|
| 1 | +import java |
| 2 | +import semmle.code.java.dataflow.FlowSources |
| 3 | +import semmle.code.java.security.XmlParsers |
| 4 | +import DataFlow |
| 5 | + |
| 6 | +/** |
| 7 | + * A taint-tracking configuration for unvalidated user input that is used in XSLT transformation. |
| 8 | + */ |
| 9 | +class XsltInjectionFlowConfig extends TaintTracking::Configuration { |
| 10 | + XsltInjectionFlowConfig() { this = "XsltInjectionFlowConfig" } |
| 11 | + |
| 12 | + override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } |
| 13 | + |
| 14 | + override predicate isSink(DataFlow::Node sink) { sink instanceof XsltInjectionSink } |
| 15 | + |
| 16 | + override predicate isSanitizer(DataFlow::Node node) { |
| 17 | + node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType |
| 18 | + } |
| 19 | + |
| 20 | + override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { |
| 21 | + xmlStreamReaderStep(node1, node2) or |
| 22 | + xmlEventReaderStep(node1, node2) or |
| 23 | + staxSourceStep(node1, node2) or |
| 24 | + documentBuilderStep(node1, node2) or |
| 25 | + domSourceStep(node1, node2) or |
| 26 | + newTransformerOrTemplatesStep(node1, node2) or |
| 27 | + newTransformerFromTemplatesStep(node1, node2) |
| 28 | + } |
| 29 | +} |
| 30 | + |
| 31 | +/** The class `javax.xml.transform.stax.StAXSource`. */ |
| 32 | +class TypeStAXSource extends Class { |
| 33 | + TypeStAXSource() { this.hasQualifiedName("javax.xml.transform.stax", "StAXSource") } |
| 34 | +} |
| 35 | + |
| 36 | +/** The class `javax.xml.transform.dom.DOMSource`. */ |
| 37 | +class TypeDOMSource extends Class { |
| 38 | + TypeDOMSource() { this.hasQualifiedName("javax.xml.transform.dom", "DOMSource") } |
| 39 | +} |
| 40 | + |
| 41 | +/** The interface `javax.xml.transform.Templates`. */ |
| 42 | +class TypeTemplates extends Interface { |
| 43 | + TypeTemplates() { this.hasQualifiedName("javax.xml.transform", "Templates") } |
| 44 | +} |
| 45 | + |
| 46 | +/** A data flow sink for unvalidated user input that is used in XSLT transformation. */ |
| 47 | +class XsltInjectionSink extends DataFlow::ExprNode { |
| 48 | + XsltInjectionSink() { |
| 49 | + exists(MethodAccess ma | |
| 50 | + ma.getQualifier() = this.getExpr() and |
| 51 | + ma instanceof TransformerTransform |
| 52 | + ) |
| 53 | + } |
| 54 | +} |
| 55 | + |
| 56 | +/** |
| 57 | + * Holds if `n1` to `n2` is a dataflow step that converts between `InputStream` or `Reader` and |
| 58 | + * `XMLStreamReader`, i.e. `XMLInputFactory.createXMLStreamReader(tainted)`. |
| 59 | + */ |
| 60 | +predicate xmlStreamReaderStep(ExprNode n1, ExprNode n2) { |
| 61 | + exists(XmlInputFactoryStreamReader xmlStreamReader | |
| 62 | + n1.asExpr() = xmlStreamReader.getSink() and |
| 63 | + n2.asExpr() = xmlStreamReader |
| 64 | + ) |
| 65 | +} |
| 66 | + |
| 67 | +/** |
| 68 | + * Holds if `n1` to `n2` is a dataflow step that converts between `InputStream` or `Reader` and |
| 69 | + * `XMLEventReader`, i.e. `XMLInputFactory.createXMLEventReader(tainted)`. |
| 70 | + */ |
| 71 | +predicate xmlEventReaderStep(ExprNode n1, ExprNode n2) { |
| 72 | + exists(XmlInputFactoryEventReader xmlEventReader | |
| 73 | + n1.asExpr() = xmlEventReader.getSink() and |
| 74 | + n2.asExpr() = xmlEventReader |
| 75 | + ) |
| 76 | +} |
| 77 | + |
| 78 | +/** |
| 79 | + * Holds if `n1` to `n2` is a dataflow step that converts between `XMLStreamReader` or |
| 80 | + * `XMLEventReader` and `StAXSource`, i.e. `new StAXSource(tainted)`. |
| 81 | + */ |
| 82 | +predicate staxSourceStep(ExprNode n1, ExprNode n2) { |
| 83 | + exists(ConstructorCall cc | cc.getConstructedType() instanceof TypeStAXSource | |
| 84 | + n1.asExpr() = cc.getAnArgument() and |
| 85 | + n2.asExpr() = cc |
| 86 | + ) |
| 87 | +} |
| 88 | + |
| 89 | +/** |
| 90 | + * Holds if `n1` to `n2` is a dataflow step that converts between `InputStream` and `Document`, |
| 91 | + * i.e. `DocumentBuilder.parse(tainted)`. |
| 92 | + */ |
| 93 | +predicate documentBuilderStep(ExprNode n1, ExprNode n2) { |
| 94 | + exists(DocumentBuilderParse documentBuilder | |
| 95 | + n1.asExpr() = documentBuilder.getSink() and |
| 96 | + n2.asExpr() = documentBuilder |
| 97 | + ) |
| 98 | +} |
| 99 | + |
| 100 | +/** |
| 101 | + * Holds if `n1` to `n2` is a dataflow step that converts between `Document` and `DOMSource`, i.e. |
| 102 | + * `new DOMSource(tainted)`. |
| 103 | + */ |
| 104 | +predicate domSourceStep(ExprNode n1, ExprNode n2) { |
| 105 | + exists(ConstructorCall cc | cc.getConstructedType() instanceof TypeDOMSource | |
| 106 | + n1.asExpr() = cc.getAnArgument() and |
| 107 | + n2.asExpr() = cc |
| 108 | + ) |
| 109 | +} |
| 110 | + |
| 111 | +/** |
| 112 | + * A data flow configuration for secure processing feature that is enabled on `TransformerFactory`. |
| 113 | + */ |
| 114 | +private class TransformerFactoryWithSecureProcessingFeatureFlowConfig extends DataFlow2::Configuration { |
| 115 | + TransformerFactoryWithSecureProcessingFeatureFlowConfig() { |
| 116 | + this = "TransformerFactoryWithSecureProcessingFeatureFlowConfig" |
| 117 | + } |
| 118 | + |
| 119 | + override predicate isSource(DataFlow::Node src) { |
| 120 | + exists(Variable v | v = src.asExpr().(VarAccess).getVariable() | |
| 121 | + exists(TransformerFactoryFeatureConfig config | config.getQualifier() = v.getAnAccess() | |
| 122 | + config.enables(configSecureProcessing()) |
| 123 | + ) |
| 124 | + ) |
| 125 | + } |
| 126 | + |
| 127 | + override predicate isSink(DataFlow::Node sink) { |
| 128 | + exists(MethodAccess ma | |
| 129 | + sink.asExpr() = ma.getQualifier() and |
| 130 | + ma.getMethod().getDeclaringType() instanceof TransformerFactory |
| 131 | + ) |
| 132 | + } |
| 133 | + |
| 134 | + override int fieldFlowBranchLimit() { result = 0 } |
| 135 | +} |
| 136 | + |
| 137 | +/** A `ParserConfig` specific to `TransformerFactory`. */ |
| 138 | +private class TransformerFactoryFeatureConfig extends ParserConfig { |
| 139 | + TransformerFactoryFeatureConfig() { |
| 140 | + exists(Method m | |
| 141 | + m = this.getMethod() and |
| 142 | + m.getDeclaringType() instanceof TransformerFactory and |
| 143 | + m.hasName("setFeature") |
| 144 | + ) |
| 145 | + } |
| 146 | +} |
| 147 | + |
| 148 | +/** |
| 149 | + * Holds if `n1` to `n2` is a dataflow step that converts between `Source` and `Transformer` or |
| 150 | + * `Templates`, i.e. `TransformerFactory.newTransformer(tainted)` or |
| 151 | + * `TransformerFactory.newTemplates(tainted)`. |
| 152 | + */ |
| 153 | +predicate newTransformerOrTemplatesStep(ExprNode n1, ExprNode n2) { |
| 154 | + exists(MethodAccess ma, Method m | ma.getMethod() = m | |
| 155 | + n1.asExpr() = ma.getAnArgument() and |
| 156 | + n2.asExpr() = ma and |
| 157 | + ( |
| 158 | + m.getDeclaringType() instanceof TransformerFactory and m.hasName("newTransformer") |
| 159 | + or |
| 160 | + m.getDeclaringType() instanceof TransformerFactory and m.hasName("newTemplates") |
| 161 | + ) and |
| 162 | + not exists(TransformerFactoryWithSecureProcessingFeatureFlowConfig conf | |
| 163 | + conf.hasFlowToExpr(ma.getQualifier()) |
| 164 | + ) |
| 165 | + ) |
| 166 | +} |
| 167 | + |
| 168 | +/** |
| 169 | + * Holds if `n1` to `n2` is a dataflow step that converts between `Templates` and `Transformer`, |
| 170 | + * i.e. `tainted.newTransformer()`. |
| 171 | + */ |
| 172 | +predicate newTransformerFromTemplatesStep(ExprNode n1, ExprNode n2) { |
| 173 | + exists(MethodAccess ma, Method m | ma.getMethod() = m | |
| 174 | + n1.asExpr() = ma.getQualifier() and |
| 175 | + n2.asExpr() = ma and |
| 176 | + m.getDeclaringType() instanceof TypeTemplates and |
| 177 | + m.hasName("newTransformer") |
| 178 | + ) |
| 179 | +} |
0 commit comments