Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Java: Add Guard Classes for checking OS & unify System Property Access #8032

Merged
merged 28 commits into from
Mar 18, 2022
Merged

Java: Add Guard Classes for checking OS & unify System Property Access #8032

Show file tree
Hide file tree
Changes from 16 commits
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
cd073a2
Java: Add Guard Classes for checking OS
JLLeitschuh Feb 14, 2022
39828fd
Apply OS guard checks to TempDirLocalInformationDisclosure
JLLeitschuh Feb 14, 2022
3cdfc00
Cleanup from review feedback
JLLeitschuh Feb 15, 2022
4951344
Update java/ql/lib/semmle/code/java/os/OSCheck.qll
JLLeitschuh Feb 23, 2022
9f5022e
Review fixup and add test for apache SystemUtils
JLLeitschuh Feb 23, 2022
fd63107
Update OS Check from Review Feedback
JLLeitschuh Mar 1, 2022
5913c9a
Refactor OS Guard Checks
JLLeitschuh Mar 1, 2022
dad9a02
Update TempDirInfoDisclosure with new OS Guards
JLLeitschuh Mar 1, 2022
82d3cd8
Improve system property lookup
JLLeitschuh Mar 2, 2022
3c53a05
Add OS Checks based upon separator or path separator
JLLeitschuh Mar 2, 2022
a7adbb7
Refactor more system property access logic
JLLeitschuh Mar 3, 2022
85de9f3
Fix naming of OSCheck method
JLLeitschuh Mar 3, 2022
fea5006
Fix duplicated comment
JLLeitschuh Mar 3, 2022
103c770
Apply suggestions from code review
JLLeitschuh Mar 3, 2022
31527a6
Refactor OS Checks & SystemProperty logic from review feedback
JLLeitschuh Mar 3, 2022
7ab193d
Add System.getProperties().getProperty support
JLLeitschuh Mar 4, 2022
5243fe3
Apply suggestions from code review
JLLeitschuh Mar 4, 2022
523ddb7
Cleanup after code review feedback
JLLeitschuh Mar 4, 2022
b282c7f
Apply suggestions from code review
JLLeitschuh Mar 7, 2022
5b651f2
Fix insufficient tests and add documentation
JLLeitschuh Mar 7, 2022
a21992a
Minor refactoring to improve tests and documentation
JLLeitschuh Mar 7, 2022
2a6c4e9
Add localFlowPlusInitializers
JLLeitschuh Mar 9, 2022
ecb8911
Apply suggestions from code review
JLLeitschuh Mar 10, 2022
1c98642
Remove SystemProperty from FlowSources
JLLeitschuh Mar 10, 2022
50ff2c2
Code cleanup from code review
JLLeitschuh Mar 11, 2022
451661d
Improve guard class names
smowton Mar 15, 2022
09cc8ee
Add tests for StandardSystemProperty
JLLeitschuh Mar 15, 2022
b11340c
Change note tense and detail level
smowton Mar 16, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 28 additions & 1 deletion java/ql/lib/semmle/code/java/JDK.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@

import Member
import semmle.code.java.security.ExternalProcess
private import semmle.code.java.dataflow.FlowSteps
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I presume this is a pretty large import, I hope it's fine and won't break anything. Should I do this differently?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is ok -- note that in FlowSteps.qll's Frameworks module you should private-import this file back. This is to ensure all queries using FlowSteps see the same set of standard value-preserving methods etc, and so the related QL can be evaluated once for the whole query suite, not re-evaluated per query as it would need to be if each one defined extra flow steps.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. Thanks!


// --- Standard types ---
/** The class `java.lang.Object`. */
Expand Down Expand Up @@ -37,6 +38,27 @@ class StringLengthMethod extends Method {
StringLengthMethod() { this.hasName("length") and this.getDeclaringType() instanceof TypeString }
}

/**
* The methods on the class `java.lang.String` that are used to perform partial matches with a specified substring or char.
*/
class StringPartialMatchMethod extends Method {
StringPartialMatchMethod() {
this.hasName([
"contains", "startsWith", "endsWith", "matches", "indexOf", "lastIndexOf", "regionMatches"
]) and
this.getDeclaringType() instanceof TypeString
}

/**
* Gets the index of the parameter that is being matched against.
*/
int getMatchParameterIndex() {
if this.hasName("regionMatches")
then this.getParameterType(result) instanceof TypeString
else result = 0
}
}

/** The class `java.lang.StringBuffer`. */
class TypeStringBuffer extends Class {
TypeStringBuffer() { this.hasQualifiedName("java.lang", "StringBuffer") }
Expand Down Expand Up @@ -228,11 +250,13 @@ class MethodSystemGetenv extends Method {
/**
* Any method named `getProperty` on class `java.lang.System`.
*/
class MethodSystemGetProperty extends Method {
class MethodSystemGetProperty extends ValuePreservingMethod {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't a value-preserving method. A value-preserving method is return this; or return param1; or something else that conveys an exact reference across a function.

Do you mean to say you want System.getProperty(x) to generally conserve taint, such that if x is user-controlled then so is the result of System.getProperty? If so I'm not sure we'd want that as a general rule, since in order to be exploited it needs the user to know the name of a property containing sensitive information, or to have a way to get an arbitrary string into that environment.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

System.getProperty(propertyName, defaultValue) is a value preserving method. Here's the code of this method:

    /**
     * Searches for the property with the specified key in this property list.
     * If the key is not found in this property list, the default property list,
     * and its defaults, recursively, are then checked. The method returns the
     * default value argument if the property is not found.
     *
     * @param   key            the hashtable key.
     * @param   defaultValue   a default value.
     *
     * @return  the value in this property list with the specified key value.
     * @see     #setProperty
     * @see     #defaults
     */
    public String getProperty(String key, String defaultValue) {
        String val = getProperty(key);
        return (val == null) ? defaultValue : val;
    }

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doh right, I'd forgotten those overloads existed.

MethodSystemGetProperty() {
this.hasName("getProperty") and
this.getDeclaringType() instanceof TypeSystem
}

override predicate returnsValue(int arg) { arg = 1 }
}

/**
Expand All @@ -244,6 +268,9 @@ class MethodAccessSystemGetProperty extends MethodAccess {
/**
* Holds if this call has a compile-time constant first argument with the value `propertyName`.
* For example: `System.getProperty("user.dir")`.
*
* Note: Better to use `semmle.code.java.environment.SystemProperty#getSystemProperty` instead
* as that predicate covers more libraries' and JDK API's ways of accessing the same information
JLLeitschuh marked this conversation as resolved.
Show resolved Hide resolved
*/
predicate hasCompileTimeConstantGetPropertyName(string propertyName) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@smowton wondering if I should deprecate this in favor of the new way of finding all expressions that access system properties

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't deprecate since we use it ourselves, but expand your comment a little to point out that the recommended predicate covers more libraries' ways of accessing the same information.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As of my changes, it's only ever now used in my code, it isn't used anywhere else in this repository.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, at your request, I've improved my comment

this.getArgument(0).(CompileTimeConstantExpr).getStringValue() = propertyName
Expand Down
23 changes: 2 additions & 21 deletions java/ql/lib/semmle/code/java/StringFormat.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@

import java
import dataflow.DefUse
private import semmle.code.java.environment.SystemProperty

/**
* A library method that formats a number of its arguments according to a
Expand Down Expand Up @@ -312,27 +313,7 @@ private predicate formatStringValue(Expr e, string fmtvalue) {
or
formatStringValue(e.(ChooseExpr).getAResultExpr(), fmtvalue)
or
exists(Method getprop, MethodAccess ma, string prop |
e = ma and
ma.getMethod() = getprop and
getprop.hasName("getProperty") and
getprop.getDeclaringType().hasQualifiedName("java.lang", "System") and
getprop.getNumberOfParameters() = 1 and
ma.getAnArgument().(StringLiteral).getValue() = prop and
(prop = "line.separator" or prop = "file.separator" or prop = "path.separator") and
fmtvalue = "x" // dummy value
)
or
exists(Field f |
e = f.getAnAccess() and
f.getDeclaringType() instanceof TypeFile and
fmtvalue = "x" // dummy value
|
f.hasName("pathSeparator") or
f.hasName("pathSeparatorChar") or
f.hasName("separator") or
f.hasName("separatorChar")
)
e = getSystemProperty(["line.separator", "file.separator", "path.separator"]) and fmtvalue = "x" // dummy value
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Simpler, and more comprehensive! 😄

)
}

Expand Down
4 changes: 4 additions & 0 deletions java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.DefUse
import semmle.code.java.environment.SystemProperty
import semmle.code.java.frameworks.Jdbc
import semmle.code.java.frameworks.Networking
import semmle.code.java.frameworks.Properties
Expand Down Expand Up @@ -182,6 +183,8 @@ class EnvInput extends LocalUserInput {
// Results from various specific methods.
this.asExpr().(MethodAccess).getMethod() instanceof EnvReadMethod
or
this.asExpr() = getSystemProperty(_)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommend removing from this PR, because this will cause FPs due to mistaking System.getProperty("line.separator") for something the user can control, and we'd want to assess the frequency of those FPs.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

line.separator is something the user can control

https://stackoverflow.com/a/22681891

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

/**
 * System Property initialization for internal use only
 * Retrieves the platform, JVM, and command line properties,
 * applies initial defaults and returns the Properties instance
 * that becomes the System.getProperties instance.
 */
public final class SystemProps {

    // no instances
    private SystemProps() {}

    /**
     * Create and initialize the system properties from the native properties
     * and command line properties.
     * Note:  Build-defined properties such as versions and vendor information
     * are initialized by VersionProps.java-template.
     *
     * @return a Properties instance initialized with all of the properties
     */
    public static Map<String, String> initProperties() {

        // Initially, cmdProperties only includes -D and props from the VM
        Raw raw = new Raw();
        HashMap<String, String> props = raw.cmdProperties();

        String javaHome = props.get("java.home");
        assert javaHome != null : "java.home not set";

        putIfAbsent(props, "user.home", raw.propDefault(Raw._user_home_NDX));
        putIfAbsent(props, "user.dir", raw.propDefault(Raw._user_dir_NDX));
        putIfAbsent(props, "user.name", raw.propDefault(Raw._user_name_NDX));

        // Platform defined encoding cannot be overridden on the command line
        put(props, "sun.jnu.encoding", raw.propDefault(Raw._sun_jnu_encoding_NDX));
        var nativeEncoding = ((raw.propDefault(Raw._file_encoding_NDX) == null)
                ? raw.propDefault(Raw._sun_jnu_encoding_NDX)
                : raw.propDefault(Raw._file_encoding_NDX));
        put(props, "native.encoding", nativeEncoding);

        // Add properties that have not been overridden on the cmdline
        putIfAbsent(props, "file.encoding", nativeEncoding);

        // Use platform values if not overridden by a commandline -Dkey=value
        // In no particular order
        putIfAbsent(props, "os.name", raw.propDefault(Raw._os_name_NDX));
        putIfAbsent(props, "os.arch", raw.propDefault(Raw._os_arch_NDX));
        putIfAbsent(props, "os.version", raw.propDefault(Raw._os_version_NDX));
        putIfAbsent(props, "line.separator", raw.propDefault(Raw._line_separator_NDX));
        putIfAbsent(props, "file.separator", raw.propDefault(Raw._file_separator_NDX));
        putIfAbsent(props, "path.separator", raw.propDefault(Raw._path_separator_NDX));
        putIfAbsent(props, "java.io.tmpdir", raw.propDefault(Raw._java_io_tmpdir_NDX));
        putIfAbsent(props, "http.proxyHost", raw.propDefault(Raw._http_proxyHost_NDX));
        putIfAbsent(props, "http.proxyPort", raw.propDefault(Raw._http_proxyPort_NDX));
        putIfAbsent(props, "https.proxyHost", raw.propDefault(Raw._https_proxyHost_NDX));
        putIfAbsent(props, "https.proxyPort", raw.propDefault(Raw._https_proxyPort_NDX));
        putIfAbsent(props, "ftp.proxyHost", raw.propDefault(Raw._ftp_proxyHost_NDX));
        putIfAbsent(props, "ftp.proxyPort", raw.propDefault(Raw._ftp_proxyPort_NDX));
        putIfAbsent(props, "socksProxyHost", raw.propDefault(Raw._socksProxyHost_NDX));
        putIfAbsent(props, "socksProxyPort", raw.propDefault(Raw._socksProxyPort_NDX));
        putIfAbsent(props, "http.nonProxyHosts", raw.propDefault(Raw._http_nonProxyHosts_NDX));
        putIfAbsent(props, "ftp.nonProxyHosts", raw.propDefault(Raw._ftp_nonProxyHosts_NDX));
        putIfAbsent(props, "socksNonProxyHosts", raw.propDefault(Raw._socksNonProxyHosts_NDX));
        putIfAbsent(props, "sun.arch.abi", raw.propDefault(Raw._sun_arch_abi_NDX));
        putIfAbsent(props, "sun.arch.data.model", raw.propDefault(Raw._sun_arch_data_model_NDX));
        putIfAbsent(props, "sun.os.patch.level", raw.propDefault(Raw._sun_os_patch_level_NDX));
        putIfAbsent(props, "sun.stdout.encoding", raw.propDefault(Raw._sun_stdout_encoding_NDX));
        putIfAbsent(props, "sun.stderr.encoding", raw.propDefault(Raw._sun_stderr_encoding_NDX));
        putIfAbsent(props, "sun.io.unicode.encoding", raw.propDefault(Raw._sun_io_unicode_encoding_NDX));
        putIfAbsent(props, "sun.cpu.isalist", raw.propDefault(Raw._sun_cpu_isalist_NDX));
        putIfAbsent(props, "sun.cpu.endian", raw.propDefault(Raw._sun_cpu_endian_NDX));

        /* Construct i18n related options */
        fillI18nProps(props,"user.language", raw.propDefault(Raw._display_language_NDX),
                raw.propDefault(Raw._format_language_NDX));
        fillI18nProps(props,"user.script",   raw.propDefault(Raw._display_script_NDX),
                raw.propDefault(Raw._format_script_NDX));
        fillI18nProps(props,"user.country",  raw.propDefault(Raw._display_country_NDX),
                raw.propDefault(Raw._format_country_NDX));
        fillI18nProps(props,"user.variant",  raw.propDefault(Raw._display_variant_NDX),
                raw.propDefault(Raw._format_variant_NDX));

        return props;
    }

Copy link
Contributor

@smowton smowton Mar 10, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's hard to say without experimenting at length, but it looks like props that come from Raw might not let the user override them? In that function at least native.,encoding doesn't let the user override it.

At the very least this is surely a different PR. The scope of this one has already ballooned, let's please stop adding new tangentially related features to the same one.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can do

or
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Found another really good place to put my new predicate! 😄

// Access to `System.in`.
exists(Field f | this.asExpr() = f.getAnAccess() | f instanceof SystemIn)
or
Expand All @@ -203,6 +206,7 @@ class EnvReadMethod extends Method {
EnvReadMethod() {
this instanceof MethodSystemGetenv or
this instanceof PropertiesGetPropertyMethod or
this instanceof PropertiesGetMethod or
this instanceof MethodSystemGetProperty
}
}
Expand Down
1 change: 1 addition & 0 deletions java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ private module Frameworks {
private import semmle.code.java.frameworks.android.Intent
private import semmle.code.java.frameworks.android.SQLite
private import semmle.code.java.frameworks.Guice
private import semmle.code.java.frameworks.Properties
private import semmle.code.java.frameworks.Protobuf
private import semmle.code.java.frameworks.guava.Guava
private import semmle.code.java.frameworks.apache.Lang
Expand Down
249 changes: 249 additions & 0 deletions java/ql/lib/semmle/code/java/environment/SystemProperty.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,249 @@
import java
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.frameworks.Properties
private import semmle.code.java.frameworks.apache.Lang

/**
* Gets an expression that retrieves the value of `propertyName` from `System.getProperty()`.
*/
Expr getSystemProperty(string propertyName) {
result = getSystemPropertyFromSystem(propertyName) or
result = getSystemPropertyFromSystemGetProperties(propertyName) or
result = getSystemPropertyFromFile(propertyName) or
result = getSystemPropertyFromApacheSystemUtils(propertyName) or
result = getSystemPropertyFromApacheFileUtils(propertyName) or
result = getSystemPropertyFromGuava(propertyName) or
result = getSystemPropertyFromOperatingSystemMXBean(propertyName) or
result = getSystemPropertyFromSpringProperties(propertyName)
}

private MethodAccess getSystemPropertyFromSystem(string propertyName) {
result.(MethodAccessSystemGetProperty).hasCompileTimeConstantGetPropertyName(propertyName)
or
exists(Method m | result.getMethod() = m | m.hasName("lineSeparator")) and
JLLeitschuh marked this conversation as resolved.
Show resolved Hide resolved
propertyName = "line.separator"
}

/**
* A method access that retrieves the value of `propertyName` from the following methods:
* - `System.getProperties().getProperty(...)`
* - `System.getProperties().get(...)`
*/
private MethodAccess getSystemPropertyFromSystemGetProperties(string propertyName) {
exists(Method getMethod |
getMethod instanceof PropertiesGetMethod
or
getMethod instanceof PropertiesGetPropertyMethod and
result.getMethod() = getMethod
) and
result.getArgument(0).(CompileTimeConstantExpr).getStringValue() = propertyName and
DataFlow::localExprFlow(any(MethodAccess m |
m.getMethod().getDeclaringType() instanceof TypeSystem and
m.getMethod().hasName("getProperties")
), result.getQualifier())
}

private FieldAccess getSystemPropertyFromFile(string propertyName) {
result.getField() instanceof FieldFileSeparator and propertyName = "file.separator"
or
result.getField() instanceof FieldFilePathSeparator and propertyName = "path.separator"
}

/** The field `java.io.File.separator` or `java.io.File.separatorChar` */
private class FieldFileSeparator extends Field {
FieldFileSeparator() {
this.getDeclaringType() instanceof TypeFile and this.hasName(["separator", "separatorChar"])
}
}

/* The field `java.io.File.pathSeparator` or `java.io.File.pathSeparatorChar` */
private class FieldFilePathSeparator extends Field {
FieldFilePathSeparator() {
this.getDeclaringType() instanceof TypeFile and
this.hasName(["pathSeparator", "pathSeparatorChar"])
}
}

/**
* A field access to the system property.
* See: https://commons.apache.org/proper/commons-lang/apidocs/org/apache/commons/lang3/SystemUtils.html
*/
private FieldAccess getSystemPropertyFromApacheSystemUtils(string propertyName) {
exists(Field f | f = result.getField() and f.getDeclaringType() instanceof ApacheSystemUtils |
f.hasName("AWT_TOOLKIT") and propertyName = "awt.toolkit"
or
f.hasName("FILE_ENCODING") and propertyName = "file.encoding"
or
f.hasName("FILE_SEPARATOR") and propertyName = "file.separator"
or
f.hasName("JAVA_AWT_FONTS") and propertyName = "java.awt.fonts"
or
f.hasName("JAVA_AWT_GRAPHICSENV") and propertyName = "java.awt.graphicsenv"
or
f.hasName("JAVA_AWT_HEADLESS") and propertyName = "java.awt.headless"
or
f.hasName("JAVA_AWT_PRINTERJOB") and propertyName = "java.awt.printerjob"
or
f.hasName("JAVA_CLASS_PATH") and propertyName = "java.class.path"
or
f.hasName("JAVA_CLASS_VERSION") and propertyName = "java.class.version"
or
f.hasName("JAVA_COMPILER") and propertyName = "java.compiler"
or
f.hasName("JAVA_EXT_DIRS") and propertyName = "java.ext.dirs"
or
f.hasName("JAVA_HOME") and propertyName = "java.home"
or
f.hasName("JAVA_IO_TMPDIR") and propertyName = "java.io.tmpdir"
or
f.hasName("JAVA_LIBRARY_PATH") and propertyName = "java.library.path"
or
f.hasName("JAVA_RUNTIME_NAME") and propertyName = "java.runtime.name"
or
f.hasName("JAVA_RUNTIME_VERSION") and propertyName = "java.runtime.version"
or
f.hasName("JAVA_SPECIFICATION_NAME") and propertyName = "java.specification.name"
or
f.hasName("JAVA_SPECIFICATION_VENDOR") and propertyName = "java.specification.vendor"
or
f.hasName("JAVA_UTIL_PREFS_PREFERENCES_FACTORY") and
propertyName = "java.util.prefs.PreferencesFactory" // This really does break the lowercase convention obeyed everywhere else
or
f.hasName("JAVA_VENDOR") and propertyName = "java.vendor"
or
f.hasName("JAVA_VENDOR_URL") and propertyName = "java.vendor.url"
or
f.hasName("JAVA_VERSION") and propertyName = "java.version"
or
f.hasName("JAVA_VM_INFO") and propertyName = "java.vm.info"
or
f.hasName("JAVA_VM_NAME") and propertyName = "java.vm.name"
or
f.hasName("JAVA_VM_SPECIFICATION_NAME") and propertyName = "java.vm.specification.name"
or
f.hasName("JAVA_VM_SPECIFICATION_VENDOR") and propertyName = "java.vm.specification.vendor"
or
f.hasName("JAVA_VM_VENDOR") and propertyName = "java.vm.vendor"
or
f.hasName("JAVA_VM_VERSION") and propertyName = "java.vm.version"
or
f.hasName("LINE_SEPARATOR") and propertyName = "line.separator"
or
f.hasName("OS_ARCH") and propertyName = "os.arch"
or
f.hasName("OS_NAME") and propertyName = "os.name"
or
f.hasName("OS_VERSION") and propertyName = "os.version"
or
f.hasName("PATH_SEPARATOR") and propertyName = "path.separator"
or
f.hasName("USER_COUNTRY") and propertyName = "user.country"
or
f.hasName("USER_DIR") and propertyName = "user.dir"
or
f.hasName("USER_HOME") and propertyName = "user.home"
or
f.hasName("USER_LANGUAGE") and propertyName = "user.language"
or
f.hasName("USER_NAME") and propertyName = "user.name"
or
f.hasName("USER_TIMEZONE") and propertyName = "user.timezone"
)
}

private MethodAccess getSystemPropertyFromApacheFileUtils(string propertyName) {
exists(Method m |
result.getMethod() = m and
m.getDeclaringType().hasQualifiedName("org.apache.commons.io", "FileUtils")
|
m.hasName(["getTempDirectory", "getTempDirectoryPath"]) and propertyName = "java.io.tmpdir"
or
m.hasName(["getUserDirectory", "getUserDirectoryPath"]) and propertyName = "user.home"
)
}
Comment on lines +159 to +168
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both getTempDirectory and getUserDirectory return File instead of String:

I figure that this is still fine as it's essentially equivalent to the string variant, but wrapped in a different type

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it should be documented for getSystemProperty then, that the type of the expression is in some cases something other than a String (e.g. here a File, or for the separators a char).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done


private MethodAccess getSystemPropertyFromGuava(string propertyName) {
exists(EnumConstant ec |
ec.getDeclaringType().hasQualifiedName("com.google.common.base", "StandardSystemProperty") and
result.getQualifier() = ec.getAnAccess() and
result.getMethod().hasName("value")
|
ec.hasName("JAVA_VERSION") and propertyName = "java.version"
or
ec.hasName("JAVA_VENDOR") and propertyName = "java.vendor"
or
ec.hasName("JAVA_VENDOR_URL") and propertyName = "java.vendor.url"
or
ec.hasName("JAVA_HOME") and propertyName = "java.home"
or
ec.hasName("JAVA_VM_SPECIFICATION_VERSION") and propertyName = "java.vm.specification.version"
or
ec.hasName("JAVA_VM_SPECIFICATION_VENDOR") and propertyName = "java.vm.specification.vendor"
or
ec.hasName("JAVA_VM_SPECIFICATION_NAME") and propertyName = "java.vm.specification.name"
or
ec.hasName("JAVA_VM_VERSION") and propertyName = "java.vm.version"
or
ec.hasName("JAVA_VM_VENDOR") and propertyName = "java.vm.vendor"
or
ec.hasName("JAVA_VM_NAME") and propertyName = "java.vm.name"
or
ec.hasName("JAVA_SPECIFICATION_VERSION") and propertyName = "java.specification.version"
or
ec.hasName("JAVA_SPECIFICATION_VENDOR") and propertyName = "java.specification.vendor"
or
ec.hasName("JAVA_SPECIFICATION_NAME") and propertyName = "java.specification.name"
or
ec.hasName("JAVA_CLASS_VERSION") and propertyName = "java.class.version"
or
ec.hasName("JAVA_CLASS_PATH") and propertyName = "java.class.path"
or
ec.hasName("JAVA_LIBRARY_PATH") and propertyName = "java.library.path"
or
ec.hasName("JAVA_IO_TMPDIR") and propertyName = "java.io.tmpdir"
or
ec.hasName("JAVA_COMPILER") and propertyName = "java.compiler"
or
ec.hasName("JAVA_EXT_DIRS") and propertyName = "java.ext.dirs"
or
ec.hasName("OS_NAME") and propertyName = "os.name"
or
ec.hasName("OS_ARCH") and propertyName = "os.arch"
or
ec.hasName("OS_VERSION") and propertyName = "os.version"
or
ec.hasName("FILE_SEPARATOR") and propertyName = "file.separator"
or
ec.hasName("PATH_SEPARATOR") and propertyName = "path.separator"
or
ec.hasName("LINE_SEPARATOR") and propertyName = "line.separator"
or
ec.hasName("USER_NAME") and propertyName = "user.name"
or
ec.hasName("USER_HOME") and propertyName = "user.home"
or
ec.hasName("USER_DIR") and propertyName = "user.dir"
)
}

private MethodAccess getSystemPropertyFromOperatingSystemMXBean(string propertyName) {
exists(Method m |
m = result.getMethod() and
m.getDeclaringType().hasQualifiedName("java.lang.management", "OperatingSystemMXBean")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be good to consider subtypes as well, because there is at least com.sun.management.OperatingSystemMXBean

Copy link
Contributor Author

@JLLeitschuh JLLeitschuh Mar 7, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

.getDeclaringType() should theoretically look at the declaration site, right? So because these methods are declared on java.lang.management.OperatingSystemMXBean, and then the class is extended, the methods selected should still be considered? Is this correct @smowton?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah you are right; com.sun.management.OperatingSystemMXBean does not override them, and there are no other subtypes which override these either. You could of course consider declarations by subtypes nonetheless in case the JDK overrides them at some point (e.g. to adjust Javadoc), but it is probably unlikely that this will happen.

|
m.getName() = "getName" and propertyName = "os.name"
or
m.getName() = "getArch" and propertyName = "os.arch"
or
m.getName() = "getVersion" and propertyName = "os.version"
)
}

private MethodAccess getSystemPropertyFromSpringProperties(string propertyName) {
exists(Method m |
m = result.getMethod() and
m.getDeclaringType().hasQualifiedName("org.springframework.core", "SpringProperties") and
m.hasName("getProperty")
) and
result.getArgument(0).(CompileTimeConstantExpr).getStringValue() = propertyName
}
Loading