How to sanitize the partitial flow result?

[ox1234]

Here is my ql. I want to cut off all data flow which not flow through a specific method (such as spring controller method).

/**
 * @kind path-problem
 */

import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.security.FileReadWrite
import semmle.code.java.frameworks.spring.SpringController
import DataFlow::PartialPathGraph


class SSRFConfig extends TaintTracking::Configuration{
    SSRFConfig(){
        this = "SSRFConfig"
    } 

    override int fieldFlowBranchLimit() { result = 5000 }

    override int explorationLimit() { result = 10 }

    override predicate isSource(DataFlow::Node n){
        n.asParameter() = any(SpringControllerMethod m).getAParameter()
    }

    override predicate isSink(DataFlow::Node n){
        exists(FileReadExpr fileread | fileread.getFileVarAccess() = n.asExpr())
    }
}

from SSRFConfig conf, DataFlow::PartialPathNode node, DataFlow::PartialPathNode sink, int dist
where 
    conf.hasPartialFlowRev(node, sink, dist) and 
    node.getNode().asExpr().getEnclosingCallable().fromSource() and
    dist > 2
select node.getNode(), node, sink, "has flow"
// order by dist desc

For example, here is my result:

This data flow result flow through a spring controller method called export which means this is an interesting data flow i need to check.
But for other data flow it don't flow through an controller method. I want to cut off there result. So how can i do this?

[aeisenberg]

Your best bet is to implement the isSanitizer predicate in your taint tracking config. See the docs for more info.

I would do this in two steps:

1. Define a CodeQL class SpringControllerMethod that describes the characteristics of a method that is a spring controller (i.e., it has a GetMapping or similar annotation.
2. Add the isSanitizer predicate so that the predicate returns true if the nd parameter is not a SpringControllerMethod.

Step 1 looks like this:

class SpringControllerMethod extends Method {
  SpringControllerMethod() {
    this.hasAnnotation("spring.whatever.package", "GetMapping") or // include other annotations
  }
}

Step 2 looks like this:

    override predicate isSanitizer(DataFlow::Node nd) {
      nd.asExpr().(MethodAccess).getMethod() instanceof SpringControllerMethod
    }

(Just a warning that I haven't actually tried this out and my CodeQL syntax may be a little bit off.)

[ox1234]

I want to search such data flow:
Only the data flow flows through a controller method's expression is what i want. I defined such isSanitizer but i got complete opposite result:

/**
 * @kind path-problem
 */

import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.security.FileReadWrite
// import semmle.code.java.frameworks.spring.SpringController
import DataFlow::PartialPathGraph

class SpringControllerMethod extends Method {
    SpringControllerMethod() {
      this.hasAnnotation("org.springframework.web.bind.annotation", "GetMapping")
    }
  }


class SSRFConfig extends TaintTracking::Configuration{
    SSRFConfig(){
        this = "SSRFConfig"
    } 

    override int fieldFlowBranchLimit() { result = 5000 }

    override int explorationLimit() { result = 10 }

    override predicate isSource(DataFlow::Node n){
        n.asParameter() = any(SpringControllerMethod m).getAParameter()
    }

    override predicate isSink(DataFlow::Node n){
        exists(FileReadExpr fileread | fileread.getFileVarAccess() = n.asExpr())
    }

    override predicate isSanitizer(DataFlow::Node nd) {
        nd.asExpr().(MethodAccess).getEnclosingCallable() instanceof SpringControllerMethod
    }
}

from SSRFConfig conf, DataFlow::PartialPathNode node, DataFlow::PartialPathNode sink, int dist
where 
    conf.hasPartialFlowRev(node, sink, dist) and 
    node.getNode().asExpr().getEnclosingCallable().fromSource() and
    dist > 2
select node.getNode(), node, sink, "has flow"
// order by dist desc

Because it sanitizer all data flow flows though Controller's body.So how i define the isScanitizer method

[aeisenberg]

Yes, my previous solution wasn't quite right. I think we'll need to do a different approach.

There is a new API called FlowStates that allows you to tag different flows with extra state depending on which steps it goes through. With this in mind, your original TaintTracking::Configuration is largely correct, but we need to add a few new predicates.

oerride predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
  node1 = node2 and 
  state1 = "" and
  state2 = "waypoint-reached" and
  not this.isSource(node1) and
  node1.asParameter() = any(SpringControllerMethod m).getAParameter()
}

override predicate isSink(Node source, FlowState state) { 
  state = "waypoint-reached" and ...  // existing isSink implementation
}

This will add a waypoint-reached state to all flows where they pass through a spring controller method (but don't originate from one).

Please let me know if that works for you.

cc: @smowton