Java: make a separate threat model kind for reverse DNS sources #16760
Conversation
owen-mc
force-pushed
the
java/reverse-dns-separate-threat-model-kind
branch
from
98d91a2 to
f5456b6
Compare
owen-mc
force-pushed
the
java/reverse-dns-separate-threat-model-kind
branch
from
becc25c to
c0172a2
Compare
java/ql/lib/change-notes/2024-06-14-reverse-dns-separate-threat-model-kind.md
Outdated
Show resolved
Hide resolved
owen-mc
force-pushed
the
java/reverse-dns-separate-threat-model-kind
branch
from
e2132ad to
9874bc1
Compare
owen-mc
force-pushed
the
java/reverse-dns-separate-threat-model-kind
branch
from
9874bc1 to
8458bde
Compare
|
|
||
| The less commonly used categories are: | ||
|
|
||
| - ``android`` which represents reads from external files in Android (``android-external-storage-dir``) and parameter of an entry-point method declared in a ``ContentProvider`` class (``contentprovider``). |
There was a problem hiding this comment.
I'm assuming this is kotlin only (though maybe Java as well?).
| - ``android`` which represents reads from external files in Android (``android-external-storage-dir``) and parameter of an entry-point method declared in a ``ContentProvider`` class (``contentprovider``). | |
| - ``android`` which represents reads from external files in Android (``android-external-storage-dir``) and parameter of an entry-point method declared in a ``ContentProvider`` class (``contentprovider``). Currently only used by Kotlin. |
There was a problem hiding this comment.
It's kind of hard to tell, but at least one of the tests for this is written in java. I'll put "Java/Kotlin".
| - ``database-access-result`` which represents a database access (currently only used by javascript). | ||
| - ``file-write`` which represents opening a file in write mode (currently only used in C#). | ||
| - ``reverse-dns`` which represents reverse DNS lookups (currently only used in java). |
There was a problem hiding this comment.
Minor copy-editing:
| - ``database-access-result`` which represents a database access (currently only used by javascript). | |
| - ``file-write`` which represents opening a file in write mode (currently only used in C#). | |
| - ``reverse-dns`` which represents reverse DNS lookups (currently only used in java). | |
| - ``database-access-result`` which represents a database access. Currently only used by JavaScript. | |
| - ``file-write`` which represents opening a file in write mode. Currently only used in C#. | |
| - ``reverse-dns`` which represents reverse DNS lookups. Currently only used in Java. |
|
@aeisenberg Thanks. Note that |
| - ``remote`` which represents requests and responses from the network. | ||
| - ``local`` which represents data from local files (``file``), command-line arguments (``commandargs``), database reads (``database``), and environment variables(``environment``). | ||
| - ``remote`` which represents requests (``request``) and responses (``response``) from the network. | ||
| - ``local`` which represents data from local files (``file``), command-line arguments (``commandargs``), database reads (``database``), environment variables(``environment``) and Windows registry values ("windows-registry"). |
There was a problem hiding this comment.
Not great, but I think this expresses the information you're looking for.
| - ``local`` which represents data from local files (``file``), command-line arguments (``commandargs``), database reads (``database``), environment variables(``environment``) and Windows registry values ("windows-registry"). | |
| - ``local`` which represents data from local files (``file``), command-line arguments (``commandargs``), database reads (``database``), environment variables(``environment``) and Windows registry values ("windows-registry"). Windows registry values are used by C# only. |
They are not in use by any language yet.
|
@aeisenberg Note that I've reverted one line that I had changed in the docs - it no longer explains about the subcategories |
|
I spot-checked some of the QA results and they seemed valid. In total, 469 results were lost (and 3 extra found, which I think must be unrelated), from 5,517 projects, so on average 1 alert for every 11.8 projects. (And, of course, most users are not interested in reverse DNS as a source of untrusted data.) |
I'm new to threat models, so I may be missing something that is required. In particular, is it okay to have a threat model kind that isn't part of the hierarchy controlled by this file?
Also, I searched for other reverse DNS sources and only found this one in C#, which seems to be only be used in one query currently. Any opinion on whether that should be made a source that applies to all queries and added to this new threat model kind? (I think this should be follow-up work.)