Merge pull request #183 from advanced-security/securingdev-java-cwe-532-dataflow-update

Update CWE-532 using new dataflow API

Author: GeekMasher

java/CWE-532/SensitiveInformation.ql

@@ -15,23 +15,26 @@ import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking2
-import DataFlow::PathGraph
+//import DataFlow::PathGraph
 // Internal
 import github.Logging
 import github.SensitiveInformation
 
-class SensitiveInformationLoggingConfig extends TaintTracking::Configuration {
-  SensitiveInformationLoggingConfig() { this = "SensitiveInformationLoggingConfig" }
+module SensitiveInformationConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof SensitiveInformationSources }
 
-  override predicate isSource(DataFlow::Node source) {
-    source instanceof SensitiveInformationSources
-  }
+  predicate isSink(DataFlow::Node sink) { sink instanceof LoggingMethodsSinks }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof LoggingMethodsSinks }
+  predicate isBarrier(DataFlow::Node node) {
+    exists(Type t | t = node.getType() | t instanceof BoxedType or t instanceof PrimitiveType)
+  }
 }
 
+module SensitiveInformationFlow = TaintTracking::Global<SensitiveInformationConfig>;
+import SensitiveInformationFlow::PathGraph //importing the path graph from the module
+
+
 // ========== Query ==========
-from DataFlow::PathNode source, DataFlow::PathNode sink, SensitiveInformationLoggingConfig config
-where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Sensative data is being logged $@.", source.getNode(),
-  "user-provided value"
+from SensitiveInformationFlow::PathNode source, SensitiveInformationFlow::PathNode sink
+where SensitiveInformationFlow::flowPath(source, sink) //using flowPath instead of hasFlowPath
+select sink.getNode(), source, sink, "Sensative data is being logged $@.", source.getNode(), "user-provided value"

tests/java-tests/CWE-532/SensitiveInformation.expected

@@ -0,0 +1,22 @@
+edges
+| SensitiveInformation.java:17:23:17:62 | (...)... : String | SensitiveInformation.java:18:26:18:55 | ... + ... |
+| SensitiveInformation.java:17:23:17:62 | (...)... : String | SensitiveInformation.java:19:28:19:31 | attr |
+| SensitiveInformation.java:17:23:17:62 | (...)... : String | SensitiveInformation.java:20:66:20:69 | attr : String |
+| SensitiveInformation.java:17:31:17:62 | getAttribute(...) : Object | SensitiveInformation.java:17:23:17:62 | (...)... : String |
+| SensitiveInformation.java:20:31:20:81 | encodeToString(...) : String | SensitiveInformation.java:26:19:26:30 | responseBody |
+| SensitiveInformation.java:20:66:20:69 | attr : String | SensitiveInformation.java:20:66:20:80 | getBytes(...) : byte[] |
+| SensitiveInformation.java:20:66:20:80 | getBytes(...) : byte[] | SensitiveInformation.java:20:31:20:81 | encodeToString(...) : String |
+nodes
+| SensitiveInformation.java:17:23:17:62 | (...)... : String | semmle.label | (...)... : String |
+| SensitiveInformation.java:17:31:17:62 | getAttribute(...) : Object | semmle.label | getAttribute(...) : Object |
+| SensitiveInformation.java:18:26:18:55 | ... + ... | semmle.label | ... + ... |
+| SensitiveInformation.java:19:28:19:31 | attr | semmle.label | attr |
+| SensitiveInformation.java:20:31:20:81 | encodeToString(...) : String | semmle.label | encodeToString(...) : String |
+| SensitiveInformation.java:20:66:20:69 | attr : String | semmle.label | attr : String |
+| SensitiveInformation.java:20:66:20:80 | getBytes(...) : byte[] | semmle.label | getBytes(...) : byte[] |
+| SensitiveInformation.java:26:19:26:30 | responseBody | semmle.label | responseBody |
+subpaths
+#select
+| SensitiveInformation.java:18:26:18:55 | ... + ... | SensitiveInformation.java:17:31:17:62 | getAttribute(...) : Object | SensitiveInformation.java:18:26:18:55 | ... + ... | Sensative data is being logged $@. | SensitiveInformation.java:17:31:17:62 | getAttribute(...) | user-provided value |
+| SensitiveInformation.java:19:28:19:31 | attr | SensitiveInformation.java:17:31:17:62 | getAttribute(...) : Object | SensitiveInformation.java:19:28:19:31 | attr | Sensative data is being logged $@. | SensitiveInformation.java:17:31:17:62 | getAttribute(...) | user-provided value |
+| SensitiveInformation.java:26:19:26:30 | responseBody | SensitiveInformation.java:17:31:17:62 | getAttribute(...) : Object | SensitiveInformation.java:26:19:26:30 | responseBody | Sensative data is being logged $@. | SensitiveInformation.java:17:31:17:62 | getAttribute(...) | user-provided value |

tests/java-tests/CWE-532/SensitiveInformation.java

@@ -0,0 +1,29 @@
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.Base64;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+public class SensitiveInformation extends HttpServlet {
+    @Override
+    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        HttpSession session = request.getSession();
+        String requestBody = request.getReader().readLine();
+        session.setAttribute("username", requestBody);
+        // Do something with the request body here
+        String attr = (String)session.getAttribute("username");
+        System.out.print("Username is %s" + attr + "\n");
+        System.out.println(attr);
+        String responseBody = Base64.getEncoder().encodeToString(attr.getBytes());
+        // String responseBody = "Encoded username: " + encodedUsername;
+        response.setContentType("text/plain");
+        response.setCharacterEncoding("UTF-8");
+        response.setStatus(HttpServletResponse.SC_OK);
+        PrintWriter out = response.getWriter();
+        out.print(responseBody);
+        out.flush();
+    }
+}

tests/java-tests/CWE-532/SensitiveInformation.qlref

@@ -0,0 +1 @@
+CWE-532/SensitiveInformation.ql

tests/java-tests/CWE-532/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../codeql/java/ql/test/stubs/javax-servlet-2.5