/**
* @kind path-problem
*/
import java
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PartialPathGraph
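/**
 * The Bean Validation `ConstraintValidator` interface, matched by fully
 * qualified name. Both the legacy `javax.validation` package and the
 * `jakarta.validation` package used by Jakarta Bean Validation 3.0+ are
 * accepted, so validators written against either API are found.
 */
class ConstraintValidator extends RefType {
  ConstraintValidator() {
    this.hasQualifiedName(["javax.validation", "jakarta.validation"], "ConstraintValidator")
  }
}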
/**
 * Holds if `override` overrides a method declared on `ConstraintValidator`.
 * The comparison goes through the generic source declaration, so a validator
 * instantiated for a concrete annotation and value type still matches.
 */
predicate overridesAConstraintValidatorMethod(Method override) {
  override.overrides(any(Method base |
      base.getSourceDeclaration().getDeclaringType() instanceof ConstraintValidator
    ))
}
/**
 * An `isValid` method that overrides `ConstraintValidator.isValid`.
 * Its first parameter is the value being validated, which the taint
 * configuration below uses as the source.
 */
class ConstraintValidatorSource extends Method {
  ConstraintValidatorSource() {
    overridesAConstraintValidatorMethod(this) and
    this.hasName("isValid")
  }
}
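/**
 * The Bean Validation `ConstraintValidatorContext` interface, matched by
 * fully qualified name. Both `javax.validation` and the `jakarta.validation`
 * package used by Jakarta Bean Validation 3.0+ are accepted, so sinks in
 * code written against either API are found.
 */
class ConstraintValidatorContext extends RefType {
  ConstraintValidatorContext() {
    this.hasQualifiedName(["javax.validation", "jakarta.validation"], "ConstraintValidatorContext")
  }
}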
/**
 * A call to `ConstraintValidatorContext.buildConstraintViolationWithTemplate`.
 * Its first argument is the violation message template, which the validation
 * provider interpolates; template text under attacker control is the risk
 * this query looks for, so that argument is the sink.
 *
 * Only calls whose resolved callee is declared on `ConstraintValidatorContext`
 * itself are matched; a callee redeclared on a subtype has a different
 * declaring type and is not matched.
 */
class ConstraintValidatorContextSink extends MethodAccess {
  ConstraintValidatorContextSink() {
    exists(Method callee | callee = this.getCallee() |
      callee.getDeclaringType() instanceof ConstraintValidatorContext and
      callee.hasName("buildConstraintViolationWithTemplate")
    )
  }
}
/**
 * Taint-tracking configuration from the value passed to an `isValid`
 * override to the message template passed to
 * `buildConstraintViolationWithTemplate`.
 *
 * No sanitizer is declared, so every taint path between the two is reported.
 * `explorationLimit` bounds how far from a source `hasPartialFlow` explores
 * when this configuration is used for partial-flow debugging.
 */
class MyTaintTrackingConfig extends TaintTracking::Configuration {
  MyTaintTrackingConfig() { this = "MyTaintTrackingConfig" }

  /** The validated value: parameter 0 of an `isValid` override. */
  override predicate isSource(DataFlow::Node source) {
    source.asParameter() = any(ConstraintValidatorSource isValid).getParameter(0)
  }

  /** The message template: argument 0 of the violation-builder call. */
  override predicate isSink(DataFlow::Node sink) {
    sink.asExpr() = any(ConstraintValidatorContextSink call).getArgument(0)
  }

  /** Upper bound on partial-flow exploration from a source. */
  override int explorationLimit() { result = 10 }
}
/**
 * Debug restriction of `ConstraintValidatorSource` to the `isValid` method of
 * the class named `SchedulingConstraintSetValidator`.
 * Only the simple name is compared, so a class with that name in any package
 * qualifies.
 */
class DebugConstraintValidatorSource extends ConstraintValidatorSource {
  DebugConstraintValidatorSource() {
    this.getDeclaringType().hasName("SchedulingConstraintSetValidator")
  }
}
// Report every partial flow path whose source is the validated value of the
// debug validator. The columns follow the `path-problem` convention for
// `PartialPathGraph`: sink, source, sink, message.
from MyTaintTrackingConfig cfg, DataFlow::PartialPathNode source, DataFlow::PartialPathNode sink
where
  source.getNode().asParameter() =
    any(DebugConstraintValidatorSource specificSource).getParameter(0) and
  cfg.hasPartialFlow(source, sink, _)
select sink, source, sink, "Partial flow from unsanitized user data"