hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 10:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Address review comments.

Browse Source
This commit is contained in:
Sebastian Bauersfeld
2022-09-15 16:44:36 +07:00
parent f95663cdfb
commit 20d78972f5
4 changed files with 37 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
View File

@@ -401,11 +401,6 @@ private class SummaryModelCsvBase extends SummaryModelCsv {
"java.io;File;false;File;;;Argument[0];Argument[-1];taint;manual",
"java.io;File;false;File;;;Argument[1];Argument[-1];taint;manual",
"java.net;URI;false;URI;(String);;Argument[0];Argument[-1];taint;manual",
"java.net;URI;false;URI;(String,String,String);;Argument[0..2];Argument[-1];taint;manual",
"java.net;URI;false;URI;(String,String,String,int,String,String,String);;Argument[0..2];Argument[-1];taint;manual",
"java.net;URI;false;URI;(String,String,String,int,String,String,String);;Argument[4..6];Argument[-1];taint;manual",
"java.net;URI;false;URI;(String,String,String,String);;Argument[0..3];Argument[-1];taint;manual",
"java.net;URI;false;URI;(String,String,String,String,String);;Argument[0..4];Argument[-1];taint;manual",
"java.net;URL;false;URL;(String);;Argument[0];Argument[-1];taint;manual",
"javax.xml.transform.stream;StreamSource;false;StreamSource;;;Argument[0];Argument[-1];taint;manual",
"javax.xml.transform.sax;SAXSource;false;SAXSource;(InputSource);;Argument[0];Argument[-1];taint;manual",

13
java/ql/src/Security/CWE/CWE-022/TaintedPathCommon.qll
View File

@@ -5,6 +5,19 @@
import java
import semmle.code.java.controlflow.Guards
import semmle.code.java.security.PathCreation
import semmle.code.java.dataflow.ExternalFlow
class TaintedPathInjectionSummaries extends SummaryModelCsv {
override predicate row(string row) {
row =
[
"java.net;URI;false;URI;(String,String,String);;Argument[1];Argument[-1];taint;manual",
"java.net;URI;false;URI;(String,String,String,String);;Argument[1..2];Argument[-1];taint;manual",
"java.net;URI;false;URI;(String,String,String,String,String);;Argument[2];Argument[-1];taint;manual",
"java.net;URI;false;URI;(String,String,String,int,String,String,String);;Argument[4];Argument[-1];taint;manual",
]
}
}
private predicate inWeakCheck(Expr e) {
// None of these are sufficient to guarantee that a string is safe.

73
java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
View File

@@ -9,42 +9,16 @@ edges
| Test.java:80:31:80:32 | br : BufferedReader | Test.java:80:31:80:43 | readLine(...) : String |
| Test.java:80:31:80:43 | readLine(...) : String | Test.java:82:67:82:81 | ... + ... |
| Test.java:88:17:88:37 | getHostName(...) : String | Test.java:90:26:90:29 | temp |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:96:20:96:20 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:96:23:96:23 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:96:26:96:26 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:20:97:20 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:23:97:23 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:26:97:26 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:29:97:29 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:20:98:20 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:23:98:23 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:26:98:26 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:29:98:29 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:32:98:32 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:20:99:20 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:23:99:23 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:26:99:26 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:32:99:32 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:35:99:35 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:38:99:38 | t : String |
| Test.java:96:20:96:20 | t : String | Test.java:96:12:96:27 | new URI(...) |
| Test.java:96:23:96:23 | t : String | Test.java:96:12:96:27 | new URI(...) |
| Test.java:96:26:96:26 | t : String | Test.java:96:12:96:27 | new URI(...) |
| Test.java:97:20:97:20 | t : String | Test.java:97:12:97:30 | new URI(...) |
| Test.java:97:23:97:23 | t : String | Test.java:97:12:97:30 | new URI(...) |
| Test.java:97:26:97:26 | t : String | Test.java:97:12:97:30 | new URI(...) |
| Test.java:97:29:97:29 | t : String | Test.java:97:12:97:30 | new URI(...) |
| Test.java:98:20:98:20 | t : String | Test.java:98:12:98:33 | new URI(...) |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:29:99:29 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:100:32:100:32 | t : String |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:101:41:101:41 | t : String |
| Test.java:97:26:97:26 | t : String | Test.java:97:12:97:33 | new URI(...) |
| Test.java:98:23:98:23 | t : String | Test.java:98:12:98:33 | new URI(...) |
| Test.java:98:26:98:26 | t : String | Test.java:98:12:98:33 | new URI(...) |
| Test.java:98:29:98:29 | t : String | Test.java:98:12:98:33 | new URI(...) |
| Test.java:98:32:98:32 | t : String | Test.java:98:12:98:33 | new URI(...) |
| Test.java:99:20:99:20 | t : String | Test.java:99:12:99:39 | new URI(...) |
| Test.java:99:23:99:23 | t : String | Test.java:99:12:99:39 | new URI(...) |
| Test.java:99:26:99:26 | t : String | Test.java:99:12:99:39 | new URI(...) |
| Test.java:99:32:99:32 | t : String | Test.java:99:12:99:39 | new URI(...) |
| Test.java:99:35:99:35 | t : String | Test.java:99:12:99:39 | new URI(...) |
| Test.java:99:38:99:38 | t : String | Test.java:99:12:99:39 | new URI(...) |
| Test.java:99:29:99:29 | t : String | Test.java:99:12:99:33 | new URI(...) |
| Test.java:100:32:100:32 | t : String | Test.java:100:12:100:45 | new URI(...) |
| Test.java:101:41:101:41 | t : String | Test.java:101:12:101:54 | new URI(...) |
nodes
| Test.java:19:18:19:38 | getHostName(...) : String | semmle.label | getHostName(...) : String |
| Test.java:24:20:24:23 | temp | semmle.label | temp |
@@ -60,28 +34,16 @@ nodes
| Test.java:88:17:88:37 | getHostName(...) : String | semmle.label | getHostName(...) : String |
| Test.java:90:26:90:29 | temp | semmle.label | temp |
| Test.java:95:14:95:34 | getHostName(...) : String | semmle.label | getHostName(...) : String |
| Test.java:96:12:96:27 | new URI(...) | semmle.label | new URI(...) |
| Test.java:96:20:96:20 | t : String | semmle.label | t : String |
| Test.java:96:23:96:23 | t : String | semmle.label | t : String |
| Test.java:96:26:96:26 | t : String | semmle.label | t : String |
| Test.java:97:12:97:30 | new URI(...) | semmle.label | new URI(...) |
| Test.java:97:20:97:20 | t : String | semmle.label | t : String |
| Test.java:97:23:97:23 | t : String | semmle.label | t : String |
| Test.java:97:12:97:33 | new URI(...) | semmle.label | new URI(...) |
| Test.java:97:26:97:26 | t : String | semmle.label | t : String |
| Test.java:97:29:97:29 | t : String | semmle.label | t : String |
| Test.java:98:12:98:33 | new URI(...) | semmle.label | new URI(...) |
| Test.java:98:20:98:20 | t : String | semmle.label | t : String |
| Test.java:98:23:98:23 | t : String | semmle.label | t : String |
| Test.java:98:26:98:26 | t : String | semmle.label | t : String |
| Test.java:98:29:98:29 | t : String | semmle.label | t : String |
| Test.java:98:32:98:32 | t : String | semmle.label | t : String |
| Test.java:99:12:99:39 | new URI(...) | semmle.label | new URI(...) |
| Test.java:99:20:99:20 | t : String | semmle.label | t : String |
| Test.java:99:23:99:23 | t : String | semmle.label | t : String |
| Test.java:99:26:99:26 | t : String | semmle.label | t : String |
| Test.java:99:32:99:32 | t : String | semmle.label | t : String |
| Test.java:99:35:99:35 | t : String | semmle.label | t : String |
| Test.java:99:38:99:38 | t : String | semmle.label | t : String |
| Test.java:99:12:99:33 | new URI(...) | semmle.label | new URI(...) |
| Test.java:99:29:99:29 | t : String | semmle.label | t : String |
| Test.java:100:12:100:45 | new URI(...) | semmle.label | new URI(...) |
| Test.java:100:32:100:32 | t : String | semmle.label | t : String |
| Test.java:101:12:101:54 | new URI(...) | semmle.label | new URI(...) |
| Test.java:101:41:101:41 | t : String | semmle.label | t : String |
subpaths
#select
| Test.java:24:11:24:24 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
@@ -90,7 +52,8 @@ subpaths
| Test.java:34:12:34:25 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:34:21:34:24 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
| Test.java:82:52:82:88 | new FileWriter(...) | Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:82:67:82:81 | ... + ... | $@ flows to here and is used in a path. | Test.java:79:74:79:97 | getInputStream(...) | User-provided value |
| Test.java:90:26:90:29 | temp | Test.java:88:17:88:37 | getHostName(...) : String | Test.java:90:26:90:29 | temp | $@ flows to here and is used in a path. | Test.java:88:17:88:37 | getHostName(...) | User-provided value |
| Test.java:96:3:96:28 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:96:12:96:27 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
| Test.java:97:3:97:31 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:12:97:30 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
| Test.java:97:3:97:34 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:12:97:33 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
| Test.java:98:3:98:34 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:12:98:33 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
| Test.java:99:3:99:40 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:12:99:39 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
| Test.java:99:3:99:34 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:12:99:33 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
| Test.java:100:3:100:46 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:100:12:100:45 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |
| Test.java:101:3:101:55 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:101:12:101:54 | new URI(...) | $@ flows to here and is used in a path. | Test.java:95:14:95:34 | getHostName(...) | User-provided value |

10
java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
View File

@@ -93,9 +93,11 @@ class Test {
void doGet5(InetAddress address)
throws URISyntaxException {
String t = address.getHostName();
new File(new URI(t, t, t));
new File(new URI(t, t, t, t));
new File(new URI(t, t, t, t, t));
new File(new URI(t, t, t, 0, t, t, t));
// BAD: construct a file path with user input
new File(new URI(null, t, null));
new File(new URI(t, t, null, t));
new File(new URI(t, null, t, t));
new File(new URI(null, null, t, null, null));
new File(new URI(null, null, null, 0, t, null, null));
}
}