Refactor TemplateInjection libraries

Author: atorralba

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -117,6 +117,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.Retrofit
   private import semmle.code.java.frameworks.Stream
   private import semmle.code.java.frameworks.Strings
+  private import semmle.code.java.frameworks.Velocity
   private import semmle.code.java.frameworks.ratpack.Ratpack
   private import semmle.code.java.frameworks.ratpack.RatpackExec
   private import semmle.code.java.frameworks.spring.SpringCache
@@ -141,6 +142,7 @@ private module Frameworks {
   private import semmle.code.java.security.LdapInjection
   private import semmle.code.java.security.MvelInjection
   private import semmle.code.java.security.OgnlInjection
+  private import semmle.code.java.security.TemplateInjection
   private import semmle.code.java.security.XPath
   private import semmle.code.java.security.XsltInjection
   private import semmle.code.java.frameworks.Jdbc

java/ql/lib/semmle/code/java/frameworks/FreeMarker.qll

@@ -1,119 +1,14 @@
 /** Definitions related to the Apache Velocity Templating library. */
 
 import java
-
-/** The `org.apache.velocity.context.AbstractContext` class of the Velocity Templating Engine. */
-class TypeVelocityAbstractContext extends Class {
-  TypeVelocityAbstractContext() {
-    this.hasQualifiedName("org.apache.velocity.context", "AbstractContext")
-  }
-}
-
-/** The `org.apache.velocity.runtime.RuntimeServices` class of the Velocity Templating Engine. */
-class TypeVelocityRuntimeRuntimeServices extends Class {
-  TypeVelocityRuntimeRuntimeServices() {
-    this.hasQualifiedName("org.apache.velocity.runtime", "RuntimeServices")
-  }
-}
-
-/** The `org.apache.velocity.Template` class of the Velocity Templating Engine. */
-class TypeVelocityTemplate extends Class {
-  TypeVelocityTemplate() { this.hasQualifiedName("org.apache.velocity", "Template") }
-}
-
-/** The `org.apache.velocity.runtime.RuntimeSingleton` classTemplating Engine. */
-class TypeVelocityRuntimeRuntimeSingleton extends Class {
-  TypeVelocityRuntimeRuntimeSingleton() {
-    this.hasQualifiedName("org.apache.velocity.runtime", "RuntimeSingleton")
-  }
-}
-
-/** The `org.apache.velocity.VelocityEngine` class of the Velocity Templating Engine. */
-class TypeVelocityVelocityEngine extends Class {
-  TypeVelocityVelocityEngine() { this.hasQualifiedName("org.apache.velocity", "VelocityEngine") }
-}
-
-/** The `org.apache.velocity.app.VelocityEngine` class of the Velocity Templating Engine. */
-class TypeVelocityAppVelocityEngine extends RefType {
-  TypeVelocityAppVelocityEngine() {
-    this.hasQualifiedName("org.apache.velocity.app", "VelocityEngine")
-  }
-}
-
-/** The `org.apache.velocity.app.Velocity` class of the Velocity Templating Engine. */
-class TypeVelocityAppVelocity extends RefType {
-  TypeVelocityAppVelocity() { this.hasQualifiedName("org.apache.velocity.app", "Velocity") }
-}
-
-/**
- * The `org.apache.velocity.runtime.resource.util.StringResourceRepository` interface
- * of the Velocity Templating Engine.
- */
-class TypeVelocityStringResourceRepo extends RefType {
-  TypeVelocityStringResourceRepo() {
-    this.hasQualifiedName("org.apache.velocity.runtime.resource.util", "StringResourceRepository")
-  }
-}
-
-/** The `internalPut` and `put` methods of the Velocity Templating Engine. */
-class MethodVelocityContextPut extends Method {
-  MethodVelocityContextPut() {
-    this.getDeclaringType().getASupertype*() instanceof TypeVelocityAbstractContext and
-    this.hasName(["put", "internalPut"])
-  }
-}
-
-/** The `evaluate` method of the Velocity Templating Engine. */
-class MethodVelocityEvaluate extends Method {
-  MethodVelocityEvaluate() {
-    // static boolean evaluate(Context context, Writer out, String logTag, String instring)
-    // static boolean evaluate(Context context, Writer writer, String logTag, Reader reader)
-    (
-      this.getDeclaringType() instanceof TypeVelocityAppVelocity or
-      this.getDeclaringType() instanceof TypeVelocityAppVelocityEngine or
-      this.getDeclaringType().getASupertype*() instanceof TypeVelocityRuntimeRuntimeServices
-    ) and
-    this.hasName("evaluate")
-  }
-}
-
-/** The `mergeTemplate` method of the Velocity Templating Engine. */
-class MethodVelocityMergeTemplate extends Method {
-  MethodVelocityMergeTemplate() {
-    // static boolean	mergeTemplate(String templateName, String encoding, Context context, Writer writer)
-    (
-      this.getDeclaringType() instanceof TypeVelocityAppVelocity or
-      this.getDeclaringType() instanceof TypeVelocityAppVelocityEngine
-    ) and
-    this.hasName("mergeTemplate")
-  }
-}
-
-/** The `merge` method of the Velocity Templating Engine. */
-class MethodVelocityMerge extends Method {
-  MethodVelocityMerge() {
-    // void merge(Context context, Writer writer)
-    // void merge(Context context, Writer writer, List<String> macroLibraries)
-    this.getDeclaringType() instanceof TypeVelocityTemplate and
-    this.hasName("merge")
-  }
-}
-
-/** The `parse` method of the Velocity Templating Engine. */
-class MethodVelocityParse extends Method {
-  MethodVelocityParse() {
-    (
-      this.getDeclaringType().getASupertype*() instanceof TypeVelocityRuntimeRuntimeSingleton or
-      this.getDeclaringType().getASupertype*() instanceof TypeVelocityRuntimeRuntimeServices
-    ) and
-    this.hasName("parse")
-  }
-}
-
-/** The `putStringResource` method of the Velocity Templating Engine. */
-class MethodVelocityPutStringResource extends Method {
-  MethodVelocityPutStringResource() {
-    this.getDeclaringType().getASupertype*() instanceof TypeVelocityStringResourceRepo and
-    this.hasName("putStringResource")
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class VelocitySummaryModels extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.apache.velocity.context;AbstractContext;true;put;;;Argument[1];Argument[-1];taint;manual",
+        "org.apache.velocity.context;AbstractContext;true;internalPut;;;Argument[1];Argument[-1];taint;manual",
+      ]
   }
 }

java/ql/lib/semmle/code/java/frameworks/JinJava.qll

@@ -0,0 +1,106 @@
+/** Definitions related to the server-side template injection (SST) query. */
+
+import java
+private import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.TaintTracking
+
+/**
+ * A source for server-side template injection (SST) vulnerabilities.
+ */
+abstract class TemplateInjectionSource extends DataFlow::Node {
+  /** Holds if this source has the specified `state`. */
+  predicate hasState(DataFlow::FlowState state) { state instanceof DataFlow::FlowStateEmpty }
+}
+
+/**
+ * A sink for server-side template injection (SST) vulnerabilities.
+ */
+abstract class TemplateInjectionSink extends DataFlow::Node {
+  /** Holds if this sink has the specified `state`. */
+  predicate hasState(DataFlow::FlowState state) { state instanceof DataFlow::FlowStateEmpty }
+}
+
+/**
+ * A unit class for adding additional taint steps.
+ *
+ * Extend this class to add additional taint steps that should apply to flows related to
+ * server-side template injection (SST) vulnerabilities.
+ */
+class TemplateInjectionAdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step for flows related to server-side template injection (SST) vulnerabilities.
+   */
+  predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
+
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step for flows related toserver-side template injection (SST) vulnerabilities.
+   * This step is only applicable in `state1` and updates the flow state to `state2`.
+   */
+  predicate isAdditionalTaintStep(
+    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
+    DataFlow::FlowState state2
+  ) {
+    none()
+  }
+}
+
+/**
+ * A sanitizer for server-side template injection (SST) vulnerabilities.
+ */
+abstract class TemplateInjectionSanitizer extends DataFlow::Node {
+  /** Holds if this sanitizer has the specified `state`. */
+  predicate hasState(DataFlow::FlowState state) { state instanceof DataFlow::FlowStateEmpty }
+}
+
+private class DefaultTemplateInjectionSource extends TemplateInjectionSource instanceof RemoteFlowSource {
+}
+
+private class DefaultTemplateInjectionSink extends TemplateInjectionSink {
+  DefaultTemplateInjectionSink() { sinkNode(this, "ssti") }
+}
+
+private class DefaultTemplateInjectionSanitizer extends TemplateInjectionSanitizer {
+  DefaultTemplateInjectionSanitizer() {
+    this.getType() instanceof PrimitiveType or
+    this.getType() instanceof BoxedType or
+    this.getType() instanceof NumericType
+  }
+}
+
+private class TemplateInjectionSinkModels extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "freemarker.template;Template;true;process;;;Argument[0];ssti;manual",
+        "freemarker.template;Template;true;Template;(String,Reader);;Argument[1];ssti;manual",
+        "freemarker.template;Template;true;Template;(String,Reader,Configuration);;Argument[1];ssti;manual",
+        "freemarker.template;Template;true;Template;(String,Reader,Configuration,String);;Argument[1];ssti;manual",
+        "freemarker.template;Template;true;Template;(String,String,Reader,Configuration);;Argument[2];ssti;manual",
+        "freemarker.template;Template;true;Template;(String,String,Reader,Configuration,String);;Argument[2];ssti;manual",
+        "freemarker.template;Template;true;Template;(String,String,Reader,Configuration,ParserConfiguration,String);;Argument[2];ssti;manual",
+        "freemarker.template;Template;true;Template;(String,String,Configuration);;Argument[1];ssti;manual",
+        "freemarker.cache;StringTemplateLoader;true;putTemplate;;;Argument[1];ssti;manual",
+        "com.mitchellbosecke.pebble;PebbleEngine;true;getTemplate;;;Argument[0];ssti;manual",
+        "com.mitchellbosecke.pebble;PebbleEngine;true;getLiteralTemplate;;;Argument[0];ssti;manual",
+        "com.hubspot.jinjava;Jinjava;true;renderForResult;;;Argument[0];ssti;manual",
+        "com.hubspot.jinjava;Jinjava;true;render;;;Argument[0];ssti;manual",
+        "org.thymeleaf;ITemplateEngine;true;process;;;Argument[0];ssti;manual",
+        "org.thymeleaf;ITemplateEngine;true;processThrottled;;;Argument[0];ssti;manual",
+        "org.apache.velocity.app;Velocity;true;evaluate;;;Argument[0];ssti;manual",
+        "org.apache.velocity.app;Velocity;true;evaluate;;;Argument[3];ssti;manual",
+        "org.apache.velocity,app;VelocityEngine;true;evaluate;;;Argument[0];ssti;manual",
+        "org.apache.velocity,app;VelocityEngine;true;evaluate;;;Argument[3];ssti;manual",
+        "org.apache.velocity.app;Velocity;true;mergeTemplate;;;Argument[2];ssti;manual",
+        "org.apache.velocity.app;VelocityEngine;true;mergeTemplate;;;Argument[2];ssti;manual",
+        "org.apache.velocity.runtime.resource.util;StringResourceRepository;true;putStringResource;;;Argument[1];ssti;manual",
+        "org.apache.velocity.runtime;RuntimeServices;true;evaluate;;;Argument[0];ssti;manual",
+        "org.apache.velocity.runtime;RuntimeServices;true;evaluate;;;Argument[3];ssti;manual",
+        "org.apache.velocity.runtime;RuntimeServices;true;parse;;;Argument[0];ssti;manual",
+        "org.apache.velocity.runtime;RuntimeSingleton;true;parse;;;Argument[0];ssti;manual",
+        "org.apache.velocity;Template;true;merge;;;Argument[0];ssti;manual"
+      ]
+  }
+}

java/ql/lib/semmle/code/java/frameworks/Pebble.qll

@@ -0,0 +1,40 @@
+/** Provides a taint tracking configuration for server-side template injection (SST) vulnerabilities */
+
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.TemplateInjection
+
+/** A taint tracking configuration to reason about server-side template injection (SST) vulnerabilities */
+class TemplateInjectionFlowConfig extends TaintTracking::Configuration {
+  TemplateInjectionFlowConfig() { this = "TemplateInjectionFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { this.isSource(source, _) }
+
+  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
+    source.(TemplateInjectionSource).hasState(state)
+  }
+
+  override predicate isSink(DataFlow::Node sink) { this.isSink(sink, _) }
+
+  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
+    sink.(TemplateInjectionSink).hasState(state)
+  }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) { this.isSanitizer(sanitizer, _) }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer, DataFlow::FlowState state) {
+    sanitizer.(TemplateInjectionSanitizer).hasState(state)
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(TemplateInjectionAdditionalTaintStep a).isAdditionalTaintStep(node1, node2)
+  }
+
+  override predicate isAdditionalTaintStep(
+    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
+    DataFlow::FlowState state2
+  ) {
+    any(TemplateInjectionAdditionalTaintStep a).isAdditionalTaintStep(node1, state1, node2, state2)
+  }
+}