General issue - Help needed to get data flow involving variables associated with functions

[SaumoPal97]

I am applying local dataflow, global dataflow as well as taint tracking to obtain the variables affecting an expression but I am unable to do so. I found this tutorial on dataflows (https://help.semmle.com/QL/ql-training/java/global-data-flow-java.html#8) and on slide 8, I found a similar problem to the one I am facing.
name = ai.getProxy().getNamespace(); return compileAndExecute(name, context, ....);
So according to taint tracking module, we can say name or the first argument of compileAndExecute(...) is tainted by getProxy(...) and getNamespace(...) but not by ai variable, where source is a method (https://help.semmle.com/QL/ql-training/java/global-data-flow-java.html#10) and sink is the first argument (https://help.semmle.com/QL/ql-training/java/global-data-flow-java.html#12), which makes sense. But on changing the source to be any expr, I am unable to obtain ai variable as source. So I wanted to know how can I get ai as the source while doing taint tracking. I checked the documentation here (https://help.semmle.com/qldoc/java/semmle/code/java/dataflow/TaintTracking.qll/module.TaintTracking$TaintTracking.html) but did not find sufficient help. Any explanation or tutorial will be appreciated.

[yoff]

On what grounds would you like to deem ai a source? Based on its type? Or on the fact that getProxy is being called on it?

[SaumoPal97]

I was considering ai a source while taint tracking, as there can be values passed to it in an earlier operation which is later retrieved using getProxy(...). To elucidate my issue, I am taking an example similar to above
UriComponentsBuilder ai = UriComponentsBuilder.fromUriString(prop.getSomeProxyUrl()); UriComponents name = ai.getProxy().getNamespace(); return compileAndExecute(name, context, ....);

So here, taking the logic of using method reference expr as source and first argument of function compileAndExecute(...) as sink, I get getProxy(...) as source but not ai. But ai itself is tainted by getSomeProxyUrl(...) in the earlier step. So basically I want to deem ai as a source or at least in the path to sink from getSomeProxyUrl(...) source but using method reference as expr or even just plain expr or parameter as source and sink as described above, I am getting the source as getProxy(...) and not beyond that to reach ai or getNamespace(...).

[yoff]

So it sounds like you need UriComponentsBuilder.fromUriString to propagate taint. Then ai would be tainted from getSomeProxyUrl. Would that solve your issue?

[SaumoPal97]

That is one part of two disjoint dataflows I have now. One is where getSomeProxyUrl taints ai, second is where getProxy taints name. But I am unable to understand why ai doesn't taint name and hence getSomeProxyUrl doesn't taint name, since name = ai.getProxy().getNameSpace(). This is the missing link in the dataflow I need help with, so that the final taint tracking dataflow will have source as getSomeProxyUrl and sink is name. Let me know if my above requirements have some conceptual flaw, and if not, I need some assistance with finding the right set of predicates for source and sink.

[yoff]

So perhaps your two data flows need to be connected? The way to do that is to write them against separate configurations, see https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-611/XXE.ql for an example.

[SaumoPal97]

Yes that is surely one solution, but there is a chance that the ai variable can go through multiple transformations. So ideally I won't want to combine multiple dataflows as I wouldn't know how many disjoint ones will exist, but rather I would want ai variable to appear as a taint source. I think it would be imperative on my side to understand why ai is not a taint in this case - UriComponentsBuilder ai = UriComponentsBuilder.fromUriString(prop.getSomeProxyUrl()); UriComponents name = ai.getProxy().getNamespace(); return compileAndExecute(name, context, ....); when any Expr is a source and the sink is the first argument of the compileAndExecute method call. Any help in understanding the issue will let me clarify further.

[SaumoPal97]

Hi @yoff, I was able to resolve the issue using isAdditionalTaintStep. Closing this issue.

[yoff]

Hi, sorry for dropping out, good to hear that you solved it!