Java: apply query alert restrictions

Author: cklin

java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll

@@ -36,7 +36,8 @@ abstract class Storable extends Call {
   abstract Expr getAStore();
 }
 
-private module SensitiveSourceFlowConfig implements DataFlow::ConfigSig {
+/** Flow configuration for sensitive data flowing into cleartext storage. */
+module SensitiveSourceFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SensitiveExpr }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CleartextStorageSink }

java/ql/lib/semmle/code/java/security/StackTraceExposureQuery.qll

@@ -7,7 +7,7 @@ private import semmle.code.java.security.InformationLeak
 /**
  * One of the `printStackTrace()` overloads on `Throwable`.
  */
-private class PrintStackTraceMethod extends Method {
+class PrintStackTraceMethod extends Method {
   PrintStackTraceMethod() {
     this.getDeclaringType()
         .getSourceDeclaration()
@@ -17,7 +17,11 @@ private class PrintStackTraceMethod extends Method {
   }
 }
 
-private module ServletWriterSourceToPrintStackTraceMethodFlowConfig implements DataFlow::ConfigSig {
+/**
+ * Flow configuration for xss vulnerable writer source flowing to `Throwable.printStackTrace()` on
+ * a stream that is connected to external output.
+ */
+module ServletWriterSourceToPrintStackTraceMethodFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof XssVulnerableWriterSourceNode }
 
   predicate isSink(DataFlow::Node sink) {
@@ -55,7 +59,10 @@ private predicate printWriterOnStringWriter(Expr printWriter, Variable stringWri
   )
 }
 
-private predicate stackTraceExpr(Expr exception, MethodCall stackTraceString) {
+/**
+ * Holds if `stackTraceString` writes the stack trace from `exception` to a string.
+ */
+predicate stackTraceExpr(Expr exception, MethodCall stackTraceString) {
   exists(Expr printWriter, Variable stringWriterVar, MethodCall printStackCall |
     printWriterOnStringWriter(printWriter, stringWriterVar) and
     printStackCall.getMethod() instanceof PrintStackTraceMethod and
@@ -66,7 +73,8 @@ private predicate stackTraceExpr(Expr exception, MethodCall stackTraceString) {
   )
 }
 
-private module StackTraceStringToHttpResponseSinkFlowConfig implements DataFlow::ConfigSig {
+/** Flow configuration for stack trace flowing to http response. */
+module StackTraceStringToHttpResponseSinkFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { stackTraceExpr(_, src.asExpr()) }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }

java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll

@@ -334,7 +334,7 @@ deprecated class UnsafeDeserializationConfig extends TaintTracking::Configuratio
 }
 
 /** Tracks flows from remote user input to a deserialization sink. */
-private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
+module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink }

java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql

@@ -35,6 +35,7 @@ Variable getVariable(Expr dest) {
 
 from DangerousAssignOpExpr a, Expr e, Top v
 where
+  AlertFiltering::filterByLocation(a.getLocation()) and
   e = a.getSource() and
   problematicCasting(a.getDest().getType(), e) and
   (

java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql

@@ -12,6 +12,7 @@
  *       external/cwe/cwe-020
  */
 
+private import semmle.code.java.AlertFiltering
 private import semmle.code.java.regex.RegexTreeView::RegexTreeView as TreeView
 import codeql.regex.OverlyLargeRangeQuery::Make<TreeView>
 
@@ -22,6 +23,7 @@ TreeView::RegExpCharacterClass potentialMisparsedCharClass() {
 
 from TreeView::RegExpCharacterRange range, string reason
 where
+  AlertFiltering::filterByLocation(range.getLocation()) and
   problem(range, reason) and
   not range.getParent() = potentialMisparsedCharClass()
 select range, "Suspicious character range that " + reason + "."

java/ql/src/Security/CWE/CWE-022/TaintedPath.ql

@@ -16,6 +16,10 @@
 import java
 import semmle.code.java.security.PathCreation
 import semmle.code.java.security.TaintedPathQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module TaintedPathFlow = TaintTracking::Global<FilteredConfig<TaintedPathConfig>>;
+
 import TaintedPathFlow::PathGraph
 
 from TaintedPathFlow::PathNode source, TaintedPathFlow::PathNode sink

java/ql/src/Security/CWE/CWE-022/ZipSlip.ql

@@ -14,6 +14,10 @@
 
 import java
 import semmle.code.java.security.ZipSlipQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module ZipSlipFlow = TaintTracking::Global<FilteredConfig<ZipSlipConfig>>;
+
 import ZipSlipFlow::PathGraph
 
 from ZipSlipFlow::PathNode source, ZipSlipFlow::PathNode sink

java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql

@@ -11,6 +11,11 @@
  */
 
 import semmle.code.java.security.PartialPathTraversalQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module PartialPathTraversalFromRemoteFlow =
+  TaintTracking::Global<FilteredConfig<PartialPathTraversalFromRemoteConfig>>;
+
 import PartialPathTraversalFromRemoteFlow::PathGraph
 
 from

java/ql/src/Security/CWE/CWE-074/JndiInjection.ql

@@ -13,6 +13,10 @@
 
 import java
 import semmle.code.java.security.JndiInjectionQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module JndiInjectionFlow = TaintTracking::Global<FilteredConfig<JndiInjectionFlowConfig>>;
+
 import JndiInjectionFlow::PathGraph
 
 from JndiInjectionFlow::PathNode source, JndiInjectionFlow::PathNode sink

java/ql/src/Security/CWE/CWE-074/XsltInjection.ql

@@ -13,6 +13,10 @@
 
 import java
 import semmle.code.java.security.XsltInjectionQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module XsltInjectionFlow = TaintTracking::Global<FilteredConfig<XsltInjectionFlowConfig>>;
+
 import XsltInjectionFlow::PathGraph
 
 from XsltInjectionFlow::PathNode source, XsltInjectionFlow::PathNode sink

java/ql/src/Security/CWE/CWE-078/ExecTainted.ql

@@ -14,8 +14,21 @@
 
 import java
 import semmle.code.java.security.CommandLineQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+private import semmle.code.java.dataflow.TaintTracking
+
+module InputToArgumentToExecFlow =
+  TaintTracking::Global<FilteredConfig<InputToArgumentToExecFlowConfig>>;
+
 import InputToArgumentToExecFlow::PathGraph
 
+predicate execIsTainted(
+  InputToArgumentToExecFlow::PathNode source, InputToArgumentToExecFlow::PathNode sink, Expr execArg
+) {
+  InputToArgumentToExecFlow::flowPath(source, sink) and
+  argumentToExec(execArg, sink.getNode())
+}
+
 from
   InputToArgumentToExecFlow::PathNode source, InputToArgumentToExecFlow::PathNode sink, Expr execArg
 where execIsTainted(source, sink, execArg)

java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql

@@ -47,6 +47,7 @@ predicate builtFromUncontrolledConcat(Expr expr) {
 
 from StringArgumentToExec argument
 where
+  AlertFiltering::filterByLocation(argument.getLocation()) and
   builtFromUncontrolledConcat(argument) and
   not execIsTainted(_, _, argument)
 select argument, "Command line is built with string concatenation."

java/ql/src/Security/CWE/CWE-079/XSS.ql

@@ -13,6 +13,10 @@
 
 import java
 import semmle.code.java.security.XssQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module XssFlow = TaintTracking::Global<FilteredConfig<XssConfig>>;
+
 import XssFlow::PathGraph
 
 from XssFlow::PathNode source, XssFlow::PathNode sink

java/ql/src/Security/CWE/CWE-089/SqlTainted.ql

@@ -15,8 +15,18 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.SqlInjectionQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module QueryInjectionFlow = TaintTracking::Global<FilteredConfig<QueryInjectionFlowConfig>>;
+
 import QueryInjectionFlow::PathGraph
 
+predicate queryIsTaintedBy(
+  QueryInjectionSink query, QueryInjectionFlow::PathNode source, QueryInjectionFlow::PathNode sink
+) {
+  QueryInjectionFlow::flowPath(source, sink) and sink.getNode() = query
+}
+
 from
   QueryInjectionSink query, QueryInjectionFlow::PathNode source, QueryInjectionFlow::PathNode sink
 where queryIsTaintedBy(query, source, sink)

java/ql/src/Security/CWE/CWE-090/LdapInjection.ql

@@ -14,6 +14,10 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.LdapInjectionQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module LdapInjectionFlow = TaintTracking::Global<FilteredConfig<LdapInjectionFlowConfig>>;
+
 import LdapInjectionFlow::PathGraph
 
 from LdapInjectionFlow::PathNode source, LdapInjectionFlow::PathNode sink

java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql

@@ -13,6 +13,10 @@
 
 import java
 import semmle.code.java.security.GroovyInjectionQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module GroovyInjectionFlow = TaintTracking::Global<FilteredConfig<GroovyInjectionConfig>>;
+
 import GroovyInjectionFlow::PathGraph
 
 from GroovyInjectionFlow::PathNode source, GroovyInjectionFlow::PathNode sink

java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql

@@ -12,6 +12,10 @@
 
 import java
 import semmle.code.java.security.InsecureBeanValidationQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module BeanValidationFlow = TaintTracking::Global<FilteredConfig<BeanValidationConfig>>;
+
 import BeanValidationFlow::PathGraph
 
 from BeanValidationFlow::PathNode source, BeanValidationFlow::PathNode sink

java/ql/src/Security/CWE/CWE-094/JexlInjection.ql

@@ -13,6 +13,10 @@
 
 import java
 import semmle.code.java.security.JexlInjectionQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module JexlInjectionFlow = TaintTracking::Global<FilteredConfig<JexlInjectionConfig>>;
+
 import JexlInjectionFlow::PathGraph
 
 from JexlInjectionFlow::PathNode source, JexlInjectionFlow::PathNode sink

java/ql/src/Security/CWE/CWE-094/MvelInjection.ql

@@ -13,6 +13,10 @@
 
 import java
 import semmle.code.java.security.MvelInjectionQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module MvelInjectionFlow = TaintTracking::Global<FilteredConfig<MvelInjectionFlowConfig>>;
+
 import MvelInjectionFlow::PathGraph
 
 from MvelInjectionFlow::PathNode source, MvelInjectionFlow::PathNode sink

java/ql/src/Security/CWE/CWE-094/SpelInjection.ql

@@ -13,7 +13,11 @@
 
 import java
 import semmle.code.java.security.SpelInjectionQuery
-import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module SpelInjectionFlow = TaintTracking::Global<FilteredConfig<SpelInjectionConfig>>;
+
 import SpelInjectionFlow::PathGraph
 
 from SpelInjectionFlow::PathNode source, SpelInjectionFlow::PathNode sink

java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql

@@ -13,6 +13,10 @@
 
 import java
 import semmle.code.java.security.TemplateInjectionQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module TemplateInjectionFlow = TaintTracking::Global<FilteredConfig<TemplateInjectionFlowConfig>>;
+
 import TemplateInjectionFlow::PathGraph
 
 from TemplateInjectionFlow::PathNode source, TemplateInjectionFlow::PathNode sink

java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql

@@ -93,4 +93,5 @@ private class InsecureDefaultFullHttpRequestClassInstantiation extends RequestSp
 }
 
 from InsecureNettyObjectCreation new
+where AlertFiltering::filterByLocation(new.getLocation())
 select new, new.splittingType() + " vulnerability due to header value verification being disabled."

java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql

@@ -13,6 +13,10 @@
 
 import java
 import semmle.code.java.security.ResponseSplittingQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module ResponseSplittingFlow = TaintTracking::Global<FilteredConfig<ResponseSplittingConfig>>;
+
 import ResponseSplittingFlow::PathGraph
 
 from ResponseSplittingFlow::PathNode source, ResponseSplittingFlow::PathNode sink

java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql

@@ -13,6 +13,11 @@
 
 import java
 import semmle.code.java.security.StaticInitializationVectorQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module StaticInitializationVectorFlow =
+  TaintTracking::Global<FilteredConfig<StaticInitializationVectorConfig>>;
+
 import StaticInitializationVectorFlow::PathGraph
 
 from StaticInitializationVectorFlow::PathNode source, StaticInitializationVectorFlow::PathNode sink

java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql

@@ -11,8 +11,14 @@
  */
 
 import java
+import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.ExternallyControlledFormatStringQuery
 import semmle.code.java.StringFormat
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module ExternallyControlledFormatStringFlow =
+  TaintTracking::Global<FilteredConfig<ExternallyControlledFormatStringConfig>>;
+
 import ExternallyControlledFormatStringFlow::PathGraph
 
 from

java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql

@@ -15,7 +15,35 @@
 
 import java
 import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.StackTraceExposureQuery
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+private module ServletWriterSourceToPrintStackTraceMethodFlow =
+  TaintTracking::Global<FilteredConfig<ServletWriterSourceToPrintStackTraceMethodFlowConfig>>;
+
+private predicate printsStackToWriter(MethodCall call) {
+  exists(PrintStackTraceMethod printStackTrace |
+    call.getMethod() = printStackTrace and
+    ServletWriterSourceToPrintStackTraceMethodFlow::flowToExpr(call.getAnArgument())
+  )
+}
+
+predicate printsStackExternally(MethodCall call, Expr stackTrace) {
+  printsStackToWriter(call) and
+  call.getQualifier() = stackTrace and
+  not call.getQualifier() instanceof SuperAccess
+}
+
+private module StackTraceStringToHttpResponseSinkFlow =
+  TaintTracking::Global<FilteredConfig<StackTraceStringToHttpResponseSinkFlowConfig>>;
+
+predicate stringifiedStackFlowsExternally(DataFlow::Node externalExpr, Expr stackTrace) {
+  exists(MethodCall stackTraceString |
+    stackTraceExpr(stackTrace, stackTraceString) and
+    StackTraceStringToHttpResponseSinkFlow::flow(DataFlow::exprNode(stackTraceString), externalExpr)
+  )
+}
 
 from Expr externalExpr, Expr errorInformation
 where

java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql

@@ -14,7 +14,12 @@
 
 import java
 import semmle.code.java.security.IntentUriPermissionManipulationQuery
-import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.dataflow.DataFlowFiltering
+
+module IntentUriPermissionManipulationFlow =
+  TaintTracking::Global<FilteredConfig<IntentUriPermissionManipulationConfig>>;
+
 import IntentUriPermissionManipulationFlow::PathGraph
 
 from

java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql

@@ -14,5 +14,7 @@ import java
 import semmle.code.java.security.AndroidLocalAuthQuery
 
 from AuthenticationSuccessCallback c
-where not exists(c.getAResultUse())
+where
+  AlertFiltering::filterByLocation(c.getLocation()) and
+  not exists(c.getAResultUse())
 select c, "This authentication callback does not use its result for a cryptographic operation."

java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql

@@ -14,5 +14,7 @@ import java
 import semmle.code.java.security.AndroidWebViewCertificateValidationQuery
 
 from OnReceivedSslErrorMethod m
-where trustsAllCerts(m)
+where
+  AlertFiltering::filterByLocation(m.getLocation()) and
+  trustsAllCerts(m)
 select m, "This handler accepts all SSL certificates."