Skip to content

Java: Review changes for https://github.com/github/codeql/pull/3653 #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Jul 7, 2020
Merged

Java: Review changes for https://github.com/github/codeql/pull/3653 #1

merged 11 commits into from
Jul 7, 2020

Conversation

aschackmull
Copy link

No description provided.

@aschackmull aschackmull mentioned this pull request Jul 6, 2020
Merged
3 tasks
lcartey
lcartey approved these changes Jul 7, 2020
View reviewed changes
Copy link
Owner

@lcartey lcartey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are some gaps between the removed container modeling, and the default container modeling, although I do not think they are critical for Spring support.

java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -377,34 +377,19 @@ private predicate taintPreservingQualifierToMethod(Method m) {
or
m = any(ProtobufMessageLite p).getAGetterMethod()
or
m instanceof MapMethod and
(
m.getName().regexpMatch("get|entrySet|keySet|values")
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just noting that keySet is not covered in ContainerFlow (unlike the others). However, I believe this is fine for Spring, because a Map type parameter to a @RequestMapping method will be unlikely to contain tainted keys, and ContainerFlow only taints Maps via the value not the key parameter.

(ref: https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#mvc-ann-arguments)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

keySet is excluded on purpose as we currently otherwise won't be able to distinguish keys and values in a tainted map. If at some point tainted keys become important to track, then we'll most likely attempt this through a more precise modelling via container-content-as-field-flow.

java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
(
m.getName().regexpMatch("get|toArray|subList|spliterator|set|iterator|listIterator") or
(m.getName().regexpMatch("remove") and not m.getReturnType() instanceof BooleanType)
)
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

spliterator, set and listIterator are not covered by ContainerFlow.

@lcartey lcartey merged commit 3fef5ca into lcartey:java/improve-spring-support Jul 7, 2020
@aschackmull aschackmull deleted the java/spring-3653 branch July 8, 2020 13:00
lcartey pushed a commit that referenced this pull request Sep 11, 2020
@yoff
Merge pull request #1 from RasmusWL/RasmusWL-python-more-complete-dat…
8997799 
…aflow-tests

Small fixups to your PR to my PR
lcartey pushed a commit that referenced this pull request Apr 1, 2021
@ihsinme
Merge pull request #1 from github/main
cf56597 
update fork
lcartey pushed a commit that referenced this pull request Apr 10, 2021
@haby0
Merge pull request #1 from smowton/smowton/admin/rewrite-xquery
42f55e1 
Rewrite XQuery injection to use an additional taint step instead of multiple configurations
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lcartey lcartey lcartey approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@aschackmull @lcartey