hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-23 07:45:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Include switch and instanceof binding in Variable.getAnAssignedValue, and test via endsInQuote

Browse Source
This commit is contained in:
Chris Smowton
2023-11-21 15:54:52 +00:00
parent ef6ea71e43
commit 29fdd04eb0
8 changed files with 66 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
java/ql/lib/semmle/code/java/Variable.qll
View File

@@ -15,9 +15,12 @@ class Variable extends @variable, Annotatable, Element, Modifiable {
/** Gets an access to this variable. */
VarAccess getAnAccess() { variableBinding(result, this) }
/** Gets an expression on the right-hand side of an assignment to this variable. */
/**
* Gets an expression assigned to this variable, either appearing on the right-hand side of an
* assignment or bound to it via a binding `instanceof` expression or `switch` block.
*/
Expr getAnAssignedValue() {
exists(LocalVariableDeclExpr e | e.getVariable() = this and result = e.getInit())
exists(LocalVariableDeclExpr e | e.getVariable() = this and result = e.getInitOrPatternSource())
or
exists(AssignExpr e | e.getDest() = this.getAnAccess() and result = e.getSource())
}

1
java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.expected
View File

@@ -9,3 +9,4 @@
| Test.java:98:47:98:60 | queryFromField | Query built by concatenation with $@, which may be untrusted. | Test.java:97:8:97:19 | categoryName | this expression |
| Test.java:108:47:108:61 | querySbToString | Query built by concatenation with $@, which may be untrusted. | Test.java:104:19:104:30 | categoryName | this expression |
| Test.java:118:47:118:62 | querySb2ToString | Query built by concatenation with $@, which may be untrusted. | Test.java:114:46:114:57 | categoryName | this expression |
| Test.java:221:81:221:111 | ... + ... | Query built by concatenation with $@, which may be untrusted. | Test.java:221:95:221:102 | category | this expression |

35
java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected
View File

@@ -13,10 +13,13 @@ edges
| Test.java:60:29:60:35 | querySb : StringBuilder | Test.java:60:29:60:46 | toString(...) : String |
| Test.java:60:29:60:46 | toString(...) : String | Test.java:62:47:62:61 | querySbToString |
| Test.java:183:33:183:45 | args : String[] | Test.java:209:47:209:68 | queryWithUserTableName |
| Test.java:213:26:213:38 | args : String[] | Test.java:214:11:214:14 | args : String[] |
| Test.java:213:26:213:38 | args : String[] | Test.java:218:14:218:17 | args : String[] |
| Test.java:214:11:214:14 | args : String[] | Test.java:29:30:29:42 | args : String[] |
| Test.java:218:14:218:17 | args : String[] | Test.java:183:33:183:45 | args : String[] |
| Test.java:213:34:213:46 | args : String[] | Test.java:221:81:221:111 | ... + ... |
| Test.java:227:26:227:38 | args : String[] | Test.java:228:11:228:14 | args : String[] |
| Test.java:227:26:227:38 | args : String[] | Test.java:232:14:232:17 | args : String[] |
| Test.java:227:26:227:38 | args : String[] | Test.java:233:15:233:18 | args : String[] |
| Test.java:228:11:228:14 | args : String[] | Test.java:29:30:29:42 | args : String[] |
| Test.java:232:14:232:17 | args : String[] | Test.java:183:33:183:45 | args : String[] |
| Test.java:233:15:233:18 | args : String[] | Test.java:213:34:213:46 | args : String[] |
nodes
| Mongo.java:10:29:10:41 | args : String[] | semmle.label | args : String[] |
| Mongo.java:17:45:17:67 | parse(...) | semmle.label | parse(...) |
@@ -35,17 +38,21 @@ nodes
| Test.java:78:46:78:50 | query | semmle.label | query |
| Test.java:183:33:183:45 | args : String[] | semmle.label | args : String[] |
| Test.java:209:47:209:68 | queryWithUserTableName | semmle.label | queryWithUserTableName |
| Test.java:213:26:213:38 | args : String[] | semmle.label | args : String[] |
| Test.java:214:11:214:14 | args : String[] | semmle.label | args : String[] |
| Test.java:218:14:218:17 | args : String[] | semmle.label | args : String[] |
| Test.java:213:34:213:46 | args : String[] | semmle.label | args : String[] |
| Test.java:221:81:221:111 | ... + ... | semmle.label | ... + ... |
| Test.java:227:26:227:38 | args : String[] | semmle.label | args : String[] |
| Test.java:228:11:228:14 | args : String[] | semmle.label | args : String[] |
| Test.java:232:14:232:17 | args : String[] | semmle.label | args : String[] |
| Test.java:233:15:233:18 | args : String[] | semmle.label | args : String[] |
subpaths
#select
| Mongo.java:17:45:17:67 | parse(...) | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:45:17:67 | parse(...) | This query depends on a $@. | Mongo.java:10:29:10:41 | args | user-provided value |
| Mongo.java:21:49:21:52 | json | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:21:49:21:52 | json | This query depends on a $@. | Mongo.java:10:29:10:41 | args | user-provided value |
| Test.java:36:47:36:52 | query1 | Test.java:213:26:213:38 | args : String[] | Test.java:36:47:36:52 | query1 | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |
| Test.java:42:57:42:62 | query2 | Test.java:213:26:213:38 | args : String[] | Test.java:42:57:42:62 | query2 | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |
| Test.java:50:62:50:67 | query3 | Test.java:213:26:213:38 | args : String[] | Test.java:50:62:50:67 | query3 | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |
| Test.java:62:47:62:61 | querySbToString | Test.java:213:26:213:38 | args : String[] | Test.java:62:47:62:61 | querySbToString | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |
| Test.java:70:40:70:44 | query | Test.java:213:26:213:38 | args : String[] | Test.java:70:40:70:44 | query | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |
| Test.java:78:46:78:50 | query | Test.java:213:26:213:38 | args : String[] | Test.java:78:46:78:50 | query | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |
| Test.java:209:47:209:68 | queryWithUserTableName | Test.java:213:26:213:38 | args : String[] | Test.java:209:47:209:68 | queryWithUserTableName | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |
| Test.java:36:47:36:52 | query1 | Test.java:227:26:227:38 | args : String[] | Test.java:36:47:36:52 | query1 | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value |
| Test.java:42:57:42:62 | query2 | Test.java:227:26:227:38 | args : String[] | Test.java:42:57:42:62 | query2 | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value |
| Test.java:50:62:50:67 | query3 | Test.java:227:26:227:38 | args : String[] | Test.java:50:62:50:67 | query3 | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value |
| Test.java:62:47:62:61 | querySbToString | Test.java:227:26:227:38 | args : String[] | Test.java:62:47:62:61 | querySbToString | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value |
| Test.java:70:40:70:44 | query | Test.java:227:26:227:38 | args : String[] | Test.java:70:40:70:44 | query | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value |
| Test.java:78:46:78:50 | query | Test.java:227:26:227:38 | args : String[] | Test.java:78:46:78:50 | query | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value |
| Test.java:209:47:209:68 | queryWithUserTableName | Test.java:227:26:227:38 | args : String[] | Test.java:209:47:209:68 | queryWithUserTableName | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value |
| Test.java:221:81:221:111 | ... + ... | Test.java:227:26:227:38 | args : String[] | Test.java:221:81:221:111 | ... + ... | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value |

15
java/ql/test/query-tests/security/CWE-089/semmle/examples/Test.java
View File

@@ -210,12 +210,27 @@ abstract class Test {
}
}
private static void bindingVars(String[] args) throws IOException, SQLException {
// BAD: the category might have SQL special characters in it
{
String category = args[1];
Statement statement = connection.createStatement();
String prefix = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='";
String suffix = "' ORDER BY PRICE";
switch(prefix) {
case String prefixAlias when prefix.length() > 10 -> statement.executeQuery(prefixAlias + category + suffix);
default -> { }
}
}
}
public static void main(String[] args) throws IOException, SQLException {
tainted(args);
unescaped();
good(args);
controlledStrings();
tableNames(args);
bindingVars(args);
}
}

10
java/ql/test/query-tests/security/CWE-089/semmle/examples/controlledString.expected
View File

@@ -1,6 +1,16 @@
| <clinit> | 1 | Test.java:20:2:20:9 | FloorWax |
| <clinit> | 1 | Test.java:20:12:20:18 | Topping |
| <clinit> | 1 | Test.java:20:21:20:28 | Biscuits |
| bindingVars | 3 | Test.java:216:48:216:48 | 1 |
| bindingVars | 5 | Test.java:218:20:218:73 | "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" |
| bindingVars | 6 | Test.java:219:20:219:37 | "' ORDER BY PRICE" |
| bindingVars | 7 | Test.java:220:11:220:16 | prefix |
| bindingVars | 8 | Test.java:221:34:221:39 | prefix |
| bindingVars | 8 | Test.java:221:34:221:48 | length(...) |
| bindingVars | 8 | Test.java:221:34:221:53 | ... > ... |
| bindingVars | 8 | Test.java:221:52:221:53 | 10 |
| bindingVars | 8 | Test.java:221:81:221:91 | prefixAlias |
| bindingVars | 8 | Test.java:221:106:221:111 | suffix |
| checkIdentifier | 1 | Validation.java:7:12:7:16 | i |
| checkIdentifier | 1 | Validation.java:7:16:7:16 | 0 |
| checkIdentifier | 1 | Validation.java:7:19:7:19 | i |

4
java/ql/test/query-tests/security/CWE-089/semmle/examples/endsInQuote.expected
View File

@@ -1,3 +1,7 @@
| bindingVars | 5 | Test.java:218:20:218:73 | "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" |
| bindingVars | 7 | Test.java:220:11:220:16 | prefix |
| bindingVars | 8 | Test.java:221:34:221:39 | prefix |
| bindingVars | 8 | Test.java:221:81:221:91 | prefixAlias |
| controlledStrings | 4 | Test.java:137:26:137:79 | "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" |
| controlledStrings | 12 | Test.java:145:27:145:80 | "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" |
| controlledStrings | 20 | Test.java:153:35:153:88 | "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" |

2
java/ql/test/query-tests/security/CWE-089/semmle/examples/options
View File

@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/apache-hive
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/apache-hive --release 21

12
java/ql/test/query-tests/security/CWE-089/semmle/examples/taintedString.expected
View File

@@ -59,9 +59,15 @@
| Test.java:183:22:183:31 | tableNames | 23 | Test.java:206:36:208:55 | ... + ... |
| Test.java:183:22:183:31 | tableNames | 24 | Test.java:207:8:207:18 | userTabName |
| Test.java:183:22:183:31 | tableNames | 26 | Test.java:209:47:209:68 | queryWithUserTableName |
| Test.java:213:21:213:24 | main | 1 | Test.java:214:11:214:14 | args |
| Test.java:213:21:213:24 | main | 3 | Test.java:216:8:216:11 | args |
| Test.java:213:21:213:24 | main | 5 | Test.java:218:14:218:17 | args |
| Test.java:213:22:213:32 | bindingVars | 3 | Test.java:216:43:216:46 | args |
| Test.java:213:22:213:32 | bindingVars | 3 | Test.java:216:43:216:49 | ...[...] |
| Test.java:213:22:213:32 | bindingVars | 8 | Test.java:221:81:221:102 | ... + ... |
| Test.java:213:22:213:32 | bindingVars | 8 | Test.java:221:81:221:111 | ... + ... |
| Test.java:213:22:213:32 | bindingVars | 8 | Test.java:221:95:221:102 | category |
| Test.java:227:21:227:24 | main | 1 | Test.java:228:11:228:14 | args |
| Test.java:227:21:227:24 | main | 3 | Test.java:230:8:230:11 | args |
| Test.java:227:21:227:24 | main | 5 | Test.java:232:14:232:17 | args |
| Test.java:227:21:227:24 | main | 6 | Test.java:233:15:233:18 | args |
| Validation.java:6:21:6:35 | checkIdentifier | 1 | Validation.java:7:23:7:24 | id |
| Validation.java:6:21:6:35 | checkIdentifier | 2 | Validation.java:8:13:8:14 | id |
| Validation.java:6:21:6:35 | checkIdentifier | 2 | Validation.java:8:13:8:24 | charAt(...) |