A few days ago, Apache Commons Text disclosed [CVE-2022-42889].
When I use CodeQL to query the project (https://github.com/apache/commons-text/tree/commons-text-1.8), it can't find any vulnerability in the project.
The ql file is:

```ql
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.XSS
import DataFlow::PathGraph
import DataFlow
import semmle.code.java.dataflow.internal.DataFlowImplCommon
import semmle.code.java.dataflow.TaintTracking

class SSSConfig extends TaintTracking::Configuration {
  SSSConfig() { this = "SqlInjectionLib::QueryInjectionFlowConfig" }

  // Source: the single parameter of any one-argument method named "replace"
  override predicate isSource(DataFlow::Node src) {
    exists(Callable m |
      m.hasName("replace") and
      m.getNumberOfParameters() = 1 and
      src.asParameter().getCallable() = m
    )
  }

  // Sink: any argument passed to a method named "eval"
  override predicate isSink(DataFlow::Node sink) {
    exists(MethodAccess ma |
      ma.getAnArgument() = sink.asExpr() and
      ma.getMethod().hasName("eval")
    )
  }

  override int explorationLimit() { result = 500 }
}

from SSSConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
where conf.hasFlowPath(source, sink) and conf.isSource(source.getNode())
select source.getNode().asParameter().getName(), sink
```
CodeQL can't resolve the 'lookup' function, so it can't find the 'eval' sink.

```java
protected String resolveVariable(final String variableName, final TextStringBuilder buf,
        final int startPos, final int endPos) {
    final StringLookup resolver = getStringLookup();
    if (resolver == null) {
        return null;
    }
    return resolver.lookup(variableName);
}
```
When I used resolveCall in CodeQL to debug this problem, I found that 'lookup' resolves to a summary callable.
So I found that "org.apache.commons.text.lookup.StringLookup:lookup" has been defined in Lang2Generated.qll as a SummaryModel.
When I commented out the built-in external flow, I could use CodeQL to find the 'eval' sink.
So can CodeQL add a new feature to ignore the built-in source model in the analyzed source?
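A diagnostic query for the situation described above, added here as an example and not part of the original post: it lists every call in the database whose target method both has a body in the analysed source and is covered by a built-in summary model, which is exactly the case with `StringLookup.lookup`. It assumes the `SummarizedCallable` class exported by `semmle.code.java.dataflow.FlowSummary` in the CodeQL Java library version in use.

```ql
import java
// Assumption: this module exports SummarizedCallable (a Callable that has a
// summary model, including the generated ones in Lang2Generated.qll).
import semmle.code.java.dataflow.FlowSummary

// Calls where the summary model, not the source body, drives taint tracking.
from MethodAccess ma, Method target, SummarizedCallable sc
where
  target = ma.getMethod().getSourceDeclaration() and
  // The callee is defined in the analysed source, not only in a library stub
  target.fromSource() and
  // ...and a built-in summary model exists for that same callee
  sc = target
select ma,
  "Call to " + target.getDeclaringType().getQualifiedName() + "." + target.getName() +
    " is resolved through a built-in summary model although its body is in the analysed source."
```

Running this against the commons-text database shows which calls (such as `resolver.lookup(variableName)` in `resolveVariable`) a taint-tracking configuration will step over via the model, so a missing sink can be traced to a summary rather than to the query's own source or sink definitions.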
Replies: 1 comment 1 reply
-
Thank you for your question! 🙂
There's currently no mechanism for ignoring the built-in summary models in favour of the source code being analysed. The current implementation uses various heuristics to figure out how to resolve the calls in cases like this, but these heuristics are not always perfect.
However, there is definite room for improvement here, and the team responsible for the Java analysis will be looking into ways of improving the status quo.
-
Thanks for your reply.