[Java] - Limiting Flows Based on Patterns #18050
Comments
The predicate

```java
URL url = new URL("http://auth.companyportal.com/auth?userId=" + userId + "&token=" + authToken);
```

... Note: in general it is best to avoid
Hello @aibaars, thank you for your response. I agree it is restrictive, and that there are many more ways that a URL can be constructed with query params. I am using this as a proof of concept and eventually plan to extend the For right now, I am confused as to why this query isn't picking up on the simple example that I am testing. Is it correct to do this in the where clause like I have? Or should it be done differently? For example, I tried switching my query to use Giving me
I haven't ever been able to get taint tracking to work without this error, which is why I use the Here is my query using this method for reference
That error means the path graph is missing. I think you need to add `import TaintedPathFlow::PathGraph`
Hi @aibaars, I tried
However, it says that it's not defined. I am using version 2.17, so I am not sure if it was recently added. However, I can't upgrade due to legacy queries. With that said, I almost have it working with Using
This means that indirect uses like this aren't detected.
I tried recursively traversing back up the flow path using the Recursive attempt.
Full query without recursion
Thank you for any help.
No, I think I just remembered it wrong. In one of the versions of the query it looks like you were missing
I guess what you really want is to find a path from a sensitive variable to a query parameter, and then another path from the query parameter to the URL connection sink. You can use flow labels for this: https://codeql.github.com/docs/codeql-language-guides/using-flow-labels-for-precise-data-flow-analysis/ . Another simpler solution you might want to try first is to use
Hello @aibaars, I don't believe that Java has flow labels. However, I think that flow state does the same thing. From how I understand it, this will restrict the overall flow to just flows that end up in every state, which sounds like what I am looking for. Below is my query adjusted to use flow state; however, I am not getting any results. I have confirmed that each individual flow step works correctly by breaking them into these smaller queries.
State 1: Verify Sources
State 2: Verify Intermediate Flows
State 3: Verify Sinks
Main Query
Thank you for your help.
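The flow-state approach suggested above, written out as an added example (not code from the issue author or from the CodeQL repository). It uses the module-based `DataFlow::StateConfigSig` / `TaintTracking::GlobalWithState` API, which I assume is available in CLI 2.17. The names `QueryParamConcat`, `rightmostLiteral` and `QueryParamTokenConfig` are mine, and two modelling assumptions are made for illustration: any read of a variable named `authToken` is the sensitive source, and the first argument of a `java.net.URL` constructor is the sink. A value only reaches the sink if it first passes through a `+` whose left-hand side ends in `?key=` or `&key=`, which is what separates `"...&token=" + authToken` from a plain `prefix + authToken`.

```ql
/**
 * @name Sensitive value flows into a URL query parameter
 * @kind path-problem
 * @id java/example/sensitive-value-in-url-query
 */

import java
import semmle.code.java.dataflow.TaintTracking

/**
 * Gets the rightmost string literal of a (possibly nested) `+` chain,
 * e.g. `"&token="` in `(base + "?userId=" + userId) + "&token="`.
 */
StringLiteral rightmostLiteral(Expr e) {
  result = e
  or
  result = rightmostLiteral(e.(AddExpr).getRightOperand())
}

/** A `+` whose left-hand side ends with a query-parameter key such as `?userId=` or `&token=`. */
class QueryParamConcat extends AddExpr {
  QueryParamConcat() {
    // Full-string regex: anything, then `?` or `&`, then a key, then `=` at the very end.
    rightmostLiteral(this.getLeftOperand()).getValue().regexpMatch(".*[?&][^=&]*=")
  }

  /** Gets the expression that becomes the query-parameter value. */
  Expr getParamValue() { result = this.getRightOperand() }
}

module QueryParamTokenConfig implements DataFlow::StateConfigSig {
  /** `"raw"`: the sensitive value itself; `"in-query"`: after it was appended as a parameter value. */
  class FlowState = string;

  predicate isSource(DataFlow::Node src, FlowState state) {
    state = "raw" and
    // Assumption for this example: a read of a variable named `authToken` is the sensitive source.
    src.asExpr().(VarAccess).getVariable().getName() = "authToken"
  }

  /** The only way to move from `"raw"` to `"in-query"` is through a query-parameter concatenation. */
  predicate isAdditionalFlowStep(
    DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
  ) {
    state1 = "raw" and
    state2 = "in-query" and
    exists(QueryParamConcat c | node1.asExpr() = c.getParamValue() and node2.asExpr() = c)
  }

  predicate isSink(DataFlow::Node sink, FlowState state) {
    // Only values that are already in the `"in-query"` state count at the sink.
    state = "in-query" and
    exists(ClassInstanceExpr cie |
      cie.getConstructedType().hasQualifiedName("java.net", "URL") and
      cie.getArgument(0) = sink.asExpr()
    )
  }
}

module Flow = TaintTracking::GlobalWithState<QueryParamTokenConfig>;

import Flow::PathGraph

from Flow::PathNode source, Flow::PathNode sink
where Flow::flowPath(source, sink)
select sink.getNode(), source, sink, "Sensitive value flows into a URL query parameter."
```

Because the default taint steps keep the state unchanged, a value that reaches `new URL(...)` without ever going through a `QueryParamConcat` stays in `"raw"` and is not reported, which is the false-positive case the issue describes. Extending `isSource` to the project's real source definition, or `isSink` to `URI`/`HttpURLConnection` constructors, does not change the state machine.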
Have you checked whether your
Hello @intrigus-lgtm, it won't let me do a quick eval on that predicate. However, I have tried to cover it here
I believe that the issue has something to do with this; maybe the flow from one of the states is not working as expected.
Hi @KylerKatzUH, I had a look at your filter predicate

```ql
predicate isValidQueryParamFlow(Flow::PathNode source, Flow::PathNode sink) {
  // `AddExpr` is the `+` operator itself, so there is no need to compare `getOp()` against a string
  exists(AddExpr be |
    // QL's `matches` uses SQL-style `%`/`_` wildcards; a Java-style regex needs `regexpMatch`
    be.getLeftOperand().toString().regexpMatch(".*\\?.*=.*") and // Ensure there is a `=` after `?`
    source.getNode().asExpr() = be.getRightOperand() and
    sink.getNode().asExpr() = be
  )
}
```

You mentioned that even without the regex it still doesn't provide results.
Also note that the See also:
Hello, I am trying to restrict flows to only include those that have a source flow that is used as a query parameter.
For example, say authToken is a source,
However, my current query is picking up false positives where the source isn't used as a query parameter but somehow reaches the sink. Such as a dummy example like this
To address this I added an `isValidQueryParamFlow` predicate to my query that matches based on `".*\\?.*=.*"`; however, this causes all of the expected detections to be removed. Even if I remove the regex, or relax the restrictions, there still aren't any results. I know the rest of the query is operating as it should, since I am getting the expected results without this check. So, I believe it is an issue with how I am performing this filtering. Here is my full query
Any help is appreciated, thank you,