Java: Make taint-tracking queries speculative

I've considered every query in the code-scanning suite (high-precision
security queries).

Taint-tracking queries made speculative:
- java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
- java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
- java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql
- java/ql/src/Security/CWE/CWE-074/JndiInjection.ql
- java/ql/src/Security/CWE/CWE-074/XsltInjection.ql
- java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
- java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
- java/ql/src/Security/CWE/CWE-079/XSS.ql
- java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
- java/ql/src/Security/CWE/CWE-090/LdapInjection.ql
- java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql
- java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
- java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
- java/ql/src/Security/CWE/CWE-094/MvelInjection.ql
- java/ql/src/Security/CWE/CWE-094/SpelInjection.ql
- java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql
- java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
- java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql
- java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
- java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql
- java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
- java/ql/src/Security/CWE/CWE-330/InsecureRandomness.ql
- java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql
- java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql
- java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
- java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql
- java/ql/src/Security/CWE/CWE-552/UrlForward.ql
- java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
- java/ql/src/Security/CWE/CWE-611/XXE.ql
- java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
- java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
- java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql
- java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
- java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql
- java/ql/src/Security/CWE/CWE-918/RequestForgery.ql
- java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql
- java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql

Skipped because they're problem queries, not path-problem, even though
they use taint tracking:
- java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
- java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql
- java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql
- java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql
- java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql

Skipped because they use data flow, not taint tracking
- java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql
- java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
- java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
- java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql
- java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
- java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql
- java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
- java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql

java/ql/lib/Customizations.qll

@@ -10,3 +10,6 @@
  */
 
 import java
+
+// For the hackathon, make speculative data flow tunable from a central location
+int speculativity() { result = 5 }

java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll

@@ -23,7 +23,8 @@ module IntentRedirectionConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks the flow of tainted Intents being used to start Android components. */
-module IntentRedirectionFlow = TaintTracking::Global<IntentRedirectionConfig>;
+module IntentRedirectionFlow =
+  TaintTracking::SpeculativeGlobal<IntentRedirectionConfig, speculativity/0>;
 
 /**
  * A sanitizer for sinks that receive the original incoming Intent,

java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll

@@ -36,4 +36,4 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow for use of broken or risky cryptographic algorithms.
  */
-module InsecureCryptoFlow = TaintTracking::Global<InsecureCryptoConfig>;
+module InsecureCryptoFlow = TaintTracking::SpeculativeGlobal<InsecureCryptoConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/CommandLineQuery.qll

@@ -68,7 +68,8 @@ deprecated module RemoteUserInputToArgumentToExecFlowConfig = InputToArgumentToE
 /**
  * Taint-tracking flow for unvalidated input that is used to run an external process.
  */
-module InputToArgumentToExecFlow = TaintTracking::Global<InputToArgumentToExecFlowConfig>;
+module InputToArgumentToExecFlow =
+  TaintTracking::SpeculativeGlobal<InputToArgumentToExecFlowConfig, speculativity/0>;
 
 /**
  * DEPRECATED: Use `InputToArgumentToExecFlow` instead.

java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll

@@ -31,4 +31,4 @@ module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {
  * Taint-tracking flow for externally controlled format string vulnerabilities.
  */
 module ExternallyControlledFormatStringFlow =
-  TaintTracking::Global<ExternallyControlledFormatStringConfig>;
+  TaintTracking::SpeculativeGlobal<ExternallyControlledFormatStringConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll

@@ -25,4 +25,5 @@ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
  * Taint-tracking flow for unsafe user input
  * that is used to create Android fragments dynamically.
  */
-module FragmentInjectionTaintFlow = TaintTracking::Global<FragmentInjectionTaintConfig>;
+module FragmentInjectionTaintFlow =
+  TaintTracking::SpeculativeGlobal<FragmentInjectionTaintConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll

@@ -25,4 +25,5 @@ module GroovyInjectionConfig implements DataFlow::ConfigSig {
  * Detect taint flow of unsafe user input
  * that is used to evaluate a Groovy expression.
  */
-module GroovyInjectionFlow = TaintTracking::Global<GroovyInjectionConfig>;
+module GroovyInjectionFlow =
+  TaintTracking::SpeculativeGlobal<GroovyInjectionConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll

@@ -53,4 +53,4 @@ module ImplicitPendingIntentStartConfig implements DataFlow::StateConfigSig {
 }
 
 module ImplicitPendingIntentStartFlow =
-  TaintTracking::GlobalWithState<ImplicitPendingIntentStartConfig>;
+  TaintTracking::SpeculativeGlobalWithState<ImplicitPendingIntentStartConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll

@@ -54,7 +54,7 @@ module BeanValidationConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow from user input to the argument of a method that builds constraint error messages. */
-module BeanValidationFlow = TaintTracking::Global<BeanValidationConfig>;
+module BeanValidationFlow = TaintTracking::SpeculativeGlobal<BeanValidationConfig, speculativity/0>;
 
 /**
  * A bean validation sink, such as method `buildConstraintViolationWithTemplate`

java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll

@@ -26,7 +26,8 @@ module InsecureLdapUrlConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 }
 
-module InsecureLdapUrlFlow = TaintTracking::Global<InsecureLdapUrlConfig>;
+module InsecureLdapUrlFlow =
+  TaintTracking::SpeculativeGlobal<InsecureLdapUrlConfig, speculativity/0>;
 
 /**
  * A taint-tracking configuration for `simple` basic-authentication in LDAP configuration.

java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll

@@ -103,4 +103,5 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow of a Insecurely random value into a sensitive sink.
  */
-module InsecureRandomnessFlow = TaintTracking::Global<InsecureRandomnessConfig>;
+module InsecureRandomnessFlow =
+  TaintTracking::SpeculativeGlobal<InsecureRandomnessConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll

@@ -31,4 +31,4 @@ module IntentUriPermissionManipulationConfig implements DataFlow::ConfigSig {
  * Taint tracking flow for user-provided Intents being returned to third party apps.
  */
 module IntentUriPermissionManipulationFlow =
-  TaintTracking::Global<IntentUriPermissionManipulationConfig>;
+  TaintTracking::SpeculativeGlobal<IntentUriPermissionManipulationConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll

@@ -59,7 +59,7 @@ module JexlInjectionConfig implements DataFlow::ConfigSig {
  * Tracks unsafe user input that is used to construct and evaluate a JEXL expression.
  * It supports both JEXL 2 and 3.
  */
-module JexlInjectionFlow = TaintTracking::Global<JexlInjectionConfig>;
+module JexlInjectionFlow = TaintTracking::SpeculativeGlobal<JexlInjectionConfig, speculativity/0>;
 
 /**
  * Holds if `n1` to `n2` is a dataflow step that creates a JEXL script using an unsafe engine

java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll

@@ -28,7 +28,8 @@ module JndiInjectionFlowConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow of unvalidated user input that is used in JNDI lookup */
-module JndiInjectionFlow = TaintTracking::Global<JndiInjectionFlowConfig>;
+module JndiInjectionFlow =
+  TaintTracking::SpeculativeGlobal<JndiInjectionFlowConfig, speculativity/0>;
 
 /**
  * A method that does a JNDI lookup when it receives a `SearchControls` argument with `setReturningObjFlag` = `true`

java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll

@@ -22,4 +22,4 @@ module LdapInjectionFlowConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow from remote sources to LDAP injection vulnerabilities. */
-module LdapInjectionFlow = TaintTracking::Global<LdapInjectionFlowConfig>;
+module LdapInjectionFlow = TaintTracking::SpeculativeGlobal<LdapInjectionFlowConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll

@@ -24,4 +24,5 @@ module MvelInjectionFlowConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a MVEL expression. */
-module MvelInjectionFlow = TaintTracking::Global<MvelInjectionFlowConfig>;
+module MvelInjectionFlow =
+  TaintTracking::SpeculativeGlobal<MvelInjectionFlowConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll

@@ -109,7 +109,7 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow for user input that is used in a numeric cast.
  */
-module NumericCastFlow = TaintTracking::Global<NumericCastFlowConfig>;
+module NumericCastFlow = TaintTracking::SpeculativeGlobal<NumericCastFlowConfig, speculativity/0>;
 
 /**
  * A taint-tracking configuration for reasoning about local user input that is

java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll

@@ -23,4 +23,5 @@ module OgnlInjectionFlowConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow of unvalidated user input that is used in OGNL EL evaluation. */
-module OgnlInjectionFlow = TaintTracking::Global<OgnlInjectionFlowConfig>;
+module OgnlInjectionFlow =
+  TaintTracking::SpeculativeGlobal<OgnlInjectionFlowConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll

@@ -23,4 +23,4 @@ module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig {
 
 /** Tracks flow of unsafe user input that is used to validate against path traversal, but is insufficient and remains vulnerable to Partial Path Traversal. */
 module PartialPathTraversalFromRemoteFlow =
-  TaintTracking::Global<PartialPathTraversalFromRemoteConfig>;
+  TaintTracking::SpeculativeGlobal<PartialPathTraversalFromRemoteConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll

@@ -32,4 +32,4 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 }
 
-module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>;
+module RequestForgeryFlow = TaintTracking::SpeculativeGlobal<RequestForgeryConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll

@@ -38,4 +38,5 @@ module ResponseSplittingConfig implements DataFlow::ConfigSig {
 /**
  * Tracks flow from remote sources to response splitting vulnerabilities.
  */
-module ResponseSplittingFlow = TaintTracking::Global<ResponseSplittingConfig>;
+module ResponseSplittingFlow =
+  TaintTracking::SpeculativeGlobal<ResponseSplittingConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll

@@ -23,7 +23,7 @@ module SpelInjectionConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a SpEL expression. */
-module SpelInjectionFlow = TaintTracking::Global<SpelInjectionConfig>;
+module SpelInjectionFlow = TaintTracking::SpeculativeGlobal<SpelInjectionConfig, speculativity/0>;
 
 /** Default sink for SpEL injection vulnerabilities. */
 private class DefaultSpelExpressionEvaluationSink extends SpelExpressionEvaluationSink {

java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll

@@ -27,7 +27,7 @@ module QueryInjectionFlowConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow of unvalidated user input that is used in SQL queries. */
-module QueryInjectionFlow = TaintTracking::Global<QueryInjectionFlowConfig>;
+module QueryInjectionFlow = TaintTracking::SpeculativeGlobal<QueryInjectionFlowConfig, speculativity/0>;
 
 /**
  * Implementation of `SqlTainted.ql`. This is extracted to a QLL so that it

java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll

@@ -131,4 +131,5 @@ module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks the flow from a static initialization vector to the initialization of a cipher */
-module StaticInitializationVectorFlow = TaintTracking::Global<StaticInitializationVectorConfig>;
+module StaticInitializationVectorFlow =
+  TaintTracking::SpeculativeGlobal<StaticInitializationVectorConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll

@@ -77,7 +77,7 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow from remote sources to the creation of a path. */
-module TaintedPathFlow = TaintTracking::Global<TaintedPathConfig>;
+module TaintedPathFlow = TaintTracking::SpeculativeGlobal<TaintedPathConfig, speculativity/0>;
 
 /**
  * A taint-tracking configuration for tracking flow from local user input to the creation of a path.

java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll

@@ -21,4 +21,4 @@ module TemplateInjectionFlowConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks server-side template injection (SST) vulnerabilities */
-module TemplateInjectionFlow = TaintTracking::Global<TemplateInjectionFlowConfig>;
+module TemplateInjectionFlow = TaintTracking::SpeculativeGlobal<TemplateInjectionFlowConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll

@@ -25,4 +25,5 @@ module UnsafeContentResolutionConfig implements DataFlow::ConfigSig {
 }
 
 /** Taint-tracking flow to find paths from remote sources to content URI resolutions. */
-module UnsafeContentResolutionFlow = TaintTracking::Global<UnsafeContentResolutionConfig>;
+module UnsafeContentResolutionFlow =
+  TaintTracking::SpeculativeGlobal<UnsafeContentResolutionConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll

@@ -329,7 +329,10 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 }
 
-module UnsafeDeserializationFlow = TaintTracking::Global<UnsafeDeserializationConfig>;
+int speculationLimit() { result = 10 }
+
+module UnsafeDeserializationFlow =
+  TaintTracking::SpeculativeGlobal<UnsafeDeserializationConfig, speculationLimit/0>;
 
 /**
  * Gets a safe usage of the `use` method of Flexjson, which could be:

java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll

@@ -202,4 +202,4 @@ module UrlForwardFlowConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow for URL forwarding.
  */
-module UrlForwardFlow = TaintTracking::Global<UrlForwardFlowConfig>;
+module UrlForwardFlow = TaintTracking::SpeculativeGlobal<UrlForwardFlowConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll

@@ -20,4 +20,4 @@ module UrlRedirectConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow for URL redirections.
  */
-module UrlRedirectFlow = TaintTracking::Global<UrlRedirectConfig>;
+module UrlRedirectFlow = TaintTracking::SpeculativeGlobal<UrlRedirectConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll

@@ -19,4 +19,4 @@ module XPathInjectionConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow for XPath injection vulnerabilities.
  */
-module XPathInjectionFlow = TaintTracking::Global<XPathInjectionConfig>;
+module XPathInjectionFlow = TaintTracking::SpeculativeGlobal<XPathInjectionConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll

@@ -27,7 +27,8 @@ module XsltInjectionFlowConfig implements DataFlow::ConfigSig {
 /**
  * Tracks flow from unvalidated user input to XSLT transformation.
  */
-module XsltInjectionFlow = TaintTracking::Global<XsltInjectionFlowConfig>;
+module XsltInjectionFlow =
+  TaintTracking::SpeculativeGlobal<XsltInjectionFlowConfig, speculativity/0>;
 
 /**
  * A set of additional taint steps to consider when taint tracking XSLT related data flows.

java/ql/lib/semmle/code/java/security/XssQuery.qll

@@ -25,4 +25,4 @@ module XssConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow from remote sources to cross site scripting vulnerabilities. */
-module XssFlow = TaintTracking::Global<XssConfig>;
+module XssFlow = TaintTracking::SpeculativeGlobal<XssConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll

@@ -25,4 +25,4 @@ module XxeConfig implements DataFlow::ConfigSig {
 /**
  * Detect taint flow of unvalidated remote user input that is used in XML external entity expansion.
  */
-module XxeFlow = TaintTracking::Global<XxeConfig>;
+module XxeFlow = TaintTracking::SpeculativeGlobal<XxeConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll

@@ -48,7 +48,7 @@ module ZipSlipConfig implements DataFlow::ConfigSig {
 }
 
 /** Tracks flow from archive entries to file creation. */
-module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;
+module ZipSlipFlow = TaintTracking::SpeculativeGlobal<ZipSlipConfig, speculativity/0>;
 
 /**
  * A sink that represents a file creation, such as a file write, copy or move operation.

java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll

@@ -49,4 +49,5 @@ module PolynomialRedosConfig implements DataFlow::ConfigSig {
   }
 }
 
-module PolynomialRedosFlow = TaintTracking::Global<PolynomialRedosConfig>;
+module PolynomialRedosFlow =
+  TaintTracking::SpeculativeGlobal<PolynomialRedosConfig, speculativity/0>;

java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll

@@ -21,4 +21,4 @@ module RegexInjectionConfig implements DataFlow::ConfigSig {
 /**
  * Taint-tracking flow for untrusted user input used to construct regular expressions.
  */
-module RegexInjectionFlow = TaintTracking::Global<RegexInjectionConfig>;
+module RegexInjectionFlow = TaintTracking::SpeculativeGlobal<RegexInjectionConfig, speculativity/0>;