Add cookie sinks

atorralba · atorralba · commit 3a5d711711c8 · 2023-12-13T11:15:27.000+01:00
diff --git a/java/ql/lib/semmle/code/java/frameworks/Netty.qll b/java/ql/lib/semmle/code/java/frameworks/Netty.qll
@@ -0,0 +1,23 @@
+/** Provides definitions related to the Netty framework. */
+
+import java
+
+/** The interface `Cookie` in the packages `io.netty.handler.codec.http` and `io.netty.handler.codec.http.cookie`. */
+class NettyCookie extends Interface {
+  NettyCookie() { this.hasQualifiedName("io.netty.handler.codec.http" + [".cookie", ""], "Cookie") }
+}
+
+/** The class `DefaultCookie` in the packages `io.netty.handler.codec.http` and `io.netty.handler.codec.http.cookie`. */
+class NettyDefaultCookie extends Class {
+  NettyDefaultCookie() {
+    this.hasQualifiedName("io.netty.handler.codec.http" + [".cookie", ""], "DefaultCookie")
+  }
+}
+
+/** The method `setValue` of the interface `Cookie` or a class implementing it. */
+class NettySetCookieValueMethod extends Method {
+  NettySetCookieValueMethod() {
+    this.getDeclaringType*() instanceof NettyCookie and
+    this.hasName("setValue")
+  }
+}
diff --git a/java/ql/lib/semmle/code/java/frameworks/Servlets.qll b/java/ql/lib/semmle/code/java/frameworks/Servlets.qll
@@ -244,7 +244,7 @@ class TypeCookie extends Class {
 }
 
 /**
- * The method `getValue(String)` declared in `javax.servlet.http.Cookie`.
+ * The method `getValue()` declared in `javax.servlet.http.Cookie`.
  */
 class CookieGetValueMethod extends Method {
   CookieGetValueMethod() {
@@ -254,6 +254,16 @@ class CookieGetValueMethod extends Method {
   }
 }
 
+/**
+ * The method `setValue(String)` declared in `javax.servlet.http.Cookie`.
+ */
+class CookieSetValueMethod extends Method {
+  CookieSetValueMethod() {
+    this.getDeclaringType() instanceof TypeCookie and
+    this.hasName("setValue")
+  }
+}
+
 /**
  * The method `getName()` declared in `javax.servlet.http.Cookie`.
  */
diff --git a/java/ql/lib/semmle/code/java/security/Cookies.qll b/java/ql/lib/semmle/code/java/security/Cookies.qll
@@ -0,0 +1,32 @@
+/** Provides definitions to reason about HTTP cookies. */
+
+import java
+private import semmle.code.java.frameworks.Netty
+private import semmle.code.java.frameworks.Servlets
+
+/** An expression setting the value of a cookie. */
+abstract class SetCookieValue extends Expr { }
+
+private class ServletSetCookieValue extends SetCookieValue {
+  ServletSetCookieValue() {
+    exists(Call c |
+      c.(ClassInstanceExpr).getConstructedType() instanceof TypeCookie and
+      this = c.getArgument(1)
+      or
+      c.(MethodCall).getMethod() instanceof CookieSetValueMethod and
+      this = c.getArgument(0)
+    )
+  }
+}
+
+private class NettySetCookieValue extends SetCookieValue {
+  NettySetCookieValue() {
+    exists(Call c |
+      c.(ClassInstanceExpr).getConstructedType() instanceof NettyDefaultCookie and
+      this = c.getArgument(1)
+      or
+      c.(MethodCall).getMethod() instanceof NettySetCookieValueMethod and
+      this = c.getArgument(0)
+    )
+  }
+}
diff --git a/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll
@@ -3,11 +3,12 @@
 import java
 private import semmle.code.java.frameworks.OpenSaml
 private import semmle.code.java.frameworks.Servlets
-private import semmle.code.java.security.SensitiveActions
-private import semmle.code.java.security.SensitiveApi
-private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.security.Cookies
 private import semmle.code.java.security.RandomQuery
+private import semmle.code.java.security.SensitiveActions
+private import semmle.code.java.security.SensitiveApi
 
 /**
  * A node representing a source of insecure randomness.
@@ -49,16 +50,7 @@ abstract class InsecureRandomnessSink extends DataFlow::Node { }
  * A node which sets the value of a cookie.
  */
 private class CookieSink extends InsecureRandomnessSink {
-  CookieSink() {
-    exists(Call c |
-      c.(ClassInstanceExpr).getConstructedType() instanceof TypeCookie and
-      this.asExpr() = c.getArgument(1)
-      or
-      c.(MethodCall).getMethod().getDeclaringType() instanceof TypeCookie and
-      c.(MethodCall).getMethod().hasName("setValue") and
-      this.asExpr() = c.getArgument(0)
-    )
-  }
+  CookieSink() { this.asExpr() instanceof SetCookieValue }
 }
 
 private class SensitiveActionSink extends InsecureRandomnessSink {
@@ -89,6 +81,17 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig {
       n1.asExpr() = mc.getArgument(0) and
       n2.asExpr() = mc
     )
+    or
+    // TODO: Once we have a default sanitizer for UUIDs, we can convert these to global summaries.
+    exists(Call c |
+      c.(ClassInstanceExpr).getConstructedType().hasQualifiedName("java.util", "UUID") and
+      n1.asExpr() = c.getAnArgument() and
+      n2.asExpr() = c
+      or
+      c.(MethodCall).getMethod().hasQualifiedName("java.util", "UUID", "toString") and
+      n1.asExpr() = c.getQualifier() and
+      n2.asExpr() = c
+    )
   }
 }
 
