Merge pull request #15291 from egregius313/egregius313/java/dataflow/default-sanitizers

Java: Introduce a common sanitizer type for types which cannot realistically carry taint.

Author: egregius313

java/ql/lib/change-notes/2024-01-20-introduce-simplescalarsanitizer-class-for-common-sanitizer.md

@@ -0,0 +1,5 @@
+---
+category: feature
+---
+* Added a new library `semmle.code.java.security.Sanitizers` which contains a new sanitizer class `SimpleTypeSanitizer`, which represents nodes which cannot realistically carry taint for most queries (e.g. primitives, their boxed equivalents, and numeric types).
+* Converted definitions of `isBarrier` and sanitizer classes to use `SimpleTypeSanitizer` instead of checking if `node.getType()` is `PrimitiveType` or `BoxedType`.

java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll

@@ -3,6 +3,7 @@
 import java
 private import semmle.code.java.security.Encryption
 private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.security.Sanitizers
 
 private class ShortStringLiteral extends StringLiteral {
   ShortStringLiteral() { this.getValue().length() < 100 }
@@ -27,9 +28,7 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node n) { exists(CryptoAlgoSpec c | n.asExpr() = c.getAlgoSpec()) }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 }
 
 /**

java/ql/lib/semmle/code/java/security/CommandLineQuery.qll

@@ -12,6 +12,7 @@ private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.security.CommandArguments
 private import semmle.code.java.security.ExternalProcess
+private import semmle.code.java.security.Sanitizers
 
 /** A sink for command injection vulnerabilities. */
 abstract class CommandInjectionSink extends DataFlow::Node { }
@@ -38,11 +39,7 @@ private class DefaultCommandInjectionSink extends CommandInjectionSink {
 
 private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer {
   DefaultCommandInjectionSanitizer() {
-    this.getType() instanceof PrimitiveType
-    or
-    this.getType() instanceof BoxedType
-    or
-    this.getType() instanceof NumberType
+    this instanceof SimpleTypeSanitizer
     or
     isSafeCommandArgument(this.asExpr())
   }

java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll

@@ -4,6 +4,7 @@ import java
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.ExternalProcess
 private import semmle.code.java.security.CommandArguments
+private import semmle.code.java.security.Sanitizers
 
 /** A taint-tracking configuration to reason about use of externally controlled strings to make command line commands. */
 module ExecTaintedLocalConfig implements DataFlow::ConfigSig {
@@ -12,9 +13,7 @@ module ExecTaintedLocalConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
 
   predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType
-    or
-    node.getType() instanceof BoxedType
+    node instanceof SimpleTypeSanitizer
     or
     isSafeCommandArgument(node.asExpr())
   }

java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll

@@ -4,6 +4,7 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.Networking
 import semmle.code.java.security.HttpsUrls
+private import semmle.code.java.security.Sanitizers
 
 /**
  * DEPRECATED: Use `HttpsStringToUrlOpenMethodFlow` instead.
@@ -38,9 +39,7 @@ module HttpStringToUrlOpenMethodFlowConfig implements DataFlow::ConfigSig {
     any(HttpUrlsAdditionalTaintStep c).step(node1, node2)
   }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 }
 
 /**

java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll

@@ -5,6 +5,7 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.Jndi
 import semmle.code.java.frameworks.SpringLdap
 import semmle.code.java.security.JndiInjection
+private import semmle.code.java.security.Sanitizers
 
 /**
  * DEPRECATED: Use `JndiInjectionFlow` instead.
@@ -19,8 +20,7 @@ deprecated class JndiInjectionFlowConfig extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink }
 
   override predicate isSanitizer(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType or
+    node instanceof SimpleTypeSanitizer or
     node instanceof JndiInjectionSanitizer
   }
 
@@ -38,8 +38,7 @@ module JndiInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink }
 
   predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType or
+    node instanceof SimpleTypeSanitizer or
     node instanceof JndiInjectionSanitizer
   }
 

java/ql/lib/semmle/code/java/security/LdapInjection.qll

@@ -7,6 +7,7 @@ import semmle.code.java.frameworks.UnboundId
 import semmle.code.java.frameworks.SpringLdap
 import semmle.code.java.frameworks.ApacheLdap
 private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.security.Sanitizers
 
 /** A data flow sink for unvalidated user input that is used to construct LDAP queries. */
 abstract class LdapInjectionSink extends DataFlow::Node { }
@@ -33,12 +34,7 @@ private class DefaultLdapInjectionSink extends LdapInjectionSink {
 }
 
 /** A sanitizer that clears the taint on (boxed) primitive types. */
-private class DefaultLdapSanitizer extends LdapInjectionSanitizer {
-  DefaultLdapSanitizer() {
-    this.getType() instanceof PrimitiveType or
-    this.getType() instanceof BoxedType
-  }
-}
+private class DefaultLdapSanitizer extends LdapInjectionSanitizer instanceof SimpleTypeSanitizer { }
 
 /**
  * Holds if `n1` to `n2` is a dataflow step that converts between `String` and `LdapName`,

java/ql/lib/semmle/code/java/security/LogInjection.qll

@@ -4,6 +4,7 @@ import java
 private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.controlflow.Guards
+private import semmle.code.java.security.Sanitizers
 
 /** A data flow sink for unvalidated user input that is used to log messages. */
 abstract class LogInjectionSink extends DataFlow::Node { }
@@ -30,13 +31,8 @@ private class DefaultLogInjectionSink extends LogInjectionSink {
   DefaultLogInjectionSink() { sinkNode(this, "log-injection") }
 }
 
-private class DefaultLogInjectionSanitizer extends LogInjectionSanitizer {
-  DefaultLogInjectionSanitizer() {
-    this.getType() instanceof BoxedType or
-    this.getType() instanceof PrimitiveType or
-    this.getType() instanceof NumericType
-  }
-}
+private class DefaultLogInjectionSanitizer extends LogInjectionSanitizer instanceof SimpleTypeSanitizer
+{ }
 
 private class LineBreaksLogInjectionSanitizer extends LogInjectionSanitizer {
   LineBreaksLogInjectionSanitizer() {

java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll

@@ -3,6 +3,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.OgnlInjection
+private import semmle.code.java.security.Sanitizers
 
 /**
  * DEPRECATED: Use `OgnlInjectionFlow` instead.
@@ -33,9 +34,7 @@ module OgnlInjectionFlowConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(OgnlInjectionAdditionalTaintStep c).step(node1, node2)

java/ql/lib/semmle/code/java/security/RequestForgery.qll

@@ -10,6 +10,7 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.frameworks.Properties
 private import semmle.code.java.dataflow.StringPrefixes
 private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.security.Sanitizers
 
 /**
  * A unit class for adding additional taint steps that are specific to server-side request forgery (SSRF) attacks.
@@ -59,13 +60,7 @@ private class DefaultRequestForgerySink extends RequestForgerySink {
 /** A sanitizer for request forgery vulnerabilities. */
 abstract class RequestForgerySanitizer extends DataFlow::Node { }
 
-private class PrimitiveSanitizer extends RequestForgerySanitizer {
-  PrimitiveSanitizer() {
-    this.getType() instanceof PrimitiveType or
-    this.getType() instanceof BoxedType or
-    this.getType() instanceof NumberType
-  }
-}
+private class PrimitiveSanitizer extends RequestForgerySanitizer instanceof SimpleTypeSanitizer { }
 
 private class HostnameSanitizingPrefix extends InterestingPrefix {
   int offset;