/** Provides classes to reason about Groovy code injection attacks. */
overlay[local?]
module;
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.frameworks.Networking
/**
 * A data flow sink for Groovy expression injection vulnerabilities.
 *
 * Extend this class to model additional sinks. The default sinks are the
 * nodes tagged with the `groovy-injection` sink kind in the `ExternalFlow`
 * models (see `DefaultGroovyInjectionSink`).
 */
abstract class GroovyInjectionSink extends DataFlow::ExprNode { }
/**
 * A unit class for adding additional taint steps.
 *
 * Extend this class to add additional taint steps that should apply to the `GroovyInjectionConfig`.
 * Every subclass must override `step`; the union of all overrides is used.
 */
class GroovyInjectionAdditionalTaintStep extends Unit {
  /**
   * Holds if the step from `node1` to `node2` should be considered a taint
   * step for the `GroovyInjectionConfig` configuration.
   */
  abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
}
/**
 * A Groovy injection sink taken from the `ExternalFlow` models: any node
 * recorded under the `groovy-injection` sink kind.
 */
private class DefaultGroovyInjectionSink extends GroovyInjectionSink {
  DefaultGroovyInjectionSink() { sinkNode(this, "groovy-injection") }
}
/**
 * A data flow sanitizer for Groovy expression injection vulnerabilities.
 *
 * Extend this class to mark additional nodes as barriers; the default barriers
 * are the nodes tagged with the `groovy-injection` kind in the `ExternalFlow`
 * models (see `ExternalGroovyInjectionSanitizer`).
 */
abstract class GroovyInjectionSanitizer extends DataFlow::ExprNode { }
/**
 * A Groovy injection sanitizer taken from the `ExternalFlow` models: any node
 * recorded as a barrier under the `groovy-injection` kind.
 */
private class ExternalGroovyInjectionSanitizer extends GroovyInjectionSanitizer {
  ExternalGroovyInjectionSanitizer() { barrierNode(this, "groovy-injection") }
}
/**
 * The default additional taint steps for Groovy injection: flow from a tainted
 * value into the Groovy source-holding objects modeled in this module
 * (`ReaderSource`, `SourceUnit`, `CompilationUnit` and `GroovyCodeSource`).
 */
private class DefaultGroovyInjectionAdditionalTaintStep extends GroovyInjectionAdditionalTaintStep {
  /** Holds if any of the module's Groovy-specific taint steps goes from `node1` to `node2`. */
  override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
    groovyReaderSourceTaintStep(node1, node2)
    or
    groovySourceUnitTaintStep(node1, node2)
    or
    groovyCompilationUnitTaintStep(node1, node2)
    or
    groovyCodeSourceTaintStep(node1, node2)
  }
}
/**
 * Holds if `fromNode` to `toNode` is a dataflow step from a tainted string to
 * a `GroovyCodeSource` instance by calling `new GroovyCodeSource(tainted, ...)`.
 *
 * Only the first constructor argument is propagated; `toNode` is the
 * constructor call expression itself.
 */
private predicate groovyCodeSourceTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
  exists(ConstructorCall codeSourceCtor |
    codeSourceCtor.getConstructedType() instanceof TypeGroovyCodeSource
  |
    toNode.asExpr() = codeSourceCtor and
    fromNode.asExpr() = codeSourceCtor.getArgument(0)
  )
}
/**
 * Holds if `fromNode` to `toNode` is a dataflow step from a tainted object to
 * a `CompilationUnit` instance by calling `compilationUnit.addSource(..., tainted)`.
 *
 * The tainted value is the last argument of `addSource`. Because `addSource`
 * mutates its receiver, `toNode` is the post-update node of the qualifier,
 * i.e. the `CompilationUnit` as it is after the call.
 */
private predicate groovyCompilationUnitTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
  exists(MethodCall addSourceCall, int lastArgIndex |
    addSourceCall.getMethod().hasName("addSource") and
    addSourceCall.getMethod().getDeclaringType() instanceof TypeGroovyCompilationUnit and
    lastArgIndex = addSourceCall.getNumArgument() - 1
  |
    fromNode.asExpr() = addSourceCall.getArgument(lastArgIndex) and
    toNode.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = addSourceCall.getQualifier()
  )
}
/**
 * Holds if `fromNode` to `toNode` is a dataflow step from a tainted object to
 * a `SourceUnit` instance by calling `new SourceUnit(..., tainted, ...)`
 * or `SourceUnit.create(..., tainted)`.
 *
 * For the constructor, the tainted argument is either the argument at index 0
 * when it is a `URL`, or the argument at index 1 when it is a `String` or a
 * `ReaderSource`. For `create`, it is the argument at index 1.
 */
private predicate groovySourceUnitTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
  exists(ClassInstanceExpr sourceUnitCtor, Argument taintedArg, int argIndex |
    sourceUnitCtor.getConstructedType() instanceof TypeGroovySourceUnit and
    taintedArg = sourceUnitCtor.getArgument(argIndex) and
    fromNode.asExpr() = taintedArg and
    toNode.asExpr() = sourceUnitCtor
  |
    // new SourceUnit(URL, ...)
    argIndex = 0 and taintedArg.getType() instanceof TypeUrl
    or
    // new SourceUnit(name, String, ...) or new SourceUnit(name, ReaderSource, ...)
    argIndex = 1 and
    (
      taintedArg.getType() instanceof TypeString
      or
      taintedArg.getType() instanceof TypeReaderSource
    )
  )
  or
  exists(MethodCall createCall |
    createCall.getMethod().hasName("create") and
    createCall.getMethod().getDeclaringType() instanceof TypeGroovySourceUnit
  |
    toNode.asExpr() = createCall and
    fromNode.asExpr() = createCall.getArgument(1)
  )
}
/**
 * Holds if `fromNode` to `toNode` is a dataflow step from a tainted object to
 * a `ReaderSource` instance by calling `new ReaderSource(tainted, ...)`.
 *
 * `TypeReaderSource` also matches types that have `ReaderSource` as an
 * ancestor, so constructors of `ReaderSource` implementations are covered.
 */
private predicate groovyReaderSourceTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
  exists(ClassInstanceExpr readerSourceCtor, Expr firstArg |
    readerSourceCtor.getConstructedType() instanceof TypeReaderSource and
    firstArg = readerSourceCtor.getArgument(0)
  |
    toNode.asExpr() = readerSourceCtor and
    fromNode.asExpr() = firstArg
  )
}
/** The class `groovy.lang.GroovyCodeSource` (matched by exact qualified name, not subtypes). */
private class TypeGroovyCodeSource extends RefType {
  TypeGroovyCodeSource() { this.hasQualifiedName("groovy.lang", "GroovyCodeSource") }
}
/**
 * The class `org.codehaus.groovy.control.CompilationUnit`
 * (matched by exact qualified name, not subtypes).
 */
private class TypeGroovyCompilationUnit extends RefType {
  TypeGroovyCompilationUnit() {
    this.hasQualifiedName("org.codehaus.groovy.control", "CompilationUnit")
  }
}
/**
 * The class `org.codehaus.groovy.control.SourceUnit`
 * (matched by exact qualified name, not subtypes).
 */
private class TypeGroovySourceUnit extends RefType {
  TypeGroovySourceUnit() { this.hasQualifiedName("org.codehaus.groovy.control", "SourceUnit") }
}
/**
 * A type that is `org.codehaus.groovy.control.io.ReaderSource` or has it as an
 * ancestor. Unlike the other type classes in this module this one uses
 * `getAnAncestor()`, so implementations of `ReaderSource` are matched as well.
 */
private class TypeReaderSource extends RefType {
  TypeReaderSource() {
    this.getAnAncestor().hasQualifiedName("org.codehaus.groovy.control.io", "ReaderSource")
  }
}