Skip to content

Java: Add Guard Classes for checking OS & unify System Property Access #8032

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
smowton merged 28 commits into from
Mar 18, 2022
Merged

Java: Add Guard Classes for checking OS & unify System Property Access #8032

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
cd073a2
Java: Add Guard Classes for checking OS
JLLeitschuh Feb 14, 2022
39828fd
Apply OS guard checks to TempDirLocalInformationDisclosure
JLLeitschuh Feb 14, 2022
3cdfc00
Cleanup from review feedback
JLLeitschuh Feb 15, 2022
4951344
Update java/ql/lib/semmle/code/java/os/OSCheck.qll
JLLeitschuh Feb 23, 2022
9f5022e
Review fixup and add test for apache SystemUtils
JLLeitschuh Feb 23, 2022
fd63107
Update OS Check from Review Feedback
JLLeitschuh Mar 1, 2022
5913c9a
Refactor OS Guard Checks
JLLeitschuh Mar 1, 2022
dad9a02
Update TempDirInfoDisclosure with new OS Guards
JLLeitschuh Mar 1, 2022
82d3cd8
Improve system property lookup
JLLeitschuh Mar 2, 2022
3c53a05
Add OS Checks based upon separator or path separator
JLLeitschuh Mar 2, 2022
a7adbb7
Refactor more system property access logic
JLLeitschuh Mar 3, 2022
85de9f3
Fix naming of OSCheck method
JLLeitschuh Mar 3, 2022
fea5006
Fix duplicated comment
JLLeitschuh Mar 3, 2022
103c770
Apply suggestions from code review
JLLeitschuh Mar 3, 2022
31527a6
Refactor OS Checks & SystemProperty logic from review feedback
JLLeitschuh Mar 3, 2022
7ab193d
Add System.getProperties().getProperty support
JLLeitschuh Mar 4, 2022
5243fe3
Apply suggestions from code review
JLLeitschuh Mar 4, 2022
523ddb7
Cleanup after code review feedback
JLLeitschuh Mar 4, 2022
b282c7f
Apply suggestions from code review
JLLeitschuh Mar 7, 2022
5b651f2
Fix insufficient tests and add documentation
JLLeitschuh Mar 7, 2022
a21992a
Minor refactoring to improve tests and documentation
JLLeitschuh Mar 7, 2022
2a6c4e9
Add localFlowPlusInitializers
JLLeitschuh Mar 9, 2022
ecb8911
Apply suggestions from code review
JLLeitschuh Mar 10, 2022
1c98642
Remove SystemProperty from FlowSources
JLLeitschuh Mar 10, 2022
50ff2c2
Code cleanup from code review
JLLeitschuh Mar 11, 2022
451661d
Improve guard class names
smowton Mar 15, 2022
09cc8ee
Add tests for StandardSystemProperty
JLLeitschuh Mar 15, 2022
b11340c
Change note tense and detail level
smowton Mar 16, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Java: Add Guard Classes for checking OS
  • Loading branch information
@JLLeitschuh
JLLeitschuh committed Mar 2, 2022
commit cd073a21736b8a9aeab480c438b09d3656bead1b
14 changes: 14 additions & 0 deletions java/ql/lib/semmle/code/java/StringCheck.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
/**
* Provides classes and predicates for reasoning about checking characterizations about strings.
*/

import java

/**
* Holds if `ma` is a call to a method that checks a partial string match.
*/
predicate isStringPartialMatch(MethodAccess ma) {
Comment thread
JLLeitschuh marked this conversation as resolved.
Outdated
ma.getMethod().getDeclaringType() instanceof TypeString and
ma.getMethod().getName() =
["contains", "startsWith", "matches", "regionMatches", "indexOf", "lastIndexOf"]
Comment thread
JLLeitschuh marked this conversation as resolved.
Outdated
}
Comment thread
JLLeitschuh marked this conversation as resolved.
Outdated
9 changes: 9 additions & 0 deletions java/ql/lib/semmle/code/java/frameworks/apache/Lang.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,3 +37,12 @@ private class ApacheStrBuilderFluentMethod extends FluentMethod {
this.getReturnType().(RefType).hasQualifiedName("org.apache.commons.lang3.text", "StrBuilder")
}
}

/**
* The class ``org.apache.commons.lang.SystemUtils` or `org.apache.commons.lang3.SystemUtils`.
Comment thread
JLLeitschuh marked this conversation as resolved.
Outdated
*/
class ApacheSystemUtilis extends Class {
Comment thread
JLLeitschuh marked this conversation as resolved.
Outdated
ApacheSystemUtilis() {
this.hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"], "SystemUtils")
}
}
93 changes: 93 additions & 0 deletions java/ql/lib/semmle/code/java/os/OSCheck.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
/**
* Provides classes and predicates for guards that check for the current OS.
*/

import java
import semmle.code.java.controlflow.Guards
private import semmle.code.java.frameworks.apache.Lang
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.StringCheck

/**
* A complimentatry guard that checks if the current platform is Windows.
Comment thread
JLLeitschuh marked this conversation as resolved.
Outdated
*/
abstract class IsWindowsGuard extends Guard { }

/**
* A complimentatry guard that checks if the current platform is unix or unix-like.
Comment thread
JLLeitschuh marked this conversation as resolved.
Outdated
*/
abstract class IsUnixGuard extends Guard { }

/**
* Holds when the MethodAccess is a call to check the current OS using either the upper case `osUpperCase` or lower case `osLowerCase` string constants.
Comment thread
JLLeitschuh marked this conversation as resolved.
Outdated
*/
bindingset[osUpperCase, osLowerCase]
private predicate isOsFromSystemProp(MethodAccess ma, string osUpperCase, string osLowerCase) {
Comment thread
JLLeitschuh marked this conversation as resolved.
Outdated
exists(MethodAccessSystemGetProperty sgpMa |
sgpMa.hasCompileTimeConstantGetPropertyName("os.name")
|
DataFlow::localExprFlow(sgpMa, ma.getQualifier()) and // Call from System.getProperty to some partial match method
Comment thread
JLLeitschuh marked this conversation as resolved.
Outdated
ma.getAnArgument().(CompileTimeConstantExpr).getStringValue().matches(osUpperCase)
or
exists(MethodAccess toLowerCaseMa |
toLowerCaseMa.getMethod() =
any(Method m | m.getDeclaringType() instanceof TypeString and m.hasName("toLowerCase"))
|
DataFlow::localExprFlow(sgpMa, toLowerCaseMa.getQualifier()) and // Call from System.getProperty to toLowerCase
Comment thread
JLLeitschuh marked this conversation as resolved.
Outdated
DataFlow::localExprFlow(toLowerCaseMa, ma.getQualifier()) and // Call from toLowerCase to some partial match method
ma.getAnArgument().(CompileTimeConstantExpr).getStringValue().matches(osLowerCase)
)
) and
isStringPartialMatch(ma)
}

private class IsWindowsFromSystemProp extends IsWindowsGuard instanceof MethodAccess {
IsWindowsFromSystemProp() { isOsFromSystemProp(this, "Window%", "window%") }
}

private class IsUnixFromSystemProp extends IsUnixGuard instanceof MethodAccess {
IsUnixFromSystemProp() {
isOsFromSystemProp(this, ["Mac%", "Linux%", "LINUX%"], ["mac%", "linux%"])
}
}

private predicate isOsFromApacheCommons(FieldAccess fa, string fieldName) {
exists(Field f | f = fa.getField() |
f.getDeclaringType() instanceof ApacheSystemUtilis and
f.hasName(fieldName)
)
}

private class IsWindowsFromApacheCommons extends IsWindowsGuard instanceof FieldAccess {
IsWindowsFromApacheCommons() { isOsFromApacheCommons(this, "IS_OS_WINDOWS%") }
Comment thread
JLLeitschuh marked this conversation as resolved.
Outdated
}

private class IsUnixFromApacheCommons extends IsUnixGuard instanceof FieldAccess {
IsUnixFromApacheCommons() { isOsFromApacheCommons(this, ["IS_OS_UNIX"]) }
}

/**
* A guard that checks if the `java.nio.file.FileSystem` supports posix file permissions.
* This is often used to infer if the OS is unix-based.
* Looks for calls to `contains("poxix")` on the `supportedFileAttributeViews` method returned by `FileSystem`.
Comment thread
JLLeitschuh marked this conversation as resolved.
Outdated
*/
private class IsUnixFromPosixFromFileSystem extends IsUnixGuard instanceof MethodAccess {
IsUnixFromPosixFromFileSystem() {
exists(Method m | m = this.getMethod() |
m.getDeclaringType()
.getASupertype*()
.getSourceDeclaration()
.hasQualifiedName("java.util", "Set") and
m.hasName("contains")
) and
this.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "posix" and
exists(Method supportedFileAttribtueViewsMethod |
supportedFileAttribtueViewsMethod.hasName("supportedFileAttributeViews") and
supportedFileAttribtueViewsMethod.getDeclaringType() instanceof TypeFileSystem
|
DataFlow::localExprFlow(any(MethodAccess ma |
ma.getMethod() = supportedFileAttribtueViewsMethod
Comment thread
JLLeitschuh marked this conversation as resolved.
Outdated
), super.getQualifier())
)
}
}
34 changes: 34 additions & 0 deletions java/ql/test/library-tests/os/Test.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
import java.nio.file.FileSystems;
import java.nio.file.Path;

public class Test {
void test() {
if (System.getProperty("os.name").contains("Windows")) {

}

if (System.getProperty("os.name").toLowerCase().contains("windows")) {

}

if (System.getProperty("os.name").contains("Linux")) {

}

if (System.getProperty("os.name").contains("Mac OS X")) {

}

if (System.getProperty("os.name").toLowerCase().contains("mac")) {

}

if (Path.of("whatever").getFileSystem().supportedFileAttributeViews().contains("posix")) {

}

if (FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {

}
}
}
5 changes: 5 additions & 0 deletions java/ql/test/library-tests/os/unix-test.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
| Test.java:14:13:14:59 | contains(...) |
| Test.java:18:13:18:62 | contains(...) |
| Test.java:22:13:22:71 | contains(...) |
| Test.java:26:13:26:95 | contains(...) |
| Test.java:30:13:30:84 | contains(...) |
5 changes: 5 additions & 0 deletions java/ql/test/library-tests/os/unix-test.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
import default
import semmle.code.java.os.OSCheck

from IsUnixGuard isUnix
select isUnix
2 changes: 2 additions & 0 deletions java/ql/test/library-tests/os/windows-test.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
| Test.java:6:13:6:61 | contains(...) |
| Test.java:10:13:10:75 | contains(...) |
5 changes: 5 additions & 0 deletions java/ql/test/library-tests/os/windows-test.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
import default
import semmle.code.java.os.OSCheck

from IsWindowsGuard isWindows
select isWindows