forked from github/codeql
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathValidation.qll
More file actions
80 lines (74 loc) · 2.54 KB
/
Validation.qll
File metadata and controls
80 lines (74 loc) · 2.54 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
import semmle.code.java.Expr
import semmle.code.java.dataflow.SSA
import semmle.code.java.controlflow.Guards
bindingset[result, i]
private int unbindInt(int i) { i <= result and i >= result }
/** Holds if the method `method` validates its `arg`-th argument in some way. */
predicate validationMethod(Method method, int arg) {
// The method examines the contents of the string argument.
exists(Parameter param, VarAccess paramRef, MethodAccess call |
method.getParameter(arg) = param and
param.getType() instanceof TypeString and
paramRef.getVariable() = param and
call.getQualifier() = paramRef and
(
call.getMethod().getName() = "contains" or
call.getMethod().getName() = "charAt"
)
)
or
// The method calls another one that verifies the argument.
exists(Parameter param, MethodAccess call, int recursiveArg |
method.getParameter(arg) = param and
call.getArgument(recursiveArg) = param.getAnAccess() and
validationMethod(call.getMethod(), unbindInt(recursiveArg))
)
}
private predicate validationCall(MethodAccess ma, VarAccess va) {
exists(int arg | validationMethod(ma.getMethod(), arg) and ma.getArgument(arg) = va)
}
private predicate validatedAccess(VarAccess va) {
exists(SsaVariable v, MethodAccess guardcall |
va = v.getAUse() and
validationCall(guardcall, v.getAUse())
|
guardcall.(Guard).controls(va.getBasicBlock(), _)
or
exists(ControlFlowNode node |
guardcall.getMethod().getReturnType() instanceof VoidType and
guardcall.getControlFlowNode() = node
|
exists(BasicBlock succ |
succ = node.getANormalSuccessor() and
dominatingEdge(node.getBasicBlock(), succ) and
succ.bbDominates(va.getBasicBlock())
)
or
exists(BasicBlock bb, int i |
bb.getNode(i) = node and
bb.getNode(i + 1) = node.getANormalSuccessor()
|
bb.bbStrictlyDominates(va.getBasicBlock()) or
bb.getNode(any(int j | j > i)) = va
)
)
)
}
/** A variable access that is guarded by a string verification method. */
class ValidatedVariableAccess extends VarAccess {
ValidatedVariableAccess() { validatedAccess(this) }
}
/**
* DEPRECATED: Use ValidatedVariableAccess instead.
*
* A variable that is ever passed to a string verification method.
*/
deprecated class ValidatedVariable extends Variable {
ValidatedVariable() {
exists(MethodAccess call, int arg, VarAccess access |
validationMethod(call.getMethod(), arg) and
call.getArgument(arg) = access and
access.getVariable() = this
)
}
}