Add TaintedPermissionsCheckQuery

egregius313 · egregius313 · commit 1af6d5f7b304 · 2023-05-04T10:14:59.000-04:00
diff --git a/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md b/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added the `TaintedPermissionQuery.qll` library to provide the `TaintedPermissionFlow` taint-tracking module to reason about tainted permission vulnerabilities.
diff --git a/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll
@@ -0,0 +1,65 @@
+/** Provides classes to reason about tainted permissions check vulnerabilities. */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+
+/**
+ * The `org.apache.shiro.subject.Subject` class.
+ */
+private class TypeShiroSubject extends RefType {
+  TypeShiroSubject() { this.getQualifiedName() = "org.apache.shiro.subject.Subject" }
+}
+
+/**
+ * The `org.apache.shiro.authz.permission.WildcardPermission` class.
+ */
+private class TypeShiroWildCardPermission extends RefType {
+  TypeShiroWildCardPermission() {
+    this.getQualifiedName() = "org.apache.shiro.authz.permission.WildcardPermission"
+  }
+}
+
+/**
+ * An expression that constructs a permission.
+ */
+abstract class PermissionsConstruction extends Top {
+  /** Gets the input to this permission construction. */
+  abstract Expr getInput();
+}
+
+private class PermissionsCheckMethodAccess extends MethodAccess, PermissionsConstruction {
+  PermissionsCheckMethodAccess() {
+    exists(Method m | m = this.getMethod() |
+      m.getDeclaringType() instanceof TypeShiroSubject and
+      m.getName() = "isPermitted"
+      or
+      m.getName().toLowerCase().matches("%permitted%") and
+      m.getNumberOfParameters() = 1
+    )
+  }
+
+  override Expr getInput() { result = this.getArgument(0) }
+}
+
+private class WildCardPermissionConstruction extends ClassInstanceExpr, PermissionsConstruction {
+  WildCardPermissionConstruction() {
+    this.getConstructor().getDeclaringType() instanceof TypeShiroWildCardPermission
+  }
+
+  override Expr getInput() { result = this.getArgument(0) }
+}
+
+/**
+ * A configuration for tracking flow from user input to a permissions check.
+ */
+module TaintedPermissionsCheckFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof UserInput }
+
+  predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() = any(PermissionsConstruction p).getInput()
+  }
+}
+
+/** Tracks flow from user input to a permissions check. */
+module TaintedPermissionsCheckFlow = TaintTracking::Global<TaintedPermissionsCheckFlowConfig>;
diff --git a/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql b/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
@@ -13,55 +13,7 @@
  */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.dataflow.TaintTracking
-
-class TypeShiroSubject extends RefType {
-  TypeShiroSubject() { this.getQualifiedName() = "org.apache.shiro.subject.Subject" }
-}
-
-class TypeShiroWCPermission extends RefType {
-  TypeShiroWCPermission() {
-    this.getQualifiedName() = "org.apache.shiro.authz.permission.WildcardPermission"
-  }
-}
-
-abstract class PermissionsConstruction extends Top {
-  abstract Expr getInput();
-}
-
-class PermissionsCheckMethodAccess extends MethodAccess, PermissionsConstruction {
-  PermissionsCheckMethodAccess() {
-    exists(Method m | m = this.getMethod() |
-      m.getDeclaringType() instanceof TypeShiroSubject and
-      m.getName() = "isPermitted"
-      or
-      m.getName().toLowerCase().matches("%permitted%") and
-      m.getNumberOfParameters() = 1
-    )
-  }
-
-  override Expr getInput() { result = this.getArgument(0) }
-}
-
-class WCPermissionConstruction extends ClassInstanceExpr, PermissionsConstruction {
-  WCPermissionConstruction() {
-    this.getConstructor().getDeclaringType() instanceof TypeShiroWCPermission
-  }
-
-  override Expr getInput() { result = this.getArgument(0) }
-}
-
-module TaintedPermissionsCheckFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof UserInput }
-
-  predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() = any(PermissionsConstruction p).getInput()
-  }
-}
-
-module TaintedPermissionsCheckFlow = TaintTracking::Global<TaintedPermissionsCheckFlowConfig>;
-
+import semmle.code.java.security.TaintedPermissionsCheckQuery
 import TaintedPermissionsCheckFlow::PathGraph
 
 from

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added the `TaintedPermissionQuery.qll` library to provide the `TaintedPermissionFlow` taint-tracking module to reason about tainted permission vulnerabilities.