Java: Simplified MvelInjectionLib

artem-smotrakov · artem-smotrakov · commit 2842aeee72cf · 2020-06-05T17:17:43.000+03:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/MvelInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/MvelInjectionLib.qll
@@ -1,7 +1,6 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
-import DataFlow::PathGraph
 
 /**
  * A taint-tracking configuration for unsafe user input
@@ -54,7 +53,7 @@ class MvelEvaluationSink extends DataFlow::ExprNode {
         m instanceof CompiledScriptEvaluationMethod or
         m instanceof MvelCompiledScriptEvaluationMethod
       ) and
-      (ma = asExpr() or ma.getQualifier() = asExpr())
+      ma.getQualifier() = asExpr()
     )
     or
     exists(StaticMethodAccess ma, Method m | m = ma.getMethod() |
@@ -73,7 +72,7 @@ predicate expressionCompilationStep(DataFlow::Node node1, DataFlow::Node node2)
     m.getDeclaringType() instanceof MVEL and
     m.hasName("compileExpression") and
     ma.getAnArgument() = node1.asExpr() and
-    (node2.asExpr() = ma.getQualifier() or node2.asExpr() = ma)
+    node2.asExpr() = ma
   )
 }
 
@@ -84,7 +83,7 @@ predicate expressionCompilationStep(DataFlow::Node node1, DataFlow::Node node2)
 predicate createExpressionCompilerStep(DataFlow::Node node1, DataFlow::Node node2) {
   exists(ConstructorCall cc |
     cc.getConstructedType() instanceof ExpressionCompiler and
-    (cc = node2.asExpr() or cc.getQualifier() = node2.asExpr()) and
+    cc = node2.asExpr() and
     cc.getArgument(0) = node1.asExpr()
   )
 }
@@ -96,7 +95,7 @@ predicate createExpressionCompilerStep(DataFlow::Node node1, DataFlow::Node node
 predicate createCompiledAccExpressionStep(DataFlow::Node node1, DataFlow::Node node2) {
   exists(ConstructorCall cc |
     cc.getConstructedType() instanceof CompiledAccExpression and
-    (cc = node2.asExpr() or cc.getQualifier() = node2.asExpr()) and
+    cc = node2.asExpr() and
     cc.getArgument(0) = node1.asExpr()
   )
 }
@@ -125,7 +124,7 @@ predicate expressionCompilerCompileStep(DataFlow::Node node1, DataFlow::Node nod
 predicate scriptCompileStep(DataFlow::Node node1, DataFlow::Node node2) {
   exists(MethodAccess ma, Method m | ma.getMethod() = m |
     m instanceof MvelScriptEngineCompilationMethod and
-    (ma = node2.asExpr() or ma.getQualifier() = node2.asExpr()) and
+    ma = node2.asExpr() and
     ma.getArgument(0) = node1.asExpr()
   )
 }
@@ -137,7 +136,7 @@ predicate scriptCompileStep(DataFlow::Node node1, DataFlow::Node node2) {
 predicate createMvelCompiledScriptStep(DataFlow::Node node1, DataFlow::Node node2) {
   exists(ConstructorCall cc |
     cc.getConstructedType() instanceof MvelCompiledScript and
-    (cc = node2.asExpr() or cc.getQualifier() = node2.asExpr()) and
+    cc = node2.asExpr() and
     cc.getArgument(1) = node1.asExpr()
   )
 }
@@ -149,7 +148,7 @@ predicate createMvelCompiledScriptStep(DataFlow::Node node1, DataFlow::Node node
 predicate createTemplateCompilerStep(DataFlow::Node node1, DataFlow::Node node2) {
   exists(ConstructorCall cc |
     cc.getConstructedType() instanceof TemplateCompiler and
-    (cc = node2.asExpr() or cc.getQualifier() = node2.asExpr()) and
+    cc = node2.asExpr() and
     cc.getArgument(0) = node1.asExpr()
   )
 }
@@ -167,7 +166,7 @@ predicate templateCompileStep(DataFlow::Node node1, DataFlow::Node node2) {
   or
   exists(StaticMethodAccess ma, Method m | ma.getMethod() = m |
     m instanceof TemplateCompilerCompileTemplateMethod and
-    (ma = node2.asExpr() or ma.getQualifier() = node2.asExpr()) and
+    ma = node2.asExpr() and
     ma.getArgument(0) = node1.asExpr()
   )
 }

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,6 @@`
`1`	`1`	`import java`
`2`	`2`	`import semmle.code.java.dataflow.FlowSources`
`3`	`3`	`import semmle.code.java.dataflow.TaintTracking`
`4`		`-import DataFlow::PathGraph`
`5`	`4`
`6`	`5`	`/**`
`7`	`6`	`* A taint-tracking configuration for unsafe user input`
`@@ -54,7 +53,7 @@ class MvelEvaluationSink extends DataFlow::ExprNode {`
`54`	`53`	`m instanceof CompiledScriptEvaluationMethod or`
`55`	`54`	`m instanceof MvelCompiledScriptEvaluationMethod`
`56`	`55`	`) and`
`57`		`- (ma = asExpr() or ma.getQualifier() = asExpr())`
	`56`	`+ ma.getQualifier() = asExpr()`
`58`	`57`	`)`
`59`	`58`	`or`
`60`	`59`	`exists(StaticMethodAccess ma, Method m \| m = ma.getMethod() \|`
`@@ -73,7 +72,7 @@ predicate expressionCompilationStep(DataFlow::Node node1, DataFlow::Node node2)`
`73`	`72`	`m.getDeclaringType() instanceof MVEL and`
`74`	`73`	`m.hasName("compileExpression") and`
`75`	`74`	`ma.getAnArgument() = node1.asExpr() and`
`76`		`- (node2.asExpr() = ma.getQualifier() or node2.asExpr() = ma)`
	`75`	`+ node2.asExpr() = ma`
`77`	`76`	`)`
`78`	`77`	`}`
`79`	`78`
`@@ -84,7 +83,7 @@ predicate expressionCompilationStep(DataFlow::Node node1, DataFlow::Node node2)`
`84`	`83`	`predicate createExpressionCompilerStep(DataFlow::Node node1, DataFlow::Node node2) {`
`85`	`84`	`exists(ConstructorCall cc \|`
`86`	`85`	`cc.getConstructedType() instanceof ExpressionCompiler and`
`87`		`- (cc = node2.asExpr() or cc.getQualifier() = node2.asExpr()) and`
	`86`	`+ cc = node2.asExpr() and`
`88`	`87`	`cc.getArgument(0) = node1.asExpr()`
`89`	`88`	`)`
`90`	`89`	`}`
`@@ -96,7 +95,7 @@ predicate createExpressionCompilerStep(DataFlow::Node node1, DataFlow::Node node`
`96`	`95`	`predicate createCompiledAccExpressionStep(DataFlow::Node node1, DataFlow::Node node2) {`
`97`	`96`	`exists(ConstructorCall cc \|`
`98`	`97`	`cc.getConstructedType() instanceof CompiledAccExpression and`
`99`		`- (cc = node2.asExpr() or cc.getQualifier() = node2.asExpr()) and`
	`98`	`+ cc = node2.asExpr() and`
`100`	`99`	`cc.getArgument(0) = node1.asExpr()`
`101`	`100`	`)`
`102`	`101`	`}`
`@@ -125,7 +124,7 @@ predicate expressionCompilerCompileStep(DataFlow::Node node1, DataFlow::Node nod`
`125`	`124`	`predicate scriptCompileStep(DataFlow::Node node1, DataFlow::Node node2) {`
`126`	`125`	`exists(MethodAccess ma, Method m \| ma.getMethod() = m \|`
`127`	`126`	`m instanceof MvelScriptEngineCompilationMethod and`
`128`		`- (ma = node2.asExpr() or ma.getQualifier() = node2.asExpr()) and`
	`127`	`+ ma = node2.asExpr() and`
`129`	`128`	`ma.getArgument(0) = node1.asExpr()`
`130`	`129`	`)`
`131`	`130`	`}`
`@@ -137,7 +136,7 @@ predicate scriptCompileStep(DataFlow::Node node1, DataFlow::Node node2) {`
`137`	`136`	`predicate createMvelCompiledScriptStep(DataFlow::Node node1, DataFlow::Node node2) {`
`138`	`137`	`exists(ConstructorCall cc \|`
`139`	`138`	`cc.getConstructedType() instanceof MvelCompiledScript and`
`140`		`- (cc = node2.asExpr() or cc.getQualifier() = node2.asExpr()) and`
	`139`	`+ cc = node2.asExpr() and`
`141`	`140`	`cc.getArgument(1) = node1.asExpr()`
`142`	`141`	`)`
`143`	`142`	`}`
`@@ -149,7 +148,7 @@ predicate createMvelCompiledScriptStep(DataFlow::Node node1, DataFlow::Node node`
`149`	`148`	`predicate createTemplateCompilerStep(DataFlow::Node node1, DataFlow::Node node2) {`
`150`	`149`	`exists(ConstructorCall cc \|`
`151`	`150`	`cc.getConstructedType() instanceof TemplateCompiler and`
`152`		`- (cc = node2.asExpr() or cc.getQualifier() = node2.asExpr()) and`
	`151`	`+ cc = node2.asExpr() and`
`153`	`152`	`cc.getArgument(0) = node1.asExpr()`
`154`	`153`	`)`
`155`	`154`	`}`
`@@ -167,7 +166,7 @@ predicate templateCompileStep(DataFlow::Node node1, DataFlow::Node node2) {`
`167`	`166`	`or`
`168`	`167`	`exists(StaticMethodAccess ma, Method m \| ma.getMethod() = m \|`
`169`	`168`	`m instanceof TemplateCompilerCompileTemplateMethod and`
`170`		`- (ma = node2.asExpr() or ma.getQualifier() = node2.asExpr()) and`
	`169`	`+ ma = node2.asExpr() and`
`171`	`170`	`ma.getArgument(0) = node1.asExpr()`
`172`	`171`	`)`
`173`	`172`	`}`