Missing data flow

[LFYSec]

I use the following rule of TaintTracking to query the data flow from CONTEXT_THREAD_LOCAL to if(user), but it doesn't work.

It seems that there is no data flow from CONTEXT_THREAD_LOCAL to User user variable?

override predicate isSource(DataFlow::Node source) {
    exists(FieldRead f | source.asExpr() = f | 
        not source.asExpr().getEnclosingStmt() instanceof IfStmt and
        f.getField().isStatic()
    )
}

override predicate isSink(DataFlow::Node sink) {
    exists(IfStmt ret |
        sink.asExpr() = ret.getCondition().getAChildExpr*()
    )
}

@SuppressWarnings("resource")
public static User getCurrentUser() {
    return CONTEXT_THREAD_LOCAL.get().user;
}

public static User getRequiredCurrentUser() {
    User user = getCurrentUser();
    if (user == null) {
        throw new ApiException(ApiError.AUTH_SIGNIN_REQUIRED, null, "Need signin first.");
    }
    return user;
}

[smowton]

This works for me:

public class Test {

  public static ThreadLocal<HasUser> CONTEXT_THREAD_LOCAL;

  public static User getCurrentUser() {
    return CONTEXT_THREAD_LOCAL.get().user;
  }

  public static User getRequiredCurrentUser() {
    User user = getCurrentUser();
    if (user == null) {
        throw new RuntimeException("Need signin first.");
    }
    return user;
  }

}

class HasUser {

  public User user;

}

class User { }

import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.ExternalFlow
import semmle.code.java.dataflow.internal.DataFlowPrivate as DFP

class Models extends SummaryModelCsv {
  override predicate row(string r) {
    r = "java.lang;ThreadLocal;true;get;;;Argument[-1];ReturnValue;taint;manual"
  }
}

class Configuration extends TaintTracking::Configuration {
  Configuration() { this = "rfelkgjdfslgkd" }

  override predicate isSource(DataFlow::Node source) {
    exists(FieldRead f | source.asExpr() = f |
      not source.asExpr().getEnclosingStmt() instanceof IfStmt and
      f.getField().isStatic()
    )
  }

  override predicate isSink(DataFlow::Node sink) {
    exists(IfStmt ret | sink.asExpr() = ret.getCondition().getAChildExpr*())
  }

  override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
    DFP::readStep(fromNode, any(DataFlow::FieldContent f | f.getField().getDeclaringType().hasQualifiedName("", "HasUser")), toNode)
  }
}

from Configuration c, DataFlow::Node src, DataFlow::Node sink
where c.hasFlow(src, sink)
select src, sink

I've done two things here:

1. Implement a model for ThreadLocal.get() using SummaryModelCsv indicating that if the ThreadLocal itself is considered tainted, then so is the result of get().
2. Used isAdditionalTaintStep to indicate that if a HasUser instance is tainted, then so is anything read from one of its fields (in this case a User). Per default field-reads are not considered taint-propagating like this, so we need to manually opt in to this behaviour.

[LFYSec]

Thanks!