Trust Boundary Work

2023-07-19 16:39:09 -04:00 · 2023-07-19 16:39:09 -04:00 · f58590c6a9
--- a/java/ql/lib/semmle/code/java/frameworks/Servlets.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Servlets.qll
@ -397,3 +397,7 @@ class GetServletResourceAsStreamMethod extends Method {
    this.hasName("getResourceAsStream")
  }
 }
+
+class HttpServletSession extends RefType {
+  HttpServletSession() { this.hasQualifiedName("javax.servlet.http", "HttpSession") }
+}
--- a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
@ -24,6 +24,8 @@ class TrustBoundaryViolationSink extends DataFlow::Node {
  TrustBoundaryViolationSink() { sinkNode(this, "trust-boundary") }
 }

+abstract class TrustBoundaryValidationSanitizer extends DataFlow::Node { }
+
 /**
 * Taint tracking for data that crosses a trust boundary.
 */
@ -34,6 +36,15 @@ module TrustBoundaryConfig implements DataFlow::ConfigSig {
    n2.asExpr().(MethodAccess).getQualifier() = n1.asExpr()
  }

+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof TrustBoundaryValidationSanitizer or
+    node.getType() instanceof HttpServletSession or
+    node.asExpr()
+        .(MethodAccess)
+        .getMethod()
+        .hasQualifiedName("javax.servlet.http", "HttpServletRequest", "getMethod")
+  }
+
  predicate isSink(DataFlow::Node sink) { sink instanceof TrustBoundaryViolationSink }
 }

--- a/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.qhelp
+++ b/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.qhelp
@ -0,0 +1,39 @@
+<!DOCTYPE qhelp PUBLIC
+ "-//Semmle//qhelp//EN"
+ "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      A trust boundary violation occurs when a value is passed from a less trusted context to a more trusted context.
+    </p>
+    
+    <p>
+      For example, a value that is generated by a less trusted source, such as a user, may be passed to a more trusted
+      source, such as a system process. If the less trusted source is malicious, then the value may be crafted to
+      exploit the more trusted source.
+    </p>
+
+    <p>
+      Trust boundary violations are often caused by a failure to validate input. For example, if a web application
+      accepts a cookie from a user, then the application should validate the cookie before using it. If the cookie is
+      not validated, then the user may be able to craft a malicious cookie that exploits the application.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>
+      Validate input coming from a user. For example, if a web application accepts a cookie from a user, then the
+      application should validate the cookie before using it.
+    </p>
+  </recommendation>
+
+  <example>
+  </example>
+
+  <references>
+    <li>
+      Wikipedia: <a href="http://en.wikipedia.org/wiki/Trust_boundary">Trust boundary</a>.
+    </li>
+  </references>
+
+</qhelp>
--- a/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
+++ b/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
@ -0,0 +1,12 @@
+import java.io.IOException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class TrustBoundaryViolations extends HttpServlet {
+    public void doGet(HttpServletRequest request, HttpServletResponse response) {
+        String input = request.getParameter("input");
+
+        request.getSession().setAttribute("input", input); // $ hasTaintFlow
+    }
+}
--- a/java/ql/test/query-tests/security/CWE-501/options
+++ b/java/ql/test/query-tests/security/CWE-501/options