First pass converting qlref tests to inline expectation with postprocess
@@ -1,2 +1,4 @@
|
||||
query: experimental/quantum/Examples/ReusedNonce.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -16,7 +16,7 @@ public class Test {
|
||||
|
||||
private static byte[] getRandomWrapper1() throws Exception {
|
||||
byte[] val = new byte[16];
|
||||
new SecureRandom().nextBytes(val);
|
||||
new SecureRandom().nextBytes(val); // $ Source
|
||||
return val;
|
||||
}
|
||||
|
||||
@@ -37,7 +37,7 @@ public class Test {
|
||||
IvParameterSpec ivSpec = new IvParameterSpec(iv);
|
||||
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
|
||||
SecretKey key = generateAESKey();
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // BAD: Reuse of `iv` in funcB1
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // $ Alert // BAD: Reuse of `iv` in funcB1
|
||||
byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
|
||||
}
|
||||
|
||||
@@ -46,7 +46,7 @@ public class Test {
|
||||
IvParameterSpec ivSpec = new IvParameterSpec(iv);
|
||||
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
|
||||
SecretKey key = generateAESKey();
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // BAD: Reuse of `iv` in funcA1
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // $ Alert // BAD: Reuse of `iv` in funcA1
|
||||
byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
|
||||
}
|
||||
|
||||
@@ -73,13 +73,13 @@ public class Test {
|
||||
IvParameterSpec ivSpec1 = new IvParameterSpec(iv);
|
||||
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
|
||||
SecretKey key1 = generateAESKey();
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key1, ivSpec1); // BAD: reuse of `iv` below
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key1, ivSpec1); // $ Alert // BAD: reuse of `iv` below
|
||||
byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
|
||||
|
||||
IvParameterSpec ivSpec2 = new IvParameterSpec(iv);
|
||||
Cipher cipher2 = Cipher.getInstance("AES/CBC/PKCS5Padding");
|
||||
SecretKey key2 = generateAESKey();
|
||||
cipher2.init(Cipher.ENCRYPT_MODE, key2, ivSpec2); // BAD: Reuse of `iv` above
|
||||
cipher2.init(Cipher.ENCRYPT_MODE, key2, ivSpec2); // $ Alert // BAD: Reuse of `iv` above
|
||||
byte[] ciphertext2 = cipher2.doFinal("Simple Test Data".getBytes());
|
||||
}
|
||||
|
||||
|
||||
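Review bot: The expectation markers added to this fixture are unqualified (`// $ Source` on the `nextBytes` call and `// $ Alert` on each `cipher.init` call), whereas the other fixtures converted in this commit qualify them with the query id (for example `// $ Alert[java/command-line-injection-experimental]`); the FilePathInjection fixture uses the same unqualified form. If the inline-expectations postprocess accepts a bare tag when the .qlref runs a single query this is only a consistency point, but writing them as `// $ Alert[QUERY-ID]` (placeholder: the @id declared in ReusedNonce.ql) keeps the fixtures uniform and removes any ambiguity should a second query later be run against the same test. The methods containing the second, third and fourth hunks start outside the hunks.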
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -18,12 +18,12 @@ public class FilePathInjection extends Controller {
|
||||
|
||||
// BAD: Upload file to user specified path without validation
|
||||
public void uploadFile() throws IOException {
|
||||
String savePath = getPara("dir");
|
||||
String savePath = getPara("dir"); // $ Source
|
||||
File file = getFile("fileParam").getFile();
|
||||
String finalFilePath = BASE_PATH + savePath;
|
||||
|
||||
FileInputStream fis = new FileInputStream(file);
|
||||
FileOutputStream fos = new FileOutputStream(finalFilePath);
|
||||
FileOutputStream fos = new FileOutputStream(finalFilePath); // $ Alert
|
||||
int i = 0;
|
||||
|
||||
do {
|
||||
@@ -61,7 +61,7 @@ public class FilePathInjection extends Controller {
|
||||
|
||||
// BAD: Upload file to user specified path without validation through session attribute
|
||||
public void uploadFile3() throws IOException {
|
||||
String savePath = getPara("dir");
|
||||
String savePath = getPara("dir"); // $ Source
|
||||
setSessionAttr("uploadDir", savePath);
|
||||
String sessionUploadDir = getSessionAttr("uploadDir");
|
||||
|
||||
@@ -69,7 +69,7 @@ public class FilePathInjection extends Controller {
|
||||
String finalFilePath = BASE_PATH + sessionUploadDir;
|
||||
|
||||
FileInputStream fis = new FileInputStream(file);
|
||||
FileOutputStream fos = new FileOutputStream(finalFilePath);
|
||||
FileOutputStream fos = new FileOutputStream(finalFilePath); // $ Alert
|
||||
int i = 0;
|
||||
|
||||
do {
|
||||
@@ -84,7 +84,7 @@ public class FilePathInjection extends Controller {
|
||||
|
||||
// BAD: Upload file to user specified path without validation through request attribute
|
||||
public void uploadFile4() throws IOException {
|
||||
String savePath = getPara("dir");
|
||||
String savePath = getPara("dir"); // $ Source
|
||||
setAttr("uploadDir2", savePath);
|
||||
String requestUploadDir = getAttr("uploadDir2");
|
||||
|
||||
@@ -92,7 +92,7 @@ public class FilePathInjection extends Controller {
|
||||
String finalFilePath = BASE_PATH + requestUploadDir;
|
||||
|
||||
FileInputStream fis = new FileInputStream(file);
|
||||
FileOutputStream fos = new FileOutputStream(finalFilePath);
|
||||
FileOutputStream fos = new FileOutputStream(finalFilePath); // $ Alert
|
||||
int i = 0;
|
||||
|
||||
do {
|
||||
@@ -179,7 +179,7 @@ public class FilePathInjection extends Controller {
|
||||
FileInputStream fis = null;
|
||||
try {
|
||||
os = resp.getOutputStream();
|
||||
fis = new FileInputStream(file);
|
||||
fis = new FileInputStream(file); // $ Alert
|
||||
byte fileContent[] = new byte[(int) file.length()];
|
||||
fis.read(fileContent);
|
||||
os.write(fileContent);
|
||||
@@ -202,12 +202,12 @@ public class FilePathInjection extends Controller {
|
||||
// BAD: Download file to user specified path without validation
|
||||
public void downloadFile() throws FileNotFoundException, IOException {
|
||||
HttpServletRequest request = getRequest();
|
||||
String path = request.getParameter("path");
|
||||
String path = request.getParameter("path"); // $ Source
|
||||
String filePath = BASE_PATH + path;
|
||||
|
||||
HttpServletResponse resp = getResponse();
|
||||
File file = new File(filePath);
|
||||
if (path != null && file.exists()) {
|
||||
if (path != null && file.exists()) { // $ Alert
|
||||
resp.setHeader("Content-type", "application/force-download");
|
||||
resp.setHeader("Content-Disposition", "inline;filename=\"" + filePath + "\"");
|
||||
resp.setHeader("Content-Transfer-Encoding", "Binary");
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-073/FilePathInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-078/ExecTainted.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -11,7 +11,7 @@ public class JSchOSInjectionTest extends HttpServlet {
|
||||
String host = "sshHost";
|
||||
String user = "user";
|
||||
String password = "password";
|
||||
String command = request.getParameter("command");
|
||||
String command = request.getParameter("command"); // $ Source[java/command-line-injection-experimental]
|
||||
|
||||
java.util.Properties config = new java.util.Properties();
|
||||
config.put("StrictHostKeyChecking", "no");
|
||||
@@ -24,7 +24,7 @@ public class JSchOSInjectionTest extends HttpServlet {
|
||||
session.connect();
|
||||
|
||||
Channel channel = session.openChannel("exec");
|
||||
((ChannelExec) channel).setCommand("ping " + command);
|
||||
((ChannelExec) channel).setCommand("ping " + command); // $ Alert[java/command-line-injection-experimental]
|
||||
channel.setInputStream(null);
|
||||
((ChannelExec) channel).setErrStream(System.err);
|
||||
|
||||
@@ -37,7 +37,7 @@ public class JSchOSInjectionTest extends HttpServlet {
|
||||
String host = "sshHost";
|
||||
String user = "user";
|
||||
String password = "password";
|
||||
String command = request.getParameter("command");
|
||||
String command = request.getParameter("command"); // $ Source[java/command-line-injection-experimental]
|
||||
|
||||
java.util.Properties config = new java.util.Properties();
|
||||
config.put("StrictHostKeyChecking", "no");
|
||||
@@ -50,7 +50,7 @@ public class JSchOSInjectionTest extends HttpServlet {
|
||||
session.connect();
|
||||
|
||||
ChannelExec channel = (ChannelExec)session.openChannel("exec");
|
||||
channel.setCommand("ping " + command);
|
||||
channel.setCommand("ping " + command); // $ Alert[java/command-line-injection-experimental]
|
||||
channel.setInputStream(null);
|
||||
channel.setErrStream(System.err);
|
||||
|
||||
|
||||
@@ -14,29 +14,29 @@ public class RuntimeExecTest {
|
||||
public static void test() {
|
||||
System.out.println("Command injection test");
|
||||
|
||||
String script = System.getenv("SCRIPTNAME");
|
||||
String script = System.getenv("SCRIPTNAME"); // $ Source[java/command-line-injection-extra-local]
|
||||
|
||||
if (script != null) {
|
||||
try {
|
||||
// 1. array literal in the args
|
||||
Runtime.getRuntime().exec(new String[]{"/bin/sh", script});
|
||||
Runtime.getRuntime().exec(new String[]{"/bin/sh", script}); // $ Alert[java/command-line-injection-extra-local]
|
||||
|
||||
// 2. array literal with dataflow
|
||||
String[] commandArray1 = new String[]{"/bin/sh", script};
|
||||
Runtime.getRuntime().exec(commandArray1);
|
||||
Runtime.getRuntime().exec(commandArray1); // $ Alert[java/command-line-injection-extra-local]
|
||||
|
||||
// 3. array assignment after it is created
|
||||
String[] commandArray2 = new String[4];
|
||||
commandArray2[0] = "/bin/sh";
|
||||
commandArray2[1] = script;
|
||||
Runtime.getRuntime().exec(commandArray2);
|
||||
Runtime.getRuntime().exec(commandArray2); // $ Alert[java/command-line-injection-extra-local]
|
||||
|
||||
// 4. Stream concatenation
|
||||
Runtime.getRuntime().exec(
|
||||
Stream.concat(
|
||||
Stream.concat( // $
|
||||
Arrays.stream(new String[]{"/bin/sh"}),
|
||||
Arrays.stream(new String[]{script})
|
||||
).toArray(String[]::new)
|
||||
).toArray(String[]::new) // $ Alert[java/command-line-injection-extra-local]
|
||||
);
|
||||
|
||||
} catch (Exception e) {
|
||||
|
||||
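Review bot: `Stream.concat( // $` in the stream-concatenation case carries an empty expectation marker with no tag, which looks like a leftover of the conversion rather than an intended expectation; either drop that comment or, if the query does report an alert on that line, tag it as `Stream.concat( // $ Alert[java/command-line-injection-extra-local]`. The `Alert` for that case sits on the `).toArray(String[]::new)` line of a call spanning several lines, so it is worth confirming that is the line the query reports rather than the `Runtime.getRuntime().exec(` line. The `test` method's try/catch continues outside the hunk.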
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -16,55 +16,55 @@ public class MybatisSqlInjection {
|
||||
private MybatisSqlInjectionService mybatisSqlInjectionService;
|
||||
|
||||
@GetMapping(value = "msi1")
|
||||
public List<Test> bad1(@RequestParam String name) {
|
||||
public List<Test> bad1(@RequestParam String name) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
List<Test> result = mybatisSqlInjectionService.bad1(name);
|
||||
return result;
|
||||
}
|
||||
|
||||
@GetMapping(value = "msi2")
|
||||
public List<Test> bad2(@RequestParam String name) {
|
||||
public List<Test> bad2(@RequestParam String name) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
List<Test> result = mybatisSqlInjectionService.bad2(name);
|
||||
return result;
|
||||
}
|
||||
|
||||
@GetMapping(value = "msi3")
|
||||
public List<Test> bad3(@ModelAttribute Test test) {
|
||||
public List<Test> bad3(@ModelAttribute Test test) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
List<Test> result = mybatisSqlInjectionService.bad3(test);
|
||||
return result;
|
||||
}
|
||||
|
||||
@RequestMapping(value = "msi4", method = RequestMethod.POST, produces = "application/json")
|
||||
public void bad4(@RequestBody Test test) {
|
||||
public void bad4(@RequestBody Test test) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
mybatisSqlInjectionService.bad4(test);
|
||||
}
|
||||
|
||||
@RequestMapping(value = "msi5", method = RequestMethod.PUT, produces = "application/json")
|
||||
public void bad5(@RequestBody Test test) {
|
||||
public void bad5(@RequestBody Test test) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
mybatisSqlInjectionService.bad5(test);
|
||||
}
|
||||
|
||||
@RequestMapping(value = "msi6", method = RequestMethod.POST, produces = "application/json")
|
||||
public void bad6(@RequestBody Map<String, String> params) {
|
||||
public void bad6(@RequestBody Map<String, String> params) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
mybatisSqlInjectionService.bad6(params);
|
||||
}
|
||||
|
||||
@RequestMapping(value = "msi7", method = RequestMethod.POST, produces = "application/json")
|
||||
public void bad7(@RequestBody List<String> params) {
|
||||
public void bad7(@RequestBody List<String> params) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
mybatisSqlInjectionService.bad7(params);
|
||||
}
|
||||
|
||||
@RequestMapping(value = "msi8", method = RequestMethod.POST, produces = "application/json")
|
||||
public void bad8(@RequestBody String[] params) {
|
||||
public void bad8(@RequestBody String[] params) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
mybatisSqlInjectionService.bad8(params);
|
||||
}
|
||||
|
||||
@GetMapping(value = "msi9")
|
||||
public void bad9(@RequestParam String name) {
|
||||
public void bad9(@RequestParam String name) { // $ Source[java/mybatis-annotation-sql-injection]
|
||||
mybatisSqlInjectionService.bad9(name);
|
||||
}
|
||||
|
||||
@GetMapping(value = "msi10")
|
||||
public void bad10(@RequestParam Integer id, @RequestParam String name) {
|
||||
public void bad10(@RequestParam Integer id, @RequestParam String name) { // $ Source[java/mybatis-annotation-sql-injection]
|
||||
mybatisSqlInjectionService.bad10(id, name);
|
||||
}
|
||||
|
||||
|
||||
@@ -11,48 +11,48 @@ public class MybatisSqlInjectionService {
|
||||
private SqlInjectionMapper sqlInjectionMapper;
|
||||
|
||||
public List<Test> bad1(String name) {
|
||||
List<Test> result = sqlInjectionMapper.bad1(name);
|
||||
List<Test> result = sqlInjectionMapper.bad1(name); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
return result;
|
||||
}
|
||||
|
||||
public List<Test> bad2(String name) {
|
||||
List<Test> result = sqlInjectionMapper.bad2(name);
|
||||
List<Test> result = sqlInjectionMapper.bad2(name); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
return result;
|
||||
}
|
||||
|
||||
public List<Test> bad3(Test test) {
|
||||
List<Test> result = sqlInjectionMapper.bad3(test);
|
||||
List<Test> result = sqlInjectionMapper.bad3(test); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
return result;
|
||||
}
|
||||
|
||||
public void bad4(Test test) {
|
||||
sqlInjectionMapper.bad4(test);
|
||||
sqlInjectionMapper.bad4(test); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
}
|
||||
|
||||
public void bad5(Test test) {
|
||||
sqlInjectionMapper.bad5(test);
|
||||
sqlInjectionMapper.bad5(test); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
}
|
||||
|
||||
public void bad6(Map<String, String> params) {
|
||||
sqlInjectionMapper.bad6(params);
|
||||
sqlInjectionMapper.bad6(params); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
}
|
||||
|
||||
public void bad7(List<String> params) {
|
||||
sqlInjectionMapper.bad7(params);
|
||||
sqlInjectionMapper.bad7(params); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
}
|
||||
|
||||
public void bad8(String[] params) {
|
||||
sqlInjectionMapper.bad8(params);
|
||||
sqlInjectionMapper.bad8(params); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
}
|
||||
|
||||
public void bad9(String name) {
|
||||
HashMap hashMap = new HashMap();
|
||||
hashMap.put("name", name);
|
||||
sqlInjectionMapper.bad9(hashMap);
|
||||
sqlInjectionMapper.bad9(hashMap); // $ Alert[java/mybatis-annotation-sql-injection]
|
||||
}
|
||||
|
||||
public void bad10(Integer id, String name) {
|
||||
sqlInjectionMapper.bad10(id, name);
|
||||
sqlInjectionMapper.bad10(id, name); // $ Alert[java/mybatis-annotation-sql-injection]
|
||||
}
|
||||
|
||||
public List<Test> good1(Integer id) {
|
||||
|
||||
@@ -10,24 +10,24 @@ public class BeanShellInjection {
|
||||
|
||||
@GetMapping(value = "bad1")
|
||||
public void bad1(HttpServletRequest request) {
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/beanshell-injection]
|
||||
BshScriptEvaluator evaluator = new BshScriptEvaluator();
|
||||
evaluator.evaluate(new StaticScriptSource(code)); //bad
|
||||
evaluator.evaluate(new StaticScriptSource(code)); // $ Alert[java/beanshell-injection] //bad
|
||||
}
|
||||
|
||||
@GetMapping(value = "bad2")
|
||||
public void bad2(HttpServletRequest request) throws Exception {
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/beanshell-injection]
|
||||
Interpreter interpreter = new Interpreter();
|
||||
interpreter.eval(code); //bad
|
||||
interpreter.eval(code); // $ Alert[java/beanshell-injection] //bad
|
||||
}
|
||||
|
||||
@GetMapping(value = "bad3")
|
||||
public void bad3(HttpServletRequest request) {
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/beanshell-injection]
|
||||
StaticScriptSource staticScriptSource = new StaticScriptSource("test");
|
||||
staticScriptSource.setScript(code);
|
||||
BshScriptEvaluator evaluator = new BshScriptEvaluator();
|
||||
evaluator.evaluate(staticScriptSource); //bad
|
||||
evaluator.evaluate(staticScriptSource); // $ Alert[java/beanshell-injection] //bad
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-094/BeanShellInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -9,24 +9,24 @@ public class JShellInjection {
|
||||
|
||||
@GetMapping(value = "bad1")
|
||||
public void bad1(HttpServletRequest request) {
|
||||
String input = request.getParameter("code");
|
||||
String input = request.getParameter("code"); // $ Source[java/jshell-injection]
|
||||
JShell jShell = JShell.builder().build();
|
||||
// BAD: allow execution of arbitrary Java code
|
||||
jShell.eval(input);
|
||||
jShell.eval(input); // $ Alert[java/jshell-injection]
|
||||
}
|
||||
|
||||
@GetMapping(value = "bad2")
|
||||
public void bad2(HttpServletRequest request) {
|
||||
String input = request.getParameter("code");
|
||||
String input = request.getParameter("code"); // $ Source[java/jshell-injection]
|
||||
JShell jShell = JShell.builder().build();
|
||||
SourceCodeAnalysis sourceCodeAnalysis = jShell.sourceCodeAnalysis();
|
||||
// BAD: allow execution of arbitrary Java code
|
||||
sourceCodeAnalysis.wrappers(input);
|
||||
sourceCodeAnalysis.wrappers(input); // $ Alert[java/jshell-injection]
|
||||
}
|
||||
|
||||
@GetMapping(value = "bad3")
|
||||
public void bad3(HttpServletRequest request) {
|
||||
String input = request.getParameter("code");
|
||||
String input = request.getParameter("code"); // $ Source[java/jshell-injection]
|
||||
JShell jShell = JShell.builder().build();
|
||||
SourceCodeAnalysis.CompletionInfo info;
|
||||
SourceCodeAnalysis sca = jShell.sourceCodeAnalysis();
|
||||
@@ -34,7 +34,7 @@ public class JShellInjection {
|
||||
info.completeness().isComplete();
|
||||
info = sca.analyzeCompletion(info.remaining())) {
|
||||
// BAD: allow execution of arbitrary Java code
|
||||
jShell.eval(info.source());
|
||||
jShell.eval(info.source()); // $ Alert[java/jshell-injection]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-094/JShellInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -20,7 +20,7 @@ public class JakartaExpressionInjection {
|
||||
try (ServerSocket serverSocket = new ServerSocket(0)) {
|
||||
try (Socket socket = serverSocket.accept()) {
|
||||
byte[] bytes = new byte[1024];
|
||||
int n = socket.getInputStream().read(bytes);
|
||||
int n = socket.getInputStream().read(bytes); // $ Source[java/javaee-expression-injection]
|
||||
String expression = new String(bytes, 0, n);
|
||||
action.accept(expression);
|
||||
}
|
||||
@@ -31,7 +31,7 @@ public class JakartaExpressionInjection {
|
||||
private static void testWithELProcessorEval() throws IOException {
|
||||
testWithSocket(expression -> {
|
||||
ELProcessor processor = new ELProcessor();
|
||||
processor.eval(expression);
|
||||
processor.eval(expression); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -39,7 +39,7 @@ public class JakartaExpressionInjection {
|
||||
private static void testWithELProcessorGetValue() throws IOException {
|
||||
testWithSocket(expression -> {
|
||||
ELProcessor processor = new ELProcessor();
|
||||
processor.getValue(expression, Object.class);
|
||||
processor.getValue(expression, Object.class); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -50,7 +50,7 @@ public class JakartaExpressionInjection {
|
||||
StandardELContext context = new StandardELContext(factory);
|
||||
ValueExpression valueExpression = factory.createValueExpression(context, expression, Object.class);
|
||||
LambdaExpression lambdaExpression = new LambdaExpression(new ArrayList<>(), valueExpression);
|
||||
lambdaExpression.invoke(context, new Object[0]);
|
||||
lambdaExpression.invoke(context, new Object[0]); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -58,7 +58,7 @@ public class JakartaExpressionInjection {
|
||||
private static void testWithELProcessorSetValue() throws IOException {
|
||||
testWithSocket(expression -> {
|
||||
ELProcessor processor = new ELProcessor();
|
||||
processor.setValue(expression, new Object());
|
||||
processor.setValue(expression, new Object()); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -66,7 +66,7 @@ public class JakartaExpressionInjection {
|
||||
private static void testWithELProcessorSetVariable() throws IOException {
|
||||
testWithSocket(expression -> {
|
||||
ELProcessor processor = new ELProcessor();
|
||||
processor.setVariable("test", expression);
|
||||
processor.setVariable("test", expression); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -76,7 +76,7 @@ public class JakartaExpressionInjection {
|
||||
ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
|
||||
ELContext context = new de.odysseus.el.util.SimpleContext();
|
||||
ValueExpression e = factory.createValueExpression(context, expression, Object.class);
|
||||
e.getValue(context);
|
||||
e.getValue(context); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -86,7 +86,7 @@ public class JakartaExpressionInjection {
|
||||
ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
|
||||
ELContext context = new de.odysseus.el.util.SimpleContext();
|
||||
ValueExpression e = factory.createValueExpression(context, expression, Object.class);
|
||||
e.setValue(context, new Object());
|
||||
e.setValue(context, new Object()); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -96,7 +96,7 @@ public class JakartaExpressionInjection {
|
||||
ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
|
||||
ELContext context = new de.odysseus.el.util.SimpleContext();
|
||||
MethodExpression e = factory.createMethodExpression(context, expression, Object.class, new Class[0]);
|
||||
e.invoke(context, new Object[0]);
|
||||
e.invoke(context, new Object[0]); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
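Review bot: In the `testWithSocket` hunk the `read` call that now carries the `Source` marker returns -1 when the peer closes the connection without sending anything, and the following `new String(bytes, 0, n)` then throws an `IndexOutOfBoundsException`; the fixture also decodes with the platform default charset. A minimal guard that leaves the marked line untouched is `String expression = n < 0 ? "" : new String(bytes, 0, n, StandardCharsets.UTF_8);` (needs `java.nio.charset.StandardCharsets` in scope). As this is a query fixture the Source expectation stays on the `read` line either way. `testWithSocket` starts outside the hunk.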
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -25,7 +25,7 @@ public class JythonInjection extends HttpServlet {
|
||||
// BAD: allow execution of arbitrary Python code
|
||||
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
response.setContentType("text/plain");
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/jython-injection]
|
||||
PythonInterpreter interpreter = null;
|
||||
ByteArrayOutputStream out = new ByteArrayOutputStream();
|
||||
|
||||
@@ -33,7 +33,7 @@ public class JythonInjection extends HttpServlet {
|
||||
interpreter = new PythonInterpreter();
|
||||
interpreter.setOut(out);
|
||||
interpreter.setErr(out);
|
||||
interpreter.exec(code);
|
||||
interpreter.exec(code); // $ Alert[java/jython-injection]
|
||||
out.flush();
|
||||
|
||||
response.getWriter().print(out.toString());
|
||||
@@ -50,12 +50,12 @@ public class JythonInjection extends HttpServlet {
|
||||
// BAD: allow execution of arbitrary Python code
|
||||
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
response.setContentType("text/plain");
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/jython-injection]
|
||||
PythonInterpreter interpreter = null;
|
||||
|
||||
try {
|
||||
interpreter = new PythonInterpreter();
|
||||
PyObject py = interpreter.eval(code);
|
||||
PyObject py = interpreter.eval(code); // $ Alert[java/jython-injection]
|
||||
|
||||
response.getWriter().print(py.toString());
|
||||
} catch(PyException ex) {
|
||||
@@ -70,7 +70,7 @@ public class JythonInjection extends HttpServlet {
|
||||
// BAD: allow arbitrary Jython expression to run
|
||||
protected void doPut(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
response.setContentType("text/plain");
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/jython-injection]
|
||||
InteractiveInterpreter interpreter = null;
|
||||
ByteArrayOutputStream out = new ByteArrayOutputStream();
|
||||
|
||||
@@ -78,7 +78,7 @@ public class JythonInjection extends HttpServlet {
|
||||
interpreter = new InteractiveInterpreter();
|
||||
interpreter.setOut(out);
|
||||
interpreter.setErr(out);
|
||||
interpreter.runsource(code);
|
||||
interpreter.runsource(code); // $ Alert[java/jython-injection]
|
||||
out.flush();
|
||||
|
||||
response.getWriter().print(out.toString());
|
||||
@@ -94,7 +94,7 @@ public class JythonInjection extends HttpServlet {
|
||||
// BAD: load arbitrary class file to execute
|
||||
protected void doTrace(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
response.setContentType("text/plain");
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/jython-injection]
|
||||
PythonInterpreter interpreter = null;
|
||||
ByteArrayOutputStream out = new ByteArrayOutputStream();
|
||||
|
||||
@@ -103,7 +103,7 @@ public class JythonInjection extends HttpServlet {
|
||||
interpreter.setOut(out);
|
||||
interpreter.setErr(out);
|
||||
|
||||
PyCode pyCode = BytecodeLoader.makeCode("test", code.getBytes(), getServletContext().getRealPath("/com/example/test.pyc"));
|
||||
PyCode pyCode = BytecodeLoader.makeCode("test", code.getBytes(), getServletContext().getRealPath("/com/example/test.pyc")); // $ Alert[java/jython-injection]
|
||||
interpreter.exec(pyCode);
|
||||
out.flush();
|
||||
|
||||
@@ -128,7 +128,7 @@ public class JythonInjection extends HttpServlet {
|
||||
interpreter.setOut(out);
|
||||
interpreter.setErr(out);
|
||||
|
||||
PyCode pyCode = Py.compile(request.getInputStream(), "Test.py", org.python.core.CompileMode.eval);
|
||||
PyCode pyCode = Py.compile(request.getInputStream(), "Test.py", org.python.core.CompileMode.eval); // $ Alert[java/jython-injection]
|
||||
interpreter.exec(pyCode);
|
||||
out.flush();
|
||||
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-094/JythonInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -25,11 +25,11 @@ public class RhinoServlet extends HttpServlet {
|
||||
// BAD: allow arbitrary Java and JavaScript code to be executed
|
||||
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
response.setContentType("text/plain");
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/unsafe-eval]
|
||||
Context ctx = Context.enter();
|
||||
try {
|
||||
Scriptable scope = ctx.initStandardObjects();
|
||||
Object result = ctx.evaluateString(scope, code, "<code>", 1, null);
|
||||
Object result = ctx.evaluateString(scope, code, "<code>", 1, null); // $ Alert[java/unsafe-eval]
|
||||
response.getWriter().print(Context.toString(result));
|
||||
} catch(RhinoException ex) {
|
||||
response.getWriter().println(ex.getMessage());
|
||||
@@ -78,14 +78,14 @@ public class RhinoServlet extends HttpServlet {
|
||||
|
||||
// BAD: allow arbitrary code to be compiled for subsequent execution
|
||||
protected void doGet2(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/unsafe-eval]
|
||||
ClassCompiler compiler = new ClassCompiler(new CompilerEnvirons());
|
||||
Object[] objs = compiler.compileToClassFiles(code, "/sourceLocation", 1, "mainClassName");
|
||||
Object[] objs = compiler.compileToClassFiles(code, "/sourceLocation", 1, "mainClassName"); // $ Alert[java/unsafe-eval]
|
||||
}
|
||||
|
||||
// BAD: allow arbitrary code to be loaded for subsequent execution
|
||||
protected void doPost2(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
String code = request.getParameter("code");
|
||||
Class clazz = new DefiningClassLoader().defineClass("Powerfunc", code.getBytes());
|
||||
String code = request.getParameter("code"); // $ Source[java/unsafe-eval]
|
||||
Class clazz = new DefiningClassLoader().defineClass("Powerfunc", code.getBytes()); // $ Alert[java/unsafe-eval]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -21,14 +21,14 @@ public class ScriptEngineTest extends HttpServlet {
|
||||
ScriptEngineManager scriptEngineManager = new ScriptEngineManager();
|
||||
// Create with ScriptEngine reference
|
||||
ScriptEngine scriptEngine = scriptEngineManager.getEngineByExtension("js");
|
||||
Object result = scriptEngine.eval(input);
|
||||
Object result = scriptEngine.eval(input); // $ Alert[java/unsafe-eval]
|
||||
}
|
||||
|
||||
public void testNashornWithScriptEngineReference(String input) throws ScriptException {
|
||||
NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
|
||||
// Create Nashorn with ScriptEngine reference
|
||||
ScriptEngine engine = (NashornScriptEngine) factory.getScriptEngine(new String[] { "-scripting" });
|
||||
Object result = engine.eval(input);
|
||||
Object result = engine.eval(input); // $ Alert[java/unsafe-eval]
|
||||
}
|
||||
|
||||
|
||||
@@ -36,27 +36,27 @@ public class ScriptEngineTest extends HttpServlet {
|
||||
NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
|
||||
// Create Nashorn with NashornScriptEngine reference
|
||||
NashornScriptEngine engine = (NashornScriptEngine) factory.getScriptEngine(new String[] { "-scripting" });
|
||||
Object result = engine.eval(input);
|
||||
Object result = engine.eval(input); // $ Alert[java/unsafe-eval]
|
||||
}
|
||||
|
||||
public void testCustomScriptEngineReference(String input) throws ScriptException {
|
||||
MyCustomFactory factory = new MyCustomFactory();
|
||||
//Create with Custom Script Engine reference
|
||||
MyCustomScriptEngine engine = (MyCustomScriptEngine) factory.getScriptEngine(new String[] { "-scripting" });
|
||||
Object result = engine.eval(input);
|
||||
Object result = engine.eval(input); // $ Alert[java/unsafe-eval]
|
||||
}
|
||||
|
||||
public void testScriptEngineCompilable(String input) throws ScriptException {
|
||||
NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
|
||||
Compilable engine = (Compilable) factory.getScriptEngine(new String[] { "-scripting" });
|
||||
CompiledScript script = engine.compile(input);
|
||||
CompiledScript script = engine.compile(input); // $ Alert[java/unsafe-eval]
|
||||
Object result = script.eval();
|
||||
}
|
||||
|
||||
public void testScriptEngineGetProgram(String input) throws ScriptException {
|
||||
ScriptEngineManager scriptEngineManager = new ScriptEngineManager();
|
||||
ScriptEngine engine = scriptEngineManager.getEngineByName("nashorn");
|
||||
String program = engine.getFactory().getProgram(input);
|
||||
String program = engine.getFactory().getProgram(input); // $ Alert[java/unsafe-eval]
|
||||
Object result = engine.eval(program);
|
||||
}
|
||||
|
||||
@@ -88,7 +88,7 @@ public class ScriptEngineTest extends HttpServlet {
|
||||
|
||||
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
try {
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/unsafe-eval]
|
||||
|
||||
new ScriptEngineTest().testWithScriptEngineReference(code);
|
||||
new ScriptEngineTest().testNashornWithScriptEngineReference(code);
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-094/ScriptInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -42,7 +42,7 @@ public class FileService extends Service {
|
||||
|
||||
try {
|
||||
String[] uris = (String[]) params[1];
|
||||
outputStream = new FileOutputStream(uris[0]);
|
||||
outputStream = new FileOutputStream(uris[0]); // $ Alert[java/sensitive-android-file-leak]
|
||||
return "success";
|
||||
} catch (Exception e) {
|
||||
}
|
||||
|
||||
@@ -25,7 +25,7 @@ public class InsecureWebResourceResponse extends Activity {
|
||||
super.onCreate(savedInstanceState);
|
||||
setContentView(-1);
|
||||
|
||||
String inputUrl = getIntent().getStringExtra("inputUrl");
|
||||
String inputUrl = getIntent().getStringExtra("inputUrl"); // $ Source[java/insecure-webview-resource-response]
|
||||
|
||||
getBadResponse1(inputUrl);
|
||||
|
||||
@@ -65,7 +65,7 @@ public class InsecureWebResourceResponse extends Activity {
|
||||
Uri uri = Uri.parse(url);
|
||||
FileInputStream inputStream = new FileInputStream(uri.getPath());
|
||||
String mimeType = getMimeTypeFromPath(uri.getPath());
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream);
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream); // $ Alert[java/insecure-webview-resource-response]
|
||||
} catch (IOException ie) {
|
||||
return new WebResourceResponse("text/plain", "UTF-8", null);
|
||||
}
|
||||
@@ -88,7 +88,7 @@ public class InsecureWebResourceResponse extends Activity {
|
||||
File cacheFile = new File(getCacheDir(), uri.getLastPathSegment());
|
||||
FileInputStream inputStream = new FileInputStream(cacheFile);
|
||||
String mimeType = getMimeTypeFromPath(uri.getPath());
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream);
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream); // $ Alert[java/insecure-webview-resource-response]
|
||||
} else {
|
||||
return new WebResourceResponse("text/plain", "UTF-8", null);
|
||||
}
|
||||
@@ -114,7 +114,7 @@ public class InsecureWebResourceResponse extends Activity {
|
||||
if (path.startsWith("files/")) {
|
||||
FileInputStream inputStream = new FileInputStream(path.substring("files/".length()));
|
||||
String mimeType = getMimeTypeFromPath(uri.getPath());
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream);
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream); // $ Alert[java/insecure-webview-resource-response]
|
||||
} else {
|
||||
return new WebResourceResponse("text/plain", "UTF-8", null);
|
||||
}
|
||||
@@ -196,7 +196,7 @@ public class InsecureWebResourceResponse extends Activity {
|
||||
File cacheFile = new File(getCacheDir(), uri.getLastPathSegment());
|
||||
FileInputStream inputStream = new FileInputStream(cacheFile);
|
||||
String mimeType = getMimeTypeFromPath(uri.getPath());
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream);
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream); // $ Alert[java/insecure-webview-resource-response]
|
||||
} else {
|
||||
return new WebResourceResponse("text/plain", "UTF-8", null);
|
||||
}
|
||||
@@ -234,7 +234,7 @@ class VulnerableWebViewClient extends WebViewClient {
|
||||
Uri uri = Uri.parse(url);
|
||||
FileInputStream inputStream = new FileInputStream(uri.getPath());
|
||||
String mimeType = InsecureWebResourceResponse.getMimeTypeFromPath(uri.getPath());
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream);
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream); // $ Alert[java/insecure-webview-resource-response]
|
||||
} catch (IOException ie) {
|
||||
return new WebResourceResponse("text/plain", "UTF-8", null);
|
||||
}
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -24,7 +24,7 @@ public class InsecureWebViewActivity extends Activity {
|
||||
setContentView(-1);
|
||||
webview = (VulnerableWebView) findViewById(-1);
|
||||
|
||||
String inputUrl = getIntent().getStringExtra("inputUrl");
|
||||
String inputUrl = getIntent().getStringExtra("inputUrl"); // $ Source[java/insecure-webview-resource-response]
|
||||
loadWebUrl(inputUrl);
|
||||
}
|
||||
|
||||
@@ -55,7 +55,7 @@ class VulnerableWebView extends WebView {
|
||||
Uri uri = Uri.parse(url);
|
||||
FileInputStream inputStream = new FileInputStream(uri.getPath());
|
||||
String mimeType = InsecureWebViewActivity.getMimeTypeFromPath(uri.getPath());
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream);
|
||||
return new WebResourceResponse(mimeType, "UTF-8", inputStream); // $ Alert[java/insecure-webview-resource-response]
|
||||
} catch (IOException ie) {
|
||||
return new WebResourceResponse("text/plain", "UTF-8", null);
|
||||
}
|
||||
|
||||
@@ -11,14 +11,14 @@ public class LeakFileActivity extends Activity {
|
||||
protected void onActivityResult(int requestCode, int resultCode, Intent data) {
|
||||
if (requestCode == GetFileActivity.REQUEST_CODE__SELECT_CONTENT_FROM_APPS &&
|
||||
resultCode == RESULT_OK) {
|
||||
loadOfContentFromApps(data, resultCode);
|
||||
loadOfContentFromApps(data, resultCode); // $ Source[java/sensitive-android-file-leak]
|
||||
}
|
||||
}
|
||||
|
||||
private void loadOfContentFromApps(Intent contentIntent, int resultCode) {
|
||||
Uri streamsToUpload = contentIntent.getData();
|
||||
try {
|
||||
RandomAccessFile file = new RandomAccessFile(streamsToUpload.getPath(), "r");
|
||||
RandomAccessFile file = new RandomAccessFile(streamsToUpload.getPath(), "r"); // $ Alert[java/sensitive-android-file-leak]
|
||||
} catch (Exception ex) {
|
||||
ex.printStackTrace();
|
||||
}
|
||||
|
||||
@@ -12,8 +12,8 @@ public class LeakFileActivity2 extends Activity {
|
||||
if (requestCode == GetFileActivity.REQUEST_CODE__SELECT_CONTENT_FROM_APPS &&
|
||||
resultCode == RESULT_OK) {
|
||||
Intent intent = new Intent(this, FileService.class);
|
||||
intent.putExtra(FileService.KEY_LOCAL_FILE, localPath);
|
||||
startService(intent);
|
||||
intent.putExtra(FileService.KEY_LOCAL_FILE, localPath); // $ Source[java/sensitive-android-file-leak]
|
||||
startService(intent); // $ Source[java/sensitive-android-file-leak]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-200/SensitiveAndroidFileLeak.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -11,8 +11,8 @@ public class Test {
|
||||
// BAD: compare MACs using a not-constant time method
|
||||
public boolean unsafeMacCheck(byte[] expectedMac, byte[] data) throws Exception {
|
||||
Mac mac = Mac.getInstance("HmacSHA256");
|
||||
byte[] actualMac = mac.doFinal(data);
|
||||
return Arrays.equals(expectedMac, actualMac);
|
||||
byte[] actualMac = mac.doFinal(data); // $ Source
|
||||
return Arrays.equals(expectedMac, actualMac); // $ Alert
|
||||
}
|
||||
|
||||
// GOOD: compare MACs using a constant time method
|
||||
@@ -27,8 +27,8 @@ public class Test {
|
||||
Signature engine = Signature.getInstance("SHA256withRSA");
|
||||
engine.initSign(key);
|
||||
engine.update(data);
|
||||
byte[] signature = engine.sign();
|
||||
return Arrays.equals(expected, signature);
|
||||
byte[] signature = engine.sign(); // $ Source
|
||||
return Arrays.equals(expected, signature); // $ Alert
|
||||
}
|
||||
|
||||
// GOOD: compare signatures using a constant time method
|
||||
@@ -44,8 +44,8 @@ public class Test {
|
||||
public boolean unsafeCheckCustomMac(byte[] expected, byte[] plaintext, Key key) throws Exception {
|
||||
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key);
|
||||
byte[] tag = cipher.doFinal(plaintext);
|
||||
return Arrays.equals(expected, tag);
|
||||
byte[] tag = cipher.doFinal(plaintext); // $ Source
|
||||
return Arrays.equals(expected, tag); // $ Alert
|
||||
}
|
||||
|
||||
// GOOD: compare ciphertexts using a constant time method
|
||||
@@ -56,4 +56,4 @@ public class Test {
|
||||
return MessageDigest.isEqual(expected, tag);
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -7,7 +7,7 @@ import java.lang.String;
|
||||
public class Test {
|
||||
private boolean UnsafeComparison(HttpServletRequest request) {
|
||||
String Key = "secret";
|
||||
return Key.equals(request.getHeader("X-Auth-Token"));
|
||||
return Key.equals(request.getHeader("X-Auth-Token")); // $ Alert
|
||||
}
|
||||
|
||||
private boolean safeComparison(HttpServletRequest request) {
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql
|
||||
query: experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -18,9 +18,9 @@ public class Test {
|
||||
Mac mac = Mac.getInstance("HmacSHA256");
|
||||
byte[] data = new byte[1024];
|
||||
is.read(data);
|
||||
byte[] actualMac = mac.doFinal(data);
|
||||
byte[] actualMac = mac.doFinal(data); // $ Source
|
||||
byte[] expectedMac = is.readNBytes(32);
|
||||
return Arrays.equals(expectedMac, actualMac);
|
||||
return Arrays.equals(expectedMac, actualMac); // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
@@ -31,9 +31,9 @@ public class Test {
|
||||
Mac mac = Mac.getInstance("HmacSHA256");
|
||||
byte[] actualMac = new byte[256];
|
||||
mac.update(data);
|
||||
mac.doFinal(actualMac, 0);
|
||||
mac.doFinal(actualMac, 0); // $ Source
|
||||
byte[] expectedMac = socket.getInputStream().readNBytes(256);
|
||||
return Arrays.equals(expectedMac, actualMac);
|
||||
return Arrays.equals(expectedMac, actualMac); // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
@@ -56,9 +56,9 @@ public class Test {
|
||||
engine.initSign(key);
|
||||
byte[] data = socket.getInputStream().readAllBytes();
|
||||
engine.update(data);
|
||||
byte[] signature = engine.sign();
|
||||
byte[] signature = engine.sign(); // $ Source
|
||||
byte[] expected = is.readNBytes(256);
|
||||
return Arrays.equals(expected, signature);
|
||||
return Arrays.equals(expected, signature); // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
@@ -70,9 +70,9 @@ public class Test {
|
||||
byte[] data = socket.getInputStream().readAllBytes();
|
||||
engine.update(data);
|
||||
byte[] signature = new byte[1024];
|
||||
engine.sign(signature, 0, 1024);
|
||||
engine.sign(signature, 0, 1024); // $ Source
|
||||
byte[] expected = is.readNBytes(256);
|
||||
return Arrays.equals(expected, signature);
|
||||
return Arrays.equals(expected, signature); // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
@@ -96,9 +96,9 @@ public class Test {
|
||||
byte[] hash = MessageDigest.getInstance("SHA-256").digest(plaintext);
|
||||
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key);
|
||||
byte[] tag = cipher.doFinal(hash);
|
||||
byte[] tag = cipher.doFinal(hash); // $ Source
|
||||
byte[] expected = socket.getInputStream().readAllBytes();
|
||||
return Objects.deepEquals(expected, tag);
|
||||
return Objects.deepEquals(expected, tag); // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
@@ -113,9 +113,9 @@ public class Test {
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key);
|
||||
cipher.update(hash);
|
||||
byte[] tag = new byte[1024];
|
||||
cipher.doFinal(tag, 0);
|
||||
cipher.doFinal(tag, 0); // $ Source
|
||||
byte[] expected = is.readNBytes(32);
|
||||
return Arrays.equals(expected, tag);
|
||||
return Arrays.equals(expected, tag); // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
@@ -131,9 +131,9 @@ public class Test {
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key);
|
||||
cipher.update(hash);
|
||||
ByteBuffer tag = ByteBuffer.wrap(new byte[1024]);
|
||||
cipher.doFinal(ByteBuffer.wrap(plaintext), tag);
|
||||
cipher.doFinal(ByteBuffer.wrap(plaintext), tag); // $ Source
|
||||
byte[] expected = socket.getInputStream().readNBytes(1024);
|
||||
return Arrays.equals(expected, tag.array());
|
||||
return Arrays.equals(expected, tag.array()); // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
@@ -145,9 +145,9 @@ public class Test {
|
||||
byte[] plaintext = socket.getInputStream().readAllBytes();
|
||||
cipher.update(plaintext);
|
||||
ByteBuffer tag = ByteBuffer.wrap(new byte[1024]);
|
||||
cipher.doFinal(ByteBuffer.wrap(plaintext), tag);
|
||||
cipher.doFinal(ByteBuffer.wrap(plaintext), tag); // $ Source
|
||||
byte[] expected = is.readNBytes(32);
|
||||
return ByteBuffer.wrap(expected).equals(tag);
|
||||
return ByteBuffer.wrap(expected).equals(tag); // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
@@ -171,9 +171,9 @@ public class Test {
|
||||
byte[] plaintext = is.readNBytes(100);
|
||||
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key);
|
||||
byte[] tag = cipher.doFinal(plaintext);
|
||||
byte[] tag = cipher.doFinal(plaintext); // $ Source
|
||||
byte[] expected = is.readNBytes(32);
|
||||
return Arrays.equals(expected, tag);
|
||||
return Arrays.equals(expected, tag); // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
@@ -233,4 +233,4 @@ public class Test {
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
|
||||
query: experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -14,7 +14,7 @@ public class JxBrowserWithoutCertValidationV6_23_1 {
|
||||
}
|
||||
|
||||
private static void badUsage() {
|
||||
Browser browser = new Browser();
|
||||
Browser browser = new Browser(); // $ Alert
|
||||
browser.loadURL("https://example.com");
|
||||
// no further calls
|
||||
// BAD: The browser ignores any certificate error by default!
|
||||
@@ -33,4 +33,4 @@ public class JxBrowserWithoutCertValidationV6_23_1 {
|
||||
}); // GOOD: A secure `LoadHandler` is used.
|
||||
browser.loadURL("https://example.com");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
|
||||
query: experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -13,7 +13,7 @@ public class IgnoredHostnameVerification {
|
||||
|
||||
SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
|
||||
socket.startHandshake();
|
||||
verifier.verify(host, socket.getSession());
|
||||
verifier.verify(host, socket.getSession()); // $ Alert[java/ignored-hostname-verification]
|
||||
return socket;
|
||||
}
|
||||
|
||||
@@ -109,4 +109,4 @@ public class IgnoredHostnameVerification {
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql
|
||||
query: experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -16,7 +16,7 @@ public class InsecureLdapEndpoint {
|
||||
env.put(Context.SECURITY_CREDENTIALS, "secpassword");
|
||||
|
||||
// Disable SSL endpoint check
|
||||
System.setProperty("com.sun.jndi.ldap.object.disableEndpointIdentification", "true");
|
||||
System.setProperty("com.sun.jndi.ldap.object.disableEndpointIdentification", "true"); // $ Alert[java/insecure-ldaps-endpoint]
|
||||
|
||||
return env;
|
||||
}
|
||||
@@ -47,7 +47,7 @@ public class InsecureLdapEndpoint {
|
||||
// Disable SSL endpoint check
|
||||
Properties properties = new Properties();
|
||||
properties.setProperty("com.sun.jndi.ldap.object.disableEndpointIdentification", "true");
|
||||
System.setProperties(properties);
|
||||
System.setProperties(properties); // $ Alert[java/insecure-ldaps-endpoint]
|
||||
|
||||
return env;
|
||||
}
|
||||
@@ -65,7 +65,7 @@ public class InsecureLdapEndpoint {
|
||||
// Disable SSL endpoint check
|
||||
Properties properties = new Properties();
|
||||
properties.put("com.sun.jndi.ldap.object.disableEndpointIdentification", "true");
|
||||
System.setProperties(properties);
|
||||
System.setProperties(properties); // $ Alert[java/insecure-ldaps-endpoint]
|
||||
|
||||
return env;
|
||||
}
|
||||
@@ -81,7 +81,7 @@ public class InsecureLdapEndpoint {
|
||||
env.put(Context.SECURITY_CREDENTIALS, "secpassword");
|
||||
|
||||
// Disable SSL endpoint check
|
||||
System.setProperty(PROP_DISABLE_LDAP_ENDPOINT_IDENTIFICATION, Boolean.TRUE.toString());
|
||||
System.setProperty(PROP_DISABLE_LDAP_ENDPOINT_IDENTIFICATION, Boolean.TRUE.toString()); // $ Alert[java/insecure-ldaps-endpoint]
|
||||
|
||||
return env;
|
||||
}
|
||||
@@ -99,7 +99,7 @@ public class InsecureLdapEndpoint {
|
||||
// Disable SSL endpoint check
|
||||
Properties properties = new Properties();
|
||||
properties.put("com.sun.jndi.ldap.object.disableEndpointIdentification", true);
|
||||
System.setProperties(properties);
|
||||
System.setProperties(properties); // $ Alert[java/insecure-ldaps-endpoint]
|
||||
|
||||
return env;
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql
|
||||
query: experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -14,7 +14,7 @@ public class DisabledRevocationChecking {
|
||||
private boolean flag = true;
|
||||
|
||||
public void disableRevocationChecking() {
|
||||
flag = false;
|
||||
flag = false; // $ Alert
|
||||
}
|
||||
|
||||
public void testDisabledRevocationChecking(KeyStore cacerts, CertPath certPath) throws Exception {
|
||||
@@ -25,7 +25,7 @@ public class DisabledRevocationChecking {
|
||||
public void validate(KeyStore cacerts, CertPath certPath) throws Exception {
|
||||
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
|
||||
PKIXParameters params = new PKIXParameters(cacerts);
|
||||
params.setRevocationEnabled(flag);
|
||||
params.setRevocationEnabled(flag); // $ Sink
|
||||
validator.validate(certPath, params);
|
||||
}
|
||||
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-299/DisabledRevocationChecking.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -13,12 +13,12 @@ public class UnsafeTlsVersion {
|
||||
public static void testSslContextWithProtocol() throws NoSuchAlgorithmException {
|
||||
|
||||
// unsafe
|
||||
SSLContext.getInstance("SSL");
|
||||
SSLContext.getInstance("SSLv2");
|
||||
SSLContext.getInstance("SSLv3");
|
||||
SSLContext.getInstance("TLS");
|
||||
SSLContext.getInstance("TLSv1");
|
||||
SSLContext.getInstance("TLSv1.1");
|
||||
SSLContext.getInstance("SSL"); // $ Alert
|
||||
SSLContext.getInstance("SSLv2"); // $ Alert
|
||||
SSLContext.getInstance("SSLv3"); // $ Alert
|
||||
SSLContext.getInstance("TLS"); // $ Alert
|
||||
SSLContext.getInstance("TLSv1"); // $ Alert
|
||||
SSLContext.getInstance("TLSv1.1"); // $ Alert
|
||||
|
||||
// safe
|
||||
SSLContext.getInstance("TLSv1.2");
|
||||
@@ -28,11 +28,11 @@ public class UnsafeTlsVersion {
|
||||
public static void testCreateSslParametersWithProtocol(String[] cipherSuites) {
|
||||
|
||||
// unsafe
|
||||
createSslParameters(cipherSuites, "SSLv3");
|
||||
createSslParameters(cipherSuites, "TLS");
|
||||
createSslParameters(cipherSuites, "TLSv1");
|
||||
createSslParameters(cipherSuites, "TLSv1.1");
|
||||
createSslParameters(cipherSuites, "TLSv1", "TLSv1.1", "TLSv1.2");
|
||||
createSslParameters(cipherSuites, "SSLv3"); // $ Source
|
||||
createSslParameters(cipherSuites, "TLS"); // $ Source
|
||||
createSslParameters(cipherSuites, "TLSv1"); // $ Source
|
||||
createSslParameters(cipherSuites, "TLSv1.1"); // $ Source
|
||||
createSslParameters(cipherSuites, "TLSv1", "TLSv1.1", "TLSv1.2"); // $ Source
|
||||
createSslParameters(cipherSuites, "TLSv1.2");
|
||||
|
||||
// safe
|
||||
@@ -41,19 +41,19 @@ public class UnsafeTlsVersion {
|
||||
}
|
||||
|
||||
public static SSLParameters createSslParameters(String[] cipherSuites, String... protocols) {
|
||||
return new SSLParameters(cipherSuites, protocols);
|
||||
return new SSLParameters(cipherSuites, protocols); // $ Alert
|
||||
}
|
||||
|
||||
public static void testSettingProtocolsForSslParameters() {
|
||||
|
||||
// unsafe
|
||||
new SSLParameters().setProtocols(new String[] { "SSLv3" });
|
||||
new SSLParameters().setProtocols(new String[] { "TLS" });
|
||||
new SSLParameters().setProtocols(new String[] { "TLSv1" });
|
||||
new SSLParameters().setProtocols(new String[] { "TLSv1.1" });
|
||||
new SSLParameters().setProtocols(new String[] { "SSLv3" }); // $ Alert
|
||||
new SSLParameters().setProtocols(new String[] { "TLS" }); // $ Alert
|
||||
new SSLParameters().setProtocols(new String[] { "TLSv1" }); // $ Alert
|
||||
new SSLParameters().setProtocols(new String[] { "TLSv1.1" }); // $ Alert
|
||||
|
||||
SSLParameters parameters = new SSLParameters();
|
||||
parameters.setProtocols(new String[] { "TLSv1.1", "TLSv1.2" });
|
||||
parameters.setProtocols(new String[] { "TLSv1.1", "TLSv1.2" }); // $ Alert
|
||||
|
||||
// safe
|
||||
new SSLParameters().setProtocols(new String[] { "TLSv1.2" });
|
||||
@@ -65,11 +65,11 @@ public class UnsafeTlsVersion {
|
||||
public static void testSettingProtocolForSslSocket() throws IOException {
|
||||
|
||||
// unsafe
|
||||
createSslSocket("SSLv3");
|
||||
createSslSocket("TLS");
|
||||
createSslSocket("TLSv1");
|
||||
createSslSocket("TLSv1.1");
|
||||
createSslSocket("TLSv1.1", "TLSv1.2");
|
||||
createSslSocket("SSLv3"); // $ Source
|
||||
createSslSocket("TLS"); // $ Source
|
||||
createSslSocket("TLSv1"); // $ Source
|
||||
createSslSocket("TLSv1.1"); // $ Source
|
||||
createSslSocket("TLSv1.1", "TLSv1.2"); // $ Source
|
||||
|
||||
// safe
|
||||
createSslSocket("TLSv1.2");
|
||||
@@ -78,18 +78,18 @@ public class UnsafeTlsVersion {
|
||||
|
||||
public static SSLSocket createSslSocket(String... protocols) throws IOException {
|
||||
SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket();
|
||||
socket.setEnabledProtocols(protocols);
|
||||
socket.setEnabledProtocols(protocols); // $ Alert
|
||||
return socket;
|
||||
}
|
||||
|
||||
public static void testSettingProtocolForSslServerSocket() throws IOException {
|
||||
|
||||
// unsafe
|
||||
createSslServerSocket("SSLv3");
|
||||
createSslServerSocket("TLS");
|
||||
createSslServerSocket("TLSv1");
|
||||
createSslServerSocket("TLSv1.1");
|
||||
createSslServerSocket("TLSv1.1", "TLSv1.2");
|
||||
createSslServerSocket("SSLv3"); // $ Source
|
||||
createSslServerSocket("TLS"); // $ Source
|
||||
createSslServerSocket("TLSv1"); // $ Source
|
||||
createSslServerSocket("TLSv1.1"); // $ Source
|
||||
createSslServerSocket("TLSv1.1", "TLSv1.2"); // $ Source
|
||||
|
||||
// safe
|
||||
createSslServerSocket("TLSv1.2");
|
||||
@@ -98,18 +98,18 @@ public class UnsafeTlsVersion {
|
||||
|
||||
public static SSLServerSocket createSslServerSocket(String... protocols) throws IOException {
|
||||
SSLServerSocket socket = (SSLServerSocket) SSLServerSocketFactory.getDefault().createServerSocket();
|
||||
socket.setEnabledProtocols(protocols);
|
||||
socket.setEnabledProtocols(protocols); // $ Alert
|
||||
return socket;
|
||||
}
|
||||
|
||||
public static void testSettingProtocolForSslEngine() throws NoSuchAlgorithmException {
|
||||
|
||||
// unsafe
|
||||
createSslEngine("SSLv3");
|
||||
createSslEngine("TLS");
|
||||
createSslEngine("TLSv1");
|
||||
createSslEngine("TLSv1.1");
|
||||
createSslEngine("TLSv1.1", "TLSv1.2");
|
||||
createSslEngine("SSLv3"); // $ Source
|
||||
createSslEngine("TLS"); // $ Source
|
||||
createSslEngine("TLSv1"); // $ Source
|
||||
createSslEngine("TLSv1.1"); // $ Source
|
||||
createSslEngine("TLSv1.1", "TLSv1.2"); // $ Source
|
||||
|
||||
// safe
|
||||
createSslEngine("TLSv1.2");
|
||||
@@ -118,7 +118,7 @@ public class UnsafeTlsVersion {
|
||||
|
||||
public static SSLEngine createSslEngine(String... protocols) throws NoSuchAlgorithmException {
|
||||
SSLEngine engine = SSLContext.getDefault().createSSLEngine();
|
||||
engine.setEnabledProtocols(protocols);
|
||||
engine.setEnabledProtocols(protocols); // $ Alert
|
||||
return engine;
|
||||
}
|
||||
}
|
||||
|
||||
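Review bot: In testCreateSslParametersWithProtocol the untagged call `createSslParameters(cipherSuites, "TLSv1.2");` sits at the end of the `// unsafe` group, immediately after the five lines now marked `// $ Source`, whereas the sibling methods testSettingProtocolForSslSocket, testSettingProtocolForSslServerSocket and testSettingProtocolForSslEngine keep their TLSv1.2-only call under `// safe`. With the expectations now inline, an unmarked line inside the unsafe group reads as either a missing `$ Source` or a misplaced negative case. If it is the negative case, moving it below the `// safe` comment as in the other methods makes the expectation explicit; if the previous .expected output listed a path from it, it needs a `// $ Source` tag like its neighbours. The `// safe` groups of these methods continue past the hunk boundaries, so I cannot see whether a duplicate TLSv1.2 call already exists there.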
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-327/UnsafeTlsVersion.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -18,13 +18,13 @@ public class UnvalidatedCors implements Filter {
|
||||
FilterChain chain) throws IOException, ServletException {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
HttpServletResponse response = (HttpServletResponse) res;
|
||||
String url = request.getHeader("Origin");
|
||||
String url = request.getHeader("Origin"); // $ Source
|
||||
|
||||
if (!StringUtils.isEmpty(url)) {
|
||||
String val = response.getHeader("Access-Control-Allow-Origin");
|
||||
|
||||
if (StringUtils.isEmpty(val)) {
|
||||
response.addHeader("Access-Control-Allow-Origin", url);
|
||||
response.addHeader("Access-Control-Allow-Origin", url); // $ Alert
|
||||
response.addHeader("Access-Control-Allow-Credentials", "true");
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-347/Auth0NoVerifier.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -41,7 +41,7 @@ public class JwtNoVerifier extends HttpServlet {
|
||||
PrintWriter out = response.getWriter();
|
||||
|
||||
// NOT OK: only decode, no verification
|
||||
String JwtToken1 = request.getParameter("JWT2");
|
||||
String JwtToken1 = request.getParameter("JWT2"); // $ Source
|
||||
String userName = decodeToken(JwtToken1);
|
||||
if (Objects.equals(userName, "Admin")) {
|
||||
out.println("<html><body>");
|
||||
@@ -55,7 +55,7 @@ public class JwtNoVerifier extends HttpServlet {
|
||||
JWT.decode(JwtToken2);
|
||||
|
||||
// NOT OK: only decode, no verification
|
||||
String JwtToken3 = (String) authToken.getCredentials();
|
||||
String JwtToken3 = (String) authToken.getCredentials(); // $ Source
|
||||
userName = decodeToken(JwtToken3);
|
||||
if (Objects.equals(userName, "Admin")) {
|
||||
out.println("<html><body>");
|
||||
@@ -88,7 +88,7 @@ public class JwtNoVerifier extends HttpServlet {
|
||||
|
||||
public static String decodeToken(final String token) {
|
||||
DecodedJWT jwt = JWT.decode(token);
|
||||
return Optional.of(jwt).map(item -> item.getClaim("userName").asString()).orElse("");
|
||||
return Optional.of(jwt).map(item -> item.getClaim("userName").asString()).orElse(""); // $ Alert
|
||||
}
|
||||
|
||||
|
||||
|
||||
@@ -14,7 +14,7 @@ public class ClientSuppliedIpUsedInSecurityCheck {
|
||||
@GetMapping(value = "bad1")
|
||||
public void bad1(HttpServletRequest request) {
|
||||
String ip = getClientIP();
|
||||
if (!StringUtils.startsWith(ip, "192.168.")) {
|
||||
if (!StringUtils.startsWith(ip, "192.168.")) { // $ Alert
|
||||
new Exception("ip illegal");
|
||||
}
|
||||
}
|
||||
@@ -22,7 +22,7 @@ public class ClientSuppliedIpUsedInSecurityCheck {
|
||||
@GetMapping(value = "bad2")
|
||||
public void bad2(HttpServletRequest request) {
|
||||
String ip = getClientIP();
|
||||
if (!"127.0.0.1".equals(ip)) {
|
||||
if (!"127.0.0.1".equals(ip)) { // $ Alert
|
||||
new Exception("ip illegal");
|
||||
}
|
||||
}
|
||||
@@ -40,7 +40,7 @@ public class ClientSuppliedIpUsedInSecurityCheck {
|
||||
}
|
||||
|
||||
protected String getClientIP() {
|
||||
String xfHeader = request.getHeader("X-Forwarded-For");
|
||||
String xfHeader = request.getHeader("X-Forwarded-For"); // $ Source
|
||||
if (xfHeader == null) {
|
||||
return request.getRemoteAddr();
|
||||
}
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -30,79 +30,79 @@ public class JsonpController {
|
||||
@ResponseBody
|
||||
public String bad1(HttpServletRequest request) {
|
||||
String resultStr = null;
|
||||
String jsonpCallback = request.getParameter("jsonpCallback");
|
||||
String jsonpCallback = request.getParameter("jsonpCallback"); // $ Source
|
||||
Gson gson = new Gson();
|
||||
String result = gson.toJson(hashMap);
|
||||
resultStr = jsonpCallback + "(" + result + ")";
|
||||
return resultStr;
|
||||
return resultStr; // $ Alert
|
||||
}
|
||||
|
||||
@GetMapping(value = "jsonp2")
|
||||
@ResponseBody
|
||||
public String bad2(HttpServletRequest request) {
|
||||
String resultStr = null;
|
||||
String jsonpCallback = request.getParameter("jsonpCallback");
|
||||
String jsonpCallback = request.getParameter("jsonpCallback"); // $ Source
|
||||
resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")";
|
||||
return resultStr;
|
||||
return resultStr; // $ Alert
|
||||
}
|
||||
|
||||
@GetMapping(value = "jsonp3")
|
||||
@ResponseBody
|
||||
public String bad3(HttpServletRequest request) {
|
||||
String resultStr = null;
|
||||
String jsonpCallback = request.getParameter("jsonpCallback");
|
||||
String jsonpCallback = request.getParameter("jsonpCallback"); // $ Source
|
||||
String jsonStr = getJsonStr(hashMap);
|
||||
resultStr = jsonpCallback + "(" + jsonStr + ")";
|
||||
return resultStr;
|
||||
return resultStr; // $ Alert
|
||||
}
|
||||
|
||||
@GetMapping(value = "jsonp4")
|
||||
@ResponseBody
|
||||
public String bad4(HttpServletRequest request) {
|
||||
String resultStr = null;
|
||||
String jsonpCallback = request.getParameter("jsonpCallback");
|
||||
String jsonpCallback = request.getParameter("jsonpCallback"); // $ Source
|
||||
String restr = JSONObject.toJSONString(hashMap);
|
||||
resultStr = jsonpCallback + "(" + restr + ");";
|
||||
return resultStr;
|
||||
return resultStr; // $ Alert
|
||||
}
|
||||
|
||||
@GetMapping(value = "jsonp5")
|
||||
@ResponseBody
|
||||
public void bad5(HttpServletRequest request,
|
||||
HttpServletResponse response) throws Exception {
|
||||
String jsonpCallback = request.getParameter("jsonpCallback");
|
||||
String jsonpCallback = request.getParameter("jsonpCallback"); // $ Source
|
||||
PrintWriter pw = null;
|
||||
Gson gson = new Gson();
|
||||
String result = gson.toJson(hashMap);
|
||||
String resultStr = null;
|
||||
pw = response.getWriter();
|
||||
resultStr = jsonpCallback + "(" + result + ")";
|
||||
pw.println(resultStr);
|
||||
pw.println(resultStr); // $ Alert
|
||||
}
|
||||
|
||||
@GetMapping(value = "jsonp6")
|
||||
@ResponseBody
|
||||
public void bad6(HttpServletRequest request,
|
||||
HttpServletResponse response) throws Exception {
|
||||
String jsonpCallback = request.getParameter("jsonpCallback");
|
||||
String jsonpCallback = request.getParameter("jsonpCallback"); // $ Source
|
||||
PrintWriter pw = null;
|
||||
ObjectMapper mapper = new ObjectMapper();
|
||||
String result = mapper.writeValueAsString(hashMap);
|
||||
String resultStr = null;
|
||||
pw = response.getWriter();
|
||||
resultStr = jsonpCallback + "(" + result + ")";
|
||||
pw.println(resultStr);
|
||||
pw.println(resultStr); // $ Alert
|
||||
}
|
||||
|
||||
@RequestMapping(value = "jsonp7", method = RequestMethod.GET)
|
||||
@ResponseBody
|
||||
public String bad7(HttpServletRequest request) {
|
||||
String resultStr = null;
|
||||
String jsonpCallback = request.getParameter("jsonpCallback");
|
||||
String jsonpCallback = request.getParameter("jsonpCallback"); // $ Source
|
||||
Gson gson = new Gson();
|
||||
String result = gson.toJson(hashMap);
|
||||
resultStr = jsonpCallback + "(" + result + ")";
|
||||
return resultStr;
|
||||
return resultStr; // $ Alert
|
||||
}
|
||||
|
||||
@RequestMapping(value = "jsonp11")
|
||||
@@ -158,4 +158,4 @@ public class JsonpController {
|
||||
public static String getJsonStr(Object result) {
|
||||
return JSONObject.toJSONString(result);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-352/JsonpInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -15,7 +15,7 @@ public class ThreadResourceAbuse extends HttpServlet {
|
||||
|
||||
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
// BAD: Get thread pause time from request parameter without validation
|
||||
String delayTimeStr = request.getParameter("DelayTime");
|
||||
String delayTimeStr = request.getParameter("DelayTime"); // $ Source[java/thread-resource-abuse]
|
||||
try {
|
||||
int delayTime = Integer.valueOf(delayTimeStr);
|
||||
new UncheckedSyncAction(delayTime).start();
|
||||
@@ -26,7 +26,7 @@ public class ThreadResourceAbuse extends HttpServlet {
|
||||
protected void doGet2(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
// BAD: Get thread pause time from request parameter without validation
|
||||
try {
|
||||
int delayTime = request.getParameter("nodelay") != null ? 0 : Integer.valueOf(request.getParameter("DelayTime"));
|
||||
int delayTime = request.getParameter("nodelay") != null ? 0 : Integer.valueOf(request.getParameter("DelayTime")); // $ Source[java/thread-resource-abuse]
|
||||
new UncheckedSyncAction(delayTime).start();
|
||||
} catch (NumberFormatException e) {
|
||||
}
|
||||
@@ -34,7 +34,7 @@ public class ThreadResourceAbuse extends HttpServlet {
|
||||
|
||||
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
// BAD: Get thread pause time from context init parameter without validation
|
||||
String delayTimeStr = getServletContext().getInitParameter("DelayTime");
|
||||
String delayTimeStr = getServletContext().getInitParameter("DelayTime"); // $ Source[java/local-thread-resource-abuse]
|
||||
try {
|
||||
int delayTime = Integer.valueOf(delayTimeStr);
|
||||
new UncheckedSyncAction(delayTime).start();
|
||||
@@ -71,7 +71,7 @@ public class ThreadResourceAbuse extends HttpServlet {
|
||||
public void run() {
|
||||
// BAD: no boundary check on wait time
|
||||
try {
|
||||
Thread.sleep(waitTime);
|
||||
Thread.sleep(waitTime); // $ Alert[java/thread-resource-abuse] Alert[java/local-thread-resource-abuse]
|
||||
// Do other updates
|
||||
} catch (InterruptedException e) {
|
||||
}
|
||||
@@ -138,10 +138,10 @@ public class ThreadResourceAbuse extends HttpServlet {
|
||||
Cookie cookie = cookies[i];
|
||||
|
||||
if (cookie.getName().equals("DelayTime")) {
|
||||
String delayTimeStr = cookie.getValue();
|
||||
String delayTimeStr = cookie.getValue(); // $ Source[java/thread-resource-abuse]
|
||||
try {
|
||||
int delayTime = Integer.valueOf(delayTimeStr);
|
||||
TimeUnit.MILLISECONDS.sleep(delayTime);
|
||||
TimeUnit.MILLISECONDS.sleep(delayTime); // $ Alert[java/thread-resource-abuse]
|
||||
// Do other updates
|
||||
} catch (NumberFormatException ne) {
|
||||
} catch (InterruptedException ie) {
|
||||
@@ -169,11 +169,11 @@ public class ThreadResourceAbuse extends HttpServlet {
|
||||
|
||||
protected void doHead2(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
// BAD: Get thread pause time from request header without validation
|
||||
String header = request.getHeader("Retry-After");
|
||||
String header = request.getHeader("Retry-After"); // $ Source[java/thread-resource-abuse]
|
||||
int retryAfter = Integer.parseInt(header);
|
||||
|
||||
try {
|
||||
Thread.sleep(retryAfter);
|
||||
Thread.sleep(retryAfter); // $ Alert[java/thread-resource-abuse]
|
||||
} catch (InterruptedException ignore) {
|
||||
// ignore
|
||||
}
|
||||
@@ -203,7 +203,7 @@ public class ThreadResourceAbuse extends HttpServlet {
|
||||
protected void doHead4(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
// BAD: Get thread pause time from request header without validation
|
||||
try {
|
||||
String uploadDelayStr = request.getParameter("delay");
|
||||
String uploadDelayStr = request.getParameter("delay"); // $ Source[java/thread-resource-abuse]
|
||||
int uploadDelay = Integer.parseInt(uploadDelayStr);
|
||||
|
||||
UploadListener listener = new UploadListener(uploadDelay, getContentLength(request));
|
||||
@@ -212,11 +212,11 @@ public class ThreadResourceAbuse extends HttpServlet {
|
||||
|
||||
protected void doHead5(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
// BAD: Get thread pause time from request header with binary multiplication expression and without validation
|
||||
String header = request.getHeader("Retry-After");
|
||||
String header = request.getHeader("Retry-After"); // $ Source[java/thread-resource-abuse]
|
||||
int retryAfter = Integer.parseInt(header);
|
||||
|
||||
try {
|
||||
Thread.sleep(retryAfter * 1000);
|
||||
Thread.sleep(retryAfter * 1000); // $ Alert[java/thread-resource-abuse]
|
||||
} catch (InterruptedException ignore) {
|
||||
// ignore
|
||||
}
|
||||
@@ -224,13 +224,13 @@ public class ThreadResourceAbuse extends HttpServlet {
|
||||
|
||||
protected void doHead6(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
// BAD: Get thread pause time from request header with multiplication assignment operator and without validation
|
||||
String header = request.getHeader("Retry-After");
|
||||
String header = request.getHeader("Retry-After"); // $ Source[java/thread-resource-abuse]
|
||||
int retryAfter = Integer.parseInt(header);
|
||||
|
||||
retryAfter *= 1000;
|
||||
|
||||
try {
|
||||
Thread.sleep(retryAfter);
|
||||
Thread.sleep(retryAfter); // $ Alert[java/thread-resource-abuse]
|
||||
} catch (InterruptedException ignore) {
|
||||
// ignore
|
||||
}
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -32,7 +32,7 @@ public class UploadListener implements ProgressListener, Serializable {
|
||||
// Just a way to slow down the upload process and see the progress bar in fast networks.
|
||||
if (slowUploads > 0 && done < total) {
|
||||
try {
|
||||
Thread.sleep(slowUploads);
|
||||
Thread.sleep(slowUploads); // $ Alert[java/thread-resource-abuse]
|
||||
} catch (Exception e) {
|
||||
}
|
||||
}
|
||||
|
||||
@@ -12,10 +12,10 @@ public class BadClassLoader extends Application {
|
||||
for (PackageInfo p : getPackageManager().getInstalledPackages(0)) {
|
||||
try {
|
||||
if (p.packageName.startsWith("some.package.")) {
|
||||
Context appContext = createPackageContext(p.packageName,
|
||||
CONTEXT_INCLUDE_CODE | CONTEXT_IGNORE_SECURITY);
|
||||
Context appContext = createPackageContext(p.packageName, // $
|
||||
CONTEXT_INCLUDE_CODE | CONTEXT_IGNORE_SECURITY); // $ Source[java/android/unsafe-reflection]
|
||||
ClassLoader classLoader = appContext.getClassLoader();
|
||||
Object result = classLoader.loadClass("some.package.SomeClass")
|
||||
Object result = classLoader.loadClass("some.package.SomeClass") // $ Alert[java/android/unsafe-reflection]
|
||||
.getMethod("someMethod")
|
||||
.invoke(null);
|
||||
}
|
||||
|
||||
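Review bot: The bare `// $` left at the end of `Context appContext = createPackageContext(p.packageName,` carries no tag, while the `Source[java/android/unsafe-reflection]` expectation sits on the continuation line that closes the call. If the conversion emitted the empty marker as a placeholder it should be dropped, because a `$` with no tags reads as a forgotten expectation; if the framework needs a tagless marker on the first line of a multi-line element to anchor the expectation on its last line, a short comment saying so would spare the next reader the same question. The enclosing loop and method continue outside the hunk.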
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-470/LoadClassNoSignatureCheck.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -18,11 +18,11 @@ public class UnsafeReflection {
|
||||
|
||||
@GetMapping(value = "uf1")
|
||||
public void bad1(HttpServletRequest request) {
|
||||
String className = request.getParameter("className");
|
||||
String className = request.getParameter("className"); // $ Source[java/unsafe-reflection]
|
||||
String parameterValue = request.getParameter("parameterValue");
|
||||
try {
|
||||
Class clazz = Class.forName(className);
|
||||
Object object = clazz.getDeclaredConstructors()[0].newInstance(parameterValue); //bad
|
||||
Object object = clazz.getDeclaredConstructors()[0].newInstance(parameterValue); // $ Alert[java/unsafe-reflection] //bad
|
||||
} catch (Exception e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
@@ -30,20 +30,20 @@ public class UnsafeReflection {
|
||||
|
||||
@GetMapping(value = "uf2")
|
||||
public void bad2(HttpServletRequest request) {
|
||||
String className = request.getParameter("className");
|
||||
String className = request.getParameter("className"); // $ Source[java/unsafe-reflection]
|
||||
String parameterValue = request.getParameter("parameterValue");
|
||||
try {
|
||||
ClassLoader classLoader = ClassLoader.getSystemClassLoader();
|
||||
Class clazz = classLoader.loadClass(className);
|
||||
Object object = clazz.newInstance();
|
||||
clazz.getDeclaredMethods()[0].invoke(object, parameterValue); //bad
|
||||
clazz.getDeclaredMethods()[0].invoke(object, parameterValue); // $ Alert[java/unsafe-reflection] //bad
|
||||
} catch (Exception e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
@RequestMapping(value = {"/service/{beanIdOrClassName}/{methodName}"}, method = {RequestMethod.POST}, consumes = {"application/json"}, produces = {"application/json"})
|
||||
public Object bad3(@PathVariable("beanIdOrClassName") String beanIdOrClassName, @PathVariable("methodName") String methodName, @RequestBody Map<String, Object> body) throws Exception {
|
||||
public Object bad3(@PathVariable("beanIdOrClassName") String beanIdOrClassName, @PathVariable("methodName") String methodName, @RequestBody Map<String, Object> body) throws Exception { // $ Source[java/unsafe-reflection]
|
||||
List<Object> rawData = null;
|
||||
try {
|
||||
rawData = (List<Object>)body.get("methodInput");
|
||||
@@ -116,7 +116,7 @@ public class UnsafeReflection {
|
||||
b++;
|
||||
continue;
|
||||
}
|
||||
Object result = method.invoke(bean, data);
|
||||
Object result = method.invoke(bean, data); // $ Alert[java/unsafe-reflection]
|
||||
Map<String, Object> map = new HashMap<>();
|
||||
return map;
|
||||
}
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-470/UnsafeReflection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -52,7 +52,7 @@ public class ServiceBean implements SessionBean {
|
||||
}
|
||||
|
||||
/** Local unit testing code */
|
||||
public static void main(String[] args) throws Exception {
|
||||
public static void main(String[] args) throws Exception { // $ Alert[java/main-method-in-enterprise-bean]
|
||||
ServiceBean b = new ServiceBean();
|
||||
b.doService();
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-489/EJBMain.ql
|
||||
query: experimental/Security/CWE/CWE-489/EJBMain.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -14,7 +14,7 @@ public class ServletContextListenerMain implements ServletContextListener {
|
||||
}
|
||||
|
||||
// BAD - Implement a main method in servlet listener.
|
||||
public static void main(String[] args) {
|
||||
public static void main(String[] args) { // $ Alert[java/main-method-in-web-components]
|
||||
try {
|
||||
URL url = new URL("https://www.example.com");
|
||||
url.openConnection();
|
||||
|
||||
@@ -25,7 +25,7 @@ public class ServletMain implements Servlet {
|
||||
}
|
||||
|
||||
// BAD - Implement a main method in servlet.
|
||||
public static void main(String[] args) throws Exception {
|
||||
public static void main(String[] args) throws Exception { // $ Alert[java/main-method-in-web-components]
|
||||
// Connect to my server
|
||||
URL url = new URL("https://www.example.com");
|
||||
url.openConnection();
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-489/WebComponentMain.ql
|
||||
query: experimental/Security/CWE/CWE-489/WebComponentMain.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -11,7 +11,7 @@ import org.springframework.remoting.rmi.RmiServiceExporter;
|
||||
public class SpringExporterUnsafeDeserialization {
|
||||
|
||||
@Bean(name = "/unsafeRmiServiceExporter")
|
||||
RmiServiceExporter unsafeRmiServiceExporter() {
|
||||
RmiServiceExporter unsafeRmiServiceExporter() { // $ Alert[java/unsafe-deserialization-spring-exporter-in-configuration-class]
|
||||
RmiServiceExporter exporter = new RmiServiceExporter();
|
||||
exporter.setServiceInterface(AccountService.class);
|
||||
exporter.setService(new AccountServiceImpl());
|
||||
@@ -21,7 +21,7 @@ public class SpringExporterUnsafeDeserialization {
|
||||
}
|
||||
|
||||
@Bean(name = "/unsafeHessianServiceExporter")
|
||||
HessianServiceExporter unsafeHessianServiceExporter() {
|
||||
HessianServiceExporter unsafeHessianServiceExporter() { // $ Alert[java/unsafe-deserialization-spring-exporter-in-configuration-class]
|
||||
HessianServiceExporter exporter = new HessianServiceExporter();
|
||||
exporter.setService(new AccountServiceImpl());
|
||||
exporter.setServiceInterface(AccountService.class);
|
||||
@@ -29,7 +29,7 @@ public class SpringExporterUnsafeDeserialization {
|
||||
}
|
||||
|
||||
@Bean(name = "/unsafeHttpInvokerServiceExporter")
|
||||
HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() {
|
||||
HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() { // $ Alert[java/unsafe-deserialization-spring-exporter-in-configuration-class]
|
||||
HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
|
||||
exporter.setService(new AccountServiceImpl());
|
||||
exporter.setServiceInterface(AccountService.class);
|
||||
@@ -37,7 +37,7 @@ public class SpringExporterUnsafeDeserialization {
|
||||
}
|
||||
|
||||
@Bean(name = "/unsafeCustomeRemoteInvocationSerializingExporter")
|
||||
RemoteInvocationSerializingExporter unsafeCustomeRemoteInvocationSerializingExporter() {
|
||||
RemoteInvocationSerializingExporter unsafeCustomeRemoteInvocationSerializingExporter() { // $ Alert[java/unsafe-deserialization-spring-exporter-in-configuration-class]
|
||||
return new CustomeRemoteInvocationSerializingExporter();
|
||||
}
|
||||
|
||||
@@ -53,7 +53,7 @@ public class SpringExporterUnsafeDeserialization {
|
||||
class SpringBootTestApplication {
|
||||
|
||||
@Bean(name = "/unsafeHttpInvokerServiceExporter")
|
||||
HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() {
|
||||
HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() { // $ Alert[java/unsafe-deserialization-spring-exporter-in-configuration-class]
|
||||
HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
|
||||
exporter.setService(new AccountServiceImpl());
|
||||
exporter.setServiceInterface(AccountService.class);
|
||||
@@ -65,7 +65,7 @@ class SpringBootTestApplication {
|
||||
class SpringBootTestConfiguration {
|
||||
|
||||
@Bean(name = "/unsafeHttpInvokerServiceExporter")
|
||||
HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() {
|
||||
HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() { // $ Alert[java/unsafe-deserialization-spring-exporter-in-configuration-class]
|
||||
HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
|
||||
exporter.setService(new AccountServiceImpl());
|
||||
exporter.setServiceInterface(AccountService.class);
|
||||
|
||||
@@ -12,9 +12,9 @@ public class UnsafeDeserializationRmi {
|
||||
// BAD (bind a remote object that has a vulnerable method)
|
||||
public static void testRegistryBindWithObjectParameter() throws Exception {
|
||||
Registry registry = LocateRegistry.createRegistry(1099);
|
||||
registry.bind("unsafe", new UnsafeRemoteObjectImpl());
|
||||
registry.rebind("unsafe", new UnsafeRemoteObjectImpl());
|
||||
registry.rebind("unsafe", UnicastRemoteObject.exportObject(new UnsafeRemoteObjectImpl()));
|
||||
registry.bind("unsafe", new UnsafeRemoteObjectImpl()); // $ Alert[java/unsafe-deserialization-rmi]
|
||||
registry.rebind("unsafe", new UnsafeRemoteObjectImpl()); // $ Alert[java/unsafe-deserialization-rmi]
|
||||
registry.rebind("unsafe", UnicastRemoteObject.exportObject(new UnsafeRemoteObjectImpl())); // $ Alert[java/unsafe-deserialization-rmi]
|
||||
}
|
||||
|
||||
// GOOD (bind a remote object that has methods that takes safe parameters)
|
||||
@@ -26,8 +26,8 @@ public class UnsafeDeserializationRmi {
|
||||
|
||||
// BAD (bind a remote object that has a vulnerable method)
|
||||
public static void testNamingBindWithObjectParameter() throws Exception {
|
||||
Naming.bind("unsafe", new UnsafeRemoteObjectImpl());
|
||||
Naming.rebind("unsafe", new UnsafeRemoteObjectImpl());
|
||||
Naming.bind("unsafe", new UnsafeRemoteObjectImpl()); // $ Alert[java/unsafe-deserialization-rmi]
|
||||
Naming.rebind("unsafe", new UnsafeRemoteObjectImpl()); // $ Alert[java/unsafe-deserialization-rmi]
|
||||
}
|
||||
|
||||
// GOOD (bind a remote object that has methods that takes safe parameters)
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-502/UnsafeSpringExporterInConfigurationClass.ql
|
||||
query: experimental/Security/CWE/CWE-502/UnsafeSpringExporterInConfigurationClass.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-502/UnsafeSpringExporterInXMLConfiguration.ql
|
||||
query: experimental/Security/CWE/CWE-502/UnsafeSpringExporterInXMLConfiguration.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -10,21 +10,21 @@
|
||||
<bean name="/unsafeBooking" class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
|
||||
<property name="service" ref="anotherBookingService"/>
|
||||
<property name="serviceInterface" value="com.gypsyengineer.api.CabBookingService"/>
|
||||
</bean>
|
||||
</bean> <!-- $ Alert[java/unsafe-deserialization-spring-exporter-in-xml-configuration] -->
|
||||
|
||||
<bean class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
|
||||
<property name="service" ref="anotherBookingService"/>
|
||||
<property name="serviceInterface" value="com.gypsyengineer.api.CabBookingService"/>
|
||||
</bean>
|
||||
</bean> <!-- $ Alert[java/unsafe-deserialization-spring-exporter-in-xml-configuration] -->
|
||||
|
||||
<bean class="org.springframework.remoting.rmi.RmiServiceExporter">
|
||||
<property name="service" ref="oneMoreBookingService"/>
|
||||
<property name="serviceInterface" value="com.gypsyengineer.api.CabBookingService"/>
|
||||
<property name="registryPort" value="1199"/>
|
||||
</bean>
|
||||
</bean> <!-- $ Alert[java/unsafe-deserialization-spring-exporter-in-xml-configuration] -->
|
||||
|
||||
<bean class="org.springframework.remoting.caucho.HessianServiceExporter">
|
||||
<property name="service" ref="oneMoreBookingService"/>
|
||||
<property name="serviceInterface" value="com.gypsyengineer.api.CabBookingService"/>
|
||||
</bean>
|
||||
</bean> <!-- $ Alert[java/unsafe-deserialization-spring-exporter-in-xml-configuration] -->
|
||||
</beans>
|
||||
|
||||
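Review bot: The `$ Alert` expectations in this hunk are attached to the closing `</bean>` lines rather than to the `<bean ...>` line that names the exporter class, with nothing saying why. This presumably reflects the reported location spanning the whole element and the inline-expectations framework matching on its last line, but a reader coming from the Java tests, where the tag sits on the statement itself, will look for a missing annotation on the opening tag; a one-line comment at the top of the file such as `<!-- expectations sit on the closing tag: the alert location covers the whole bean element -->` would settle it. The same placement is used in the web.xml and context.xml hunks below.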
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-548/InsecureDirectoryConfig.ql
|
||||
query: experimental/Security/CWE/CWE-548/InsecureDirectoryConfig.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -16,7 +16,7 @@
|
||||
<init-param>
|
||||
<param-name>listings</param-name>
|
||||
<param-value>true</param-value>
|
||||
</init-param>
|
||||
</init-param> <!-- $ Alert -->
|
||||
<load-on-startup>1</load-on-startup>
|
||||
</servlet>
|
||||
|
||||
@@ -26,4 +26,4 @@
|
||||
<url-pattern>/</url-pattern>
|
||||
</servlet-mapping>
|
||||
|
||||
</web-app>
|
||||
</web-app>
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.ql
|
||||
query: experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
<property name="driverClassName" value="com.mysql.jdbc.Driver" />
|
||||
<property name="url" value="jdbc:mysql://www.example.com:3306/test" />
|
||||
<property name="username" value="root" />
|
||||
<property name="password" value="mysecret" />
|
||||
<property name="password" value="mysecret" /> <!-- $ Alert -->
|
||||
<property name="initialSize" value="30" />
|
||||
|
||||
<property name="maxActive" value="500" />
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
maxTotal="100" maxIdle="30" maxWaitMillis="10000"
|
||||
username="root" password="1234"
|
||||
driverClassName="com.mysql.jdbc.Driver"
|
||||
url="jdbc:mysql://www.example1.com:3306/proj"/>
|
||||
url="jdbc:mysql://www.example1.com:3306/proj"/> <!-- $ Alert -->
|
||||
|
||||
<!-- GOOD: Password is encrypted and stored in a password vault -->
|
||||
<Resource name="jdbc/exampleDS2" auth="Container" type="javax.sql.DataSource"
|
||||
@@ -27,4 +27,4 @@
|
||||
username="root" password="Tg2Nn7wUZOQ6Xc+1lenkZTQ9ZDf9a2/RBRiqJBCIX6o="
|
||||
driverClassName="com.mysql.jdbc.Driver"
|
||||
url="jdbc:mysql://www.example4.com:3306/proj"/>
|
||||
</Context>
|
||||
</Context>
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<db-connections>
|
||||
<db-connection name="oracleServerConn" value="server=myoracle.example.com;port=1521;database=testdb;username=root;password=test1234" />
|
||||
<db-connection name="oracleServerConn" value="server=myoracle.example.com;port=1521;database=testdb;username=root;password=test1234" /> <!-- $ Alert -->
|
||||
</db-connections>
|
||||
|
||||
@@ -9,13 +9,13 @@ public class SensitiveGetQuery extends HttpServlet {
|
||||
// BAD - Tests retrieving sensitive information through `request.getParameter()` in a GET request.
|
||||
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
|
||||
String username = request.getParameter("username");
|
||||
String password = request.getParameter("password");
|
||||
String password = request.getParameter("password"); // $ Source
|
||||
|
||||
processUserInfo(username, password);
|
||||
processUserInfo(username, password); // $ Alert
|
||||
}
|
||||
|
||||
void processUserInfo(String username, String password) {
|
||||
System.out.println("username = " + username+"; password "+password);
|
||||
System.out.println("username = " + username+"; password "+password); // $ Alert
|
||||
}
|
||||
|
||||
// GOOD - Tests retrieving sensitive information through `request.getParameter()` in a POST request.
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -9,14 +9,14 @@ import javax.servlet.ServletException;
|
||||
public class SensitiveGetQuery2 extends HttpServlet {
|
||||
// BAD - Tests retrieving sensitive information through `request.getParameterMap()` in a GET request.
|
||||
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
|
||||
Map map = request.getParameterMap();
|
||||
Map map = request.getParameterMap(); // $ Source
|
||||
String username = (String) map.get("username");
|
||||
String password = (String) map.get("password");
|
||||
processUserInfo(username, password);
|
||||
processUserInfo(username, password); // $ Alert
|
||||
}
|
||||
|
||||
void processUserInfo(String username, String password) {
|
||||
System.out.println("username = " + username+"; password "+password);
|
||||
System.out.println("username = " + username+"; password "+password); // $ Alert
|
||||
}
|
||||
|
||||
// GOOD - Tests retrieving sensitive information through `request.getParameterMap()` in a POST request.
|
||||
|
||||
@@ -10,11 +10,11 @@ public class SensitiveGetQuery3 extends HttpServlet {
|
||||
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
|
||||
String username = getRequestParameter(request, "username");
|
||||
String password = getRequestParameter(request, "password");
|
||||
System.out.println("Username="+username+"; password="+password);
|
||||
System.out.println("Username="+username+"; password="+password); // $ Alert
|
||||
}
|
||||
|
||||
String getRequestParameter(HttpServletRequest request, String paramName) {
|
||||
return request.getParameter(paramName);
|
||||
return request.getParameter(paramName); // $ Source
|
||||
}
|
||||
|
||||
// GOOD - Tests retrieving sensitive information through a wrapper call in a POST request.
|
||||
|
||||
@@ -13,11 +13,11 @@ public class SensitiveGetQuery4 extends HttpServlet {
|
||||
String tokenType = getRequestParameter(request, "tokenType");
|
||||
String accessToken = getRequestParameter(request, "accessToken");
|
||||
System.out.println("Username="+username+"; token="+token+"; tokenType="+tokenType);
|
||||
System.out.println("AccessToken="+accessToken);
|
||||
System.out.println("AccessToken="+accessToken); // $ Alert
|
||||
}
|
||||
|
||||
String getRequestParameter(HttpServletRequest request, String paramName) {
|
||||
return request.getParameter(paramName);
|
||||
return request.getParameter(paramName); // $ Source
|
||||
}
|
||||
|
||||
// GOOD - Tests retrieving non-sensitive tokens and sensitive tokens in a POST request.
|
||||
|
||||
@@ -10,11 +10,11 @@ import javax.servlet.ServletException;
|
||||
class UncaughtServletException extends HttpServlet {
|
||||
// BAD - Tests `doGet` without catching exceptions.
|
||||
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
|
||||
String ip = request.getParameter("srcIP");
|
||||
InetAddress addr = InetAddress.getByName(ip); // getByName(String) throws UnknownHostException
|
||||
String ip = request.getParameter("srcIP"); // $ Source
|
||||
InetAddress addr = InetAddress.getByName(ip); // $ Alert // getByName(String) throws UnknownHostException
|
||||
|
||||
String userId = request.getRemoteUser();
|
||||
Integer.parseInt(userId); // Integer.parse(String) throws RuntimeException
|
||||
String userId = request.getRemoteUser(); // $ Source
|
||||
Integer.parseInt(userId); // $ Alert // Integer.parse(String) throws RuntimeException
|
||||
}
|
||||
|
||||
// GOOD - Tests `doPost` with catching exceptions.
|
||||
@@ -51,8 +51,8 @@ class UncaughtServletException extends HttpServlet {
|
||||
// BAD - Tests rethrowing caught exceptions with stack trace.
|
||||
public void doOptions(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
|
||||
try {
|
||||
String ip = request.getParameter("srcIP");
|
||||
InetAddress addr = InetAddress.getByName(ip);
|
||||
String ip = request.getParameter("srcIP"); // $ Source
|
||||
InetAddress addr = InetAddress.getByName(ip); // $ Alert
|
||||
} catch (UnknownHostException uhex) {
|
||||
uhex.printStackTrace();
|
||||
throw uhex;
|
||||
@@ -72,8 +72,8 @@ class UncaughtServletException extends HttpServlet {
|
||||
try {
|
||||
addr = InetAddress.getByName(ip);
|
||||
|
||||
String userId = request.getRemoteUser();
|
||||
Integer.parseInt(userId); // Integer.parse(String) throws RuntimeException
|
||||
String userId = request.getRemoteUser(); // $ Source
|
||||
Integer.parseInt(userId); // $ Alert // Integer.parse(String) throws RuntimeException
|
||||
} catch (UnknownHostException uhex) {
|
||||
throw new UnknownHostException("Got exception "+uhex.getMessage());
|
||||
}
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-600/UncaughtServletException.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -14,53 +14,53 @@ public class SpringUrlRedirect {
|
||||
private final static String VALID_REDIRECT = "http://127.0.0.1";
|
||||
|
||||
@GetMapping("url1")
|
||||
public RedirectView bad1(String redirectUrl, HttpServletResponse response) throws Exception {
|
||||
public RedirectView bad1(String redirectUrl, HttpServletResponse response) throws Exception { // $ Source
|
||||
RedirectView rv = new RedirectView();
|
||||
rv.setUrl(redirectUrl);
|
||||
rv.setUrl(redirectUrl); // $ Alert
|
||||
return rv;
|
||||
}
|
||||
|
||||
@GetMapping("url2")
|
||||
public String bad2(String redirectUrl) {
|
||||
String url = "redirect:" + redirectUrl;
|
||||
public String bad2(String redirectUrl) { // $ Source
|
||||
String url = "redirect:" + redirectUrl; // $ Alert
|
||||
return url;
|
||||
}
|
||||
|
||||
@GetMapping("url3")
|
||||
public RedirectView bad3(String redirectUrl) {
|
||||
RedirectView rv = new RedirectView(redirectUrl);
|
||||
public RedirectView bad3(String redirectUrl) { // $ Source
|
||||
RedirectView rv = new RedirectView(redirectUrl); // $ Alert
|
||||
return rv;
|
||||
}
|
||||
|
||||
@GetMapping("url4")
|
||||
public ModelAndView bad4(String redirectUrl) {
|
||||
return new ModelAndView("redirect:" + redirectUrl);
|
||||
public ModelAndView bad4(String redirectUrl) { // $ Source
|
||||
return new ModelAndView("redirect:" + redirectUrl); // $ Alert
|
||||
}
|
||||
|
||||
@GetMapping("url5")
|
||||
public String bad5(String redirectUrl) {
|
||||
public String bad5(String redirectUrl) { // $ Source
|
||||
StringBuffer stringBuffer = new StringBuffer();
|
||||
stringBuffer.append("redirect:");
|
||||
stringBuffer.append(redirectUrl);
|
||||
stringBuffer.append(redirectUrl); // $ Alert
|
||||
return stringBuffer.toString();
|
||||
}
|
||||
|
||||
@GetMapping("url6")
|
||||
public String bad6(String redirectUrl) {
|
||||
public String bad6(String redirectUrl) { // $ Source
|
||||
StringBuilder stringBuilder = new StringBuilder();
|
||||
stringBuilder.append("redirect:");
|
||||
stringBuilder.append(redirectUrl);
|
||||
stringBuilder.append(redirectUrl); // $ Alert
|
||||
return stringBuilder.toString();
|
||||
}
|
||||
|
||||
@GetMapping("url7")
|
||||
public String bad7(String redirectUrl) {
|
||||
return "redirect:" + String.format("%s/?aaa", redirectUrl);
|
||||
public String bad7(String redirectUrl) { // $ Source
|
||||
return "redirect:" + String.format("%s/?aaa", redirectUrl); // $ Alert
|
||||
}
|
||||
|
||||
@GetMapping("url8")
|
||||
public String bad8(String redirectUrl, String token) {
|
||||
return "redirect:" + String.format(redirectUrl + "?token=%s", token);
|
||||
public String bad8(String redirectUrl, String token) { // $ Source
|
||||
return "redirect:" + String.format(redirectUrl + "?token=%s", token); // $ Alert
|
||||
}
|
||||
|
||||
@GetMapping("url9")
|
||||
@@ -86,49 +86,49 @@ public class SpringUrlRedirect {
|
||||
}
|
||||
|
||||
@GetMapping("url12")
|
||||
public ResponseEntity<Void> bad9(String redirectUrl) {
|
||||
public ResponseEntity<Void> bad9(String redirectUrl) { // $ Source
|
||||
return ResponseEntity.status(HttpStatus.FOUND)
|
||||
.location(URI.create(redirectUrl))
|
||||
.location(URI.create(redirectUrl)) // $ Alert
|
||||
.build();
|
||||
}
|
||||
|
||||
@GetMapping("url13")
|
||||
public ResponseEntity<Void> bad10(String redirectUrl) {
|
||||
public ResponseEntity<Void> bad10(String redirectUrl) { // $ Source
|
||||
HttpHeaders httpHeaders = new HttpHeaders();
|
||||
httpHeaders.setLocation(URI.create(redirectUrl));
|
||||
|
||||
return new ResponseEntity<>(httpHeaders, HttpStatus.SEE_OTHER);
|
||||
return new ResponseEntity<>(httpHeaders, HttpStatus.SEE_OTHER); // $ Alert
|
||||
}
|
||||
|
||||
@GetMapping("url14")
|
||||
public ResponseEntity<Void> bad11(String redirectUrl) {
|
||||
public ResponseEntity<Void> bad11(String redirectUrl) { // $ Source
|
||||
HttpHeaders httpHeaders = new HttpHeaders();
|
||||
httpHeaders.add("Location", redirectUrl);
|
||||
|
||||
return ResponseEntity.status(HttpStatus.SEE_OTHER).headers(httpHeaders).build();
|
||||
return ResponseEntity.status(HttpStatus.SEE_OTHER).headers(httpHeaders).build(); // $ Alert
|
||||
}
|
||||
|
||||
@GetMapping("url15")
|
||||
public ResponseEntity<Void> bad12(String redirectUrl) {
|
||||
public ResponseEntity<Void> bad12(String redirectUrl) { // $ Source
|
||||
HttpHeaders httpHeaders = new HttpHeaders();
|
||||
httpHeaders.add("Location", redirectUrl);
|
||||
|
||||
return new ResponseEntity<>(httpHeaders, HttpStatus.SEE_OTHER);
|
||||
return new ResponseEntity<>(httpHeaders, HttpStatus.SEE_OTHER); // $ Alert
|
||||
}
|
||||
|
||||
@GetMapping("url16")
|
||||
public ResponseEntity bad13(String redirectUrl) {
|
||||
public ResponseEntity bad13(String redirectUrl) { // $ Source
|
||||
HttpHeaders httpHeaders = new HttpHeaders();
|
||||
httpHeaders.add("Location", redirectUrl);
|
||||
|
||||
return new ResponseEntity<>("TestBody", httpHeaders, HttpStatus.SEE_OTHER);
|
||||
return new ResponseEntity<>("TestBody", httpHeaders, HttpStatus.SEE_OTHER); // $ Alert
|
||||
}
|
||||
|
||||
@GetMapping("url17")
|
||||
public ResponseEntity bad14(String redirectUrl) {
|
||||
public ResponseEntity bad14(String redirectUrl) { // $ Source
|
||||
HttpHeaders httpHeaders = new HttpHeaders();
|
||||
httpHeaders.setLocation(URI.create(redirectUrl));
|
||||
|
||||
return new ResponseEntity<>("TestBody", httpHeaders, HttpStatus.SEE_OTHER);
|
||||
return new ResponseEntity<>("TestBody", httpHeaders, HttpStatus.SEE_OTHER); // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -26,10 +26,10 @@ public class DotRegexFilter implements Filter {
|
||||
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
|
||||
HttpServletRequest httpRequest = (HttpServletRequest) request;
|
||||
HttpServletResponse httpResponse = (HttpServletResponse) response;
|
||||
String source = httpRequest.getPathInfo();
|
||||
String source = httpRequest.getPathInfo(); // $ Source
|
||||
|
||||
Pattern p = Pattern.compile(PROTECTED_PATTERN);
|
||||
Matcher m = p.matcher(source);
|
||||
Matcher m = p.matcher(source); // $ Alert
|
||||
|
||||
if (m.matches()) {
|
||||
// Protected page - check access token and redirect to login page
|
||||
@@ -67,4 +67,4 @@ public class DotRegexFilter implements Filter {
|
||||
public void destroy() {
|
||||
// Close resources
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -16,10 +16,10 @@ public class DotRegexServlet extends HttpServlet {
|
||||
// BAD: A string with line return e.g. `/protected/%0dxyz` can bypass the path check
|
||||
protected void doGet(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String source = request.getPathInfo();
|
||||
String source = request.getPathInfo(); // $ Source
|
||||
|
||||
Pattern p = Pattern.compile(PROTECTED_PATTERN);
|
||||
Matcher m = p.matcher(source);
|
||||
Matcher m = p.matcher(source); // $ Alert
|
||||
|
||||
if (m.matches()) {
|
||||
// Protected page - check access token and redirect to login page
|
||||
@@ -54,9 +54,9 @@ public class DotRegexServlet extends HttpServlet {
|
||||
// BAD: A string with line return e.g. `/protected/%0axyz` can bypass the path check
|
||||
protected void doGet3(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String source = request.getRequestURI();
|
||||
String source = request.getRequestURI(); // $ Source
|
||||
|
||||
boolean matches = source.matches(PROTECTED_PATTERN);
|
||||
boolean matches = source.matches(PROTECTED_PATTERN); // $ Alert
|
||||
|
||||
if (matches) {
|
||||
// Protected page - check access token and redirect to login page
|
||||
@@ -72,9 +72,9 @@ public class DotRegexServlet extends HttpServlet {
|
||||
// BAD: A string with line return e.g. `/protected/%0axyz` can bypass the path check
|
||||
protected void doGet4(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String source = request.getPathInfo();
|
||||
String source = request.getPathInfo(); // $ Source
|
||||
|
||||
boolean matches = Pattern.matches(PROTECTED_PATTERN, source);
|
||||
boolean matches = Pattern.matches(PROTECTED_PATTERN, source); // $ Alert
|
||||
|
||||
if (matches) {
|
||||
// Protected page - check access token and redirect to login page
|
||||
@@ -109,10 +109,10 @@ public class DotRegexServlet extends HttpServlet {
|
||||
// BAD: A string with line return e.g. `/protected/%0dxyz` can bypass the path check
|
||||
protected void doGet6(HttpServletRequest request, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
String source = request.getPathInfo();
|
||||
String source = request.getPathInfo(); // $ Source
|
||||
|
||||
Pattern p = Pattern.compile(PROTECTED_PATTERN);
|
||||
Matcher m = p.matcher(source);
|
||||
Matcher m = p.matcher(source); // $ Alert
|
||||
|
||||
if (m.matches()) {
|
||||
// Protected page - check access token and redirect to login page
|
||||
|
||||
@@ -17,10 +17,10 @@ public class DotRegexSpring {
|
||||
|
||||
@GetMapping("param")
|
||||
// BAD: A string with line return e.g. `/protected/%0dxyz` can bypass the path check
|
||||
public String withParam(@RequestParam String path, Model model) throws UnsupportedEncodingException {
|
||||
public String withParam(@RequestParam String path, Model model) throws UnsupportedEncodingException { // $ Source
|
||||
Pattern p = Pattern.compile(PROTECTED_PATTERN);
|
||||
path = decodePath(path);
|
||||
Matcher m = p.matcher(path);
|
||||
Matcher m = p.matcher(path); // $ Alert
|
||||
|
||||
if (m.matches()) {
|
||||
// Protected page - check access token and redirect to login page
|
||||
@@ -34,10 +34,10 @@ public class DotRegexSpring {
|
||||
|
||||
@GetMapping("{path}")
|
||||
// BAD: A string with line return e.g. `%252Fprotected%252F%250dxyz` can bypass the path check
|
||||
public RedirectView withPathVariable1(@PathVariable String path, Model model) throws UnsupportedEncodingException {
|
||||
public RedirectView withPathVariable1(@PathVariable String path, Model model) throws UnsupportedEncodingException { // $ Source
|
||||
Pattern p = Pattern.compile(PROTECTED_PATTERN);
|
||||
path = decodePath(path);
|
||||
Matcher m = p.matcher(path);
|
||||
Matcher m = p.matcher(path); // $ Alert
|
||||
|
||||
if (m.matches()) {
|
||||
// Protected page - check access token and redirect to login page
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-625/PermissiveDotRegex.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -42,13 +42,13 @@ public class XQueryInjection {
|
||||
|
||||
@RequestMapping
|
||||
public void testRequestbad(HttpServletRequest request) throws Exception {
|
||||
String name = request.getParameter("name");
|
||||
String name = request.getParameter("name"); // $ Source
|
||||
XQDataSource ds = new SaxonXQDataSource();
|
||||
XQConnection conn = ds.getConnection();
|
||||
String query = "for $user in doc(\"users.xml\")/Users/User[name='" + name
|
||||
+ "'] return $user/password";
|
||||
XQPreparedExpression xqpe = conn.prepareExpression(query);
|
||||
XQResultSequence result = xqpe.executeQuery();
|
||||
XQResultSequence result = xqpe.executeQuery(); // $ Alert
|
||||
while (result.next()) {
|
||||
System.out.println(result.getItemAsString(null));
|
||||
}
|
||||
@@ -56,13 +56,13 @@ public class XQueryInjection {
|
||||
|
||||
@RequestMapping
|
||||
public void testRequestbad1(HttpServletRequest request) throws Exception {
|
||||
String name = request.getParameter("name");
|
||||
String name = request.getParameter("name"); // $ Source
|
||||
XQDataSource xqds = new SaxonXQDataSource();
|
||||
String query = "for $user in doc(\"users.xml\")/Users/User[name='" + name
|
||||
+ "'] return $user/password";
|
||||
XQConnection conn = xqds.getConnection();
|
||||
XQExpression expr = conn.createExpression();
|
||||
XQResultSequence result = expr.executeQuery(query);
|
||||
XQResultSequence result = expr.executeQuery(query); // $ Alert
|
||||
while (result.next()) {
|
||||
System.out.println(result.getItemAsString(null));
|
||||
}
|
||||
@@ -70,26 +70,26 @@ public class XQueryInjection {
|
||||
|
||||
|
||||
@RequestMapping
|
||||
public void testStringtbad(@RequestParam String nameStr) throws XQException {
|
||||
public void testStringtbad(@RequestParam String nameStr) throws XQException { // $ Source
|
||||
XQDataSource ds = new SaxonXQDataSource();
|
||||
XQConnection conn = ds.getConnection();
|
||||
String query = "for $user in doc(\"users.xml\")/Users/User[name='" + nameStr
|
||||
+ "'] return $user/password";
|
||||
XQPreparedExpression xqpe = conn.prepareExpression(query);
|
||||
XQResultSequence result = xqpe.executeQuery();
|
||||
XQResultSequence result = xqpe.executeQuery(); // $ Alert
|
||||
while (result.next()) {
|
||||
System.out.println(result.getItemAsString(null));
|
||||
}
|
||||
}
|
||||
|
||||
@RequestMapping
|
||||
public void testStringtbad1(@RequestParam String nameStr) throws XQException {
|
||||
public void testStringtbad1(@RequestParam String nameStr) throws XQException { // $ Source
|
||||
XQDataSource xqds = new SaxonXQDataSource();
|
||||
String query = "for $user in doc(\"users.xml\")/Users/User[name='" + nameStr
|
||||
+ "'] return $user/password";
|
||||
XQConnection conn = xqds.getConnection();
|
||||
XQExpression expr = conn.createExpression();
|
||||
XQResultSequence result = expr.executeQuery(query);
|
||||
XQResultSequence result = expr.executeQuery(query); // $ Alert
|
||||
while (result.next()) {
|
||||
System.out.println(result.getItemAsString(null));
|
||||
}
|
||||
@@ -97,11 +97,11 @@ public class XQueryInjection {
|
||||
|
||||
@RequestMapping
|
||||
public void testInputStreambad(HttpServletRequest request) throws Exception {
|
||||
InputStream name = request.getInputStream();
|
||||
InputStream name = request.getInputStream(); // $ Source
|
||||
XQDataSource ds = new SaxonXQDataSource();
|
||||
XQConnection conn = ds.getConnection();
|
||||
XQPreparedExpression xqpe = conn.prepareExpression(name);
|
||||
XQResultSequence result = xqpe.executeQuery();
|
||||
XQResultSequence result = xqpe.executeQuery(); // $ Alert
|
||||
while (result.next()) {
|
||||
System.out.println(result.getItemAsString(null));
|
||||
}
|
||||
@@ -109,11 +109,11 @@ public class XQueryInjection {
|
||||
|
||||
@RequestMapping
|
||||
public void testInputStreambad1(HttpServletRequest request) throws Exception {
|
||||
InputStream name = request.getInputStream();
|
||||
InputStream name = request.getInputStream(); // $ Source
|
||||
XQDataSource xqds = new SaxonXQDataSource();
|
||||
XQConnection conn = xqds.getConnection();
|
||||
XQExpression expr = conn.createExpression();
|
||||
XQResultSequence result = expr.executeQuery(name);
|
||||
XQResultSequence result = expr.executeQuery(name); // $ Alert
|
||||
while (result.next()) {
|
||||
System.out.println(result.getItemAsString(null));
|
||||
}
|
||||
@@ -121,12 +121,12 @@ public class XQueryInjection {
|
||||
|
||||
@RequestMapping
|
||||
public void testReaderbad(HttpServletRequest request) throws Exception {
|
||||
InputStream name = request.getInputStream();
|
||||
InputStream name = request.getInputStream(); // $ Source
|
||||
BufferedReader br = new BufferedReader(new InputStreamReader(name));
|
||||
XQDataSource ds = new SaxonXQDataSource();
|
||||
XQConnection conn = ds.getConnection();
|
||||
XQPreparedExpression xqpe = conn.prepareExpression(br);
|
||||
XQResultSequence result = xqpe.executeQuery();
|
||||
XQResultSequence result = xqpe.executeQuery(); // $ Alert
|
||||
while (result.next()) {
|
||||
System.out.println(result.getItemAsString(null));
|
||||
}
|
||||
@@ -134,12 +134,12 @@ public class XQueryInjection {
|
||||
|
||||
@RequestMapping
|
||||
public void testReaderbad1(HttpServletRequest request) throws Exception {
|
||||
InputStream name = request.getInputStream();
|
||||
InputStream name = request.getInputStream(); // $ Source
|
||||
BufferedReader br = new BufferedReader(new InputStreamReader(name));
|
||||
XQDataSource xqds = new SaxonXQDataSource();
|
||||
XQConnection conn = xqds.getConnection();
|
||||
XQExpression expr = conn.createExpression();
|
||||
XQResultSequence result = expr.executeQuery(br);
|
||||
XQResultSequence result = expr.executeQuery(br); // $ Alert
|
||||
while (result.next()) {
|
||||
System.out.println(result.getItemAsString(null));
|
||||
}
|
||||
@@ -147,16 +147,16 @@ public class XQueryInjection {
|
||||
|
||||
@RequestMapping
|
||||
public void testExecuteCommandbad(HttpServletRequest request) throws Exception {
|
||||
String name = request.getParameter("name");
|
||||
String name = request.getParameter("name"); // $ Source
|
||||
XQDataSource xqds = new SaxonXQDataSource();
|
||||
XQConnection conn = xqds.getConnection();
|
||||
XQExpression expr = conn.createExpression();
|
||||
//bad code
|
||||
expr.executeCommand(name);
|
||||
expr.executeCommand(name); // $ Alert
|
||||
//bad code
|
||||
InputStream is = request.getInputStream();
|
||||
InputStream is = request.getInputStream(); // $ Source
|
||||
BufferedReader br = new BufferedReader(new InputStreamReader(is));
|
||||
expr.executeCommand(br);
|
||||
expr.executeCommand(br); // $ Alert
|
||||
expr.close();
|
||||
}
|
||||
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-652/XQueryInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -9,12 +9,12 @@ public class InsecureRmiJmxEnvironmentConfiguration {
|
||||
|
||||
public void initInsecureJmxDueToNullEnv() throws IOException {
|
||||
// Bad initializing env (arg1) with null
|
||||
JMXConnectorServerFactory.newJMXConnectorServer(null, null, null);
|
||||
JMXConnectorServerFactory.newJMXConnectorServer(null, null, null); // $ Alert
|
||||
}
|
||||
|
||||
public void initInsecureRmiDueToNullEnv() throws IOException {
|
||||
// Bad initializing env (arg1) with null
|
||||
new RMIConnectorServer(null, null, null, null);
|
||||
new RMIConnectorServer(null, null, null, null); // $ Alert
|
||||
}
|
||||
|
||||
public void initInsecureRmiDueToMissingEnvKeyValue() throws IOException {
|
||||
@@ -22,7 +22,7 @@ public class InsecureRmiJmxEnvironmentConfiguration {
|
||||
// "jmx.remote.rmi.server.credential.types"
|
||||
Map<String, Object> env = new HashMap<>();
|
||||
env.put("jmx.remote.x.daemon", "true");
|
||||
new RMIConnectorServer(null, env, null, null);
|
||||
new RMIConnectorServer(null, env, null, null); // $ Alert
|
||||
}
|
||||
|
||||
public void initInsecureJmxDueToMissingEnvKeyValue() throws IOException {
|
||||
@@ -30,7 +30,7 @@ public class InsecureRmiJmxEnvironmentConfiguration {
|
||||
// "jmx.remote.rmi.server.credential.types"
|
||||
Map<String, Object> env = new HashMap<>();
|
||||
env.put("jmx.remote.x.daemon", "true");
|
||||
JMXConnectorServerFactory.newJMXConnectorServer(null, env, null);
|
||||
JMXConnectorServerFactory.newJMXConnectorServer(null, env, null); // $ Alert
|
||||
}
|
||||
|
||||
public void secureJmxConnnectorServer() throws IOException {
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql
|
||||
query: experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -10,8 +10,8 @@ public class NFEAndroidDoS extends Activity {
|
||||
super.onCreate(savedInstanceState);
|
||||
setContentView(-1);
|
||||
|
||||
String minPriceStr = getIntent().getStringExtra("priceMin");
|
||||
double minPrice = Double.parseDouble(minPriceStr);
|
||||
String minPriceStr = getIntent().getStringExtra("priceMin"); // $ Source
|
||||
double minPrice = Double.parseDouble(minPriceStr); // $ Alert
|
||||
}
|
||||
|
||||
// BAD - parse string extra to integer
|
||||
@@ -19,11 +19,11 @@ public class NFEAndroidDoS extends Activity {
|
||||
super.onCreate(savedInstanceState);
|
||||
setContentView(-1);
|
||||
|
||||
String widthStr = getIntent().getStringExtra("width");
|
||||
int width = Integer.parseInt(widthStr);
|
||||
String widthStr = getIntent().getStringExtra("width"); // $ Source
|
||||
int width = Integer.parseInt(widthStr); // $ Alert
|
||||
|
||||
String heightStr = getIntent().getStringExtra("height");
|
||||
int height = Integer.parseInt(heightStr);
|
||||
String heightStr = getIntent().getStringExtra("height"); // $ Source
|
||||
int height = Integer.parseInt(heightStr); // $ Alert
|
||||
}
|
||||
|
||||
// GOOD - parse int extra to integer
|
||||
@@ -40,11 +40,11 @@ public class NFEAndroidDoS extends Activity {
|
||||
super.onCreate(savedInstanceState);
|
||||
setContentView(-1);
|
||||
|
||||
String minPriceStr = getIntent().getStringExtra("priceMin");
|
||||
double minPrice = new Double(minPriceStr);
|
||||
String minPriceStr = getIntent().getStringExtra("priceMin"); // $ Source
|
||||
double minPrice = new Double(minPriceStr); // $ Alert
|
||||
|
||||
String maxPriceStr = getIntent().getStringExtra("priceMax");
|
||||
double maxPrice = Double.valueOf(minPriceStr);
|
||||
double maxPrice = Double.valueOf(minPriceStr); // $ Alert
|
||||
}
|
||||
|
||||
// GOOD - parse string extra to double with caught NFE
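Review bot: `double maxPrice = Double.valueOf(minPriceStr); // $ Alert` parses `minPriceStr` a second time, so `maxPriceStr`, read from the `"priceMax"` extra on the line just above it, is never used and correctly gets no `$ Source` tag; that reads like a copy-paste slip in the test rather than a deliberate case, and converting to inline expectations now pins that slip as the expected result. If the method is meant to exercise the `priceMax` flow, change the sink to `double maxPrice = Double.valueOf(maxPriceStr); // $ Alert` and tag the read `String maxPriceStr = getIntent().getStringExtra("priceMax"); // $ Source`; if the repeated parse is intentional, a one-line comment saying so would stop the next reader from "fixing" it. The enclosing method's signature lies before the start of this hunk.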
|
||||
@@ -83,4 +83,4 @@ public class NFEAndroidDoS extends Activity {
|
||||
|
||||
double priceMin = IntentUtils.getDoubleExtra(this, "priceMin");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||