
Java: Reduce DataFlow Configuration pollution from Random.qll and JexlInjection.qll #6203

Merged
smowton merged 6 commits into github:main from smowton:smowton/admin/avoid-config-imports-from-qlls
Jul 2, 2021

@smowton smowton commented Jul 1, 2021

This splits Random.qll, JexlInjection.qll and some of XSS.qll into parts used by queries and those imported by other libraries, in order to avoid bringing DataFlow::Configurations into scope except directly from a .ql file.

@smowton smowton requested a review from a team as a code owner July 1, 2021 16:30
@github-actions github-actions bot added the Java label Jul 1, 2021
aschackmull previously approved these changes Jul 2, 2021

Error: The following CodeQL elements are lacking documentation:
semmle/code/java/security/RandomQuery.qll  RandomQuery                          file
semmle/code/java/security/RandomQuery.qll  RandomQuery::PredictableSeedExpr     class
semmle/code/java/security/RandomQuery.qll  RandomQuery::ReturnsPredictableExpr  class
semmle/code/java/security/RandomQuery.qll  RandomQuery::ReturnsSystemTime       class
semmle/code/java/security/RandomQuery.qll  RandomQuery::unsafelySeeded/2        classless-predicate

@aschackmull aschackmull added the no-change-note-required label ("This PR does not need a change note") and removed the no-change-note-required label Jul 2, 2021
import semmle.code.java.security.JexlInjectionQuery
import TestUtilities.InlineExpectationsTest

class Conf extends TaintTracking::Configuration {

This configuration can be removed now, since the one in JexlInjectionQuery can be reused.

aschackmull previously approved these changes Jul 2, 2021
smowton added 6 commits July 2, 2021 10:00
This prevents bringing a dataflow config into scope from utility libraries.
This avoids a DataFlow2::Configuration being in scope for all queries via the import from ExternalFlow.qll
This removes one of the routes by which XSS.qll is always in scope, and so its dataflow configuration is too -- however it is still always in scope because JaxWS.qll imports it.
@smowton smowton force-pushed the smowton/admin/avoid-config-imports-from-qlls branch from 666d8d9 to a51154a Compare July 2, 2021 09:02
@smowton smowton merged commit 6823855 into github:main Jul 2, 2021