V1 Bombs

Author: am0o0

java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/ApacheCommonsUploadFile.ql

@@ -0,0 +1,31 @@
+/**
+ * @name Unsafe file write from a remotely provided path.
+ * @description using apache commons upload file write sink is dangerous without sanitization
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/unsafe-file-write
+ * @tags security
+ *       experimental
+ */
+
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.FlowSources
+import RemoteSource
+
+module ApacheCommonsUploadFileConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof FormRemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() = any(ApacheCommonsFileUpload::DangerousSink::FileWriteSink s).getAPathArgument()
+  }
+}
+
+module BombsFlow = TaintTracking::Global<ApacheCommonsUploadFileConfig>;
+
+import BombsFlow::PathGraph
+
+from BombsFlow::PathNode source, BombsFlow::PathNode sink
+where BombsFlow::flowPath(source, sink)
+select sink.getNode(), source, sink, "This file extraction depends on a $@.", source.getNode(),
+  "potentially untrusted source"

java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/CommandLineSource.qll

@@ -0,0 +1,187 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+
+abstract class CLIFlowSource extends DataFlow::Node { }
+
+Field childFiled(RefType rt) {
+  not result.getType() instanceof PrimitiveType and
+  not result.getType() instanceof BoxedType and
+  (
+    result.getDeclaringType() = rt or
+    result.getDeclaringType() = childFiled(result.getDeclaringType()).getType()
+  )
+}
+
+module CommonsCLI {
+  class TypeCommandLine extends RefType {
+    TypeCommandLine() {
+      this.getAStrictAncestor*().hasQualifiedName("org.apache.commons.cli", "CommandLine")
+    }
+  }
+
+  class TypeOption extends RefType {
+    TypeOption() { this.getAStrictAncestor*().hasQualifiedName("org.apache.commons.cli", "Option") }
+  }
+
+  class OptionValue extends CLIFlowSource {
+    OptionValue() {
+      exists(MethodAccess ma |
+        ma.getCallee().getDeclaringType() instanceof TypeOption and
+        ma.getCallee().hasName(["getValue", "getValues", "getValuesList"]) and
+        this.asExpr() = ma
+      )
+    }
+  }
+
+  class CommandLine extends CLIFlowSource {
+    CommandLine() {
+      exists(MethodAccess ma |
+        ma.getCallee().getDeclaringType() instanceof TypeCommandLine and
+        ma.getCallee()
+            .hasName(["getArgs", "getArgList", "getOptionValue", "getOptionValues", "getArgs"]) and
+        this.asExpr() = ma
+      )
+    }
+  }
+}
+
+module Args4j {
+  class TypeCmdLineParser extends RefType {
+    TypeCmdLineParser() {
+      // classes of ArgumentParser interface like `SubParser`
+      this.getAStrictAncestor*().hasQualifiedName("org.kohsuke.args4j", "CmdLineParser")
+    }
+  }
+
+  class CommandLine extends CLIFlowSource {
+    CommandLine() {
+      exists(Call c, ClassInstanceExpr cie, Field f |
+        c.getCallee().getDeclaringType() instanceof TypeCmdLineParser and
+        DataFlow::localExprFlow(cie, c.getArgument(0)) and
+        f.getDeclaringType() = cie.getType() and
+        (
+          this.asExpr() = f.getAnAccess()
+          or
+          this.asExpr() = childFiled(f.getType()).getAnAccess()
+        )
+      )
+    }
+  }
+}
+
+module Jcommander {
+  class TypeBuilder extends RefType {
+    TypeBuilder() {
+      // classes of ArgumentParser interface like `SubParser`
+      this.getAStrictAncestor*().hasQualifiedName("com.beust.jcommander", "JCommander$Builder")
+    }
+  }
+
+  class CommandLine extends CLIFlowSource {
+    CommandLine() {
+      exists(Call c, ClassInstanceExpr cie, Field f |
+        c.getCallee().getDeclaringType() instanceof TypeBuilder and
+        DataFlow::localExprFlow(cie, c.getArgument(0)) and
+        f.getDeclaringType() = cie.getType() and
+        (
+          this.asExpr() = f.getAnAccess()
+          or
+          this.asExpr() = childFiled(f.getType()).getAnAccess()
+        )
+      )
+    }
+  }
+}
+
+module Picocli {
+  class TypeCommandLine extends RefType {
+    TypeCommandLine() {
+      // classes of ArgumentParser interface like `SubParser`
+      this.getAStrictAncestor*().hasQualifiedName("picocli", "CommandLine")
+    }
+  }
+
+  class GetCallResult extends CLIFlowSource {
+    GetCallResult() {
+      exists(MethodAccess ma |
+        ma.getCallee().getDeclaringType() instanceof TypeCommandLine and
+        ma.getCallee().hasName("getExecutionResult") and
+        this.asExpr() = ma
+      )
+    }
+  }
+
+  class Execute extends CLIFlowSource {
+    Execute() {
+      exists(MethodAccess ma, ClassInstanceExpr cie, Field f |
+        ma.getCallee().getDeclaringType() instanceof TypeCommandLine and
+        ma.getCallee().hasName("populateCommand") and
+        DataFlow::localExprFlow(cie, ma.getArgument(0)) and
+        f.getDeclaringType() = cie.getType() and
+        (
+          this.asExpr() = f.getAnAccess()
+          or
+          this.asExpr() = childFiled(f.getType()).getAnAccess()
+        )
+      )
+    }
+  }
+
+  class CommandLine extends CLIFlowSource {
+    CommandLine() {
+      exists(Call c, ClassInstanceExpr cie, Field f |
+        c.getCallee().getDeclaringType() instanceof TypeCommandLine and
+        DataFlow::localExprFlow(cie, c.getArgument(0)) and
+        f.getDeclaringType() = cie.getType() and
+        (
+          this.asExpr() = f.getAnAccess()
+          or
+          this.asExpr() = childFiled(f.getType()).getAnAccess()
+        )
+      )
+    }
+  }
+}
+
+module ArgParse4j {
+  class TypeArgumentParser extends RefType {
+    TypeArgumentParser() {
+      // classes of ArgumentParser interface like `SubParser`
+      this.getAStrictAncestor*()
+          .hasQualifiedName("net.sourceforge.argparse4j.inf", "ArgumentParser")
+    }
+  }
+
+  class TypeNamespace extends RefType {
+    TypeNamespace() {
+      this.getAStrictAncestor*().hasQualifiedName("net.sourceforge.argparse4j.inf", "Namespace")
+    }
+  }
+
+  class ParseArgsReturnValue extends CLIFlowSource {
+    ParseArgsReturnValue() {
+      exists(MethodAccess ma |
+        ma.getReceiverType() instanceof TypeNamespace and
+        ma.getCallee().hasName(["getString", "getList", "toString", "getByte", "get", "getAttrs"]) and
+        this.asExpr() = ma
+      )
+    }
+  }
+
+  class ParseArgsSecondArg extends CLIFlowSource {
+    ParseArgsSecondArg() {
+      exists(MethodAccess ma, ClassInstanceExpr cie, Field f |
+        ma.getReceiverType() instanceof TypeArgumentParser and
+        ma.getCallee().hasName(["parseArgs"]) and
+        ma.getNumArgument() = 2 and
+        DataFlow::localExprFlow(cie, ma.getArgument(1)) and
+        f.getDeclaringType() = cie.getType() and
+        (
+          this.asExpr() = f.getAnAccess()
+          or
+          this.asExpr() = childFiled(f.getType()).getAnAccess()
+        )
+      )
+    }
+  }
+}

java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.qhelp

@@ -0,0 +1,38 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Extracting Compressed files with any compression algorithm like gzip can cause to denial of service attacks.</p>
+<p>Attackers can compress a huge file which created by repeated similiar byte and convert it to a small compressed file.</p>
+
+</overview>
+<recommendation>
+
+<p>When you want to decompress a user-provided compressed file you must be careful about the decompression ratio or read these files within a loop byte by byte to be able to manage the decompressed size in each cycle of the loop.</p>
+
+</recommendation>
+<example>
+
+<p>
+Reading uncompressed ZipFile within a loop and check for a Threshold size in each cycle.
+</p>
+<sample src="example_good.java"/>
+
+<p>
+An Unsafe Approach can be this example which we don't check for uncompressed size.
+</p>
+<sample src="example_bad.java" />
+
+</example>
+<references>
+
+<li>
+<a href="https://github.com/advisories/GHSA-47vx-fqr5-j2gw">CVE-2022-4565</a>
+</li>
+<li>
+<a href="https://www.bamsoftware.com/hacks/zipbomb/">A great research to gain more impact by this kind of attacks</a>
+</li>
+
+</references>
+</qhelp>