Skip to content

Commit ed228cb

Browse files
joefarebrotherjoefarebrother
committed
Add sinks for URL Open Stream query
1 parent 3f3640f commit ed228cb

File tree

2 files changed

+25
-5
lines changed
  • java/ql/src

2 files changed

+25
-5
lines changed

java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql

Lines changed: 9 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,7 @@
88
import java
99
import semmle.code.java.dataflow.TaintTracking
1010
import semmle.code.java.dataflow.FlowSources
11+
import semmle.code.java.dataflow.ExternalFlow
1112
import DataFlow::PathGraph
1213

1314
class URLConstructor extends ClassInstanceExpr {
@@ -21,6 +22,13 @@ class URLConstructor extends ClassInstanceExpr {
2122
}
2223
}
2324

25+
class URLOpenStreamCsv extends SinkModelCsv {
26+
override predicate row(string row) {
27+
//"package;type;overrides;name;signature;ext;inputspec;kind",
28+
row = "java.net;URL;true;openStream;();;Argument[-1];url-open-stream"
29+
}
30+
}
31+
2432
class URLOpenStreamMethod extends Method {
2533
URLOpenStreamMethod() {
2634
this.getDeclaringType() instanceof TypeUrl and
@@ -33,11 +41,7 @@ class RemoteURLToOpenStreamFlowConfig extends TaintTracking::Configuration {
3341

3442
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
3543

36-
override predicate isSink(DataFlow::Node sink) {
37-
exists(MethodAccess m |
38-
sink.asExpr() = m.getQualifier() and m.getMethod() instanceof URLOpenStreamMethod
39-
)
40-
}
44+
override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "url-open-stream") }
4145

4246
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
4347
exists(URLConstructor u |

java/ql/src/semmle/code/java/frameworks/guava/IO.qll

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -80,3 +80,19 @@ private class GuavaIoCsv extends SummaryModelCsv {
8080
]
8181
}
8282
}
83+
84+
private class GuavaIoSinkCsv extends SinkModelCsv {
85+
override predicate row(string row) {
86+
row =
87+
[
88+
//"package;type;overrides;name;signature;ext;inputspec;kind",
89+
"com.google.common.io;Resources;false;asByteSource;(URL);;Argument[0];url-open-stream",
90+
"com.google.common.io;Resources;false;asCharSource;(URL,Charset);;Argument[0];url-open-stream",
91+
"com.google.common.io;Resources;false;copy;(URL,OutputStream);;Argument[0];url-open-stream",
92+
"com.google.common.io;Resources;false;asByteSource;(URL);;Argument[0];url-open-stream",
93+
"com.google.common.io;Resources;false;readLines;;;Argument[0];url-open-stream",
94+
"com.google.common.io;Resources;false;toByteArray;(URL);;Argument[0];url-open-stream",
95+
"com.google.common.io;Resources;false;toString;(URL,Charset);;Argument[0];url-open-stream"
96+
]
97+
}
98+
}

0 commit comments

Comments
 (0)