
Java: Diff-informed CleartextStorageCookie.ql #19846

Expand Up @@ -7,7 +7,17 @@ private import semmle.code.java.dataflow.FlowSinks
private import semmle.code.java.dataflow.FlowSources

private class CookieCleartextStorageSink extends CleartextStorageSink {
CookieCleartextStorageSink() { this.asExpr() = cookieInput(_) }
Cookie cookie;

CookieCleartextStorageSink() { this.asExpr() = cookieInput(cookie) }

override Location getASelectedLocation() {
result = this.getLocation()
or
result = cookie.getLocation()
or
result = cookie.getAStore().getLocation()
}
}

/** The instantiation of a cookie, which can act as storage. */
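Review bot: The new `getASelectedLocation` override on `CookieCleartextStorageSink` has no QLDoc, and nothing on this page ties its three results (the sink itself, the cookie, and `cookie.getAStore()`) to the columns that `CleartextStorageCookie.ql`'s `select` clause actually reports. Presumably a diff-informed run keeps a result only when one of its selected locations lies in the diff, so a mismatch between these locations and what the query selects would silently drop true cleartext-cookie findings from incremental analysis instead of failing loudly. I would document that contract above the override: `/** Gets each location that `CleartextStorageCookie.ql` reports for this sink; keep in sync with the query's `select` clause. */`. Whether `Cookie.getAStore()` can yield several stores per cookie is not visible here; the class is complete within the hunk, but the query file is not on this page.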
Expand Up @@ -5,7 +5,14 @@ private import semmle.code.java.dataflow.TaintTracking
private import semmle.code.java.security.SensitiveActions

/** A sink representing persistent storage that saves data in clear text. */
abstract class CleartextStorageSink extends DataFlow::Node { }
abstract class CleartextStorageSink extends DataFlow::Node {
/**
* Gets a location that will be selected in the diff-informed query where
* this sink is found. If this has no results for any sink, that's taken to
* mean the query is not diff-informed.
*/
Location getASelectedLocation() { none() }
}

/** A sanitizer for flows tracking sensitive data being stored in persistent storage. */
abstract class CleartextStorageSanitizer extends DataFlow::Node { }
Expand Down Expand Up @@ -46,6 +53,17 @@ private module SensitiveSourceFlowConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
any(CleartextStorageAdditionalTaintStep c).step(n1, n2)
}

predicate observeDiffInformedIncrementalMode() {
// This configuration is used by several queries. A query can opt in to
// diff-informed mode by implementing `getASelectedLocation` on its sinks,
// indicating that it has considered which sinks are selected.
exists(CleartextStorageSink sink | exists(sink.getASelectedLocation()))
}

Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.(CleartextStorageSink).getASelectedLocation()
}
}

private module SensitiveSourceFlow = TaintTracking::Global<SensitiveSourceFlowConfig>;
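Review bot: The comment on `observeDiffInformedIncrementalMode` says a query opts in by implementing `getASelectedLocation` on its sinks, but the predicate is a single `exists` over every `CleartextStorageSink` in scope, so the opt-in is per evaluation rather than per query: any query that transitively imports a sink class overriding `getASelectedLocation` (such as `CookieCleartextStorageSink` in this PR's other hunk) switches the shared `SensitiveSourceFlowConfig` into diff-informed mode for all of its sinks, including any whose `getASelectedLocation` is still `none()`. How the flow library treats a sink with no selected location in that mode is not visible on this page; if such sinks are excluded rather than falling back to their own location, a query mixing opted-in and non-opted-in sink classes would lose results silently. I would state the condition precisely in the comment, e.g. `// Holds as soon as any CleartextStorageSink in scope overrides getASelectedLocation; a query that imports several sink classes must give all of them selected locations.` The enclosing module `SensitiveSourceFlowConfig` begins outside this hunk.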