[...] : String |
-| ScriptEngineTest.java:52:56:52:62 | ...[...] : String | ScriptEngineTest.java:8:44:8:55 | input : String |
-| ScriptEngineTest.java:53:63:53:69 | ...[...] : String | ScriptEngineTest.java:15:51:15:62 | input : String |
-| ScriptEngineTest.java:54:70:54:76 | ...[...] : String | ScriptEngineTest.java:23:58:23:69 | input : String |
-| ScriptEngineTest.java:55:58:55:64 | ...[...] : String | ScriptEngineTest.java:30:46:30:57 | input : String |
-| ScriptEngineTest.java:56:53:56:59 | ...[...] : String | ScriptEngineTest.java:37:41:37:52 | input : String |
-| ScriptEngineTest.java:57:53:57:59 | ...[...] : String | ScriptEngineTest.java:44:41:44:52 | input : String |
+| RhinoServlet.java:81:23:81:50 | getParameter(...) : String | RhinoServlet.java:83:54:83:57 | code |
+| RhinoServlet.java:88:23:88:50 | getParameter(...) : String | RhinoServlet.java:89:74:89:88 | getBytes(...) |
+| ScriptEngineTest.java:20:44:20:55 | input : String | ScriptEngineTest.java:24:37:24:41 | input |
+| ScriptEngineTest.java:27:51:27:62 | input : String | ScriptEngineTest.java:31:31:31:35 | input |
+| ScriptEngineTest.java:35:58:35:69 | input : String | ScriptEngineTest.java:39:31:39:35 | input |
+| ScriptEngineTest.java:42:46:42:57 | input : String | ScriptEngineTest.java:46:31:46:35 | input |
+| ScriptEngineTest.java:49:41:49:52 | input : String | ScriptEngineTest.java:52:42:52:46 | input |
+| ScriptEngineTest.java:56:41:56:52 | input : String | ScriptEngineTest.java:59:51:59:55 | input |
+| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:93:57:93:60 | code : String |
+| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:94:64:94:67 | code : String |
+| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:95:71:95:74 | code : String |
+| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:96:59:96:62 | code : String |
+| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:97:54:97:57 | code : String |
+| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:98:54:98:57 | code : String |
+| ScriptEngineTest.java:93:57:93:60 | code : String | ScriptEngineTest.java:20:44:20:55 | input : String |
+| ScriptEngineTest.java:94:64:94:67 | code : String | ScriptEngineTest.java:27:51:27:62 | input : String |
+| ScriptEngineTest.java:95:71:95:74 | code : String | ScriptEngineTest.java:35:58:35:69 | input : String |
+| ScriptEngineTest.java:96:59:96:62 | code : String | ScriptEngineTest.java:42:46:42:57 | input : String |
+| ScriptEngineTest.java:97:54:97:57 | code : String | ScriptEngineTest.java:49:41:49:52 | input : String |
+| ScriptEngineTest.java:98:54:98:57 | code : String | ScriptEngineTest.java:56:41:56:52 | input : String |
 nodes
 | RhinoServlet.java:28:23:28:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | RhinoServlet.java:32:55:32:58 | code | semmle.label | code |
-| RhinoServlet.java:84:23:84:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RhinoServlet.java:86:54:86:57 | code | semmle.label | code |
-| RhinoServlet.java:91:23:91:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RhinoServlet.java:92:74:92:88 | getBytes(...) | semmle.label | getBytes(...) |
-| ScriptEngineTest.java:8:44:8:55 | input : String | semmle.label | input : String |
-| ScriptEngineTest.java:12:37:12:41 | input | semmle.label | input |
-| ScriptEngineTest.java:15:51:15:62 | input : String | semmle.label | input : String |
-| ScriptEngineTest.java:19:31:19:35 | input | semmle.label | input |
-| ScriptEngineTest.java:23:58:23:69 | input : String | semmle.label | input : String |
-| ScriptEngineTest.java:27:31:27:35 | input | semmle.label | input |
-| ScriptEngineTest.java:30:46:30:57 | input : String | semmle.label | input : String |
-| ScriptEngineTest.java:34:31:34:35 | input | semmle.label | input |
-| ScriptEngineTest.java:37:41:37:52 | input : String | semmle.label | input : String |
-| ScriptEngineTest.java:40:42:40:46 | input | semmle.label | input |
-| ScriptEngineTest.java:44:41:44:52 | input : String | semmle.label | input : String |
-| ScriptEngineTest.java:47:51:47:55 | input | semmle.label | input |
-| ScriptEngineTest.java:51:26:51:38 | args : String[] | semmle.label | args : String[] |
-| ScriptEngineTest.java:52:56:52:62 | ...[...] : String | semmle.label | ...[...] : String |
-| ScriptEngineTest.java:53:63:53:69 | ...[...] : String | semmle.label | ...[...] : String |
-| ScriptEngineTest.java:54:70:54:76 | ...[...] : String | semmle.label | ...[...] : String |
-| ScriptEngineTest.java:55:58:55:64 | ...[...] : String | semmle.label | ...[...] : String |
-| ScriptEngineTest.java:56:53:56:59 | ...[...] : String | semmle.label | ...[...] : String |
-| ScriptEngineTest.java:57:53:57:59 | ...[...] : String | semmle.label | ...[...] : String |
+| RhinoServlet.java:81:23:81:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RhinoServlet.java:83:54:83:57 | code | semmle.label | code |
+| RhinoServlet.java:88:23:88:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RhinoServlet.java:89:74:89:88 | getBytes(...) | semmle.label | getBytes(...) |
+| ScriptEngineTest.java:20:44:20:55 | input : String | semmle.label | input : String |
+| ScriptEngineTest.java:24:37:24:41 | input | semmle.label | input |
+| ScriptEngineTest.java:27:51:27:62 | input : String | semmle.label | input : String |
+| ScriptEngineTest.java:31:31:31:35 | input | semmle.label | input |
+| ScriptEngineTest.java:35:58:35:69 | input : String | semmle.label | input : String |
+| ScriptEngineTest.java:39:31:39:35 | input | semmle.label | input |
+| ScriptEngineTest.java:42:46:42:57 | input : String | semmle.label | input : String |
+| ScriptEngineTest.java:46:31:46:35 | input | semmle.label | input |
+| ScriptEngineTest.java:49:41:49:52 | input : String | semmle.label | input : String |
+| ScriptEngineTest.java:52:42:52:46 | input | semmle.label | input |
+| ScriptEngineTest.java:56:41:56:52 | input : String | semmle.label | input : String |
+| ScriptEngineTest.java:59:51:59:55 | input | semmle.label | input |
+| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| ScriptEngineTest.java:93:57:93:60 | code : String | semmle.label | code : String |
+| ScriptEngineTest.java:94:64:94:67 | code : String | semmle.label | code : String |
+| ScriptEngineTest.java:95:71:95:74 | code : String | semmle.label | code : String |
+| ScriptEngineTest.java:96:59:96:62 | code : String | semmle.label | code : String |
+| ScriptEngineTest.java:97:54:97:57 | code : String | semmle.label | code : String |
+| ScriptEngineTest.java:98:54:98:57 | code : String | semmle.label | code : String |
 #select
 | RhinoServlet.java:32:29:32:78 | evaluateString(...) | RhinoServlet.java:28:23:28:50 | getParameter(...) : String | RhinoServlet.java:32:55:32:58 | code | Java Script Engine evaluate $@. | RhinoServlet.java:28:23:28:50 | getParameter(...) | user input |
-| RhinoServlet.java:86:25:86:97 | compileToClassFiles(...) | RhinoServlet.java:84:23:84:50 | getParameter(...) : String | RhinoServlet.java:86:54:86:57 | code | Java Script Engine evaluate $@. | RhinoServlet.java:84:23:84:50 | getParameter(...) | user input |
-| RhinoServlet.java:92:23:92:89 | defineClass(...) | RhinoServlet.java:91:23:91:50 | getParameter(...) : String | RhinoServlet.java:92:74:92:88 | getBytes(...) | Java Script Engine evaluate $@. | RhinoServlet.java:91:23:91:50 | getParameter(...) | user input |
-| ScriptEngineTest.java:12:19:12:42 | eval(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:12:37:12:41 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
-| ScriptEngineTest.java:19:19:19:36 | eval(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:19:31:19:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
-| ScriptEngineTest.java:27:19:27:36 | eval(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:27:31:27:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
-| ScriptEngineTest.java:34:19:34:36 | eval(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:34:31:34:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
-| ScriptEngineTest.java:40:27:40:47 | compile(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:40:42:40:46 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
-| ScriptEngineTest.java:47:20:47:56 | getProgram(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:47:51:47:55 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
+| RhinoServlet.java:83:25:83:97 | compileToClassFiles(...) | RhinoServlet.java:81:23:81:50 | getParameter(...) : String | RhinoServlet.java:83:54:83:57 | code | Java Script Engine evaluate $@. | RhinoServlet.java:81:23:81:50 | getParameter(...) | user input |
+| RhinoServlet.java:89:23:89:89 | defineClass(...) | RhinoServlet.java:88:23:88:50 | getParameter(...) : String | RhinoServlet.java:89:74:89:88 | getBytes(...) | Java Script Engine evaluate $@. | RhinoServlet.java:88:23:88:50 | getParameter(...) | user input |
+| ScriptEngineTest.java:24:19:24:42 | eval(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:24:37:24:41 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
+| ScriptEngineTest.java:31:19:31:36 | eval(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:31:31:31:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
+| ScriptEngineTest.java:39:19:39:36 | eval(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:39:31:39:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
+| ScriptEngineTest.java:46:19:46:36 | eval(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:46:31:46:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
+| ScriptEngineTest.java:52:27:52:47 | compile(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:52:42:52:46 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
+| ScriptEngineTest.java:59:20:59:56 | getProgram(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:59:51:59:55 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
