Java: Convert unsafe URL opening sinks to CSV format

tamasvajk · tamasvajk · commit b9ce1aefc09f · 2021-04-09T11:43:29.000+02:00
diff --git a/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql b/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
@@ -13,6 +13,7 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.Networking
 import DataFlow::PathGraph
+private import semmle.code.java.dataflow.ExternalFlow
 
 class HTTPString extends StringLiteral {
   HTTPString() {
@@ -30,26 +31,12 @@ class HTTPString extends StringLiteral {
   }
 }
 
-class URLOpenMethod extends Method {
-  URLOpenMethod() {
-    this.getDeclaringType().getQualifiedName() = "java.net.URL" and
-    (
-      this.getName() = "openConnection" or
-      this.getName() = "openStream"
-    )
-  }
-}
-
 class HTTPStringToURLOpenMethodFlowConfig extends TaintTracking::Configuration {
   HTTPStringToURLOpenMethodFlowConfig() { this = "HttpsUrls::HTTPStringToURLOpenMethodFlowConfig" }
 
   override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof HTTPString }
 
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess m |
-      sink.asExpr() = m.getQualifier() and m.getMethod() instanceof URLOpenMethod
-    )
-  }
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "open-url") }
 
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(UrlConstructorCall u |
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -184,7 +184,14 @@ private predicate sourceModelCsv(string row) {
     ]
 }
 
-private predicate sinkModelCsv(string row) { none() }
+private predicate sinkModelCsv(string row) {
+  row =
+    [
+      // Open URL
+      "java.net;URL;false;openConnection;;;Argument[-1];open-url",
+      "java.net;URL;false;openStream;;;Argument[-1];open-url"
+    ]
+}
 
 private predicate summaryModelCsv(string row) {
   row =

Original file line number	Diff line number	Diff line change
`@@ -184,7 +184,14 @@ private predicate sourceModelCsv(string row) {`
`184`	`184`	`]`
`185`	`185`	`}`
`186`	`186`
`187`		`-private predicate sinkModelCsv(string row) { none() }`
	`187`	`+private predicate sinkModelCsv(string row) {`
	`188`	`+ row =`
	`189`	`+ [`
	`190`	`+ // Open URL`
	`191`	`+ "java.net;URL;false;openConnection;;;Argument[-1];open-url",`
	`192`	`+ "java.net;URL;false;openStream;;;Argument[-1];open-url"`
	`193`	`+ ]`
	`194`	`+}`
`188`	`195`
`189`	`196`	`private predicate summaryModelCsv(string row) {`
`190`	`197`	`row =`