Add list of constants sanitizer

owen-mc · owen-mc · commit 74a6698c4fed · 2024-07-23T15:15:05.000+01:00
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -665,3 +665,83 @@ private predicate entrypointFieldStep(DataFlow::Node src, DataFlow::Node sink) {
   ) and
   src.getType().(RefType).getSourceDeclaration() = entrypointType()
 }
+
+/**
+ * A comparison against a list of compile-time constants, sanitizing taint by
+ * restricting to a set of known values.
+ */
+class ListOfConstantsComparisonSanitizerGuard extends TaintTracking::DefaultTaintSanitizer {
+  ListOfConstantsComparisonSanitizerGuard() {
+    this = DataFlow::BarrierGuard<listOfConstantsComparisonSanitizerGuard/3>::getABarrierNode()
+  }
+}
+
+private predicate listOfConstantsComparisonSanitizerGuard(Guard g, Expr e, boolean outcome) {
+  exists(ListOfConstantsComparison locc |
+    g = locc and
+    e = locc.getExpr() and
+    outcome = locc.getOutcome()
+  )
+}
+
+/** A comparison against a list of compile-time constants. */
+abstract class ListOfConstantsComparison extends Guard {
+  Expr e;
+  boolean outcome;
+
+  ListOfConstantsComparison() {
+    exists(this) and
+    outcome = [true, false]
+  }
+
+  Expr getExpr() { result = e }
+
+  boolean getOutcome() { result = outcome }
+}
+
+/**
+ * An invocation of `java.util.List.contains` where the qualifier contains only
+ * compile-time constants.
+ */
+private class JavaUtilListOfConstantsContains extends ListOfConstantsComparison {
+  JavaUtilListOfConstantsContains() {
+    exists(MethodCall mc, Method m | mc.getMethod() = m |
+      m.hasName("contains") and
+      m.getDeclaringType().getSourceDeclaration().hasQualifiedName("java.util", "List") and
+      DataFlow::localFlow(any(JavaUtilListOfConstants loc), DataFlow::exprNode(mc.getQualifier())) and
+      this = mc and
+      e = mc.getArgument(0) and
+      outcome = true
+    )
+  }
+}
+
+/**
+ * An instance of `java.util.List` which contains only compile-time constants.
+ */
+abstract class JavaUtilListOfConstants extends DataFlow::Node { }
+
+/**
+ * An invocation of `java.util.List.of` which constructs an (immutable) list
+ * which contains only compile-time constants.
+ */
+private class JavaUtilListOfConstantsCreatedWithListOf extends JavaUtilListOfConstants {
+  JavaUtilListOfConstantsCreatedWithListOf() {
+    exists(MethodCall mc, Method m |
+      m.hasName("of") and
+      m.getDeclaringType().getSourceDeclaration().hasQualifiedName("java.util", "List") and
+      mc.getMethod() = m and
+      DataFlow::localFlow(DataFlow::exprNode(mc), this) and
+      (
+        // List<String> allowlist = List.of("a", "b", "c")
+        forall(Expr e | e = mc.getAnArgument() | e.isCompileTimeConstant())
+        or
+        // String[] a = {"a", "b", "c"};
+        // List<String> allowlist = List.of(a)
+        exists(ArrayInit arr | DataFlow::localExprFlow(arr, mc.getArgument(0)) |
+          forall(Expr e | e = arr.getAnInit() | e.isCompileTimeConstant())
+        )
+      )
+    )
+  }
+}
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected
@@ -14,9 +14,7 @@ edges
 | Test.java:60:29:60:46 | toString(...) : String | Test.java:62:47:62:61 | querySbToString | provenance |  Sink:MaD:43208 |
 | Test.java:183:33:183:45 | args : String[] | Test.java:209:47:209:68 | queryWithUserTableName | provenance |  Sink:MaD:43208 |
 | Test.java:213:34:213:46 | args : String[] | Test.java:221:81:221:111 | ... + ... | provenance |  Sink:MaD:43208 |
-| Test.java:227:32:227:44 | args : String[] | Test.java:236:48:236:52 | query | provenance |  Sink:MaD:43208 |
 | Test.java:227:32:227:44 | args : String[] | Test.java:246:48:246:52 | query | provenance |  Sink:MaD:43208 |
-| Test.java:227:32:227:44 | args : String[] | Test.java:257:48:257:52 | query | provenance |  Sink:MaD:43208 |
 | Test.java:227:32:227:44 | args : String[] | Test.java:268:48:268:52 | query | provenance |  Sink:MaD:43208 |
 | Test.java:227:32:227:44 | args : String[] | Test.java:281:48:281:52 | query | provenance |  Sink:MaD:43208 |
 | Test.java:286:26:286:38 | args : String[] | Test.java:287:11:287:14 | args : String[] | provenance |  |
@@ -48,9 +46,7 @@ nodes
 | Test.java:213:34:213:46 | args : String[] | semmle.label | args : String[] |
 | Test.java:221:81:221:111 | ... + ... | semmle.label | ... + ... |
 | Test.java:227:32:227:44 | args : String[] | semmle.label | args : String[] |
-| Test.java:236:48:236:52 | query | semmle.label | query |
 | Test.java:246:48:246:52 | query | semmle.label | query |
-| Test.java:257:48:257:52 | query | semmle.label | query |
 | Test.java:268:48:268:52 | query | semmle.label | query |
 | Test.java:281:48:281:52 | query | semmle.label | query |
 | Test.java:286:26:286:38 | args : String[] | semmle.label | args : String[] |
@@ -70,8 +66,6 @@ subpaths
 | Test.java:78:46:78:50 | query | Test.java:286:26:286:38 | args : String[] | Test.java:78:46:78:50 | query | This query depends on a $@. | Test.java:286:26:286:38 | args | user-provided value |
 | Test.java:209:47:209:68 | queryWithUserTableName | Test.java:286:26:286:38 | args : String[] | Test.java:209:47:209:68 | queryWithUserTableName | This query depends on a $@. | Test.java:286:26:286:38 | args | user-provided value |
 | Test.java:221:81:221:111 | ... + ... | Test.java:286:26:286:38 | args : String[] | Test.java:221:81:221:111 | ... + ... | This query depends on a $@. | Test.java:286:26:286:38 | args | user-provided value |
-| Test.java:236:48:236:52 | query | Test.java:286:26:286:38 | args : String[] | Test.java:236:48:236:52 | query | This query depends on a $@. | Test.java:286:26:286:38 | args | user-provided value |
 | Test.java:246:48:246:52 | query | Test.java:286:26:286:38 | args : String[] | Test.java:246:48:246:52 | query | This query depends on a $@. | Test.java:286:26:286:38 | args | user-provided value |
-| Test.java:257:48:257:52 | query | Test.java:286:26:286:38 | args : String[] | Test.java:257:48:257:52 | query | This query depends on a $@. | Test.java:286:26:286:38 | args | user-provided value |
 | Test.java:268:48:268:52 | query | Test.java:286:26:286:38 | args : String[] | Test.java:268:48:268:52 | query | This query depends on a $@. | Test.java:286:26:286:38 | args | user-provided value |
 | Test.java:281:48:281:52 | query | Test.java:286:26:286:38 | args : String[] | Test.java:281:48:281:52 | query | This query depends on a $@. | Test.java:286:26:286:38 | args | user-provided value |
