Optimize the TaintTracking

luchua-bc · luchua-bc · commit ff0dacf1d76a · 2020-08-03T00:52:47.000Z
diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql
@@ -13,6 +13,14 @@ import semmle.code.java.frameworks.Networking
 import semmle.code.java.dataflow.TaintTracking
 import DataFlow::PathGraph
 
+/**
+ * Gets a regular expression for matching private hosts, which only matches the host portion therefore checking for port is not necessary.
+ */
+private string getPrivateHostRegex() {
+  result =
+    "(?i)localhost(?:[:/?#].*)?|127\\.0\\.0\\.1(?:[:/?#].*)?|10(?:\\.[0-9]+){3}(?:[:/?#].*)?|172\\.16(?:\\.[0-9]+){2}(?:[:/?#].*)?|192.168(?:\\.[0-9]+){2}(?:[:/?#].*)?|\\[0:0:0:0:0:0:0:1\\](?:[:/?#].*)?|\\[::1\\](?:[:/?#].*)?"
+}
+
 /**
  * The Java class `org.apache.http.client.methods.HttpRequestBase`. Popular subclasses include `HttpGet`, `HttpPost`, and `HttpPut`.
  * And the Java class `org.apache.http.message.BasicHttpRequest`.
@@ -35,16 +43,17 @@ class URLConstructor extends ClassInstanceExpr {
   predicate hasHttpStringArg() {
     this.getConstructor().getParameter(0).getType() instanceof TypeString and
     (
-      // URLs constructed with the string constructor `URL(String spec)`
-      this.getConstructor().getNumberOfParameters() = 1 and
-      this.getArgument(0) instanceof HttpString // First argument contains the whole spec.
-      or
       // URLs constructed with any of the three string constructors below:
       // `URL(String protocol, String host, int port, String file)`,
       // `URL(String protocol, String host, int port, String file, URLStreamHandler handler)`,
       // `URL(String protocol, String host, String file)`
       this.getConstructor().getNumberOfParameters() > 1 and
-      concatHttpString(getArgument(0), this.getArgument(1)) // First argument contains the protocol part and the second argument contains the host part.
+      concatHttpString(getArgument(0), this.getArgument(1))
+      or
+      // First argument contains the protocol part and the second argument contains the host part.
+      // URLs constructed with the string constructor `URL(String spec)`
+      this.getConstructor().getNumberOfParameters() = 1 and
+      this.getArgument(0) instanceof HttpString // First argument contains the whole spec.
     )
   }
 }
@@ -57,32 +66,29 @@ class URIConstructor extends ClassInstanceExpr {
 
   predicate hasHttpStringArg() {
     (
-      this.getNumArgument() = 1 // `URI(String str)`
+      this.getNumArgument() = 1 and
+      this.getArgument(0) instanceof HttpString // `URI(String str)`
       or
       this.getNumArgument() = 4 and
       concatHttpString(this.getArgument(0), this.getArgument(1)) // `URI(String scheme, String host, String path, String fragment)`
       or
+      this.getNumArgument() = 5 and
+      concatHttpString(this.getArgument(0), this.getArgument(1)) // `URI(String scheme, String authority, String path, String query, String fragment)` without user-info in authority
+      or
       this.getNumArgument() = 7 and
       concatHttpString(this.getArgument(0), this.getArgument(2)) // `URI(String scheme, String userInfo, String host, int port, String path, String query, String fragment)`
     )
   }
 }
 
-/**
- * Gets a regular expression for matching private hosts.
- */
-private string getPrivateHostRegex() {
-  result = "(?i)localhost([:/].*)?|127\\.0\\.0\\.1([:/].*)?|10(\\.[0-9]+){3}([:/].*)?|172\\.16(\\.[0-9]+){2}([:/].*)?|192.168(\\.[0-9]+){2}([:/].*)?|\\[0:0:0:0:0:0:0:1\\]([:/].*)?|\\[::1\\]([:/].*)?" 
-}
-
 /**
  * String of HTTP URLs not in private domains.
  */
 class HttpStringLiteral extends StringLiteral {
   HttpStringLiteral() {
     // Match URLs with the HTTP protocol and without private IP addresses to reduce false positives.
     exists(string s | this.getRepresentedString() = s |
-      s.regexpMatch("(?i)http://[a-zA-Z0-9].*") and
+      s.regexpMatch("(?i)http://[\\[a-zA-Z0-9].*") and
       not s.substring(7, s.length()).regexpMatch(getPrivateHostRegex())
     )
   }
@@ -121,15 +127,7 @@ class HttpString extends Expr {
   HttpString() {
     this instanceof HttpStringLiteral
     or
-    this.(VarAccess).getVariable().getAnAssignedValue() instanceof HttpStringLiteral
-    or
     concatHttpString(this.(AddExpr).getLeftOperand(), this.(AddExpr).getRightOperand())
-    or
-    concatHttpString(this.(AddExpr).getLeftOperand().(AddExpr).getLeftOperand(),
-      this.(AddExpr).getLeftOperand().(AddExpr).getRightOperand())
-    or
-    concatHttpString(this.(AddExpr).getLeftOperand(),
-      this.(AddExpr).getRightOperand().(AddExpr).getLeftOperand()) // First two elements of a string concatenated from an arbitrary number of elements.
   }
 }
 
@@ -170,16 +168,15 @@ predicate apacheHttpRequest(DataFlow::Node node1, DataFlow::Node node2) {
   )
 }
 
-/** Constructors of `URI` */
+/** `URI` methods */
 predicate createURI(DataFlow::Node node1, DataFlow::Node node2) {
-  exists(URIConstructor cc |
+  exists(URIConstructor cc |  // new URI
     node2.asExpr() = cc and
-    cc.getArgument(0) = node1.asExpr() and
-    cc.hasHttpStringArg()
+    cc.getArgument(0) = node1.asExpr()
   )
   or
   exists(
-    StaticMethodAccess ma // URI.create
+    StaticMethodAccess ma  // URI.create
   |
     ma.getMethod().getDeclaringType().hasQualifiedName("java.net", "URI") and
     ma.getMethod().hasName("create") and
@@ -192,8 +189,7 @@ predicate createURI(DataFlow::Node node1, DataFlow::Node node2) {
 predicate createURL(DataFlow::Node node1, DataFlow::Node node2) {
   exists(URLConstructor cc |
     node2.asExpr() = cc and
-    cc.getArgument(0) = node1.asExpr() and
-    cc.hasHttpStringArg()
+    cc.getArgument(0) = node1.asExpr()
   )
 }
 
@@ -257,4 +253,4 @@ class BasicAuthFlowConfig extends TaintTracking::Configuration {
 from DataFlow::PathNode source, DataFlow::PathNode sink, BasicAuthFlowConfig config
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Insecure basic authentication from $@.", source.getNode(),
-  "this user input"
+  "HTTP url"
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.expected b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.expected
@@ -1,53 +1,43 @@
 edges
 | InsecureBasicAuth.java:20:39:20:52 | ... + ... : String | InsecureBasicAuth.java:28:3:28:6 | post |
-| InsecureBasicAuth.java:20:39:20:81 | ... + ... : String | InsecureBasicAuth.java:28:3:28:6 | post |
-| InsecureBasicAuth.java:35:9:35:61 | "http://dashboardHost:dashboardPort/payment/retrieve" : String | InsecureBasicAuth.java:38:3:38:5 | get |
-| InsecureBasicAuth.java:36:29:36:31 | url : String | InsecureBasicAuth.java:38:3:38:5 | get |
+| InsecureBasicAuth.java:35:19:35:73 | "http://www.example.com:dashboardPort/payment/retrieve" : String | InsecureBasicAuth.java:38:3:38:5 | get |
 | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:54:3:54:6 | post |
-| InsecureBasicAuth.java:46:50:46:55 | uriStr : String | InsecureBasicAuth.java:54:3:54:6 | post |
-| InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:70:3:70:6 | post |
-| InsecureBasicAuth.java:62:56:62:61 | uriStr : String | InsecureBasicAuth.java:70:3:70:6 | post |
-| InsecureBasicAuth.java:77:19:77:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:87:3:87:6 | post |
-| InsecureBasicAuth.java:78:58:78:63 | uriStr : String | InsecureBasicAuth.java:87:3:87:6 | post |
-| InsecureBasicAuth.java:94:19:94:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:98:28:98:67 | (...)... : URLConnection |
-| InsecureBasicAuth.java:97:21:97:26 | urlStr : String | InsecureBasicAuth.java:98:28:98:67 | (...)... : URLConnection |
-| InsecureBasicAuth.java:98:28:98:67 | (...)... : URLConnection | InsecureBasicAuth.java:101:3:101:6 | conn |
-| InsecureBasicAuth.java:113:21:113:28 | protocol : String | InsecureBasicAuth.java:114:28:114:67 | (...)... : URLConnection |
-| InsecureBasicAuth.java:114:28:114:67 | (...)... : URLConnection | InsecureBasicAuth.java:117:3:117:6 | conn |
+| InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:71:3:71:6 | post |
+| InsecureBasicAuth.java:78:47:78:52 | "http" : String | InsecureBasicAuth.java:86:3:86:6 | post |
+| InsecureBasicAuth.java:93:19:93:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:102:3:102:6 | post |
+| InsecureBasicAuth.java:109:19:109:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:119:3:119:6 | post |
+| InsecureBasicAuth.java:126:19:126:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:130:28:130:67 | (...)... : URLConnection |
+| InsecureBasicAuth.java:130:28:130:67 | (...)... : URLConnection | InsecureBasicAuth.java:133:3:133:6 | conn |
+| InsecureBasicAuth.java:145:21:145:28 | protocol : String | InsecureBasicAuth.java:146:28:146:67 | (...)... : URLConnection |
+| InsecureBasicAuth.java:146:28:146:67 | (...)... : URLConnection | InsecureBasicAuth.java:149:3:149:6 | conn |
 nodes
 | InsecureBasicAuth.java:20:39:20:52 | ... + ... : String | semmle.label | ... + ... : String |
-| InsecureBasicAuth.java:20:39:20:81 | ... + ... : String | semmle.label | ... + ... : String |
 | InsecureBasicAuth.java:28:3:28:6 | post | semmle.label | post |
-| InsecureBasicAuth.java:35:9:35:61 | "http://dashboardHost:dashboardPort/payment/retrieve" : String | semmle.label | "http://dashboardHost:dashboardPort/payment/retrieve" : String |
-| InsecureBasicAuth.java:36:29:36:31 | url : String | semmle.label | url : String |
+| InsecureBasicAuth.java:35:19:35:73 | "http://www.example.com:dashboardPort/payment/retrieve" : String | semmle.label | "http://www.example.com:dashboardPort/payment/retrieve" : String |
 | InsecureBasicAuth.java:38:3:38:5 | get | semmle.label | get |
 | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String |
-| InsecureBasicAuth.java:46:50:46:55 | uriStr : String | semmle.label | uriStr : String |
 | InsecureBasicAuth.java:54:3:54:6 | post | semmle.label | post |
 | InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String |
-| InsecureBasicAuth.java:62:56:62:61 | uriStr : String | semmle.label | uriStr : String |
-| InsecureBasicAuth.java:70:3:70:6 | post | semmle.label | post |
-| InsecureBasicAuth.java:77:19:77:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String |
-| InsecureBasicAuth.java:78:58:78:63 | uriStr : String | semmle.label | uriStr : String |
-| InsecureBasicAuth.java:87:3:87:6 | post | semmle.label | post |
-| InsecureBasicAuth.java:94:19:94:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String |
-| InsecureBasicAuth.java:97:21:97:26 | urlStr : String | semmle.label | urlStr : String |
-| InsecureBasicAuth.java:98:28:98:67 | (...)... : URLConnection | semmle.label | (...)... : URLConnection |
-| InsecureBasicAuth.java:101:3:101:6 | conn | semmle.label | conn |
-| InsecureBasicAuth.java:113:21:113:28 | protocol : String | semmle.label | protocol : String |
-| InsecureBasicAuth.java:114:28:114:67 | (...)... : URLConnection | semmle.label | (...)... : URLConnection |
-| InsecureBasicAuth.java:117:3:117:6 | conn | semmle.label | conn |
+| InsecureBasicAuth.java:71:3:71:6 | post | semmle.label | post |
+| InsecureBasicAuth.java:78:47:78:52 | "http" : String | semmle.label | "http" : String |
+| InsecureBasicAuth.java:86:3:86:6 | post | semmle.label | post |
+| InsecureBasicAuth.java:93:19:93:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String |
+| InsecureBasicAuth.java:102:3:102:6 | post | semmle.label | post |
+| InsecureBasicAuth.java:109:19:109:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String |
+| InsecureBasicAuth.java:119:3:119:6 | post | semmle.label | post |
+| InsecureBasicAuth.java:126:19:126:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String |
+| InsecureBasicAuth.java:130:28:130:67 | (...)... : URLConnection | semmle.label | (...)... : URLConnection |
+| InsecureBasicAuth.java:133:3:133:6 | conn | semmle.label | conn |
+| InsecureBasicAuth.java:145:21:145:28 | protocol : String | semmle.label | protocol : String |
+| InsecureBasicAuth.java:146:28:146:67 | (...)... : URLConnection | semmle.label | (...)... : URLConnection |
+| InsecureBasicAuth.java:149:3:149:6 | conn | semmle.label | conn |
 #select
-| InsecureBasicAuth.java:28:3:28:6 | post | InsecureBasicAuth.java:20:39:20:52 | ... + ... : String | InsecureBasicAuth.java:28:3:28:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:20:39:20:52 | ... + ... | this user input |
-| InsecureBasicAuth.java:28:3:28:6 | post | InsecureBasicAuth.java:20:39:20:81 | ... + ... : String | InsecureBasicAuth.java:28:3:28:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:20:39:20:81 | ... + ... | this user input |
-| InsecureBasicAuth.java:38:3:38:5 | get | InsecureBasicAuth.java:35:9:35:61 | "http://dashboardHost:dashboardPort/payment/retrieve" : String | InsecureBasicAuth.java:38:3:38:5 | get | Insecure basic authentication from $@. | InsecureBasicAuth.java:35:9:35:61 | "http://dashboardHost:dashboardPort/payment/retrieve" | this user input |
-| InsecureBasicAuth.java:38:3:38:5 | get | InsecureBasicAuth.java:36:29:36:31 | url : String | InsecureBasicAuth.java:38:3:38:5 | get | Insecure basic authentication from $@. | InsecureBasicAuth.java:36:29:36:31 | url | this user input |
-| InsecureBasicAuth.java:54:3:54:6 | post | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:54:3:54:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | this user input |
-| InsecureBasicAuth.java:54:3:54:6 | post | InsecureBasicAuth.java:46:50:46:55 | uriStr : String | InsecureBasicAuth.java:54:3:54:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:46:50:46:55 | uriStr | this user input |
-| InsecureBasicAuth.java:70:3:70:6 | post | InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:70:3:70:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | this user input |
-| InsecureBasicAuth.java:70:3:70:6 | post | InsecureBasicAuth.java:62:56:62:61 | uriStr : String | InsecureBasicAuth.java:70:3:70:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:62:56:62:61 | uriStr | this user input |
-| InsecureBasicAuth.java:87:3:87:6 | post | InsecureBasicAuth.java:77:19:77:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:87:3:87:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:77:19:77:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | this user input |
-| InsecureBasicAuth.java:87:3:87:6 | post | InsecureBasicAuth.java:78:58:78:63 | uriStr : String | InsecureBasicAuth.java:87:3:87:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:78:58:78:63 | uriStr | this user input |
-| InsecureBasicAuth.java:101:3:101:6 | conn | InsecureBasicAuth.java:94:19:94:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:101:3:101:6 | conn | Insecure basic authentication from $@. | InsecureBasicAuth.java:94:19:94:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | this user input |
-| InsecureBasicAuth.java:101:3:101:6 | conn | InsecureBasicAuth.java:97:21:97:26 | urlStr : String | InsecureBasicAuth.java:101:3:101:6 | conn | Insecure basic authentication from $@. | InsecureBasicAuth.java:97:21:97:26 | urlStr | this user input |
-| InsecureBasicAuth.java:117:3:117:6 | conn | InsecureBasicAuth.java:113:21:113:28 | protocol : String | InsecureBasicAuth.java:117:3:117:6 | conn | Insecure basic authentication from $@. | InsecureBasicAuth.java:113:21:113:28 | protocol | this user input |
+| InsecureBasicAuth.java:28:3:28:6 | post | InsecureBasicAuth.java:20:39:20:52 | ... + ... : String | InsecureBasicAuth.java:28:3:28:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:20:39:20:52 | ... + ... | HTTP url |
+| InsecureBasicAuth.java:38:3:38:5 | get | InsecureBasicAuth.java:35:19:35:73 | "http://www.example.com:dashboardPort/payment/retrieve" : String | InsecureBasicAuth.java:38:3:38:5 | get | Insecure basic authentication from $@. | InsecureBasicAuth.java:35:19:35:73 | "http://www.example.com:dashboardPort/payment/retrieve" | HTTP url |
+| InsecureBasicAuth.java:54:3:54:6 | post | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:54:3:54:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP url |
+| InsecureBasicAuth.java:71:3:71:6 | post | InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:71:3:71:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP url |
+| InsecureBasicAuth.java:86:3:86:6 | post | InsecureBasicAuth.java:78:47:78:52 | "http" : String | InsecureBasicAuth.java:86:3:86:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:78:47:78:52 | "http" | HTTP url |
+| InsecureBasicAuth.java:102:3:102:6 | post | InsecureBasicAuth.java:93:19:93:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:102:3:102:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:93:19:93:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP url |
+| InsecureBasicAuth.java:119:3:119:6 | post | InsecureBasicAuth.java:109:19:109:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:119:3:119:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:109:19:109:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP url |
+| InsecureBasicAuth.java:133:3:133:6 | conn | InsecureBasicAuth.java:126:19:126:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:133:3:133:6 | conn | Insecure basic authentication from $@. | InsecureBasicAuth.java:126:19:126:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP url |
+| InsecureBasicAuth.java:149:3:149:6 | conn | InsecureBasicAuth.java:145:21:145:28 | protocol : String | InsecureBasicAuth.java:149:3:149:6 | conn | Insecure basic authentication from $@. | InsecureBasicAuth.java:145:21:145:28 | protocol | HTTP url |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.java b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.java
