mirror of
https://github.com/github/codeql.git
synced 2026-04-21 23:14:03 +02:00
Merge branch 'main' into ts52
This commit is contained in:
erik-krogh
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Only the 2 level indirection of `argv` (corresponding to `**argv`) is consided for `FlowSource`.
|
||||
@@ -53,7 +53,7 @@ private class ArgvSource extends LocalFlowSource {
|
||||
exists(Function main, Parameter argv |
|
||||
main.hasGlobalName("main") and
|
||||
main.getParameter(1) = argv and
|
||||
this.asParameter(_) = argv
|
||||
this.asParameter(2) = argv
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Some queries that had repeated results corresponding to different levels of indirection for `argv` now only have a single result.
|
||||
@@ -40,7 +40,7 @@ module WordexpTaintConfig implements DataFlow::ConfigSig {
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(FunctionCall fc | fc.getTarget() instanceof WordexpFunction |
|
||||
fc.getArgument(0) = sink.asExpr() and
|
||||
fc.getArgument(0) = sink.asIndirectArgument(1) and
|
||||
not isCommandSubstitutionDisabled(fc)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -1,16 +1,8 @@
|
||||
edges
|
||||
| test.cpp:22:27:22:30 | argv | test.cpp:29:13:29:20 | filePath |
|
||||
| test.cpp:22:27:22:30 | argv | test.cpp:29:13:29:20 | filePath |
|
||||
| test.cpp:22:27:22:30 | argv indirection | test.cpp:29:13:29:20 | filePath |
|
||||
| test.cpp:22:27:22:30 | argv indirection | test.cpp:29:13:29:20 | filePath |
|
||||
| test.cpp:22:27:22:30 | argv indirection | test.cpp:29:13:29:20 | filePath indirection |
|
||||
nodes
|
||||
| test.cpp:22:27:22:30 | argv | semmle.label | argv |
|
||||
| test.cpp:22:27:22:30 | argv indirection | semmle.label | argv indirection |
|
||||
| test.cpp:29:13:29:20 | filePath | semmle.label | filePath |
|
||||
| test.cpp:29:13:29:20 | filePath | semmle.label | filePath |
|
||||
| test.cpp:29:13:29:20 | filePath indirection | semmle.label | filePath indirection |
|
||||
subpaths
|
||||
#select
|
||||
| test.cpp:29:13:29:20 | filePath | test.cpp:22:27:22:30 | argv | test.cpp:29:13:29:20 | filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
|
||||
| test.cpp:29:13:29:20 | filePath | test.cpp:22:27:22:30 | argv | test.cpp:29:13:29:20 | filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
|
||||
| test.cpp:29:13:29:20 | filePath | test.cpp:22:27:22:30 | argv indirection | test.cpp:29:13:29:20 | filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
|
||||
| test.cpp:29:13:29:20 | filePath | test.cpp:22:27:22:30 | argv indirection | test.cpp:29:13:29:20 | filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
|
||||
| test.cpp:29:13:29:20 | filePath indirection | test.cpp:22:27:22:30 | argv indirection | test.cpp:29:13:29:20 | filePath indirection | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
|
||||
|
||||
@@ -1,16 +1,10 @@
|
||||
edges
|
||||
| test.c:8:27:8:30 | argv | test.c:17:11:17:18 | fileName indirection |
|
||||
| test.c:8:27:8:30 | argv indirection | test.c:17:11:17:18 | fileName indirection |
|
||||
| test.c:8:27:8:30 | argv indirection | test.c:17:11:17:18 | fileName indirection |
|
||||
| test.c:8:27:8:30 | argv indirection | test.c:32:11:32:18 | fileName indirection |
|
||||
| test.c:8:27:8:30 | argv indirection | test.c:32:11:32:18 | fileName indirection |
|
||||
| test.c:8:27:8:30 | argv indirection | test.c:57:10:57:16 | access to array indirection |
|
||||
| test.c:8:27:8:30 | argv indirection | test.c:57:10:57:16 | access to array indirection |
|
||||
| test.c:37:17:37:24 | scanf output argument | test.c:38:11:38:18 | fileName indirection |
|
||||
| test.c:43:17:43:24 | scanf output argument | test.c:44:11:44:18 | fileName indirection |
|
||||
nodes
|
||||
| test.c:8:27:8:30 | argv | semmle.label | argv |
|
||||
| test.c:8:27:8:30 | argv indirection | semmle.label | argv indirection |
|
||||
| test.c:8:27:8:30 | argv indirection | semmle.label | argv indirection |
|
||||
| test.c:17:11:17:18 | fileName indirection | semmle.label | fileName indirection |
|
||||
| test.c:32:11:32:18 | fileName indirection | semmle.label | fileName indirection |
|
||||
@@ -21,12 +15,8 @@ nodes
|
||||
| test.c:57:10:57:16 | access to array indirection | semmle.label | access to array indirection |
|
||||
subpaths
|
||||
#select
|
||||
| test.c:17:11:17:18 | fileName | test.c:8:27:8:30 | argv | test.c:17:11:17:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:8:27:8:30 | argv | user input (a command-line argument) |
|
||||
| test.c:17:11:17:18 | fileName | test.c:8:27:8:30 | argv indirection | test.c:17:11:17:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:8:27:8:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.c:17:11:17:18 | fileName | test.c:8:27:8:30 | argv indirection | test.c:17:11:17:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:8:27:8:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.c:32:11:32:18 | fileName | test.c:8:27:8:30 | argv indirection | test.c:32:11:32:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:8:27:8:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.c:32:11:32:18 | fileName | test.c:8:27:8:30 | argv indirection | test.c:32:11:32:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:8:27:8:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.c:38:11:38:18 | fileName | test.c:37:17:37:24 | scanf output argument | test.c:38:11:38:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:37:17:37:24 | scanf output argument | user input (value read by scanf) |
|
||||
| test.c:44:11:44:18 | fileName | test.c:43:17:43:24 | scanf output argument | test.c:44:11:44:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:43:17:43:24 | scanf output argument | user input (value read by scanf) |
|
||||
| test.c:57:10:57:16 | access to array | test.c:8:27:8:30 | argv indirection | test.c:57:10:57:16 | access to array indirection | This argument to a file access function is derived from $@ and then passed to read(fileName), which calls fopen(filename). | test.c:8:27:8:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.c:57:10:57:16 | access to array | test.c:8:27:8:30 | argv indirection | test.c:57:10:57:16 | access to array indirection | This argument to a file access function is derived from $@ and then passed to read(fileName), which calls fopen(filename). | test.c:8:27:8:30 | argv indirection | user input (a command-line argument) |
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
edges
|
||||
| test.cpp:15:27:15:30 | argv indirection | test.cpp:22:45:22:52 | userName indirection |
|
||||
| test.cpp:15:27:15:30 | argv indirection | test.cpp:22:45:22:52 | userName indirection |
|
||||
| test.cpp:22:13:22:20 | sprintf output argument | test.cpp:23:12:23:19 | command1 indirection |
|
||||
| test.cpp:22:45:22:52 | userName indirection | test.cpp:22:13:22:20 | sprintf output argument |
|
||||
| test.cpp:47:21:47:26 | call to getenv indirection | test.cpp:50:35:50:43 | envCflags indirection |
|
||||
@@ -71,7 +70,6 @@ edges
|
||||
| test.cpp:220:19:220:26 | filename indirection | test.cpp:220:19:220:26 | filename indirection |
|
||||
nodes
|
||||
| test.cpp:15:27:15:30 | argv indirection | semmle.label | argv indirection |
|
||||
| test.cpp:15:27:15:30 | argv indirection | semmle.label | argv indirection |
|
||||
| test.cpp:22:13:22:20 | sprintf output argument | semmle.label | sprintf output argument |
|
||||
| test.cpp:22:45:22:52 | userName indirection | semmle.label | userName indirection |
|
||||
| test.cpp:23:12:23:19 | command1 indirection | semmle.label | command1 indirection |
|
||||
@@ -154,7 +152,6 @@ subpaths
|
||||
| test.cpp:196:26:196:33 | filename indirection | test.cpp:186:47:186:54 | filename indirection | test.cpp:188:11:188:17 | strncat output argument | test.cpp:196:10:196:16 | concat output argument |
|
||||
#select
|
||||
| test.cpp:23:12:23:19 | command1 | test.cpp:15:27:15:30 | argv indirection | test.cpp:23:12:23:19 | command1 indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:15:27:15:30 | argv indirection | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument |
|
||||
| test.cpp:23:12:23:19 | command1 | test.cpp:15:27:15:30 | argv indirection | test.cpp:23:12:23:19 | command1 indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:15:27:15:30 | argv indirection | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument |
|
||||
| test.cpp:51:10:51:16 | command | test.cpp:47:21:47:26 | call to getenv indirection | test.cpp:51:10:51:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:47:21:47:26 | call to getenv indirection | user input (an environment variable) | test.cpp:50:11:50:17 | sprintf output argument | sprintf output argument |
|
||||
| test.cpp:65:10:65:16 | command | test.cpp:62:9:62:16 | fread output argument | test.cpp:65:10:65:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:62:9:62:16 | fread output argument | user input (string read by fread) | test.cpp:64:11:64:17 | strncat output argument | strncat output argument |
|
||||
| test.cpp:85:32:85:38 | command | test.cpp:82:9:82:16 | fread output argument | test.cpp:85:32:85:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:82:9:82:16 | fread output argument | user input (string read by fread) | test.cpp:84:11:84:17 | strncat output argument | strncat output argument |
|
||||
|
||||
@@ -1,27 +1,12 @@
|
||||
edges
|
||||
| test.c:14:27:14:30 | argv | test.c:21:18:21:23 | query1 indirection |
|
||||
| test.c:14:27:14:30 | argv indirection | test.c:21:18:21:23 | query1 indirection |
|
||||
| test.c:14:27:14:30 | argv indirection | test.c:21:18:21:23 | query1 indirection |
|
||||
| test.cpp:39:27:39:30 | argv | test.cpp:43:27:43:33 | access to array |
|
||||
| test.cpp:39:27:39:30 | argv indirection | test.cpp:43:27:43:33 | access to array |
|
||||
| test.cpp:39:27:39:30 | argv indirection | test.cpp:43:27:43:33 | access to array indirection |
|
||||
| test.cpp:39:27:39:30 | argv indirection | test.cpp:43:27:43:33 | access to array indirection |
|
||||
nodes
|
||||
| test.c:14:27:14:30 | argv | semmle.label | argv |
|
||||
| test.c:14:27:14:30 | argv indirection | semmle.label | argv indirection |
|
||||
| test.c:14:27:14:30 | argv indirection | semmle.label | argv indirection |
|
||||
| test.c:21:18:21:23 | query1 indirection | semmle.label | query1 indirection |
|
||||
| test.cpp:39:27:39:30 | argv | semmle.label | argv |
|
||||
| test.cpp:39:27:39:30 | argv indirection | semmle.label | argv indirection |
|
||||
| test.cpp:39:27:39:30 | argv indirection | semmle.label | argv indirection |
|
||||
| test.cpp:43:27:43:33 | access to array | semmle.label | access to array |
|
||||
| test.cpp:43:27:43:33 | access to array indirection | semmle.label | access to array indirection |
|
||||
subpaths
|
||||
#select
|
||||
| test.c:21:18:21:23 | query1 | test.c:14:27:14:30 | argv | test.c:21:18:21:23 | query1 indirection | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | argv | user input (a command-line argument) |
|
||||
| test.c:21:18:21:23 | query1 | test.c:14:27:14:30 | argv indirection | test.c:21:18:21:23 | query1 indirection | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.c:21:18:21:23 | query1 | test.c:14:27:14:30 | argv indirection | test.c:21:18:21:23 | query1 indirection | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.cpp:43:27:43:33 | access to array | test.cpp:39:27:39:30 | argv | test.cpp:43:27:43:33 | access to array | This argument to a SQL query function is derived from $@ and then passed to pqxx::work::exec1((unnamed parameter 0)). | test.cpp:39:27:39:30 | argv | user input (a command-line argument) |
|
||||
| test.cpp:43:27:43:33 | access to array | test.cpp:39:27:39:30 | argv indirection | test.cpp:43:27:43:33 | access to array | This argument to a SQL query function is derived from $@ and then passed to pqxx::work::exec1((unnamed parameter 0)). | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.cpp:43:27:43:33 | access to array | test.cpp:39:27:39:30 | argv indirection | test.cpp:43:27:43:33 | access to array indirection | This argument to a SQL query function is derived from $@ and then passed to pqxx::work::exec1((unnamed parameter 0)). | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.cpp:43:27:43:33 | access to array | test.cpp:39:27:39:30 | argv indirection | test.cpp:43:27:43:33 | access to array indirection | This argument to a SQL query function is derived from $@ and then passed to pqxx::work::exec1((unnamed parameter 0)). | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
||||
|
||||
@@ -1,10 +1,6 @@
|
||||
edges
|
||||
| main.cpp:6:27:6:30 | argv indirection | main.cpp:7:33:7:36 | argv indirection |
|
||||
| main.cpp:6:27:6:30 | argv indirection | main.cpp:7:33:7:36 | argv indirection |
|
||||
| main.cpp:7:33:7:36 | argv indirection | overflowdestination.cpp:23:45:23:48 | argv indirection |
|
||||
| main.cpp:7:33:7:36 | argv indirection | overflowdestination.cpp:23:45:23:48 | argv indirection |
|
||||
| overflowdestination.cpp:23:45:23:48 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection |
|
||||
| overflowdestination.cpp:23:45:23:48 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection |
|
||||
| overflowdestination.cpp:23:45:23:48 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection |
|
||||
| overflowdestination.cpp:23:45:23:48 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection |
|
||||
| overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | src indirection |
|
||||
@@ -24,10 +20,7 @@ edges
|
||||
| overflowdestination.cpp:76:30:76:32 | src indirection | overflowdestination.cpp:57:52:57:54 | src indirection |
|
||||
nodes
|
||||
| main.cpp:6:27:6:30 | argv indirection | semmle.label | argv indirection |
|
||||
| main.cpp:6:27:6:30 | argv indirection | semmle.label | argv indirection |
|
||||
| main.cpp:7:33:7:36 | argv indirection | semmle.label | argv indirection |
|
||||
| main.cpp:7:33:7:36 | argv indirection | semmle.label | argv indirection |
|
||||
| overflowdestination.cpp:23:45:23:48 | argv indirection | semmle.label | argv indirection |
|
||||
| overflowdestination.cpp:23:45:23:48 | argv indirection | semmle.label | argv indirection |
|
||||
| overflowdestination.cpp:30:17:30:20 | arg1 indirection | semmle.label | arg1 indirection |
|
||||
| overflowdestination.cpp:30:17:30:20 | arg1 indirection | semmle.label | arg1 indirection |
|
||||
@@ -51,8 +44,6 @@ subpaths
|
||||
#select
|
||||
| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
|
||||
| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
|
||||
| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
|
||||
| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
|
||||
| overflowdestination.cpp:46:2:46:7 | call to memcpy | overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | src indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
|
||||
| overflowdestination.cpp:53:2:53:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:53:15:53:17 | src indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
|
||||
| overflowdestination.cpp:53:2:53:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:53:15:53:17 | src indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
|
||||
|
||||
@@ -1,12 +1,6 @@
|
||||
edges
|
||||
| test1.c:7:26:7:29 | argv | test1.c:9:9:9:9 | i |
|
||||
| test1.c:7:26:7:29 | argv | test1.c:11:9:11:9 | i |
|
||||
| test1.c:7:26:7:29 | argv | test1.c:13:9:13:9 | i |
|
||||
| test1.c:7:26:7:29 | argv indirection | test1.c:9:9:9:9 | i |
|
||||
| test1.c:7:26:7:29 | argv indirection | test1.c:9:9:9:9 | i |
|
||||
| test1.c:7:26:7:29 | argv indirection | test1.c:11:9:11:9 | i |
|
||||
| test1.c:7:26:7:29 | argv indirection | test1.c:11:9:11:9 | i |
|
||||
| test1.c:7:26:7:29 | argv indirection | test1.c:13:9:13:9 | i |
|
||||
| test1.c:7:26:7:29 | argv indirection | test1.c:13:9:13:9 | i |
|
||||
| test1.c:9:9:9:9 | i | test1.c:16:16:16:16 | i |
|
||||
| test1.c:11:9:11:9 | i | test1.c:32:16:32:16 | i |
|
||||
@@ -15,8 +9,6 @@ edges
|
||||
| test1.c:32:16:32:16 | i | test1.c:33:11:33:11 | i |
|
||||
| test1.c:48:16:48:16 | i | test1.c:53:15:53:15 | j |
|
||||
nodes
|
||||
| test1.c:7:26:7:29 | argv | semmle.label | argv |
|
||||
| test1.c:7:26:7:29 | argv indirection | semmle.label | argv indirection |
|
||||
| test1.c:7:26:7:29 | argv indirection | semmle.label | argv indirection |
|
||||
| test1.c:9:9:9:9 | i | semmle.label | i |
|
||||
| test1.c:11:9:11:9 | i | semmle.label | i |
|
||||
@@ -29,12 +21,6 @@ nodes
|
||||
| test1.c:53:15:53:15 | j | semmle.label | j |
|
||||
subpaths
|
||||
#select
|
||||
| test1.c:18:16:18:16 | i | test1.c:7:26:7:29 | argv | test1.c:18:16:18:16 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv | a command-line argument |
|
||||
| test1.c:18:16:18:16 | i | test1.c:7:26:7:29 | argv indirection | test1.c:18:16:18:16 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
|
||||
| test1.c:18:16:18:16 | i | test1.c:7:26:7:29 | argv indirection | test1.c:18:16:18:16 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
|
||||
| test1.c:33:11:33:11 | i | test1.c:7:26:7:29 | argv | test1.c:33:11:33:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv | a command-line argument |
|
||||
| test1.c:33:11:33:11 | i | test1.c:7:26:7:29 | argv indirection | test1.c:33:11:33:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
|
||||
| test1.c:33:11:33:11 | i | test1.c:7:26:7:29 | argv indirection | test1.c:33:11:33:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
|
||||
| test1.c:53:15:53:15 | j | test1.c:7:26:7:29 | argv | test1.c:53:15:53:15 | j | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv | a command-line argument |
|
||||
| test1.c:53:15:53:15 | j | test1.c:7:26:7:29 | argv indirection | test1.c:53:15:53:15 | j | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
|
||||
| test1.c:53:15:53:15 | j | test1.c:7:26:7:29 | argv indirection | test1.c:53:15:53:15 | j | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | argv indirection | a command-line argument |
|
||||
|
||||
@@ -1,21 +1,9 @@
|
||||
edges
|
||||
| test.cpp:39:27:39:30 | argv | test.cpp:43:38:43:44 | tainted |
|
||||
| test.cpp:39:27:39:30 | argv | test.cpp:44:38:44:63 | ... * ... |
|
||||
| test.cpp:39:27:39:30 | argv | test.cpp:46:38:46:63 | ... + ... |
|
||||
| test.cpp:39:27:39:30 | argv | test.cpp:49:32:49:35 | size |
|
||||
| test.cpp:39:27:39:30 | argv | test.cpp:50:26:50:29 | size |
|
||||
| test.cpp:39:27:39:30 | argv | test.cpp:53:35:53:60 | ... * ... |
|
||||
| test.cpp:39:27:39:30 | argv indirection | test.cpp:43:38:43:44 | tainted |
|
||||
| test.cpp:39:27:39:30 | argv indirection | test.cpp:43:38:43:44 | tainted |
|
||||
| test.cpp:39:27:39:30 | argv indirection | test.cpp:44:38:44:63 | ... * ... |
|
||||
| test.cpp:39:27:39:30 | argv indirection | test.cpp:44:38:44:63 | ... * ... |
|
||||
| test.cpp:39:27:39:30 | argv indirection | test.cpp:46:38:46:63 | ... + ... |
|
||||
| test.cpp:39:27:39:30 | argv indirection | test.cpp:46:38:46:63 | ... + ... |
|
||||
| test.cpp:39:27:39:30 | argv indirection | test.cpp:49:32:49:35 | size |
|
||||
| test.cpp:39:27:39:30 | argv indirection | test.cpp:49:32:49:35 | size |
|
||||
| test.cpp:39:27:39:30 | argv indirection | test.cpp:50:26:50:29 | size |
|
||||
| test.cpp:39:27:39:30 | argv indirection | test.cpp:50:26:50:29 | size |
|
||||
| test.cpp:39:27:39:30 | argv indirection | test.cpp:53:35:53:60 | ... * ... |
|
||||
| test.cpp:39:27:39:30 | argv indirection | test.cpp:53:35:53:60 | ... * ... |
|
||||
| test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... |
|
||||
| test.cpp:124:18:124:31 | call to getenv indirection | test.cpp:128:24:128:41 | ... * ... |
|
||||
@@ -47,8 +35,6 @@ edges
|
||||
| test.cpp:353:18:353:31 | call to getenv indirection | test.cpp:355:35:355:38 | size |
|
||||
| test.cpp:353:18:353:31 | call to getenv indirection | test.cpp:356:35:356:38 | size |
|
||||
nodes
|
||||
| test.cpp:39:27:39:30 | argv | semmle.label | argv |
|
||||
| test.cpp:39:27:39:30 | argv indirection | semmle.label | argv indirection |
|
||||
| test.cpp:39:27:39:30 | argv indirection | semmle.label | argv indirection |
|
||||
| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
|
||||
| test.cpp:44:38:44:63 | ... * ... | semmle.label | ... * ... |
|
||||
@@ -92,23 +78,11 @@ nodes
|
||||
| test.cpp:356:35:356:38 | size | semmle.label | size |
|
||||
subpaths
|
||||
#select
|
||||
| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:27:39:30 | argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv | user input (a command-line argument) |
|
||||
| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.cpp:44:31:44:36 | call to malloc | test.cpp:39:27:39:30 | argv | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv | user input (a command-line argument) |
|
||||
| test.cpp:44:31:44:36 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.cpp:44:31:44:36 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.cpp:46:31:46:36 | call to malloc | test.cpp:39:27:39:30 | argv | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv | user input (a command-line argument) |
|
||||
| test.cpp:46:31:46:36 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.cpp:46:31:46:36 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.cpp:49:25:49:30 | call to malloc | test.cpp:39:27:39:30 | argv | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv | user input (a command-line argument) |
|
||||
| test.cpp:49:25:49:30 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.cpp:49:25:49:30 | call to malloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.cpp:50:17:50:30 | new[] | test.cpp:39:27:39:30 | argv | test.cpp:50:26:50:29 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv | user input (a command-line argument) |
|
||||
| test.cpp:50:17:50:30 | new[] | test.cpp:39:27:39:30 | argv indirection | test.cpp:50:26:50:29 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.cpp:50:17:50:30 | new[] | test.cpp:39:27:39:30 | argv indirection | test.cpp:50:26:50:29 | size | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.cpp:53:21:53:27 | call to realloc | test.cpp:39:27:39:30 | argv | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv | user input (a command-line argument) |
|
||||
| test.cpp:53:21:53:27 | call to realloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.cpp:53:21:53:27 | call to realloc | test.cpp:39:27:39:30 | argv indirection | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:124:18:124:23 | call to getenv | user input (an environment variable) |
|
||||
| test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:31 | call to getenv indirection | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and might overflow. | test.cpp:124:18:124:31 | call to getenv indirection | user input (an environment variable) |
|
||||
|
||||
@@ -1,12 +1,9 @@
|
||||
edges
|
||||
| test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection |
|
||||
| test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection |
|
||||
| test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection |
|
||||
| test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection |
|
||||
nodes
|
||||
| test2.cpp:110:3:110:6 | call to gets indirection | semmle.label | call to gets indirection |
|
||||
| test.cpp:53:27:53:30 | argv indirection | semmle.label | argv indirection |
|
||||
| test.cpp:53:27:53:30 | argv indirection | semmle.label | argv indirection |
|
||||
| test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
|
||||
| test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
|
||||
subpaths
|
||||
@@ -14,5 +11,3 @@ subpaths
|
||||
| test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | call to gets indirection | test2.cpp:110:3:110:6 | call to gets indirection | This write into buffer 'password' may contain unencrypted data from $@. | test2.cpp:110:3:110:6 | call to gets indirection | user input (string read by gets) |
|
||||
| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |
|
||||
| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |
|
||||
|
||||
@@ -59,10 +59,13 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
// The OrderBy is used to ensure that we by default select the highest version number.
|
||||
foreach (var info in assemblyInfoByFileName.Values
|
||||
.OrderBy(info => info.Name)
|
||||
.ThenBy(info => info.NetCoreVersion ?? emptyVersion)
|
||||
.ThenBy(info => info.Version ?? emptyVersion))
|
||||
{
|
||||
foreach (var index in info.IndexStrings)
|
||||
{
|
||||
assemblyInfoById[index] = info;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -5,13 +5,15 @@ using System.Linq;
|
||||
using System.Reflection;
|
||||
using System.Security.Cryptography;
|
||||
using System.Text;
|
||||
using System.Reflection.Metadata;
|
||||
using System.Text.RegularExpressions;
|
||||
|
||||
namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
{
|
||||
/// <summary>
|
||||
/// Stores information about an assembly file (DLL).
|
||||
/// </summary>
|
||||
internal sealed class AssemblyInfo
|
||||
internal sealed partial class AssemblyInfo
|
||||
{
|
||||
/// <summary>
|
||||
/// The file containing the assembly.
|
||||
@@ -28,6 +30,17 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
/// </summary>
|
||||
public System.Version? Version { get; }
|
||||
|
||||
/// <summary>
|
||||
/// The version number of the .NET Core framework that this assembly targets.
|
||||
///
|
||||
/// This is extracted from the `TargetFrameworkAttribute` of the assembly, e.g.
|
||||
/// ```
|
||||
/// [assembly:TargetFramework(".NETCoreApp,Version=v7.0")]
|
||||
/// ```
|
||||
/// yields version 7.0.
|
||||
/// </summary>
|
||||
public Version? NetCoreVersion { get; }
|
||||
|
||||
/// <summary>
|
||||
/// The public key token of the assembly.
|
||||
/// </summary>
|
||||
@@ -97,13 +110,14 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
Filename = filename;
|
||||
}
|
||||
|
||||
private AssemblyInfo(string filename, string name, Version version, string culture, string publicKeyToken)
|
||||
private AssemblyInfo(string filename, string name, Version version, string culture, string publicKeyToken, Version? netCoreVersion)
|
||||
{
|
||||
Filename = filename;
|
||||
Name = name;
|
||||
Version = version;
|
||||
Culture = culture;
|
||||
PublicKeyToken = publicKeyToken;
|
||||
NetCoreVersion = netCoreVersion;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
@@ -150,7 +164,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
var metadata = pereader.GetMetadata();
|
||||
unsafe
|
||||
{
|
||||
var reader = new System.Reflection.Metadata.MetadataReader(metadata.Pointer, metadata.Length);
|
||||
var reader = new MetadataReader(metadata.Pointer, metadata.Length);
|
||||
var def = reader.GetAssemblyDefinition();
|
||||
|
||||
// This is how you compute the public key token from the full public key.
|
||||
@@ -162,7 +176,39 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
publicKeyString.AppendFormat("{0:x2}", b);
|
||||
|
||||
var culture = def.Culture.IsNil ? "neutral" : reader.GetString(def.Culture);
|
||||
return new AssemblyInfo(filename, reader.GetString(def.Name), def.Version, culture, publicKeyString.ToString());
|
||||
Version? netCoreVersion = null;
|
||||
|
||||
foreach (var attrHandle in def.GetCustomAttributes().Select(reader.GetCustomAttribute))
|
||||
{
|
||||
var ctorHandle = attrHandle.Constructor;
|
||||
if (ctorHandle.Kind != HandleKind.MemberReference)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
var mHandle = reader.GetMemberReference((MemberReferenceHandle)ctorHandle).Parent;
|
||||
if (mHandle.Kind != HandleKind.TypeReference)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
var name = reader.GetString(reader.GetTypeReference((TypeReferenceHandle)mHandle).Name);
|
||||
|
||||
if (name is "TargetFrameworkAttribute")
|
||||
{
|
||||
var decoded = attrHandle.DecodeValue(new DummyAttributeDecoder());
|
||||
if (
|
||||
decoded.FixedArguments.Length > 0 &&
|
||||
decoded.FixedArguments[0].Value is string value &&
|
||||
NetCoreAppRegex().Match(value).Groups.TryGetValue("version", out var match))
|
||||
{
|
||||
netCoreVersion = new Version(match.Value);
|
||||
}
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
return new AssemblyInfo(filename, reader.GetString(def.Name), def.Version, culture, publicKeyString.ToString(), netCoreVersion);
|
||||
}
|
||||
}
|
||||
catch (BadImageFormatException)
|
||||
@@ -176,5 +222,33 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
|
||||
throw new AssemblyLoadException();
|
||||
}
|
||||
|
||||
[GeneratedRegex(@"^\.NETCoreApp,Version=v(?<version>\d+\.\d+)$", RegexOptions.IgnoreCase | RegexOptions.Compiled | RegexOptions.Singleline)]
|
||||
private static partial Regex NetCoreAppRegex();
|
||||
|
||||
private class DummyAttributeDecoder : ICustomAttributeTypeProvider<int>
|
||||
{
|
||||
public int GetPrimitiveType(PrimitiveTypeCode typeCode) => 0;
|
||||
|
||||
public int GetSystemType() => throw new NotImplementedException();
|
||||
|
||||
public int GetSZArrayType(int elementType) =>
|
||||
throw new NotImplementedException();
|
||||
|
||||
public int GetTypeFromDefinition(MetadataReader reader, TypeDefinitionHandle handle, byte rawTypeKind) =>
|
||||
throw new NotImplementedException();
|
||||
|
||||
public int GetTypeFromReference(MetadataReader reader, TypeReferenceHandle handle, byte rawTypeKind) =>
|
||||
throw new NotImplementedException();
|
||||
|
||||
public int GetTypeFromSerializedName(string name) =>
|
||||
throw new NotImplementedException();
|
||||
|
||||
public PrimitiveTypeCode GetUnderlyingEnumType(int type) =>
|
||||
throw new NotImplementedException();
|
||||
|
||||
public bool IsSystemType(int type) => throw new NotImplementedException();
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -59,13 +59,14 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
this.progressMonitor.FindingFiles(srcDir);
|
||||
|
||||
packageDirectory = new TemporaryDirectory(ComputeTempDirectory(sourceDir.FullName));
|
||||
|
||||
this.fileContent = new FileContent(progressMonitor, () => GetFiles("*.*"));
|
||||
this.allSources = GetFiles("*.cs").ToList();
|
||||
var allProjects = GetFiles("*.csproj");
|
||||
var allFiles = GetAllFiles().ToList();
|
||||
var smallFiles = allFiles.SelectSmallFiles(progressMonitor).SelectFileNames();
|
||||
this.fileContent = new FileContent(progressMonitor, smallFiles);
|
||||
this.allSources = allFiles.SelectFileNamesByExtension(".cs").ToList();
|
||||
var allProjects = allFiles.SelectFileNamesByExtension(".csproj");
|
||||
var solutions = options.SolutionFile is not null
|
||||
? new[] { options.SolutionFile }
|
||||
: GetFiles("*.sln");
|
||||
: allFiles.SelectFileNamesByExtension(".sln");
|
||||
|
||||
var dllDirNames = options.DllDirs.Select(Path.GetFullPath).ToList();
|
||||
|
||||
@@ -107,7 +108,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
{
|
||||
Restore(solutions);
|
||||
Restore(allProjects);
|
||||
DownloadMissingPackages();
|
||||
DownloadMissingPackages(allFiles);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -122,12 +123,12 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
ResolveConflicts();
|
||||
|
||||
// Output the findings
|
||||
foreach (var r in usedReferences.Keys)
|
||||
foreach (var r in usedReferences.Keys.OrderBy(r => r))
|
||||
{
|
||||
progressMonitor.ResolvedReference(r);
|
||||
}
|
||||
|
||||
foreach (var r in unresolvedReferences)
|
||||
foreach (var r in unresolvedReferences.OrderBy(r => r.Key))
|
||||
{
|
||||
progressMonitor.UnresolvedReference(r.Key, r.Value);
|
||||
}
|
||||
@@ -136,7 +137,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
if (bool.TryParse(webViewExtractionOption, out var shouldExtractWebViews) &&
|
||||
shouldExtractWebViews)
|
||||
{
|
||||
GenerateSourceFilesFromWebViews();
|
||||
GenerateSourceFilesFromWebViews(allFiles);
|
||||
}
|
||||
|
||||
progressMonitor.Summary(
|
||||
@@ -151,13 +152,11 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
DateTime.Now - startTime);
|
||||
}
|
||||
|
||||
private void GenerateSourceFilesFromWebViews()
|
||||
private void GenerateSourceFilesFromWebViews(List<FileInfo> allFiles)
|
||||
{
|
||||
progressMonitor.LogInfo($"Generating source files from cshtml and razor files.");
|
||||
|
||||
var views = GetFiles("*.cshtml")
|
||||
.Concat(GetFiles("*.razor"))
|
||||
.ToArray();
|
||||
var views = allFiles.SelectFileNamesByExtension(".cshtml", ".razor").ToArray();
|
||||
|
||||
if (views.Length > 0)
|
||||
{
|
||||
@@ -185,15 +184,9 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
|
||||
public DependencyManager(string srcDir) : this(srcDir, DependencyOptions.Default, new ConsoleLogger(Verbosity.Info)) { }
|
||||
|
||||
private IEnumerable<string> GetFiles(string pattern, bool recurseSubdirectories = true) =>
|
||||
sourceDir.GetFiles(pattern, new EnumerationOptions
|
||||
{
|
||||
RecurseSubdirectories = recurseSubdirectories,
|
||||
MatchCasing = MatchCasing.CaseInsensitive
|
||||
})
|
||||
.Where(d => d.Extension != ".dll")
|
||||
.Select(d => d.FullName)
|
||||
.Where(d => !options.ExcludesFile(d));
|
||||
private IEnumerable<FileInfo> GetAllFiles() =>
|
||||
sourceDir.GetFiles("*.*", new EnumerationOptions { RecurseSubdirectories = true })
|
||||
.Where(d => d.Extension != ".dll" && !options.ExcludesFile(d.FullName));
|
||||
|
||||
/// <summary>
|
||||
/// Computes a unique temp directory for the packages associated
|
||||
@@ -232,7 +225,8 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
}
|
||||
}
|
||||
|
||||
sortedReferences = sortedReferences.OrderBy(r => r.Version).ToList();
|
||||
var emptyVersion = new Version(0, 0);
|
||||
sortedReferences = sortedReferences.OrderBy(r => r.NetCoreVersion ?? emptyVersion).ThenBy(r => r.Version ?? emptyVersion).ToList();
|
||||
|
||||
var finalAssemblyList = new Dictionary<string, AssemblyInfo>();
|
||||
|
||||
@@ -253,9 +247,9 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
foreach (var r in sortedReferences)
|
||||
{
|
||||
var resolvedInfo = finalAssemblyList[r.Name];
|
||||
if (resolvedInfo.Version != r.Version)
|
||||
if (resolvedInfo.Version != r.Version || resolvedInfo.NetCoreVersion != r.NetCoreVersion)
|
||||
{
|
||||
progressMonitor.ResolvedConflict(r.Id, resolvedInfo.Id);
|
||||
progressMonitor.ResolvedConflict(r.Id, resolvedInfo.Id + resolvedInfo.NetCoreVersion is null ? "" : $" (.NET Core {resolvedInfo.NetCoreVersion})");
|
||||
++conflictedReferences;
|
||||
}
|
||||
}
|
||||
@@ -373,14 +367,17 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
}
|
||||
}
|
||||
|
||||
private void DownloadMissingPackages()
|
||||
private void DownloadMissingPackages(List<FileInfo> allFiles)
|
||||
{
|
||||
var nugetConfigs = GetFiles("nuget.config", recurseSubdirectories: true).ToArray();
|
||||
var nugetConfigs = allFiles.SelectFileNamesByName("nuget.config").ToArray();
|
||||
string? nugetConfig = null;
|
||||
if (nugetConfigs.Length > 1)
|
||||
{
|
||||
progressMonitor.MultipleNugetConfig(nugetConfigs);
|
||||
nugetConfig = GetFiles("nuget.config", recurseSubdirectories: false).FirstOrDefault();
|
||||
nugetConfig = allFiles
|
||||
.SelectRootFiles(sourceDir)
|
||||
.SelectFileNamesByName("nuget.config")
|
||||
.FirstOrDefault();
|
||||
if (nugetConfig == null)
|
||||
{
|
||||
progressMonitor.NoTopLevelNugetConfig();
|
||||
@@ -392,8 +389,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
}
|
||||
|
||||
var alreadyDownloadedPackages = Directory.GetDirectories(packageDirectory.DirInfo.FullName)
|
||||
.Select(d => Path.GetFileName(d)
|
||||
.ToLowerInvariant());
|
||||
.Select(d => Path.GetFileName(d).ToLowerInvariant());
|
||||
var notYetDownloadedPackages = fileContent.AllPackages.Except(alreadyDownloadedPackages);
|
||||
foreach (var package in notYetDownloadedPackages)
|
||||
{
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using System.Linq;
|
||||
using System.Text.RegularExpressions;
|
||||
using Semmle.Util;
|
||||
|
||||
@@ -18,7 +17,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
{
|
||||
private readonly ProgressMonitor progressMonitor;
|
||||
private readonly IUnsafeFileReader unsafeFileReader;
|
||||
private readonly Func<IEnumerable<string>> getFiles;
|
||||
private readonly IEnumerable<string> files;
|
||||
private readonly HashSet<string> allPackages = new HashSet<string>();
|
||||
private readonly Initializer initialize;
|
||||
|
||||
@@ -50,17 +49,17 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
}
|
||||
|
||||
internal FileContent(ProgressMonitor progressMonitor,
|
||||
Func<IEnumerable<string>> getFiles,
|
||||
IEnumerable<string> files,
|
||||
IUnsafeFileReader unsafeFileReader)
|
||||
{
|
||||
this.progressMonitor = progressMonitor;
|
||||
this.getFiles = getFiles;
|
||||
this.files = files;
|
||||
this.unsafeFileReader = unsafeFileReader;
|
||||
this.initialize = new Initializer(DoInitialize);
|
||||
}
|
||||
|
||||
|
||||
public FileContent(ProgressMonitor progressMonitor, Func<IEnumerable<string>> getFiles) : this(progressMonitor, getFiles, new UnsafeFileReader())
|
||||
public FileContent(ProgressMonitor progressMonitor, IEnumerable<string> files) : this(progressMonitor, files, new UnsafeFileReader())
|
||||
{ }
|
||||
|
||||
private static string GetGroup(ReadOnlySpan<char> input, ValueMatch valueMatch, string groupPrefix)
|
||||
@@ -95,7 +94,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
|
||||
private void DoInitialize()
|
||||
{
|
||||
foreach (var file in getFiles())
|
||||
foreach (var file in files)
|
||||
{
|
||||
try
|
||||
{
|
||||
|
||||
@@ -0,0 +1,39 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using System.Linq;
|
||||
|
||||
namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
{
|
||||
public static class FileInfoExtensions
|
||||
{
|
||||
private static IEnumerable<string> SelectFilesAux(this IEnumerable<FileInfo> files, Predicate<FileInfo> p) =>
|
||||
files.Where(f => p(f)).Select(fi => fi.FullName);
|
||||
|
||||
public static IEnumerable<FileInfo> SelectRootFiles(this IEnumerable<FileInfo> files, DirectoryInfo dir) =>
|
||||
files.Where(file => file.DirectoryName == dir.FullName);
|
||||
|
||||
internal static IEnumerable<FileInfo> SelectSmallFiles(this IEnumerable<FileInfo> files, ProgressMonitor progressMonitor)
|
||||
{
|
||||
const int oneMb = 1_048_576;
|
||||
return files.Where(file =>
|
||||
{
|
||||
if (file.Length > oneMb)
|
||||
{
|
||||
progressMonitor.LogDebug($"Skipping {file.FullName} because it is bigger than 1MB.");
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
});
|
||||
}
|
||||
|
||||
public static IEnumerable<string> SelectFileNamesByExtension(this IEnumerable<FileInfo> files, params string[] extensions) =>
|
||||
files.SelectFilesAux(fi => extensions.Contains(fi.Extension));
|
||||
|
||||
public static IEnumerable<string> SelectFileNamesByName(this IEnumerable<FileInfo> files, params string[] names) =>
|
||||
files.SelectFilesAux(fi => names.Any(name => string.Compare(name, fi.Name, true) == 0));
|
||||
|
||||
public static IEnumerable<string> SelectFileNames(this IEnumerable<FileInfo> files) =>
|
||||
files.SelectFilesAux(_ => true);
|
||||
}
|
||||
}
|
||||
@@ -18,7 +18,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
|
||||
public void LogInfo(string message) =>
|
||||
logger.Log(Severity.Info, message);
|
||||
|
||||
private void LogDebug(string message) =>
|
||||
public void LogDebug(string message) =>
|
||||
logger.Log(Severity.Debug, message);
|
||||
|
||||
private void LogError(string message) =>
|
||||
|
||||
@@ -35,7 +35,7 @@ namespace Semmle.Extraction.Tests
|
||||
internal class TestFileContent : FileContent
|
||||
{
|
||||
public TestFileContent(List<string> lines) : base(new ProgressMonitor(new LoggerStub()),
|
||||
() => new List<string>() { "test1.cs" },
|
||||
new List<string>() { "test1.cs" },
|
||||
new UnsafeFileReaderStub(lines))
|
||||
{ }
|
||||
}
|
||||
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 278 KiB After Width: | Height: | Size: 58 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 72 KiB After Width: | Height: | Size: 73 KiB |
@@ -20,7 +20,7 @@
|
||||
Java,"Java 7 to 20 [4]_","javac (OpenJDK and Oracle JDK),
|
||||
|
||||
Eclipse compiler for Java (ECJ) [5]_",``.java``
|
||||
Kotlin [6]_,"Kotlin 1.5.0 to 1.9.0","kotlinc",``.kt``
|
||||
Kotlin [6]_,"Kotlin 1.5.0 to 1.9.10","kotlinc",``.kt``
|
||||
JavaScript,ECMAScript 2022 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhtm``, ``.xhtml``, ``.vue``, ``.hbs``, ``.ejs``, ``.njk``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [7]_"
|
||||
Python [8]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11",Not applicable,``.py``
|
||||
Ruby [9]_,"up to 3.2",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"
|
||||
|
||||
@@ -49,11 +49,13 @@ io.netty.handler.ssl,4,,,,,,,,,,,,,,,,,,,4,,,,,,,,,,,,,,,,,,,,,
|
||||
io.netty.handler.stream,1,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,
|
||||
io.netty.resolver,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
io.netty.util,2,,23,,,,,,,,,,,,,,,,,1,,,,,,,,,1,,,,,,,,,,,21,2
|
||||
jakarta.activation,2,,2,,,,,,,,,,,,,,,,,1,,,,,,,,,1,,,,,,,,,,,2,
|
||||
jakarta.faces.context,2,7,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,7,,
|
||||
jakarta.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23
|
||||
jakarta.ws.rs.client,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,
|
||||
jakarta.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,
|
||||
jakarta.ws.rs.core,2,,149,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,94,55
|
||||
jakarta.xml.bind.attachment,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,
|
||||
java.awt,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3
|
||||
java.beans,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
java.io,50,,46,,,22,,,,,,,,,,,,,,28,,,,,,,,,,,,,,,,,,,,44,2
|
||||
@@ -63,6 +65,7 @@ java.nio,49,,36,,,5,,,,,,,,,,,,,,43,,,,,,,,,1,,,,,,,,,,,36,
|
||||
java.sql,13,,2,,,,,,,,,,,,,,,,,,,,,,,,,,4,,9,,,,,,,,,2,
|
||||
java.util,45,,487,,,1,,,,,,,,,,,34,,,,,,,5,2,,1,2,,,,,,,,,,,,45,442
|
||||
javafx.scene.web,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,
|
||||
javax.activation,2,,7,,,,,,,,,,,,,,,,,1,,,,,,,,,1,,,,,,,,,,,7,
|
||||
javax.faces.context,2,7,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,7,,
|
||||
javax.imageio.stream,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
javax.jms,,9,57,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,57,
|
||||
@@ -77,6 +80,7 @@ javax.validation,1,1,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,
|
||||
javax.ws.rs.client,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,
|
||||
javax.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,
|
||||
javax.ws.rs.core,3,,149,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,2,,,,,,94,55
|
||||
javax.xml.bind.attachment,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,
|
||||
javax.xml.transform,2,,6,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,1,,,,6,
|
||||
javax.xml.xpath,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,,
|
||||
jenkins,,,446,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,423,23
|
||||
|
||||
|
@@ -19,9 +19,9 @@ Java framework & library support
|
||||
JBoss Logging,``org.jboss.logging``,,,324,,,,,,
|
||||
`JSON-java <https://github.com/stleary/JSON-java>`_,``org.json``,,236,,,,,,,
|
||||
Java Standard Library,``java.*``,3,691,201,76,,9,,,18
|
||||
Java extensions,"``javax.*``, ``jakarta.*``",63,672,36,2,4,,1,1,2
|
||||
Java extensions,"``javax.*``, ``jakarta.*``",67,681,40,4,4,,1,1,4
|
||||
Kotlin Standard Library,``kotlin*``,,1849,16,14,,,,,2
|
||||
`Spring <https://spring.io/>`_,``org.springframework.*``,29,483,115,4,,28,14,,35
|
||||
Others,"``actions.osgi``, ``antlr``, ``cn.hutool.core.codec``, ``com.alibaba.druid.sql``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.google.gson``, ``com.hubspot.jinjava``, ``com.jcraft.jsch``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2``, ``com.rabbitmq.client``, ``com.thoughtworks.xstream``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.text``, ``groovy.util``, ``hudson``, ``io.jsonwebtoken``, ``io.netty.bootstrap``, ``io.netty.buffer``, ``io.netty.channel``, ``io.netty.handler.codec``, ``io.netty.handler.ssl``, ``io.netty.handler.stream``, ``io.netty.resolver``, ``io.netty.util``, ``javafx.scene.web``, ``jenkins``, ``jodd.json``, ``net.sf.json``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.acegisecurity``, ``org.antlr.runtime``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.exec``, ``org.apache.commons.httpclient.util``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.lang``, ``org.apache.commons.logging``, ``org.apache.commons.net``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.fs``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hc.client5.http.async.methods``, ``org.apache.hc.client5.http.classic.methods``, ``org.apache.hc.client5.http.fluent``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.log4j``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.struts.beanvalidation.validation.interceptor``, ``org.apache.struts2``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.cargo.container.installer``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.eclipse.jetty.client``, ``org.fusesource.leveldbjni``, ``org.geogebra.web.full.main``, ``org.gradle.api.file``, ``org.hibernate``, ``org.influxdb``, ``org.jdbi.v3.core``, ``org.jenkins.ui.icon``, ``org.jenkins.ui.symbol``, ``org.jooq``, ``org.kohsuke.stapler``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.owasp.esapi``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``org.yaml.snakeyaml``, ``play.libs.ws``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``",126,10084,656,89,6,18,18,,200
|
||||
Totals,,283,18456,2144,286,16,122,33,1,391
|
||||
Totals,,287,18465,2148,288,16,122,33,1,393
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
{
|
||||
"markdownMessage": "The Kotlin version installed (`999.999.999`) is too recent for this version of CodeQL. Install a version lower than 1.9.10.",
|
||||
"markdownMessage": "The Kotlin version installed (`999.999.999`) is too recent for this version of CodeQL. Install a version lower than 1.9.20.",
|
||||
"severity": "error",
|
||||
"source": {
|
||||
"extractorName": "java",
|
||||
|
||||
4
java/ql/lib/change-notes/2023-08-24-kotlin-1.9.10.md
Normal file
4
java/ql/lib/change-notes/2023-08-24-kotlin-1.9.10.md
Normal file
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Kotlin versions up to 1.9.10 are now supported.
|
||||
File diff suppressed because it is too large
Load Diff
@@ -19,10 +19,10 @@ extensions:
|
||||
- ["org.kohsuke.stapler.export", "DataWriter", true, "value", "(String)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.export", "ExportConfig", true, "getClassAttribute", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.export", "ExportConfig", true, "getExportInterceptor", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.export", "ExportConfig", true, "withClassAttribute", "(ClassAttributeBehaviour)", "", "Argument[this]", "ReturnValue", "value", "df-generated"]
|
||||
- ["org.kohsuke.stapler.export", "ExportConfig", true, "withClassAttribute", "(ClassAttributeBehaviour)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.export", "ExportConfig", true, "withExportInterceptor", "(ExportInterceptor)", "", "Argument[this]", "ReturnValue", "value", "df-generated"]
|
||||
- ["org.kohsuke.stapler.export", "ExportConfig", true, "withClassAttribute", "(ClassAttributeBehaviour)", "", "Argument[this]", "ReturnValue", "value", "df-generated"]
|
||||
- ["org.kohsuke.stapler.export", "ExportConfig", true, "withExportInterceptor", "(ExportInterceptor)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.export", "ExportConfig", true, "withExportInterceptor", "(ExportInterceptor)", "", "Argument[this]", "ReturnValue", "value", "df-generated"]
|
||||
- ["org.kohsuke.stapler.export", "ExportConfig", true, "withFlavor", "(Flavor)", "", "Argument[this]", "ReturnValue", "value", "df-generated"]
|
||||
- ["org.kohsuke.stapler.export", "ExportConfig", true, "withPrettyPrint", "(boolean)", "", "Argument[this]", "ReturnValue", "value", "df-generated"]
|
||||
- ["org.kohsuke.stapler.export", "ExportConfig", true, "withSkipIfFail", "(boolean)", "", "Argument[this]", "ReturnValue", "value", "df-generated"]
|
||||
@@ -62,9 +62,9 @@ extensions:
|
||||
- ["org.kohsuke.stapler.framework.adjunct", "AdjunctManager", true, "AdjunctManager", "(ServletContext,ClassLoader,String,long)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework.adjunct", "AdjunctManager", true, "AdjunctManager", "(ServletContext,ClassLoader,String,long)", "", "Argument[2]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework.adjunct", "AdjunctManager", true, "doDynamic", "(StaplerRequest,StaplerResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework.adjunct", "AdjunctManager", true, "get", "(String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework.adjunct", "AdjunctManager", true, "get", "(String)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework.adjunct", "AdjunctManager", true, "get", "(String)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework.adjunct", "AdjunctManager", true, "get", "(String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework.adjunct", "AdjunctsInPage", true, "assumeIncluded", "(Collection)", "", "Argument[0].Element", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework.adjunct", "AdjunctsInPage", true, "assumeIncluded", "(String[])", "", "Argument[0].ArrayElement", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework.adjunct", "AdjunctsInPage", true, "generate", "(XMLOutput,String[])", "", "Argument[1].ArrayElement", "Argument[this]", "taint", "df-generated"]
|
||||
@@ -82,6 +82,7 @@ extensions:
|
||||
- ["org.kohsuke.stapler.framework.io", "CharSpool", false, "writeTo", "(Writer)", "", "Argument[this]", "Argument[0]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework.io", "IOException2", true, "IOException2", "(String)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework.io", "IOException2", true, "IOException2", "(String,Throwable)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework.io", "IOException2", true, "IOException2", "(Throwable)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework.io", "WriterOutputStream", true, "WriterOutputStream", "(Writer)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework.io", "WriterOutputStream", true, "WriterOutputStream", "(Writer,Charset)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework", "AbstractWebAppMain", true, "getInitializer", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
@@ -97,12 +98,14 @@ extensions:
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "GroovyClassTearOff", false, "GroovyClassTearOff", "(MetaClass)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "GroovyClassTearOff", false, "createDispatcher", "(Object,String)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "GroovyClassTearOff", false, "createDispatcher", "(Object,String)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "GroovyClassTearOff", false, "createDispatcher", "(Object,String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "GroovyClosureScript", true, "getDelegate", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "GroovyClosureScript", true, "setDelegate", "(GroovyObject)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "GroovyServerPageScript", true, "getOut", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "GroovyServerPageTearOff", true, "GroovyServerPageTearOff", "(MetaClass)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "GroovyServerPageTearOff", true, "createDispatcher", "(Object,String)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "GroovyServerPageTearOff", true, "createDispatcher", "(Object,String)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "GroovyServerPageTearOff", true, "createDispatcher", "(Object,String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "JellyBuilder", false, "JellyBuilder", "(JellyContext,XMLOutput)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "JellyBuilder", false, "JellyBuilder", "(JellyContext,XMLOutput)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "JellyBuilder", false, "getBuilder", "()", "", "Argument[this]", "ReturnValue", "value", "df-generated"]
|
||||
@@ -112,15 +115,15 @@ extensions:
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "JellyBuilder", false, "getResponse", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "JellyBuilder", false, "getRootURL", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "JellyBuilder", false, "jelly", "(Class)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "JellyBuilder", false, "namespace", "(String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "JellyBuilder", false, "namespace", "(String)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "JellyBuilder", false, "namespace", "(String,String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "JellyBuilder", false, "namespace", "(String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "JellyBuilder", false, "namespace", "(String,String)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "JellyBuilder", false, "namespace", "(String,String)", "", "Argument[1]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "JellyBuilder", false, "res", "(Object,String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "JellyBuilder", false, "namespace", "(String,String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "JellyBuilder", false, "res", "(Object,String)", "", "Argument[1]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "JellyBuilder", false, "setOutput", "(XMLOutput)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "JellyBuilder", false, "res", "(Object,String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "JellyBuilder", false, "setOutput", "(XMLOutput)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "JellyBuilder", false, "setOutput", "(XMLOutput)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "JellyBuilder", false, "with", "(XMLOutput,Closure)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "StaplerClosureScript", true, "gettext", "(String)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly.groovy", "StaplerClosureScript", true, "gettext", "(String,Object[])", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
|
||||
@@ -150,10 +153,12 @@ extensions:
|
||||
- ["org.kohsuke.stapler.jelly", "InternationalizedStringExpression", true, "getArguments", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly", "IsUserInRoleTag", true, "setRole", "(String)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly", "JellyClassLoaderTearOff", true, "JellyClassLoaderTearOff", "(MetaClassLoader)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly", "JellyClassLoaderTearOff", true, "getTagLibrary", "(String)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly", "JellyClassTearOff", true, "JellyClassTearOff", "(MetaClass)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly", "JellyClassTearOff", true, "createDispatcher", "(Object,String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly", "JellyClassTearOff", true, "createDispatcher", "(Object,String)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly", "JellyClassTearOff", true, "createDispatcher", "(Object,String)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly", "JellyClassTearOff", true, "createDispatcher", "(Object,String)", "", "Argument[1]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly", "JellyClassTearOff", true, "createDispatcher", "(Object,String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly", "JellyRequestDispatcher", false, "JellyRequestDispatcher", "(Object,Script)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly", "JellyRequestDispatcher", false, "JellyRequestDispatcher", "(Object,Script)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly", "JellyViewScript", false, "JellyViewScript", "(Class,URL,Script)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
|
||||
@@ -179,6 +184,7 @@ extensions:
|
||||
- ["org.kohsuke.stapler.jelly", "ThisTagLibrary", true, "ThisTagLibrary", "(Expression)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.json", "JsonHttpResponse", true, "JsonHttpResponse", "(JSONObject)", "", "Argument[0].Element", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.json", "JsonHttpResponse", true, "JsonHttpResponse", "(JSONObject,int)", "", "Argument[0].Element", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.json", "JsonHttpResponse", true, "JsonHttpResponse", "(Throwable,int)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.lang", "Klass", false, "Klass", "(Object,KlassNavigator)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.lang", "Klass", false, "Klass", "(Object,KlassNavigator)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler.lang", "Klass", false, "getArrayElement", "(Object,int)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
|
||||
@@ -201,22 +207,25 @@ extensions:
|
||||
- ["org.kohsuke.stapler", "Ancestor", true, "getRestOfUrl", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Ancestor", true, "getUrl", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "AttributeKey", true, "AttributeKey", "(String)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "CachingScriptLoader", true, "findScript", "(String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "CachingScriptLoader", true, "findScript", "(String)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "CachingScriptLoader", true, "findScript", "(String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "EvaluationTrace", true, "trace", "(StaplerResponse,String)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Facet", true, "buildIndexDispatchers", "(MetaClass,List)", "", "Argument[this]", "Argument[1].Element", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Facet", true, "buildIndexDispatchers", "(MetaClass,List)", "", "Argument[0]", "Argument[1].Element", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Facet", true, "buildIndexDispatchers", "(MetaClass,List)", "", "Argument[this]", "Argument[1].Element", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Facet", true, "buildViewDispatchers", "(MetaClass,List)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Facet", true, "createRequestDispatcher", "(RequestImpl,Class,Object,String)", "", "Argument[2]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Facet", true, "createRequestDispatcher", "(RequestImpl,Klass,Object,String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Facet", true, "createRequestDispatcher", "(RequestImpl,Class,Object,String)", "", "Argument[3]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Facet", true, "createRequestDispatcher", "(RequestImpl,Class,Object,String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Facet", true, "createRequestDispatcher", "(RequestImpl,Klass,Object,String)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Facet", true, "createRequestDispatcher", "(RequestImpl,Klass,Object,String)", "", "Argument[2]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Facet", true, "createRequestDispatcher", "(RequestImpl,Klass,Object,String)", "", "Argument[3]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Facet", true, "createRequestDispatcher", "(RequestImpl,Klass,Object,String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "ForwardToView", true, "optional", "()", "", "Argument[this]", "ReturnValue", "value", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "ForwardToView", true, "with", "(Map)", "", "Argument[this]", "ReturnValue", "value", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "ForwardToView", true, "with", "(Map)", "", "Argument[0].Element", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "ForwardToView", true, "with", "(String,Object)", "", "Argument[this]", "ReturnValue", "value", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "ForwardToView", true, "with", "(Map)", "", "Argument[this]", "ReturnValue", "value", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "ForwardToView", true, "with", "(String,Object)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "ForwardToView", true, "with", "(String,Object)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "ForwardToView", true, "with", "(String,Object)", "", "Argument[this]", "ReturnValue", "value", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "ForwardingFunction", true, "ForwardingFunction", "(Function)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Function$InstanceFunction", true, "InstanceFunction", "(Method)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Function", true, "contextualize", "(Object)", "", "Argument[this]", "ReturnValue", "value", "df-generated"]
|
||||
@@ -228,8 +237,8 @@ extensions:
|
||||
- ["org.kohsuke.stapler", "FunctionList", false, "prefix", "(String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "FunctionList", false, "signature", "(Class[])", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "FunctionList", false, "signatureStartsWith", "(Class[])", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "FunctionList", false, "union", "(FunctionList)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "FunctionList", false, "union", "(FunctionList)", "", "Argument[0].Element", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "FunctionList", false, "union", "(FunctionList)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "FunctionList", false, "webMethodsLegacy", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "HttpRedirect", false, "HttpRedirect", "(String)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "HttpRedirect", false, "HttpRedirect", "(int,String)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
|
||||
@@ -257,6 +266,7 @@ extensions:
|
||||
- ["org.kohsuke.stapler", "RequestImpl", true, "RequestImpl", "(Stapler,HttpServletRequest,List,TokenList)", "", "Argument[3]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "RequestImpl", true, "getView", "(Klass,Object,String)", "", "Argument[1]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "RequestImpl", true, "getView", "(Klass,Object,String)", "", "Argument[2]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "RequestImpl", true, "getView", "(Klass,Object,String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "ResponseImpl", true, "ResponseImpl", "(Stapler,HttpServletResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "ResponseImpl", true, "ResponseImpl", "(Stapler,HttpServletResponse)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "ResponseImpl", true, "encode", "(String)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
|
||||
@@ -265,19 +275,25 @@ extensions:
|
||||
- ["org.kohsuke.stapler", "ScriptLoadException", true, "ScriptLoadException", "(Throwable)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "SingleLinkedList", true, "SingleLinkedList", "(Object,SingleLinkedList)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "SingleLinkedList", true, "SingleLinkedList", "(Object,SingleLinkedList)", "", "Argument[1].Element", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "SingleLinkedList", true, "grow", "(Object)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "SingleLinkedList", true, "grow", "(Object)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "SingleLinkedList", true, "grow", "(Object)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Stapler", true, "escape", "(String)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Stapler", true, "getClassLoader", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Stapler", true, "getClassLoader", "(ServletContext)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Stapler", true, "getViewURL", "(Class,String)", "", "Argument[1]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Stapler", true, "getWebApp", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Stapler", true, "htmlSafeArgument", "(Object)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Stapler", true, "htmlSafeArguments", "(Object[])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "bindJSON", "(Class,JSONObject)", "", "Argument[1].Element", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "bindJSON", "(Type,Class,Object)", "", "Argument[2]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "bindJSONToList", "(Class,Object)", "", "Argument[1]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "createJavaScriptProxy", "(Object)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "findAncestor", "(Class)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "findAncestor", "(Object)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "findAncestorObject", "(Class)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "getAncestors", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "getBindInterceptor", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "getBoundObjectTable", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "getFileItem", "(String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "getOriginalRequestURI", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "getOriginalRestOfPath", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
@@ -285,16 +301,19 @@ extensions:
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "getStapler", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "getSubmittedForm", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "getView", "(Class,String)", "", "Argument[1]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "getView", "(Class,String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "getView", "(Klass,String)", "", "Argument[1]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "getView", "(Klass,String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "getView", "(Object,String)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "getView", "(Object,String)", "", "Argument[1]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "getView", "(Object,String)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "getWebApp", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "setBindInterceptor", "(BindInterceptor)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "setBindInterceptor", "(BindInterceptor)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "setBindInterceptpr", "(BindInterceptor)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "setBindInterceptor", "(BindInterceptor)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "setBindInterceptpr", "(BindInterceptor)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "setBindListener", "(BindInterceptor)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "setBindInterceptpr", "(BindInterceptor)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "setBindListener", "(BindInterceptor)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", true, "setBindListener", "(BindInterceptor)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerResponse", true, "getCompressedOutputStream", "(HttpServletRequest)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerResponse", true, "getCompressedWriter", "(HttpServletRequest)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerResponse", true, "getJsonConfig", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
@@ -319,6 +338,7 @@ extensions:
|
||||
- ["org.kohsuke.stapler", "WebApp", true, "getCrumbIssuer", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "WebApp", true, "getDispatchValidator", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "WebApp", true, "getDispatchersFilter", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "WebApp", true, "getFacet", "(Class)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "WebApp", true, "getFilterForDoActions", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "WebApp", true, "getFilterForFields", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "WebApp", true, "getFilterForGetMethods", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
@@ -328,8 +348,8 @@ extensions:
|
||||
- ["org.kohsuke.stapler", "WebApp", true, "getFilteredGetterTriggerListener", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "WebApp", true, "getJsonInErrorMessageSanitizer", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "WebApp", true, "getMetaClass", "(Class)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "WebApp", true, "getMetaClass", "(Klass)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "WebApp", true, "getMetaClass", "(Klass)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "WebApp", true, "getMetaClass", "(Klass)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "WebApp", true, "getMetaClass", "(Object)", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "WebApp", true, "getResponseRenderers", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "WebApp", true, "getSomeStapler", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
|
||||
@@ -419,7 +439,6 @@ extensions:
|
||||
- ["org.kohsuke.stapler.framework.io", "AtomicFileWriter", "commit", "()", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework.io", "ByteBuffer", "length", "()", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework.io", "ByteBuffer", "newInputStream", "()", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework.io", "IOException2", "IOException2", "(Throwable)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework.io", "LargeText", "LargeText", "(ByteBuffer,Charset,boolean)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework.io", "LargeText", "LargeText", "(ByteBuffer,boolean)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler.framework.io", "LargeText", "LargeText", "(File,Charset,boolean)", "summary", "df-generated"]
|
||||
@@ -469,7 +488,6 @@ extensions:
|
||||
- ["org.kohsuke.stapler.jelly", "IncludeTag", "setOptional", "(boolean)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly", "InternationalizedStringExpression", "makeEscapingExpression", "()", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly", "JellyClassLoaderTearOff", "createContext", "()", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly", "JellyClassLoaderTearOff", "getTagLibrary", "(String)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly", "JellyClassTearOff", "serveIndexJelly", "(StaplerRequest,StaplerResponse,Object)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly", "JellyCompatibleFacet", "getClassTearOffTypes", "()", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly", "JellyCompatibleFacet", "getScriptExtensions", "()", "summary", "df-generated"]
|
||||
@@ -480,7 +498,6 @@ extensions:
|
||||
- ["org.kohsuke.stapler.jelly", "ScriptInvoker", "invokeScript", "(StaplerRequest,StaplerResponse,Script,Object)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly", "ScriptInvoker", "invokeScript", "(StaplerRequest,StaplerResponse,Script,Object,XMLOutput)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler.jelly", "StatusCodeTag", "setValue", "(int)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler.json", "JsonHttpResponse", "JsonHttpResponse", "(Throwable,int)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler.lang.util", "FieldRefFilter", "wrap", "(Field)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler.lang.util", "MethodRefFilter", "wrap", "(Method)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler.lang", "AnnotatedRef", "getAnnotation", "(Class)", "summary", "df-generated"]
|
||||
@@ -616,7 +633,6 @@ extensions:
|
||||
- ["org.kohsuke.stapler", "SingleLinkedList", "empty", "()", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Stapler", "buildResourcePaths", "()", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Stapler", "forward", "(RequestDispatcher,StaplerRequest,HttpServletResponse)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Stapler", "getClassLoader", "(ServletContext)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Stapler", "getCurrent", "()", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Stapler", "getCurrentRequest", "()", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Stapler", "getCurrentResponse", "()", "summary", "df-generated"]
|
||||
@@ -626,9 +642,7 @@ extensions:
|
||||
- ["org.kohsuke.stapler", "Stapler", "setClassLoader", "(ServletContext,ClassLoader)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "Stapler", "setRoot", "(ServletContextEvent,Object)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerFallback", "getStaplerFallback", "()", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", "bindJSON", "(Class,JSONObject)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", "bindJSON", "(Object,JSONObject)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", "bindJSONToList", "(Class,Object)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", "bindParameters", "(Class,String)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", "bindParameters", "(Class,String,int)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", "bindParameters", "(Object)", "summary", "df-generated"]
|
||||
@@ -638,9 +652,6 @@ extensions:
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", "checkIfModified", "(Date,StaplerResponse)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", "checkIfModified", "(long,StaplerResponse)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", "checkIfModified", "(long,StaplerResponse,long)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", "createJavaScriptProxy", "(Object)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", "findAncestorObject", "(Class)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", "getBoundObjectTable", "()", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", "getReferer", "()", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", "getRequestURIWithQueryString", "()", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "StaplerRequest", "getRequestURLWithQueryString", "()", "summary", "df-generated"]
|
||||
@@ -674,6 +685,5 @@ extensions:
|
||||
- ["org.kohsuke.stapler", "WebApp", "clearScripts", "(Class)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "WebApp", "getApp", "()", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "WebApp", "getCurrent", "()", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "WebApp", "getFacet", "(Class)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "WebApp", "getKlass", "(Object)", "summary", "df-generated"]
|
||||
- ["org.kohsuke.stapler", "WebApp", "setApp", "(Object)", "summary", "df-generated"]
|
||||
|
||||
@@ -7,9 +7,9 @@ extensions:
|
||||
- ["hudson.model", "DownloadService", True, "loadJSONHTML", "(URL)", "", "Argument[0]", "request-forgery", "ai-manual"]
|
||||
- ["hudson.model", "DirectoryBrowserSupport", False, "DirectoryBrowserSupport", "(ModelObject,FilePath,String,String,boolean)", "", "Argument[1]", "path-injection", "ai-manual"]
|
||||
- ["hudson.model", "Items", True, "load", "(ItemGroup,File)", "", "Argument[1]", "path-injection", "ai-manual"]
|
||||
- ["hudson.model", "UpdateCenter$UpdateCenterConfiguration", True, "download", "(DownloadJob,URL)", "", "Argument[1]", "request-forgery", "ai-manual"]
|
||||
- ["hudson.model", "UpdateCenter$UpdateCenterConfiguration", True, "install", "(DownloadJob,File,File)", "", "Argument[1]", "path-injection", "ai-manual"]
|
||||
- ["hudson.model", "UpdateCenter$UpdateCenterConfiguration", True, "install", "(DownloadJob,File,File)", "", "Argument[2]", "path-injection", "ai-manual"]
|
||||
- ["hudson.model", "UpdateCenter$UpdateCenterConfiguration", True, "download", "(UpdateCenter$DownloadJob,URL)", "", "Argument[1]", "request-forgery", "ai-manual"]
|
||||
- ["hudson.model", "UpdateCenter$UpdateCenterConfiguration", True, "install", "(UpdateCenter$DownloadJob,File,File)", "", "Argument[1]", "path-injection", "ai-manual"]
|
||||
- ["hudson.model", "UpdateCenter$UpdateCenterConfiguration", True, "install", "(UpdateCenter$DownloadJob,File,File)", "", "Argument[2]", "path-injection", "ai-manual"]
|
||||
- addsTo:
|
||||
pack: codeql/java-all
|
||||
extensible: summaryModel
|
||||
|
||||
@@ -8,7 +8,7 @@ extensions:
|
||||
- ["hudson", "FilePath", True, "copyFrom", "(URL)", "", "Argument[0]", "path-injection", "manual"]
|
||||
- ["hudson", "FilePath", True, "copyFrom", "(FileItem)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["hudson", "FilePath", True, "copyRecursiveTo", "", "", "Argument[this]", "path-injection", "ai-manual"]
|
||||
- ["hudson", "FilePath", True, "copyRecursiveTo", "(DirScanner,FilePath,String,TarCompression)", "", "Argument[1]", "path-injection", "ai-manual"]
|
||||
- ["hudson", "FilePath", True, "copyRecursiveTo", "(DirScanner,FilePath,String,FilePath$TarCompression)", "", "Argument[1]", "path-injection", "ai-manual"]
|
||||
- ["hudson", "FilePath", True, "copyRecursiveTo", "(DirScanner,FilePath,String)", "", "Argument[1]", "file-content-store", "ai-manual"]
|
||||
- ["hudson", "FilePath", True, "copyRecursiveTo", "(String,FilePath)", "", "Argument[1]", "path-injection", "ai-manual"]
|
||||
- ["hudson", "FilePath", True, "copyRecursiveTo", "(String,String,FilePath)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Regular expressions containing multiple parse mode flags are now interpretted correctly. For example `"(?is)abc.*"` with both the `i` and `s` flags.
|
||||
@@ -617,7 +617,7 @@ class RegExp extends Expr instanceof StrConst {
|
||||
private predicate group_start(int start, int end) {
|
||||
this.non_capturing_group_start(start, end)
|
||||
or
|
||||
this.flag_group_start(start, end, _)
|
||||
this.flag_group_start(start, end)
|
||||
or
|
||||
this.named_group_start(start, end)
|
||||
or
|
||||
@@ -679,12 +679,29 @@ class RegExp extends Expr instanceof StrConst {
|
||||
end = min(int i | i > start + 4 and this.getChar(i) = "?")
|
||||
}
|
||||
|
||||
private predicate flag_group_start(int start, int end, string c) {
|
||||
/**
|
||||
* Holds if a parse mode starts between `start` and `end`.
|
||||
*/
|
||||
private predicate flag_group_start(int start, int end) {
|
||||
this.isGroupStart(start) and
|
||||
this.getChar(start + 1) = "?" and
|
||||
end = start + 3 and
|
||||
c = this.getChar(start + 2) and
|
||||
c in ["i", "L", "m", "s", "u", "x"]
|
||||
this.getChar(start + 2) in ["i", "L", "m", "s", "u", "x"] and
|
||||
end = start + 2
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if a parse mode group is between `start` and `end`, and includes the
|
||||
* mode flag `c`. For example the following span, with mode flag `i`:
|
||||
* ```
|
||||
* (?i)
|
||||
* ```
|
||||
*/
|
||||
private predicate flag_group(int start, int end, string c) {
|
||||
exists(int inStart, int inEnd |
|
||||
this.flag_group_start(start, inStart) and
|
||||
this.groupContents(start, end, inStart, inEnd) and
|
||||
this.getChar([inStart .. inEnd - 1]) = c
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -692,7 +709,7 @@ class RegExp extends Expr instanceof StrConst {
|
||||
* it is defined by a prefix.
|
||||
*/
|
||||
string getModeFromPrefix() {
|
||||
exists(string c | this.flag_group_start(_, _, c) |
|
||||
exists(string c | this.flag_group(_, _, c) |
|
||||
c = "i" and result = "IGNORECASE"
|
||||
or
|
||||
c = "L" and result = "LOCALE"
|
||||
|
||||
@@ -0,0 +1,159 @@
|
||||
private import python
|
||||
private import semmle.python.dataflow.new.DataFlow
|
||||
private import semmle.python.ApiGraphs
|
||||
|
||||
/**
|
||||
* A data-flow node that constructs a template.
|
||||
*
|
||||
* Extend this class to refine existing API models. If you want to model new APIs,
|
||||
* extend `TemplateConstruction::Range` instead.
|
||||
*/
|
||||
class TemplateConstruction extends DataFlow::Node instanceof TemplateConstruction::Range {
|
||||
/** Gets the argument that specifies the template source. */
|
||||
DataFlow::Node getSourceArg() { result = super.getSourceArg() }
|
||||
}
|
||||
|
||||
/** Provides a class for modeling new system-command execution APIs. */
|
||||
module TemplateConstruction {
|
||||
/**
|
||||
* A data-flow node that constructs a template.
|
||||
*
|
||||
* Extend this class to model new APIs. If you want to refine existing API models,
|
||||
* extend `TemplateConstruction` instead.
|
||||
*/
|
||||
abstract class Range extends DataFlow::Node {
|
||||
/** Gets the argument that specifies the template source. */
|
||||
abstract DataFlow::Node getSourceArg();
|
||||
}
|
||||
}
|
||||
|
||||
// -----------------------------------------------------------------------------
|
||||
/** A call to `airspeed.Template`. */
|
||||
class AirspeedTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
AirspeedTemplateConstruction() {
|
||||
this = API::moduleImport("airspeed").getMember("Template").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `bottle.SimpleTemplate`. */
|
||||
class BottleSimpleTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
BottleSimpleTemplateConstruction() {
|
||||
this = API::moduleImport("bottle").getMember("SimpleTemplate").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `bottle.template`. */
|
||||
class BottleTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
BottleTemplateConstruction() {
|
||||
this = API::moduleImport("bottle").getMember("template").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `chameleon.PageTemplate`. */
|
||||
class ChameleonTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
ChameleonTemplateConstruction() {
|
||||
this = API::moduleImport("chameleon").getMember("PageTemplate").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `Cheetah.Template.Template`. */
|
||||
class CheetahTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
CheetahTemplateConstruction() {
|
||||
this =
|
||||
API::moduleImport("Cheetah")
|
||||
.getMember("Template")
|
||||
.getMember("Template")
|
||||
.getASubclass*()
|
||||
.getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `chevron.render`. */
|
||||
class ChevronRenderConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
ChevronRenderConstruction() { this = API::moduleImport("chevron").getMember("render").getACall() }
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `django.template.Template` */
|
||||
class DjangoTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
DjangoTemplateConstruction() {
|
||||
this = API::moduleImport("django").getMember("template").getMember("Template").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
// TODO: support django.template.engines["django"]].from_string
|
||||
/** A call to `flask.render_template_string`. */
|
||||
class FlaskTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
FlaskTemplateConstruction() {
|
||||
this = API::moduleImport("flask").getMember("render_template_string").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `genshi.template.TextTemplate`. */
|
||||
class GenshiTextTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
GenshiTextTemplateConstruction() {
|
||||
this = API::moduleImport("genshi").getMember("template").getMember("TextTemplate").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `genshi.template.MarkupTemplate` */
|
||||
class GenshiMarkupTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
GenshiMarkupTemplateConstruction() {
|
||||
this = API::moduleImport("genshi").getMember("template").getMember("MarkupTemplate").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `jinja2.Template`. */
|
||||
class Jinja2TemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
Jinja2TemplateConstruction() {
|
||||
this = API::moduleImport("jinja2").getMember("Template").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `jinja2.from_string`. */
|
||||
class Jinja2FromStringConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
Jinja2FromStringConstruction() {
|
||||
this = API::moduleImport("jinja2").getMember("from_string").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `mako.template.Template`. */
|
||||
class MakoTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
MakoTemplateConstruction() {
|
||||
this = API::moduleImport("mako").getMember("template").getMember("Template").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
|
||||
/** A call to `trender.TRender`. */
|
||||
class TRenderTemplateConstruction extends TemplateConstruction::Range, API::CallNode {
|
||||
TRenderTemplateConstruction() {
|
||||
this = API::moduleImport("trender").getMember("TRender").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getSourceArg() { result = this.getArg(0) }
|
||||
}
|
||||
@@ -11,25 +11,10 @@
|
||||
*/
|
||||
|
||||
import python
|
||||
import semmle.python.security.Paths
|
||||
/* Sources */
|
||||
import semmle.python.web.HttpRequest
|
||||
/* Sinks */
|
||||
import experimental.semmle.python.templates.Ssti
|
||||
/* Flow */
|
||||
import semmle.python.security.strings.Untrusted
|
||||
import TemplateInjectionQuery
|
||||
import TemplateInjectionFlow::PathGraph
|
||||
|
||||
class TemplateInjectionConfiguration extends TaintTracking::Configuration {
|
||||
TemplateInjectionConfiguration() { this = "Template injection configuration" }
|
||||
|
||||
deprecated override predicate isSource(TaintTracking::Source source) {
|
||||
source instanceof HttpRequestTaintSource
|
||||
}
|
||||
|
||||
deprecated override predicate isSink(TaintTracking::Sink sink) { sink instanceof SSTISink }
|
||||
}
|
||||
|
||||
from TemplateInjectionConfiguration config, TaintedPathSource src, TaintedPathSink sink
|
||||
where config.hasFlowPath(src, sink)
|
||||
select sink.getSink(), src, sink, "This Template depends on $@.", src.getSource(),
|
||||
"a user-provided value"
|
||||
from TemplateInjectionFlow::PathNode source, TemplateInjectionFlow::PathNode sink
|
||||
where TemplateInjectionFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This Template depends on $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -0,0 +1,51 @@
|
||||
/**
|
||||
* Provides default sources, sinks and sanitizers for detecting
|
||||
* "template injection"
|
||||
* vulnerabilities, as well as extension points for adding your own.
|
||||
*/
|
||||
|
||||
private import python
|
||||
private import semmle.python.dataflow.new.DataFlow
|
||||
private import semmle.python.Concepts
|
||||
private import semmle.python.dataflow.new.RemoteFlowSources
|
||||
private import semmle.python.dataflow.new.BarrierGuards
|
||||
private import TemplateConstructionConcept
|
||||
|
||||
/**
|
||||
* Provides default sources, sinks and sanitizers for detecting
|
||||
* "template injection"
|
||||
* vulnerabilities, as well as extension points for adding your own.
|
||||
*/
|
||||
module TemplateInjection {
|
||||
/**
|
||||
* A data flow source for "template injection" vulnerabilities.
|
||||
*/
|
||||
abstract class Source extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* A data flow sink for "template injection" vulnerabilities.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* A sanitizer for "template injection" vulnerabilities.
|
||||
*/
|
||||
abstract class Sanitizer extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* A source of remote user input, considered as a flow source.
|
||||
*/
|
||||
class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
|
||||
|
||||
/**
|
||||
* A SQL statement of a SQL construction, considered as a flow sink.
|
||||
*/
|
||||
class TemplateConstructionAsSink extends Sink {
|
||||
TemplateConstructionAsSink() { this = any(TemplateConstruction c).getSourceArg() }
|
||||
}
|
||||
|
||||
/**
|
||||
* A comparison with a constant string, considered as a sanitizer-guard.
|
||||
*/
|
||||
class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
|
||||
}
|
||||
@@ -0,0 +1,18 @@
|
||||
/**
|
||||
* Provides a taint-tracking configuration for detecting "template injection" vulnerabilities.
|
||||
*/
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
import TemplateInjectionCustomizations::TemplateInjection
|
||||
|
||||
module TemplateInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node node) { node instanceof Source }
|
||||
|
||||
predicate isSink(DataFlow::Node node) { node instanceof Sink }
|
||||
|
||||
predicate isBarrierIn(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
|
||||
module TemplateInjectionFlow = TaintTracking::Global<TemplateInjectionConfig>;
|
||||
@@ -1,36 +0,0 @@
|
||||
/**
|
||||
* @name XSLT query built from user-controlled sources
|
||||
* @description Building a XSLT query from user-controlled sources is vulnerable to insertion of
|
||||
* malicious XSLT code by the user.
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @precision high
|
||||
* @id py/xslt-injection
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-643
|
||||
*/
|
||||
|
||||
import python
|
||||
import semmle.python.security.Paths
|
||||
/* Sources */
|
||||
import semmle.python.web.HttpRequest
|
||||
/* Sinks */
|
||||
import experimental.semmle.python.security.injection.XSLT
|
||||
|
||||
class XsltInjectionConfiguration extends TaintTracking::Configuration {
|
||||
XsltInjectionConfiguration() { this = "XSLT injection configuration" }
|
||||
|
||||
deprecated override predicate isSource(TaintTracking::Source source) {
|
||||
source instanceof HttpRequestTaintSource
|
||||
}
|
||||
|
||||
deprecated override predicate isSink(TaintTracking::Sink sink) {
|
||||
sink instanceof XSLTInjection::XSLTInjectionSink
|
||||
}
|
||||
}
|
||||
|
||||
from XsltInjectionConfiguration config, TaintedPathSource src, TaintedPathSink sink
|
||||
where config.hasFlowPath(src, sink)
|
||||
select sink.getSink(), src, sink, "This XSLT query depends on $@.", src.getSource(),
|
||||
"a user-provided value"
|
||||
110
python/ql/src/experimental/Security/CWE-091/XsltConcept.qll
Normal file
110
python/ql/src/experimental/Security/CWE-091/XsltConcept.qll
Normal file
@@ -0,0 +1,110 @@
|
||||
private import python
|
||||
private import semmle.python.dataflow.new.DataFlow
|
||||
private import semmle.python.ApiGraphs
|
||||
|
||||
/**
|
||||
* A data-flow node that constructs a XSLT transformer.
|
||||
*
|
||||
* Extend this class to refine existing API models. If you want to model new APIs,
|
||||
* extend `TemplateConstruction::Range` instead.
|
||||
*/
|
||||
class XsltConstruction extends DataFlow::Node instanceof XsltConstruction::Range {
|
||||
/** Gets the argument that specifies the XSLT transformer. */
|
||||
DataFlow::Node getXsltArg() { result = super.getXsltArg() }
|
||||
}
|
||||
|
||||
/** Provides a class for modeling new system-command execution APIs. */
|
||||
module XsltConstruction {
|
||||
/**
|
||||
* A data-flow node that constructs a XSLT transformer.
|
||||
*
|
||||
* Extend this class to model new APIs. If you want to refine existing API models,
|
||||
* extend `XsltConstruction` instead.
|
||||
*/
|
||||
abstract class Range extends DataFlow::Node {
|
||||
/** Gets the argument that specifies the XSLT transformer. */
|
||||
abstract DataFlow::Node getXsltArg();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A data-flow node that executes a XSLT transformer.
|
||||
*
|
||||
* Extend this class to refine existing API models. If you want to model new APIs,
|
||||
* extend `TemplateConstruction::Range` instead.
|
||||
*/
|
||||
class XsltExecution extends DataFlow::Node instanceof XsltExecution::Range {
|
||||
/** Gets the argument that specifies the XSLT transformer. */
|
||||
DataFlow::Node getXsltArg() { result = super.getXsltArg() }
|
||||
}
|
||||
|
||||
/** Provides a class for modeling new system-command execution APIs. */
|
||||
module XsltExecution {
|
||||
/**
|
||||
* A data-flow node that executes a XSLT transformer.
|
||||
*
|
||||
* Extend this class to model new APIs. If you want to refine existing API models,
|
||||
* extend `XsltExecution` instead.
|
||||
*/
|
||||
abstract class Range extends DataFlow::Node {
|
||||
/** Gets the argument that specifies the XSLT transformer. */
|
||||
abstract DataFlow::Node getXsltArg();
|
||||
}
|
||||
}
|
||||
|
||||
// -----------------------------------------------------------------------------
|
||||
/**
|
||||
* A call to `lxml.etree.XSLT`.
|
||||
*
|
||||
* ```py
|
||||
* from lxml import etree
|
||||
* xslt_tree = etree.parse(...)
|
||||
* doc = etree.parse(...)
|
||||
* transform = etree.XSLT(xslt_tree)
|
||||
* result = transform(doc)
|
||||
* ```
|
||||
*/
|
||||
class LxmlEtreeXsltCall extends XsltConstruction::Range, API::CallNode {
|
||||
LxmlEtreeXsltCall() {
|
||||
this = API::moduleImport("lxml").getMember("etree").getMember("XSLT").getACall()
|
||||
}
|
||||
|
||||
override DataFlow::Node getXsltArg() { result = this.getParameter(0, "xslt_input").asSink() }
|
||||
}
|
||||
|
||||
/**
|
||||
* A call to `.xslt` on an lxml ElementTree object.
|
||||
*
|
||||
* ```py
|
||||
* from lxml import etree
|
||||
* xslt_tree = etree.parse(...)
|
||||
* doc = etree.parse(...)
|
||||
* result = doc.xslt(xslt_tree)
|
||||
* ```
|
||||
*/
|
||||
class XsltAttributeCall extends XsltExecution::Range, API::CallNode {
|
||||
XsltAttributeCall() { this = elementTreeConstruction(_).getReturn().getMember("xslt").getACall() }
|
||||
|
||||
override DataFlow::Node getXsltArg() { result = this.getParameter(0, "_xslt").asSink() }
|
||||
}
|
||||
|
||||
// -----------------------------------------------------------------------------
|
||||
API::CallNode elementTreeConstruction(DataFlow::Node inputArg) {
|
||||
// TODO: If we could, would be nice to model this as flow-summaries. But I'm not sure if we actually can :thinking:
|
||||
// see https://lxml.de/api/lxml.etree-module.html#fromstring
|
||||
result = API::moduleImport("lxml").getMember("etree").getMember("fromstring").getACall() and
|
||||
inputArg = result.getParameter(0, "text").asSink()
|
||||
or
|
||||
// see https://lxml.de/api/lxml.etree-module.html#fromstringlist
|
||||
result = API::moduleImport("lxml").getMember("etree").getMember("fromstringlist").getACall() and
|
||||
inputArg = result.getParameter(0, "strings").asSink()
|
||||
or
|
||||
// TODO: technically we should treat parse differently, since it takes a file as argument
|
||||
// see https://lxml.de/api/lxml.etree-module.html#parse
|
||||
result = API::moduleImport("lxml").getMember("etree").getMember("parse").getACall() and
|
||||
inputArg = result.getParameter(0, "source").asSink()
|
||||
or
|
||||
// see https://lxml.de/api/lxml.etree-module.html#XML
|
||||
result = API::moduleImport("lxml").getMember("etree").getMember("XML").getACall() and
|
||||
inputArg = result.getParameter(0, "text").asSink()
|
||||
}
|
||||
21
python/ql/src/experimental/Security/CWE-091/XsltInjection.ql
Normal file
21
python/ql/src/experimental/Security/CWE-091/XsltInjection.ql
Normal file
@@ -0,0 +1,21 @@
|
||||
/**
|
||||
* @name XSLT query built from user-controlled sources
|
||||
* @description Building a XSLT query from user-controlled sources is vulnerable to insertion of
|
||||
* malicious XSLT code by the user.
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @precision high
|
||||
* @id py/xslt-injection
|
||||
* @tags security
|
||||
* experimental
|
||||
* external/cwe/cwe-643
|
||||
*/
|
||||
|
||||
import python
|
||||
import XsltInjectionQuery
|
||||
import XsltInjectionFlow::PathGraph
|
||||
|
||||
from XsltInjectionFlow::PathNode source, XsltInjectionFlow::PathNode sink
|
||||
where XsltInjectionFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This XSLT query depends on $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
@@ -0,0 +1,58 @@
|
||||
/**
|
||||
* Provides default sources, sinks and sanitizers for detecting
|
||||
* "XSLT injection"
|
||||
* vulnerabilities, as well as extension points for adding your own.
|
||||
*/
|
||||
|
||||
private import python
|
||||
private import semmle.python.dataflow.new.DataFlow
|
||||
private import semmle.python.Concepts
|
||||
private import semmle.python.dataflow.new.RemoteFlowSources
|
||||
private import semmle.python.dataflow.new.BarrierGuards
|
||||
private import XsltConcept
|
||||
|
||||
/**
|
||||
* Provides default sources, sinks and sanitizers for detecting
|
||||
* "XSLT injection"
|
||||
* vulnerabilities, as well as extension points for adding your own.
|
||||
*/
|
||||
module XsltInjection {
|
||||
/**
|
||||
* A data flow source for "XSLT injection" vulnerabilities.
|
||||
*/
|
||||
abstract class Source extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* A data flow sink for "XSLT injection" vulnerabilities.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* A sanitizer for "XSLT injection" vulnerabilities.
|
||||
*/
|
||||
abstract class Sanitizer extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* A source of remote user input, considered as a flow source.
|
||||
*/
|
||||
class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
|
||||
|
||||
/**
|
||||
* An XSLT construction, considered as a flow sink.
|
||||
*/
|
||||
class XsltConstructionAsSink extends Sink {
|
||||
XsltConstructionAsSink() { this = any(XsltConstruction c).getXsltArg() }
|
||||
}
|
||||
|
||||
/**
|
||||
* An XSLT execution, considered as a flow sink.
|
||||
*/
|
||||
class XsltExecutionAsSink extends Sink {
|
||||
XsltExecutionAsSink() { this = any(XsltExecution c).getXsltArg() }
|
||||
}
|
||||
|
||||
/**
|
||||
* A comparison with a constant string, considered as a sanitizer-guard.
|
||||
*/
|
||||
class StringConstCompareAsSanitizerGuard extends Sanitizer, StringConstCompareBarrier { }
|
||||
}
|
||||
@@ -0,0 +1,24 @@
|
||||
/**
|
||||
* Provides a taint-tracking configuration for detecting "XSLT injection" vulnerabilities.
|
||||
*/
|
||||
|
||||
private import python
|
||||
import semmle.python.dataflow.new.DataFlow
|
||||
import semmle.python.dataflow.new.TaintTracking
|
||||
import XsltInjectionCustomizations::XsltInjection
|
||||
import XsltConcept
|
||||
|
||||
module XsltInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node node) { node instanceof Source }
|
||||
|
||||
predicate isSink(DataFlow::Node node) { node instanceof Sink }
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
||||
// I considered using a FlowState of (raw-string, ElementTree), but in all honesty
|
||||
// valid code would never have direct flow from a string to a sink anyway... so I
|
||||
// opted for the more simple approach.
|
||||
nodeTo = elementTreeConstruction(nodeFrom)
|
||||
}
|
||||
}
|
||||
|
||||
module XsltInjectionFlow = TaintTracking::Global<XsltInjectionConfig>;
|
||||
@@ -1,121 +0,0 @@
|
||||
/**
|
||||
* Provides class and predicates to track external data that
|
||||
* may represent malicious XSLT query objects.
|
||||
*
|
||||
* This module is intended to be imported into a taint-tracking query
|
||||
* to extend `TaintKind` and `TaintSink`.
|
||||
*/
|
||||
|
||||
import python
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
import semmle.python.web.HttpRequest
|
||||
|
||||
/** Models XSLT Injection related classes and functions */
|
||||
module XsltInjection {
|
||||
/** Returns a class value which refers to `lxml.etree` */
|
||||
Value etree() { result = Value::named("lxml.etree") }
|
||||
|
||||
/** A generic taint sink that is vulnerable to XSLT injection. */
|
||||
abstract class XsltInjectionSink extends TaintSink { }
|
||||
|
||||
/** DEPRECATED: Alias for XsltInjectionSink */
|
||||
deprecated class XSLTInjectionSink = XsltInjectionSink;
|
||||
|
||||
/**
|
||||
* A kind of "taint", representing an untrusted XML string
|
||||
*/
|
||||
deprecated private class ExternalXmlStringKind extends ExternalStringKind {
|
||||
ExternalXmlStringKind() { this = "etree.XML string" }
|
||||
|
||||
override TaintKind getTaintForFlowStep(ControlFlowNode fromnode, ControlFlowNode tonode) {
|
||||
etreeXml(fromnode, tonode) and result instanceof ExternalXmlKind
|
||||
or
|
||||
etreeFromStringList(fromnode, tonode) and result instanceof ExternalXmlKind
|
||||
or
|
||||
etreeFromString(fromnode, tonode) and result instanceof ExternalXmlKind
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A kind of "taint", representing a XML encoded string
|
||||
*/
|
||||
class ExternalXmlKind extends TaintKind {
|
||||
ExternalXmlKind() { this = "lxml etree xml" }
|
||||
}
|
||||
|
||||
private predicate etreeXml(ControlFlowNode fromnode, CallNode tonode) {
|
||||
// etree.XML("<xmlContent>")
|
||||
exists(CallNode call | call.getFunction().(AttrNode).getObject("XML").pointsTo(etree()) |
|
||||
call.getArg(0) = fromnode and
|
||||
call = tonode
|
||||
)
|
||||
}
|
||||
|
||||
private predicate etreeFromString(ControlFlowNode fromnode, CallNode tonode) {
|
||||
// etree.fromstring(text, parser=None)
|
||||
exists(CallNode call | call.getFunction().(AttrNode).getObject("fromstring").pointsTo(etree()) |
|
||||
call.getArg(0) = fromnode and
|
||||
call = tonode
|
||||
)
|
||||
}
|
||||
|
||||
private predicate etreeFromStringList(ControlFlowNode fromnode, CallNode tonode) {
|
||||
// etree.fromstringlist(strings, parser=None)
|
||||
exists(CallNode call |
|
||||
call.getFunction().(AttrNode).getObject("fromstringlist").pointsTo(etree())
|
||||
|
|
||||
call.getArg(0) = fromnode and
|
||||
call = tonode
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* A Sink representing an argument to the `etree.XSLT` call.
|
||||
*
|
||||
* from lxml import etree
|
||||
* root = etree.XML("<xmlContent>")
|
||||
* find_text = etree.XSLT("`sink`")
|
||||
*/
|
||||
private class EtreeXsltArgument extends XsltInjectionSink {
|
||||
override string toString() { result = "lxml.etree.XSLT" }
|
||||
|
||||
EtreeXsltArgument() {
|
||||
exists(CallNode call | call.getFunction().(AttrNode).getObject("XSLT").pointsTo(etree()) |
|
||||
call.getArg(0) = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalXmlKind }
|
||||
}
|
||||
|
||||
/**
|
||||
* A Sink representing an argument to the `XSLT` call to a parsed xml document.
|
||||
*
|
||||
* from lxml import etree
|
||||
* from io import StringIO
|
||||
* `sink` = etree.XML(xsltQuery)
|
||||
* tree = etree.parse(f)
|
||||
* result_tree = tree.xslt(`sink`)
|
||||
*/
|
||||
private class ParseXsltArgument extends XsltInjectionSink {
|
||||
override string toString() { result = "lxml.etree.parse.xslt" }
|
||||
|
||||
ParseXsltArgument() {
|
||||
exists(
|
||||
CallNode parseCall, CallNode xsltCall, ControlFlowNode obj, Variable var, AssignStmt assign
|
||||
|
|
||||
parseCall.getFunction().(AttrNode).getObject("parse").pointsTo(etree()) and
|
||||
assign.getValue().(Call).getAFlowNode() = parseCall and
|
||||
xsltCall.getFunction().(AttrNode).getObject("xslt") = obj and
|
||||
var.getAUse() = obj and
|
||||
assign.getATarget() = var.getAStore() and
|
||||
xsltCall.getArg(0) = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalXmlKind }
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for XsltInjection */
|
||||
deprecated module XSLTInjection = XsltInjection;
|
||||
@@ -1,27 +0,0 @@
|
||||
/** Provides classes which model the `airspeed` package. */
|
||||
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
/** returns the ClassValue representing `airspeed.Template` */
|
||||
deprecated ClassValue theAirspeedTemplateClass() { result = Value::named("airspeed.Template") }
|
||||
|
||||
/**
|
||||
* A sink representing the `airspeed.Template` class instantiation argument.
|
||||
*
|
||||
* import airspeed
|
||||
* temp = airspeed.Template(`"sink"`)
|
||||
*/
|
||||
deprecated class AirspeedTemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to airspeed.Template()" }
|
||||
|
||||
AirspeedTemplateSink() {
|
||||
exists(CallNode call |
|
||||
call.getFunction().pointsTo(theAirspeedTemplateClass()) and
|
||||
call.getArg(0) = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
@@ -1,48 +0,0 @@
|
||||
/** Provides classes which model the `bottle` package. */
|
||||
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
/** returns the ClassValue representing `bottle.SimpleTemplate` */
|
||||
deprecated ClassValue theBottleSimpleTemplateClass() {
|
||||
result = Value::named("bottle.SimpleTemplate")
|
||||
}
|
||||
|
||||
/**
|
||||
* A sink representing the `bottle.SimpleTemplate` class instantiation argument.
|
||||
*
|
||||
* from bottle import SimpleTemplate
|
||||
* template = SimpleTemplate(`sink`)
|
||||
*/
|
||||
deprecated class BottleSimpleTemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to bottle.SimpleTemplate()" }
|
||||
|
||||
BottleSimpleTemplateSink() {
|
||||
exists(CallNode call |
|
||||
call.getFunction().pointsTo(theBottleSimpleTemplateClass()) and
|
||||
call.getArg(0) = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
|
||||
/**
|
||||
* A sink representing the `bottle.template` function call argument.
|
||||
*
|
||||
* from bottle import template
|
||||
* tmp = template(`sink`)
|
||||
*/
|
||||
deprecated class BottleTemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to bottle.template()" }
|
||||
|
||||
BottleTemplateSink() {
|
||||
exists(CallNode call |
|
||||
call.getFunction() = theBottleModule().attr("template").getAReference() and
|
||||
call.getArg(0) = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
@@ -1,29 +0,0 @@
|
||||
/** Provides classes which model the `Chameleon` package. */
|
||||
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
/** returns the ClassValue representing `chameleon.PageTemplate` */
|
||||
deprecated ClassValue theChameleonPageTemplateClass() {
|
||||
result = Value::named("chameleon.PageTemplate")
|
||||
}
|
||||
|
||||
/**
|
||||
* A sink representing the `chameleon.PageTemplate` class instantiation argument.
|
||||
*
|
||||
* from chameleon import PageTemplate
|
||||
* template = PageTemplate(`sink`)
|
||||
*/
|
||||
deprecated class ChameleonTemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to Chameleon.PageTemplate()" }
|
||||
|
||||
ChameleonTemplateSink() {
|
||||
exists(CallNode call |
|
||||
call.getFunction().pointsTo(theChameleonPageTemplateClass()) and
|
||||
call.getArg(0) = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
@@ -1,39 +0,0 @@
|
||||
/** Provides classes which model the `Cheetah3` package. */
|
||||
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
/** returns the ClassValue representing `Cheetah.Template.Template` */
|
||||
deprecated ClassValue theCheetahTemplateClass() {
|
||||
result = Value::named("Cheetah.Template.Template")
|
||||
}
|
||||
|
||||
/**
|
||||
* A sink representing the instantiation argument of any class which derives from
|
||||
* the `Cheetah.Template.Template` class .
|
||||
*
|
||||
* from Cheetah.Template import Template
|
||||
* class Template3(Template):
|
||||
* title = 'Hello World Example!'
|
||||
* contents = 'Hello World!'
|
||||
* t3 = Template3("sink")
|
||||
*
|
||||
* This will also detect cases of the following type :
|
||||
*
|
||||
* from Cheetah.Template import Template
|
||||
* t3 = Template("sink")
|
||||
*/
|
||||
deprecated class CheetahTemplateInstantiationSink extends SSTISink {
|
||||
override string toString() { result = "argument to Cheetah.Template.Template()" }
|
||||
|
||||
CheetahTemplateInstantiationSink() {
|
||||
exists(CallNode call, ClassValue cv |
|
||||
cv.getASuperType() = theCheetahTemplateClass() and
|
||||
call.getFunction().pointsTo(cv) and
|
||||
call.getArg(0) = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
@@ -1,36 +0,0 @@
|
||||
/** Provides classes which model the `chevron` package. */
|
||||
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
/** returns the Value representing `chevron.render` function */
|
||||
deprecated Value theChevronRenderFunc() { result = Value::named("chevron.render") }
|
||||
|
||||
/**
|
||||
* A sink representing the `chevron.render` function call argument.
|
||||
*
|
||||
* import chevron
|
||||
* tmp = chevron.render(`sink`,{ 'key' : 'value' })
|
||||
*/
|
||||
deprecated class ChevronRenderSink extends SSTISink {
|
||||
override string toString() { result = "argument to chevron.render()" }
|
||||
|
||||
ChevronRenderSink() {
|
||||
exists(CallNode call |
|
||||
call.getFunction() = theChevronRenderFunc().getAReference() and
|
||||
call.getArg(0) = this
|
||||
)
|
||||
// TODO: this should also detect :
|
||||
// import chevron
|
||||
// args = {
|
||||
// 'template': 'sink',
|
||||
// 'data': {
|
||||
// 'mustache': 'World'
|
||||
// }
|
||||
// }
|
||||
// chevron.render(**args)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
@@ -1,35 +0,0 @@
|
||||
/** Provides classes which model the `DjangoTemplate` package. */
|
||||
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
deprecated ClassValue theDjangoTemplateClass() { result = Value::named("django.template.Template") }
|
||||
|
||||
/**
|
||||
* A sink representing `django.template.Template` class instantiation argument.
|
||||
*
|
||||
* from django.template import Template
|
||||
* template = Template(`sink`)
|
||||
*/
|
||||
deprecated class DjangoTemplateTemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to Django.template()" }
|
||||
|
||||
DjangoTemplateTemplateSink() {
|
||||
exists(CallNode call |
|
||||
call.getFunction().pointsTo(theDjangoTemplateClass()) and
|
||||
call.getArg(0) = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
// TODO (intentionally commented out QLDoc, since qlformat will delete those lines otherwise)
|
||||
// /**
|
||||
// * Sinks representing the django.template.Template class instantiation.
|
||||
// *
|
||||
// * from django.template import engines
|
||||
// *
|
||||
// * django_engine = engines["django"]
|
||||
// * template = django_engine.from_string(`sink`)
|
||||
// */
|
||||
@@ -1,28 +0,0 @@
|
||||
/** Provides classes which model templates in the`flask` package. */
|
||||
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
deprecated Value theFlaskRenderTemplateClass() {
|
||||
result = Value::named("flask.render_template_string")
|
||||
}
|
||||
|
||||
/**
|
||||
* A sink representing `flask.render_template_string` function call argument.
|
||||
*
|
||||
* from flask import render_template_string
|
||||
* render_template_string(`sink`)
|
||||
*/
|
||||
deprecated class FlaskTemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to flask.render_template_string()" }
|
||||
|
||||
FlaskTemplateSink() {
|
||||
exists(CallNode call |
|
||||
call.getFunction().pointsTo(theFlaskRenderTemplateClass()) and
|
||||
call.getArg(0) = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
@@ -1,53 +0,0 @@
|
||||
/** Provides classes which model the `Genshi` package. */
|
||||
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
/** returns the ClassValue representing `Genshi.template.TextTemplate` */
|
||||
deprecated ClassValue theGenshiTextTemplateClass() {
|
||||
result = Value::named("genshi.template.TextTemplate")
|
||||
}
|
||||
|
||||
/** returns the ClassValue representing `Genshi.template.MarkupTemplate` */
|
||||
deprecated ClassValue theGenshiMarkupTemplateClass() {
|
||||
result = Value::named("genshi.template.MarkupTemplate")
|
||||
}
|
||||
|
||||
/**
|
||||
* A sink representing the `genshi.template.TextTemplate` class instantiation argument.
|
||||
*
|
||||
* from genshi.template import TextTemplate
|
||||
* tmpl = TextTemplate('sink')
|
||||
*/
|
||||
deprecated class GenshiTextTemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to genshi.template.TextTemplate()" }
|
||||
|
||||
GenshiTextTemplateSink() {
|
||||
exists(CallNode call |
|
||||
call.getFunction().pointsTo(theGenshiTextTemplateClass()) and
|
||||
call.getArg(0) = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
|
||||
/**
|
||||
* A sink representing the `genshi.template.MarkupTemplate` class instantiation argument.
|
||||
*
|
||||
* from genshi.template import MarkupTemplate
|
||||
* tmpl = MarkupTemplate('sink')
|
||||
*/
|
||||
deprecated class GenshiMarkupTemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to genshi.template.MarkupTemplate()" }
|
||||
|
||||
GenshiMarkupTemplateSink() {
|
||||
exists(CallNode call |
|
||||
call.getFunction().pointsTo(theGenshiMarkupTemplateClass()) and
|
||||
call.getArg(0) = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
@@ -1,49 +0,0 @@
|
||||
/** Provides classes which model the `Jinja2` package. */
|
||||
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
/** returns the ClassValue representing `jinja2.Template` */
|
||||
deprecated ClassValue theJinja2TemplateClass() { result = Value::named("jinja2.Template") }
|
||||
|
||||
/** returns the ClassValue representing `jinja2.Template` */
|
||||
deprecated Value theJinja2FromStringValue() { result = Value::named("jinja2.from_string") }
|
||||
|
||||
/**
|
||||
* A sink representing the `jinja2.Template` class instantiation argument.
|
||||
*
|
||||
* from jinja2 import Template
|
||||
* template = Template(`sink`)
|
||||
*/
|
||||
deprecated class Jinja2TemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to jinja2.Template()" }
|
||||
|
||||
Jinja2TemplateSink() {
|
||||
exists(CallNode call |
|
||||
call.getFunction().pointsTo(theJinja2TemplateClass()) and
|
||||
call.getArg(0) = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
|
||||
/**
|
||||
* A sink representing the `jinja2.from_string` function call argument.
|
||||
*
|
||||
* from jinja2 import from_string
|
||||
* template = from_string(`sink`)
|
||||
*/
|
||||
deprecated class Jinja2FromStringSink extends SSTISink {
|
||||
override string toString() { result = "argument to jinja2.from_string()" }
|
||||
|
||||
Jinja2FromStringSink() {
|
||||
exists(CallNode call |
|
||||
call.getFunction().pointsTo(theJinja2FromStringValue()) and
|
||||
call.getArg(0) = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
@@ -1,27 +0,0 @@
|
||||
/** Provides classes which model the `Mako` package. */
|
||||
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
/** returns the ClassValue representing `mako.template.Template` */
|
||||
deprecated ClassValue theMakoTemplateClass() { result = Value::named("mako.template.Template") }
|
||||
|
||||
/**
|
||||
* A sink representing the `mako.template.Template` class instantiation argument.
|
||||
*
|
||||
* from mako.template import Template
|
||||
* mytemplate = Template("hello world!")
|
||||
*/
|
||||
deprecated class MakoTemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to mako.template.Template()" }
|
||||
|
||||
MakoTemplateSink() {
|
||||
exists(CallNode call |
|
||||
call.getFunction().pointsTo(theMakoTemplateClass()) and
|
||||
call.getArg(0) = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
@@ -1,7 +0,0 @@
|
||||
import semmle.python.dataflow.TaintTracking
|
||||
|
||||
/**
|
||||
* A generic taint sink that is vulnerable to template inclusions.
|
||||
* The `temp` in `jinja2.Template(temp)` and similar.
|
||||
*/
|
||||
abstract deprecated class SSTISink extends TaintSink { }
|
||||
@@ -1,13 +0,0 @@
|
||||
/** Imports all files which model potential SSTI sinks */
|
||||
|
||||
import experimental.semmle.python.templates.Airspeed
|
||||
import experimental.semmle.python.templates.Bottle
|
||||
import experimental.semmle.python.templates.Chameleon
|
||||
import experimental.semmle.python.templates.Cheetah
|
||||
import experimental.semmle.python.templates.Chevron
|
||||
import experimental.semmle.python.templates.DjangoTemplate
|
||||
import experimental.semmle.python.templates.FlaskTemplate
|
||||
import experimental.semmle.python.templates.Genshi
|
||||
import experimental.semmle.python.templates.Jinja
|
||||
import experimental.semmle.python.templates.Mako
|
||||
import experimental.semmle.python.templates.TRender
|
||||
@@ -1,27 +0,0 @@
|
||||
/** Provides classes which model the `TRender` package. */
|
||||
|
||||
import python
|
||||
import semmle.python.web.HttpRequest
|
||||
import experimental.semmle.python.templates.SSTISink
|
||||
|
||||
/** returns the ClassValue representing `trender.TRender` */
|
||||
deprecated ClassValue theTRenderTemplateClass() { result = Value::named("trender.TRender") }
|
||||
|
||||
/**
|
||||
* A sink representing the `trender.TRender` class instantiation argument.
|
||||
*
|
||||
* from trender import TRender
|
||||
* template = TRender(`sink`)
|
||||
*/
|
||||
deprecated class TRenderTemplateSink extends SSTISink {
|
||||
override string toString() { result = "argument to trender.TRender()" }
|
||||
|
||||
TRenderTemplateSink() {
|
||||
exists(CallNode call |
|
||||
call.getFunction().pointsTo(theTRenderTemplateClass()) and
|
||||
call.getArg(0) = this
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
|
||||
}
|
||||
@@ -0,0 +1,22 @@
|
||||
from flask import Flask, request
|
||||
from Cheetah.Template import Template
|
||||
|
||||
|
||||
app = Flask(__name__)
|
||||
|
||||
|
||||
@app.route('/other')
|
||||
def a():
|
||||
template = request.args.get('template')
|
||||
return Template(template)
|
||||
|
||||
|
||||
class Template3(Template):
|
||||
title = 'Hello World Example!'
|
||||
contents = 'Hello World!'
|
||||
|
||||
|
||||
@app.route('/other2')
|
||||
def b():
|
||||
template = request.args.get('template')
|
||||
t3 = Template3(template)
|
||||
@@ -5,13 +5,13 @@ import chevron
|
||||
app = Flask(__name__)
|
||||
|
||||
|
||||
@route('/other')
|
||||
@app.route('/other')
|
||||
def a():
|
||||
template = request.args.get('template')
|
||||
return chevron.render(template, {"key": "value"})
|
||||
|
||||
|
||||
@route('/other2')
|
||||
@app.route('/other2')
|
||||
def b():
|
||||
template = request.args.get('template')
|
||||
args = {
|
||||
@@ -0,0 +1,107 @@
|
||||
edges
|
||||
| AirspeedSsti.py:2:26:2:32 | ControlFlowNode for ImportMember | AirspeedSsti.py:2:26:2:32 | GSSA Variable request |
|
||||
| AirspeedSsti.py:2:26:2:32 | GSSA Variable request | AirspeedSsti.py:10:16:10:22 | ControlFlowNode for request |
|
||||
| AirspeedSsti.py:10:5:10:12 | SSA variable template | AirspeedSsti.py:11:30:11:37 | ControlFlowNode for template |
|
||||
| AirspeedSsti.py:10:16:10:22 | ControlFlowNode for request | AirspeedSsti.py:10:16:10:27 | ControlFlowNode for Attribute |
|
||||
| AirspeedSsti.py:10:16:10:27 | ControlFlowNode for Attribute | AirspeedSsti.py:10:16:10:43 | ControlFlowNode for Attribute() |
|
||||
| AirspeedSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | AirspeedSsti.py:10:5:10:12 | SSA variable template |
|
||||
| CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | CheetahSinks.py:1:26:1:32 | GSSA Variable request |
|
||||
| CheetahSinks.py:1:26:1:32 | GSSA Variable request | CheetahSinks.py:10:16:10:22 | ControlFlowNode for request |
|
||||
| CheetahSinks.py:1:26:1:32 | GSSA Variable request | CheetahSinks.py:21:16:21:22 | ControlFlowNode for request |
|
||||
| CheetahSinks.py:10:5:10:12 | SSA variable template | CheetahSinks.py:11:21:11:28 | ControlFlowNode for template |
|
||||
| CheetahSinks.py:10:16:10:22 | ControlFlowNode for request | CheetahSinks.py:10:16:10:27 | ControlFlowNode for Attribute |
|
||||
| CheetahSinks.py:10:16:10:27 | ControlFlowNode for Attribute | CheetahSinks.py:10:16:10:43 | ControlFlowNode for Attribute() |
|
||||
| CheetahSinks.py:10:16:10:43 | ControlFlowNode for Attribute() | CheetahSinks.py:10:5:10:12 | SSA variable template |
|
||||
| CheetahSinks.py:21:5:21:12 | SSA variable template | CheetahSinks.py:22:20:22:27 | ControlFlowNode for template |
|
||||
| CheetahSinks.py:21:16:21:22 | ControlFlowNode for request | CheetahSinks.py:21:16:21:27 | ControlFlowNode for Attribute |
|
||||
| CheetahSinks.py:21:16:21:27 | ControlFlowNode for Attribute | CheetahSinks.py:21:16:21:43 | ControlFlowNode for Attribute() |
|
||||
| CheetahSinks.py:21:16:21:43 | ControlFlowNode for Attribute() | CheetahSinks.py:21:5:21:12 | SSA variable template |
|
||||
| ChevronSsti.py:1:26:1:32 | ControlFlowNode for ImportMember | ChevronSsti.py:1:26:1:32 | GSSA Variable request |
|
||||
| ChevronSsti.py:1:26:1:32 | GSSA Variable request | ChevronSsti.py:10:16:10:22 | ControlFlowNode for request |
|
||||
| ChevronSsti.py:10:5:10:12 | SSA variable template | ChevronSsti.py:11:27:11:34 | ControlFlowNode for template |
|
||||
| ChevronSsti.py:10:16:10:22 | ControlFlowNode for request | ChevronSsti.py:10:16:10:27 | ControlFlowNode for Attribute |
|
||||
| ChevronSsti.py:10:16:10:27 | ControlFlowNode for Attribute | ChevronSsti.py:10:16:10:43 | ControlFlowNode for Attribute() |
|
||||
| ChevronSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | ChevronSsti.py:10:5:10:12 | SSA variable template |
|
||||
| DjangoTemplates.py:6:8:6:14 | ControlFlowNode for request | DjangoTemplates.py:8:5:8:12 | SSA variable template |
|
||||
| DjangoTemplates.py:8:5:8:12 | SSA variable template | DjangoTemplates.py:9:18:9:25 | ControlFlowNode for template |
|
||||
| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | FlaskTemplate.py:1:26:1:32 | GSSA Variable request |
|
||||
| FlaskTemplate.py:1:26:1:32 | GSSA Variable request | FlaskTemplate.py:10:8:10:14 | ControlFlowNode for request |
|
||||
| FlaskTemplate.py:1:26:1:32 | GSSA Variable request | FlaskTemplate.py:11:39:11:45 | ControlFlowNode for request |
|
||||
| FlaskTemplate.py:1:26:1:32 | GSSA Variable request | FlaskTemplate.py:17:41:17:47 | ControlFlowNode for request |
|
||||
| FlaskTemplate.py:10:8:10:14 | ControlFlowNode for request | FlaskTemplate.py:11:39:11:50 | ControlFlowNode for Attribute |
|
||||
| FlaskTemplate.py:11:39:11:45 | ControlFlowNode for request | FlaskTemplate.py:11:39:11:50 | ControlFlowNode for Attribute |
|
||||
| FlaskTemplate.py:11:39:11:50 | ControlFlowNode for Attribute | FlaskTemplate.py:11:39:11:66 | ControlFlowNode for Attribute() |
|
||||
| FlaskTemplate.py:17:41:17:47 | ControlFlowNode for request | FlaskTemplate.py:17:41:17:52 | ControlFlowNode for Attribute |
|
||||
| FlaskTemplate.py:17:41:17:52 | ControlFlowNode for Attribute | FlaskTemplate.py:17:41:17:68 | ControlFlowNode for Attribute() |
|
||||
| JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | JinjaSsti.py:9:5:9:12 | SSA variable template |
|
||||
| JinjaSsti.py:9:5:9:12 | SSA variable template | JinjaSsti.py:10:25:10:32 | ControlFlowNode for template |
|
||||
| JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | JinjaSsti.py:19:5:19:12 | SSA variable template |
|
||||
| JinjaSsti.py:19:5:19:12 | SSA variable template | JinjaSsti.py:20:28:20:35 | ControlFlowNode for template |
|
||||
| MakoSsti.py:6:10:6:16 | ControlFlowNode for request | MakoSsti.py:8:5:8:12 | SSA variable template |
|
||||
| MakoSsti.py:8:5:8:12 | SSA variable template | MakoSsti.py:9:27:9:34 | ControlFlowNode for template |
|
||||
| TRender.py:5:13:5:19 | ControlFlowNode for request | TRender.py:6:5:6:12 | SSA variable template |
|
||||
| TRender.py:6:5:6:12 | SSA variable template | TRender.py:7:24:7:31 | ControlFlowNode for template |
|
||||
nodes
|
||||
| AirspeedSsti.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
|
||||
| AirspeedSsti.py:2:26:2:32 | GSSA Variable request | semmle.label | GSSA Variable request |
|
||||
| AirspeedSsti.py:10:5:10:12 | SSA variable template | semmle.label | SSA variable template |
|
||||
| AirspeedSsti.py:10:16:10:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| AirspeedSsti.py:10:16:10:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||
| AirspeedSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| AirspeedSsti.py:11:30:11:37 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
|
||||
| CheetahSinks.py:1:26:1:32 | GSSA Variable request | semmle.label | GSSA Variable request |
|
||||
| CheetahSinks.py:10:5:10:12 | SSA variable template | semmle.label | SSA variable template |
|
||||
| CheetahSinks.py:10:16:10:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| CheetahSinks.py:10:16:10:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||
| CheetahSinks.py:10:16:10:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| CheetahSinks.py:11:21:11:28 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| CheetahSinks.py:21:5:21:12 | SSA variable template | semmle.label | SSA variable template |
|
||||
| CheetahSinks.py:21:16:21:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| CheetahSinks.py:21:16:21:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||
| CheetahSinks.py:21:16:21:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| CheetahSinks.py:22:20:22:27 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| ChevronSsti.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
|
||||
| ChevronSsti.py:1:26:1:32 | GSSA Variable request | semmle.label | GSSA Variable request |
|
||||
| ChevronSsti.py:10:5:10:12 | SSA variable template | semmle.label | SSA variable template |
|
||||
| ChevronSsti.py:10:16:10:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| ChevronSsti.py:10:16:10:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||
| ChevronSsti.py:10:16:10:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| ChevronSsti.py:11:27:11:34 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| DjangoTemplates.py:6:8:6:14 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| DjangoTemplates.py:8:5:8:12 | SSA variable template | semmle.label | SSA variable template |
|
||||
| DjangoTemplates.py:9:18:9:25 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
|
||||
| FlaskTemplate.py:1:26:1:32 | GSSA Variable request | semmle.label | GSSA Variable request |
|
||||
| FlaskTemplate.py:10:8:10:14 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| FlaskTemplate.py:11:39:11:45 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| FlaskTemplate.py:11:39:11:50 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||
| FlaskTemplate.py:11:39:11:66 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| FlaskTemplate.py:17:41:17:47 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| FlaskTemplate.py:17:41:17:52 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||
| FlaskTemplate.py:17:41:17:68 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| JinjaSsti.py:9:5:9:12 | SSA variable template | semmle.label | SSA variable template |
|
||||
| JinjaSsti.py:10:25:10:32 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| JinjaSsti.py:19:5:19:12 | SSA variable template | semmle.label | SSA variable template |
|
||||
| JinjaSsti.py:20:28:20:35 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| MakoSsti.py:6:10:6:16 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| MakoSsti.py:8:5:8:12 | SSA variable template | semmle.label | SSA variable template |
|
||||
| MakoSsti.py:9:27:9:34 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
| TRender.py:5:13:5:19 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| TRender.py:6:5:6:12 | SSA variable template | semmle.label | SSA variable template |
|
||||
| TRender.py:7:24:7:31 | ControlFlowNode for template | semmle.label | ControlFlowNode for template |
|
||||
subpaths
|
||||
#select
|
||||
| AirspeedSsti.py:11:30:11:37 | ControlFlowNode for template | AirspeedSsti.py:2:26:2:32 | ControlFlowNode for ImportMember | AirspeedSsti.py:11:30:11:37 | ControlFlowNode for template | This Template depends on $@. | AirspeedSsti.py:2:26:2:32 | ControlFlowNode for ImportMember | user-provided value |
|
||||
| CheetahSinks.py:11:21:11:28 | ControlFlowNode for template | CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | CheetahSinks.py:11:21:11:28 | ControlFlowNode for template | This Template depends on $@. | CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
|
||||
| CheetahSinks.py:22:20:22:27 | ControlFlowNode for template | CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | CheetahSinks.py:22:20:22:27 | ControlFlowNode for template | This Template depends on $@. | CheetahSinks.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
|
||||
| ChevronSsti.py:11:27:11:34 | ControlFlowNode for template | ChevronSsti.py:1:26:1:32 | ControlFlowNode for ImportMember | ChevronSsti.py:11:27:11:34 | ControlFlowNode for template | This Template depends on $@. | ChevronSsti.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
|
||||
| DjangoTemplates.py:9:18:9:25 | ControlFlowNode for template | DjangoTemplates.py:6:8:6:14 | ControlFlowNode for request | DjangoTemplates.py:9:18:9:25 | ControlFlowNode for template | This Template depends on $@. | DjangoTemplates.py:6:8:6:14 | ControlFlowNode for request | user-provided value |
|
||||
| FlaskTemplate.py:11:39:11:66 | ControlFlowNode for Attribute() | FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | FlaskTemplate.py:11:39:11:66 | ControlFlowNode for Attribute() | This Template depends on $@. | FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
|
||||
| FlaskTemplate.py:17:41:17:68 | ControlFlowNode for Attribute() | FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | FlaskTemplate.py:17:41:17:68 | ControlFlowNode for Attribute() | This Template depends on $@. | FlaskTemplate.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
|
||||
| JinjaSsti.py:10:25:10:32 | ControlFlowNode for template | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | JinjaSsti.py:10:25:10:32 | ControlFlowNode for template | This Template depends on $@. | JinjaSsti.py:7:7:7:13 | ControlFlowNode for request | user-provided value |
|
||||
| JinjaSsti.py:20:28:20:35 | ControlFlowNode for template | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | JinjaSsti.py:20:28:20:35 | ControlFlowNode for template | This Template depends on $@. | JinjaSsti.py:16:7:16:13 | ControlFlowNode for request | user-provided value |
|
||||
| MakoSsti.py:9:27:9:34 | ControlFlowNode for template | MakoSsti.py:6:10:6:16 | ControlFlowNode for request | MakoSsti.py:9:27:9:34 | ControlFlowNode for template | This Template depends on $@. | MakoSsti.py:6:10:6:16 | ControlFlowNode for request | user-provided value |
|
||||
| TRender.py:7:24:7:31 | ControlFlowNode for template | TRender.py:5:13:5:19 | ControlFlowNode for request | TRender.py:7:24:7:31 | ControlFlowNode for template | This Template depends on $@. | TRender.py:5:13:5:19 | ControlFlowNode for request | user-provided value |
|
||||
@@ -1,60 +0,0 @@
|
||||
edges
|
||||
| AirspeedSsti.py:10:16:10:27 | dict of externally controlled string | AirspeedSsti.py:10:16:10:43 | externally controlled string |
|
||||
| AirspeedSsti.py:10:16:10:27 | dict of externally controlled string | AirspeedSsti.py:10:16:10:43 | externally controlled string |
|
||||
| AirspeedSsti.py:10:16:10:43 | externally controlled string | AirspeedSsti.py:11:30:11:37 | externally controlled string |
|
||||
| AirspeedSsti.py:10:16:10:43 | externally controlled string | AirspeedSsti.py:11:30:11:37 | externally controlled string |
|
||||
| ChevronSsti.py:10:16:10:27 | dict of externally controlled string | ChevronSsti.py:10:16:10:43 | externally controlled string |
|
||||
| ChevronSsti.py:10:16:10:27 | dict of externally controlled string | ChevronSsti.py:10:16:10:43 | externally controlled string |
|
||||
| ChevronSsti.py:10:16:10:43 | externally controlled string | ChevronSsti.py:11:27:11:34 | externally controlled string |
|
||||
| ChevronSsti.py:10:16:10:43 | externally controlled string | ChevronSsti.py:11:27:11:34 | externally controlled string |
|
||||
| DjangoTemplates.py:6:8:6:14 | django.request.HttpRequest | DjangoTemplates.py:8:16:8:22 | django.request.HttpRequest |
|
||||
| DjangoTemplates.py:6:8:6:14 | django.request.HttpRequest | DjangoTemplates.py:8:16:8:22 | django.request.HttpRequest |
|
||||
| DjangoTemplates.py:8:16:8:22 | django.request.HttpRequest | DjangoTemplates.py:8:16:8:26 | django.http.request.QueryDict |
|
||||
| DjangoTemplates.py:8:16:8:22 | django.request.HttpRequest | DjangoTemplates.py:8:16:8:26 | django.http.request.QueryDict |
|
||||
| DjangoTemplates.py:8:16:8:26 | django.http.request.QueryDict | DjangoTemplates.py:8:16:8:38 | externally controlled string |
|
||||
| DjangoTemplates.py:8:16:8:26 | django.http.request.QueryDict | DjangoTemplates.py:8:16:8:38 | externally controlled string |
|
||||
| DjangoTemplates.py:8:16:8:38 | externally controlled string | DjangoTemplates.py:9:18:9:25 | externally controlled string |
|
||||
| DjangoTemplates.py:8:16:8:38 | externally controlled string | DjangoTemplates.py:9:18:9:25 | externally controlled string |
|
||||
| FlaskTemplate.py:17:41:17:52 | dict of externally controlled string | FlaskTemplate.py:17:41:17:68 | externally controlled string |
|
||||
| FlaskTemplate.py:17:41:17:52 | dict of externally controlled string | FlaskTemplate.py:17:41:17:68 | externally controlled string |
|
||||
| JinjaSsti.py:7:7:7:13 | django.request.HttpRequest | JinjaSsti.py:9:16:9:22 | django.request.HttpRequest |
|
||||
| JinjaSsti.py:7:7:7:13 | django.request.HttpRequest | JinjaSsti.py:9:16:9:22 | django.request.HttpRequest |
|
||||
| JinjaSsti.py:9:16:9:22 | django.request.HttpRequest | JinjaSsti.py:9:16:9:26 | django.http.request.QueryDict |
|
||||
| JinjaSsti.py:9:16:9:22 | django.request.HttpRequest | JinjaSsti.py:9:16:9:26 | django.http.request.QueryDict |
|
||||
| JinjaSsti.py:9:16:9:26 | django.http.request.QueryDict | JinjaSsti.py:9:16:9:38 | externally controlled string |
|
||||
| JinjaSsti.py:9:16:9:26 | django.http.request.QueryDict | JinjaSsti.py:9:16:9:38 | externally controlled string |
|
||||
| JinjaSsti.py:9:16:9:38 | externally controlled string | JinjaSsti.py:10:25:10:32 | externally controlled string |
|
||||
| JinjaSsti.py:9:16:9:38 | externally controlled string | JinjaSsti.py:10:25:10:32 | externally controlled string |
|
||||
| JinjaSsti.py:16:7:16:13 | django.request.HttpRequest | JinjaSsti.py:19:16:19:22 | django.request.HttpRequest |
|
||||
| JinjaSsti.py:16:7:16:13 | django.request.HttpRequest | JinjaSsti.py:19:16:19:22 | django.request.HttpRequest |
|
||||
| JinjaSsti.py:19:16:19:22 | django.request.HttpRequest | JinjaSsti.py:19:16:19:26 | django.http.request.QueryDict |
|
||||
| JinjaSsti.py:19:16:19:22 | django.request.HttpRequest | JinjaSsti.py:19:16:19:26 | django.http.request.QueryDict |
|
||||
| JinjaSsti.py:19:16:19:26 | django.http.request.QueryDict | JinjaSsti.py:19:16:19:38 | externally controlled string |
|
||||
| JinjaSsti.py:19:16:19:26 | django.http.request.QueryDict | JinjaSsti.py:19:16:19:38 | externally controlled string |
|
||||
| JinjaSsti.py:19:16:19:38 | externally controlled string | JinjaSsti.py:20:28:20:35 | externally controlled string |
|
||||
| JinjaSsti.py:19:16:19:38 | externally controlled string | JinjaSsti.py:20:28:20:35 | externally controlled string |
|
||||
| MakoSsti.py:6:10:6:16 | django.request.HttpRequest | MakoSsti.py:8:16:8:22 | django.request.HttpRequest |
|
||||
| MakoSsti.py:6:10:6:16 | django.request.HttpRequest | MakoSsti.py:8:16:8:22 | django.request.HttpRequest |
|
||||
| MakoSsti.py:8:16:8:22 | django.request.HttpRequest | MakoSsti.py:8:16:8:26 | django.http.request.QueryDict |
|
||||
| MakoSsti.py:8:16:8:22 | django.request.HttpRequest | MakoSsti.py:8:16:8:26 | django.http.request.QueryDict |
|
||||
| MakoSsti.py:8:16:8:26 | django.http.request.QueryDict | MakoSsti.py:8:16:8:38 | externally controlled string |
|
||||
| MakoSsti.py:8:16:8:26 | django.http.request.QueryDict | MakoSsti.py:8:16:8:38 | externally controlled string |
|
||||
| MakoSsti.py:8:16:8:38 | externally controlled string | MakoSsti.py:9:27:9:34 | externally controlled string |
|
||||
| MakoSsti.py:8:16:8:38 | externally controlled string | MakoSsti.py:9:27:9:34 | externally controlled string |
|
||||
| TRender.py:5:13:5:19 | django.request.HttpRequest | TRender.py:6:16:6:22 | django.request.HttpRequest |
|
||||
| TRender.py:5:13:5:19 | django.request.HttpRequest | TRender.py:6:16:6:22 | django.request.HttpRequest |
|
||||
| TRender.py:6:16:6:22 | django.request.HttpRequest | TRender.py:6:16:6:26 | django.http.request.QueryDict |
|
||||
| TRender.py:6:16:6:22 | django.request.HttpRequest | TRender.py:6:16:6:26 | django.http.request.QueryDict |
|
||||
| TRender.py:6:16:6:26 | django.http.request.QueryDict | TRender.py:6:16:6:38 | externally controlled string |
|
||||
| TRender.py:6:16:6:26 | django.http.request.QueryDict | TRender.py:6:16:6:38 | externally controlled string |
|
||||
| TRender.py:6:16:6:38 | externally controlled string | TRender.py:7:24:7:31 | externally controlled string |
|
||||
| TRender.py:6:16:6:38 | externally controlled string | TRender.py:7:24:7:31 | externally controlled string |
|
||||
#select
|
||||
| AirspeedSsti.py:11:30:11:37 | template | AirspeedSsti.py:10:16:10:27 | dict of externally controlled string | AirspeedSsti.py:11:30:11:37 | externally controlled string | This Template depends on $@. | AirspeedSsti.py:10:16:10:27 | Attribute | a user-provided value |
|
||||
| ChevronSsti.py:11:27:11:34 | template | ChevronSsti.py:10:16:10:27 | dict of externally controlled string | ChevronSsti.py:11:27:11:34 | externally controlled string | This Template depends on $@. | ChevronSsti.py:10:16:10:27 | Attribute | a user-provided value |
|
||||
| DjangoTemplates.py:9:18:9:25 | template | DjangoTemplates.py:6:8:6:14 | django.request.HttpRequest | DjangoTemplates.py:9:18:9:25 | externally controlled string | This Template depends on $@. | DjangoTemplates.py:6:8:6:14 | request | a user-provided value |
|
||||
| FlaskTemplate.py:17:41:17:68 | Attribute() | FlaskTemplate.py:17:41:17:52 | dict of externally controlled string | FlaskTemplate.py:17:41:17:68 | externally controlled string | This Template depends on $@. | FlaskTemplate.py:17:41:17:52 | Attribute | a user-provided value |
|
||||
| JinjaSsti.py:10:25:10:32 | template | JinjaSsti.py:7:7:7:13 | django.request.HttpRequest | JinjaSsti.py:10:25:10:32 | externally controlled string | This Template depends on $@. | JinjaSsti.py:7:7:7:13 | request | a user-provided value |
|
||||
| JinjaSsti.py:20:28:20:35 | template | JinjaSsti.py:16:7:16:13 | django.request.HttpRequest | JinjaSsti.py:20:28:20:35 | externally controlled string | This Template depends on $@. | JinjaSsti.py:16:7:16:13 | request | a user-provided value |
|
||||
| MakoSsti.py:9:27:9:34 | template | MakoSsti.py:6:10:6:16 | django.request.HttpRequest | MakoSsti.py:9:27:9:34 | externally controlled string | This Template depends on $@. | MakoSsti.py:6:10:6:16 | request | a user-provided value |
|
||||
| TRender.py:7:24:7:31 | template | TRender.py:5:13:5:19 | django.request.HttpRequest | TRender.py:7:24:7:31 | externally controlled string | This Template depends on $@. | TRender.py:5:13:5:19 | request | a user-provided value |
|
||||
@@ -1 +0,0 @@
|
||||
semmle-extractor-options: --max-import-depth=3 -p ../../../../query-tests/Security/lib/
|
||||
@@ -0,0 +1,114 @@
|
||||
edges
|
||||
| xslt.py:3:26:3:32 | ControlFlowNode for ImportMember | xslt.py:3:26:3:32 | GSSA Variable request |
|
||||
| xslt.py:3:26:3:32 | GSSA Variable request | xslt.py:10:17:10:23 | ControlFlowNode for request |
|
||||
| xslt.py:10:5:10:13 | SSA variable xsltQuery | xslt.py:11:27:11:35 | ControlFlowNode for xsltQuery |
|
||||
| xslt.py:10:17:10:23 | ControlFlowNode for request | xslt.py:10:17:10:28 | ControlFlowNode for Attribute |
|
||||
| xslt.py:10:17:10:28 | ControlFlowNode for Attribute | xslt.py:10:17:10:43 | ControlFlowNode for Attribute() |
|
||||
| xslt.py:10:17:10:43 | ControlFlowNode for Attribute() | xslt.py:10:5:10:13 | SSA variable xsltQuery |
|
||||
| xslt.py:11:5:11:13 | SSA variable xslt_root | xslt.py:14:29:14:37 | ControlFlowNode for xslt_root |
|
||||
| xslt.py:11:17:11:36 | ControlFlowNode for Attribute() | xslt.py:11:5:11:13 | SSA variable xslt_root |
|
||||
| xslt.py:11:27:11:35 | ControlFlowNode for xsltQuery | xslt.py:11:17:11:36 | ControlFlowNode for Attribute() |
|
||||
| xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:3:26:3:32 | GSSA Variable request |
|
||||
| xsltInjection.py:3:26:3:32 | GSSA Variable request | xsltInjection.py:10:17:10:23 | ControlFlowNode for request |
|
||||
| xsltInjection.py:3:26:3:32 | GSSA Variable request | xsltInjection.py:17:17:17:23 | ControlFlowNode for request |
|
||||
| xsltInjection.py:3:26:3:32 | GSSA Variable request | xsltInjection.py:26:17:26:23 | ControlFlowNode for request |
|
||||
| xsltInjection.py:3:26:3:32 | GSSA Variable request | xsltInjection.py:35:17:35:23 | ControlFlowNode for request |
|
||||
| xsltInjection.py:3:26:3:32 | GSSA Variable request | xsltInjection.py:44:17:44:23 | ControlFlowNode for request |
|
||||
| xsltInjection.py:10:5:10:13 | SSA variable xsltQuery | xsltInjection.py:11:27:11:35 | ControlFlowNode for xsltQuery |
|
||||
| xsltInjection.py:10:17:10:23 | ControlFlowNode for request | xsltInjection.py:10:17:10:28 | ControlFlowNode for Attribute |
|
||||
| xsltInjection.py:10:17:10:28 | ControlFlowNode for Attribute | xsltInjection.py:10:17:10:43 | ControlFlowNode for Attribute() |
|
||||
| xsltInjection.py:10:17:10:43 | ControlFlowNode for Attribute() | xsltInjection.py:10:5:10:13 | SSA variable xsltQuery |
|
||||
| xsltInjection.py:11:5:11:13 | SSA variable xslt_root | xsltInjection.py:12:28:12:36 | ControlFlowNode for xslt_root |
|
||||
| xsltInjection.py:11:17:11:36 | ControlFlowNode for Attribute() | xsltInjection.py:11:5:11:13 | SSA variable xslt_root |
|
||||
| xsltInjection.py:11:27:11:35 | ControlFlowNode for xsltQuery | xsltInjection.py:11:17:11:36 | ControlFlowNode for Attribute() |
|
||||
| xsltInjection.py:17:5:17:13 | SSA variable xsltQuery | xsltInjection.py:18:27:18:35 | ControlFlowNode for xsltQuery |
|
||||
| xsltInjection.py:17:17:17:23 | ControlFlowNode for request | xsltInjection.py:17:17:17:28 | ControlFlowNode for Attribute |
|
||||
| xsltInjection.py:17:17:17:28 | ControlFlowNode for Attribute | xsltInjection.py:17:17:17:43 | ControlFlowNode for Attribute() |
|
||||
| xsltInjection.py:17:17:17:43 | ControlFlowNode for Attribute() | xsltInjection.py:17:5:17:13 | SSA variable xsltQuery |
|
||||
| xsltInjection.py:18:5:18:13 | SSA variable xslt_root | xsltInjection.py:21:29:21:37 | ControlFlowNode for xslt_root |
|
||||
| xsltInjection.py:18:17:18:36 | ControlFlowNode for Attribute() | xsltInjection.py:18:5:18:13 | SSA variable xslt_root |
|
||||
| xsltInjection.py:18:27:18:35 | ControlFlowNode for xsltQuery | xsltInjection.py:18:17:18:36 | ControlFlowNode for Attribute() |
|
||||
| xsltInjection.py:26:5:26:13 | SSA variable xsltQuery | xsltInjection.py:27:27:27:35 | ControlFlowNode for xsltQuery |
|
||||
| xsltInjection.py:26:17:26:23 | ControlFlowNode for request | xsltInjection.py:26:17:26:28 | ControlFlowNode for Attribute |
|
||||
| xsltInjection.py:26:17:26:28 | ControlFlowNode for Attribute | xsltInjection.py:26:17:26:43 | ControlFlowNode for Attribute() |
|
||||
| xsltInjection.py:26:17:26:43 | ControlFlowNode for Attribute() | xsltInjection.py:26:5:26:13 | SSA variable xsltQuery |
|
||||
| xsltInjection.py:27:5:27:13 | SSA variable xslt_root | xsltInjection.py:31:24:31:32 | ControlFlowNode for xslt_root |
|
||||
| xsltInjection.py:27:17:27:36 | ControlFlowNode for Attribute() | xsltInjection.py:27:5:27:13 | SSA variable xslt_root |
|
||||
| xsltInjection.py:27:27:27:35 | ControlFlowNode for xsltQuery | xsltInjection.py:27:17:27:36 | ControlFlowNode for Attribute() |
|
||||
| xsltInjection.py:35:5:35:13 | SSA variable xsltQuery | xsltInjection.py:36:34:36:42 | ControlFlowNode for xsltQuery |
|
||||
| xsltInjection.py:35:17:35:23 | ControlFlowNode for request | xsltInjection.py:35:17:35:28 | ControlFlowNode for Attribute |
|
||||
| xsltInjection.py:35:17:35:28 | ControlFlowNode for Attribute | xsltInjection.py:35:17:35:43 | ControlFlowNode for Attribute() |
|
||||
| xsltInjection.py:35:17:35:43 | ControlFlowNode for Attribute() | xsltInjection.py:35:5:35:13 | SSA variable xsltQuery |
|
||||
| xsltInjection.py:36:5:36:13 | SSA variable xslt_root | xsltInjection.py:40:24:40:32 | ControlFlowNode for xslt_root |
|
||||
| xsltInjection.py:36:17:36:43 | ControlFlowNode for Attribute() | xsltInjection.py:36:5:36:13 | SSA variable xslt_root |
|
||||
| xsltInjection.py:36:34:36:42 | ControlFlowNode for xsltQuery | xsltInjection.py:36:17:36:43 | ControlFlowNode for Attribute() |
|
||||
| xsltInjection.py:44:5:44:13 | SSA variable xsltQuery | xsltInjection.py:45:5:45:15 | SSA variable xsltStrings |
|
||||
| xsltInjection.py:44:17:44:23 | ControlFlowNode for request | xsltInjection.py:44:17:44:28 | ControlFlowNode for Attribute |
|
||||
| xsltInjection.py:44:17:44:28 | ControlFlowNode for Attribute | xsltInjection.py:44:17:44:43 | ControlFlowNode for Attribute() |
|
||||
| xsltInjection.py:44:17:44:43 | ControlFlowNode for Attribute() | xsltInjection.py:44:5:44:13 | SSA variable xsltQuery |
|
||||
| xsltInjection.py:45:5:45:15 | SSA variable xsltStrings | xsltInjection.py:46:38:46:48 | ControlFlowNode for xsltStrings |
|
||||
| xsltInjection.py:46:5:46:13 | SSA variable xslt_root | xsltInjection.py:50:24:50:32 | ControlFlowNode for xslt_root |
|
||||
| xsltInjection.py:46:17:46:49 | ControlFlowNode for Attribute() | xsltInjection.py:46:5:46:13 | SSA variable xslt_root |
|
||||
| xsltInjection.py:46:38:46:48 | ControlFlowNode for xsltStrings | xsltInjection.py:46:17:46:49 | ControlFlowNode for Attribute() |
|
||||
nodes
|
||||
| xslt.py:3:26:3:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
|
||||
| xslt.py:3:26:3:32 | GSSA Variable request | semmle.label | GSSA Variable request |
|
||||
| xslt.py:10:5:10:13 | SSA variable xsltQuery | semmle.label | SSA variable xsltQuery |
|
||||
| xslt.py:10:17:10:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| xslt.py:10:17:10:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||
| xslt.py:10:17:10:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| xslt.py:11:5:11:13 | SSA variable xslt_root | semmle.label | SSA variable xslt_root |
|
||||
| xslt.py:11:17:11:36 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| xslt.py:11:27:11:35 | ControlFlowNode for xsltQuery | semmle.label | ControlFlowNode for xsltQuery |
|
||||
| xslt.py:14:29:14:37 | ControlFlowNode for xslt_root | semmle.label | ControlFlowNode for xslt_root |
|
||||
| xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
|
||||
| xsltInjection.py:3:26:3:32 | GSSA Variable request | semmle.label | GSSA Variable request |
|
||||
| xsltInjection.py:10:5:10:13 | SSA variable xsltQuery | semmle.label | SSA variable xsltQuery |
|
||||
| xsltInjection.py:10:17:10:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| xsltInjection.py:10:17:10:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||
| xsltInjection.py:10:17:10:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| xsltInjection.py:11:5:11:13 | SSA variable xslt_root | semmle.label | SSA variable xslt_root |
|
||||
| xsltInjection.py:11:17:11:36 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| xsltInjection.py:11:27:11:35 | ControlFlowNode for xsltQuery | semmle.label | ControlFlowNode for xsltQuery |
|
||||
| xsltInjection.py:12:28:12:36 | ControlFlowNode for xslt_root | semmle.label | ControlFlowNode for xslt_root |
|
||||
| xsltInjection.py:17:5:17:13 | SSA variable xsltQuery | semmle.label | SSA variable xsltQuery |
|
||||
| xsltInjection.py:17:17:17:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| xsltInjection.py:17:17:17:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||
| xsltInjection.py:17:17:17:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| xsltInjection.py:18:5:18:13 | SSA variable xslt_root | semmle.label | SSA variable xslt_root |
|
||||
| xsltInjection.py:18:17:18:36 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| xsltInjection.py:18:27:18:35 | ControlFlowNode for xsltQuery | semmle.label | ControlFlowNode for xsltQuery |
|
||||
| xsltInjection.py:21:29:21:37 | ControlFlowNode for xslt_root | semmle.label | ControlFlowNode for xslt_root |
|
||||
| xsltInjection.py:26:5:26:13 | SSA variable xsltQuery | semmle.label | SSA variable xsltQuery |
|
||||
| xsltInjection.py:26:17:26:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| xsltInjection.py:26:17:26:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||
| xsltInjection.py:26:17:26:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| xsltInjection.py:27:5:27:13 | SSA variable xslt_root | semmle.label | SSA variable xslt_root |
|
||||
| xsltInjection.py:27:17:27:36 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| xsltInjection.py:27:27:27:35 | ControlFlowNode for xsltQuery | semmle.label | ControlFlowNode for xsltQuery |
|
||||
| xsltInjection.py:31:24:31:32 | ControlFlowNode for xslt_root | semmle.label | ControlFlowNode for xslt_root |
|
||||
| xsltInjection.py:35:5:35:13 | SSA variable xsltQuery | semmle.label | SSA variable xsltQuery |
|
||||
| xsltInjection.py:35:17:35:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| xsltInjection.py:35:17:35:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||
| xsltInjection.py:35:17:35:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| xsltInjection.py:36:5:36:13 | SSA variable xslt_root | semmle.label | SSA variable xslt_root |
|
||||
| xsltInjection.py:36:17:36:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| xsltInjection.py:36:34:36:42 | ControlFlowNode for xsltQuery | semmle.label | ControlFlowNode for xsltQuery |
|
||||
| xsltInjection.py:40:24:40:32 | ControlFlowNode for xslt_root | semmle.label | ControlFlowNode for xslt_root |
|
||||
| xsltInjection.py:44:5:44:13 | SSA variable xsltQuery | semmle.label | SSA variable xsltQuery |
|
||||
| xsltInjection.py:44:17:44:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
|
||||
| xsltInjection.py:44:17:44:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
|
||||
| xsltInjection.py:44:17:44:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| xsltInjection.py:45:5:45:15 | SSA variable xsltStrings | semmle.label | SSA variable xsltStrings |
|
||||
| xsltInjection.py:46:5:46:13 | SSA variable xslt_root | semmle.label | SSA variable xslt_root |
|
||||
| xsltInjection.py:46:17:46:49 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| xsltInjection.py:46:38:46:48 | ControlFlowNode for xsltStrings | semmle.label | ControlFlowNode for xsltStrings |
|
||||
| xsltInjection.py:50:24:50:32 | ControlFlowNode for xslt_root | semmle.label | ControlFlowNode for xslt_root |
|
||||
subpaths
|
||||
#select
|
||||
| xslt.py:14:29:14:37 | ControlFlowNode for xslt_root | xslt.py:3:26:3:32 | ControlFlowNode for ImportMember | xslt.py:14:29:14:37 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xslt.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
|
||||
| xsltInjection.py:12:28:12:36 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:12:28:12:36 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
|
||||
| xsltInjection.py:21:29:21:37 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:21:29:21:37 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
|
||||
| xsltInjection.py:31:24:31:32 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:31:24:31:32 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
|
||||
| xsltInjection.py:40:24:40:32 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:40:24:40:32 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
|
||||
| xsltInjection.py:50:24:50:32 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:50:24:50:32 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
|
||||
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE-091/XsltInjection.ql
|
||||
@@ -1,47 +0,0 @@
|
||||
edges
|
||||
| xslt.py:10:17:10:28 | dict of etree.XML string | xslt.py:10:17:10:43 | etree.XML string |
|
||||
| xslt.py:10:17:10:28 | dict of etree.XML string | xslt.py:10:17:10:43 | etree.XML string |
|
||||
| xslt.py:10:17:10:43 | etree.XML string | xslt.py:11:27:11:35 | etree.XML string |
|
||||
| xslt.py:10:17:10:43 | etree.XML string | xslt.py:11:27:11:35 | etree.XML string |
|
||||
| xslt.py:11:17:11:36 | lxml etree xml | xslt.py:14:29:14:37 | lxml etree xml |
|
||||
| xslt.py:11:17:11:36 | lxml etree xml | xslt.py:14:29:14:37 | lxml etree xml |
|
||||
| xslt.py:11:27:11:35 | etree.XML string | xslt.py:11:17:11:36 | lxml etree xml |
|
||||
| xslt.py:11:27:11:35 | etree.XML string | xslt.py:11:17:11:36 | lxml etree xml |
|
||||
| xsltInjection.py:10:17:10:28 | dict of etree.XML string | xsltInjection.py:10:17:10:43 | etree.XML string |
|
||||
| xsltInjection.py:10:17:10:28 | dict of etree.XML string | xsltInjection.py:10:17:10:43 | etree.XML string |
|
||||
| xsltInjection.py:10:17:10:43 | etree.XML string | xsltInjection.py:11:27:11:35 | etree.XML string |
|
||||
| xsltInjection.py:10:17:10:43 | etree.XML string | xsltInjection.py:11:27:11:35 | etree.XML string |
|
||||
| xsltInjection.py:11:17:11:36 | lxml etree xml | xsltInjection.py:12:28:12:36 | lxml etree xml |
|
||||
| xsltInjection.py:11:17:11:36 | lxml etree xml | xsltInjection.py:12:28:12:36 | lxml etree xml |
|
||||
| xsltInjection.py:11:27:11:35 | etree.XML string | xsltInjection.py:11:17:11:36 | lxml etree xml |
|
||||
| xsltInjection.py:11:27:11:35 | etree.XML string | xsltInjection.py:11:17:11:36 | lxml etree xml |
|
||||
| xsltInjection.py:17:17:17:28 | dict of etree.XML string | xsltInjection.py:17:17:17:43 | etree.XML string |
|
||||
| xsltInjection.py:17:17:17:28 | dict of etree.XML string | xsltInjection.py:17:17:17:43 | etree.XML string |
|
||||
| xsltInjection.py:17:17:17:43 | etree.XML string | xsltInjection.py:18:27:18:35 | etree.XML string |
|
||||
| xsltInjection.py:17:17:17:43 | etree.XML string | xsltInjection.py:18:27:18:35 | etree.XML string |
|
||||
| xsltInjection.py:18:17:18:36 | lxml etree xml | xsltInjection.py:21:29:21:37 | lxml etree xml |
|
||||
| xsltInjection.py:18:17:18:36 | lxml etree xml | xsltInjection.py:21:29:21:37 | lxml etree xml |
|
||||
| xsltInjection.py:18:27:18:35 | etree.XML string | xsltInjection.py:18:17:18:36 | lxml etree xml |
|
||||
| xsltInjection.py:18:27:18:35 | etree.XML string | xsltInjection.py:18:17:18:36 | lxml etree xml |
|
||||
| xsltInjection.py:26:17:26:28 | dict of etree.XML string | xsltInjection.py:26:17:26:43 | etree.XML string |
|
||||
| xsltInjection.py:26:17:26:28 | dict of etree.XML string | xsltInjection.py:26:17:26:43 | etree.XML string |
|
||||
| xsltInjection.py:26:17:26:43 | etree.XML string | xsltInjection.py:27:27:27:35 | etree.XML string |
|
||||
| xsltInjection.py:26:17:26:43 | etree.XML string | xsltInjection.py:27:27:27:35 | etree.XML string |
|
||||
| xsltInjection.py:27:17:27:36 | lxml etree xml | xsltInjection.py:31:24:31:32 | lxml etree xml |
|
||||
| xsltInjection.py:27:17:27:36 | lxml etree xml | xsltInjection.py:31:24:31:32 | lxml etree xml |
|
||||
| xsltInjection.py:27:27:27:35 | etree.XML string | xsltInjection.py:27:17:27:36 | lxml etree xml |
|
||||
| xsltInjection.py:27:27:27:35 | etree.XML string | xsltInjection.py:27:17:27:36 | lxml etree xml |
|
||||
| xsltInjection.py:35:17:35:28 | dict of etree.XML string | xsltInjection.py:35:17:35:43 | etree.XML string |
|
||||
| xsltInjection.py:35:17:35:28 | dict of etree.XML string | xsltInjection.py:35:17:35:43 | etree.XML string |
|
||||
| xsltInjection.py:35:17:35:43 | etree.XML string | xsltInjection.py:36:34:36:42 | etree.XML string |
|
||||
| xsltInjection.py:35:17:35:43 | etree.XML string | xsltInjection.py:36:34:36:42 | etree.XML string |
|
||||
| xsltInjection.py:36:17:36:43 | lxml etree xml | xsltInjection.py:40:24:40:32 | lxml etree xml |
|
||||
| xsltInjection.py:36:17:36:43 | lxml etree xml | xsltInjection.py:40:24:40:32 | lxml etree xml |
|
||||
| xsltInjection.py:36:34:36:42 | etree.XML string | xsltInjection.py:36:17:36:43 | lxml etree xml |
|
||||
| xsltInjection.py:36:34:36:42 | etree.XML string | xsltInjection.py:36:17:36:43 | lxml etree xml |
|
||||
#select
|
||||
| xslt.py:14:29:14:37 | xslt_root | xslt.py:10:17:10:28 | dict of etree.XML string | xslt.py:14:29:14:37 | lxml etree xml | This XSLT query depends on $@. | xslt.py:10:17:10:28 | Attribute | a user-provided value |
|
||||
| xsltInjection.py:12:28:12:36 | xslt_root | xsltInjection.py:10:17:10:28 | dict of etree.XML string | xsltInjection.py:12:28:12:36 | lxml etree xml | This XSLT query depends on $@. | xsltInjection.py:10:17:10:28 | Attribute | a user-provided value |
|
||||
| xsltInjection.py:21:29:21:37 | xslt_root | xsltInjection.py:17:17:17:28 | dict of etree.XML string | xsltInjection.py:21:29:21:37 | lxml etree xml | This XSLT query depends on $@. | xsltInjection.py:17:17:17:28 | Attribute | a user-provided value |
|
||||
| xsltInjection.py:31:24:31:32 | xslt_root | xsltInjection.py:26:17:26:28 | dict of etree.XML string | xsltInjection.py:31:24:31:32 | lxml etree xml | This XSLT query depends on $@. | xsltInjection.py:26:17:26:28 | Attribute | a user-provided value |
|
||||
| xsltInjection.py:40:24:40:32 | xslt_root | xsltInjection.py:35:17:35:28 | dict of etree.XML string | xsltInjection.py:40:24:40:32 | lxml etree xml | This XSLT query depends on $@. | xsltInjection.py:35:17:35:28 | Attribute | a user-provided value |
|
||||
@@ -1 +0,0 @@
|
||||
experimental/Security/CWE-091/Xslt.ql
|
||||
@@ -1,12 +0,0 @@
|
||||
| xslt.py:14:29:14:37 | lxml.etree.parse.xslt | lxml etree xml |
|
||||
| xsltInjection.py:12:28:12:36 | lxml.etree.XSLT | lxml etree xml |
|
||||
| xsltInjection.py:21:29:21:37 | lxml.etree.parse.xslt | lxml etree xml |
|
||||
| xsltInjection.py:31:24:31:32 | lxml.etree.parse.xslt | lxml etree xml |
|
||||
| xsltInjection.py:40:24:40:32 | lxml.etree.parse.xslt | lxml etree xml |
|
||||
| xsltInjection.py:50:24:50:32 | lxml.etree.parse.xslt | lxml etree xml |
|
||||
| xsltInjection.py:60:24:60:32 | lxml.etree.parse.xslt | lxml etree xml |
|
||||
| xsltInjection.py:69:24:69:32 | lxml.etree.parse.xslt | lxml etree xml |
|
||||
| xsltInjection.py:79:24:79:32 | lxml.etree.parse.xslt | lxml etree xml |
|
||||
| xsltSinks.py:17:28:17:36 | lxml.etree.XSLT | lxml etree xml |
|
||||
| xsltSinks.py:30:29:30:37 | lxml.etree.parse.xslt | lxml etree xml |
|
||||
| xsltSinks.py:44:24:44:32 | lxml.etree.parse.xslt | lxml etree xml |
|
||||
@@ -1,6 +0,0 @@
|
||||
import python
|
||||
import experimental.semmle.python.security.injection.XSLT
|
||||
|
||||
from XsltInjection::XsltInjectionSink sink, TaintKind kind
|
||||
where sink.sinks(kind)
|
||||
select sink, kind
|
||||
@@ -1 +0,0 @@
|
||||
semmle-extractor-options: --max-import-depth=3 -p ../../../../query-tests/Security/lib/
|
||||
@@ -1,56 +0,0 @@
|
||||
from lxml import etree
|
||||
from io import StringIO
|
||||
|
||||
from django.urls import path
|
||||
from django.http import HttpResponse
|
||||
from django.template import Template, Context, Engine, engines
|
||||
|
||||
|
||||
def a(request):
|
||||
xslt_root = etree.XML('''\
|
||||
<xsl:stylesheet version="1.0"
|
||||
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||||
<xsl:template match="/">
|
||||
<foo><xsl:value-of select="/a/b/text()" /></foo>
|
||||
</xsl:template>
|
||||
</xsl:stylesheet>''')
|
||||
transform = etree.XSLT(xslt_root)
|
||||
|
||||
|
||||
def b(request):
|
||||
xslt_root = etree.XML('''\
|
||||
<xsl:stylesheet version="1.0"
|
||||
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||||
<xsl:template match="/">
|
||||
<foo><xsl:value-of select="/a/b/text()" /></foo>
|
||||
</xsl:template>
|
||||
</xsl:stylesheet>''')
|
||||
f = StringIO('<foo><bar></bar></foo>')
|
||||
tree = etree.parse(f)
|
||||
result_tree = tree.xslt(xslt_root)
|
||||
|
||||
|
||||
def c(request):
|
||||
xslt_root = etree.XML('''\
|
||||
<xsl:stylesheet version="1.0"
|
||||
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||||
<xsl:template match="/">
|
||||
<foo><xsl:value-of select="/a/b/text()" /></foo>
|
||||
</xsl:template>
|
||||
</xsl:stylesheet>''')
|
||||
|
||||
f = StringIO('<foo><bar></bar></foo>')
|
||||
tree = etree.parse(f)
|
||||
result = tree.xslt(xslt_root, a="'A'")
|
||||
|
||||
|
||||
urlpatterns = [
|
||||
path('a', a),
|
||||
path('b', b),
|
||||
path('c', c)
|
||||
]
|
||||
|
||||
if __name__ == "__main__":
|
||||
a(None)
|
||||
b(None)
|
||||
c(None)
|
||||
@@ -1,10 +0,0 @@
|
||||
from bottle import Bottle, route, request, redirect, response
|
||||
import airspeed
|
||||
|
||||
|
||||
app = Bottle()
|
||||
|
||||
|
||||
@route('/other')
|
||||
def a():
|
||||
return airspeed.Template("sink")
|
||||
@@ -1,2 +0,0 @@
|
||||
WARNING: Type SSTISink has been deprecated and may be removed in future (AirspeedSSTISinks.ql:4,6-14)
|
||||
| Airspeed.py:10:30:10:35 | argument to airspeed.Template() |
|
||||
@@ -1,5 +0,0 @@
|
||||
import python
|
||||
import experimental.semmle.python.templates.Airspeed
|
||||
|
||||
from SSTISink s
|
||||
select s
|
||||
@@ -1,17 +0,0 @@
|
||||
from bottle import Bottle, route, request, redirect, response, SimpleTemplate
|
||||
from bottle import template as temp
|
||||
|
||||
|
||||
app = Bottle()
|
||||
|
||||
|
||||
@route('/other')
|
||||
def a():
|
||||
template = "test"
|
||||
tpl = SimpleTemplate(template)
|
||||
|
||||
|
||||
@route('/other2')
|
||||
def b():
|
||||
template = "test"
|
||||
return temp(template, name='World')
|
||||
@@ -1,3 +0,0 @@
|
||||
WARNING: Type SSTISink has been deprecated and may be removed in future (BottleSSTISinks.ql:4,6-14)
|
||||
| Bottle.py:11:26:11:33 | argument to bottle.SimpleTemplate() |
|
||||
| Bottle.py:17:17:17:24 | argument to bottle.template() |
|
||||
@@ -1,5 +0,0 @@
|
||||
import python
|
||||
import experimental.semmle.python.templates.Bottle
|
||||
|
||||
from SSTISink s
|
||||
select s
|
||||
@@ -1,5 +0,0 @@
|
||||
from chameleon import PageTemplate
|
||||
|
||||
|
||||
def chameleon():
|
||||
template = PageTemplate("sink")
|
||||
@@ -1,2 +0,0 @@
|
||||
WARNING: Type SSTISink has been deprecated and may be removed in future (ChameleonSSTISinks.ql:4,6-14)
|
||||
| Chameleon.py:5:29:5:34 | argument to Chameleon.PageTemplate() |
|
||||
@@ -1,5 +0,0 @@
|
||||
import python
|
||||
import experimental.semmle.python.templates.Chameleon
|
||||
|
||||
from SSTISink s
|
||||
select s
|
||||
@@ -1,3 +0,0 @@
|
||||
WARNING: Type SSTISink has been deprecated and may be removed in future (CheetahSSTISinks.ql:4,6-14)
|
||||
| CheetahSinks.py:10:21:10:26 | argument to Cheetah.Template.Template() |
|
||||
| CheetahSinks.py:20:20:20:25 | argument to Cheetah.Template.Template() |
|
||||
@@ -1,5 +0,0 @@
|
||||
import python
|
||||
import experimental.semmle.python.templates.Cheetah
|
||||
|
||||
from SSTISink s
|
||||
select s
|
||||
@@ -1,20 +0,0 @@
|
||||
from bottle import Bottle, route, request, redirect, response, SimpleTemplate
|
||||
from Cheetah.Template import Template
|
||||
|
||||
|
||||
app = Bottle()
|
||||
|
||||
|
||||
@route('/other')
|
||||
def a():
|
||||
return Template("sink")
|
||||
|
||||
|
||||
class Template3(Template):
|
||||
title = 'Hello World Example!'
|
||||
contents = 'Hello World!'
|
||||
|
||||
|
||||
@route('/other2')
|
||||
def b():
|
||||
t3 = Template3("sink")
|
||||
@@ -1,2 +0,0 @@
|
||||
WARNING: Type SSTISink has been deprecated and may be removed in future (ChevronSSTISinks.ql:4,6-14)
|
||||
| ChevronSinks.py:10:27:10:32 | argument to chevron.render() |
|
||||
@@ -1,5 +0,0 @@
|
||||
import python
|
||||
import experimental.semmle.python.templates.Chevron
|
||||
|
||||
from SSTISink s
|
||||
select s
|
||||
@@ -1,22 +0,0 @@
|
||||
from bottle import Bottle, route, request, redirect, response, SimpleTemplate
|
||||
import chevron
|
||||
|
||||
|
||||
app = Bottle()
|
||||
|
||||
|
||||
@route('/other')
|
||||
def a():
|
||||
return chevron.render("sink", {"key": "value"})
|
||||
|
||||
|
||||
@route('/other2')
|
||||
def b():
|
||||
sink = {
|
||||
'template': "template",
|
||||
|
||||
'data': {
|
||||
'key': 'value'
|
||||
}
|
||||
}
|
||||
return chevron.render(**sink)
|
||||
@@ -1,2 +0,0 @@
|
||||
WARNING: Type SSTISink has been deprecated and may be removed in future (DjangoSSTISinks.ql:4,6-14)
|
||||
| DjangoTemplates.py:9:18:9:25 | argument to Django.template() |
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user