Add CodeQL workspace and lock files

Author: Alvaro Muñoz

codeql-workspace.yml

@@ -0,0 +1,2 @@
+provide:
+- java/**/qlpack.yml

java/ext/library_sources/codeql-pack.lock.yml

@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false

java/ext/models/codeql-pack.lock.yml

@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false

java/lib/.codeql/pack/githubsecuritylab/java-lib/0.0.1/ResearchMode.qll

@@ -0,0 +1,118 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.FlowSteps
+import semmle.code.java.dataflow.ExternalFlow
+
+/**
+ * Taintsteps to enable this -> read flow
+ * eg: this.field
+ */
+class FieldReadTaintStep extends TaintTracking::AdditionalTaintStep {
+  override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+    exists(FieldRead fa |
+      n1 = DataFlow::getFieldQualifier(fa) and
+      n2.asExpr() = fa
+    )
+  }
+}
+
+/**
+ * Treats a field write as a jump step (one that discards calling context, and supposes that probably at some point a read step takes place)
+ */
+class FieldTaintStep extends TaintTracking::AdditionalTaintStep {
+  override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+    // From field write to read
+    exists(Field f, RefType t |
+      n1.asExpr() = f.getAnAssignedValue() and
+      n2.asExpr() = f.getAnAccess() and
+      n1.asExpr().getEnclosingCallable().getDeclaringType() = t and
+      n2.asExpr().getEnclosingCallable().getDeclaringType() = t
+    )
+  }
+}
+
+/**
+ * Create jump steps for methods connected by the wait/notify pattern
+ */
+class NotifyWaitTaintStep extends TaintTracking::AdditionalTaintStep {
+  override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+    exists(
+      MethodAccess notify, RefType t, MethodAccess wait, SynchronizedStmt notifySync,
+      SynchronizedStmt waitSync
+    |
+      notify.getMethod().getName() = ["notify", "notifyAll"] and
+      notify.getAnEnclosingStmt() = notifySync and
+      notifySync.getExpr().getType() = t and
+      wait.getMethod().getName() = "wait" and
+      wait.getAnEnclosingStmt() = waitSync and
+      waitSync.getExpr().getType() = t and
+      exists(AssignExpr write, FieldAccess read, Field f |
+        write.getAnEnclosingStmt() = notifySync and
+        write.getDest().(FieldAccess).getField() = f and
+        write = n1.asExpr() and
+        read.getAnEnclosingStmt() = waitSync and
+        read.getField() = f and
+        read = n2.asExpr()
+      )
+    )
+  }
+}
+
+/**
+ * Convey taint from the argument of a method call that can throw an exception
+ * to the exception variable in the correspondinf catch block
+ */
+class ExceptionTaintStep extends TaintTracking::AdditionalTaintStep {
+  override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+    exists(Call call, TryStmt t, CatchClause c, MethodAccess gm |
+      call.getEnclosingStmt().getEnclosingStmt*() = t.getBlock() and
+      t.getACatchClause() = c and
+      (
+        call.getCallee().getAThrownExceptionType().getASubtype*() = c.getACaughtType() or
+        c.getACaughtType().getASupertype*() instanceof TypeRuntimeException
+      ) and
+      c.getVariable().getAnAccess() = gm.getQualifier() and
+      gm.getMethod().getName().regexpMatch("get(Localized)?Message|toString") and
+      n1.asExpr() = call.getAnArgument() and
+      n2.asExpr() = gm
+    )
+  }
+}
+
+/**
+ * Convey taint from globally tainted objects to their fields
+ */
+private class GetterTaintStep extends TaintTracking::AdditionalTaintStep {
+  override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+    exists(MethodAccess ma, Method m |
+      ma.getMethod() = m and
+      m.getName().matches("get%") and
+      m.getNumberOfParameters() = 0 and
+      n1.asExpr() = ma.getQualifier() and
+      n2.asExpr() = ma
+    )
+  }
+}
+/*
+ * private class SetterTaintStep extends TaintTracking::AdditionalTaintStep {
+ *  override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+ *    exists(MethodAccess ma, Method m |
+ *      ma.getMethod() = m and
+ *      m.getName().matches("set%") and
+ *      m.getNumberOfParameters() = 1 and
+ *      ma.getEnclosingCallable().getDeclaringType().getName().matches("%Factory") and
+ *      n1.asExpr() = ma.getArgument(0) and
+ *      n2.asExpr() = ma.getQualifier()
+ *    )
+ *  }
+ * }
+ *
+ * class GlobalSanitizer extends TaintTracking::Sanitizer {
+ *  override predicate sanitize(DataFlow::Node node) {
+ *    node.asExpr().(MethodAccess).getMethod().hasName("getInputStream") or
+ *    node.asExpr().(MethodAccess).getMethod().hasName("getHostName")
+ *  }
+ * }
+ */
+

java/lib/.codeql/pack/githubsecuritylab/java-lib/0.0.1/applications/Dubbo.qll

@@ -0,0 +1,128 @@
+import java
+import semmle.code.java.dataflow.FlowSteps
+import semmle.code.java.dataflow.FlowSources
+
+module Dubbo {
+  class ConfigListener extends RemoteFlowSource {
+    ConfigListener() {
+      exists(Method m, Parameter p, Interface c |
+        this.asParameter() = p and
+        m.getAParameter() = p and
+        m.isPublic() and
+        c = m.getDeclaringType().getASourceSupertype*() and
+        c.getName() = ["NotifyListener", "ConfigurationListener"] and
+        m.overridesOrInstantiates(c.getAMethod()) and
+        not m.getDeclaringType().getLocation().getFile().getAbsolutePath().matches("%/src/test/%")
+      )
+    }
+
+    override string getSourceType() { result = "Config Listener Source" }
+  }
+
+  class CodecSupportGetPayload extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+      exists(MethodAccess ma |
+        ma.getMethod()
+            .getDeclaringType()
+            .hasQualifiedName("org.apache.dubbo.remoting.transport", "CodecSupport") and
+        ma.getMethod().hasName("getPayload") and
+        n1.asExpr() = ma.getArgument(0) and
+        n2.asExpr() = ma
+      )
+    }
+  }
+
+  class CodecSupportDeserialize extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+      exists(MethodAccess ma |
+        ma.getMethod()
+            .getDeclaringType()
+            .hasQualifiedName("org.apache.dubbo.remoting.transport", "CodecSupport") and
+        ma.getMethod().hasName("deserialize") and
+        n1.asExpr() = ma.getArgument(1) and
+        n2.asExpr() = ma
+      )
+    }
+  }
+
+  class ChannelBufferInputStreamInit extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+      exists(ClassInstanceExpr ma |
+        ma.getConstructedType()
+            .hasQualifiedName("org.apache.dubbo.remoting.buffer", "ChannelBufferInputStream") and
+        n1.asExpr() = ma.getArgument(0) and
+        n2.asExpr() = ma
+      )
+    }
+  }
+
+  class ChannelBuffer_ThisReturn_TaintStep extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+      exists(MethodAccess ma |
+        ma.getMethod()
+            .getDeclaringType()
+            .getASourceSupertype*()
+            .hasQualifiedName("org.apache.dubbo.remoting.buffer", "ChannelBuffer") and
+        ma.getMethod().getName().matches(["array", "getByte", "readByte", "toByteBuffer"]) and
+        n1.asExpr() = ma.getQualifier() and
+        n2.asExpr() = ma
+      )
+    }
+  }
+
+  class ChannelBuffer_ThisArg1_TaintStep extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+      exists(MethodAccess ma |
+        ma.getMethod()
+            .getDeclaringType()
+            .getASourceSupertype*()
+            .hasQualifiedName("org.apache.dubbo.remoting.buffer", "ChannelBuffer") and
+        ma.getMethod().getName().matches("getBytes") and
+        n1.asExpr() = ma.getQualifier() and
+        n2.asExpr() = ma.getArgument(1)
+      )
+    }
+  }
+
+  class ChannelBuffer_ThisArg0_TaintStep extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+      exists(MethodAccess ma |
+        ma.getMethod()
+            .getDeclaringType()
+            .getASourceSupertype*()
+            .hasQualifiedName("org.apache.dubbo.remoting.buffer", "ChannelBuffer") and
+        ma.getMethod().getName().matches("readBytes") and
+        n1.asExpr() = ma.getQualifier() and
+        n2.asExpr() = ma.getArgument(0)
+      )
+    }
+  }
+
+  class ChannelBuffer_ArgThis1_TaintStep extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+      exists(MethodAccess ma |
+        ma.getMethod()
+            .getDeclaringType()
+            .getASourceSupertype*()
+            .hasQualifiedName("org.apache.dubbo.remoting.buffer", "ChannelBuffer") and
+        ma.getMethod().getName().matches("setBytes") and
+        n1.asExpr() = ma.getArgument(1) and
+        n2.asExpr() = ma.getQualifier()
+      )
+    }
+  }
+
+  class ChannelBuffer_ArgThis0_TaintStep extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+      exists(MethodAccess ma |
+        ma.getMethod()
+            .getDeclaringType()
+            .getASourceSupertype*()
+            .hasQualifiedName("org.apache.dubbo.remoting.buffer", "ChannelBuffer") and
+        ma.getMethod().getName().matches("writeBytes") and
+        n1.asExpr() = ma.getArgument(1) and
+        n2.asExpr() = ma.getQualifier()
+      )
+    }
+  }
+}

java/lib/.codeql/pack/githubsecuritylab/java-lib/0.0.1/applications/Nacos.qll

@@ -0,0 +1,16 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+
+class GrpcRequest extends RemoteFlowSource {
+  GrpcRequest() {
+    exists(Method m |
+      m.getName() = "handleRequest" and
+      m.getDeclaringType()
+          .getASourceSupertype*()
+          .hasQualifiedName("com.alipay.sofa.jraft.rpc", "RpcProcessor") and
+      m.getParameter(1) = this.asParameter()
+    )
+  }
+
+  override string getSourceType() { result = "gRPC Form Field" }
+}

java/lib/.codeql/pack/githubsecuritylab/java-lib/0.0.1/applications/OneDev.qll

@@ -0,0 +1,21 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+
+class OneDevEditableField extends RemoteFlowSource {
+  OneDevEditableField() {
+    exists(Method getter, Method setter |
+      getter
+          .getAnAnnotation()
+          .getType()
+          .hasQualifiedName("io.onedev.server.web.editable.annotation", "Editable") and
+      getter.getDeclaringType() = setter.getDeclaringType() and
+      getter.getName().matches("get%") and
+      setter.getName().matches("set%") and
+      setter.getName().substring(1, setter.getName().length()) =
+        getter.getName().substring(1, getter.getName().length()) and
+      setter.getAParameter() = this.asParameter()
+    )
+  }
+
+  override string getSourceType() { result = "OneDev Form Field" }
+}

java/lib/.codeql/pack/githubsecuritylab/java-lib/0.0.1/frameworks/GoogleGuavaCache.qll

@@ -0,0 +1,54 @@
+import semmle.code.java.dataflow.TaintTracking
+
+module GuavaCache {
+  class TypeCacheBuilder extends RefType {
+    TypeCacheBuilder() { this.hasQualifiedName("com.google.common.cache", "CacheBuilder") }
+  }
+
+  class TypeLoadingCache extends RefType {
+    TypeLoadingCache() { this.hasQualifiedName("com.google.common.cache", "LoadingCache") }
+  }
+
+  class GetFromCacheMethod extends Method {
+    GetFromCacheMethod() {
+      this.getDeclaringType().getASourceSupertype*() instanceof TypeLoadingCache and
+      (this.getName() = "get" or this.getName() = "getUnchecked")
+    }
+  }
+
+  class BuildCacheLoaderMethod extends Method {
+    BuildCacheLoaderMethod() {
+      this.getDeclaringType().getASourceSupertype*() instanceof TypeCacheBuilder and
+      this.getName() = "build"
+    }
+  }
+
+  /**
+   * Taint step from the `get` operation to the loader
+   * CacheLoader<String, String> loader;
+   * loader = new CacheLoader<String, String>() {
+   *
+   * @Override public String load(String key) {
+   *         return key.toUpperCase(); // N2
+   *     }
+   * };
+   * LoadingCache<String, String> cache;
+   * cache = CacheBuilder.newBuilder().build(loader);
+   * assertEquals("HELLO", cache.getUnchecked("doo")); // N1
+   */
+  class LoadCacheItemTaintStep extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+      exists(MethodAccess ma1, MethodAccess ma2, VarAccess va |
+        ma1.getMethod() instanceof GetFromCacheMethod and
+        ma2.getMethod() instanceof BuildCacheLoaderMethod and
+        exists(Method m |
+          ma2.getArgument(0).getType().(RefType).getAMethod() = m and
+          m.getName() = "load" and
+          m.getAParameter() = va.getVariable() and
+          n1.asExpr() = ma1.getArgument(0) and
+          n2.asExpr() = va
+        )
+      )
+    }
+  }
+}