Add improper validation of array size query libraries

Author: egregius313

java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll

@@ -0,0 +1,25 @@
+/** Provides a dataflow configuration to reason about improper validation of code-specified size used for array construction. */
+
+import java
+import semmle.code.java.security.internal.ArraySizing
+import semmle.code.java.dataflow.TaintTracking
+
+/**
+ * A dataflow configuration to reason about improper validation of code-specified size used for array construction.
+ */
+module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source instanceof BoundedFlowSource and
+    // There is not a fixed lower bound which is greater than zero.
+    not source.(BoundedFlowSource).lowerBound() > 0
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
+  }
+}
+
+/**
+ * Dataflow flow for improper validation of code-specified size used for array construction.
+ */
+module BoundedFlowSourceFlow = DataFlow::Global<BoundedFlowSourceConfig>;

java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionLocalQuery.qll

@@ -0,0 +1,22 @@
+/** Provides a taint-tracking configuration to reason about improper validation of local user-provided size used for array construction. */
+
+import java
+import semmle.code.java.security.internal.ArraySizing
+import semmle.code.java.dataflow.FlowSources
+
+/**
+ * A taint-tracking configuration to reason about improper validation of local user-provided size used for array construction.
+ */
+module ImproperValidationOfArrayConstructionLocalConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
+
+  predicate isSink(DataFlow::Node sink) {
+    any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
+  }
+}
+
+/**
+ * Taint-tracking flow for improper validation of local user-provided size used for array construction.
+ */
+module ImproperValidationOfArrayConstructionLocalFlow =
+  TaintTracking::Global<ImproperValidationOfArrayConstructionLocalConfig>;

java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll

@@ -0,0 +1,22 @@
+/** Provides a taint-tracking configuration to reason about improper validation of user-provided size used for array construction. */
+
+import java
+import semmle.code.java.security.internal.ArraySizing
+import semmle.code.java.dataflow.FlowSources
+
+/**
+ * A taint-tracking configuration to reason about improper validation of user-provided size used for array construction.
+ */
+private module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) {
+    any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
+  }
+}
+
+/**
+ * Taint-tracking flow for improper validation of user-provided size used for array construction.
+ */
+module ImproperValidationOfArrayConstructionFlow =
+  TaintTracking::Global<ImproperValidationOfArrayConstructionConfig>;

java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll

@@ -0,0 +1,22 @@
+/** Provides a dataflow configuration to reason about improper validation of code-specified array index. */
+
+import java
+import semmle.code.java.security.internal.ArraySizing
+import semmle.code.java.security.internal.BoundingChecks
+import semmle.code.java.dataflow.TaintTracking
+
+/**
+ * A dataflow configuration to reason about improper validation of code-specified array index.
+ */
+module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof BoundedFlowSource }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(CheckableArrayAccess arrayAccess | arrayAccess.canThrowOutOfBounds(sink.asExpr()))
+  }
+}
+
+/**
+ * Dataflow flow for improper validation of code-specified array index.
+ */
+module BoundedFlowSourceFlow = DataFlow::Global<BoundedFlowSourceConfig>;

java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexLocalQuery.qll

@@ -0,0 +1,22 @@
+/** Provides a taint-tracking configuration to reason about improper validation of local user-provided array index. */
+
+import java
+import semmle.code.java.security.internal.ArraySizing
+import semmle.code.java.dataflow.FlowSources
+
+/**
+ * A taint-tracking configuration to reason about improper validation of local user-provided array index.
+ */
+module ImproperValidationOfArrayIndexLocalConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
+
+  predicate isSink(DataFlow::Node sink) {
+    any(CheckableArrayAccess caa).canThrowOutOfBounds(sink.asExpr())
+  }
+}
+
+/**
+ * Taint-tracking flow for improper validation of local user-provided array index.
+ */
+module ImproperValidationOfArrayIndexLocalFlow =
+  TaintTracking::Global<ImproperValidationOfArrayIndexLocalConfig>;

java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll

@@ -0,0 +1,24 @@
+/** Provides a taint-tracking configuration to reason about improper validation of user-provided array index. */
+
+import java
+import semmle.code.java.security.internal.ArraySizing
+import semmle.code.java.dataflow.FlowSources
+
+/**
+ * A taint-tracking configuration to reason about improper validation of user-provided array index.
+ */
+module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) {
+    any(CheckableArrayAccess caa).canThrowOutOfBounds(sink.asExpr())
+  }
+
+  predicate isBarrier(DataFlow::Node node) { node.getType() instanceof BooleanType }
+}
+
+/**
+ * Taint-tracking flow for improper validation of user-provided array index.
+ */
+module ImproperValidationOfArrayIndexFlow =
+  TaintTracking::Global<ImproperValidationOfArrayIndexConfig>;

java/ql/src/Security/CWE/CWE-129/ArraySizing.qll renamed to java/ql/lib/semmle/code/java/security/internal/ArraySizing.qll

@@ -1,3 +1,5 @@
+/** Provides predicates and classes to reason about the sizing and indexing of arrays. */
+
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.DefUse

java/ql/src/Security/CWE/CWE-129/BoundingChecks.qll renamed to java/ql/lib/semmle/code/java/security/internal/BoundingChecks.qll

@@ -11,20 +11,7 @@
  */
 
 import java
-import ArraySizing
-import semmle.code.java.dataflow.FlowSources
-
-private module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  predicate isSink(DataFlow::Node sink) {
-    any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
-  }
-}
-
-module ImproperValidationOfArrayConstructionFlow =
-  TaintTracking::Global<ImproperValidationOfArrayConstructionConfig>;
-
+import semmle.code.java.security.ImproperValidationOfArrayConstructionQuery
 import ImproperValidationOfArrayConstructionFlow::PathGraph
 
 from

java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql

@@ -12,23 +12,7 @@
  */
 
 import java
-import ArraySizing
-import semmle.code.java.dataflow.TaintTracking
-
-module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source instanceof BoundedFlowSource and
-    // There is not a fixed lower bound which is greater than zero.
-    not source.(BoundedFlowSource).lowerBound() > 0
-  }
-
-  predicate isSink(DataFlow::Node sink) {
-    any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
-  }
-}
-
-module BoundedFlowSourceFlow = DataFlow::Global<BoundedFlowSourceConfig>;
-
+import semmle.code.java.security.ImproperValidationOfArrayConstructionCodeSpecifiedQuery
 import BoundedFlowSourceFlow::PathGraph
 
 from