Change method check to taint flow

luchua-bc · luchua-bc · commit fe0e7f5eac23 · 2021-03-25T01:45:13.000Z
diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -11,6 +11,7 @@ import java
 import semmle.code.java.dataflow.FlowSteps
 import semmle.code.java.frameworks.Servlets
 import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.TaintTracking2
 import DataFlow::PathGraph
 
 /** Gets a regular expression for matching common names of sensitive cookies. */
@@ -31,28 +32,6 @@ predicate isSensitiveCookieNameExpr(Expr expr) {
   isSensitiveCookieNameExpr(expr.(AddExpr).getAnOperand())
 }
 
-/** Holds if a string is concatenated with the `HttpOnly` flag. */
-predicate hasHttpOnlyExpr(Expr expr) {
-  (
-    expr.(CompileTimeConstantExpr).getStringValue().toLowerCase().matches("%httponly%")
-    or
-    exists(
-      StaticMethodAccess ma // String.format("%s=%s;HttpOnly", "sessionkey", sessionKey)
-    |
-      ma.getType().getName() = "String" and
-      ma.getMethod().getName() = "format" and
-      ma.getArgument(0)
-          .(CompileTimeConstantExpr)
-          .getStringValue()
-          .toLowerCase()
-          .matches("%httponly%") and
-      expr = ma
-    )
-  )
-  or
-  hasHttpOnlyExpr(expr.(AddExpr).getAnOperand())
-}
-
 /** The method call `Set-Cookie` of `addHeader` or `setHeader`. */
 class SetCookieMethodAccess extends MethodAccess {
   SetCookieMethodAccess() {
@@ -64,6 +43,22 @@ class SetCookieMethodAccess extends MethodAccess {
   }
 }
 
+/**
+ * A taint configuration tracking flow from the text `httponly` to argument 1 of
+ * `SetCookieMethodAccess`.
+ */
+class MatchesHttpOnlyConfiguration extends TaintTracking2::Configuration {
+  MatchesHttpOnlyConfiguration() { this = "MatchesHttpOnlyConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr().(CompileTimeConstantExpr).getStringValue().toLowerCase().matches("%httponly%")
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() = any(SetCookieMethodAccess ma).getArgument(1)
+  }
+}
+
 /** The cookie class of Java EE. */
 class CookieClass extends RefType {
   CookieClass() {
@@ -79,7 +74,7 @@ predicate isBooleanTrue(Expr expr) {
     true
 }
 
-/** Holds if the method or a wrapper method sets the `HttpOnly` flag. */
+/** Holds if the method call sets the `HttpOnly` flag. */
 predicate setHttpOnlyInCookie(MethodAccess ma) {
   ma.getMethod().getName() = "setHttpOnly" and
   (
@@ -93,14 +88,24 @@ predicate setHttpOnlyInCookie(MethodAccess ma) {
       isBooleanTrue(mpa.getArgument(i))
     )
   )
-  or
-  exists(MethodAccess mca |
-    ma.getMethod().calls(mca.getMethod()) and
-    setHttpOnlyInCookie(mca)
-  )
 }
 
-/** Holds if the method or a wrapper method removes a cookie. */
+/**
+ * A taint configuration tracking flow of a method or a wrapper method that sets
+ * the `HttpOnly` flag.
+ */
+class SetHttpOnlyInCookieConfiguration extends TaintTracking2::Configuration {
+  SetHttpOnlyInCookieConfiguration() { this = "SetHttpOnlyInCookieConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { any() }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() =
+      any(MethodAccess ma | ma.getMethod() instanceof ResponseAddCookieMethod).getArgument(0)
+  }
+}
+
+/** Holds if the method call removes a cookie. */
 predicate removeCookie(MethodAccess ma) {
   ma.getMethod().getName() = "setMaxAge" and
   ma.getArgument(0).(IntegerLiteral).getIntValue() = 0
@@ -125,15 +130,14 @@ class CookieResponseSink extends DataFlow::ExprNode {
             setHttpOnlyInCookie(ma2) or
             removeCookie(ma2)
           ) and
-          (
-            DataFlow::localExprFlow(ma2.getQualifier(), this.getExpr()) or
-            DataFlow::localExprFlow(ma2, this.getExpr())
+          exists(SetHttpOnlyInCookieConfiguration cc |
+            cc.hasFlow(DataFlow::exprNode(ma2.getQualifier()), this)
           )
         )
         or
         ma instanceof SetCookieMethodAccess and
         this.getExpr() = ma.getArgument(1) and
-        not hasHttpOnlyExpr(this.getExpr()) // response.addHeader("Set-Cookie", "token=" +authId + ";HttpOnly;Secure")
+        not exists(MatchesHttpOnlyConfiguration cc | cc.hasFlowToExpr(ma.getArgument(1))) // response.addHeader("Set-Cookie", "token=" +authId + ";HttpOnly;Secure")
       ) and
       not isTestMethod(ma) // Test class or method
     )
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
@@ -8,8 +8,8 @@ edges
 | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
 | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
 | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" : String | SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie |
-| SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie | SensitiveCookieNotHttpOnly.java:102:25:102:64 | createAuthenticationCookie(...) : Cookie |
-| SensitiveCookieNotHttpOnly.java:102:25:102:64 | createAuthenticationCookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:103:28:103:33 | cookie |
+| SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie | SensitiveCookieNotHttpOnly.java:110:25:110:64 | createAuthenticationCookie(...) : Cookie |
+| SensitiveCookieNotHttpOnly.java:110:25:110:64 | createAuthenticationCookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:111:28:111:33 | cookie |
 nodes
 | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" : String | semmle.label | "jwt_token" : String |
 | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | semmle.label | jwtCookie |
@@ -26,8 +26,8 @@ nodes
 | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | semmle.label | secString |
 | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" : String | semmle.label | "Presto-UI-Token" : String |
 | SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie | semmle.label | cookie : Cookie |
-| SensitiveCookieNotHttpOnly.java:102:25:102:64 | createAuthenticationCookie(...) : Cookie | semmle.label | createAuthenticationCookie(...) : Cookie |
-| SensitiveCookieNotHttpOnly.java:103:28:103:33 | cookie | semmle.label | cookie |
+| SensitiveCookieNotHttpOnly.java:110:25:110:64 | createAuthenticationCookie(...) : Cookie | semmle.label | createAuthenticationCookie(...) : Cookie |
+| SensitiveCookieNotHttpOnly.java:111:28:111:33 | cookie | semmle.label | cookie |
 #select
 | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" | This sensitive cookie |
 | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" | This sensitive cookie |
@@ -38,4 +38,4 @@ nodes
 | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" | This sensitive cookie |
 | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... | This sensitive cookie |
 | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:103:28:103:33 | cookie | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" : String | SensitiveCookieNotHttpOnly.java:103:28:103:33 | cookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:111:28:111:33 | cookie | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" : String | SensitiveCookieNotHttpOnly.java:111:28:111:33 | cookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" | This sensitive cookie |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
@@ -91,6 +91,14 @@ public Cookie createAuthenticationCookie(HttpServletRequest request, String jwt)
         return cookie;
     }
 
+    public Cookie removeAuthenticationCookie(HttpServletRequest request, String jwt) {
+        String PRESTO_UI_COOKIE = "Presto-UI-Token";
+        Cookie cookie = new Cookie(PRESTO_UI_COOKIE, jwt);
+        cookie.setPath("/ui");
+        cookie.setMaxAge(0);
+        return cookie;
+    }
+
     // GOOD - Tests set a sensitive cookie header with the `HttpOnly` flag set using a wrapper method.
     public void addCookie11(HttpServletRequest request, HttpServletResponse response, String jwt) {
         Cookie cookie = createHttpOnlyAuthenticationCookie(request, jwt);
@@ -103,6 +111,12 @@ public void addCookie12(HttpServletRequest request, HttpServletResponse response
         response.addCookie(cookie);
     }
 
+    // GOOD - Tests remove a sensitive cookie header without the `HttpOnly` flag set using a wrapper method.
+    public void addCookie13(HttpServletRequest request, HttpServletResponse response, String jwt) {
+        Cookie cookie = removeAuthenticationCookie(request, jwt);
+        response.addCookie(cookie);
+    }
+
     private Cookie createCookie(String name, String value, Boolean httpOnly){
         Cookie cookie = null;
         cookie = new Cookie(name, value);
@@ -119,12 +133,12 @@ private Cookie createCookie(String name, String value, Boolean httpOnly){
     }
 
     // GOOD - Tests set a sensitive cookie header with the `HttpOnly` flag set through a boolean variable using a wrapper method.
-    public void addCookie13(HttpServletRequest request, HttpServletResponse response, String refreshToken) {
+    public void addCookie14(HttpServletRequest request, HttpServletResponse response, String refreshToken) {
         response.addCookie(createCookie("refresh_token", refreshToken, true));
     }
 
     // BAD - Tests set a sensitive cookie header with the `HttpOnly` flag not set through a boolean variable using a wrapper method.
-    public void addCookie14(HttpServletRequest request, HttpServletResponse response, String refreshToken) {
+    public void addCookie15(HttpServletRequest request, HttpServletResponse response, String refreshToken) {
         response.addCookie(createCookie("refresh_token", refreshToken, false));
     }
 
