Add NumericCastTaintedQuery

egregius313 · egregius313 · commit f4a6f555b46a · 2023-05-04T10:25:13.000-04:00
diff --git a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
@@ -0,0 +1,133 @@
+/** Provides classes to reason about possible truncation from casting of a user-provided value. */
+
+import java
+import semmle.code.java.arithmetic.Overflow
+import semmle.code.java.dataflow.SSA
+import semmle.code.java.controlflow.Guards
+import semmle.code.java.dataflow.RangeAnalysis
+import semmle.code.java.dataflow.FlowSources
+
+/**
+ * A `CastExpr` that is a narrowing cast.
+ */
+class NumericNarrowingCastExpr extends CastExpr {
+  NumericNarrowingCastExpr() {
+    exists(NumericType sourceType, NumericType targetType |
+      sourceType = this.getExpr().getType() and targetType = this.getType()
+    |
+      not targetType.(NumType).widerThanOrEqualTo(sourceType)
+    )
+  }
+}
+
+/**
+ * An expression that performs a right shift operation.
+ */
+class RightShiftOp extends Expr {
+  RightShiftOp() {
+    this instanceof RightShiftExpr or
+    this instanceof UnsignedRightShiftExpr or
+    this instanceof AssignRightShiftExpr or
+    this instanceof AssignUnsignedRightShiftExpr
+  }
+
+  private Expr getLhs() {
+    this.(BinaryExpr).getLeftOperand() = result or
+    this.(Assignment).getDest() = result
+  }
+
+  /**
+   * Gets the expression that is shifted.
+   */
+  Variable getShiftedVariable() {
+    this.getLhs() = result.getAnAccess() or
+    this.getLhs().(AndBitwiseExpr).getAnOperand() = result.getAnAccess()
+  }
+}
+
+private predicate boundedRead(RValue read) {
+  exists(SsaVariable v, ConditionBlock cb, ComparisonExpr comp, boolean testIsTrue |
+    read = v.getAUse() and
+    cb.controls(read.getBasicBlock(), testIsTrue) and
+    cb.getCondition() = comp
+  |
+    comp.getLesserOperand() = v.getAUse() and testIsTrue = true
+    or
+    comp.getGreaterOperand() = v.getAUse() and testIsTrue = false
+  )
+}
+
+private predicate castCheck(RValue read) {
+  exists(EqualityTest eq, CastExpr cast |
+    cast.getExpr() = read and
+    eq.hasOperands(cast, read.getVariable().getAnAccess())
+  )
+}
+
+private class SmallType extends Type {
+  SmallType() {
+    this instanceof BooleanType or
+    this.(PrimitiveType).hasName("byte") or
+    this.(BoxedType).getPrimitiveType().hasName("byte")
+  }
+}
+
+private predicate smallExpr(Expr e) {
+  exists(int low, int high |
+    bounded(e, any(ZeroBound zb), low, false, _) and
+    bounded(e, any(ZeroBound zb), high, true, _) and
+    high - low < 256
+  )
+}
+
+/**
+ * A taint-tracking configuration for reasoning about user input that is used in a
+ * numeric cast.
+ */
+module NumericCastFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() = any(NumericNarrowingCastExpr cast).getExpr() and
+    sink.asExpr() instanceof VarAccess
+  }
+
+  predicate isBarrier(DataFlow::Node node) {
+    boundedRead(node.asExpr()) or
+    castCheck(node.asExpr()) or
+    node.getType() instanceof SmallType or
+    smallExpr(node.asExpr()) or
+    node.getEnclosingCallable() instanceof HashCodeMethod or
+    exists(RightShiftOp e | e.getShiftedVariable().getAnAccess() = node.asExpr())
+  }
+}
+
+/**
+ * Taint-tracking flow for user input that is used in a numeric cast.
+ */
+module NumericCastFlow = TaintTracking::Global<NumericCastFlowConfig>;
+
+/**
+ * A taint-tracking configuration for reasoning about local user input that is
+ * used in a numeric cast.
+ */
+module NumericCastLocalFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
+
+  predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() = any(NumericNarrowingCastExpr cast).getExpr()
+  }
+
+  predicate isBarrier(DataFlow::Node node) {
+    boundedRead(node.asExpr()) or
+    castCheck(node.asExpr()) or
+    node.getType() instanceof SmallType or
+    smallExpr(node.asExpr()) or
+    node.getEnclosingCallable() instanceof HashCodeMethod
+  }
+}
+
+/**
+ * Taint-tracking flow for local user input that is used in a numeric cast.
+ */
+module NumericCastLocalFlow = TaintTracking::Global<NumericCastLocalFlowConfig>;
diff --git a/java/ql/src/Security/CWE/CWE-681/NumericCastCommon.qll b/java/ql/src/Security/CWE/CWE-681/NumericCastCommon.qll
diff --git a/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql b/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
@@ -13,29 +13,7 @@
  */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import NumericCastCommon
-
-module NumericCastFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
-
-  predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() = any(NumericNarrowingCastExpr cast).getExpr() and
-    sink.asExpr() instanceof VarAccess
-  }
-
-  predicate isBarrier(DataFlow::Node node) {
-    boundedRead(node.asExpr()) or
-    castCheck(node.asExpr()) or
-    node.getType() instanceof SmallType or
-    smallExpr(node.asExpr()) or
-    node.getEnclosingCallable() instanceof HashCodeMethod or
-    exists(RightShiftOp e | e.getShiftedVariable().getAnAccess() = node.asExpr())
-  }
-}
-
-module NumericCastFlow = TaintTracking::Global<NumericCastFlowConfig>;
-
+import semmle.code.java.security.NumericCastTaintedQuery
 import NumericCastFlow::PathGraph
 
 from NumericCastFlow::PathNode source, NumericCastFlow::PathNode sink, NumericNarrowingCastExpr exp
diff --git a/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql
@@ -13,36 +13,16 @@
  */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import NumericCastCommon
-
-module NumericCastFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
-
-  predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() = any(NumericNarrowingCastExpr cast).getExpr()
-  }
-
-  predicate isBarrier(DataFlow::Node node) {
-    boundedRead(node.asExpr()) or
-    castCheck(node.asExpr()) or
-    node.getType() instanceof SmallType or
-    smallExpr(node.asExpr()) or
-    node.getEnclosingCallable() instanceof HashCodeMethod
-  }
-}
-
-module NumericCastFlow = TaintTracking::Global<NumericCastFlowConfig>;
-
-import NumericCastFlow::PathGraph
+import semmle.code.java.security.NumericCastTaintedQuery
+import NumericCastLocalFlow::PathGraph
 
 from
-  NumericCastFlow::PathNode source, NumericCastFlow::PathNode sink, NumericNarrowingCastExpr exp,
-  VarAccess tainted
+  NumericCastLocalFlow::PathNode source, NumericCastLocalFlow::PathNode sink,
+  NumericNarrowingCastExpr exp, VarAccess tainted
 where
   exp.getExpr() = tainted and
   sink.getNode().asExpr() = tainted and
-  NumericCastFlow::flowPath(source, sink) and
+  NumericCastLocalFlow::flowPath(source, sink) and
   not exists(RightShiftOp e | e.getShiftedVariable() = tainted.getVariable())
 select exp, source, sink,
   "This cast to a narrower type depends on a $@, potentially causing truncation.", source.getNode(),
