diff --git a/.codeqlmanifest.json b/.codeqlmanifest.json index 3025e97..aab4596 100644 --- a/.codeqlmanifest.json +++ b/.codeqlmanifest.json @@ -1,6 +1,7 @@ { "provide": [ "cpp/*/qlpack.yml", - "go/*/qlpack.yml" + "go/*/qlpack.yml", + "java/*/qlpack.yml" ] } \ No newline at end of file diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 64f84ba..458e78e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -16,3 +16,4 @@ jobs: run: | ${{ steps.init.outputs.codeql-path }} test run ./cpp/test/ ${{ steps.init.outputs.codeql-path }} test run ./go/test/ + ${{ steps.init.outputs.codeql-path }} test run ./java/test/ diff --git a/README.md b/README.md index 91024e9..559efba 100644 --- a/README.md +++ b/README.md @@ -66,6 +66,14 @@ codeql database analyze database.db --format=sarif-latest --output=./tob.sarif - |[Missing MinVersion in tls.Config](./go/src/docs/security/MissingMinVersionTLS/MissingMinVersionTLS.md)|This rule finds cases when you do not set the `tls.Config.MinVersion` explicitly for servers. By default version 1.0 is used, which is considered insecure. This rule does not mark explicitly set insecure versions|error|medium| |[Trim functions misuse](./go/src/docs/security/TrimMisuse/TrimMisuse.md)|Finds calls to `string.{Trim,TrimLeft,TrimRight}` with the 2nd argument not being a cutset but a continuous substring to be trimmed|error|low| +### Java-kotlin + +#### Security + +| Name | Description | Severity | Precision | +| --- | ----------- | :----: | :--------: | +|[Recursive functions](./java-kotlin/src/docs/security/Recursion/Recursion.md)|Detects recursive calls|warning|low| + ## Query suites CodeQL queries are grouped into "suites". To execute queries from a specific suit add its name after a colon: `trailofbits/cpp-queries:codeql-suites/tob-cpp-full.qls`. @@ -89,7 +97,7 @@ echo "--search-path '$PWD/codeql-queries'" > "${HOME}/.config/codeql/config" Check that CodeQL CLI detects the new qlpacks: ```sh -codeql resolve qlpacks | grep trailofbits +codeql resolve packs | grep trailofbits ``` #### Before committing @@ -99,6 +107,7 @@ Run tests: cd codeql-queries codeql test run ./cpp/test codeql test run ./go/test +codeql test run ./java/test ``` Update dependencies: @@ -115,4 +124,5 @@ Generate markdown query help files ```sh codeql generate query-help ./cpp/src/ --format=markdown --output ./cpp/src/docs codeql generate query-help ./go/src/ --format=markdown --output ./go/src/docs +codeql generate query-help ./java/src/ --format=markdown --output ./java/src/docs ``` diff --git a/java/src/codeql-pack.lock.yml b/java/src/codeql-pack.lock.yml new file mode 100644 index 0000000..b1acfc0 --- /dev/null +++ b/java/src/codeql-pack.lock.yml @@ -0,0 +1,28 @@ +--- +lockVersion: 1.0.0 +dependencies: + codeql/dataflow: + version: 1.1.5 + codeql/java-all: + version: 4.2.0 + codeql/mad: + version: 1.0.11 + codeql/rangeanalysis: + version: 1.0.11 + codeql/regex: + version: 1.0.11 + codeql/ssa: + version: 1.0.11 + codeql/threat-models: + version: 1.0.11 + codeql/tutorial: + version: 1.0.11 + codeql/typeflow: + version: 1.0.11 + codeql/typetracking: + version: 1.0.11 + codeql/util: + version: 1.0.11 + codeql/xml: + version: 1.0.11 +compiled: false diff --git a/java/src/codeql-suites/tob-java-code-scanning.qls b/java/src/codeql-suites/tob-java-code-scanning.qls new file mode 100644 index 0000000..4dfa3a7 --- /dev/null +++ b/java/src/codeql-suites/tob-java-code-scanning.qls @@ -0,0 +1,5 @@ +- description: Security queries for Java +- queries: 'security' + from: trailofbits/java-queries +- exclude: + tags contain: experimental \ No newline at end of file diff --git a/java/src/codeql-suites/tob-java-full.qls b/java/src/codeql-suites/tob-java-full.qls new file mode 100644 index 0000000..3501bec --- /dev/null +++ b/java/src/codeql-suites/tob-java-full.qls @@ -0,0 +1,3 @@ +- description: Queries for Java +- queries: '.' + from: trailofbits/java-queries \ No newline at end of file diff --git a/java/src/docs/security/Recursion/Recursion.md b/java/src/docs/security/Recursion/Recursion.md new file mode 100644 index 0000000..60fb228 --- /dev/null +++ b/java/src/docs/security/Recursion/Recursion.md @@ -0,0 +1,39 @@ +# Recursive functions +Recursive functions are methods that call themselves either directly or indirectly through other functions. While recursion can be a powerful programming technique, unbounded recursion on user inputs can lead to stack overflow errors and program crashes, potentially enabling denial of service attacks. This query detects recursive patterns up to order 4. + + +## Recommendation +Review recursive functions and ensure that they are either: - Not processing user-controlled data - The data has been properly sanitized before recursing - The recursion has an explicit depth limit + +Consider replacing recursion with iterative alternatives where possible. + + +## Example + +```java +// From https://github.com/x-stream/xstream/blob/dfa1d35462fe84412ee72a9b0cf5b5c633086520/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java#L165 +private Token readToken() { + // ... + try { + final Token token = tokenFormatter.read(in); + switch (token.getType()) { + case Token.TYPE_MAP_ID_TO_VALUE: // 0x2 + idRegistry.put(token.getId(), token.getValue()); + return readToken(); // Next one please. + default: + return token; + } + } catch (final IOException e) { + throw new StreamException(e); + } + // ... +} +``` +In this example, a binary stream reader processes tokens recursively. + +For each new token \`0x2\`, the parser will create a new recursive call. If this stream is user-controlled, an attacker can generate too many stackframes and crash the application with a `StackOverflow` error. + + +## References +* Trail Of Bits white paper: [Input-Driven Recursion](https://resources.trailofbits.com/input-driven-recursion-white-paper) +* CWE-674: [Uncontrolled Recursion](https://cwe.mitre.org/data/definitions/674.html) diff --git a/java/src/qlpack.yml b/java/src/qlpack.yml new file mode 100644 index 0000000..0ec638e --- /dev/null +++ b/java/src/qlpack.yml @@ -0,0 +1,12 @@ +--- +name: trailofbits/java-queries +description: CodeQL queries for Java developed by Trail of Bits +authors: Trail of Bits +version: 0.0.1 +license: AGPL +library: false +extractor: java-kotlin +dependencies: + codeql/java-all: "*" +suites: codeql-suites +defaultSuiteFile: codeql-suites/tob-java-code-scanning.qls diff --git a/java/src/security/Recursion/Recursion.qhelp b/java/src/security/Recursion/Recursion.qhelp new file mode 100644 index 0000000..78bd881 --- /dev/null +++ b/java/src/security/Recursion/Recursion.qhelp @@ -0,0 +1,39 @@ + + + +

+ Recursive functions are methods that call themselves either directly or indirectly through other functions. + While recursion can be a powerful programming technique, unbounded recursion on user inputs can lead + to stack overflow errors and program crashes, potentially enabling denial of service attacks. + + This query detects recursive patterns up to order 4. +

+ +
+ +

+ Review recursive functions and ensure that they are either: + - Not processing user-controlled data + - The data has been properly sanitized before recursing + - The recursion has an explicit depth limit +

+

+ Consider replacing recursion with iterative alternatives where possible. +

+
+ + +

In this example, a binary stream reader processes tokens recursively.

+

For each new token `0x2`, the parser will create a new recursive call. + If this stream is user-controlled, an attacker can generate too many stackframes + and crash the application with a StackOverflow error.

+
+ +
  • + Trail Of Bits white paper: Input-Driven Recursion +
  • +
  • + CWE-674: Uncontrolled Recursion +
  • +
    +
    \ No newline at end of file diff --git a/java/src/security/Recursion/Recursion.ql b/java/src/security/Recursion/Recursion.ql new file mode 100644 index 0000000..453da8f --- /dev/null +++ b/java/src/security/Recursion/Recursion.ql @@ -0,0 +1,81 @@ +/** + * @name Recursive functions + * @id tob/java/unbounded-recursion + * @description Detects possibly unbounded recursive calls + * @kind path-problem + * @tags security + * @precision low + * @problem.severity warning + * @security-severity 3.0 + * @group security + */ + +import java +import semmle.code.java.dataflow.DataFlow + +predicate isTestPackage(RefType referenceType) { + referenceType.getPackage().getName().toLowerCase().matches("%test%") or + referenceType.getPackage().getName().toLowerCase().matches("%benchmark%") or + referenceType.getName().toLowerCase().matches("%test%") +} + +class RecursionSource extends Method { + RecursionSource() { + not isTestPackage(this.getDeclaringType()) and + this.calls+(this) + } +} + +/** + * Check if the Expr uses directly an argument of the enclosing function + */ +class ParameterOperation extends Expr { + ParameterOperation() { + (this instanceof BinaryExpr or this instanceof UnaryAssignExpr) and + exists(VarAccess va | va.getVariable() = this.getEnclosingCallable().getAParameter() | + this.getAChildExpr+() = va + ) + } +} + +module RecursiveConfig implements DataFlow::StateConfigSig { + class FlowState = Method; + + predicate isSource(DataFlow::Node node, FlowState firstMethod) { + node.asExpr().(MethodCall).getCallee() instanceof RecursionSource and + firstMethod = node.asExpr().(MethodCall).getCallee() + } + + predicate isSink(DataFlow::Node node, FlowState firstMethod) { + node.asExpr().(MethodCall).getCallee().calls(firstMethod) and + firstMethod.calls+(node.asExpr().(MethodCall).getCaller()) + } + + predicate isBarrier(DataFlow::Node node) { + exists(MethodCall ma | + ma = node.asExpr() and + exists(Expr e | e = ma.getAnArgument() and e instanceof ParameterOperation) + ) + } + // /** + // * Weird but useful deduplication logic + // */ + // predicate isBarrierOut(DataFlow::Node node, FlowState state) { + // node.asExpr().(MethodCall).getCallee().getName() > state.getName() + // } +} + +module RecursiveFlow = DataFlow::GlobalWithState; + +import RecursiveFlow::PathGraph + +/* + * TODO: This query could be improved with the following ideas: + * - limit results to methods that take any user input + * - do not return methods that have calls to self (or unbounded recursion) that are conditional + * - gather and print whole call graph (list of calls from recursiveMethod to itself) + */ + +from RecursiveFlow::PathNode source, RecursiveFlow::PathNode sink +where RecursiveFlow::flowPath(source, sink) +select sink.getNode(), source, sink, "Found a recursion: " diff --git a/java/src/security/Recursion/RecursiveCall.java b/java/src/security/Recursion/RecursiveCall.java new file mode 100644 index 0000000..62ad4b4 --- /dev/null +++ b/java/src/security/Recursion/RecursiveCall.java @@ -0,0 +1,17 @@ +// From https://github.com/x-stream/xstream/blob/dfa1d35462fe84412ee72a9b0cf5b5c633086520/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java#L165 +private Token readToken() { + // ... + try { + final Token token = tokenFormatter.read(in); + switch (token.getType()) { + case Token.TYPE_MAP_ID_TO_VALUE: // 0x2 + idRegistry.put(token.getId(), token.getValue()); + return readToken(); // Next one please. + default: + return token; + } + } catch (final IOException e) { + throw new StreamException(e); + } + // ... +} \ No newline at end of file diff --git a/java/test/codeql-pack.lock.yml b/java/test/codeql-pack.lock.yml new file mode 100644 index 0000000..b1acfc0 --- /dev/null +++ b/java/test/codeql-pack.lock.yml @@ -0,0 +1,28 @@ +--- +lockVersion: 1.0.0 +dependencies: + codeql/dataflow: + version: 1.1.5 + codeql/java-all: + version: 4.2.0 + codeql/mad: + version: 1.0.11 + codeql/rangeanalysis: + version: 1.0.11 + codeql/regex: + version: 1.0.11 + codeql/ssa: + version: 1.0.11 + codeql/threat-models: + version: 1.0.11 + codeql/tutorial: + version: 1.0.11 + codeql/typeflow: + version: 1.0.11 + codeql/typetracking: + version: 1.0.11 + codeql/util: + version: 1.0.11 + codeql/xml: + version: 1.0.11 +compiled: false diff --git a/java/test/qlpack.yml b/java/test/qlpack.yml new file mode 100644 index 0000000..a49c548 --- /dev/null +++ b/java/test/qlpack.yml @@ -0,0 +1,8 @@ +--- +name: trailofbits/java-tests +authors: Trail of Bits +license: AGPL +extractor: java-kotlin +tests: . +dependencies: + trailofbits/java-queries: "*" diff --git a/java/test/query-tests/security/Recursion/Recursion.expected b/java/test/query-tests/security/Recursion/Recursion.expected new file mode 100644 index 0000000..c3ffca1 --- /dev/null +++ b/java/test/query-tests/security/Recursion/Recursion.expected @@ -0,0 +1,148 @@ +edges +| Recursion.java:57:24:57:34 | readToken(...) : Token | Recursion.java:57:24:57:34 | readToken(...) | provenance | | +| Recursion.java:57:24:57:34 | readToken(...) : Token | Recursion.java:57:24:57:34 | readToken(...) : Token | provenance | | +| Recursion.java:71:29:71:33 | foo(...) : Boolean | Recursion.java:72:16:72:24 | fooResult : Boolean | provenance | | +| Recursion.java:71:29:71:33 | foo(...) : Boolean | Recursion.java:72:16:72:24 | fooResult : Boolean | provenance | | +| Recursion.java:72:16:72:24 | fooResult : Boolean | Recursion.java:76:16:76:20 | bar(...) | provenance | | +| Recursion.java:72:16:72:24 | fooResult : Boolean | Recursion.java:76:16:76:20 | bar(...) : Boolean | provenance | | +| Recursion.java:72:16:72:24 | fooResult : Boolean | Recursion.java:76:16:76:20 | bar(...) : Boolean | provenance | | +| Recursion.java:76:16:76:20 | bar(...) : Boolean | Recursion.java:71:29:71:33 | foo(...) | provenance | | +| Recursion.java:76:16:76:20 | bar(...) : Boolean | Recursion.java:71:29:71:33 | foo(...) : Boolean | provenance | | +| Recursion.java:76:16:76:20 | bar(...) : Boolean | Recursion.java:71:29:71:33 | foo(...) : Boolean | provenance | | +| Recursion.java:81:16:81:32 | directRecursive(...) : Boolean | Recursion.java:81:16:81:32 | directRecursive(...) | provenance | | +| Recursion.java:81:16:81:32 | directRecursive(...) : Boolean | Recursion.java:81:16:81:32 | directRecursive(...) : Boolean | provenance | | +| Recursion.java:89:16:89:23 | level1(...) : Boolean | Recursion.java:101:16:101:23 | level0(...) | provenance | | +| Recursion.java:89:16:89:23 | level1(...) : Boolean | Recursion.java:101:16:101:23 | level0(...) : Boolean | provenance | | +| Recursion.java:89:16:89:23 | level1(...) : Boolean | Recursion.java:101:16:101:23 | level0(...) : Boolean | provenance | | +| Recursion.java:89:16:89:23 | level1(...) : Boolean | Recursion.java:101:16:101:23 | level0(...) : Boolean | provenance | | +| Recursion.java:95:16:95:23 | level2(...) : Boolean | Recursion.java:89:16:89:23 | level1(...) | provenance | | +| Recursion.java:95:16:95:23 | level2(...) : Boolean | Recursion.java:89:16:89:23 | level1(...) : Boolean | provenance | | +| Recursion.java:95:16:95:23 | level2(...) : Boolean | Recursion.java:89:16:89:23 | level1(...) : Boolean | provenance | | +| Recursion.java:95:16:95:23 | level2(...) : Boolean | Recursion.java:89:16:89:23 | level1(...) : Boolean | provenance | | +| Recursion.java:101:16:101:23 | level0(...) : Boolean | Recursion.java:95:16:95:23 | level2(...) | provenance | | +| Recursion.java:101:16:101:23 | level0(...) : Boolean | Recursion.java:95:16:95:23 | level2(...) : Boolean | provenance | | +| Recursion.java:101:16:101:23 | level0(...) : Boolean | Recursion.java:95:16:95:23 | level2(...) : Boolean | provenance | | +| Recursion.java:101:16:101:23 | level0(...) : Boolean | Recursion.java:95:16:95:23 | level2(...) : Boolean | provenance | | +| Recursion.java:116:20:116:27 | level1(...) : Boolean | Recursion.java:130:16:130:23 | level0(...) | provenance | | +| Recursion.java:116:20:116:27 | level1(...) : Boolean | Recursion.java:130:16:130:23 | level0(...) | provenance | | +| Recursion.java:116:20:116:27 | level1(...) : Boolean | Recursion.java:130:16:130:23 | level0(...) : Boolean | provenance | | +| Recursion.java:116:20:116:27 | level1(...) : Boolean | Recursion.java:130:16:130:23 | level0(...) : Boolean | provenance | | +| Recursion.java:116:20:116:27 | level1(...) : Boolean | Recursion.java:130:16:130:23 | level0(...) : Boolean | provenance | | +| Recursion.java:118:16:118:23 | level2(...) : Boolean | Recursion.java:130:16:130:23 | level0(...) | provenance | | +| Recursion.java:118:16:118:23 | level2(...) : Boolean | Recursion.java:130:16:130:23 | level0(...) | provenance | | +| Recursion.java:118:16:118:23 | level2(...) : Boolean | Recursion.java:130:16:130:23 | level0(...) : Boolean | provenance | | +| Recursion.java:118:16:118:23 | level2(...) : Boolean | Recursion.java:130:16:130:23 | level0(...) : Boolean | provenance | | +| Recursion.java:118:16:118:23 | level2(...) : Boolean | Recursion.java:130:16:130:23 | level0(...) : Boolean | provenance | | +| Recursion.java:124:16:124:23 | level2(...) : Boolean | Recursion.java:116:20:116:27 | level1(...) | provenance | | +| Recursion.java:124:16:124:23 | level2(...) : Boolean | Recursion.java:116:20:116:27 | level1(...) : Boolean | provenance | | +| Recursion.java:124:16:124:23 | level2(...) : Boolean | Recursion.java:116:20:116:27 | level1(...) : Boolean | provenance | | +| Recursion.java:124:16:124:23 | level2(...) : Boolean | Recursion.java:116:20:116:27 | level1(...) : Boolean | provenance | | +| Recursion.java:124:16:124:23 | level2(...) : Boolean | Recursion.java:128:20:128:27 | level1(...) | provenance | | +| Recursion.java:124:16:124:23 | level2(...) : Boolean | Recursion.java:128:20:128:27 | level1(...) : Boolean | provenance | | +| Recursion.java:124:16:124:23 | level2(...) : Boolean | Recursion.java:128:20:128:27 | level1(...) : Boolean | provenance | | +| Recursion.java:124:16:124:23 | level2(...) : Boolean | Recursion.java:128:20:128:27 | level1(...) : Boolean | provenance | | +| Recursion.java:128:20:128:27 | level1(...) : Boolean | Recursion.java:118:16:118:23 | level2(...) | provenance | | +| Recursion.java:128:20:128:27 | level1(...) : Boolean | Recursion.java:118:16:118:23 | level2(...) | provenance | | +| Recursion.java:128:20:128:27 | level1(...) : Boolean | Recursion.java:118:16:118:23 | level2(...) : Boolean | provenance | | +| Recursion.java:128:20:128:27 | level1(...) : Boolean | Recursion.java:118:16:118:23 | level2(...) : Boolean | provenance | | +| Recursion.java:128:20:128:27 | level1(...) : Boolean | Recursion.java:118:16:118:23 | level2(...) : Boolean | provenance | | +| Recursion.java:128:20:128:27 | level1(...) : Boolean | Recursion.java:124:16:124:23 | level2(...) | provenance | | +| Recursion.java:128:20:128:27 | level1(...) : Boolean | Recursion.java:124:16:124:23 | level2(...) | provenance | | +| Recursion.java:128:20:128:27 | level1(...) : Boolean | Recursion.java:124:16:124:23 | level2(...) : Boolean | provenance | | +| Recursion.java:128:20:128:27 | level1(...) : Boolean | Recursion.java:124:16:124:23 | level2(...) : Boolean | provenance | | +| Recursion.java:128:20:128:27 | level1(...) : Boolean | Recursion.java:124:16:124:23 | level2(...) : Boolean | provenance | | +| Recursion.java:130:16:130:23 | level0(...) : Boolean | Recursion.java:118:16:118:23 | level2(...) | provenance | | +| Recursion.java:130:16:130:23 | level0(...) : Boolean | Recursion.java:118:16:118:23 | level2(...) | provenance | | +| Recursion.java:130:16:130:23 | level0(...) : Boolean | Recursion.java:118:16:118:23 | level2(...) : Boolean | provenance | | +| Recursion.java:130:16:130:23 | level0(...) : Boolean | Recursion.java:118:16:118:23 | level2(...) : Boolean | provenance | | +| Recursion.java:130:16:130:23 | level0(...) : Boolean | Recursion.java:118:16:118:23 | level2(...) : Boolean | provenance | | +| Recursion.java:130:16:130:23 | level0(...) : Boolean | Recursion.java:124:16:124:23 | level2(...) | provenance | | +| Recursion.java:130:16:130:23 | level0(...) : Boolean | Recursion.java:124:16:124:23 | level2(...) | provenance | | +| Recursion.java:130:16:130:23 | level0(...) : Boolean | Recursion.java:124:16:124:23 | level2(...) : Boolean | provenance | | +| Recursion.java:130:16:130:23 | level0(...) : Boolean | Recursion.java:124:16:124:23 | level2(...) : Boolean | provenance | | +| Recursion.java:130:16:130:23 | level0(...) : Boolean | Recursion.java:124:16:124:23 | level2(...) : Boolean | provenance | | +| Recursion.java:148:16:148:54 | directRecursiveNoDepth(...) : Boolean | Recursion.java:148:16:148:54 | directRecursiveNoDepth(...) | provenance | | +| Recursion.java:148:16:148:54 | directRecursiveNoDepth(...) : Boolean | Recursion.java:148:16:148:54 | directRecursiveNoDepth(...) : Boolean | provenance | | +| Recursion.java:177:16:177:47 | directRecLocalFlow(...) : Boolean | Recursion.java:177:16:177:47 | directRecLocalFlow(...) | provenance | | +| Recursion.java:177:16:177:47 | directRecLocalFlow(...) : Boolean | Recursion.java:177:16:177:47 | directRecLocalFlow(...) : Boolean | provenance | | +nodes +| Recursion.java:57:24:57:34 | readToken(...) | semmle.label | readToken(...) | +| Recursion.java:57:24:57:34 | readToken(...) : Token | semmle.label | readToken(...) : Token | +| Recursion.java:71:29:71:33 | foo(...) | semmle.label | foo(...) | +| Recursion.java:71:29:71:33 | foo(...) : Boolean | semmle.label | foo(...) : Boolean | +| Recursion.java:71:29:71:33 | foo(...) : Boolean | semmle.label | foo(...) : Boolean | +| Recursion.java:72:16:72:24 | fooResult : Boolean | semmle.label | fooResult : Boolean | +| Recursion.java:72:16:72:24 | fooResult : Boolean | semmle.label | fooResult : Boolean | +| Recursion.java:76:16:76:20 | bar(...) | semmle.label | bar(...) | +| Recursion.java:76:16:76:20 | bar(...) : Boolean | semmle.label | bar(...) : Boolean | +| Recursion.java:76:16:76:20 | bar(...) : Boolean | semmle.label | bar(...) : Boolean | +| Recursion.java:81:16:81:32 | directRecursive(...) | semmle.label | directRecursive(...) | +| Recursion.java:81:16:81:32 | directRecursive(...) : Boolean | semmle.label | directRecursive(...) : Boolean | +| Recursion.java:89:16:89:23 | level1(...) | semmle.label | level1(...) | +| Recursion.java:89:16:89:23 | level1(...) : Boolean | semmle.label | level1(...) : Boolean | +| Recursion.java:89:16:89:23 | level1(...) : Boolean | semmle.label | level1(...) : Boolean | +| Recursion.java:89:16:89:23 | level1(...) : Boolean | semmle.label | level1(...) : Boolean | +| Recursion.java:95:16:95:23 | level2(...) | semmle.label | level2(...) | +| Recursion.java:95:16:95:23 | level2(...) : Boolean | semmle.label | level2(...) : Boolean | +| Recursion.java:95:16:95:23 | level2(...) : Boolean | semmle.label | level2(...) : Boolean | +| Recursion.java:95:16:95:23 | level2(...) : Boolean | semmle.label | level2(...) : Boolean | +| Recursion.java:101:16:101:23 | level0(...) | semmle.label | level0(...) | +| Recursion.java:101:16:101:23 | level0(...) : Boolean | semmle.label | level0(...) : Boolean | +| Recursion.java:101:16:101:23 | level0(...) : Boolean | semmle.label | level0(...) : Boolean | +| Recursion.java:101:16:101:23 | level0(...) : Boolean | semmle.label | level0(...) : Boolean | +| Recursion.java:116:20:116:27 | level1(...) | semmle.label | level1(...) | +| Recursion.java:116:20:116:27 | level1(...) : Boolean | semmle.label | level1(...) : Boolean | +| Recursion.java:116:20:116:27 | level1(...) : Boolean | semmle.label | level1(...) : Boolean | +| Recursion.java:116:20:116:27 | level1(...) : Boolean | semmle.label | level1(...) : Boolean | +| Recursion.java:118:16:118:23 | level2(...) | semmle.label | level2(...) | +| Recursion.java:118:16:118:23 | level2(...) | semmle.label | level2(...) | +| Recursion.java:118:16:118:23 | level2(...) : Boolean | semmle.label | level2(...) : Boolean | +| Recursion.java:118:16:118:23 | level2(...) : Boolean | semmle.label | level2(...) : Boolean | +| Recursion.java:118:16:118:23 | level2(...) : Boolean | semmle.label | level2(...) : Boolean | +| Recursion.java:124:16:124:23 | level2(...) | semmle.label | level2(...) | +| Recursion.java:124:16:124:23 | level2(...) | semmle.label | level2(...) | +| Recursion.java:124:16:124:23 | level2(...) : Boolean | semmle.label | level2(...) : Boolean | +| Recursion.java:124:16:124:23 | level2(...) : Boolean | semmle.label | level2(...) : Boolean | +| Recursion.java:124:16:124:23 | level2(...) : Boolean | semmle.label | level2(...) : Boolean | +| Recursion.java:128:20:128:27 | level1(...) | semmle.label | level1(...) | +| Recursion.java:128:20:128:27 | level1(...) : Boolean | semmle.label | level1(...) : Boolean | +| Recursion.java:128:20:128:27 | level1(...) : Boolean | semmle.label | level1(...) : Boolean | +| Recursion.java:128:20:128:27 | level1(...) : Boolean | semmle.label | level1(...) : Boolean | +| Recursion.java:130:16:130:23 | level0(...) | semmle.label | level0(...) | +| Recursion.java:130:16:130:23 | level0(...) | semmle.label | level0(...) | +| Recursion.java:130:16:130:23 | level0(...) : Boolean | semmle.label | level0(...) : Boolean | +| Recursion.java:130:16:130:23 | level0(...) : Boolean | semmle.label | level0(...) : Boolean | +| Recursion.java:130:16:130:23 | level0(...) : Boolean | semmle.label | level0(...) : Boolean | +| Recursion.java:148:16:148:54 | directRecursiveNoDepth(...) | semmle.label | directRecursiveNoDepth(...) | +| Recursion.java:148:16:148:54 | directRecursiveNoDepth(...) : Boolean | semmle.label | directRecursiveNoDepth(...) : Boolean | +| Recursion.java:177:16:177:47 | directRecLocalFlow(...) | semmle.label | directRecLocalFlow(...) | +| Recursion.java:177:16:177:47 | directRecLocalFlow(...) : Boolean | semmle.label | directRecLocalFlow(...) : Boolean | +subpaths +#select +| Recursion.java:57:24:57:34 | readToken(...) | Recursion.java:57:24:57:34 | readToken(...) | Recursion.java:57:24:57:34 | readToken(...) | Found a recursion: | +| Recursion.java:57:24:57:34 | readToken(...) | Recursion.java:57:24:57:34 | readToken(...) : Token | Recursion.java:57:24:57:34 | readToken(...) | Found a recursion: | +| Recursion.java:71:29:71:33 | foo(...) | Recursion.java:76:16:76:20 | bar(...) : Boolean | Recursion.java:71:29:71:33 | foo(...) | Found a recursion: | +| Recursion.java:76:16:76:20 | bar(...) | Recursion.java:71:29:71:33 | foo(...) : Boolean | Recursion.java:76:16:76:20 | bar(...) | Found a recursion: | +| Recursion.java:81:16:81:32 | directRecursive(...) | Recursion.java:81:16:81:32 | directRecursive(...) | Recursion.java:81:16:81:32 | directRecursive(...) | Found a recursion: | +| Recursion.java:81:16:81:32 | directRecursive(...) | Recursion.java:81:16:81:32 | directRecursive(...) : Boolean | Recursion.java:81:16:81:32 | directRecursive(...) | Found a recursion: | +| Recursion.java:89:16:89:23 | level1(...) | Recursion.java:95:16:95:23 | level2(...) : Boolean | Recursion.java:89:16:89:23 | level1(...) | Found a recursion: | +| Recursion.java:95:16:95:23 | level2(...) | Recursion.java:101:16:101:23 | level0(...) : Boolean | Recursion.java:95:16:95:23 | level2(...) | Found a recursion: | +| Recursion.java:101:16:101:23 | level0(...) | Recursion.java:89:16:89:23 | level1(...) : Boolean | Recursion.java:101:16:101:23 | level0(...) | Found a recursion: | +| Recursion.java:116:20:116:27 | level1(...) | Recursion.java:118:16:118:23 | level2(...) : Boolean | Recursion.java:116:20:116:27 | level1(...) | Found a recursion: | +| Recursion.java:116:20:116:27 | level1(...) | Recursion.java:124:16:124:23 | level2(...) : Boolean | Recursion.java:116:20:116:27 | level1(...) | Found a recursion: | +| Recursion.java:118:16:118:23 | level2(...) | Recursion.java:116:20:116:27 | level1(...) : Boolean | Recursion.java:118:16:118:23 | level2(...) | Found a recursion: | +| Recursion.java:118:16:118:23 | level2(...) | Recursion.java:128:20:128:27 | level1(...) : Boolean | Recursion.java:118:16:118:23 | level2(...) | Found a recursion: | +| Recursion.java:118:16:118:23 | level2(...) | Recursion.java:130:16:130:23 | level0(...) : Boolean | Recursion.java:118:16:118:23 | level2(...) | Found a recursion: | +| Recursion.java:124:16:124:23 | level2(...) | Recursion.java:116:20:116:27 | level1(...) : Boolean | Recursion.java:124:16:124:23 | level2(...) | Found a recursion: | +| Recursion.java:124:16:124:23 | level2(...) | Recursion.java:128:20:128:27 | level1(...) : Boolean | Recursion.java:124:16:124:23 | level2(...) | Found a recursion: | +| Recursion.java:124:16:124:23 | level2(...) | Recursion.java:130:16:130:23 | level0(...) : Boolean | Recursion.java:124:16:124:23 | level2(...) | Found a recursion: | +| Recursion.java:128:20:128:27 | level1(...) | Recursion.java:118:16:118:23 | level2(...) : Boolean | Recursion.java:128:20:128:27 | level1(...) | Found a recursion: | +| Recursion.java:128:20:128:27 | level1(...) | Recursion.java:124:16:124:23 | level2(...) : Boolean | Recursion.java:128:20:128:27 | level1(...) | Found a recursion: | +| Recursion.java:130:16:130:23 | level0(...) | Recursion.java:116:20:116:27 | level1(...) : Boolean | Recursion.java:130:16:130:23 | level0(...) | Found a recursion: | +| Recursion.java:130:16:130:23 | level0(...) | Recursion.java:118:16:118:23 | level2(...) : Boolean | Recursion.java:130:16:130:23 | level0(...) | Found a recursion: | +| Recursion.java:130:16:130:23 | level0(...) | Recursion.java:124:16:124:23 | level2(...) : Boolean | Recursion.java:130:16:130:23 | level0(...) | Found a recursion: | +| Recursion.java:130:16:130:23 | level0(...) | Recursion.java:128:20:128:27 | level1(...) : Boolean | Recursion.java:130:16:130:23 | level0(...) | Found a recursion: | +| Recursion.java:148:16:148:54 | directRecursiveNoDepth(...) | Recursion.java:148:16:148:54 | directRecursiveNoDepth(...) | Recursion.java:148:16:148:54 | directRecursiveNoDepth(...) | Found a recursion: | +| Recursion.java:148:16:148:54 | directRecursiveNoDepth(...) | Recursion.java:148:16:148:54 | directRecursiveNoDepth(...) : Boolean | Recursion.java:148:16:148:54 | directRecursiveNoDepth(...) | Found a recursion: | +| Recursion.java:177:16:177:47 | directRecLocalFlow(...) | Recursion.java:177:16:177:47 | directRecLocalFlow(...) | Recursion.java:177:16:177:47 | directRecLocalFlow(...) | Found a recursion: | +| Recursion.java:177:16:177:47 | directRecLocalFlow(...) | Recursion.java:177:16:177:47 | directRecLocalFlow(...) : Boolean | Recursion.java:177:16:177:47 | directRecLocalFlow(...) | Found a recursion: | diff --git a/java/test/query-tests/security/Recursion/Recursion.java b/java/test/query-tests/security/Recursion/Recursion.java new file mode 100644 index 0000000..296d946 --- /dev/null +++ b/java/test/query-tests/security/Recursion/Recursion.java @@ -0,0 +1,226 @@ +import java.io.IOException; +import java.io.InputStreamReader; +import java.util.HashMap; +import java.util.Map; + +class StreamException extends RuntimeException { + public StreamException(Throwable cause) { + super(cause); + } +} + +class Token { + public static final int TYPE_MAP_ID_TO_VALUE = 0x2; + + private int type; + private String id; + private Object value; + + public int getType() { + return type; + } + + public String getId() { + return id; + } + + public Object getValue() { + return value; + } +} + +class TokenFormatter { + public Token read(InputStreamReader in) throws IOException { + // Implementation would go here + return new Token(); + } +} + +class RecursiveCallExample { + private TokenFormatter tokenFormatter = new TokenFormatter(); + private Map idRegistry = new HashMap<>(); + private InputStreamReader in; + + public RecursiveCallExample(InputStreamReader in) { + this.in = in; + } + + // finding: readToken calls itself + // Based on https://github.com/x-stream/xstream/blob/dfa1d35462fe84412ee72a9b0cf5b5c633086520/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java#L165 + Token readToken() { + // ... + try { + final Token token = tokenFormatter.read(in); + switch (token.getType()) { + case Token.TYPE_MAP_ID_TO_VALUE: // 0x2 + idRegistry.put(token.getId(), token.getValue()); + return readToken(); // Next one please. + default: + return token; + } + } catch (final IOException e) { + throw new StreamException(e); + } + // ... + } +} + +class RecursiveCallBasic { + // finding: foo-bar recursive loop + public boolean bar() { + boolean fooResult = foo(); + return fooResult; + } + + public boolean foo() { + return bar(); + } + + // finding: calls to self + public boolean directRecursive() { + return directRecursive(); + } + + // finding: level0->level1->level2->level0 + public boolean level0() { + if (someCondition()) { + return true; + } + return level1(); + } + public boolean level1() { + if (someCondition()) { + return true; + } + return level2(); + } + public boolean level2() { + if (someCondition()) { + return true; + } + return level0(); + } + + private boolean someCondition() { + return false; + } +} + +class RecursiveCallNonLinear { + // finding: level0->...->level0 + public boolean level0() { + if (someOtherCondition()) { + return true; + } + if (someCondition()) { + return level1(); + } + return level2(); + } + public boolean level1() { + if (someCondition()) { + return true; + } + return level2(); + } + public boolean level2() { + if (someCondition()) { + return level1(); + } + return level0(); + } + + private boolean someCondition() { + return false; + } + + private boolean someOtherCondition() { + return true; + } +} + +class RecursiveCallWronglyLimited { + // finding: recursion is not limited + public boolean directRecursiveNoDepth(int anything, int depth) { + if (depth == 0) { + return true; + } + return directRecursiveNoDepth(anything, depth); + } +} + +class RecursiveCallLimited { + // ok: recursion is limited + public boolean directRecursiveDepth(int depth) { + if (depth == 0) { + return true; + } + return directRecursiveDepth(depth - 1); + } + + // todook: recursion is limited + // public boolean directRecursiveComputedDepth(int depth) { + // if (depth == 0) { + // return true; + // } + + // int newDepth = depth - 2; + // return directRecursiveComputedDepth(newDepth); + // } + + //finding: check is performed on a local variable + public boolean directRecLocalFlow(int depth) { + if (depth == 0) { + return true; + } + int newDepth = 2; + return directRecLocalFlow(newDepth - 1); + } + + // ok: recursion is limited with unary op + public boolean directRecUnaryDec(int depth) { + if (depth == 0) { + return true; + } + + return directRecUnaryDec(depth--); + } + + // ok: level0->level1->level2->level0 with bound + public boolean level0D(int depth) { + if (depth == 0) { + return true; + } + if (someCondition()) { + return true; + } + return level1D(depth-1); + } + public boolean level1D(int depth) { + if (someCondition()) { + return true; + } + return level2D(depth); + } + public boolean level2D(int depth_value) { + if (someCondition()) { + return true; + } + return level0D(depth_value-1); + } + + private boolean someCondition() { + return false; + } +} + +// ok +class NotRecursive { + public static boolean foo() { + return bar(); + } + + public static boolean bar() { + return true; + } +} \ No newline at end of file diff --git a/java/test/query-tests/security/Recursion/Recursion.qlref b/java/test/query-tests/security/Recursion/Recursion.qlref new file mode 100644 index 0000000..3256dfa --- /dev/null +++ b/java/test/query-tests/security/Recursion/Recursion.qlref @@ -0,0 +1 @@ +security/Recursion/Recursion.ql