Question about monotonic recursion in customizations

[chmodxxx]

Hey @rvermeulen

I'm hitting an issue when setting up a customizations for JndiInjectionQuery (https://github.com/github/codeql/blob/bbd7e623418e41775c90cfbbe44ad25b3bf9c5e3/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll#L12)

so the code I have right now in my Customizations.qll is :

import java 

private import semmle.code.java.dataflow.FlowSources
private import semmle.code.java.security.JndiInjectionQuery

class JndiInjectionSanitizer extends JndiInjectionFlowConfig {
    override predicate isSanitizer(DataFlow::Node node) { 
        exists(MethodAccess containsCall |
            containsCall.getMethod().toString() = "contains" and
            containsCall.getMethod() instanceof CollectionMethod and
            containsCall.getAnArgument() = node.asExpr()
          )
      }
}

However this is returning an error about monotonic-recursion in a bunch of files, is this not the correct way to customize the sanitizer of a flowconfig class ?

[rvermeulen]

Hi @chmodxxx,

The way to customize a data flow configuration is to subclass the abstract classes used by the configuration. See https://github.com/github/codeql/blob/main/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll#L31 for an example.

Unfortunately, the JndiInjectionFlowConfig configuration doesn't allow additional sanitizers. This might be a good candidate for a PR against github/codeql where the sanitizer becomes.

override predicate isSanitizer(DataFlow::Node node) {
    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
    or
    node instanceof JndiInjectionSanitizer
  }

and https://github.com/github/codeql/blob/main/java/ql/lib/semmle/code/java/security/JndiInjection.qll implements

abstract class JndiInjectionSanitizer extends DataFlow::Node { }

Once that is merged your customization becomes

class ContainsJndiInjectionSanitizer extends JndiInjectionSanitizer {
    ContainsJndiInjectionSanitizer() { 
        exists(MethodAccess containsCall |
            containsCall.getMethod().hasName("contains") and
            containsCall.getMethod() instanceof CollectionMethod and
            containsCall.getAnArgument() = this.asExpr()
          )
      }
}

[chmodxxx]

ah yes, that makes a lot of sense, thank you.
Also unrelated, is there a plan when you want to publish this script to pypi or move it to another org (e,g codeql), just want to make sure if we point to this repo we won't have to update it later on.

[rvermeulen]

It might get moved to the github.com/advanced-security org in the near future.