

Commit 4aec302

committed
Create new sink kinds
1 parent c7b9e40 commit 4aec302

2 files changed

Lines changed: 40 additions & 9 deletions


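--- a/java/ql/lib/semmle/code/java/security/SensitiveApi.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveApi.qll
@@ -3,17 +3,47 @@
 */
 
 import java
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.ExternalFlow
+
+/**
+* A node representing a password being passed to a method.
+*/
+class PasswordParameter extends DataFlow::Node {
+PasswordParameter() { sinkNode(this, "credential-password") }
+}
+
+/**
+* A node representing a username being passed to a method.
+*/
+class UsernameParameter extends DataFlow::Node {
+UsernameParameter() { sinkNode(this, "credential-username") }
+}
+
+/**
+* A node representing a cryptographic key being passed to a method.
+*/
+class CryptoKeyParameter extends DataFlow::Node {
+CryptoKeyParameter() { sinkNode(this, "crypto-parameter") }
+}
+
+/**
+* A node representing a credential being passed to a method.
+*/
+class CredentialParameter extends DataFlow::Node {
+CredentialParameter() { sinkNode(this, "credential-other") }
+}
 
 /**
 * Holds if callable `c` from a standard Java API expects a password parameter at index `i`.
 */
-predicate javaApiCallablePasswordParam(Callable c, int i) {
+deprecated predicate javaApiCallablePasswordParam(Callable c, int i) {
 exists(c.getParameter(i)) and
 javaApiCallablePasswordParam(c.getDeclaringType().getQualifiedName() + ";" +
 c.getStringSignature() + ";" + i)
 }
 
-private predicate javaApiCallablePasswordParam(string s) {
+deprecated private predicate javaApiCallablePasswordParam(string s) {
 // Auto-generated using an auxiliary query run on the JDK source code.
 s =
 [
@@ -133,13 +163,13 @@ private predicate javaApiCallablePasswordParam(string s) {
 /**
 * Holds if callable `c` from a standard Java API expects a username parameter at index `i`.
 */
-predicate javaApiCallableUsernameParam(Callable c, int i) {
+deprecated predicate javaApiCallableUsernameParam(Callable c, int i) {
 exists(c.getParameter(i)) and
 javaApiCallableUsernameParam(c.getDeclaringType().getQualifiedName() + ";" +
 c.getStringSignature() + ";" + i)
 }
 
-private predicate javaApiCallableUsernameParam(string s) {
+deprecated private predicate javaApiCallableUsernameParam(string s) {
 // Auto-generated using an auxiliary query run on the JDK source code.
 s =
 [
@@ -196,13 +226,13 @@ private predicate javaApiCallableUsernameParam(string s) {
 /**
 * Holds if callable `c` from a standard Java API expects a cryptographic key parameter at index `i`.
 */
-predicate javaApiCallableCryptoKeyParam(Callable c, int i) {
+deprecated predicate javaApiCallableCryptoKeyParam(Callable c, int i) {
 exists(c.getParameter(i)) and
 javaApiCallableCryptoKeyParam(c.getDeclaringType().getQualifiedName() + ";" +
 c.getStringSignature() + ";" + i)
 }
 
-private predicate javaApiCallableCryptoKeyParam(string s) {
+deprecated private predicate javaApiCallableCryptoKeyParam(string s) {
 // Auto-generated using an auxiliary query run on the JDK source code.
 s =
 [
@@ -424,13 +454,13 @@ private predicate javaApiCallableCryptoKeyParam(string s) {
 /**
 * Holds if callable `c` from a known API expects a credential parameter at index `i`.
 */
-predicate otherApiCallableCredentialParam(Callable c, int i) {
+deprecated predicate otherApiCallableCredentialParam(Callable c, int i) {
 exists(c.getParameter(i)) and
 otherApiCallableCredentialParam(c.getDeclaringType().getQualifiedName() + ";" +
 c.getStringSignature() + ";" + i)
 }
 
-private predicate otherApiCallableCredentialParam(string s) {
+deprecated private predicate otherApiCallableCredentialParam(string s) {
 s =
 [
 "javax.crypto.spec.IvParameterSpec;IvParameterSpec(byte[]);0",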
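Review bot: The four predicates newly marked `deprecated` in this file (`javaApiCallablePasswordParam`, `javaApiCallableUsernameParam`, `javaApiCallableCryptoKeyParam`, `otherApiCallableCredentialParam`) keep their original QLDoc, so a caller is told nothing about what replaces them; CodeQL convention is for a deprecated element's QLDoc to open with `DEPRECATED:` and name the successor, e.g. `* DEPRECATED: Use the `PasswordParameter` class instead.` on the first, with the matching class named on each of the others. The replacement classes are populated via `sinkNode` with the `credential-password`, `credential-username`, `crypto-parameter` and `credential-other` kinds, but this commit touches only two files, so unless model data for those kinds already exists elsewhere the classes will have no members at the same time the hard-coded lists they supersede are deprecated — worth confirming the models land in the same release. The QLDoc on `CredentialParameter` should also state that it covers credentials other than a password or username, since it is bound to `credential-other` rather than to every credential kind. The bodies of the private string-keyed predicates continue outside the hunks.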

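--- a/shared/mad/codeql/mad/ModelValidation.qll
+++ b/shared/mad/codeql/mad/ModelValidation.qll
@@ -30,7 +30,8 @@ module KindValidation<KindValidationConfigSig Config> {
 "js-injection", "ldap-injection", "log-injection", "path-injection", "request-forgery",
 "sql-injection", "url-redirection",
 // Java-only currently, but may be shared in the future
-"bean-validation", "fragment-injection", "groovy-injection", "hostname-verification",
+"bean-validation", "credential-other", "credential-password", "credential-username",
+"crypto-parameter", "fragment-injection", "groovy-injection", "hostname-verification",
 "information-leak", "intent-redirection", "jexl-injection", "jndi-injection",
 "mvel-injection", "ognl-injection", "pending-intents", "response-splitting",
 "trust-boundary-violation", "template-injection", "xpath-injection", "xslt-injection",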
