Module DataFlow

DEPRECATED: Use semmle.code.java.dataflow.DataFlow, semmle.code.java.dataflow.TaintTracking, and semmle.code.java.dataflow.FlowSources instead.

Data flow module in the security pack.

This module tracks data through a program.

Import path

semmle.code.java.security.DataFlow

Imports

ApacheHttp
DefUse

Provides classes and predicates for def-use and use-use pairs. Built on top of the SSA library for maximal precision.

Expr

Provides classes for working with Java expressions.

JaxWS
Jdbc

Provides classes and predicates for working with the Java JDBC API.

Networking
Properties
Rmi
SQLite
SSA

Provides classes and predicates for SSA representation (Static Single Assignment form).

SecurityTests

Test detection for the security pack.

Servlets

Provides classes and predicates for working with the Java Servlet API.

Validation
VirtualDispatch
WebView
XmlParsing

Predicates

constructorStep

An object construction that preserves the data flow status of any of its arguments.

dataPreservingArgument

Library methods that return tainted data if one of their arguments is tainted.

methodReturnsArg

Holds if a method can return its argument. This is public for testing.

qualifierToMethodStep

Access to a method that passes taint from the qualifier.

unsafeEscape

Classes

DataPreservingMethod

Methods that return tainted data when called on tainted data.

DatabaseInput
EnvInput
EnvTaintedMethod
FlowExpr

DEPRECATED: Use semmle.code.java.dataflow.DataFlow, semmle.code.java.dataflow.TaintTracking, and semmle.code.java.dataflow.FlowSources instead.

FlowSource

DEPRECATED: Use semmle.code.java.dataflow.DataFlow, semmle.code.java.dataflow.TaintTracking, and semmle.code.java.dataflow.FlowSources instead.

LocalUserInput

DEPRECATED: Use semmle.code.java.dataflow.FlowSources.LocalUserInput instead.

ObjectOutputStreamVar

A local variable that is assigned an ObjectOutputStream. Writing tainted data to such a stream causes the underlying OutputStream to be tainted.

RemoteTaintedMethod
RemoteUserInput

DEPRECATED: Use semmle.code.java.dataflow.FlowSources.RemoteUserInput instead.

ReverseDNSMethod
StringBuilderVar

DEPRECATED: Use semmle.code.java.dataflow.TaintTracking.TaintTracking::StringBuilderVar instead.

StringReplaceMethod
TypeInetAddr
UserInput

DEPRECATED: Use semmle.code.java.dataflow.FlowSources.UserInput instead.