Java: Convert insecure bean validation sink to CSV format

tamasvajk · tamasvajk · commit f329c3fdab60 · 2021-04-09T13:06:04.000+02:00
diff --git a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
@@ -13,6 +13,7 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
 import DataFlow::PathGraph
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A message interpolator Type that perform Expression Language (EL) evaluations
@@ -50,19 +51,6 @@ class SetMessageInterpolatorCall extends MethodAccess {
   predicate isSafe() { not this.getAnArgument().getType() instanceof ELMessageInterpolatorType }
 }
 
-/**
- * A method named `buildConstraintViolationWithTemplate` declared on a subtype
- * of `javax.validation.ConstraintValidatorContext`.
- */
-class BuildConstraintViolationWithTemplateMethod extends Method {
-  BuildConstraintViolationWithTemplateMethod() {
-    this.getDeclaringType()
-        .getASupertype*()
-        .hasQualifiedName("javax.validation", "ConstraintValidatorContext") and
-    this.hasName("buildConstraintViolationWithTemplate")
-  }
-}
-
 /**
  * Taint tracking BeanValidationConfiguration describing the flow of data from user input
  * to the argument of a method that builds constraint error messages.
@@ -72,12 +60,7 @@ class BeanValidationConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma |
-      ma.getMethod() instanceof BuildConstraintViolationWithTemplateMethod and
-      sink.asExpr() = ma.getArgument(0)
-    )
-  }
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "bean-validation") }
 }
 
 from BeanValidationConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -203,7 +203,9 @@ private predicate sinkModelCsv(string row) {
       "java.nio.file;Files;false;createLink;;;Argument[0];create-file",
       "java.nio.file;Files;false;createSymbolicLink;;;Argument[0];create-file",
       "java.nio.file;Files;false;createTempDirectory;;;Argument[0];create-file",
-      "java.nio.file;Files;false;createTempFile;;;Argument[0];create-file"
+      "java.nio.file;Files;false;createTempFile;;;Argument[0];create-file",
+      // Bean validation
+      "javax.validation;ConstraintValidatorContext;true;buildConstraintViolationWithTemplate;;;Argument[0];bean-validation"
     ]
 }
 

Original file line number	Diff line number	Diff line change
`@@ -203,7 +203,9 @@ private predicate sinkModelCsv(string row) {`
`203`	`203`	`"java.nio.file;Files;false;createLink;;;Argument[0];create-file",`
`204`	`204`	`"java.nio.file;Files;false;createSymbolicLink;;;Argument[0];create-file",`
`205`	`205`	`"java.nio.file;Files;false;createTempDirectory;;;Argument[0];create-file",`
`206`		`- "java.nio.file;Files;false;createTempFile;;;Argument[0];create-file"`
	`206`	`+ "java.nio.file;Files;false;createTempFile;;;Argument[0];create-file",`
	`207`	`+ // Bean validation`
	`208`	`+ "javax.validation;ConstraintValidatorContext;true;buildConstraintViolationWithTemplate;;;Argument[0];bean-validation"`
`207`	`209`	`]`
`208`	`210`	`}`
`209`	`211`