Merge branch 'main' into fix/update-gson-model

java/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.8.5
+
+No user-facing changes.
+
 ## 0.8.4
 
 ### Minor Analysis Improvements

java/ql/lib/change-notes/2023-10-24-new-models.md

@@ -0,0 +1,12 @@
+---
+category: minorAnalysis
+---
+* Added models for the following packages:
+
+  * com.alibaba.druid.sql.repository
+  * jakarta.persistence
+  * jakarta.persistence.criteria
+  * liquibase.database.jvm
+  * liquibase.statement.core
+  * org.apache.ibatis.mapping
+  * org.keycloak.models.map.storage

java/ql/lib/change-notes/2023-10-31-new-models.md

@@ -0,0 +1,16 @@
+---
+category: minorAnalysis
+---
+* Added models for the following packages:
+
+  * com.google.common.io
+  * hudson
+  * hudson.console
+  * java.lang
+  * java.net
+  * java.util.logging
+  * javax.imageio.stream
+  * org.apache.commons.io
+  * org.apache.hadoop.hive.ql.exec
+  * org.apache.hadoop.hive.ql.metadata
+  * org.apache.tools.ant.taskdefs

java/ql/lib/change-notes/2023-12-19-add-replace-methods-to-mapmutator.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added the `Map#replace` and `Map#replaceAll` methods to the `MapMutator` class in `semmle.code.java.Maps`.

java/ql/lib/change-notes/released/0.8.5.md

@@ -0,0 +1,3 @@
+## 0.8.5
+
+No user-facing changes.

java/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.4
+lastReleaseVersion: 0.8.5

java/ql/lib/ext/com.alibaba.druid.sql.repository.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.alibaba.druid.sql.repository", "SchemaRepository", True, "console", "(String)", "", "Argument[0]", "sql-injection", "ai-manual"]

java/ql/lib/ext/com.google.common.io.model.yml

@@ -3,9 +3,11 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
+      - ["com.google.common.io", "Files", False, "asByteSink", "(File,FileWriteMode[])", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["com.google.common.io", "Files", False, "asCharSink", "(File,Charset,FileWriteMode[])", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["com.google.common.io", "Files", False, "asCharSource", "(File,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["com.google.common.io", "Files", False, "copy", "(File,OutputStream)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["com.google.common.io", "Files", False, "newWriter", "(File,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["com.google.common.io", "Files", False, "readLines", "(File,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["com.google.common.io", "Files", False, "toByteArray", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["com.google.common.io", "Files", False, "toString", "(File,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]

java/ql/lib/ext/hudson.console.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["hudson.console", "AnnotatedLargeText", True, "AnnotatedLargeText", "(File,Charset,boolean,Object)", "", "Argument[0]", "Argument[this]", "taint", "ai-manual"]

java/ql/lib/ext/hudson.model.yml

@@ -3,6 +3,8 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
+      - ["hudson", "FilePath", False, "tar", "(OutputStream,String)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["hudson", "FilePath", False, "unzipFrom", "(InputStream)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["hudson", "FilePath", True, "copyFrom", "", "", "Argument[this]", "path-injection", "manual"]
       - ["hudson", "FilePath", True, "copyFrom", "(FilePath)", "", "Argument[0]", "path-injection", "manual"]
       - ["hudson", "FilePath", True, "copyFrom", "(URL)", "", "Argument[0]", "path-injection", "manual"]
@@ -32,6 +34,7 @@ extensions:
       - ["hudson", "Launcher$ProcStarter", False, "cmdAsSingleString", "", "", "Argument[0]", "command-injection", "manual"]
       - ["hudson", "Launcher", True, "launch", "", "", "Argument[0]", "command-injection", "manual"]
       - ["hudson", "Launcher", True, "launchChannel", "", "", "Argument[0]", "command-injection", "manual"]
+      - ["hudson", "XmlFile", False, "XmlFile", "(XStream,File)", "", "Argument[1]", "path-injection", "ai-manual"]
   - addsTo:
       pack: codeql/java-all
       extensible: sourceModel

java/ql/lib/ext/jakarta.persistence.criteria.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["jakarta.persistence.criteria", "CriteriaBuilder", True, "concat", "(String,Expression)", "", "Argument[1]", "ReturnValue", "taint", "ai-manual"]

java/ql/lib/ext/jakarta.persistence.model.yml

@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["jakarta.persistence", "EntityManager", True, "createNativeQuery", "(String,Class)", "", "Argument[0]", "sql-injection", "ai-manual"]
+      - ["jakarta.persistence", "EntityManager", True, "createQuery", "(CriteriaDelete)", "", "Argument[0]", "sql-injection", "ai-manual"]

java/ql/lib/ext/java.lang.model.yml

@@ -13,6 +13,7 @@ extensions:
       - ["java.lang", "ProcessBuilder", False, "directory", "(File)", "", "Argument[0]", "command-injection", "ai-manual"]
       - ["java.lang", "ProcessBuilder", False, "ProcessBuilder", "(List)", "", "Argument[0]", "command-injection", "ai-manual"]
       - ["java.lang", "ProcessBuilder", False, "ProcessBuilder", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "ProcessBuilder", False, "redirectError", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.lang", "Runtime", True, "exec", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
       - ["java.lang", "Runtime", True, "exec", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"]
       - ["java.lang", "Runtime", True, "exec", "(String[],String[])", "", "Argument[0]", "command-injection", "ai-manual"]

java/ql/lib/ext/java.net.model.yml

@@ -9,6 +9,7 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
+      - ["java.net", "DatagramPacket", False, "DatagramPacket", "(byte[],int,InetAddress,int)", "", "Argument[2]", "request-forgery", "ai-manual"]
       - ["java.net", "DatagramSocket", True, "connect", "(SocketAddress)", "", "Argument[0]", "request-forgery", "ai-manual"]
       - ["java.net", "PasswordAuthentication", False, "PasswordAuthentication", "(String,char[])", "", "Argument[1]", "credentials-password", "hq-generated"]
       - ["java.net", "Socket", True, "Socket", "(String,int)", "", "Argument[0]", "request-forgery", "ai-manual"]

java/ql/lib/ext/java.util.logging.model.yml

@@ -3,6 +3,8 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
+      - ["java.util.logging", "FileHandler", True, "FileHandler", "(String,boolean)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["java.util.logging", "FileHandler", True, "FileHandler", "(String,int,int)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.util.logging", "Logger", True, "config", "", "", "Argument[0]", "log-injection", "manual"]
       - ["java.util.logging", "Logger", True, "entering", "(String,String)", "", "Argument[0..1]", "log-injection", "manual"]
       - ["java.util.logging", "Logger", True, "entering", "(String,String,Object)", "", "Argument[0..2]", "log-injection", "manual"]
@@ -44,7 +46,6 @@ extensions:
       - ["java.util.logging", "Logger", False, "getLogger", "(String)", "", "Argument[0]", "ReturnValue.SyntheticField[java.util.logging.Logger.name]", "value", "manual"]
       - ["java.util.logging", "Logger", False, "getName", "()", "", "Argument[this].SyntheticField[java.util.logging.Logger.name]", "ReturnValue", "value", "manual"]
       - ["java.util.logging", "LogRecord", False, "LogRecord", "", "", "Argument[1]", "Argument[this]", "taint", "manual"]
-
   - addsTo:
       pack: codeql/java-all
       extensible: neutralModel

java/ql/lib/ext/javax.imageio.stream.model.yml

@@ -1,7 +1,11 @@
 extensions:
-
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel
     data:
       - ["javax.imageio.stream", "FileCacheImageInputStream", True, "FileCacheImageInputStream", "(InputStream,File)", "", "Argument[0]", "Argument[this].Element", "taint", "ai-manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["javax.imageio.stream", "FileImageOutputStream", True, "FileImageOutputStream", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]

java/ql/lib/ext/liquibase.database.jvm.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["liquibase.database.jvm", "JdbcConnection", True, "prepareStatement", "(String)", "", "Argument[0]", "sql-injection", "ai-manual"]

java/ql/lib/ext/liquibase.statement.core.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["liquibase.statement.core", "RawSqlStatement", True, "RawSqlStatement", "(String)", "", "Argument[0]", "sql-injection", "ai-manual"]

java/ql/lib/ext/org.apache.commons.io.model.yml

@@ -3,6 +3,8 @@ extensions:
       pack: codeql/java-all
       extensible: summaryModel
     data:
+      - ["org.apache.commons.io", "FileUtils", False, "listFiles", "(File,IOFileFilter,IOFileFilter)", "", "Argument[0]", "ReturnValue.Element", "taint", "ai-manual"]
+      - ["org.apache.commons.io", "FileUtils", False, "listFiles", "(File,String[],boolean)", "", "Argument[0]", "ReturnValue.Element", "taint", "ai-manual"]
       # Models that are not yet auto generated or where the generated summaries will
       # be ignored.
       # Note that if a callable has any handwritten summary, all generated summaries
@@ -16,8 +18,14 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
+      - ["org.apache.commons.io", "FileUtils", False, "forceMkdir", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["org.apache.commons.io", "FileUtils", False, "moveDirectory", "(File,File)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["org.apache.commons.io", "FileUtils", False, "readFileToByteArray", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["org.apache.commons.io", "FileUtils", False, "writeLines", "(File,String,Collection,String)", "", "Argument[3]", "file-content-store", "ai-manual"]
+      - ["org.apache.commons.io", "FileUtils", False, "writeStringToFile", "(File,String,Charset,boolean)", "", "Argument[1]", "file-content-store", "ai-manual"]
       - ["org.apache.commons.io", "FileUtils", True, "copyInputStreamToFile", "(InputStream,File)", "", "Argument[0]", "file-content-store", "ai-manual"]
       - ["org.apache.commons.io", "FileUtils", True, "copyInputStreamToFile", "(InputStream,File)", "", "Argument[1]", "path-injection", "manual"]
       - ["org.apache.commons.io", "FileUtils", True, "copyToFile", "(InputStream,File)", "", "Argument[0]", "file-content-store", "ai-manual"]
       - ["org.apache.commons.io", "FileUtils", True, "copyToFile", "(InputStream,File)", "", "Argument[1]", "path-injection", "manual"]
       - ["org.apache.commons.io", "FileUtils", True, "openInputStream", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["org.apache.commons.io", "IOUtils", False, "resourceToString", "(String,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]

java/ql/lib/ext/org.apache.hadoop.hive.ql.exec.model.yml

@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.apache.hadoop.hive.ql.exec", "Utilities", False, "renameOrMoveFilesInParallel", "(Configuration,FileSystem,Path,Path)", "", "Argument[2]", "path-injection", "ai-manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["org.apache.hadoop.hive.ql.exec", "Utilities", False, "replaceTaskIdFromFilename", "(String,String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]

java/ql/lib/ext/org.apache.hadoop.hive.ql.metadata.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.apache.hadoop.hive.ql.metadata", "Hive", False, "copyFiles", "(HiveConf,Path,Path,FileSystem,boolean,boolean,boolean,List,boolean,boolean,boolean,boolean)", "", "Argument[2]", "path-injection", "ai-manual"]

java/ql/lib/ext/org.apache.ibatis.mapping.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["org.apache.ibatis.mapping", "BoundSql", True, "getSql", "()", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]

java/ql/lib/ext/org.apache.tools.ant.taskdefs.model.yml

@@ -7,5 +7,6 @@ extensions:
       - ["org.apache.tools.ant.taskdefs", "Copy", True, "setFile", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["org.apache.tools.ant.taskdefs", "Copy", True, "setTodir", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["org.apache.tools.ant.taskdefs", "Copy", True, "setTofile", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["org.apache.tools.ant.taskdefs", "Execute", False, "runCommand", "(Task,String[])", "", "Argument[1]", "command-injection", "ai-manual"]
       - ["org.apache.tools.ant.taskdefs", "Expand", True, "setDest", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["org.apache.tools.ant.taskdefs", "Expand", True, "setSrc", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]

java/ql/lib/ext/org.keycloak.models.map.storage.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.keycloak.models.map.storage", "MapStorage", True, "delete", "(QueryParameters)", "", "Argument[0]", "sql-injection", "ai-manual"]

java/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 0.8.5-dev
+version: 0.8.6-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java

java/ql/lib/semmle/code/java/Maps.qll

@@ -40,7 +40,9 @@ class MapMethod extends Method {
 
 /** A method that mutates the map it belongs to. */
 class MapMutator extends MapMethod {
-  MapMutator() { pragma[only_bind_into](this).getName().regexpMatch("(put.*|remove|clear)") }
+  MapMutator() {
+    pragma[only_bind_into](this).getName().regexpMatch("(put.*|remove|clear|replace.*)")
+  }
 }
 
 /** The `size` method of `java.util.Map`. */

java/ql/lib/semmle/code/java/frameworks/Properties.qll

@@ -2,6 +2,8 @@
 
 import semmle.code.java.Type
 private import semmle.code.java.dataflow.FlowSteps
+private import semmle.code.configfiles.ConfigFiles
+private import semmle.code.java.dataflow.RangeUtils
 
 /**
  * The `java.util.Properties` class.
@@ -43,3 +45,22 @@ class PropertiesStoreMethod extends Method {
     (this.getName().matches("store%") or this.getName() = "save")
   }
 }
+
+/**
+ * A call to the `getProperty` method of the class `java.util.Properties`.
+ */
+class PropertiesGetPropertyMethodCall extends MethodCall {
+  PropertiesGetPropertyMethodCall() { this.getMethod() instanceof PropertiesGetPropertyMethod }
+
+  private ConfigPair getPair() {
+    this.getArgument(0).(ConstantStringExpr).getStringValue() = result.getNameElement().getName()
+  }
+
+  /**
+   * Get the potential string values that can be associated with the given property name.
+   */
+  string getPropertyValue() {
+    result = this.getPair().getValueElement().getValue() or
+    result = this.getArgument(1).(ConstantStringExpr).getStringValue()
+  }
+}

java/ql/lib/semmle/code/java/security/AndroidCertificatePinningQuery.qll

@@ -108,9 +108,9 @@ private class MissingPinningSink extends DataFlow::Node {
 /** Configuration for finding uses of non trusted URLs. */
 private module UntrustedUrlConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) {
-    trustedDomain(_) and
     exists(string lit | lit = node.asExpr().(CompileTimeConstantExpr).getStringValue() |
       lit.matches("%://%") and // it's a URL
+      not lit.regexpMatch("^(classpath|file|jar):.*") and // discard non-network URIs
       not exists(string dom | trustedDomain(dom) and lit.matches("%" + dom + "%"))
     )
   }
@@ -121,16 +121,10 @@ private module UntrustedUrlConfig implements DataFlow::ConfigSig {
 private module UntrustedUrlFlow = TaintTracking::Global<UntrustedUrlConfig>;
 
 /** Holds if `node` is a network communication call for which certificate pinning is not implemented. */
-predicate missingPinning(DataFlow::Node node, string domain) {
+predicate missingPinning(MissingPinningSink node, string domain) {
   isAndroid() and
-  node instanceof MissingPinningSink and
-  (
-    not trustedDomain(_) and domain = ""
-    or
-    exists(DataFlow::Node src |
-      UntrustedUrlFlow::flow(src, node) and
-      domain = getDomain(src.asExpr())
-    )
+  exists(DataFlow::Node src | UntrustedUrlFlow::flow(src, node) |
+    if trustedDomain(_) then domain = getDomain(src.asExpr()) else domain = ""
   )
 }
 

java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll

@@ -3,9 +3,18 @@
  */
 
 import java
+private import semmle.code.configfiles.ConfigFiles
 private import semmle.code.java.security.Encryption
 private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.dataflow.RangeUtils
 private import semmle.code.java.dispatch.VirtualDispatch
+private import semmle.code.java.frameworks.Properties
+
+/** A reference to an insecure cryptographic algorithm. */
+abstract class InsecureAlgorithm extends Expr {
+  /** Gets the string representation of this insecure cryptographic algorithm. */
+  abstract string getStringValue();
+}
 
 private class ShortStringLiteral extends StringLiteral {
   ShortStringLiteral() { this.getValue().length() < 100 }
@@ -14,16 +23,34 @@ private class ShortStringLiteral extends StringLiteral {
 /**
  * A string literal that may refer to an insecure cryptographic algorithm.
  */
-class InsecureAlgoLiteral extends ShortStringLiteral {
+class InsecureAlgoLiteral extends InsecureAlgorithm, ShortStringLiteral {
   InsecureAlgoLiteral() {
-    // Algorithm identifiers should be at least two characters.
-    this.getValue().length() > 1 and
     exists(string s | s = this.getValue() |
+      // Algorithm identifiers should be at least two characters.
+      s.length() > 1 and
       not s.regexpMatch(getSecureAlgorithmRegex()) and
       // Exclude results covered by another query.
       not s.regexpMatch(getInsecureAlgorithmRegex())
     )
   }
+
+  override string getStringValue() { result = this.getValue() }
+}
+
+/**
+ * A property access that may refer to an insecure cryptographic algorithm.
+ */
+class InsecureAlgoProperty extends InsecureAlgorithm, PropertiesGetPropertyMethodCall {
+  string value;
+
+  InsecureAlgoProperty() {
+    value = this.getPropertyValue() and
+    // Since properties pairs are not included in the java/weak-cryptographic-algorithm,
+    // the check for values from properties files can be less strict than `InsecureAlgoLiteral`.
+    not value.regexpMatch(getSecureAlgorithmRegex())
+  }
+
+  override string getStringValue() { result = value }
 }
 
 private predicate objectToString(MethodCall ma) {
@@ -38,7 +65,7 @@ private predicate objectToString(MethodCall ma) {
  * A taint-tracking configuration to reason about the use of potentially insecure cryptographic algorithms.
  */
 module InsecureCryptoConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof InsecureAlgoLiteral }
+  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof InsecureAlgorithm }
 
   predicate isSink(DataFlow::Node n) { exists(CryptoAlgoSpec c | n.asExpr() = c.getAlgoSpec()) }