Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Java: Prevent a configuration from being visible globally #6888

Open
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

@joefarebrother
Copy link
Contributor

@joefarebrother joefarebrother commented Oct 14, 2021

No description provided.

@joefarebrother
Copy link
Contributor Author

@joefarebrother joefarebrother commented Oct 15, 2021

On second thoughts; this introduces an awkward footgun for queries that use these sinks in needing to import a specific library. Perhaps a better solution is to switch the config in question to a different dataflow instance?

@atorralba
Copy link
Contributor

@atorralba atorralba commented Oct 15, 2021

What we have been doing recently is:

  • Add any reusable code like abstract sinks or additional taint steps to a library (like XSS.qll). This should also contain the CSV models and the default implementations.
  • Add configurations and other classes or predicates that should only be used from queries to a *Query.qll file (like XSSQuery.qll) that imports the previous library.

And then:

  • Queries that need to use the configuration can import XSSQuery.qll.
  • Libraries that need to reuse or redefine sinks or taint steps can import XSS.qll.
  • The bidirectional import of XSS.qll can be added to ExternalFlow.qll without adding any configuration to the global scope.

Would this work for you?

@joefarebrother
Copy link
Contributor Author

@joefarebrother joefarebrother commented Oct 15, 2021

So here XSS.qll doesn't define any CSV models; but it is imported by libraries that do (such as SpringHTTP.qll). And as part of the default definition of its sinks, it uses a TaintTracking2::Configuration; so that also becomes globally visible through the bidirectional import of SpringHTTP.qll.
My current fix is to move this config, along with the definition of the default sinks, to a separate file, currently XSSDefaults.qll but could be called XSSQuery.qll. However, then if a query imports XSS.qll but forgets to import XSSQuery.qll, then the sinks don't work.

@atorralba
Copy link
Contributor

@atorralba atorralba commented Oct 15, 2021

Yes, now it looks better: importing only XSS<Query/Default>.qll in query files makes sense, and XSS.qll is safe to be imported in non-query files. There's a check failing though:

FAILURE: non-query qll files should not import files ending in 'Query.qll'

I think this check should ignore .qll files in the same directory as a .ql file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants