/**
 * @name log4jshell
 * @description Tracks taint from the `String` message parameter of log4j2's
 *              `AbstractLogger.error(String)` through message construction
 *              (`newMessage`) into a JNDI lookup sink, i.e. the Log4Shell
 *              (CVE-2021-44228) flow inside log4j-core itself.
 * @kind path-problem
 * @problem.severity error
 * @precision high
 * @id java/log4j2-jndi-injection
 * @tags security
 *       external/cwe/cwe-074
 */
// NOTE(review): the id deliberately does not reuse `java/jndi-injection`, which the
// standard CodeQL Java query pack already claims; duplicate ids fail when both
// queries are run from the same suite.
import java
import semmle.code.java.security.JndiInjectionQuery
import DataFlow::PathGraph
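/**
 * Source node: the single `String` message parameter of a log4j2 level method
 * declared on `org.apache.logging.log4j.spi.AbstractLogger`
 * (`trace`/`debug`/`info`/`warn`/`error`/`fatal`).
 *
 * The query analyses log4j-core itself, so the caller-supplied message is the
 * attacker-controlled entry point. Pinning the declaring type by package
 * avoids matching an unrelated class that merely happens to be named
 * `AbstractLogger`, and matching on `TypeString` rather than the simple name
 * `"String"` avoids picking up a same-named type from another package.
 * All levels share the same `logIfEnabled` -> `newMessage` path, so the
 * originally modelled `error` is kept and the sibling levels are added.
 */
class LoggerSource extends DataFlow::Node {
  LoggerSource() {
    exists(Method m |
      m.getDeclaringType().hasQualifiedName("org.apache.logging.log4j.spi", "AbstractLogger") and
      m.getName().regexpMatch("trace|debug|info|warn|error|fatal") and
      m.getNumberOfParameters() = 1 and
      m.getParameter(0).getType() instanceof TypeString and
      this.asParameter() = m.getParameter(0)
    )
  }
}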
/**
 * Holds if `n` is located under a `src/test/` directory. Test code is excluded
 * so that unit-test fixtures do not produce alerts.
 * NOTE(review): the pattern uses forward slashes only; paths extracted on
 * Windows may not match -- confirm against the database's file paths.
 */
private predicate inTestSource(DataFlow::Node n) {
  n.getLocation().toString().regexpMatch(".*src/test/.*")
}

/**
 * Holds if `n` carries a primitive or boxed value. Such values cannot hold a
 * JNDI name, so they stop taint propagation.
 */
private predicate carriesNonStringValue(DataFlow::Node n) {
  exists(Type t | t = n.getType() | t instanceof PrimitiveType or t instanceof BoxedType)
}

/**
 * Holds if `arg` is an argument of a call to a method named `newMessage` and
 * `ret` is that call's result. This bridges the point where log4j2 wraps the
 * raw message string into a `Message` object, which default taint tracking
 * does not follow. Any method of that name is matched, regardless of its
 * declaring type.
 */
private predicate newMessageStep(DataFlow::Node arg, DataFlow::Node ret) {
  exists(MethodAccess ma |
    ma.getMethod().hasName("newMessage") and
    arg.asExpr() = ma.getAnArgument() and
    ret.asExpr() = ma
  )
}

/**
 * Taint-tracking configuration from a logger message parameter
 * (`LoggerSource`) to a JNDI lookup (`JndiInjectionSink`).
 */
class Log4j2Config extends TaintTracking::Configuration {
  Log4j2Config() { this = "Log4j2Config" }

  override predicate isSource(DataFlow::Node source) { source instanceof LoggerSource }

  override predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink }

  override predicate isSanitizer(DataFlow::Node node) {
    carriesNonStringValue(node)
    or
    inTestSource(node)
  }

  override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
    newMessageStep(n1, n2)
    or
    // reuse the library's JNDI-specific steps (e.g. through `Name`/`CompositeName`)
    any(JndiInjectionAdditionalTaintStep step).step(n1, n2)
  }
}
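/**
 * Report every flow path from a logger message parameter to a JNDI lookup.
 *
 * A path-problem query selects the sink *element* (`sink.getNode()`, not the
 * `PathNode` wrapper), the source and sink path nodes for the path view, and a
 * message. The `$@` placeholder links the alert back to the originating
 * parameter so a reader can jump to the entry point directly.
 */
from Log4j2Config config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "log4j2 rce: JNDI lookup receives a value from $@.",
  source.getNode(), "this logger message parameter"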