-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathSensitiveGetQuery.ql
More file actions
85 lines (74 loc) · 2.93 KB
/
Copy pathSensitiveGetQuery.ql
File metadata and controls
85 lines (74 loc) · 2.93 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
/**
* @name Sensitive GET Query
* @description Use of GET request method with sensitive query strings.
* @kind path-problem
* @problem.severity warning
* @precision medium
* @id java/sensitive-query-with-get
* @tags security
* experimental
* external/cwe/cwe-598
*/
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.security.SensitiveActions
import SensitiveGetQueryFlow::PathGraph
/** A variable that holds sensitive information judging by its name. */
class SensitiveInfoExpr extends Expr {
SensitiveInfoExpr() {
exists(Variable v | this = v.getAnAccess() |
v.getName().regexpMatch(getCommonSensitiveInfoRegex()) and
not v.getName().matches("token%") // exclude ^token.* since sensitive tokens are usually in the form of accessToken, authToken, ...
)
}
}
/** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
private predicate isGetServletMethod(Method m) {
isServletRequestMethod(m) and m.getName() = "doGet"
}
/** The `doGet` method of `HttpServlet`. */
class DoGetServletMethod extends Method {
DoGetServletMethod() { isGetServletMethod(this) }
}
/** Holds if `ma` is (perhaps indirectly) called from the `doGet` method of `HttpServlet`. */
predicate isReachableFromServletDoGet(MethodCall ma) {
ma.getEnclosingCallable() instanceof DoGetServletMethod
or
exists(Method pm, MethodCall pma |
ma.getEnclosingCallable() = pm and
pma.getMethod() = pm and
isReachableFromServletDoGet(pma)
)
}
/** Source of GET servlet requests. */
class RequestGetParamSource extends DataFlow::ExprNode {
RequestGetParamSource() {
exists(MethodCall ma |
isRequestGetParamMethod(ma) and
ma = this.asExpr() and
isReachableFromServletDoGet(ma)
)
}
}
/** A taint configuration tracking flow from the `ServletRequest` of a GET request handler to an expression whose name suggests it holds security-sensitive data. */
module SensitiveGetQueryConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RequestGetParamSource }
predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof SensitiveInfoExpr }
/** Holds if the node is in a servlet method other than `doGet`. */
predicate isBarrier(DataFlow::Node node) {
isServletRequestMethod(node.getEnclosingCallable()) and
not isGetServletMethod(node.getEnclosingCallable())
}
}
module SensitiveGetQueryFlow = TaintTracking::Global<SensitiveGetQueryConfig>;
deprecated query predicate problems(
DataFlow::Node sinkNode, SensitiveGetQueryFlow::PathNode source,
SensitiveGetQueryFlow::PathNode sink, string message1, DataFlow::Node sourceNode, string message2
) {
SensitiveGetQueryFlow::flowPath(source, sink) and
sinkNode = sink.getNode() and
message1 = "$@ uses the GET request method to transmit sensitive information." and
sourceNode = source.getNode() and
message2 = "This request"
}