Merge branch 'main' into fix/update-gson-model

This commit is contained in:
Eric Bickle
2024-01-02 14:05:33 -08:00
committed by GitHub
383 changed files with 23119 additions and 2317 deletions


@@ -1,3 +1,7 @@
## 0.0.10
No user-facing changes.
## 0.0.9
No user-facing changes.


@@ -0,0 +1,3 @@
## 0.0.10
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.0.9
lastReleaseVersion: 0.0.10


@@ -1,5 +1,5 @@
name: codeql/java-automodel-queries
version: 0.0.10-dev
version: 0.0.11-dev
groups:
- java
- automodel


@@ -0,0 +1,2 @@
http://localhost:9428/releases/com/github/my/other/repo/test/otherreleasetest/1.0/otherreleasetest-1.0.jar
http://localhost:9429/releases/com/github/hosted/in/other/repo/test/inotherrepo/1.0/inotherrepo-1.0.jar


@@ -0,0 +1,28 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.mycompany.app</groupId>
<artifactId>my-app</artifactId>
<version>1.0-SNAPSHOT</version>
<properties>
<maven.compiler.source>8</maven.compiler.source>
<maven.compiler.target>8</maven.compiler.target>
</properties>
<repositories>
<repository>
<id>first-test-repo</id>
<url>http://localhost:9428/releases</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>com.github.my.other.repo.test</groupId>
<artifactId>otherreleasetest</artifactId>
<version>1.0</version>
</dependency>
</dependencies>
</project>


@@ -0,0 +1,24 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.github.my.other.repo.test</groupId>
<artifactId>otherreleasetest</artifactId>
<version>1.0</version>
<repositories>
<repository>
<id>second-test-repo</id>
<url>http://localhost:9429/releases</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>com.github.hosted.in.other.repo.test</groupId>
<artifactId>inotherrepo</artifactId>
<version>1.0</version>
</dependency>
</dependencies>
</project>


@@ -0,0 +1,8 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.github.hosted.in.other.repo.test</groupId>
<artifactId>inotherrepo</artifactId>
<version>1.0</version>
</project>


@@ -0,0 +1,8 @@
import testpkg.DepClass;
import testpkg2.DepClass2;
public class Test {
DepClass2 dc2 = DepClass.getDep2();
}


@@ -0,0 +1,3 @@
diagnostics
#select
| DepClass |


@@ -0,0 +1,19 @@
import sys
from create_database_utils import *
from buildless_test_utils import *
import subprocess
repo_server_process = subprocess.Popen(["python3", "-m", "http.server", "9428"], cwd = "repo")
repo_server_process2 = subprocess.Popen(["python3", "-m", "http.server", "9429"], cwd = "repo2")
try:
run_codeql_database_create([], lang="java", extra_args=["--extractor-option=buildless=true"], extra_env={"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true"})
finally:
try:
repo_server_process.kill()
except Exception as e:
print("Failed to kill server 1:", e, file = sys.stderr)
repo_server_process2.kill()
check_buildless_fetches()
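Review bot: The second server's `repo_server_process2.kill()` at the end of the `finally` block is not guarded the way the first kill is, so a failure there skips `check_buildless_fetches()` and turns a cleanup problem into a test failure, and neither process is `wait()`ed afterwards, so both linger as zombies until the interpreter exits. Separately, `python3 -m http.server` listens on all interfaces by default, so for the duration of the test the contents of `repo` and `repo2` are served to anything that can reach the runner, while the fixture POMs only ever address `localhost`; adding `"--bind", "127.0.0.1"` to both `Popen` calls keeps them loopback-only. The same unbound server is started by the sibling test whose hunk begins `repo_server_process = subprocess.Popen(["python3", "-m", "http.server", "9427"], cwd = "repo")`. Nothing waits for the servers to accept connections before `run_codeql_database_create` runs either, which may make the test flaky on a slow runner; that part is inferred, since the helper's behaviour is not visible here.
```python
repo_server_process = subprocess.Popen(["python3", "-m", "http.server", "--bind", "127.0.0.1", "9428"], cwd = "repo")
repo_server_process2 = subprocess.Popen(["python3", "-m", "http.server", "--bind", "127.0.0.1", "9429"], cwd = "repo2")
try:
    # … unchanged: run_codeql_database_create(...) …
finally:
    for server in (repo_server_process, repo_server_process2):
        try:
            server.kill()
            server.wait()
        except Exception as e:
            print("Failed to kill server:", e, file = sys.stderr)
check_buildless_fetches()
```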


@@ -0,0 +1,8 @@
import java
import semmle.code.java.Diagnostics
query predicate diagnostics(Diagnostic d) { any() }
from Class c
where c.getName() = "DepClass"
select c.toString()


@@ -0,0 +1,9 @@
#
# https://help.github.com/articles/dealing-with-line-endings/
#
# Linux start script should use lf
/gradlew text eol=lf
# These are Windows script files and should use crlf
*.bat text eol=crlf


@@ -0,0 +1,5 @@
# Ignore Gradle project-specific cache directory
.gradle
# Ignore Gradle build output directory
build


@@ -0,0 +1,16 @@
/*
* This file was generated by the Gradle 'init' task.
*
* This is a general purpose Gradle build.
* To learn more about Gradle by exploring our Samples at https://docs.gradle.org/8.3/samples
*/
apply plugin: 'java-library'
repositories {
mavenCentral()
}
dependencies {
api 'org.apache.commons:commons-math3:3.6.1'
}


@@ -0,0 +1 @@
https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar


@@ -0,0 +1,56 @@
{
"markdownMessage": "Java buildless mode used build tool Gradle to pick a JDK version and/or to recommend external dependencies.",
"severity": "unknown",
"source": {
"extractorName": "java",
"id": "java/autobuilder/buildless/using-build-tool-advice",
"name": "Java buildless mode used build tool Gradle to pick a JDK version and/or to recommend external dependencies"
},
"visibility": {
"cliSummaryTable": true,
"statusPage": false,
"telemetry": true
}
}
{
"markdownMessage": "Java buildless mode used the system default JDK.",
"severity": "unknown",
"source": {
"extractorName": "java",
"id": "java/autobuilder/buildless/jdk-system-default",
"name": "Java buildless mode used the system default JDK"
},
"visibility": {
"cliSummaryTable": true,
"statusPage": false,
"telemetry": true
}
}
{
"markdownMessage": "Java was extracted in buildless mode. This means that all Java source in the working directory will be scanned, with build tools such as Maven and Gradle only contributing information about external dependencies.",
"severity": "note",
"source": {
"extractorName": "java",
"id": "java/autobuilder/buildless/mode-active",
"name": "Java was extracted in buildless mode"
},
"visibility": {
"cliSummaryTable": true,
"statusPage": true,
"telemetry": true
}
}
{
"markdownMessage": "Reading the dependency graph from Gradle build files provided 1 classpath entries",
"severity": "unknown",
"source": {
"extractorName": "java",
"id": "java/autobuilder/buildless/depgraph-provided-by-gradle",
"name": "Java buildless mode extracted precise dependency graph information from Gradle"
},
"visibility": {
"cliSummaryTable": true,
"statusPage": false,
"telemetry": true
}
}


@@ -0,0 +1,3 @@
# We currently have a bug where gradle tests become flaky when executed in parallel
# - sometimes, gradle fails to connect to the gradle daemon.
# Therefore, force this test to run sequentially.


@@ -0,0 +1,7 @@
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-8.3-bin.zip
networkTimeout=10000
validateDistributionUrl=true
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
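Review bot: The wrapper properties pin `distributionUrl` to `gradle-8.3-bin.zip` but carry no `distributionSha256Sum`, so the wrapper accepts whatever archive the download returns; `validateDistributionUrl=true` does not verify the downloaded content. Since this fixture does run Gradle (the sibling options file mentions daemon connection flakiness), add `distributionSha256Sum=<sha256 of gradle-8.3-bin.zip, from the Gradle release checksums page>` so the distribution is verified before it is executed. If the wrapper is never invoked in CI the point is moot, but the checksum line is cheap insurance either way.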


@@ -0,0 +1,249 @@
#!/bin/sh
#
# Copyright © 2015-2021 the original authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
##############################################################################
#
# Gradle start up script for POSIX generated by Gradle.
#
# Important for running:
#
# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is
# noncompliant, but you have some other compliant shell such as ksh or
# bash, then to run this script, type that shell name before the whole
# command line, like:
#
# ksh Gradle
#
# Busybox and similar reduced shells will NOT work, because this script
# requires all of these POSIX shell features:
# * functions;
# * expansions «$var», «${var}», «${var:-default}», «${var+SET}»,
# «${var#prefix}», «${var%suffix}», and «$( cmd )»;
# * compound commands having a testable exit status, especially «case»;
# * various built-in commands including «command», «set», and «ulimit».
#
# Important for patching:
#
# (2) This script targets any POSIX shell, so it avoids extensions provided
# by Bash, Ksh, etc; in particular arrays are avoided.
#
# The "traditional" practice of packing multiple parameters into a
# space-separated string is a well documented source of bugs and security
# problems, so this is (mostly) avoided, by progressively accumulating
# options in "$@", and eventually passing that to Java.
#
# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS,
# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly;
# see the in-line comments for details.
#
# There are tweaks for specific operating systems such as AIX, CygWin,
# Darwin, MinGW, and NonStop.
#
# (3) This script is generated from the Groovy template
# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
# within the Gradle project.
#
# You can find Gradle at https://github.com/gradle/gradle/.
#
##############################################################################
# Attempt to set APP_HOME
# Resolve links: $0 may be a link
app_path=$0
# Need this for daisy-chained symlinks.
while
APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path
[ -h "$app_path" ]
do
ls=$( ls -ld "$app_path" )
link=${ls#*' -> '}
case $link in #(
/*) app_path=$link ;; #(
*) app_path=$APP_HOME$link ;;
esac
done
# This is normally unused
# shellcheck disable=SC2034
APP_BASE_NAME=${0##*/}
# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
# Use the maximum available, or set MAX_FD != -1 to use that value.
MAX_FD=maximum
warn () {
echo "$*"
} >&2
die () {
echo
echo "$*"
echo
exit 1
} >&2
# OS specific support (must be 'true' or 'false').
cygwin=false
msys=false
darwin=false
nonstop=false
case "$( uname )" in #(
CYGWIN* ) cygwin=true ;; #(
Darwin* ) darwin=true ;; #(
MSYS* | MINGW* ) msys=true ;; #(
NONSTOP* ) nonstop=true ;;
esac
CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
# Determine the Java command to use to start the JVM.
if [ -n "$JAVA_HOME" ] ; then
if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
# IBM's JDK on AIX uses strange locations for the executables
JAVACMD=$JAVA_HOME/jre/sh/java
else
JAVACMD=$JAVA_HOME/bin/java
fi
if [ ! -x "$JAVACMD" ] ; then
die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
fi
else
JAVACMD=java
if ! command -v java >/dev/null 2>&1
then
die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
fi
fi
# Increase the maximum file descriptors if we can.
if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
case $MAX_FD in #(
max*)
# In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
# shellcheck disable=SC3045
MAX_FD=$( ulimit -H -n ) ||
warn "Could not query maximum file descriptor limit"
esac
case $MAX_FD in #(
'' | soft) :;; #(
*)
# In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
# shellcheck disable=SC3045
ulimit -n "$MAX_FD" ||
warn "Could not set maximum file descriptor limit to $MAX_FD"
esac
fi
# Collect all arguments for the java command, stacking in reverse order:
# * args from the command line
# * the main class name
# * -classpath
# * -D...appname settings
# * --module-path (only if needed)
# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables.
# For Cygwin or MSYS, switch paths to Windows format before running java
if "$cygwin" || "$msys" ; then
APP_HOME=$( cygpath --path --mixed "$APP_HOME" )
CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" )
JAVACMD=$( cygpath --unix "$JAVACMD" )
# Now convert the arguments - kludge to limit ourselves to /bin/sh
for arg do
if
case $arg in #(
-*) false ;; # don't mess with options #(
/?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath
[ -e "$t" ] ;; #(
*) false ;;
esac
then
arg=$( cygpath --path --ignore --mixed "$arg" )
fi
# Roll the args list around exactly as many times as the number of
# args, so each arg winds up back in the position where it started, but
# possibly modified.
#
# NB: a `for` loop captures its iteration list before it begins, so
# changing the positional parameters here affects neither the number of
# iterations, nor the values presented in `arg`.
shift # remove old arg
set -- "$@" "$arg" # push replacement arg
done
fi
# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
# Collect all arguments for the java command;
# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of
# shell script including quotes and variable substitutions, so put them in
# double quotes to make sure that they get re-expanded; and
# * put everything else in single quotes, so that it's not re-expanded.
set -- \
"-Dorg.gradle.appname=$APP_BASE_NAME" \
-classpath "$CLASSPATH" \
org.gradle.wrapper.GradleWrapperMain \
"$@"
# Stop when "xargs" is not available.
if ! command -v xargs >/dev/null 2>&1
then
die "xargs is not available"
fi
# Use "xargs" to parse quoted args.
#
# With -n1 it outputs one arg per line, with the quotes and backslashes removed.
#
# In Bash we could simply go:
#
# readarray ARGS < <( xargs -n1 <<<"$var" ) &&
# set -- "${ARGS[@]}" "$@"
#
# but POSIX shell has neither arrays nor command substitution, so instead we
# post-process each arg (as a line of input to sed) to backslash-escape any
# character that might be a shell metacharacter, then use eval to reverse
# that process (while maintaining the separation between arguments), and wrap
# the whole thing up as a single "set" statement.
#
# This will of course break if any of these variables contains a newline or
# an unmatched quote.
#
eval "set -- $(
printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" |
xargs -n1 |
sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' |
tr '\n' ' '
)" '"$@"'
exec "$JAVACMD" "$@"


@@ -0,0 +1,92 @@
@rem
@rem Copyright 2015 the original author or authors.
@rem
@rem Licensed under the Apache License, Version 2.0 (the "License");
@rem you may not use this file except in compliance with the License.
@rem You may obtain a copy of the License at
@rem
@rem https://www.apache.org/licenses/LICENSE-2.0
@rem
@rem Unless required by applicable law or agreed to in writing, software
@rem distributed under the License is distributed on an "AS IS" BASIS,
@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@rem See the License for the specific language governing permissions and
@rem limitations under the License.
@rem
@if "%DEBUG%"=="" @echo off
@rem ##########################################################################
@rem
@rem Gradle startup script for Windows
@rem
@rem ##########################################################################
@rem Set local scope for the variables with windows NT shell
if "%OS%"=="Windows_NT" setlocal
set DIRNAME=%~dp0
if "%DIRNAME%"=="" set DIRNAME=.
@rem This is normally unused
set APP_BASE_NAME=%~n0
set APP_HOME=%DIRNAME%
@rem Resolve any "." and ".." in APP_HOME to make it shorter.
for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
@rem Find java.exe
if defined JAVA_HOME goto findJavaFromJavaHome
set JAVA_EXE=java.exe
%JAVA_EXE% -version >NUL 2>&1
if %ERRORLEVEL% equ 0 goto execute
echo.
echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.
goto fail
:findJavaFromJavaHome
set JAVA_HOME=%JAVA_HOME:"=%
set JAVA_EXE=%JAVA_HOME%/bin/java.exe
if exist "%JAVA_EXE%" goto execute
echo.
echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.
goto fail
:execute
@rem Setup the command line
set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
@rem Execute Gradle
"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
:end
@rem End local scope for the variables with windows NT shell
if %ERRORLEVEL% equ 0 goto mainEnd
:fail
rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
rem the _cmd.exe /c_ return code!
set EXIT_CODE=%ERRORLEVEL%
if %EXIT_CODE% equ 0 set EXIT_CODE=1
if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE%
exit /b %EXIT_CODE%
:mainEnd
if "%OS%"=="Windows_NT" endlocal
:omega


@@ -0,0 +1,8 @@
/*
* This file was generated by the Gradle 'init' task.
*
* The settings file is used to specify which projects to include in your build.
* For more detailed information on multi-project builds, please refer to https://docs.gradle.org/8.3/userguide/building_swift_projects.html in the Gradle documentation.
*/
rootProject.name = 'buildless-gradle'


@@ -0,0 +1,9 @@
package com.fractestexample;
import org.apache.commons.math3.fraction.Fraction;
public class Test {
public Fraction test() { return Fraction.ONE; }
}


@@ -0,0 +1 @@
| src/main/java/com/fractestexample/Test.java:0:0:0:0 | Test |


@@ -0,0 +1,8 @@
from create_database_utils import *
from diagnostics_test_utils import *
from buildless_test_utils import *
run_codeql_database_create([], lang="java", extra_env={"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true", "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true"})
check_diagnostics()
check_buildless_fetches()


@@ -0,0 +1,5 @@
import java
from File f
where f.isSourceFile()
select f


@@ -0,0 +1,26 @@
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
https://repo.maven.apache.org/maven2/com/intuit/benten/benten-examples/0.1.5/benten-examples-0.1.5.jar
https://repo.maven.apache.org/maven2/com/jakewharton/twirl/sample-runtime/1.2.0/sample-runtime-1.2.0.jar
https://repo.maven.apache.org/maven2/com/mattunderscore/code/generation/specky/plugin-example/0.8.0/plugin-example-0.8.0.jar
https://repo.maven.apache.org/maven2/com/microsoft/tang/tang-test-jarAB/0.9/tang-test-jarAB-0.9.jar
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/rx-redis-example_2.11-0.1.2.jar
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-mustache/0.5.10/minijax-example-mustache-0.5.10.jar
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-petclinic/0.5.10/minijax-example-petclinic-0.5.10.jar
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-security/0.5.10/minijax-example-security-0.5.10.jar
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-ssl/0.5.10/minijax-example-ssl-0.5.10.jar
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-todo-backend/0.5.10/minijax-example-todo-backend-0.5.10.jar
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-websocket/0.5.10/minijax-example-websocket-0.5.10.jar
https://repo.maven.apache.org/maven2/org/scalamock/scalamock-examples_2.10/3.6.0/scalamock-examples_2.10-3.6.0.jar
https://repo.maven.apache.org/maven2/org/somda/sdc/glue-examples/4.0.0/glue-examples-4.0.0.jar
https://repo.maven.apache.org/maven2/us/fatehi/schemacrawler-examplecode/16.20.2/schemacrawler-examplecode-16.20.2.jar
https://repo1.maven.org/maven2/junit/junit/4.11/junit-4.11.jar
https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar


@@ -0,0 +1,26 @@
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
https://repo.maven.apache.org/maven2/com/intuit/benten/benten-examples/0.1.5/benten-examples-0.1.5.jar
https://repo.maven.apache.org/maven2/com/jakewharton/twirl/sample-runtime/1.2.0/sample-runtime-1.2.0.jar
https://repo.maven.apache.org/maven2/com/mattunderscore/code/generation/specky/plugin-example/0.8.0/plugin-example-0.8.0.jar
https://repo.maven.apache.org/maven2/com/microsoft/tang/tang-test-jarAB/0.9/tang-test-jarAB-0.9.jar
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/rx-redis-example_2.11-0.1.2.jar
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-mustache/0.5.10/minijax-example-mustache-0.5.10.jar
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-petclinic/0.5.10/minijax-example-petclinic-0.5.10.jar
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-security/0.5.10/minijax-example-security-0.5.10.jar
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-ssl/0.5.10/minijax-example-ssl-0.5.10.jar
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-todo-backend/0.5.10/minijax-example-todo-backend-0.5.10.jar
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-websocket/0.5.10/minijax-example-websocket-0.5.10.jar
https://repo.maven.apache.org/maven2/org/scalamock/scalamock-examples_2.10/3.6.0/scalamock-examples_2.10-3.6.0.jar
https://repo.maven.apache.org/maven2/org/somda/sdc/glue-examples/4.0.0/glue-examples-4.0.0.jar
https://repo.maven.apache.org/maven2/us/fatehi/schemacrawler-examplecode/16.20.2/schemacrawler-examplecode-16.20.2.jar
https://repo1.maven.org/maven2/junit/junit/4.11/junit-4.11.jar
https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar


@@ -0,0 +1,10 @@
#select
| src/main/java/com/example/App.java:0:0:0:0 | App |
| src/test/java/com/example/AppTest.java:0:0:0:0 | AppTest |
xmlFiles
| pom.xml:0:0:0:0 | pom.xml |
| src/main/resources/page.xml:0:0:0:0 | src/main/resources/page.xml |
| src/main/resources/struts.xml:0:0:0:0 | src/main/resources/struts.xml |
propertiesFiles
| src/main/resources/my-app.properties:0:0:0:0 | src/main/resources/my-app.properties |
| test-db/log/ext/javac.properties:0:0:0:0 | test-db/log/ext/javac.properties |


@@ -1,8 +1,8 @@
import sys
from create_database_utils import *
from diagnostics_test_utils import *
from buildless_test_utils import *
run_codeql_database_create([], lang="java", extra_env={"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true", "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true"})
check_diagnostics()
check_buildless_fetches()


@@ -0,0 +1 @@
http://localhost:9427/snapshots/com/github/my/snapshot/test/snapshottest/1.0-SNAPSHOT/snapshottest-1.0-20230901.050514-100.jar


@@ -1,6 +1,7 @@
import sys
from create_database_utils import *
from buildless_test_utils import *
import subprocess
repo_server_process = subprocess.Popen(["python3", "-m", "http.server", "9427"], cwd = "repo")
@@ -10,3 +11,4 @@ try:
finally:
repo_server_process.kill()
check_buildless_fetches()


@@ -1,3 +1,7 @@
## 0.8.5
No user-facing changes.
## 0.8.4
### Minor Analysis Improvements


@@ -0,0 +1,12 @@
---
category: minorAnalysis
---
* Added models for the following packages:
* com.alibaba.druid.sql.repository
* jakarta.persistence
* jakarta.persistence.criteria
* liquibase.database.jvm
* liquibase.statement.core
* org.apache.ibatis.mapping
* org.keycloak.models.map.storage


@@ -0,0 +1,16 @@
---
category: minorAnalysis
---
* Added models for the following packages:
* com.google.common.io
* hudson
* hudson.console
* java.lang
* java.net
* java.util.logging
* javax.imageio.stream
* org.apache.commons.io
* org.apache.hadoop.hive.ql.exec
* org.apache.hadoop.hive.ql.metadata
* org.apache.tools.ant.taskdefs


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added the `Map#replace` and `Map#replaceAll` methods to the `MapMutator` class in `semmle.code.java.Maps`.


@@ -0,0 +1,3 @@
## 0.8.5
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.4
lastReleaseVersion: 0.8.5


@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["com.alibaba.druid.sql.repository", "SchemaRepository", True, "console", "(String)", "", "Argument[0]", "sql-injection", "ai-manual"]


@@ -3,9 +3,11 @@ extensions:
pack: codeql/java-all
extensible: sinkModel
data:
- ["com.google.common.io", "Files", False, "asByteSink", "(File,FileWriteMode[])", "", "Argument[0]", "path-injection", "ai-manual"]
- ["com.google.common.io", "Files", False, "asCharSink", "(File,Charset,FileWriteMode[])", "", "Argument[0]", "path-injection", "ai-manual"]
- ["com.google.common.io", "Files", False, "asCharSource", "(File,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["com.google.common.io", "Files", False, "copy", "(File,OutputStream)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["com.google.common.io", "Files", False, "newWriter", "(File,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["com.google.common.io", "Files", False, "readLines", "(File,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["com.google.common.io", "Files", False, "toByteArray", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["com.google.common.io", "Files", False, "toString", "(File,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]


@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["hudson.console", "AnnotatedLargeText", True, "AnnotatedLargeText", "(File,Charset,boolean,Object)", "", "Argument[0]", "Argument[this]", "taint", "ai-manual"]


@@ -3,6 +3,8 @@ extensions:
pack: codeql/java-all
extensible: sinkModel
data:
- ["hudson", "FilePath", False, "tar", "(OutputStream,String)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["hudson", "FilePath", False, "unzipFrom", "(InputStream)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["hudson", "FilePath", True, "copyFrom", "", "", "Argument[this]", "path-injection", "manual"]
- ["hudson", "FilePath", True, "copyFrom", "(FilePath)", "", "Argument[0]", "path-injection", "manual"]
- ["hudson", "FilePath", True, "copyFrom", "(URL)", "", "Argument[0]", "path-injection", "manual"]
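Review bot: The new `hudson.FilePath.tar(OutputStream,String)` row marks `Argument[0]`, the `OutputStream` the archive is written to, as a path-injection sink, while the path-like operand of that call is the glob in `Argument[1]` that selects what gets archived; unless a tainted stream object was deliberately meant, the index looks off (the method's semantics are inferred, not visible in the hunk). If the glob is the intent the row should read `- ["hudson", "FilePath", False, "tar", "(OutputStream,String)", "", "Argument[1]", "path-injection", "ai-manual"]`. The `unzipFrom(InputStream)` row beside it is consistent with the existing `copyFrom(URL)` sink and reads fine. Which two of the five lines are the additions is inferred from the `ai-manual` provenance; the context rows carry `manual`.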
@@ -32,6 +34,7 @@ extensions:
- ["hudson", "Launcher$ProcStarter", False, "cmdAsSingleString", "", "", "Argument[0]", "command-injection", "manual"]
- ["hudson", "Launcher", True, "launch", "", "", "Argument[0]", "command-injection", "manual"]
- ["hudson", "Launcher", True, "launchChannel", "", "", "Argument[0]", "command-injection", "manual"]
- ["hudson", "XmlFile", False, "XmlFile", "(XStream,File)", "", "Argument[1]", "path-injection", "ai-manual"]
- addsTo:
pack: codeql/java-all
extensible: sourceModel


@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["jakarta.persistence.criteria", "CriteriaBuilder", True, "concat", "(String,Expression)", "", "Argument[1]", "ReturnValue", "taint", "ai-manual"]
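Review bot: The `CriteriaBuilder.concat(String,Expression)` summary propagates taint only from `Argument[1]`; the `String` operand in `Argument[0]` is concatenated into the same result, so a tainted first operand is silently dropped by this model. Unless that omission is deliberate, add the parallel row `- ["jakarta.persistence.criteria", "CriteriaBuilder", True, "concat", "(String,Expression)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]`. The `(Expression,String)` and `(Expression,Expression)` overloads of `concat` are not covered in this file either, which is worth a look if this is the package's first model set.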


@@ -0,0 +1,7 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["jakarta.persistence", "EntityManager", True, "createNativeQuery", "(String,Class)", "", "Argument[0]", "sql-injection", "ai-manual"]
- ["jakarta.persistence", "EntityManager", True, "createQuery", "(CriteriaDelete)", "", "Argument[0]", "sql-injection", "ai-manual"]


@@ -13,6 +13,7 @@ extensions:
- ["java.lang", "ProcessBuilder", False, "directory", "(File)", "", "Argument[0]", "command-injection", "ai-manual"]
- ["java.lang", "ProcessBuilder", False, "ProcessBuilder", "(List)", "", "Argument[0]", "command-injection", "ai-manual"]
- ["java.lang", "ProcessBuilder", False, "ProcessBuilder", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"]
- ["java.lang", "ProcessBuilder", False, "redirectError", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.lang", "Runtime", True, "exec", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
- ["java.lang", "Runtime", True, "exec", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"]
- ["java.lang", "Runtime", True, "exec", "(String[],String[])", "", "Argument[0]", "command-injection", "ai-manual"]


@@ -9,6 +9,7 @@ extensions:
pack: codeql/java-all
extensible: sinkModel
data:
- ["java.net", "DatagramPacket", False, "DatagramPacket", "(byte[],int,InetAddress,int)", "", "Argument[2]", "request-forgery", "ai-manual"]
- ["java.net", "DatagramSocket", True, "connect", "(SocketAddress)", "", "Argument[0]", "request-forgery", "ai-manual"]
- ["java.net", "PasswordAuthentication", False, "PasswordAuthentication", "(String,char[])", "", "Argument[1]", "credentials-password", "hq-generated"]
- ["java.net", "Socket", True, "Socket", "(String,int)", "", "Argument[0]", "request-forgery", "ai-manual"]


@@ -3,6 +3,8 @@ extensions:
pack: codeql/java-all
extensible: sinkModel
data:
- ["java.util.logging", "FileHandler", True, "FileHandler", "(String,boolean)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.util.logging", "FileHandler", True, "FileHandler", "(String,int,int)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.util.logging", "Logger", True, "config", "", "", "Argument[0]", "log-injection", "manual"]
- ["java.util.logging", "Logger", True, "entering", "(String,String)", "", "Argument[0..1]", "log-injection", "manual"]
- ["java.util.logging", "Logger", True, "entering", "(String,String,Object)", "", "Argument[0..2]", "log-injection", "manual"]
@@ -44,7 +46,6 @@ extensions:
- ["java.util.logging", "Logger", False, "getLogger", "(String)", "", "Argument[0]", "ReturnValue.SyntheticField[java.util.logging.Logger.name]", "value", "manual"]
- ["java.util.logging", "Logger", False, "getName", "()", "", "Argument[this].SyntheticField[java.util.logging.Logger.name]", "ReturnValue", "value", "manual"]
- ["java.util.logging", "LogRecord", False, "LogRecord", "", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- addsTo:
pack: codeql/java-all
extensible: neutralModel


@@ -1,7 +1,11 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["javax.imageio.stream", "FileCacheImageInputStream", True, "FileCacheImageInputStream", "(InputStream,File)", "", "Argument[0]", "Argument[this].Element", "taint", "ai-manual"]
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["javax.imageio.stream", "FileImageOutputStream", True, "FileImageOutputStream", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]


@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["liquibase.database.jvm", "JdbcConnection", True, "prepareStatement", "(String)", "", "Argument[0]", "sql-injection", "ai-manual"]


@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["liquibase.statement.core", "RawSqlStatement", True, "RawSqlStatement", "(String)", "", "Argument[0]", "sql-injection", "ai-manual"]


@@ -3,6 +3,8 @@ extensions:
pack: codeql/java-all
extensible: summaryModel
data:
- ["org.apache.commons.io", "FileUtils", False, "listFiles", "(File,IOFileFilter,IOFileFilter)", "", "Argument[0]", "ReturnValue.Element", "taint", "ai-manual"]
- ["org.apache.commons.io", "FileUtils", False, "listFiles", "(File,String[],boolean)", "", "Argument[0]", "ReturnValue.Element", "taint", "ai-manual"]
# Models that are not yet auto generated or where the generated summaries will
# be ignored.
# Note that if a callable has any handwritten summary, all generated summaries
@@ -16,8 +18,14 @@ extensions:
pack: codeql/java-all
extensible: sinkModel
data:
- ["org.apache.commons.io", "FileUtils", False, "forceMkdir", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["org.apache.commons.io", "FileUtils", False, "moveDirectory", "(File,File)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["org.apache.commons.io", "FileUtils", False, "readFileToByteArray", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["org.apache.commons.io", "FileUtils", False, "writeLines", "(File,String,Collection,String)", "", "Argument[3]", "file-content-store", "ai-manual"]
- ["org.apache.commons.io", "FileUtils", False, "writeStringToFile", "(File,String,Charset,boolean)", "", "Argument[1]", "file-content-store", "ai-manual"]
- ["org.apache.commons.io", "FileUtils", True, "copyInputStreamToFile", "(InputStream,File)", "", "Argument[0]", "file-content-store", "ai-manual"]
- ["org.apache.commons.io", "FileUtils", True, "copyInputStreamToFile", "(InputStream,File)", "", "Argument[1]", "path-injection", "manual"]
- ["org.apache.commons.io", "FileUtils", True, "copyToFile", "(InputStream,File)", "", "Argument[0]", "file-content-store", "ai-manual"]
- ["org.apache.commons.io", "FileUtils", True, "copyToFile", "(InputStream,File)", "", "Argument[1]", "path-injection", "manual"]
- ["org.apache.commons.io", "FileUtils", True, "openInputStream", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["org.apache.commons.io", "IOUtils", False, "resourceToString", "(String,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]


@@ -0,0 +1,11 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["org.apache.hadoop.hive.ql.exec", "Utilities", False, "renameOrMoveFilesInParallel", "(Configuration,FileSystem,Path,Path)", "", "Argument[2]", "path-injection", "ai-manual"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["org.apache.hadoop.hive.ql.exec", "Utilities", False, "replaceTaskIdFromFilename", "(String,String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]


@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["org.apache.hadoop.hive.ql.metadata", "Hive", False, "copyFiles", "(HiveConf,Path,Path,FileSystem,boolean,boolean,boolean,List,boolean,boolean,boolean,boolean)", "", "Argument[2]", "path-injection", "ai-manual"]


@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["org.apache.ibatis.mapping", "BoundSql", True, "getSql", "()", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]


@@ -7,5 +7,6 @@ extensions:
- ["org.apache.tools.ant.taskdefs", "Copy", True, "setFile", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["org.apache.tools.ant.taskdefs", "Copy", True, "setTodir", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["org.apache.tools.ant.taskdefs", "Copy", True, "setTofile", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["org.apache.tools.ant.taskdefs", "Execute", False, "runCommand", "(Task,String[])", "", "Argument[1]", "command-injection", "ai-manual"]
- ["org.apache.tools.ant.taskdefs", "Expand", True, "setDest", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["org.apache.tools.ant.taskdefs", "Expand", True, "setSrc", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]


@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["org.keycloak.models.map.storage", "MapStorage", True, "delete", "(QueryParameters)", "", "Argument[0]", "sql-injection", "ai-manual"]


@@ -1,5 +1,5 @@
name: codeql/java-all
version: 0.8.5-dev
version: 0.8.6-dev
groups: java
dbscheme: config/semmlecode.dbscheme
extractor: java


@@ -40,7 +40,9 @@ class MapMethod extends Method {
/** A method that mutates the map it belongs to. */
class MapMutator extends MapMethod {
MapMutator() { pragma[only_bind_into](this).getName().regexpMatch("(put.*|remove|clear)") }
MapMutator() {
pragma[only_bind_into](this).getName().regexpMatch("(put.*|remove|clear|replace.*)")
}
}
/** The `size` method of `java.util.Map`. */
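Review bot: The widened pattern in the new `MapMutator` characteristic predicate still does not match the other mutating methods `java.util.Map` gained in Java 8 — `merge`, `compute`, `computeIfAbsent` and `computeIfPresent` — so calls to them are not treated as mutators, while `putIfAbsent` and `replaceAll` only match by accident of the `put.*`/`replace.*` prefixes. If the class is meant to cover every mutating method, the line could read `pragma[only_bind_into](this).getName().regexpMatch("(put.*|remove|clear|replace.*|merge|compute.*)")`; if the omission is deliberate, a short comment naming what is excluded and why would save the next reader the same question. The name match is the whole of the characteristic predicate, so the change is self-contained in this hunk.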


@@ -2,6 +2,8 @@
import semmle.code.java.Type
private import semmle.code.java.dataflow.FlowSteps
private import semmle.code.configfiles.ConfigFiles
private import semmle.code.java.dataflow.RangeUtils
/**
* The `java.util.Properties` class.
@@ -43,3 +45,22 @@ class PropertiesStoreMethod extends Method {
(this.getName().matches("store%") or this.getName() = "save")
}
}
/**
* A call to the `getProperty` method of the class `java.util.Properties`.
*/
class PropertiesGetPropertyMethodCall extends MethodCall {
PropertiesGetPropertyMethodCall() { this.getMethod() instanceof PropertiesGetPropertyMethod }
private ConfigPair getPair() {
this.getArgument(0).(ConstantStringExpr).getStringValue() = result.getNameElement().getName()
}
/**
* Get the potential string values that can be associated with the given property name.
*/
string getPropertyValue() {
result = this.getPair().getValueElement().getValue() or
result = this.getArgument(1).(ConstantStringExpr).getStringValue()
}
}
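Review bot: `getPair()` in the new `PropertiesGetPropertyMethodCall` class relates the call to any `ConfigPair` whose name element equals the constant key, with nothing tying the pair to the properties file the receiver was actually loaded from, so a key that occurs in several config files in the database yields every one of their values, and `getPropertyValue()` additionally returns the constant default argument. That is presumably intended, but it belongs in the QLDoc: on `getPair()` I would add `/** Gets a config pair whose name equals the constant first argument; the pair may come from any config file in the database. */`, and the QLDoc on `getPropertyValue()` should read `Gets the potential string values for the given property name, taken from a matching config pair or from the constant default argument.` (QLDoc convention is the third-person "Gets"). The enclosing class starts and ends inside this hunk.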


@@ -108,9 +108,9 @@ private class MissingPinningSink extends DataFlow::Node {
/** Configuration for finding uses of non trusted URLs. */
private module UntrustedUrlConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) {
trustedDomain(_) and
exists(string lit | lit = node.asExpr().(CompileTimeConstantExpr).getStringValue() |
lit.matches("%://%") and // it's a URL
not lit.regexpMatch("^(classpath|file|jar):.*") and // discard non-network URIs
not exists(string dom | trustedDomain(dom) and lit.matches("%" + dom + "%"))
)
}
@@ -121,16 +121,10 @@ private module UntrustedUrlConfig implements DataFlow::ConfigSig {
private module UntrustedUrlFlow = TaintTracking::Global<UntrustedUrlConfig>;
/** Holds if `node` is a network communication call for which certificate pinning is not implemented. */
predicate missingPinning(DataFlow::Node node, string domain) {
predicate missingPinning(MissingPinningSink node, string domain) {
isAndroid() and
node instanceof MissingPinningSink and
(
not trustedDomain(_) and domain = ""
or
exists(DataFlow::Node src |
UntrustedUrlFlow::flow(src, node) and
domain = getDomain(src.asExpr())
)
exists(DataFlow::Node src | UntrustedUrlFlow::flow(src, node) |
if trustedDomain(_) then domain = getDomain(src.asExpr()) else domain = ""
)
}
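Review bot: The exclusion `not lit.regexpMatch("^(classpath|file|jar):.*")` in `isSource` is case-sensitive, but `java.net.URL` accepts the scheme in any case and lower-cases it internally, so a literal such as `"FILE:///example/file"` would still be treated as a network URL and reported; `not lit.regexpMatch("(?i)^(classpath|file|jar):.*") and // discard non-network URIs` closes that gap, and a mixed-case case next to `test4` in the new test inputs would pin it. The `UntrustedUrlConfig` module enclosing `isSource` extends beyond the first hunk, so only the source predicate is visible here.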


@@ -3,9 +3,18 @@
*/
import java
private import semmle.code.configfiles.ConfigFiles
private import semmle.code.java.security.Encryption
private import semmle.code.java.dataflow.TaintTracking
private import semmle.code.java.dataflow.RangeUtils
private import semmle.code.java.dispatch.VirtualDispatch
private import semmle.code.java.frameworks.Properties
/** A reference to an insecure cryptographic algorithm. */
abstract class InsecureAlgorithm extends Expr {
/** Gets the string representation of this insecure cryptographic algorithm. */
abstract string getStringValue();
}
private class ShortStringLiteral extends StringLiteral {
ShortStringLiteral() { this.getValue().length() < 100 }
@@ -14,16 +23,34 @@ private class ShortStringLiteral extends StringLiteral {
/**
* A string literal that may refer to an insecure cryptographic algorithm.
*/
class InsecureAlgoLiteral extends ShortStringLiteral {
class InsecureAlgoLiteral extends InsecureAlgorithm, ShortStringLiteral {
InsecureAlgoLiteral() {
// Algorithm identifiers should be at least two characters.
this.getValue().length() > 1 and
exists(string s | s = this.getValue() |
// Algorithm identifiers should be at least two characters.
s.length() > 1 and
not s.regexpMatch(getSecureAlgorithmRegex()) and
// Exclude results covered by another query.
not s.regexpMatch(getInsecureAlgorithmRegex())
)
}
override string getStringValue() { result = this.getValue() }
}
/**
* A property access that may refer to an insecure cryptographic algorithm.
*/
class InsecureAlgoProperty extends InsecureAlgorithm, PropertiesGetPropertyMethodCall {
string value;
InsecureAlgoProperty() {
value = this.getPropertyValue() and
// Since properties pairs are not included in the java/weak-cryptographic-algorithm,
// the check for values from properties files can be less strict than `InsecureAlgoLiteral`.
not value.regexpMatch(getSecureAlgorithmRegex())
}
override string getStringValue() { result = value }
}
private predicate objectToString(MethodCall ma) {
@@ -38,7 +65,7 @@ private predicate objectToString(MethodCall ma) {
* A taint-tracking configuration to reason about the use of potentially insecure cryptographic algorithms.
*/
module InsecureCryptoConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node n) { n.asExpr() instanceof InsecureAlgoLiteral }
predicate isSource(DataFlow::Node n) { n.asExpr() instanceof InsecureAlgorithm }
predicate isSink(DataFlow::Node n) { exists(CryptoAlgoSpec c | n.asExpr() = c.getAlgoSpec()) }
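Review bot: The rationale in the comment above `not value.regexpMatch(getSecureAlgorithmRegex())` in `InsecureAlgoProperty` only holds for values read from a config pair: the constant default argument that `getPropertyValue()` also returns is an ordinary string literal that taint-tracks into `java/weak-cryptographic-algorithm`, so a call such as `getProperty("hashAlg2", "MD5")` ends up reported by both queries (compare the `WeakHashing.java:21` rows in the two expected files of this commit). Either apply the `getInsecureAlgorithmRegex()` exclusion to the default-argument value the way `InsecureAlgoLiteral` does, or extend the comment with `// The constant default argument is still covered by java/weak-cryptographic-algorithm, so a weak default is reported twice.` so the overlap is a documented choice rather than a surprise.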


@@ -1,3 +1,7 @@
## 0.8.5
No user-facing changes.
## 0.8.4
No user-facing changes.


@@ -13,16 +13,15 @@
import java
import semmle.code.java.security.Encryption
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.frameworks.Properties
import semmle.code.java.security.MaybeBrokenCryptoAlgorithmQuery
import InsecureCryptoFlow::PathGraph
from
InsecureCryptoFlow::PathNode source, InsecureCryptoFlow::PathNode sink, CryptoAlgoSpec c,
InsecureAlgoLiteral s
from InsecureCryptoFlow::PathNode source, InsecureCryptoFlow::PathNode sink, CryptoAlgoSpec c
where
sink.getNode().asExpr() = c.getAlgoSpec() and
source.getNode().asExpr() = s and
InsecureCryptoFlow::flowPath(source, sink)
select c, source, sink,
"Cryptographic algorithm $@ may not be secure, consider using a different algorithm.", s,
s.getValue()
"Cryptographic algorithm $@ may not be secure, consider using a different algorithm.", source,
source.getNode().asExpr().(InsecureAlgorithm).getStringValue()
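Review bot: The `$@` link target in the rewritten `select` is `source` for every kind of `InsecureAlgorithm`, so for an `InsecureAlgoProperty` the alert points at the `getProperty(...)` call rather than at the `.properties` entry supplying the weak value (see the `WeakHashing.java:15` row in the new expected output), and the reader still has to find the defining config pair by hand. A comment on the `select`, such as `// For property-derived sources the link is the getProperty call; the config pair itself is not surfaced.`, would make that intent explicit, or a second placeholder for the pair's location could be added if `PropertiesGetPropertyMethodCall` exposed it.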


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The query `java/android/missing-certificate-pinning` should no longer alert about requests pointing to the local filesystem.


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Modified the `java/potentially-weak-cryptographic-algorithm` query to include the use of weak cryptographic algorithms from configuration values specified in properties files.


@@ -0,0 +1,3 @@
## 0.8.5
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.4
lastReleaseVersion: 0.8.5


@@ -0,0 +1,27 @@
package poc.sample.classloader;
import android.app.Application;
import android.content.pm.PackageInfo;
import android.content.Context;
import android.util.Log;
public class BadClassLoader extends Application {
@Override
public void onCreate() {
super.onCreate();
for (PackageInfo p : getPackageManager().getInstalledPackages(0)) {
try {
if (p.packageName.startsWith("some.package.")) {
Context appContext = createPackageContext(p.packageName,
CONTEXT_INCLUDE_CODE | CONTEXT_IGNORE_SECURITY);
ClassLoader classLoader = appContext.getClassLoader();
Object result = classLoader.loadClass("some.package.SomeClass")
.getMethod("someMethod")
.invoke(null);
}
} catch (Exception e) {
Log.e("Class loading failed", e.toString());
}
}
}
}


@@ -0,0 +1,31 @@
package poc.sample.classloader;
import android.app.Application;
import android.content.pm.PackageInfo;
import android.content.Context;
import android.content.pm.PackageManager;
import android.util.Log;
public class GoodClassLoader extends Application {
@Override
public void onCreate() {
super.onCreate();
PackageManager pm = getPackageManager();
for (PackageInfo p : pm.getInstalledPackages(0)) {
try {
if (p.packageName.startsWith("some.package.") &&
(pm.checkSignatures(p.packageName, getApplicationContext().getPackageName()) == PackageManager.SIGNATURE_MATCH)
) {
Context appContext = createPackageContext(p.packageName,
CONTEXT_INCLUDE_CODE | CONTEXT_IGNORE_SECURITY);
ClassLoader classLoader = appContext.getClassLoader();
Object result = classLoader.loadClass("some.package.SomeClass")
.getMethod("someMethod")
.invoke(null);
}
} catch (Exception e) {
Log.e("Class loading failed", e.toString());
}
}
}
}
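Review bot: The recommended sample still passes `CONTEXT_IGNORE_SECURITY` together with `CONTEXT_INCLUDE_CODE` even though it has just verified `PackageManager.SIGNATURE_MATCH`; as I read the Android documentation, that flag exists precisely to bypass the platform's own check that the target package is safe to load into the process, and a same-signature package should pass that check without it. Dropping the flag, `Context appContext = createPackageContext(p.packageName, CONTEXT_INCLUDE_CODE);`, with `// Signature verified above, so CONTEXT_IGNORE_SECURITY is not needed.`, would show the least-privilege form in the "good" example. The same class is duplicated verbatim as the test input `GoodClassLoader.java` later in this commit, so both copies should change together.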


@@ -0,0 +1,40 @@
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>
<overview>
<p>
If an application loads classes or code from another app based solely on its package name without
first checking its package signature, this could allow a malicious app with the same package name
to be loaded through "package namespace squatting".
If the victim user install such malicious app in the same device as the vulnerable app, the vulnerable app would load
classes or code from the malicious app, potentially leading to arbitrary code execution.
</p>
</overview>
<recommendation>
<p>
Verify the package signature in addition to the package name before loading any classes or code from another application.
</p>
</recommendation>
<example>
<p>
The <code>BadClassLoader</code> class illustrates class loading with the <code>android.content.pm.PackageInfo.packageName.startsWith()</code> method without any check on the package signature.
</p>
<sample src="BadClassLoader.java" />
<p>
The <code>GoodClassLoader</code> class illustrates class loading with correct package signature check using the <code>android.content.pm.PackageManager.checkSignatures()</code> method.
</p>
<sample src="GoodClassLoader.java" />
</example>
<references>
<li>
<a href="https://blog.oversecured.com/Android-arbitrary-code-execution-via-third-party-package-contexts/">
Oversecured (Android: arbitrary code execution via third-party package contexts)
</a>
</li>
</references>
</qhelp>


@@ -0,0 +1,88 @@
/**
* @name Load 3rd party classes or code ('unsafe reflection') without signature check
* @description Loading classes or code from third-party packages without checking the
* package signature could make the application
* susceptible to package namespace squatting attacks,
* potentially leading to arbitrary code execution.
* @problem.severity error
* @precision high
* @kind path-problem
* @id java/android/unsafe-reflection
* @tags security
* experimental
* external/cwe/cwe-470
*/
import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.controlflow.Guards
import semmle.code.java.dataflow.SSA
import semmle.code.java.frameworks.android.Intent
class CheckSignaturesGuard extends Guard instanceof EqualityTest {
MethodCall checkSignatures;
CheckSignaturesGuard() {
this.getAnOperand() = checkSignatures and
checkSignatures
.getMethod()
.hasQualifiedName("android.content.pm", "PackageManager", "checkSignatures") and
exists(Expr signatureCheckResult |
this.getAnOperand() = signatureCheckResult and signatureCheckResult != checkSignatures
|
signatureCheckResult.(CompileTimeConstantExpr).getIntValue() = 0 or
signatureCheckResult
.(FieldRead)
.getField()
.hasQualifiedName("android.content.pm", "PackageManager", "SIGNATURE_MATCH")
)
}
Expr getCheckedExpr() { result = checkSignatures.getArgument(0) }
}
predicate signatureChecked(Expr safe) {
exists(CheckSignaturesGuard g, SsaVariable v |
v.getAUse() = g.getCheckedExpr() and
safe = v.getAUse() and
g.controls(safe.getBasicBlock(), g.(EqualityTest).polarity())
)
}
module InsecureLoadingConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) {
exists(Method m | m = src.asExpr().(MethodCall).getMethod() |
m.getDeclaringType().getASourceSupertype*() instanceof TypeContext and
m.hasName("createPackageContext") and
not signatureChecked(src.asExpr().(MethodCall).getArgument(0))
)
}
predicate isSink(DataFlow::Node sink) {
exists(MethodCall ma |
ma.getMethod().hasQualifiedName("java.lang", "ClassLoader", "loadClass")
|
sink.asExpr() = ma.getQualifier()
)
}
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(MethodCall ma, Method m |
ma.getMethod() = m and
m.getDeclaringType().getASourceSupertype*() instanceof TypeContext and
m.hasName("getClassLoader")
|
node1.asExpr() = ma.getQualifier() and
node2.asExpr() = ma
)
}
}
module InsecureLoadFlow = TaintTracking::Global<InsecureLoadingConfig>;
import InsecureLoadFlow::PathGraph
from InsecureLoadFlow::PathNode source, InsecureLoadFlow::PathNode sink
where InsecureLoadFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Class loaded from a $@ without signature check",
source.getNode(), "third party library"
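Review bot: `isSink` in `InsecureLoadingConfig` only recognizes the qualifier of `ClassLoader.loadClass`, so a class loader obtained from an unchecked context that is instead handed to `Class.forName(String, boolean, ClassLoader)` as its third argument never reaches a sink and that path goes unreported; adding `or exists(MethodCall ma | ma.getMethod().hasQualifiedName("java.lang", "Class", "forName") | sink.asExpr() = ma.getArgument(2))` as a second disjunct covers it. Separately, `CheckSignaturesGuard` accepts a comparison against the literal `0` with no explanation; `// PackageManager.SIGNATURE_MATCH is 0, so a comparison with the literal also counts as a check` above that disjunct would document the assumption.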


@@ -1,5 +1,5 @@
name: codeql/java-queries
version: 0.8.5-dev
version: 0.8.6-dev
groups:
- java
- queries


@@ -0,0 +1,27 @@
package poc.sample.classloader;
import android.app.Application;
import android.content.pm.PackageInfo;
import android.content.Context;
import android.util.Log;
public class BadClassLoader extends Application {
@Override
public void onCreate() {
super.onCreate();
for (PackageInfo p : getPackageManager().getInstalledPackages(0)) {
try {
if (p.packageName.startsWith("some.package.")) {
Context appContext = createPackageContext(p.packageName,
CONTEXT_INCLUDE_CODE | CONTEXT_IGNORE_SECURITY);
ClassLoader classLoader = appContext.getClassLoader();
Object result = classLoader.loadClass("some.package.SomeClass")
.getMethod("someMethod")
.invoke(null);
}
} catch (Exception e) {
Log.e("Class loading failed", e.toString());
}
}
}
}


@@ -0,0 +1,31 @@
package poc.sample.classloader;
import android.app.Application;
import android.content.pm.PackageInfo;
import android.content.Context;
import android.content.pm.PackageManager;
import android.util.Log;
public class GoodClassLoader extends Application {
@Override
public void onCreate() {
super.onCreate();
PackageManager pm = getPackageManager();
for (PackageInfo p : pm.getInstalledPackages(0)) {
try {
if (p.packageName.startsWith("some.package.") &&
(pm.checkSignatures(p.packageName, getApplicationContext().getPackageName()) == PackageManager.SIGNATURE_MATCH)
) {
Context appContext = createPackageContext(p.packageName,
CONTEXT_INCLUDE_CODE | CONTEXT_IGNORE_SECURITY);
ClassLoader classLoader = appContext.getClassLoader();
Object result = classLoader.loadClass("some.package.SomeClass")
.getMethod("someMethod")
.invoke(null);
}
} catch (Exception e) {
Log.e("Class loading failed", e.toString());
}
}
}
}


@@ -0,0 +1,12 @@
edges
| BadClassLoader.java:15:42:16:75 | createPackageContext(...) : Context | BadClassLoader.java:17:47:17:56 | appContext : Context |
| BadClassLoader.java:17:47:17:56 | appContext : Context | BadClassLoader.java:17:47:17:73 | getClassLoader(...) : ClassLoader |
| BadClassLoader.java:17:47:17:73 | getClassLoader(...) : ClassLoader | BadClassLoader.java:18:37:18:47 | classLoader |
nodes
| BadClassLoader.java:15:42:16:75 | createPackageContext(...) : Context | semmle.label | createPackageContext(...) : Context |
| BadClassLoader.java:17:47:17:56 | appContext : Context | semmle.label | appContext : Context |
| BadClassLoader.java:17:47:17:73 | getClassLoader(...) : ClassLoader | semmle.label | getClassLoader(...) : ClassLoader |
| BadClassLoader.java:18:37:18:47 | classLoader | semmle.label | classLoader |
subpaths
#select
| BadClassLoader.java:18:37:18:47 | classLoader | BadClassLoader.java:15:42:16:75 | createPackageContext(...) : Context | BadClassLoader.java:18:37:18:47 | classLoader | Class loaded from a $@ without signature check | BadClassLoader.java:15:42:16:75 | createPackageContext(...) | third party library |


@@ -0,0 +1 @@
experimental/Security/CWE/CWE-470/LoadClassNoSignatureCheck.ql


@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.3.8/
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.3.8/:${testdir}/../../../../stubs/google-android-9.0.0


@@ -1,7 +1,7 @@
import java.net.URL;
import java.net.URLConnection;
class Test{
class Test {
URLConnection test1() throws Exception {
return new URL("https://good.example.com").openConnection();
}
@@ -9,4 +9,16 @@ class Test{
URLConnection test2() throws Exception {
return new URL("https://bad.example.com").openConnection(); // $hasUntrustedResult
}
}
URLConnection test3() throws Exception {
return new URL("classpath:example/directory/test.class").openConnection();
}
URLConnection test4() throws Exception {
return new URL("file:///example/file").openConnection();
}
URLConnection test5() throws Exception {
return new URL("jar:file:///C:/example/test.jar!/test.xml").openConnection();
}
}


@@ -1,8 +1,20 @@
import java.net.URL;
import java.net.URLConnection;
class Test{
class Test {
URLConnection test2() throws Exception {
return new URL("https://example.com").openConnection(); // $hasNoTrustedResult
}
}
URLConnection test3() throws Exception {
return new URL("classpath:example/directory/test.class").openConnection();
}
URLConnection test4() throws Exception {
return new URL("file:///example/file").openConnection();
}
URLConnection test5() throws Exception {
return new URL("jar:file:///C:/example/test.jar!/test.xml").openConnection();
}
}


@@ -2,16 +2,21 @@ import okhttp3.OkHttpClient;
import okhttp3.CertificatePinner;
import okhttp3.Request;
class Test{
class Test {
void test1() throws Exception {
CertificatePinner certificatePinner = new CertificatePinner.Builder()
.add("good.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
.build();
OkHttpClient client = new OkHttpClient.Builder()
.certificatePinner(certificatePinner)
.build();
CertificatePinner certificatePinner = new CertificatePinner.Builder()
.add("good.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
.build();
OkHttpClient client =
new OkHttpClient.Builder().certificatePinner(certificatePinner).build();
client.newCall(new Request.Builder().url("https://good.example.com").build()).execute();
client.newCall(new Request.Builder().url("https://bad.example.com").build()).execute(); // $hasUntrustedResult
client.newCall(new Request.Builder().url("https://good.example.com").build()).execute();
client.newCall(new Request.Builder().url("https://bad.example.com").build()).execute(); // $hasUntrustedResult
client.newCall(new Request.Builder().url("classpath:example/directory/test.class").build())
.execute();
client.newCall(new Request.Builder().url("file:///example/file").build()).execute();
client.newCall(
new Request.Builder().url("jar:file:///C:/example/test.jar!/test.xml").build())
.execute();
}
}
}


@@ -8,19 +8,20 @@ import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import android.content.res.Resources;
class Test{
class Test {
void test1(Resources resources) throws Exception {
KeyStore keyStore = KeyStore.getInstance("BKS");
keyStore.load(resources.openRawResource(R.raw.cert), null);
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), null);
URL url = new URL("http://www.example.com/");
HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
urlConnection.setSSLSocketFactory(sslContext.getSocketFactory());
}
@@ -29,4 +30,4 @@ class Test{
URL url = new URL("http://www.example.com/");
HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection(); // $hasNoTrustedResult
}
}
}


@@ -9,12 +9,13 @@ import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import android.content.res.Resources;
class Test{
class Test {
void init(Resources resources) throws Exception {
KeyStore keyStore = KeyStore.getInstance("BKS");
keyStore.load(resources.openRawResource(R.raw.cert), null);
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore);
SSLContext sslContext = SSLContext.getInstance("TLS");
@@ -25,11 +26,26 @@ class Test{
URLConnection test1() throws Exception {
URL url = new URL("http://www.example.com/");
return url.openConnection();
return url.openConnection();
}
InputStream test2() throws Exception {
URL url = new URL("http://www.example.com/");
return url.openStream();
return url.openStream();
}
}
InputStream test3() throws Exception {
URL url = new URL("classpath:example/directory/test.class");
return url.openStream();
}
InputStream test4() throws Exception {
URL url = new URL("file:///example/file");
return url.openStream();
}
InputStream test5() throws Exception {
URL url = new URL("jar:file:///C:/example/test.jar!/test.xml");
return url.openStream();
}
}


@@ -1,8 +1,12 @@
edges
| WeakHashing.java:21:86:21:90 | "MD5" : String | WeakHashing.java:21:56:21:91 | getProperty(...) |
nodes
| Test.java:19:45:19:49 | "DES" | semmle.label | "DES" |
| Test.java:42:33:42:37 | "RC2" | semmle.label | "RC2" |
| WeakHashing.java:21:56:21:91 | getProperty(...) | semmle.label | getProperty(...) |
| WeakHashing.java:21:86:21:90 | "MD5" : String | semmle.label | "MD5" : String |
subpaths
#select
| Test.java:19:20:19:50 | getInstance(...) | Test.java:19:45:19:49 | "DES" | Test.java:19:45:19:49 | "DES" | Cryptographic algorithm $@ is weak and should not be used. | Test.java:19:45:19:49 | "DES" | DES |
| Test.java:42:14:42:38 | getInstance(...) | Test.java:42:33:42:37 | "RC2" | Test.java:42:33:42:37 | "RC2" | Cryptographic algorithm $@ is weak and should not be used. | Test.java:42:33:42:37 | "RC2" | RC2 |
| WeakHashing.java:21:30:21:92 | getInstance(...) | WeakHashing.java:21:86:21:90 | "MD5" : String | WeakHashing.java:21:56:21:91 | getProperty(...) | Cryptographic algorithm $@ is weak and should not be used. | WeakHashing.java:21:86:21:90 | "MD5" | MD5 |


@@ -1,6 +1,12 @@
edges
nodes
| Test.java:34:48:34:52 | "foo" | semmle.label | "foo" |
| WeakHashing.java:15:55:15:83 | getProperty(...) | semmle.label | getProperty(...) |
| WeakHashing.java:18:56:18:95 | getProperty(...) | semmle.label | getProperty(...) |
| WeakHashing.java:21:56:21:91 | getProperty(...) | semmle.label | getProperty(...) |
subpaths
#select
| Test.java:34:21:34:53 | new SecretKeySpec(...) | Test.java:34:48:34:52 | "foo" | Test.java:34:48:34:52 | "foo" | Cryptographic algorithm $@ may not be secure, consider using a different algorithm. | Test.java:34:48:34:52 | "foo" | foo |
| WeakHashing.java:15:29:15:84 | getInstance(...) | WeakHashing.java:15:55:15:83 | getProperty(...) | WeakHashing.java:15:55:15:83 | getProperty(...) | Cryptographic algorithm $@ may not be secure, consider using a different algorithm. | WeakHashing.java:15:55:15:83 | getProperty(...) | MD5 |
| WeakHashing.java:18:30:18:96 | getInstance(...) | WeakHashing.java:18:56:18:95 | getProperty(...) | WeakHashing.java:18:56:18:95 | getProperty(...) | Cryptographic algorithm $@ may not be secure, consider using a different algorithm. | WeakHashing.java:18:56:18:95 | getProperty(...) | MD5 |
| WeakHashing.java:21:30:21:92 | getInstance(...) | WeakHashing.java:21:56:21:91 | getProperty(...) | WeakHashing.java:21:56:21:91 | getProperty(...) | Cryptographic algorithm $@ may not be secure, consider using a different algorithm. | WeakHashing.java:21:56:21:91 | getProperty(...) | MD5 |


@@ -0,0 +1,29 @@
package test.cwe327.semmle.tests;
import java.util.Properties;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
public class WeakHashing {
void hashing() throws NoSuchAlgorithmException, IOException {
java.util.Properties props = new java.util.Properties();
props.load(new FileInputStream("example.properties"));
// BAD: Using a weak hashing algorithm
MessageDigest bad = MessageDigest.getInstance(props.getProperty("hashAlg1"));
// BAD: Using a weak hashing algorithm even with a secure default
MessageDigest bad2 = MessageDigest.getInstance(props.getProperty("hashAlg1", "SHA-256"));
// BAD: Using a strong hashing algorithm but with a weak default
MessageDigest bad3 = MessageDigest.getInstance(props.getProperty("hashAlg2", "MD5"));
// GOOD: Using a strong hashing algorithm
MessageDigest ok = MessageDigest.getInstance(props.getProperty("hashAlg2"));
// OK: Property does not exist and default is secure
MessageDigest ok2 = MessageDigest.getInstance(props.getProperty("hashAlg3", "SHA-256"));
}
}
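Review bot: `props.load(new FileInputStream("example.properties"))` in `hashing()` never closes the stream; even in a fixture the idiomatic form is `try (FileInputStream in = new FileInputStream("example.properties")) { props.load(in); }`. Note that both `.expected` files in this commit reference this file by line number (`WeakHashing.java:15`, `:18`, `:21`), so any reflow of the method body must be mirrored there. The fully qualified `java.util.Properties` on the first line of the method is redundant given the `import java.util.Properties;` above it.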


@@ -0,0 +1,2 @@
hashAlg1=MD5
hashAlg2=SHA-256