Java: Track taint through constructor arguments of java.net.URI.

Sebastian Bauersfeld
2022-09-13 11:35:04 +07:00
parent e07e6c9053
commit 0468b3a361
3 changed files with 78 additions and 1 deletions


@@ -401,6 +401,11 @@ private class SummaryModelCsvBase extends SummaryModelCsv {
"java.io;File;false;File;;;Argument[0];Argument[-1];taint;manual",
"java.io;File;false;File;;;Argument[1];Argument[-1];taint;manual",
"java.net;URI;false;URI;(String);;Argument[0];Argument[-1];taint;manual",
"java.net;URI;false;URI;(String,String,String);;Argument[0..2];Argument[-1];taint;manual",
"java.net;URI;false;URI;(String,String,String,int,String,String,String);;Argument[0..2];Argument[-1];taint;manual",
"java.net;URI;false;URI;(String,String,String,int,String,String,String);;Argument[4..6];Argument[-1];taint;manual",
"java.net;URI;false;URI;(String,String,String,String);;Argument[0..3];Argument[-1];taint;manual",
"java.net;URI;false;URI;(String,String,String,String,String);;Argument[0..4];Argument[-1];taint;manual",
"java.net;URL;false;URL;(String);;Argument[0];Argument[-1];taint;manual",
"javax.xml.transform.stream;StreamSource;false;StreamSource;;;Argument[0];Argument[-1];taint;manual",
"javax.xml.transform.sax;SAXSource;false;SAXSource;(InputSource);;Argument[0];Argument[-1];taint;manual",
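Review bot: The seven-parameter URI model is split across two rows (`Argument[0..2]` and `Argument[4..6]`) so that index 3 is skipped, and nothing on the page tells a reader that index 3 is the `int port`, which cannot carry string taint; a `//` comment above the first of the two rows, `// index 3 is the int port, so only the String-typed parameters propagate taint`, would stop the next maintainer from "fixing" it to `Argument[0..6]`. The choice to model these constructors as taint-preserving rather than sanitizing looks right: the multi-argument constructors percent-encode illegal characters but do not remove `..` segments, so a file opened from the resulting URI (as the test's `new File(new URI(...))` does) still sees the user-controlled path. The neighbouring `java.net;URL` row covers only the `(String)` constructor; unless the `(String,String,int,String)`, `(String,String,String)` and `(URL,String)` forms are modeled elsewhere, the same treatment would be worth applying there so that URL and URI do not diverge. The enclosing string-array expression starts and ends outside the hunk.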


@@ -9,6 +9,42 @@ edges
| Test.java:80:31:80:32 | br : BufferedReader | Test.java:80:31:80:43 | readLine(...) : String |
| Test.java:80:31:80:43 | readLine(...) : String | Test.java:82:67:82:81 | ... + ... |
| Test.java:88:17:88:37 | getHostName(...) : String | Test.java:90:26:90:29 | temp |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:96:20:96:20 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:96:23:96:23 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:96:26:96:26 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:20:97:20 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:23:97:23 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:26:97:26 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:29:97:29 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:20:98:20 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:23:98:23 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:26:98:26 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:29:98:29 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:32:98:32 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:20:99:20 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:23:99:23 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:26:99:26 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:32:99:32 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:35:99:35 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:38:99:38 | t : String |
| Test.java:96:20:96:20 | t : String | Test.java:96:12:96:27 | new URI(...) |
| Test.java:96:23:96:23 | t : String | Test.java:96:12:96:27 | new URI(...) |
| Test.java:96:26:96:26 | t : String | Test.java:96:12:96:27 | new URI(...) |
| Test.java:97:20:97:20 | t : String | Test.java:97:12:97:30 | new URI(...) |
| Test.java:97:23:97:23 | t : String | Test.java:97:12:97:30 | new URI(...) |
| Test.java:97:26:97:26 | t : String | Test.java:97:12:97:30 | new URI(...) |
| Test.java:97:29:97:29 | t : String | Test.java:97:12:97:30 | new URI(...) |
| Test.java:98:20:98:20 | t : String | Test.java:98:12:98:33 | new URI(...) |
| Test.java:98:23:98:23 | t : String | Test.java:98:12:98:33 | new URI(...) |
| Test.java:98:26:98:26 | t : String | Test.java:98:12:98:33 | new URI(...) |
| Test.java:98:29:98:29 | t : String | Test.java:98:12:98:33 | new URI(...) |
| Test.java:98:32:98:32 | t : String | Test.java:98:12:98:33 | new URI(...) |
| Test.java:99:20:99:20 | t : String | Test.java:99:12:99:39 | new URI(...) |
| Test.java:99:23:99:23 | t : String | Test.java:99:12:99:39 | new URI(...) |
| Test.java:99:26:99:26 | t : String | Test.java:99:12:99:39 | new URI(...) |
| Test.java:99:32:99:32 | t : String | Test.java:99:12:99:39 | new URI(...) |
| Test.java:99:35:99:35 | t : String | Test.java:99:12:99:39 | new URI(...) |
| Test.java:99:38:99:38 | t : String | Test.java:99:12:99:39 | new URI(...) |
nodes
| Test.java:19:18:19:38 | getHostName(...) : String | semmle.label | getHostName(...) : String |
| Test.java:24:20:24:23 | temp | semmle.label | temp |
@@ -23,6 +59,29 @@ nodes
| Test.java:82:67:82:81 | ... + ... | semmle.label | ... + ... |
| Test.java:88:17:88:37 | getHostName(...) : String | semmle.label | getHostName(...) : String |
| Test.java:90:26:90:29 | temp | semmle.label | temp |
| Test.java:95:14:95:34 | getHostName(...) : String | semmle.label | getHostName(...) : String |
| Test.java:96:12:96:27 | new URI(...) | semmle.label | new URI(...) |
| Test.java:96:20:96:20 | t : String | semmle.label | t : String |
| Test.java:96:23:96:23 | t : String | semmle.label | t : String |
| Test.java:96:26:96:26 | t : String | semmle.label | t : String |
| Test.java:97:12:97:30 | new URI(...) | semmle.label | new URI(...) |
| Test.java:97:20:97:20 | t : String | semmle.label | t : String |
| Test.java:97:23:97:23 | t : String | semmle.label | t : String |
| Test.java:97:26:97:26 | t : String | semmle.label | t : String |
| Test.java:97:29:97:29 | t : String | semmle.label | t : String |
| Test.java:98:12:98:33 | new URI(...) | semmle.label | new URI(...) |
| Test.java:98:20:98:20 | t : String | semmle.label | t : String |
| Test.java:98:23:98:23 | t : String | semmle.label | t : String |
| Test.java:98:26:98:26 | t : String | semmle.label | t : String |
| Test.java:98:29:98:29 | t : String | semmle.label | t : String |
| Test.java:98:32:98:32 | t : String | semmle.label | t : String |
| Test.java:99:12:99:39 | new URI(...) | semmle.label | new URI(...) |
| Test.java:99:20:99:20 | t : String | semmle.label | t : String |
| Test.java:99:23:99:23 | t : String | semmle.label | t : String |
| Test.java:99:26:99:26 | t : String | semmle.label | t : String |
| Test.java:99:32:99:32 | t : String | semmle.label | t : String |
| Test.java:99:35:99:35 | t : String | semmle.label | t : String |
| Test.java:99:38:99:38 | t : String | semmle.label | t : String |
subpaths
#select
| Test.java:24:11:24:24 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
@@ -31,3 +90,7 @@ subpaths
| Test.java:34:12:34:25 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:34:21:34:24 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
| Test.java:82:52:82:88 | new FileWriter(...) | Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:82:67:82:81 | ... + ... | $@ flows to here and is used in a path. | Test.java:79:74:79:97 | getInputStream(...) | User-provided value |
| Test.java:90:26:90:29 | temp | Test.java:88:17:88:37 | getHostName(...) : String | Test.java:90:26:90:29 | temp | $@ flows to here and is used in a path. | Test.java:88:17:88:37 | getHostName(...) | User-provided value |
| Test.java:96:3:96:28 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:96:12:96:27 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
| Test.java:97:3:97:31 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:12:97:30 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
| Test.java:98:3:98:34 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:12:98:33 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
| Test.java:99:3:99:40 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:12:99:39 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |


@@ -6,7 +6,7 @@ import javax.servlet.http.*;
import javax.servlet.ServletException;
import java.io.*;
import java.net.InetAddress;
import java.net.*;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.FileSystems;
@@ -89,4 +89,13 @@ class Test {
// BAD: open a file based on user input, using a MaD-documented API
new LockableFileWriter(temp);
}
void doGet5(InetAddress address)
throws URISyntaxException {
String t = address.getHostName();
new File(new URI(t, t, t));
new File(new URI(t, t, t, t));
new File(new URI(t, t, t, t, t));
new File(new URI(t, t, t, 0, t, t, t));
}
}
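Review bot: The four `new File(new URI(...))` calls in `doGet5` carry no `// BAD:` marker, while the preceding method annotates its sink with `// BAD: open a file based on user input, using a MaD-documented API`; each line in this test file is an expected finding, and the existing convention is what lets a reader match the `#select` rows to the source, so add e.g. `// BAD: open a file whose URI is built from user input` above the first call (or on each). The import hunk replaces `import java.net.InetAddress;` with the wildcard `import java.net.*;`, which is inconsistent with the explicit `java.nio.file.Path`/`Paths`/`FileSystems` imports visible just below it; `import java.net.InetAddress; import java.net.URI; import java.net.URISyntaxException;` keeps the file's existing style. Class `Test` starts outside the hunk.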