Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space JAVA and version Publish


Dont print
Code Block
titleQuery: ArithmeticTainted.ql
 * @name User-controlled data in arithmetic expression
 * @description Arithmetic operations on user-controlled data that is not validated can cause
 *              overflows.
 * @kind path-problem
 * @problem.severity warning
 * @precision medium
 * @id java/tainted-arithmetic
 * @tags security
 *       external/cwe/cwe-190
 *       external/cwe/cwe-191

import java
import ArithmeticCommon
import DataFlow::PathGraph

predicateclass sink(ArithExpr exp, VarAccess tainted, string effect) RemoteUserInputOverflowConfig extends TaintTracking::Configuration {
  exp.getAnOperandRemoteUserInputOverflowConfig() ={ tainted and
    not guardedAgainstUnderflow(exp, tainted) and effect this = "underflowArithmeticTainted.ql:RemoteUserInputOverflowConfig" }

  oroverride     not guardedAgainstOverflow(exp, tainted) and effect = "overflow"
  ) and
  // Exclude widening conversions of tainted values due to binary numeric promotion (JLS 5.6.2)
  // unless there is an enclosing cast down to a narrower type.
  narrowerThanOrEqualTo(exp, tainted.getType()) and
  not overflowIrrelevant(exp)

class RemoteUserInputConfigpredicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  override predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }

  override predicate isSanitizer(DataFlow::Node n) { overflowBarrier(n) }

class RemoteUserInputUnderflowConfig extends TaintTracking::Configuration {
  RemoteUserInputConfigRemoteUserInputUnderflowConfig() { this = "ArithmeticTainted.ql:RemoteUserInputConfigRemoteUserInputUnderflowConfig" }

  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  override predicate isSink(DataFlow::Node sink) { sinkunderflowSink(_, sink.asExpr(), _) }

  override predicate isSanitizer(DataFlow::Node n) { underflowBarrier(n.getType() instanceof BooleanType }

from   DataFlow::PathNode source, DataFlow::PathNode sink, ArithExpr exp, string effect
  any(RemoteUserInputOverflowConfig c).hasFlowPath(source, sink) and
RemoteUserInputConfig conf where
  confoverflowSink(exp, sink.getNode().asExpr()) and
  effect = "overflow"
  any(RemoteUserInputUnderflowConfig c).hasFlowPath(source, sink) and
  sinkunderflowSink(exp, sink.getNode().asExpr(),) and
  effect) = "underflow"
select exp, source, sink,
  "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
  source.getNode(), "User-provided value"