Java: Remove local query variants. #16362
Conversation
This is great, thank you! 🎉
java/ql/src/change-notes/2024-05-01-remove-local-query-variants.md
LGTM!
I have not changed the java/tainted-permissions-check query. It is hardcoded to use UserInput as sources (both remote and local sources). Should it be considered to make this a threat model opt-in instead?
The query is so old that it probably predated remote flow sources and the old UserInput
class was used instead. So it probably would make sense to adapt it to threat models as well, but we can defer this decision and change it in another PR if you want.
Since this change is pretty impactful, maybe we should coordinate communication with @coadaflorin before merging/releasing.
@atorralba : Thank you for the review (and I agree with your comment) @coadaflorin : Last year we discussed the removal of local versions of the security queries. Now that threat models have been properly released and public documentation is available for enabling (the
We already announced when we released C# threat models that for some queries we removed the local sources, so I think it's fair that we follow up with this work. If someone manually included this query in their suite, what would they see?
In this PR we remove the local query variants.
The results from the queries can still be found by configuring threat models to also include local sources and using the non-local query variants.

Some notes to consider in terms of review:
- java/tainted-numeric-cast is not completely similar to java/tainted-numeric-cast-local; it appears that the difference in the where clause is coded into the sanitiser (but the local query variant was just not updated accordingly): Java: Move sink-constraints into the configuration in NumericCastTainted.ql. #10084
- java/http-response-splitting is not identical to java/http-response-splitting-local, but it looks like a missing implementation detail on Java: Introduce a common sanitizer type for types which cannot realistically carry taint. #15291
- java/unvalidated-url-redirection is not identical to java/unvalidated-url-redirection-local, but it looks like a missing implementation detail on Java: Add extension point and default sanitizer to Open Redirect query #15565
- java/command-line-injection
  that both local and remote sources are included (maybe it is because both these data flow configurations are in the same QL lib, but this is not the case for the other local vs non-local query modules).
- I have not changed the java/tainted-permissions-check query. It is hardcoded to use UserInput as sources (both remote and local sources). Should it be considered to make this a threat model opt-in instead?
- There are still some experimental queries where there exist a local and a non-local query variant.

Comments to the DCA experiment:
DCA was run on the nightly source suite and the security extended query suite; for variant v0 the threat model configuration was the default (remote sources) and for variant v1 the threat model configuration was set to remote and local. In v0 only remote sources are included and in v1 both remote and local sources are included for queries that have opted in to threat models.
java/concatenated-command-line and java/concatenated-sql-query. This is not surprising as java/concatenated-command-line excludes all findings by java/command-line-injection (which shows an increase in findings) and java/concatenated-sql-query excludes all findings by java/sql-injection (which also shows an increase in findings).
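As an added illustration (not part of this PR or of the CodeQL repository): the description says the results of the removed local variants can still be obtained by configuring threat models to include local sources and running the non-local query variant. The configuration below is a constructed code scanning configuration file for CodeQL advanced setup; it assumes the documented `threat-models` key, and the file name and suite choice are the example's own.

```yaml
# codeql-config.yml (constructed example; assumes the documented threat-models key)
name: "Security extended with local sources"

# Run the same suite the DCA experiment used.
queries:
  - uses: security-extended

# Opt in to the "local" threat model in addition to the default "remote" one.
# Queries that have opted in to threat models (e.g. java/command-line-injection)
# then also report flow from local sources such as files, environment
# variables and command-line arguments, which is what the removed
# *-local query variants used to cover. The weak setting here would be
# omitting this key, which leaves only remote sources enabled.
threat-models:
  - local
```

For a command-line run rather than advanced setup, the same opt-in is assumed to be available through the threat-model option of `codeql database analyze`; without either, the analysis keeps the v0 behaviour from the DCA experiment (remote sources only).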