Java: Diff-informed information leak queries

jbj · jbj · commit a2fd4eee275c · 2025-02-07T14:58:59.000+01:00
diff --git a/java/ql/lib/semmle/code/java/security/InformationLeak.qll b/java/ql/lib/semmle/code/java/security/InformationLeak.qll
@@ -5,13 +5,44 @@ import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.security.XSS
 
-/** A sink that represent a method that outputs data to an HTTP response. */
-abstract class InformationLeakSink extends DataFlow::Node { }
+/**
+ * A sink that represent a method that outputs data to an HTTP response. Extend
+ * this class to add more sinks that should be considered information leak
+ * points by every query. To find the full set of information-leak sinks, use
+ * `InformationLeakSink` instead.
+ */
+abstract class AbstractInformationLeakSink extends DataFlow::Node { }
+
+/**
+ * A sink that represent a method that outputs data to an HTTP response. To add
+ * more sinks, extend `AbstractInformationLeakSink` rather than this class.
+ */
+final class InformationLeakSink extends DataFlow::Node instanceof InformationLeakDiffInformed<xssNotDiffInformed/0>::InformationLeakSink
+{ }
 
 /** A default sink representing methods outputing data to an HTTP response. */
-private class DefaultInformationLeakSink extends InformationLeakSink {
-  DefaultInformationLeakSink() {
-    sinkNode(this, "information-leak") or
-    this instanceof XssSink
+private class DefaultInformationLeakSink extends AbstractInformationLeakSink {
+  DefaultInformationLeakSink() { sinkNode(this, "information-leak") }
+}
+
+/**
+ * A module for finding information-leak sinks faster in a diff-informed query.
+ * The `hasSourceInDiffRange` parameter should hold if the overall data-flow
+ * configuration of the query has any sources in the diff range.
+ */
+module InformationLeakDiffInformed<xssNullaryPredicate/0 hasSourceInDiffRange> {
+  final private class Node = DataFlow::Node;
+
+  /**
+   * A diff-informed replacement for the top-level `InformationLeakSink`,
+   * omitting for efficiency some sinks that would never be reported by a
+   * diff-informed query.
+   */
+  final class InformationLeakSink extends Node {
+    InformationLeakSink() {
+      this instanceof AbstractInformationLeakSink
+      or
+      this instanceof XssDiffInformed<hasSourceInDiffRange/0>::XssSink
+    }
   }
 }
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveDataExposureThroughErrorMessageQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveDataExposureThroughErrorMessageQuery.qll
@@ -20,7 +20,12 @@ private class GetMessageFlowSource extends ApiSourceNode {
 private module GetMessageFlowSourceToHttpResponseSinkFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof GetMessageFlowSource }
 
-  predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }
+  predicate isSink(DataFlow::Node sink) {
+    sink instanceof
+      InformationLeakDiffInformed<GetMessageFlowSourceToHttpResponseSinkFlow::hasSourceInDiffRange/0>::InformationLeakSink
+  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 private module GetMessageFlowSourceToHttpResponseSinkFlow =
diff --git a/java/ql/lib/semmle/code/java/security/StackTraceExposureQuery.qll b/java/ql/lib/semmle/code/java/security/StackTraceExposureQuery.qll
@@ -25,6 +25,14 @@ private module ServletWriterSourceToPrintStackTraceMethodFlowConfig implements D
       sink.asExpr() = ma.getAnArgument() and ma.getMethod() instanceof PrintStackTraceMethod
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(MethodCall ma | result = ma.getLocation() |
+      sink.asExpr() = ma.getAnArgument() and ma.getMethod() instanceof PrintStackTraceMethod
+    )
+  }
 }
 
 private module ServletWriterSourceToPrintStackTraceMethodFlow =
@@ -69,7 +77,16 @@ private predicate stackTraceExpr(Expr exception, MethodCall stackTraceString) {
 private module StackTraceStringToHttpResponseSinkFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { stackTraceExpr(_, src.asExpr()) }
 
-  predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }
+  predicate isSink(DataFlow::Node sink) {
+    sink instanceof
+      InformationLeakDiffInformed<StackTraceStringToHttpResponseSinkFlow::hasSourceInDiffRange/0>::InformationLeakSink
+  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    exists(Expr e | stackTraceExpr(e, source.asExpr()) and result = e.getLocation())
+  }
 }
 
 private module StackTraceStringToHttpResponseSinkFlow =
