From bd7de83aab8af020b7e7d7f668b70d3fe832de0f Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Thu, 19 Oct 2023 17:07:26 -0400 Subject: [PATCH 01/11] Use extension packs for threat models --- codeql-workspace.yml | 2 +- java/ql/lib/qlpack.yml | 2 +- java/ql/lib/semmle/code/java/dataflow/FlowSources.qll | 2 +- .../dataflow/threat-models/threat-models1.ql | 4 ++-- .../dataflow/threat-models/threat-models2.ql | 4 ++-- shared/threat-models-ext/android/qlpack.yml | 10 ++++++++++ shared/threat-models-ext/android/threat.model.yml | 7 +++++++ shared/threat-models-ext/local/qlpack.yml | 10 ++++++++++ shared/threat-models-ext/local/threat.model.yml | 7 +++++++ .../threat-models/codeql/threatmodels/ThreatModels.qll | 4 +--- .../ext}/supported-threat-models.model.yml | 2 +- .../threat-models/ext}/threat-model-grouping.model.yml | 2 +- shared/threat-models/qlpack.yml | 6 ++++++ 13 files changed, 50 insertions(+), 12 deletions(-) create mode 100644 shared/threat-models-ext/android/qlpack.yml create mode 100644 shared/threat-models-ext/android/threat.model.yml create mode 100644 shared/threat-models-ext/local/qlpack.yml create mode 100644 shared/threat-models-ext/local/threat.model.yml rename java/ql/lib/semmle/code/java/dataflow/ExternalFlowConfiguration.qll => shared/threat-models/codeql/threatmodels/ThreatModels.qll (90%) rename {java/ql/lib/ext/threatmodels => shared/threat-models/ext}/supported-threat-models.model.yml (81%) rename {java/ql/lib/ext/threatmodels => shared/threat-models/ext}/threat-model-grouping.model.yml (93%) create mode 100644 shared/threat-models/qlpack.yml diff --git a/codeql-workspace.yml b/codeql-workspace.yml index 2d86498cbeae..03f5866a0c28 100644 --- a/codeql-workspace.yml +++ b/codeql-workspace.yml 
@@ -6,7 +6,7 @@ provide: - "*/ql/consistency-queries/qlpack.yml" - "*/ql/automodel/src/qlpack.yml" - "*/ql/automodel/test/qlpack.yml" - - "shared/*/qlpack.yml" + - "shared/**/qlpack.yml" - "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml" - "go/ql/config/legacy-support/qlpack.yml" - "go/build/codeql-extractor-go/codeql-extractor.yml" diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml index eef8bc66fe1c..67777a88a936 100644 --- a/java/ql/lib/qlpack.yml +++ b/java/ql/lib/qlpack.yml @@ -9,6 +9,7 @@ dependencies: codeql/dataflow: ${workspace} codeql/mad: ${workspace} codeql/regex: ${workspace} + codeql/threat-models: ${workspace} codeql/tutorial: ${workspace} codeql/typetracking: ${workspace} codeql/util: ${workspace} @@ -16,5 +17,4 @@ dataExtensions: - ext/*.model.yml - ext/generated/*.model.yml - ext/experimental/*.model.yml - - ext/threatmodels/*.model.yml warnOnImplicitThis: true diff --git a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll index d135db168318..9e141c323f5d 100644 --- a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll +++ b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll @@ -29,7 +29,7 @@ import semmle.code.java.frameworks.struts.StrutsActions import semmle.code.java.frameworks.Thrift import semmle.code.java.frameworks.javaee.jsf.JSFRenderer private import semmle.code.java.dataflow.ExternalFlow -private import semmle.code.java.dataflow.ExternalFlowConfiguration +private import codeql.threatmodels.ThreatModels /** * A data flow source. diff --git a/java/ql/test/library-tests/dataflow/threat-models/threat-models1.ql b/java/ql/test/library-tests/dataflow/threat-models/threat-models1.ql index dd8ed512f528..89d95e3ca950 100644 --- a/java/ql/test/library-tests/dataflow/threat-models/threat-models1.ql +++ b/java/ql/test/library-tests/dataflow/threat-models/threat-models1.ql 
@@ -1,5 +1,5 @@ -import semmle.code.java.dataflow.ExternalFlowConfiguration as ExternalFlowConfiguration +import codeql.threatmodels.ThreatModels as ThreatModels query predicate supportedThreatModels(string kind) { - ExternalFlowConfiguration::currentThreatModel(kind) + ThreatModels::currentThreatModel(kind) } diff --git a/java/ql/test/library-tests/dataflow/threat-models/threat-models2.ql b/java/ql/test/library-tests/dataflow/threat-models/threat-models2.ql index dd8ed512f528..89d95e3ca950 100644 --- a/java/ql/test/library-tests/dataflow/threat-models/threat-models2.ql +++ b/java/ql/test/library-tests/dataflow/threat-models/threat-models2.ql @@ -1,5 +1,5 @@ -import semmle.code.java.dataflow.ExternalFlowConfiguration as ExternalFlowConfiguration +import codeql.threatmodels.ThreatModels as ThreatModels query predicate supportedThreatModels(string kind) { - ExternalFlowConfiguration::currentThreatModel(kind) + ThreatModels::currentThreatModel(kind) } diff --git a/shared/threat-models-ext/android/qlpack.yml b/shared/threat-models-ext/android/qlpack.yml new file mode 100644 index 000000000000..41e2ee7d642e --- /dev/null +++ b/shared/threat-models-ext/android/qlpack.yml @@ -0,0 +1,10 @@ +name: codeql/threat-android +version: 0.0.0-dev +groups: + - shared + - threat-models +library: true +dataExtensions: + - "*.model.yml" +extensionTargets: + codeql/threat-models: ${workspace} diff --git a/shared/threat-models-ext/android/threat.model.yml b/shared/threat-models-ext/android/threat.model.yml new file mode 100644 index 000000000000..38d302d5ffff --- /dev/null +++ b/shared/threat-models-ext/android/threat.model.yml @@ -0,0 +1,7 @@ +extensions: + + - addsTo: + pack: codeql/threat-models + extensible: supportedThreatModels + data: + - ["android"] diff --git a/shared/threat-models-ext/local/qlpack.yml b/shared/threat-models-ext/local/qlpack.yml new file mode 100644 index 000000000000..87c48bee1a9e --- /dev/null +++ b/shared/threat-models-ext/local/qlpack.yml 
@@ -0,0 +1,10 @@ +name: codeql/threat-local +version: 0.0.0-dev +groups: + - shared + - threat-models +library: true +dataExtensions: + - "*.model.yml" +extensionTargets: + codeql/threat-models: ${workspace} diff --git a/shared/threat-models-ext/local/threat.model.yml b/shared/threat-models-ext/local/threat.model.yml new file mode 100644 index 000000000000..31d66935392c --- /dev/null +++ b/shared/threat-models-ext/local/threat.model.yml @@ -0,0 +1,7 @@ +extensions: + + - addsTo: + pack: codeql/threat-models + extensible: supportedThreatModels + data: + - ["local"] diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlowConfiguration.qll b/shared/threat-models/codeql/threatmodels/ThreatModels.qll similarity index 90% rename from java/ql/lib/semmle/code/java/dataflow/ExternalFlowConfiguration.qll rename to shared/threat-models/codeql/threatmodels/ThreatModels.qll index 0331da2477fe..96ba95a800a4 100644 --- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlowConfiguration.qll +++ b/shared/threat-models/codeql/threatmodels/ThreatModels.qll @@ -5,12 +5,10 @@ * are applicable to generic queries. */ -private import ExternalFlowExtensions - /** * Holds if the specified kind of source model is supported for the current query. */ -extensible private predicate supportedThreatModels(string kind); +extensible predicate supportedThreatModels(string kind); /** * Holds if the specified kind of source model is containted within the specified group. diff --git a/java/ql/lib/ext/threatmodels/supported-threat-models.model.yml b/shared/threat-models/ext/supported-threat-models.model.yml similarity index 81% rename from java/ql/lib/ext/threatmodels/supported-threat-models.model.yml rename to shared/threat-models/ext/supported-threat-models.model.yml index 8c6c533228d5..5d56ab1adf49 100644 --- a/java/ql/lib/ext/threatmodels/supported-threat-models.model.yml +++ b/shared/threat-models/ext/supported-threat-models.model.yml 
@@ -1,7 +1,7 @@ extensions: - addsTo: - pack: codeql/java-all + pack: codeql/threat-models extensible: supportedThreatModels data: - ["default"] # The "default" threat model is always included. diff --git a/java/ql/lib/ext/threatmodels/threat-model-grouping.model.yml b/shared/threat-models/ext/threat-model-grouping.model.yml similarity index 93% rename from java/ql/lib/ext/threatmodels/threat-model-grouping.model.yml rename to shared/threat-models/ext/threat-model-grouping.model.yml index 1eb334b67e70..53107c1e32bc 100644 --- a/java/ql/lib/ext/threatmodels/threat-model-grouping.model.yml +++ b/shared/threat-models/ext/threat-model-grouping.model.yml @@ -1,7 +1,7 @@ extensions: - addsTo: - pack: codeql/java-all + pack: codeql/threat-models extensible: threatModelGrouping data: # Default threat model diff --git a/shared/threat-models/qlpack.yml b/shared/threat-models/qlpack.yml new file mode 100644 index 000000000000..0023befd76c0 --- /dev/null +++ b/shared/threat-models/qlpack.yml @@ -0,0 +1,6 @@ +name: codeql/threat-models +version: 0.0.0-dev +library: true +groups: shared +dataExtensions: + - ext/*.model.yml From c2681638046fb0ebde14398d422f7465db927fd9 Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Thu, 19 Oct 2023 17:18:47 -0400 Subject: [PATCH 02/11] warnOnImplicitThis --- shared/threat-models-ext/android/qlpack.yml | 1 + shared/threat-models-ext/local/qlpack.yml | 1 + shared/threat-models/qlpack.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/shared/threat-models-ext/android/qlpack.yml b/shared/threat-models-ext/android/qlpack.yml index 41e2ee7d642e..dd9ddfabad03 100644 --- a/shared/threat-models-ext/android/qlpack.yml +++ b/shared/threat-models-ext/android/qlpack.yml @@ -8,3 +8,4 @@ dataExtensions: - "*.model.yml" extensionTargets: codeql/threat-models: ${workspace} +warnOnImplicitThis: true diff --git a/shared/threat-models-ext/local/qlpack.yml b/shared/threat-models-ext/local/qlpack.yml index 87c48bee1a9e..cef7f0e35d34 100644 
--- a/shared/threat-models-ext/local/qlpack.yml +++ b/shared/threat-models-ext/local/qlpack.yml @@ -8,3 +8,4 @@ dataExtensions: - "*.model.yml" extensionTargets: codeql/threat-models: ${workspace} +warnOnImplicitThis: true diff --git a/shared/threat-models/qlpack.yml b/shared/threat-models/qlpack.yml index 0023befd76c0..71be8835aa76 100644 --- a/shared/threat-models/qlpack.yml +++ b/shared/threat-models/qlpack.yml @@ -4,3 +4,4 @@ library: true groups: shared dataExtensions: - ext/*.model.yml +warnOnImplicitThis: true From fb1b41b64923fa1b56c76d3e34d4c55254b011c0 Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Thu, 19 Oct 2023 17:20:38 -0400 Subject: [PATCH 03/11] Fix formatting --- .../library-tests/dataflow/threat-models/threat-models1.ql | 4 +--- .../library-tests/dataflow/threat-models/threat-models2.ql | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/java/ql/test/library-tests/dataflow/threat-models/threat-models1.ql b/java/ql/test/library-tests/dataflow/threat-models/threat-models1.ql index 89d95e3ca950..52e2465ac8b7 100644 --- a/java/ql/test/library-tests/dataflow/threat-models/threat-models1.ql +++ b/java/ql/test/library-tests/dataflow/threat-models/threat-models1.ql @@ -1,5 +1,3 @@ import codeql.threatmodels.ThreatModels as ThreatModels -query predicate supportedThreatModels(string kind) { - ThreatModels::currentThreatModel(kind) -} +query predicate supportedThreatModels(string kind) { ThreatModels::currentThreatModel(kind) } diff --git a/java/ql/test/library-tests/dataflow/threat-models/threat-models2.ql b/java/ql/test/library-tests/dataflow/threat-models/threat-models2.ql index 89d95e3ca950..52e2465ac8b7 100644 --- a/java/ql/test/library-tests/dataflow/threat-models/threat-models2.ql +++ b/java/ql/test/library-tests/dataflow/threat-models/threat-models2.ql 
@@ -1,5 +1,3 @@ import codeql.threatmodels.ThreatModels as ThreatModels -query predicate supportedThreatModels(string kind) { - ThreatModels::currentThreatModel(kind) -} +query predicate supportedThreatModels(string kind) { ThreatModels::currentThreatModel(kind) } From 15e9838f162c1afc69ac8824f24c878f5f5444a1 Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Thu, 19 Oct 2023 17:27:21 -0400 Subject: [PATCH 04/11] Add a readme file --- shared/threat-models-ext/README.md | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 shared/threat-models-ext/README.md diff --git a/shared/threat-models-ext/README.md b/shared/threat-models-ext/README.md new file mode 100644 index 000000000000..8f292a17ec21 --- /dev/null +++ b/shared/threat-models-ext/README.md @@ -0,0 +1,7 @@ +This directory contains an extension pack for each supported threat model. Each pack should have the +same layout. To add a new threat model, just copy one of the existing packs, and update the following: + +- In `qlpack.yml`, update the `name` to `codeql/threat-$name`, where `$name` is the name of the threat model. +- In `threat.model.yml`, change the single row of the `data` property to `- ["$name"]` + +If creating these by copying and pasting becomes a burder, we can always automate the process with a script. From 5fd56ce86609cb03d6f147c826bd5446f5f9462f Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Tue, 24 Oct 2023 13:12:37 -0400 Subject: [PATCH 05/11] Alternate threat model implementation --- .../semmle/code/java/dataflow/FlowSources.qll | 4 -- .../codeql/threatmodels/ThreatModels.qll | 37 ++++++++++++++++--- .../ext/supported-threat-models.model.yml | 5 +-- 3 files changed, 34 insertions(+), 12 deletions(-) diff --git a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll index 9e141c323f5d..8b435488bba1 100644 --- a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll 
+++ b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll @@ -47,10 +47,6 @@ abstract class SourceNode extends DataFlow::Node { */ class ThreatModelFlowSource extends DataFlow::Node { ThreatModelFlowSource() { - // Expansive threat model. - currentThreatModel("all") and - (this instanceof SourceNode or sourceNode(this, _)) - or exists(string kind | // Specific threat model. currentThreatModel(kind) and diff --git a/shared/threat-models/codeql/threatmodels/ThreatModels.qll b/shared/threat-models/codeql/threatmodels/ThreatModels.qll index 96ba95a800a4..9b284e582b12 100644 --- a/shared/threat-models/codeql/threatmodels/ThreatModels.qll +++ b/shared/threat-models/codeql/threatmodels/ThreatModels.qll @@ -6,9 +6,22 @@ */ /** - * Holds if the specified kind of source model is supported for the current query. + * Holds configuration entries to specify which threat models are enabled. + * + * - `kind` - Specifies the threat model to configure. This can be the name of a specific threat + * model (for example, `environment`), a group (`local`), or `all`. + * - `enable` - `true` to enable the specified threat model (and its children), or `false` to disable it. + * - `priority` - The order in which the configuration should be applied. Lower values are applied first. + * + * The final configuration is the result of processing each row in ascending order of its `priority` column. + * For example: + * - `{ kind: "all", enable: true, priority: 0 }` + * - `{ kind: "remote", enable: false, priority: 1 }` + * - `{ kind: "environment", enable: true, priority: 2 }` + * This configuration first enables all threat models, then disables the `remote` group, and finally re-enables + * the `environment` threat model. */ -extensible predicate supportedThreatModels(string kind); +extensible predicate threatModelConfiguration(string kind, boolean enable, int priority); /** * Holds if the specified kind of source model is containted within the specified group. 
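Review bot: Removing the `currentThreatModel("all")` branch means a `SourceNode` that has no MaD kind is now matched only by the remaining `exists(string kind | ...)` disjunct, whose body continues outside this hunk; if that body only tests `sourceNode(this, kind)`, framework sources modelled as `SourceNode` subclasses would silently stop being sources when a user enables `all`. Worth confirming that the remaining branch also covers plain `SourceNode` instances, and leaving a comment at the top of the constructor such as `// "all" is no longer special-cased here: currentThreatModel treats it as an ancestor of every kind.` The `ThreatModelFlowSource` constructor ends outside this hunk.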
@@ -16,14 +29,28 @@ extensible predicate supportedThreatModels(string kind); extensible private predicate threatModelGrouping(string kind, string group); /** - * Gets the threat models that are direct descendants of the specified kind/group. + * Gets the threat model group that directly contains the specified threat model. */ -private string getChildThreatModel(string group) { threatModelGrouping(result, group) } +private string getParentThreatModel(string child) { + threatModelGrouping(child, result) +} /** * Holds if the source model kind `kind` is relevant for generic queries * under the current threat model configuration. */ +bindingset[kind] predicate currentThreatModel(string kind) { - exists(string group | supportedThreatModels(group) and kind = getChildThreatModel*(group)) + // Find the highest-oriority configuration row whose `kind` column includes the specified threat + // model kind. If such a row exists and its `enabled` column is `true`, then the threat model is + // enabled. + max(boolean enabled, int priority | + exists(string configuredKind | + configuredKind = getParentThreatModel*(kind) or configuredKind = "all" + | + threatModelConfiguration(configuredKind, enabled, priority) + ) + | + enabled order by priority + ) = true } diff --git a/shared/threat-models/ext/supported-threat-models.model.yml b/shared/threat-models/ext/supported-threat-models.model.yml index 5d56ab1adf49..59589f50f386 100644 --- a/shared/threat-models/ext/supported-threat-models.model.yml +++ b/shared/threat-models/ext/supported-threat-models.model.yml @@ -1,7 +1,6 @@ extensions: - - addsTo: pack: codeql/threat-models - extensible: supportedThreatModels + extensible: threatModelConfiguration data: - - ["default"] # The "default" threat model is always included. + - ["default", true, -2147483648] # The "default" threat model is included by default From 33f10d8d196aa9c98d91a0f238d1e737f25004a5 Mon Sep 17 00:00:00 2001 
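Review bot: `max(boolean enabled, int priority | ... | enabled order by priority)` does not say which row wins when two applicable rows share a `priority` but disagree on `enabled` (for example an `all` row and a group row both at priority 0), so the effective threat model then depends on the aggregate's tie-breaking rather than on anything the configuration author wrote. Either document that priorities for overlapping kinds must be distinct, or make the tie explicit (e.g. `enabled order by priority, enabled`) and state the resulting rule in the predicate's doc comment. The new comment also reads `highest-oriority`, which should be `highest-priority`, and it refers to the `enabled` column while the predicate declares it as `enable`. All of these carry over unchanged into the later patch 06 hunk of this file.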
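Review bot: `-2147483648` is a magic number: the row relies on QL's 32-bit `int` minimum so that any other row outranks it, but the trailing comment only says the default is included by default. A comment stating the intent, such as `# Lowest possible priority, so any other configuration row overrides this one; a row at the same priority would tie with it.`, would save the next reader from working that out. The file is also still named `supported-threat-models.model.yml` although it now feeds `threatModelConfiguration`, which is worth a follow-up rename.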
From: Dave Bartolomeo Date: Tue, 24 Oct 2023 13:59:15 -0400 Subject: [PATCH 06/11] Better handling of `all` threat model without too many binding sets --- shared/threat-models-ext/README.md | 7 --- shared/threat-models-ext/android/qlpack.yml | 11 ----- .../android/threat.model.yml | 7 --- shared/threat-models-ext/local/qlpack.yml | 11 ----- .../threat-models-ext/local/threat.model.yml | 7 --- .../codeql/threatmodels/ThreatModels.qll | 44 ++++++++++++++----- 6 files changed, 33 insertions(+), 54 deletions(-) delete mode 100644 shared/threat-models-ext/README.md delete mode 100644 shared/threat-models-ext/android/qlpack.yml delete mode 100644 shared/threat-models-ext/android/threat.model.yml delete mode 100644 shared/threat-models-ext/local/qlpack.yml delete mode 100644 shared/threat-models-ext/local/threat.model.yml diff --git a/shared/threat-models-ext/README.md b/shared/threat-models-ext/README.md deleted file mode 100644 index 8f292a17ec21..000000000000 --- a/shared/threat-models-ext/README.md +++ /dev/null @@ -1,7 +0,0 @@ -This directory contains an extension pack for each supported threat model. Each pack should have the -same layout. To add a new threat model, just copy one of the existing packs, and update the following: - -- In `qlpack.yml`, update the `name` to `codeql/threat-$name`, where `$name` is the name of the threat model. -- In `threat.model.yml`, change the single row of the `data` property to `- ["$name"]` - -If creating these by copying and pasting becomes a burder, we can always automate the process with a script. diff --git a/shared/threat-models-ext/android/qlpack.yml b/shared/threat-models-ext/android/qlpack.yml deleted file mode 100644 index dd9ddfabad03..000000000000 --- a/shared/threat-models-ext/android/qlpack.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -name: codeql/threat-android -version: 0.0.0-dev -groups: - - shared - - threat-models -library: true -dataExtensions: - - "*.model.yml" -extensionTargets: - codeql/threat-models: ${workspace} -warnOnImplicitThis: true diff --git a/shared/threat-models-ext/android/threat.model.yml b/shared/threat-models-ext/android/threat.model.yml deleted file mode 100644 index 38d302d5ffff..000000000000 --- a/shared/threat-models-ext/android/threat.model.yml +++ /dev/null @@ -1,7 +0,0 @@ -extensions: - - - addsTo: - pack: codeql/threat-models - extensible: supportedThreatModels - data: - - ["android"] diff --git a/shared/threat-models-ext/local/qlpack.yml b/shared/threat-models-ext/local/qlpack.yml deleted file mode 100644 index cef7f0e35d34..000000000000 --- a/shared/threat-models-ext/local/qlpack.yml +++ /dev/null @@ -1,11 +0,0 @@ -name: codeql/threat-local -version: 0.0.0-dev -groups: - - shared - - threat-models -library: true -dataExtensions: - - "*.model.yml" -extensionTargets: - codeql/threat-models: ${workspace} -warnOnImplicitThis: true diff --git a/shared/threat-models-ext/local/threat.model.yml b/shared/threat-models-ext/local/threat.model.yml deleted file mode 100644 index 31d66935392c..000000000000 --- a/shared/threat-models-ext/local/threat.model.yml +++ /dev/null @@ -1,7 +0,0 @@ -extensions: - - - addsTo: - pack: codeql/threat-models - extensible: supportedThreatModels - data: - - ["local"] diff --git a/shared/threat-models/codeql/threatmodels/ThreatModels.qll b/shared/threat-models/codeql/threatmodels/ThreatModels.qll index 9b284e582b12..9e22baae09ea 100644 --- a/shared/threat-models/codeql/threatmodels/ThreatModels.qll +++ b/shared/threat-models/codeql/threatmodels/ThreatModels.qll 
@@ -28,29 +28,51 @@ extensible predicate threatModelConfiguration(string kind, boolean enable, int p */ extensible private predicate threatModelGrouping(string kind, string group); +/** Holds if the specified threat model kind is mentioned in either the configuration or grouping table. */ +private predicate knownThreatModel(string kind) { + threatModelConfiguration(kind, _, _) or + threatModelGrouping(kind, _) or + threatModelGrouping(_, kind) or + kind = "all" +} + /** * Gets the threat model group that directly contains the specified threat model. */ private string getParentThreatModel(string child) { threatModelGrouping(child, result) + or + knownThreatModel(child) and child != "all" and result = "all" } /** - * Holds if the source model kind `kind` is relevant for generic queries - * under the current threat model configuration. + * Gets the `enabled` column of the highest-priority configuration row whose `kind` column includes + * the specified threat model kind. */ -bindingset[kind] -predicate currentThreatModel(string kind) { +private boolean threatModelExplicitState(string kind) { // Find the highest-oriority configuration row whose `kind` column includes the specified threat // model kind. If such a row exists and its `enabled` column is `true`, then the threat model is // enabled. - max(boolean enabled, int priority | - exists(string configuredKind | - configuredKind = getParentThreatModel*(kind) or configuredKind = "all" + (knownThreatModel(kind) or kind = "") and + result = + max(boolean enabled, int priority | + exists(string configuredKind | configuredKind = getParentThreatModel*(kind) | + threatModelConfiguration(configuredKind, enabled, priority) + ) | - threatModelConfiguration(configuredKind, enabled, priority) + enabled order by priority ) - | - enabled order by priority - ) = true +} + +/** + * Holds if the source model kind `kind` is relevant for generic queries + * under the current threat model configuration. 
+ */ +bindingset[kind] +predicate currentThreatModel(string kind) { + knownThreatModel(kind) and threatModelExplicitState(kind) = true + or + // For any threat model kind not mentioned in the configuration or grouping tables, its state of + // enablement is controlled only by the entries that specifiy the "all" kind. + not knownThreatModel(kind) and threatModelExplicitState("all") = true } From b3e5b86f0a48452a694edd6101f54a1aca25edd6 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 25 Oct 2023 14:02:31 +0200 Subject: [PATCH 07/11] Java: Cleanup threat models tests. --- .../threat-models-flowtest2.ext.yml | 6 +-- .../threat-models-flowtest3.ext.yml | 6 +-- .../threat-models-flowtest4.ext.yml | 6 +-- .../threat-models-flowtest5.ext.yml | 8 +-- .../threat-models-flowtest6.expected | 54 +++++++++++++++++++ .../threat-models-flowtest6.ext.yml | 16 ++++++ .../threat-models/threat-models-flowtest6.ql | 12 +++++ .../threat-models/threat-models1.expected | 4 -- .../dataflow/threat-models/threat-models1.ql | 3 -- .../threat-models/threat-models2.expected | 9 ---- .../threat-models/threat-models2.ext.yml | 7 --- .../dataflow/threat-models/threat-models2.ql | 3 -- 12 files changed, 95 insertions(+), 39 deletions(-) create mode 100644 java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest6.expected create mode 100644 java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest6.ext.yml create mode 100644 java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest6.ql delete mode 100644 java/ql/test/library-tests/dataflow/threat-models/threat-models1.expected delete mode 100644 java/ql/test/library-tests/dataflow/threat-models/threat-models1.ql delete mode 100644 java/ql/test/library-tests/dataflow/threat-models/threat-models2.expected delete mode 100644 java/ql/test/library-tests/dataflow/threat-models/threat-models2.ext.yml delete mode 100644 java/ql/test/library-tests/dataflow/threat-models/threat-models2.ql 
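Review bot: `(knownThreatModel(kind) or kind = "")` in `threatModelExplicitState` special-cases the empty string with no explanation, and nothing else in the hunk uses `""`; a comment such as `// Also accept the empty kind: <state the reason here>` is needed so the next maintainer does not remove it as dead. The doc comment on the same predicate refers to the `enabled` column while `threatModelConfiguration` declares it as `enable`. Note too that `knownThreatModel` treats any kind appearing in a configuration row as known, so a misspelled kind in a user's row becomes a standalone kind whose only parent is `all` and the row has no effect on the model the user meant to configure; that is inherent to the extensible design, but worth stating in the `threatModelConfiguration` doc comment.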
diff --git a/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest2.ext.yml b/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest2.ext.yml index f8cad9eff2f1..214709ab6b4f 100644 --- a/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest2.ext.yml +++ b/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest2.ext.yml @@ -1,10 +1,10 @@ extensions: - addsTo: - pack: codeql/java-all - extensible: supportedThreatModels + pack: codeql/threat-models + extensible: threatModelConfiguration data: - - ["database"] + - ["database", true, 0] - addsTo: pack: codeql/java-all diff --git a/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest3.ext.yml b/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest3.ext.yml index f7a5a63530a9..9681e058aeec 100644 --- a/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest3.ext.yml +++ b/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest3.ext.yml @@ -1,10 +1,10 @@ extensions: - addsTo: - pack: codeql/java-all - extensible: supportedThreatModels + pack: codeql/threat-models + extensible: threatModelConfiguration data: - - ["local"] + - ["local", true, 0] - addsTo: pack: codeql/java-all diff --git a/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest4.ext.yml b/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest4.ext.yml index 4ce73dff4848..1df7c4aa9bea 100644 --- a/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest4.ext.yml +++ b/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest4.ext.yml @@ -1,10 +1,10 @@ extensions: - addsTo: - pack: codeql/java-all - extensible: supportedThreatModels + pack: codeql/threat-models + extensible: threatModelConfiguration data: - - ["all"] + - ["all", true, 0] - addsTo: pack: codeql/java-all 
diff --git a/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest5.ext.yml b/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest5.ext.yml index 9b6a38317135..83af0acecbb2 100644 --- a/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest5.ext.yml +++ b/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest5.ext.yml @@ -1,11 +1,11 @@ extensions: - addsTo: - pack: codeql/java-all - extensible: supportedThreatModels + pack: codeql/threat-models + extensible: threatModelConfiguration data: - - ["environment"] - - ["commandargs"] + - ["environment", true, 0] + - ["commandargs", true, 0] - addsTo: pack: codeql/java-all diff --git a/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest6.expected b/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest6.expected new file mode 100644 index 000000000000..9b5109ab7e97 --- /dev/null +++ b/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest6.expected 
@@ -0,0 +1,54 @@ +edges +| Test.java:10:31:10:41 | data : byte[] | Test.java:11:23:11:26 | data : byte[] | +| Test.java:11:23:11:26 | data : byte[] | Test.java:11:12:11:51 | new String(...) : String | +| Test.java:19:5:19:25 | getInputStream(...) : InputStream | Test.java:19:32:19:35 | data [post update] : byte[] | +| Test.java:19:32:19:35 | data [post update] : byte[] | Test.java:22:49:22:52 | data : byte[] | +| Test.java:19:32:19:35 | data [post update] : byte[] | Test.java:25:69:25:72 | data : byte[] | +| Test.java:22:49:22:52 | data : byte[] | Test.java:10:31:10:41 | data : byte[] | +| Test.java:22:49:22:52 | data : byte[] | Test.java:22:36:22:53 | byteToString(...) | +| Test.java:25:56:25:73 | byteToString(...) : String | Test.java:25:26:25:80 | ... + ... | +| Test.java:25:69:25:72 | data : byte[] | Test.java:10:31:10:41 | data : byte[] | +| Test.java:25:69:25:72 | data : byte[] | Test.java:25:56:25:73 | byteToString(...) : String | +| Test.java:30:21:30:61 | executeQuery(...) : String | Test.java:33:26:33:68 | ... + ... | +| Test.java:30:21:30:61 | executeQuery(...) : String | Test.java:36:36:36:41 | result | +| Test.java:64:5:64:13 | System.in : InputStream | Test.java:64:20:64:23 | data [post update] : byte[] | +| Test.java:64:20:64:23 | data [post update] : byte[] | Test.java:67:69:67:72 | data : byte[] | +| Test.java:64:20:64:23 | data [post update] : byte[] | Test.java:70:49:70:52 | data : byte[] | +| Test.java:67:56:67:73 | byteToString(...) : String | Test.java:67:26:67:80 | ... + ... | +| Test.java:67:69:67:72 | data : byte[] | Test.java:10:31:10:41 | data : byte[] | +| Test.java:67:69:67:72 | data : byte[] | Test.java:67:56:67:73 | byteToString(...) : String | +| Test.java:70:49:70:52 | data : byte[] | Test.java:10:31:10:41 | data : byte[] | +| Test.java:70:49:70:52 | data : byte[] | Test.java:70:36:70:53 | byteToString(...) | +nodes +| Test.java:10:31:10:41 | data : byte[] | semmle.label | data : byte[] | +| Test.java:11:12:11:51 | new String(...) 
: String | semmle.label | new String(...) : String | +| Test.java:11:23:11:26 | data : byte[] | semmle.label | data : byte[] | +| Test.java:19:5:19:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| Test.java:19:32:19:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] | +| Test.java:22:36:22:53 | byteToString(...) | semmle.label | byteToString(...) | +| Test.java:22:49:22:52 | data : byte[] | semmle.label | data : byte[] | +| Test.java:25:26:25:80 | ... + ... | semmle.label | ... + ... | +| Test.java:25:56:25:73 | byteToString(...) : String | semmle.label | byteToString(...) : String | +| Test.java:25:69:25:72 | data : byte[] | semmle.label | data : byte[] | +| Test.java:30:21:30:61 | executeQuery(...) : String | semmle.label | executeQuery(...) : String | +| Test.java:33:26:33:68 | ... + ... | semmle.label | ... + ... | +| Test.java:36:36:36:41 | result | semmle.label | result | +| Test.java:64:5:64:13 | System.in : InputStream | semmle.label | System.in : InputStream | +| Test.java:64:20:64:23 | data [post update] : byte[] | semmle.label | data [post update] : byte[] | +| Test.java:67:26:67:80 | ... + ... | semmle.label | ... + ... | +| Test.java:67:56:67:73 | byteToString(...) : String | semmle.label | byteToString(...) : String | +| Test.java:67:69:67:72 | data : byte[] | semmle.label | data : byte[] | +| Test.java:70:36:70:53 | byteToString(...) | semmle.label | byteToString(...) | +| Test.java:70:49:70:52 | data : byte[] | semmle.label | data : byte[] | +subpaths +| Test.java:22:49:22:52 | data : byte[] | Test.java:10:31:10:41 | data : byte[] | Test.java:11:12:11:51 | new String(...) : String | Test.java:22:36:22:53 | byteToString(...) | +| Test.java:25:69:25:72 | data : byte[] | Test.java:10:31:10:41 | data : byte[] | Test.java:11:12:11:51 | new String(...) : String | Test.java:25:56:25:73 | byteToString(...) 
: String | +| Test.java:67:69:67:72 | data : byte[] | Test.java:10:31:10:41 | data : byte[] | Test.java:11:12:11:51 | new String(...) : String | Test.java:67:56:67:73 | byteToString(...) : String | +| Test.java:70:49:70:52 | data : byte[] | Test.java:10:31:10:41 | data : byte[] | Test.java:11:12:11:51 | new String(...) : String | Test.java:70:36:70:53 | byteToString(...) | +#select +| Test.java:19:5:19:25 | getInputStream(...) : InputStream | Test.java:22:36:22:53 | byteToString(...) | +| Test.java:19:5:19:25 | getInputStream(...) : InputStream | Test.java:25:26:25:80 | ... + ... | +| Test.java:30:21:30:61 | executeQuery(...) : String | Test.java:33:26:33:68 | ... + ... | +| Test.java:30:21:30:61 | executeQuery(...) : String | Test.java:36:36:36:41 | result | +| Test.java:64:5:64:13 | System.in : InputStream | Test.java:67:26:67:80 | ... + ... | +| Test.java:64:5:64:13 | System.in : InputStream | Test.java:70:36:70:53 | byteToString(...) | diff --git a/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest6.ext.yml b/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest6.ext.yml new file mode 100644 index 000000000000..5e54e0200c91 --- /dev/null +++ b/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest6.ext.yml @@ -0,0 +1,16 @@ +extensions: + + - addsTo: + pack: codeql/threat-models + extensible: threatModelConfiguration + data: + - ["local", true, 0] + - ["environment", false, 1] + + - addsTo: + pack: codeql/java-all + extensible: sourceModel + data: + - ["testlib", "TestSources", False, "executeQuery", "(String)", "", "ReturnValue", "database", "manual"] + - ["testlib", "TestSources", False, "readEnv", "(String)", "", "ReturnValue", "environment", "manual"] + - ["testlib", "TestSources", False, "getCustom", "(String)", "", "ReturnValue", "custom", "manual"] 
diff --git a/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest6.ql b/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest6.ql
new file mode 100644
index 000000000000..5bf328642db7
--- /dev/null
+++ b/java/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest6.ql
@@ -0,0 +1,12 @@
+/**
+ * This is a dataflow test using the "default" threat model with the
+ * addition of the threat model group "local", but without the
+ * "environment" threat model.
+ */
+
+import Test
+import ThreatModel::PathGraph
+
+from ThreatModel::PathNode source, ThreatModel::PathNode sink
+where ThreatModel::flowPath(source, sink)
+select source, sink
diff --git a/java/ql/test/library-tests/dataflow/threat-models/threat-models1.expected b/java/ql/test/library-tests/dataflow/threat-models/threat-models1.expected
deleted file mode 100644
index c471a7cc9129..000000000000
--- a/java/ql/test/library-tests/dataflow/threat-models/threat-models1.expected
+++ /dev/null
@@ -1,4 +0,0 @@
-| default |
-| remote |
-| request |
-| response |
diff --git a/java/ql/test/library-tests/dataflow/threat-models/threat-models1.ql b/java/ql/test/library-tests/dataflow/threat-models/threat-models1.ql
deleted file mode 100644
index 52e2465ac8b7..000000000000
--- a/java/ql/test/library-tests/dataflow/threat-models/threat-models1.ql
+++ /dev/null
@@ -1,3 +0,0 @@
-import codeql.threatmodels.ThreatModels as ThreatModels
-
-query predicate supportedThreatModels(string kind) { ThreatModels::currentThreatModel(kind) }
diff --git a/java/ql/test/library-tests/dataflow/threat-models/threat-models2.expected b/java/ql/test/library-tests/dataflow/threat-models/threat-models2.expected
deleted file mode 100644
index 395951c3b475..000000000000
--- a/java/ql/test/library-tests/dataflow/threat-models/threat-models2.expected
+++ /dev/null
@@ -1,9 +0,0 @@
-| commandargs |
-| database |
-| default |
-| environment |
-| file |
-| local |
-| remote |
-| request |
-| response |
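Review bot: The doc comment of threat-models-flowtest6.ql describes a configuration ("default" plus the group "local", minus "environment") that the query itself never sets up; the enablement comes from the sibling `threat-models-flowtest6.ext.yml` data extension, which a reader of this file alone cannot see and which the test silently depends on being loaded. Name that file in the comment, e.g. `* The threat model configuration for this test is supplied by threat-models-flowtest6.ext.yml.`, so that a stale or missing extension file is the first thing someone checks when the `.expected` output drifts.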
diff --git a/java/ql/test/library-tests/dataflow/threat-models/threat-models2.ext.yml b/java/ql/test/library-tests/dataflow/threat-models/threat-models2.ext.yml
deleted file mode 100644
index 1d6ed8c4992f..000000000000
--- a/java/ql/test/library-tests/dataflow/threat-models/threat-models2.ext.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-extensions:
-
- - addsTo:
- pack: codeql/java-all
- extensible: supportedThreatModels
- data:
- - ["local"] # Add the "local" group threat model.
diff --git a/java/ql/test/library-tests/dataflow/threat-models/threat-models2.ql b/java/ql/test/library-tests/dataflow/threat-models/threat-models2.ql
deleted file mode 100644
index 52e2465ac8b7..000000000000
--- a/java/ql/test/library-tests/dataflow/threat-models/threat-models2.ql
+++ /dev/null
@@ -1,3 +0,0 @@
-import codeql.threatmodels.ThreatModels as ThreatModels
-
-query predicate supportedThreatModels(string kind) { ThreatModels::currentThreatModel(kind) }
From 8d9e4d391fd61d4b897a84ab82cfe48cea7d0f9d Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Thu, 26 Oct 2023 13:46:28 -0400
Subject: [PATCH 08/11] Update shared/threat-models/codeql/threatmodels/ThreatModels.qll
Co-authored-by: Michael Nebel
---
 shared/threat-models/codeql/threatmodels/ThreatModels.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/threat-models/codeql/threatmodels/ThreatModels.qll b/shared/threat-models/codeql/threatmodels/ThreatModels.qll
index 9e22baae09ea..c30e08f4653c 100644
--- a/shared/threat-models/codeql/threatmodels/ThreatModels.qll
+++ b/shared/threat-models/codeql/threatmodels/ThreatModels.qll
@@ -70,7 +70,7 @@ private boolean threatModelExplicitState(string kind) {
 */
 bindingset[kind]
 predicate currentThreatModel(string kind) {
- knownThreatModel(kind) and threatModelExplicitState(kind) = true
+ knownThreatModel(kind) and threatModelEnabled(kind)
 or
 // For any threat model kind not mentioned in the configuration or grouping tables, its state of
 // enablement is controlled only by the entries that specifiy the "all" kind.
From 927eb8424d3b8809326d7a299fd110ebffc10dfc Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Thu, 26 Oct 2023 13:46:37 -0400
Subject: [PATCH 09/11] Update shared/threat-models/codeql/threatmodels/ThreatModels.qll
Co-authored-by: Michael Nebel
---
 .../codeql/threatmodels/ThreatModels.qll | 21 +++++++++----------
 1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/shared/threat-models/codeql/threatmodels/ThreatModels.qll b/shared/threat-models/codeql/threatmodels/ThreatModels.qll
index c30e08f4653c..3b22a12a858f 100644
--- a/shared/threat-models/codeql/threatmodels/ThreatModels.qll
+++ b/shared/threat-models/codeql/threatmodels/ThreatModels.qll
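Review bot: The added line calls `threatModelEnabled(kind)`, but that predicate is only introduced by the next commit of the series (the `@@ -46,22 +46,21 @@` hunk of PATCH 09); at this commit the file still defines `threatModelExplicitState`, so the tree does not compile at PATCH 08 and a bisect will land on a broken state. Either fold this hunk into PATCH 09 or reorder the two so the predicate exists before its first use. The `knownThreatModel(kind) and` conjunct kept here is in any case redundant with the `knownThreatModel(kind)` check inside the new predicate, and PATCH 11 drops it again, which is one more sign the series would read better squashed. currentThreatModel's body continues below the hunk.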
@@ -46,22 +46,21 @@ private string getParentThreatModel(string child) {
 }
 
 /**
- * Gets the `enabled` column of the highest-priority configuration row whose `kind` column includes
- * the specified threat model kind.
+ * Holds if the `enabled` column is set to `true` of the highest-priority configuration row
+ * whose `kind` column includes the specified threat model kind.
 */
-private boolean threatModelExplicitState(string kind) {
+private predicate threatModelEnabled(string kind) {
 // Find the highest-oriority configuration row whose `kind` column includes the specified threat
 // model kind. If such a row exists and its `enabled` column is `true`, then the threat model is
 // enabled.
- (knownThreatModel(kind) or kind = "") and
- result =
- max(boolean enabled, int priority |
- exists(string configuredKind | configuredKind = getParentThreatModel*(kind) |
- threatModelConfiguration(configuredKind, enabled, priority)
- )
- |
- enabled order by priority
+ knownThreatModel(kind) and
+ max(boolean enabled, int priority |
+ exists(string configuredKind | configuredKind = getParentThreatModel*(kind) |
+ threatModelConfiguration(configuredKind, enabled, priority)
 )
+ |
+ enabled order by priority
+ ) = true
 }
 
 /**
From 9800458467b7d96b652f836e4ba772f106cad7bb Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Thu, 26 Oct 2023 13:46:55 -0400
Subject: [PATCH 10/11] Update shared/threat-models/codeql/threatmodels/ThreatModels.qll
Co-authored-by: Michael Nebel
---
 shared/threat-models/codeql/threatmodels/ThreatModels.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/threat-models/codeql/threatmodels/ThreatModels.qll b/shared/threat-models/codeql/threatmodels/ThreatModels.qll
index 3b22a12a858f..7b0762273683 100644
--- a/shared/threat-models/codeql/threatmodels/ThreatModels.qll
+++ b/shared/threat-models/codeql/threatmodels/ThreatModels.qll
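Review bot: Nothing in the new `max(boolean enabled, int priority | ... | enabled order by priority) = true` says what happens when two configuration rows reach the same top `priority` for one kind (directly or via `getParentThreatModel*`) with opposite `enabled` values; I do not believe the ordering aggregate promises a single value in a tie, and if it yields both then `= true` holds as soon as any tied row says `true`, so a conflicting configuration fails open. Either document the intended tie-break above the aggregate or add a fixture with two rows at equal priority so the behaviour is pinned by a test. The new doc comment also reads awkwardly; `Holds if the highest-priority configuration row whose \`kind\` column includes the specified threat model kind has \`enabled\` set to \`true\`.` says the same thing in the usual "Holds if" shape. Note too that the old `kind = ""` case is dropped without a mention in the commit message, which is worth one line there if it was deliberate.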
@@ -73,5 +73,5 @@ predicate currentThreatModel(string kind) {
 or
 // For any threat model kind not mentioned in the configuration or grouping tables, its state of
 // enablement is controlled only by the entries that specifiy the "all" kind.
- not knownThreatModel(kind) and threatModelExplicitState("all") = true
+ not knownThreatModel(kind) and threatModelEnabled("all")
 }
From e4276f7adbf3548def11d2844d7912144e4cd72e Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Fri, 27 Oct 2023 10:34:20 +0200
Subject: [PATCH 11/11] Java: Apply suggestions from code review
Co-authored-by: Anders Schack-Mulligen
---
 shared/threat-models/codeql/threatmodels/ThreatModels.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/threat-models/codeql/threatmodels/ThreatModels.qll b/shared/threat-models/codeql/threatmodels/ThreatModels.qll
index 7b0762273683..d12139ef28ea 100644
--- a/shared/threat-models/codeql/threatmodels/ThreatModels.qll
+++ b/shared/threat-models/codeql/threatmodels/ThreatModels.qll
@@ -50,7 +50,7 @@ private string getParentThreatModel(string child) {
 * whose `kind` column includes the specified threat model kind.
 */
 private predicate threatModelEnabled(string kind) {
- // Find the highest-oriority configuration row whose `kind` column includes the specified threat
+ // Find the highest-priority configuration row whose `kind` column includes the specified threat
 // model kind. If such a row exists and its `enabled` column is `true`, then the threat model is
 // enabled.
 knownThreatModel(kind) and
@@ -69,7 +69,7 @@ private predicate threatModelEnabled(string kind) {
 */
 bindingset[kind]
 predicate currentThreatModel(string kind) {
- knownThreatModel(kind) and threatModelEnabled(kind)
+ threatModelEnabled(kind)
 or
 // For any threat model kind not mentioned in the configuration or grouping tables, its state of
 // enablement is controlled only by the entries that specifiy the "all" kind.
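Review bot: The fallback for unconfigured kinds now rests on `threatModelEnabled("all")`, and since PATCH 09 that predicate starts with `knownThreatModel(kind) and`, so this branch can only ever hold if "all" is itself a known threat model kind; the removed `threatModelExplicitState("all") = true` accepted `kind = ""` but likewise never required "all" to be known, so this is a new dependency. Whether "all" appears in the grouping or supported-model tables is outside this diff; if it does not, every kind that is absent from the tables silently evaluates as disabled, with no diagnostic to point at the cause. A comment on the added line, `// Requires "all" to be a known threat model kind; otherwise unlisted kinds are always disabled.`, or a fixture that enables "all" and queries an unlisted kind, would make the assumption explicit and testable. currentThreatModel's body begins above the hunk.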
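Review bot: The typo fix in this commit's `@@ -50,7 +50,7 @@` hunk corrects "oriority" but leaves "specifiy" in the last context line of this hunk (`// enablement is controlled only by the entries that specifiy the "all" kind.`); change it to `specify` in the same commit, since the comment sits four lines below the edited one and the point of the commit is the review wording.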