About codeql query for Apache Commons Text

[badnoodle]

Few days ago, apache commons text disclosed [CVE-2022-42889].

When I use codeql to query the project(https://github.com/apache/commons-text/tree/commons-text-1.8), it cann't find any vul in the project.

The ql file is

import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.XSS
import DataFlow::PathGraph
import DataFlow
import semmle.code.java.dataflow.internal.DataFlowImplCommon
import semmle.code.java.dataflow.TaintTracking

class SSSConfig extends TaintTracking::Configuration {
  
  SSSConfig() { this = "SqlInjectionLib::QueryInjectionFlowConfig" }
  
  override predicate isSource(DataFlow::Node src) { 
	
	exists(Callable m |
		m.hasName("replace") and m.getNumberOfParameters() = 1 and
		src.asParameter().getCallable() = m
	)	
	
  }

  override predicate isSink(DataFlow::Node sink) { 
	exists(MethodAccess ma | ma.getAnArgument() = sink.asExpr() and 
		ma.getMethod().hasName("eval")
	)
  }
  
  override int explorationLimit() { result = 500 }
}

from SSSConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
where conf.hasFlowPath(source, sink) and conf.isSource(source.getNode())
select source.getNode().asParameter().getName(), sink`

the codeql cann't resolve 'lookup' function, so cann't find the 'eval' sink.

protected String resolveVariable(final String variableName, final TextStringBuilder buf, final int startPos,
            final int endPos) {
        final StringLookup resolver = getStringLookup();
        if (resolver == null) {
            return null;
        }
        return resolver.lookup(variableName);
    }

when I use resolveCall in codeql to debug this problem, I found the 'lookup' resolve to a summary callable.
So I found the "org.apache.commons.text.lookup.StringLookup:lookup" has been defined in the Lang2Generated.qll as a SummaryModel.

When I noted the buildin external flow, I can use codel find the 'eval' sink.

So can codeql add a new feature, ignore the buildin source model in the anaylzed source？

[tausbn]

Thank you for your question! 🙂

There's currently no mechanism for ignoring the built-in summary models in favour of the source code being analysed. The current implementation uses various heuristics to figure out how to resolve the calls in cases like this, but these heuristics are not always perfect.

However, there is definite room for improvement here, and the team responsible for the Java analysis will be looking into ways of improving the status quo.

[badnoodle]

thanks for your reply.