diff --git a/java/ql/lib/semmle/code/java/frameworks/Servlets.qll b/java/ql/lib/semmle/code/java/frameworks/Servlets.qll
index f2de51b2aab..bc080fcb48f 100644
--- a/java/ql/lib/semmle/code/java/frameworks/Servlets.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Servlets.qll
@@ -397,3 +397,7 @@ class GetServletResourceAsStreamMethod extends Method {
     this.hasName("getResourceAsStream")
   }
 }
+
+class HttpServletSession extends RefType {
+  HttpServletSession() { this.hasQualifiedName("javax.servlet.http", "HttpSession") }
+}
diff --git a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
index 39e0fb3fef1..60801fceff6 100644
--- a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
@@ -24,6 +24,8 @@ class TrustBoundaryViolationSink extends DataFlow::Node {
   TrustBoundaryViolationSink() { sinkNode(this, "trust-boundary") }
 }
 
+abstract class TrustBoundaryValidationSanitizer extends DataFlow::Node { }
+
 /**
  * Taint tracking for data that crosses a trust boundary.
  */
@@ -34,6 +36,15 @@ module TrustBoundaryConfig implements DataFlow::ConfigSig {
     n2.asExpr().(MethodAccess).getQualifier() = n1.asExpr()
   }
 
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof TrustBoundaryValidationSanitizer or
+    node.getType() instanceof HttpServletSession or
+    node.asExpr()
+        .(MethodAccess)
+        .getMethod()
+        .hasQualifiedName("javax.servlet.http", "HttpServletRequest", "getMethod")
+  }
+
   predicate isSink(DataFlow::Node sink) { sink instanceof TrustBoundaryViolationSink }
 }
diff --git a/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.qhelp b/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.qhelp
new file mode 100644
index 00000000000..2c6148129d3
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.qhelp
@@ -0,0 +1,39 @@ + + +
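Review bot: The new `HttpServletSession` class in Servlets.qll is a public library class with no QLDoc comment, and its name does not match the type it models, which is `HttpSession`, not a "servlet session". A one-line doc such as `/** The interface `javax.servlet.http.HttpSession`. */` above the class would make that explicit; if a rename is unwelcome, the doc at least removes the ambiguity. Note also that the constructor only matches the `javax.servlet.http` package; if this library models the `jakarta.servlet` namespace elsewhere (I cannot see that from this hunk), the same class should match both, e.g. `this.hasQualifiedName(["javax.servlet.http", "jakarta.servlet.http"], "HttpSession")`, otherwise the session barrier in TrustBoundaryViolationQuery.qll is silently absent for Jakarta EE code.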
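Review bot: `TrustBoundaryValidationSanitizer` is added as an abstract, undocumented extension point; since it is the only hook users have to tell this query that a value was validated, it needs a QLDoc comment saying what qualifies, otherwise extenders will guess. I would add `/** A node whose value has been validated before it crosses a trust boundary (e.g. before being stored in a session). Extend this class to add sanitizers to the trust-boundary-violation query. */` above the class. It would also help to say that subclasses are expected to be non-abstract and that an empty extension set is the default.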
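Review bot: In `isBarrier`, `node.getType() instanceof HttpServletSession` only holds when the node's declared type is exactly `HttpSession`; a session held as a container-specific class or an application wrapper implementing `HttpSession` is not a barrier, and likewise the `getMethod` clause matches only the interface method on `HttpServletRequest`, not an override on a subtype. I would widen both, e.g. `node.getType().(RefType).getAnAncestor() instanceof HttpServletSession` and walking the override chain of the matched method with the library's source-override predicate (`getASourceOverriddenMethod*()` or equivalent). Separately, treating `getMethod()` as safe is a precision trade-off worth a comment: the HTTP method token is client-supplied and many containers pass non-standard methods through unchanged, so a reader should see why it is deliberately excluded rather than assume it was missed. The enclosing `TrustBoundaryConfig` module starts outside this hunk.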

+ A trust boundary violation occurs when a value is passed from a less trusted context to a more trusted context. +

+ +

+ For example, a value that is generated by a less trusted source, such as a user, may be passed to a more trusted + source, such as a system process. If the less trusted source is malicious, then the value may be crafted to + exploit the more trusted source. +

+ +

+ Trust boundary violations are often caused by a failure to validate input. For example, if a web application + accepts a cookie from a user, then the application should validate the cookie before using it. If the cookie is + not validated, then the user may be able to craft a malicious cookie that exploits the application. +

+
+ + +

+ Validate input coming from a user. For example, if a web application accepts a cookie from a user, then the + application should validate the cookie before using it. +

+
+ + + + + +
  • + Wikipedia: Trust boundary. +
  • +
    + +
diff --git a/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java b/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
new file mode 100644
index 00000000000..5bef7e087d2
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
@@ -0,0 +1,12 @@
+import java.io.IOException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class TrustBoundaryViolations extends HttpServlet {
+  public void doGet(HttpServletRequest request, HttpServletResponse response) {
+    String input = request.getParameter("input");
+
+    request.getSession().setAttribute("input", input); // $ hasTaintFlow
+  }
+}
diff --git a/java/ql/test/query-tests/security/CWE-501/options b/java/ql/test/query-tests/security/CWE-501/options
new file mode 100644
index 00000000000..e69de29bb2d
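Review bot: The test only exercises the positive case, so the two new `isBarrier` clauses (session-typed nodes and `HttpServletRequest.getMethod()`) and the `TrustBoundaryValidationSanitizer` hook are untested and a regression in them would not be caught. I would add a negative case next to the existing sink, e.g. `request.getSession().setAttribute("method", request.getMethod()); // no flow expected`, and, if the harness allows a small sanitizer extension, a third case where the parameter passes through a validation method and is expected not to be flagged. The `java.io.IOException` import is unused since `doGet` declares no `throws` clause; either drop it or add the conventional `throws ServletException, IOException` so the test resembles real servlet code.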