hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-23 04:06:37 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into jcogs33/shared-sink-kind-validation

Browse Source
This commit is contained in:
Jami
2023-06-14 08:06:34 -04:00
committed by GitHub
parent 9abe3e3da4 afec9b05e9
commit 35591113c2
893 changed files with 16779 additions and 17965 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
java/ql/integration-tests/all-platforms/kotlin/default-parameter-mad-flow/test.expected
View File

@@ -0,0 +1,2 @@
failures
testFailures

10
java/ql/integration-tests/all-platforms/kotlin/default-parameter-mad-flow/test.ql
View File

@@ -19,12 +19,10 @@ module Config implements DataFlow::ConfigSig {
module Flow = TaintTracking::Global<Config>;
class InlineFlowTest extends InlineExpectationsTest {
InlineFlowTest() { this = "HasFlowTest" }
module InlineFlowTest implements TestSig {
string getARelevantTag() { result = "flow" }
override string getARelevantTag() { result = "flow" }
override predicate hasActualResult(Location location, string element, string tag, string value) {
predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "flow" and
exists(DataFlow::Node sink | Flow::flowTo(sink) |
sink.getLocation() = location and
@@ -33,3 +31,5 @@ class InlineFlowTest extends InlineExpectationsTest {
)
}
}
import MakeTest<InlineFlowTest>

4
java/ql/lib/change-notes/2023-05-19-path-injection-sinks-mad.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Path creation sinks modeled in `PathCreation.qll` have been added to the models-as-data sink kind `path-injection`.

4
java/ql/lib/change-notes/2023-05-22-hudson-models.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added more models for the Hudson framework.

7
java/ql/lib/change-notes/2023-06-01-new-models.md Normal file
View File

@@ -0,0 +1,7 @@
---
category: minorAnalysis
---
* Added models for the following packages:
* java.lang
* java.nio.file

6
java/ql/lib/change-notes/2023-06-02-delete-deps.md Normal file
View File

@@ -0,0 +1,6 @@
---
category: minorAnalysis
---
* Deleted the deprecated `getRHS` predicate from the `LValue` class, use `getRhs` instead.
* Deleted the deprecated `getCFGNode` predicate from the `SsaVariable` class, use `getCfgNode` instead.
* Deleted many deprecated predicates and classes with uppercase `XML`, `JSON`, `URL`, `API`, etc. in their names. Use the PascalCased versions instead.

4
java/ql/lib/change-notes/2023-06-06-kotlin-use-with-flow.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added flow through the block arguments of `kotlin.io.use` and `kotlin.with`.

15
java/ql/lib/change-notes/2023-06-06-new-models.md Normal file
View File

@@ -0,0 +1,15 @@
---
category: minorAnalysis
---
* Added models for the following packages:
* com.alibaba.druid.sql
* com.fasterxml.jackson.databind
* com.jcraft.jsch
* io.netty.handler.ssl
* okhttp3
* org.antlr.runtime
* org.fusesource.leveldbjni
* org.influxdb
* org.springframework.core.io
* org.yaml.snakeyaml

4
java/ql/lib/change-notes/2023-06-08-type-strengthening.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: majorAnalysis
---
* The data flow library now performs type strengthening. This increases precision for all data flow queries by excluding paths that can be inferred to be impossible due to incompatible types.

6
java/ql/lib/ext/com.alibaba.druid.sql.model.yml Normal file
View File

@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["com.alibaba.druid.sql", "SQLUtils", False, "toMySqlString", "(SQLObject)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]

6
java/ql/lib/ext/com.fasterxml.jackson.databind.model.yml
View File

@@ -9,3 +9,9 @@ extensions:
- ["com.fasterxml.jackson.databind", "ObjectMapper", True, "valueToTree", "", "", "Argument[0].MapValue", "ReturnValue", "taint", "manual"]
- ["com.fasterxml.jackson.databind", "ObjectMapper", True, "valueToTree", "", "", "Argument[0].MapValue.Element", "ReturnValue", "taint", "manual"]
- ["com.fasterxml.jackson.databind", "ObjectReader", False, "createParser", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["com.fasterxml.jackson.databind", "ObjectMapper", True, "readValue", "(File,Class)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["com.fasterxml.jackson.databind", "ObjectMapper", True, "writeValue", "(File,Object)", "", "Argument[0]", "path-injection", "ai-manual"]

11
java/ql/lib/ext/com.google.gson.model.yml
View File

@@ -26,18 +26,23 @@ extensions:
- ["com.google.gson", "JsonElement", True, "getAsJsonPrimitive", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.gson", "JsonElement", True, "getAsString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.gson", "JsonElement", True, "toString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.gson", "JsonArray", True, "add", "", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["com.google.gson", "JsonArray", True, "add", "(Boolean)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"]
- ["com.google.gson", "JsonArray", True, "add", "(Character)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"]
- ["com.google.gson", "JsonArray", True, "add", "(JsonElement)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["com.google.gson", "JsonArray", True, "add", "(Number)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"]
- ["com.google.gson", "JsonArray", True, "add", "(String)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"]
- ["com.google.gson", "JsonArray", True, "addAll", "(JsonArray)", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]
- ["com.google.gson", "JsonArray", True, "asList", "", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
- ["com.google.gson", "JsonArray", True, "get", "", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
- ["com.google.gson", "JsonArray", True, "set", "", "", "Argument[1]", "Argument[this].Element", "value", "manual"]
- ["com.google.gson", "JsonObject", True, "add", "", "", "Argument[0]", "Argument[this].MapKey", "value", "manual"]
- ["com.google.gson", "JsonObject", True, "add", "", "", "Argument[1]", "Argument[this].MapValue", "value", "manual"]
- ["com.google.gson", "JsonObject", True, "addProperty", "(String,String)", "", "Argument[0]", "Argument[this].MapKey", "value", "manual"]
- ["com.google.gson", "JsonObject", True, "addProperty", "(String,String)", "", "Argument[1]", "Argument[this].MapValue", "value", "manual"]
- ["com.google.gson", "JsonObject", True, "addProperty", "(String,String)", "", "Argument[1]", "Argument[this].MapValue", "taint", "manual"]
- ["com.google.gson", "JsonObject", True, "asMap", "", "", "Argument[this].MapKey", "ReturnValue.MapKey", "value", "manual"]
- ["com.google.gson", "JsonObject", True, "asMap", "", "", "Argument[this].MapValue", "ReturnValue.MapValue", "value", "manual"]
- ["com.google.gson", "JsonObject", True, "entrySet", "", "", "Argument[this].MapKey", "ReturnValue.Element.MapKey", "value", "manual"]
- ["com.google.gson", "JsonObject", True, "entrySet", "", "", "Argument[this].MapKey", "ReturnValue.Element.MapValue", "value", "manual"]
- ["com.google.gson", "JsonObject", True, "entrySet", "", "", "Argument[this].MapValue", "ReturnValue.Element.MapValue", "value", "manual"]
- ["com.google.gson", "JsonObject", True, "get", "", "", "Argument[this].MapValue", "ReturnValue", "value", "manual"]
- ["com.google.gson", "JsonObject", True, "keySet", "", "", "Argument[this].MapKey", "ReturnValue.Element", "value", "manual"]
- ["com.google.gson", "JsonPrimitive", True, "JsonPrimitive", "(Character)", "", "Argument[0]", "Argument[this]", "taint", "manual"]

11
java/ql/lib/ext/com.jcraft.jsch.model.yml Normal file
View File

@@ -0,0 +1,11 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["com.jcraft.jsch", "JSch", True, "getSession", "(String,String,int)", "", "Argument[1]", "request-forgery", "ai-manual"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["com.jcraft.jsch", "ChannelSftp", True, "realpath", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]

6
java/ql/lib/ext/hudson.model.model.yml
View File

@@ -16,3 +16,9 @@ extensions:
data:
- ["hudson.model", "Node", True, "createPath", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
- ["hudson.model", "DirectoryBrowserSupport$Path", False, "Path", "(String,String,boolean,long,boolean,long)", "", "Argument[0]", "Argument[this].SyntheticField[hudson.model.DirectoryBrowserSupport$Path.href]", "taint", "ai-manual"]
- addsTo:
pack: codeql/java-all
extensible: sourceModel
data:
- ["hudson.model", "Descriptor", True, "configure", "", "", "Parameter", "remote", "manual"]
- ["hudson.model", "Descriptor", True, "newInstance", "", "", "Parameter", "remote", "manual"]

78
java/ql/lib/ext/hudson.model.yml
View File

@@ -3,24 +3,68 @@ extensions:
pack: codeql/java-all
extensible: sinkModel
data:
- ["hudson", "FilePath", False, "copyFrom", "(FilePath)", "", "Argument[0]", "path-injection", "manual"]
- ["hudson", "FilePath", False, "copyFrom", "(URL)", "", "Argument[0]", "path-injection", "manual"]
- ["hudson", "FilePath", False, "copyFrom", "(FileItem)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["hudson", "FilePath", False, "copyRecursiveTo", "(DirScanner,FilePath,String,TarCompression)", "", "Argument[1]", "path-injection", "ai-manual"]
- ["hudson", "FilePath", False, "copyRecursiveTo", "(DirScanner,FilePath,String)", "", "Argument[1]", "file-content-store", "ai-manual"]
- ["hudson", "FilePath", False, "copyRecursiveTo", "(String,FilePath)", "", "Argument[1]", "path-injection", "ai-manual"]
- ["hudson", "FilePath", False, "copyRecursiveTo", "(String,String,FilePath)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["hudson", "FilePath", False, "copyRecursiveTo", "(String,String,FilePath)", "", "Argument[2]", "path-injection", "ai-manual"]
- ["hudson", "FilePath", False, "copyTo", "(FilePath)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["hudson", "FilePath", False, "installIfNecessaryFrom", "(URL,TaskListener,String)", "", "Argument[0]", "request-forgery", "ai-manual"]
- ["hudson", "FilePath", False, "newInputStreamDenyingSymlinkAsNeeded", "(File,String,boolean)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["hudson", "FilePath", True, "copyFrom", "", "", "Argument[this]", "path-injection", "manual"]
- ["hudson", "FilePath", True, "copyFrom", "(FilePath)", "", "Argument[0]", "path-injection", "manual"]
- ["hudson", "FilePath", True, "copyFrom", "(URL)", "", "Argument[0]", "path-injection", "manual"]
- ["hudson", "FilePath", True, "copyFrom", "(FileItem)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["hudson", "FilePath", True, "copyRecursiveTo", "", "", "Argument[this]", "path-injection", "ai-manual"]
- ["hudson", "FilePath", True, "copyRecursiveTo", "(DirScanner,FilePath,String,TarCompression)", "", "Argument[1]", "path-injection", "ai-manual"]
- ["hudson", "FilePath", True, "copyRecursiveTo", "(DirScanner,FilePath,String)", "", "Argument[1]", "file-content-store", "ai-manual"]
- ["hudson", "FilePath", True, "copyRecursiveTo", "(String,FilePath)", "", "Argument[1]", "path-injection", "ai-manual"]
- ["hudson", "FilePath", True, "copyRecursiveTo", "(String,String,FilePath)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["hudson", "FilePath", True, "copyRecursiveTo", "(String,String,FilePath)", "", "Argument[2]", "path-injection", "ai-manual"]
- ["hudson", "FilePath", True, "copyTo", "", "", "Argument[this]", "path-injection", "manual"]
- ["hudson", "FilePath", True, "copyTo", "(FilePath)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["hudson", "FilePath", True, "copyToWithPermission", "", "", "Argument[this]", "path-injection", "manual"]
- ["hudson", "FilePath", True, "copyToWithPermission", "(FilePath)", "", "Argument[0]", "path-injection", "manual"]
- ["hudson", "FilePath", True, "installIfNecessaryFrom", "(URL,TaskListener,String)", "", "Argument[0]", "request-forgery", "ai-manual"]
- ["hudson", "FilePath", True, "newInputStreamDenyingSymlinkAsNeeded", "(File,String,boolean)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["hudson", "FilePath", True, "openInputStream", "(File,OpenOption[])", "", "Argument[0]", "path-injection", "manual"]
- ["hudson", "FilePath", True, "read", "", "", "Argument[this]", "path-injection", "manual"]
- ["hudson", "FilePath", True, "read", "(FilePath,OpenOption[])", "", "Argument[0]", "path-injection", "manual"]
- ["hudson", "FilePath", True, "readFromOffset", "", "", "Argument[this]", "path-injection", "manual"]
- ["hudson", "FilePath", True, "readToString", "", "", "Argument[this]", "path-injection", "manual"]
- ["hudson", "FilePath", True, "renameTo", "", "", "Argument[this]", "path-injection", "manual"]
- ["hudson", "FilePath", True, "renameTo", "", "", "Argument[0]", "path-injection", "manual"]
- ["hudson", "FilePath", True, "write", "", "", "Argument[this]", "path-injection", "manual"]
- ["hudson", "FilePath", True, "write", "(String,String)", "", "Argument[0]", "file-content-store", "manual"]
- ["hudson", "Launcher$ProcStarter", False, "cmds", "", "", "Argument[0]", "command-injection", "manual"]
- ["hudson", "Launcher$ProcStarter", False, "cmdAsSingleString", "", "", "Argument[0]", "command-injection", "manual"]
- ["hudson", "Launcher", True, "launch", "", "", "Argument[0]", "command-injection", "manual"]
- ["hudson", "Launcher", True, "launchChannel", "", "", "Argument[0]", "command-injection", "manual"]
- addsTo:
pack: codeql/java-all
extensible: sourceModel
data:
- ["hudson", "Plugin", True, "configure", "", "", "Parameter", "remote", "manual"]
- ["hudson", "Plugin", True, "newInstance", "", "", "Parameter", "remote", "manual"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["hudson", "FilePath", False, "child", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
- ["hudson", "FilePath", False, "list", "(String,String,boolean)", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
- ["hudson", "FilePath", False, "list", "(String,String)", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
- ["hudson", "FilePath", False, "list", "(String)", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
- ["hudson", "FilePath", False, "normalize", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
- ["hudson", "FilePath", False, "sibling", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
- ["hudson", "FilePath", True, "FilePath", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["hudson", "FilePath", True, "FilePath", "(FilePath,String)", "", "Argument[0..1]", "Argument[this]", "taint", "manual"]
- ["hudson", "FilePath", True, "FilePath", "(VirtualChannel,String)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["hudson", "FilePath", True, "child", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
- ["hudson", "FilePath", True, "list", "(String,String,boolean)", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
- ["hudson", "FilePath", True, "list", "(String,String)", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
- ["hudson", "FilePath", True, "list", "(String)", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
- ["hudson", "FilePath", True, "normalize", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
- ["hudson", "FilePath", True, "sibling", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
- ["hudson", "Util", True, "nullify", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["hudson", "Util", True, "fixNull", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["hudson", "Util", True, "fixEmpty", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["hudson", "Util", True, "fixEmptyAndTrim", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["hudson", "Util", True, "getFileName", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["hudson", "Util", True, "join", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["hudson", "Util", True, "encodeRFC2396", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["hudson", "Util", True, "wrapToErrorSpan", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["hudson", "Util", True, "fileToPath", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["hudson", "Util", True, "xmlEscape", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["hudson", "Util", True, "escape", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["hudson", "Util", True, "singleQuote", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["hudson", "Util", True, "rawEncode", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["hudson", "Util", True, "encode", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["hudson", "Util", True, "fromHexString", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["hudson", "Util", True, "toHexString", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["hudson", "Util", True, "tokenize", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]

22
java/ql/lib/ext/hudson.util.model.yml
View File

@@ -7,6 +7,10 @@ extensions:
- ["hudson.util", "AtomicFileWriter", True, "AtomicFileWriter", "(Path,Charset,boolean,boolean)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["hudson.util", "AtomicFileWriter", True, "AtomicFileWriter", "(Path,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["hudson.util", "ClasspathBuilder", True, "add", "(FilePath)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["hudson.util", "FormValidation", True, "errorWithMarkup", "", "", "Argument[0]", "html-injection", "manual"]
- ["hudson.util", "FormValidation", True, "okWithMarkup", "", "", "Argument[0]", "html-injection", "manual"]
- ["hudson.util", "FormValidation", True, "respond", "", "", "Argument[1]", "html-injection", "manual"]
- ["hudson.util", "FormValidation", True, "warningWithMarkup", "", "", "Argument[0]", "html-injection", "manual"]
- ["hudson.util", "IOUtils", True, "mkdirs", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["hudson.util", "StreamTaskListener", True, "StreamTaskListener", "(File,boolean,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["hudson.util", "TextFile", True, "delete", "()", "", "Argument[this]", "path-injection", "manual"]
@@ -15,10 +19,28 @@ extensions:
- ["hudson.util", "TextFile", True, "lines", "()", "", "Argument[this]", "path-injection", "manual"]
- ["hudson.util", "TextFile", True, "read", "()", "", "Argument[this]", "path-injection", "manual"]
- ["hudson.util", "TextFile", True, "readTrim", "()", "", "Argument[this]", "path-injection", "manual"]
- ["hudson.util", "TextFile", True, "write", "(String)", "", "Argument[this]", "path-injection", "manual"]
- ["hudson.util", "TextFile", True, "write", "(String)", "", "Argument[0]", "file-content-store", "manual"]
- ["hudson.util", "HttpResponses", True, "staticResource", "(File)", "", "Argument[0]", "path-injection", "manual"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["hudson.util", "ArgumentListBuilder", True, "ArgumentListBuilder", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["hudson.util", "ArgumentListBuilder", True, "add", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["hudson.util", "ArgumentListBuilder", True, "clone", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["hudson.util", "ArgumentListBuilder", True, "prepend", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["hudson.util", "ArgumentListBuilder", True, "toCommandArray", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["hudson.util", "ArgumentListBuilder", True, "toList", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["hudson.util", "ArgumentListBuilder", True, "toWindowsCommand", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
# ArgumentListBuilder fluent methods
- ["hudson.util", "ArgumentListBuilder", True, "add", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["hudson.util", "ArgumentListBuilder", True, "addKeyValuePair", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["hudson.util", "ArgumentListBuilder", True, "addKeyValuePairs", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["hudson.util", "ArgumentListBuilder", True, "addKeyValuePairsFromPropertyString", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["hudson.util", "ArgumentListBuilder", True, "addMasked", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["hudson.util", "ArgumentListBuilder", True, "addQuoted", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["hudson.util", "ArgumentListBuilder", True, "addTokenized", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["hudson.util", "ArgumentListBuilder", True, "prepend", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["hudson.util", "QuotedStringTokenizer", True, "tokenize", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
- ["hudson.util", "TextFile", True, "TextFile", "(File)", "", "Argument[0]", "Argument[this]", "taint", "ai-manual"]

2
java/ql/lib/ext/io.netty.handler.ssl.model.yml
View File

@@ -5,3 +5,5 @@ extensions:
data:
- ["io.netty.handler.ssl", "OpenSslServerContext", False, "OpenSslServerContext", "(File,File)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["io.netty.handler.ssl", "SslContextBuilder", False, "forServer", "(File,File)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["io.netty.handler.ssl", "SslContextBuilder", False, "trustManager", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["io.netty.handler.ssl", "SslContextBuilder", False, "trustManager", "(InputStream)", "", "Argument[0]", "path-injection", "ai-manual"]

5
java/ql/lib/ext/java.io.model.yml
View File

@@ -3,6 +3,10 @@ extensions:
pack: codeql/java-all
extensible: sinkModel
data:
- ["java.io", "File", False, "File", "(File,String)", "", "Argument[1]", "path-injection", "manual"] # old PathCreation
- ["java.io", "File", False, "File", "(String)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
- ["java.io", "File", False, "File", "(String,String)", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation
- ["java.io", "File", False, "File", "(URI)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
- ["java.io", "File", True, "createTempFile", "(String,String,File)", "", "Argument[2]", "path-injection", "ai-manual"]
- ["java.io", "File", True, "renameTo", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.io", "FileInputStream", True, "FileInputStream", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
@@ -11,6 +15,7 @@ extensions:
- ["java.io", "FileOutputStream", False, "write", "", "", "Argument[0]", "file-content-store", "manual"]
- ["java.io", "FileReader", True, "FileReader", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.io", "FileReader", True, "FileReader", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.io", "FileReader", True, "FileReader", "(String,Charset)", "", "Argument[0]", "path-injection", "manual"]
- ["java.io", "FileSystem", True, "createDirectory", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.io", "FileWriter", False, "FileWriter", "", "", "Argument[0]", "path-injection", "manual"]
- ["java.io", "PrintStream", False, "PrintStream", "(File)", "", "Argument[0]", "path-injection", "manual"]

3
java/ql/lib/ext/java.lang.model.yml
View File

@@ -8,6 +8,9 @@ extensions:
- ["java.lang", "ClassLoader", True, "getSystemResource", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.lang", "ClassLoader", True, "getSystemResourceAsStream", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.lang", "Module", True, "getResourceAsStream", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
# These are potential vulnerabilities, but not for command-injection. No query for this kind of vulnerability currently exists.
# - ["java.lang", "Runtime", False, "load", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
# - ["java.lang", "Runtime", False, "loadLibrary", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
# These are modeled in plain CodeQL. TODO: migrate them.
# - ["java.lang", "ProcessBuilder", False, "command", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"]
# - ["java.lang", "ProcessBuilder", False, "directory", "(File)", "", "Argument[0]", "command-injection", "ai-manual"]

13
java/ql/lib/ext/java.nio.file.model.yml
View File

@@ -18,6 +18,7 @@ extensions:
- ["java.nio.file", "Files", False, "delete", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.nio.file", "Files", False, "deleteIfExists", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.nio.file", "Files", False, "deleteIfExists", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.nio.file", "Files", False, "getFileStore", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"] # the FileStore class is unlikely to be used for later sanitization
- ["java.nio.file", "Files", False, "lines", "(Path,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.nio.file", "Files", False, "lines", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.nio.file", "Files", False, "move", "", "", "Argument[1]", "path-injection", "manual"]
@@ -26,6 +27,7 @@ extensions:
- ["java.nio.file", "Files", False, "newBufferedWriter", "", "", "Argument[0]", "path-injection", "manual"]
- ["java.nio.file", "Files", False, "newInputStream", "(Path,OpenOption[])", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.nio.file", "Files", False, "newOutputStream", "", "", "Argument[0]", "path-injection", "manual"]
- ["java.nio.file", "Files", False, "probeContentType", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"] # accesses the file based on user input, but only reads its content type from it
- ["java.nio.file", "Files", False, "readAllBytes", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.nio.file", "Files", False, "readAllLines", "(Path,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.nio.file", "Files", False, "readAllLines", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
@@ -40,12 +42,23 @@ extensions:
- ["java.nio.file", "Files", True, "delete", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.nio.file", "Files", True, "newInputStream", "(Path,OpenOption[])", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.nio.file", "Files", True, "newOutputStream", "(Path,OpenOption[])", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.nio.file", "FileSystem", False, "getPath", "", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation
- ["java.nio.file", "Path", False, "of", "(String,String[])", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation
- ["java.nio.file", "Path", False, "of", "(URI)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
- ["java.nio.file", "Path", False, "resolve", "(String)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
- ["java.nio.file", "Path", False, "resolveSibling", "(String)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
- ["java.nio.file", "Paths", False, "get", "(String,String[])", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation
- ["java.nio.file", "Paths", False, "get", "(URI)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
- ["java.nio.file", "SecureDirectoryStream", True, "deleteDirectory", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.nio.file", "SecureDirectoryStream", True, "deleteFile", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["java.nio.file", "Files", False, "find", "(Path,int,BiPredicate,FileVisitOption[])", "", "Argument[0]", "ReturnValue.Element", "taint", "ai-manual"]
- ["java.nio.file", "Files", False, "find", "(Path,int,BiPredicate,FileVisitOption[])", "", "Argument[2]", "ReturnValue.Element", "taint", "ai-manual"]
- ["java.nio.file", "Files", False, "list", "(Path)", "", "Argument[0]", "ReturnValue.Element", "taint", "ai-manual"]
- ["java.nio.file", "Files", False, "readSymbolicLink", "(Path)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"] # this can be used to enumerate a file system
- ["java.nio.file", "Files", True, "newBufferedReader", "(Path,Charset)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
- ["java.nio.file", "Files", True, "newBufferedReader", "(Path)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
- ["java.nio.file", "Files", True, "newByteChannel", "(Path,OpenOption[])", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]

6
java/ql/lib/ext/java.sql.model.yml
View File

@@ -21,7 +21,6 @@ extensions:
extensible: summaryModel
data:
- ["java.sql", "Connection", True, "nativeSQL", "(String)", "", "Argument[0]", "ReturnValue", "taint", "hq-manual"]
- ["java.sql", "PreparedStatement", True, "setString", "(int,String)", "", "Argument[1]", "Argument[this]", "value", "manual"]
- ["java.sql", "ResultSet", True, "getString", "(String)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- addsTo:
@@ -31,13 +30,14 @@ extensions:
- ["java.sql", "Connection", "createStatement", "()", "summary", "manual"]
- ["java.sql", "PreparedStatement", "executeUpdate", "()", "summary", "manual"]
- ["java.sql", "PreparedStatement", "executeQuery", "()", "summary", "manual"]
- ["java.sql", "PreparedStatement", "setInt", "(int,int)", "summary", "manual"]
- ["java.sql", "PreparedStatement", "setLong", "(int,long)", "summary", "manual"]
- ["java.sql", "PreparedStatement", "setString", "(int,String)", "summary", "manual"]
- ["java.sql", "ResultSet", "next", "()", "summary", "manual"]
- ["java.sql", "Statement", "close", "()", "summary", "manual"]
# The below APIs have numeric flow and are currently being stored as neutral models.
# These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
- ["java.sql", "PreparedStatement", "setInt", "(int,int)", "summary", "manual"] # value-numeric
- ["java.sql", "PreparedStatement", "setLong", "(int,long)", "summary", "manual"] # value-numeric
- ["java.sql", "ResultSet", "getInt", "(int)", "summary", "manual"] # taint-numeric
- ["java.sql", "ResultSet", "getInt", "(String)", "summary", "manual"] # taint-numeric
- ["java.sql", "ResultSet", "getLong", "(String)", "summary", "manual"] # taint-numeric

2
java/ql/lib/ext/kotlin.io.model.yml
View File

@@ -11,6 +11,8 @@ extensions:
pack: codeql/java-all
extensible: summaryModel
data:
- ["kotlin.io", "CloseableKt", False, "use", "", "", "Argument[0]", "Argument[1].Parameter[0]", "value", "manual"]
- ["kotlin.io", "CloseableKt", False, "use", "", "", "Argument[1].ReturnValue", "ReturnValue", "value", "manual"]
- ["kotlin.io", "FilesKt", False, "normalize", "(File)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
- ["kotlin.io", "FilesKt", False, "relativeTo", "(File,File)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
- ["kotlin.io", "FilesKt", False, "relativeTo", "(File,File)", "", "Argument[1]", "ReturnValue", "taint", "ai-manual"]

7
java/ql/lib/ext/kotlin.model.yml Normal file
View File

@@ -0,0 +1,7 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["kotlin", "StandardKt", False, "with", "", "", "Argument[0]", "Argument[1].Parameter[0]", "value", "manual"]
- ["kotlin", "StandardKt", False, "with", "", "", "Argument[1].ReturnValue", "ReturnValue", "value", "manual"]

1
java/ql/lib/ext/okhttp3.model.yml
View File

@@ -58,3 +58,4 @@ extensions:
- ["okhttp3", "HttpUrl$Builder", False, "setQueryParameter", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["okhttp3", "HttpUrl$Builder", False, "setQueryParameter", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["okhttp3", "HttpUrl$Builder", False, "username", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["okhttp3", "Request$Builder", True, "build", "()", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]

6
java/ql/lib/ext/org.antlr.runtime.model.yml Normal file
View File

@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["org.antlr.runtime", "ANTLRFileStream", True, "ANTLRFileStream", "(String,String)", "", "Argument[0]", "path-injection", "ai-manual"]

6
java/ql/lib/ext/org.fusesource.leveldbjni.model.yml Normal file
View File

@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["org.fusesource.leveldbjni", "JniDBFactory", True, "open", "(File,Options)", "", "Argument[0]", "path-injection", "ai-manual"]

6
java/ql/lib/ext/org.influxdb.model.yml Normal file
View File

@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["org.influxdb", "InfluxDBFactory", False, "connect", "(String,String,String,Builder)", "", "Argument[0]", "request-forgery", "ai-manual"]

7
java/ql/lib/ext/org.springframework.core.io.model.yml Normal file
View File

@@ -0,0 +1,7 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["org.springframework.core.io", "ResourceLoader", True, "getResource", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["org.springframework.core.io", "ResourceLoader", True, "getResource", "(String)", "", "Argument[0]", "request-forgery", "manual"]

6
java/ql/lib/ext/org.yaml.snakeyaml.model.yml Normal file
View File

@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["org.yaml.snakeyaml", "Yaml", True, "load", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]

3
java/ql/lib/semmle/code/java/Expr.qll
View File

@@ -1809,9 +1809,6 @@ class LValue extends VarAccess {
* are source expressions of the assignment.
*/
Expr getRhs() { exists(Assignment e | e.getDest() = this and e.getSource() = result) }
/** DEPRECATED: Alias for getRhs */
deprecated Expr getRHS() { result = this.getRhs() }
}
/**

16
java/ql/lib/semmle/code/java/Type.qll
View File

@@ -987,6 +987,17 @@ private string getAPublicObjectMethodSignature() {
)
}
pragma[nomagic]
private predicate interfaceInheritsOverridingNonAbstractMethod(Interface interface, Method m) {
interface.inherits(m) and
not m.isAbstract() and
m.overrides(_)
}
bindingset[m]
pragma[inline_late]
private Method getAnOverridden(Method m) { m.overrides(result) }
private Method getAnAbstractMethod(Interface interface) {
interface.inherits(result) and
result.isAbstract() and
@@ -995,9 +1006,8 @@ private Method getAnAbstractMethod(Interface interface) {
// Make sure that there is no other non-abstract method
// (e.g. `default`) which overrides the abstract one
not exists(Method m |
interface.inherits(m) and
not m.isAbstract() and
m.overrides(result)
interfaceInheritsOverridingNonAbstractMethod(interface, m) and
result = getAnOverridden(m)
)
}

9
java/ql/lib/semmle/code/java/controlflow/internal/Preconditions.qll
View File

@@ -6,15 +6,6 @@
import java
/**
* DEPRECATED: Use `conditionCheckMethodArgument` instead.
* Holds if `m` is a non-overridable method that checks that its first argument
* is equal to `checkTrue` and throws otherwise.
*/
deprecated predicate conditionCheckMethod(Method m, boolean checkTrue) {
conditionCheckMethodArgument(m, 0, checkTrue)
}
/**
* Holds if `m` is a non-overridable method that checks that its zero-indexed `argument`
* is equal to `checkTrue` and throws otherwise.

7
java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
View File

@@ -36,6 +36,13 @@ abstract class RemoteFlowSource extends DataFlow::Node {
abstract string getSourceType();
}
/**
* A module for importing frameworks that define flow sources.
*/
private module FlowSources {
private import semmle.code.java.frameworks.hudson.Hudson
}
private class ExternalRemoteFlowSource extends RemoteFlowSource {
ExternalRemoteFlowSource() { sourceNode(this, "remote") }

5
java/ql/lib/semmle/code/java/dataflow/FlowSummary.qll
View File

@@ -149,8 +149,9 @@ class SummarizedCallableBase extends TSummarizedCallableBase {
or
result = this.asSyntheticCallable().getParameterType(pos)
or
exists(SyntheticCallable sc | sc = this.asSyntheticCallable() |
Impl::Private::summaryParameterNodeRange(this, pos) and
exists(SyntheticCallable sc, Impl::Private::SummaryNode p | sc = this.asSyntheticCallable() |
Impl::Private::summaryParameterNode(p, pos) and
this = p.getSummarizedCallable() and
not exists(sc.getParameterType(pos)) and
result instanceof TypeObject
)

3
java/ql/lib/semmle/code/java/dataflow/SSA.qll
View File

@@ -931,9 +931,6 @@ class SsaVariable extends TSsaVariable {
this = TSsaUntracked(_, result)
}
/** DEPRECATED: Alias for getCfgNode */
deprecated ControlFlowNode getCFGNode() { result = this.getCfgNode() }
/** Gets a textual representation of this SSA variable. */
string toString() { none() }

3
java/ql/lib/semmle/code/java/dataflow/internal/BaseSSA.qll
View File

@@ -483,9 +483,6 @@ class BaseSsaVariable extends TBaseSsaVariable {
this = TSsaEntryDef(_, result)
}
/** DEPRECATED: Alias for getCfgNode */
deprecated ControlFlowNode getCFGNode() { result = this.getCfgNode() }
string toString() { none() }
Location getLocation() { result = this.getCfgNode().getLocation() }

152
java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll
View File

@@ -1135,8 +1135,8 @@ module Impl<FullStateConfigSig Config> {
DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow
);
bindingset[node, state, t, ap]
predicate filter(NodeEx node, FlowState state, Typ t, Ap ap);
bindingset[node, state, t0, ap]
predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t);
bindingset[typ, contentType]
predicate typecheckStore(Typ typ, DataFlowType contentType);
@@ -1199,17 +1199,21 @@ module Impl<FullStateConfigSig Config> {
NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT,
ApOption argAp, Typ t, Ap ap, ApApprox apa
) {
fwdFlow0(node, state, cc, summaryCtx, argT, argAp, t, ap, apa) and
PrevStage::revFlow(node, state, apa) and
filter(node, state, t, ap)
fwdFlow1(node, state, cc, summaryCtx, argT, argAp, _, t, ap, apa)
}
pragma[inline]
additional predicate fwdFlow(
private predicate fwdFlow1(
NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT,
ApOption argAp, Typ t, Ap ap
ApOption argAp, Typ t0, Typ t, Ap ap, ApApprox apa
) {
fwdFlow(node, state, cc, summaryCtx, argT, argAp, t, ap, _)
fwdFlow0(node, state, cc, summaryCtx, argT, argAp, t0, ap, apa) and
PrevStage::revFlow(node, state, apa) and
filter(node, state, t0, ap, t)
}
pragma[nomagic]
private predicate typeStrengthen(Typ t0, Ap ap, Typ t) {
fwdFlow1(_, _, _, _, _, _, t0, t, ap, _) and t0 != t
}
pragma[assume_small_delta]
@@ -1339,6 +1343,11 @@ module Impl<FullStateConfigSig Config> {
private predicate fwdFlowConsCand(Typ t2, Ap cons, Content c, Typ t1, Ap tail) {
fwdFlowStore(_, t1, tail, c, t2, _, _, _, _, _, _) and
cons = apCons(c, t1, tail)
or
exists(Typ t0 |
typeStrengthen(t0, cons, t2) and
fwdFlowConsCand(t0, cons, c, t1, tail)
)
}
pragma[nomagic]
@@ -1359,7 +1368,7 @@ module Impl<FullStateConfigSig Config> {
ParamNodeOption summaryCtx, TypOption argT, ApOption argAp
) {
exists(ApHeadContent apc |
fwdFlow(node1, state, cc, summaryCtx, argT, argAp, t, ap) and
fwdFlow(node1, state, cc, summaryCtx, argT, argAp, t, ap, _) and
apc = getHeadContent(ap) and
readStepCand0(node1, apc, c, node2)
)
@@ -1520,14 +1529,14 @@ module Impl<FullStateConfigSig Config> {
NodeEx node, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap
) {
revFlow0(node, state, returnCtx, returnAp, ap) and
fwdFlow(node, state, _, _, _, _, _, ap)
fwdFlow(node, state, _, _, _, _, _, ap, _)
}
pragma[nomagic]
private predicate revFlow0(
NodeEx node, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap
) {
fwdFlow(node, state, _, _, _, _, _, ap) and
fwdFlow(node, state, _, _, _, _, _, ap, _) and
sinkNode(node, state) and
(
if hasSinkCallCtx()
@@ -1780,13 +1789,13 @@ module Impl<FullStateConfigSig Config> {
boolean fwd, int nodes, int fields, int conscand, int states, int tuples
) {
fwd = true and
nodes = count(NodeEx node | fwdFlow(node, _, _, _, _, _, _, _)) and
nodes = count(NodeEx node | fwdFlow(node, _, _, _, _, _, _, _, _)) and
fields = count(Content f0 | fwdConsCand(f0, _, _)) and
conscand = count(Content f0, Typ t, Ap ap | fwdConsCand(f0, t, ap)) and
states = count(FlowState state | fwdFlow(_, state, _, _, _, _, _, _)) and
states = count(FlowState state | fwdFlow(_, state, _, _, _, _, _, _, _)) and
tuples =
count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT,
ApOption argAp, Typ t, Ap ap | fwdFlow(n, state, cc, summaryCtx, argT, argAp, t, ap))
ApOption argAp, Typ t, Ap ap | fwdFlow(n, state, cc, summaryCtx, argT, argAp, t, ap, _))
or
fwd = false and
nodes = count(NodeEx node | revFlow(node, _, _, _, _)) and
@@ -1963,10 +1972,10 @@ module Impl<FullStateConfigSig Config> {
)
}
bindingset[node, state, t, ap]
predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) {
bindingset[node, state, t0, ap]
predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) {
PrevStage::revFlowState(state) and
exists(t) and
t0 = t and
exists(ap) and
not stateBarrier(node, state) and
(
@@ -2197,8 +2206,8 @@ module Impl<FullStateConfigSig Config> {
import BooleanCallContext
predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
DataFlowType t, LocalCc lcc
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t,
LocalCc lcc
) {
localFlowBigStep(node1, state1, node2, state2, preservesValue, t, _) and
exists(lcc)
@@ -2218,10 +2227,16 @@ module Impl<FullStateConfigSig Config> {
)
}
bindingset[node, state, t, ap]
predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) {
bindingset[node, state, t0, ap]
predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) {
exists(state) and
(if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and
// We can get away with not using type strengthening here, since we aren't
// going to use the tracked types in the construction of Stage 4 access
// paths. For Stage 4 and onwards, the tracked types must be consistent as
// the cons candidates including types are used to construct subsequent
// access path approximations.
t0 = t and
(if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t0) else any()) and
(
notExpectsContent(node)
or
@@ -2241,6 +2256,16 @@ module Impl<FullStateConfigSig Config> {
import MkStage<Stage2>::Stage<Stage3Param>
}
bindingset[node, t0]
private predicate strengthenType(NodeEx node, DataFlowType t0, DataFlowType t) {
if castingNodeEx(node)
then
exists(DataFlowType nt | nt = node.getDataFlowType() |
if typeStrongerThan(nt, t0) then t = nt else (compatibleTypes(nt, t0) and t = t0)
)
else t = t0
}
private module Stage4Param implements MkStage<Stage3>::StageParam {
private module PrevStage = Stage3;
@@ -2274,8 +2299,8 @@ module Impl<FullStateConfigSig Config> {
pragma[nomagic]
predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
DataFlowType t, LocalCc lcc
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t,
LocalCc lcc
) {
localFlowBigStep(node1, state1, node2, state2, preservesValue, t, _) and
PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and
@@ -2333,11 +2358,11 @@ module Impl<FullStateConfigSig Config> {
)
}
bindingset[node, state, t, ap]
predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) {
bindingset[node, state, t0, ap]
predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) {
exists(state) and
not clear(node, ap) and
(if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and
strengthenType(node, t0, t) and
(
notExpectsContent(node)
or
@@ -2365,7 +2390,7 @@ module Impl<FullStateConfigSig Config> {
exists(AccessPathFront apf |
Stage4::revFlow(node, state, TReturnCtxMaybeFlowThrough(_), _, apf) and
Stage4::fwdFlow(node, state, any(Stage4::CcCall ccc), _, _, TAccessPathFrontSome(argApf), _,
apf)
apf, _)
)
}
@@ -2579,8 +2604,8 @@ module Impl<FullStateConfigSig Config> {
import LocalCallContext
predicate localStep(
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
DataFlowType t, LocalCc lcc
NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t,
LocalCc lcc
) {
localFlowBigStep(node1, state1, node2, state2, preservesValue, t, lcc) and
PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and
@@ -2609,9 +2634,9 @@ module Impl<FullStateConfigSig Config> {
)
}
bindingset[node, state, t, ap]
predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) {
(if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and
bindingset[node, state, t0, ap]
predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) {
strengthenType(node, t0, t) and
exists(state) and
exists(ap)
}
@@ -2632,7 +2657,7 @@ module Impl<FullStateConfigSig Config> {
Stage5::parameterMayFlowThrough(p, _) and
Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0) and
Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()), _,
TAccessPathApproxSome(apa), _, apa0)
TAccessPathApproxSome(apa), _, apa0, _)
)
}
@@ -2649,7 +2674,7 @@ module Impl<FullStateConfigSig Config> {
TSummaryCtxSome(ParamNodeEx p, FlowState state, DataFlowType t, AccessPath ap) {
exists(AccessPathApprox apa | ap.getApprox() = apa |
Stage5::parameterMayFlowThrough(p, apa) and
Stage5::fwdFlow(p, state, _, _, _, _, t, apa) and
Stage5::fwdFlow(p, state, _, _, Option<DataFlowType>::some(t), _, _, apa, _) and
Stage5::revFlow(p, state, _)
)
}
@@ -2820,9 +2845,7 @@ module Impl<FullStateConfigSig Config> {
ap = TAccessPathNil()
or
// ... or a step from an existing PathNode to another node.
pathStep(_, node, state, cc, sc, t, ap) and
Stage5::revFlow(node, state, ap.getApprox()) and
(if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any())
pathStep(_, node, state, cc, sc, t, ap)
} or
TPathNodeSink(NodeEx node, FlowState state) {
exists(PathNodeMid sink |
@@ -3340,13 +3363,24 @@ module Impl<FullStateConfigSig Config> {
ap = mid.getAp()
}
private predicate pathStep(
PathNodeMid mid, NodeEx node, FlowState state, CallContext cc, SummaryCtx sc, DataFlowType t,
AccessPath ap
) {
exists(DataFlowType t0 |
pathStep0(mid, node, state, cc, sc, t0, ap) and
Stage5::revFlow(node, state, ap.getApprox()) and
strengthenType(node, t0, t)
)
}
/**
* Holds if data may flow from `mid` to `node`. The last step in or out of
* a callable is recorded by `cc`.
*/
pragma[assume_small_delta]
pragma[nomagic]
private predicate pathStep(
private predicate pathStep0(
PathNodeMid mid, NodeEx node, FlowState state, CallContext cc, SummaryCtx sc, DataFlowType t,
AccessPath ap
) {
@@ -3964,7 +3998,7 @@ module Impl<FullStateConfigSig Config> {
ap = TPartialNil() and
exists(explorationLimit())
or
partialPathNodeMk0(node, state, cc, sc1, sc2, sc3, sc4, t, ap) and
partialPathStep(_, node, state, cc, sc1, sc2, sc3, sc4, t, ap) and
distSrc(node.getEnclosingCallable()) <= explorationLimit()
} or
TPartialPathNodeRev(
@@ -3990,11 +4024,20 @@ module Impl<FullStateConfigSig Config> {
}
pragma[nomagic]
private predicate partialPathNodeMk0(
NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap
private predicate partialPathStep(
PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1,
TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap
) {
partialPathStep(_, node, state, cc, sc1, sc2, sc3, sc4, t, ap) and
partialPathStep1(mid, node, state, cc, sc1, sc2, sc3, sc4, _, t, ap)
}
pragma[nomagic]
private predicate partialPathStep1(
PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1,
TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t0, DataFlowType t,
PartialAccessPath ap
) {
partialPathStep0(mid, node, state, cc, sc1, sc2, sc3, sc4, t0, ap) and
not fullBarrier(node) and
not stateBarrier(node, state) and
not clearsContentEx(node, ap.getHead()) and
@@ -4002,9 +4045,14 @@ module Impl<FullStateConfigSig Config> {
notExpectsContent(node) or
expectsContentEx(node, ap.getHead())
) and
if node.asNode() instanceof CastingNode
then compatibleTypes(node.getDataFlowType(), t)
else any()
strengthenType(node, t0, t)
}
pragma[nomagic]
private predicate partialPathTypeStrengthen(
DataFlowType t0, PartialAccessPath ap, DataFlowType t
) {
partialPathStep1(_, _, _, _, _, _, _, _, t0, t, ap) and t0 != t
}
/**
@@ -4183,7 +4231,8 @@ module Impl<FullStateConfigSig Config> {
}
}
private predicate partialPathStep(
pragma[nomagic]
private predicate partialPathStep0(
PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1,
TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap
) {
@@ -4309,6 +4358,11 @@ module Impl<FullStateConfigSig Config> {
DataFlowType t1, PartialAccessPath ap1, Content c, DataFlowType t2, PartialAccessPath ap2
) {
partialPathStoreStep(_, t1, ap1, c, _, t2, ap2)
or
exists(DataFlowType t0 |
partialPathTypeStrengthen(t0, ap2, t2) and
apConsFwd(t1, ap1, c, t0, ap2)
)
}
pragma[nomagic]

78
java/ql/lib/semmle/code/java/dataflow/internal/DataFlowNodes.qll
View File

@@ -54,12 +54,7 @@ private module Cached {
fa.getField() instanceof InstanceField and ia.isImplicitFieldQualifier(fa)
)
} or
TSummaryInternalNode(SummarizedCallable c, FlowSummaryImpl::Private::SummaryNodeState state) {
FlowSummaryImpl::Private::summaryNodeRange(c, state)
} or
TSummaryParameterNode(SummarizedCallable c, int pos) {
FlowSummaryImpl::Private::summaryParameterNodeRange(c, pos)
} or
TFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn) or
TFieldValueNode(Field f)
cached
@@ -132,8 +127,6 @@ module Public {
or
result = this.(ImplicitPostUpdateNode).getPreUpdateNode().getType()
or
result = this.(SummaryParameterNode).getTypeImpl()
or
result = this.(FieldValueNode).getField().getType()
}
@@ -378,8 +371,7 @@ module Private {
result.asCallable() = n.(ImplicitInstanceAccess).getInstanceAccess().getEnclosingCallable() or
result.asCallable() = n.(MallocNode).getClassInstanceExpr().getEnclosingCallable() or
result = nodeGetEnclosingCallable(n.(ImplicitPostUpdateNode).getPreUpdateNode()) or
n = TSummaryInternalNode(result.asSummarizedCallable(), _) or
n = TSummaryParameterNode(result.asSummarizedCallable(), _) or
result.asSummarizedCallable() = n.(FlowSummaryNode).getSummarizedCallable() or
result.asFieldScope() = n.(FieldValueNode).getField()
}
@@ -407,7 +399,7 @@ module Private {
or
this = getInstanceArgument(_)
or
this.(SummaryNode).isArgumentOf(_, _)
this.(FlowSummaryNode).isArgumentOf(_, _)
}
/**
@@ -424,7 +416,7 @@ module Private {
or
pos = -1 and this = getInstanceArgument(call.asCall())
or
this.(SummaryNode).isArgumentOf(call, pos)
this.(FlowSummaryNode).isArgumentOf(call, pos)
}
/** Gets the call in which this node is an argument. */
@@ -435,7 +427,7 @@ module Private {
class ReturnNode extends Node {
ReturnNode() {
exists(ReturnStmt ret | this.asExpr() = ret.getResult()) or
this.(SummaryNode).isReturn()
this.(FlowSummaryNode).isReturn()
}
/** Gets the kind of this returned value. */
@@ -447,61 +439,57 @@ module Private {
OutNode() {
this.asExpr() instanceof MethodAccess
or
this.(SummaryNode).isOut(_)
this.(FlowSummaryNode).isOut(_)
}
/** Gets the underlying call. */
DataFlowCall getCall() {
result.asCall() = this.asExpr()
or
this.(SummaryNode).isOut(result)
this.(FlowSummaryNode).isOut(result)
}
}
/**
* A data-flow node used to model flow summaries.
*/
class SummaryNode extends Node, TSummaryInternalNode {
private SummarizedCallable c;
private FlowSummaryImpl::Private::SummaryNodeState state;
class FlowSummaryNode extends Node, TFlowSummaryNode {
FlowSummaryImpl::Private::SummaryNode getSummaryNode() { this = TFlowSummaryNode(result) }
SummaryNode() { this = TSummaryInternalNode(c, state) }
SummarizedCallable getSummarizedCallable() {
result = this.getSummaryNode().getSummarizedCallable()
}
override Location getLocation() { result = c.getLocation() }
override Location getLocation() { result = this.getSummarizedCallable().getLocation() }
override string toString() { result = "[summary] " + state + " in " + c }
override string toString() { result = this.getSummaryNode().toString() }
/** Holds if this summary node is the `i`th argument of `call`. */
predicate isArgumentOf(DataFlowCall call, int i) {
FlowSummaryImpl::Private::summaryArgumentNode(call, this, i)
FlowSummaryImpl::Private::summaryArgumentNode(call, this.getSummaryNode(), i)
}
/** Holds if this summary node is a return node. */
predicate isReturn() { FlowSummaryImpl::Private::summaryReturnNode(this, _) }
predicate isReturn() { FlowSummaryImpl::Private::summaryReturnNode(this.getSummaryNode(), _) }
/** Holds if this summary node is an out node for `call`. */
predicate isOut(DataFlowCall call) { FlowSummaryImpl::Private::summaryOutNode(call, this, _) }
predicate isOut(DataFlowCall call) {
FlowSummaryImpl::Private::summaryOutNode(call, this.getSummaryNode(), _)
}
}
SummaryNode getSummaryNode(SummarizedCallable c, FlowSummaryImpl::Private::SummaryNodeState state) {
result = TSummaryInternalNode(c, state)
}
class SummaryParameterNode extends ParameterNode, TSummaryParameterNode {
private SummarizedCallable sc;
private int pos_;
SummaryParameterNode() { this = TSummaryParameterNode(sc, pos_) }
override Location getLocation() { result = sc.getLocation() }
override string toString() { result = "[summary param] " + pos_ + " in " + sc }
override predicate isParameterOf(DataFlowCallable c, int pos) {
c.asSummarizedCallable() = sc and pos = pos_
class SummaryParameterNode extends ParameterNode, FlowSummaryNode {
SummaryParameterNode() {
FlowSummaryImpl::Private::summaryParameterNode(this.getSummaryNode(), _)
}
Type getTypeImpl() { result = sc.getParameterType(pos_) }
private int getPosition() {
FlowSummaryImpl::Private::summaryParameterNode(this.getSummaryNode(), result)
}
override predicate isParameterOf(DataFlowCallable c, int pos) {
c.asSummarizedCallable() = this.getSummarizedCallable() and pos = this.getPosition()
}
}
}
@@ -523,10 +511,12 @@ private class MallocNode extends Node, TMallocNode {
ClassInstanceExpr getClassInstanceExpr() { result = cie }
}
private class SummaryPostUpdateNode extends SummaryNode, PostUpdateNode {
private Node pre;
private class SummaryPostUpdateNode extends FlowSummaryNode, PostUpdateNode {
private FlowSummaryNode pre;
SummaryPostUpdateNode() { FlowSummaryImpl::Private::summaryPostUpdateNode(this, pre) }
SummaryPostUpdateNode() {
FlowSummaryImpl::Private::summaryPostUpdateNode(this.getSummaryNode(), pre.getSummaryNode())
}
override Node getPreUpdateNode() { result = pre }
}

39
java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
View File

@@ -85,7 +85,8 @@ predicate jumpStep(Node node1, Node node2) {
any(AdditionalValueStep a).step(node1, node2) and
node1.getEnclosingCallable() != node2.getEnclosingCallable()
or
FlowSummaryImpl::Private::Steps::summaryJumpStep(node1, node2)
FlowSummaryImpl::Private::Steps::summaryJumpStep(node1.(FlowSummaryNode).getSummaryNode(),
node2.(FlowSummaryNode).getSummaryNode())
}
/**
@@ -114,7 +115,8 @@ predicate storeStep(Node node1, Content f, Node node2) {
or
f instanceof ArrayContent and arrayStoreStep(node1, node2)
or
FlowSummaryImpl::Private::Steps::summaryStoreStep(node1, f, node2)
FlowSummaryImpl::Private::Steps::summaryStoreStep(node1.(FlowSummaryNode).getSummaryNode(), f,
node2.(FlowSummaryNode).getSummaryNode())
}
/**
@@ -145,7 +147,8 @@ predicate readStep(Node node1, Content f, Node node2) {
or
f instanceof CollectionContent and collectionReadStep(node1, node2)
or
FlowSummaryImpl::Private::Steps::summaryReadStep(node1, f, node2)
FlowSummaryImpl::Private::Steps::summaryReadStep(node1.(FlowSummaryNode).getSummaryNode(), f,
node2.(FlowSummaryNode).getSummaryNode())
}
/**
@@ -160,7 +163,7 @@ predicate clearsContent(Node n, Content c) {
c.(FieldContent).getField() = fa.getField()
)
or
FlowSummaryImpl::Private::Steps::summaryClearsContent(n, c)
FlowSummaryImpl::Private::Steps::summaryClearsContent(n.(FlowSummaryNode).getSummaryNode(), c)
}
/**
@@ -168,7 +171,7 @@ predicate clearsContent(Node n, Content c) {
* at node `n`.
*/
predicate expectsContent(Node n, ContentSet c) {
FlowSummaryImpl::Private::Steps::summaryExpectsContent(n, c)
FlowSummaryImpl::Private::Steps::summaryExpectsContent(n.(FlowSummaryNode).getSummaryNode(), c)
}
/**
@@ -176,7 +179,7 @@ predicate expectsContent(Node n, ContentSet c) {
* possible flow. A single type is used for all numeric types to account for
* numeric conversions, and otherwise the erasure is used.
*/
DataFlowType getErasedRepr(Type t) {
RefType getErasedRepr(Type t) {
exists(Type e | e = t.getErasure() |
if e instanceof NumericOrCharType
then result.(BoxedType).getPrimitiveType().getName() = "double"
@@ -189,11 +192,18 @@ DataFlowType getErasedRepr(Type t) {
t instanceof NullType and result instanceof TypeObject
}
class DataFlowType extends SrcRefType {
DataFlowType() { this = getErasedRepr(_) }
}
pragma[nomagic]
predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { t1.getASourceSupertype+() = t2 }
pragma[noinline]
DataFlowType getNodeType(Node n) {
result = getErasedRepr(n.getTypeBound())
or
result = FlowSummaryImpl::Private::summaryNodeType(n)
result = FlowSummaryImpl::Private::summaryNodeType(n.(FlowSummaryNode).getSummaryNode())
}
/** Gets a string representation of a type returned by `getErasedRepr`. */
@@ -259,11 +269,9 @@ class DataFlowCallable extends TDataFlowCallable {
class DataFlowExpr = Expr;
class DataFlowType = RefType;
private newtype TDataFlowCall =
TCall(Call c) or
TSummaryCall(SummarizedCallable c, Node receiver) {
TSummaryCall(SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver) {
FlowSummaryImpl::Private::summaryCallbackRange(c, receiver)
}
@@ -313,12 +321,12 @@ class SrcCall extends DataFlowCall, TCall {
/** A synthesized call inside a `SummarizedCallable`. */
class SummaryCall extends DataFlowCall, TSummaryCall {
private SummarizedCallable c;
private Node receiver;
private FlowSummaryImpl::Private::SummaryNode receiver;
SummaryCall() { this = TSummaryCall(c, receiver) }
/** Gets the data flow node that this call targets. */
Node getReceiver() { result = receiver }
FlowSummaryImpl::Private::SummaryNode getReceiver() { result = receiver }
override DataFlowCallable getEnclosingCallable() { result.asSummarizedCallable() = c }
@@ -378,10 +386,7 @@ predicate forceHighPrecision(Content c) {
}
/** Holds if `n` should be hidden from path explanations. */
predicate nodeIsHidden(Node n) {
n instanceof SummaryNode or
n instanceof SummaryParameterNode
}
predicate nodeIsHidden(Node n) { n instanceof FlowSummaryNode }
class LambdaCallKind = Method; // the "apply" method in the functional interface
@@ -399,7 +404,7 @@ predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c)
/** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
receiver = call.(SummaryCall).getReceiver() and
receiver.(FlowSummaryNode).getSummaryNode() = call.(SummaryCall).getReceiver() and
getNodeDataFlowType(receiver)
.getSourceDeclaration()
.(FunctionalInterface)

3
java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll
View File

@@ -183,7 +183,8 @@ private predicate simpleLocalFlowStep0(Node node1, Node node2) {
node1.(ArgumentNode).argumentOf(any(DataFlowCall c | c.asCall() = ma), argNo)
)
or
FlowSummaryImpl::Private::Steps::summaryLocalStep(node1, node2, true)
FlowSummaryImpl::Private::Steps::summaryLocalStep(node1.(FlowSummaryNode).getSummaryNode(),
node2.(FlowSummaryNode).getSummaryNode(), true)
}
/**

196
java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
View File

@@ -180,6 +180,11 @@ module Public {
result = "Argument[" + getParameterPosition(pos) + "]"
)
or
exists(string synthetic |
sc = TSyntheticGlobalSummaryComponent(synthetic) and
result = "SyntheticGlobal[" + synthetic + "]"
)
or
sc = TReturnSummaryComponent(getReturnValueKind()) and result = "ReturnValue"
}
@@ -505,6 +510,9 @@ module Private {
or
// Add the post-update node corresponding to the requested argument node
outputState(c, s) and isCallbackParameter(s)
or
// Add the parameter node for parameter side-effects
outputState(c, s) and s = SummaryComponentStack::argument(_)
}
private newtype TSummaryNodeState =
@@ -530,7 +538,7 @@ module Private {
* this state represents that the components in `s` _remain to be written_ to
* the output.
*/
class SummaryNodeState extends TSummaryNodeState {
private class SummaryNodeState extends TSummaryNodeState {
/** Holds if this state is a valid input state for `c`. */
pragma[nomagic]
predicate isInputState(SummarizedCallable c, SummaryComponentStack s) {
@@ -559,6 +567,42 @@ module Private {
}
}
private newtype TSummaryNode =
TSummaryInternalNode(SummarizedCallable c, SummaryNodeState state) {
summaryNodeRange(c, state)
} or
TSummaryParameterNode(SummarizedCallable c, ParameterPosition pos) {
summaryParameterNodeRange(c, pos)
}
abstract class SummaryNode extends TSummaryNode {
abstract string toString();
abstract SummarizedCallable getSummarizedCallable();
}
private class SummaryInternalNode extends SummaryNode, TSummaryInternalNode {
private SummarizedCallable c;
private SummaryNodeState state;
SummaryInternalNode() { this = TSummaryInternalNode(c, state) }
override string toString() { result = "[summary] " + state + " in " + c }
override SummarizedCallable getSummarizedCallable() { result = c }
}
private class SummaryParamNode extends SummaryNode, TSummaryParameterNode {
private SummarizedCallable c;
private ParameterPosition pos;
SummaryParamNode() { this = TSummaryParameterNode(c, pos) }
override string toString() { result = "[summary param] " + pos + " in " + c }
override SummarizedCallable getSummarizedCallable() { result = c }
}
/**
* Holds if `state` represents having read from a parameter at position
* `pos` in `c`. In this case we are not synthesizing a data-flow node,
@@ -574,7 +618,7 @@ module Private {
* Holds if a synthesized summary node is needed for the state `state` in summarized
* callable `c`.
*/
predicate summaryNodeRange(SummarizedCallable c, SummaryNodeState state) {
private predicate summaryNodeRange(SummarizedCallable c, SummaryNodeState state) {
state.isInputState(c, _) and
not parameterReadState(c, state, _)
or
@@ -582,22 +626,22 @@ module Private {
}
pragma[noinline]
private Node summaryNodeInputState(SummarizedCallable c, SummaryComponentStack s) {
private SummaryNode summaryNodeInputState(SummarizedCallable c, SummaryComponentStack s) {
exists(SummaryNodeState state | state.isInputState(c, s) |
result = summaryNode(c, state)
result = TSummaryInternalNode(c, state)
or
exists(ParameterPosition pos |
parameterReadState(c, state, pos) and
result.(ParamNode).isParameterOf(inject(c), pos)
result = TSummaryParameterNode(c, pos)
)
)
}
pragma[noinline]
private Node summaryNodeOutputState(SummarizedCallable c, SummaryComponentStack s) {
private SummaryNode summaryNodeOutputState(SummarizedCallable c, SummaryComponentStack s) {
exists(SummaryNodeState state |
state.isOutputState(c, s) and
result = summaryNode(c, state)
result = TSummaryInternalNode(c, state)
)
}
@@ -605,12 +649,14 @@ module Private {
* Holds if a write targets `post`, which is a post-update node for a
* parameter at position `pos` in `c`.
*/
private predicate isParameterPostUpdate(Node post, SummarizedCallable c, ParameterPosition pos) {
private predicate isParameterPostUpdate(
SummaryNode post, SummarizedCallable c, ParameterPosition pos
) {
post = summaryNodeOutputState(c, SummaryComponentStack::argument(pos))
}
/** Holds if a parameter node at position `pos` is required for `c`. */
predicate summaryParameterNodeRange(SummarizedCallable c, ParameterPosition pos) {
private predicate summaryParameterNodeRange(SummarizedCallable c, ParameterPosition pos) {
parameterReadState(c, _, pos)
or
// Same as `isParameterPostUpdate(_, c, pos)`, but can be used in a negative context
@@ -618,7 +664,7 @@ module Private {
}
private predicate callbackOutput(
SummarizedCallable c, SummaryComponentStack s, Node receiver, ReturnKind rk
SummarizedCallable c, SummaryComponentStack s, SummaryNode receiver, ReturnKind rk
) {
any(SummaryNodeState state).isInputState(c, s) and
s.head() = TReturnSummaryComponent(rk) and
@@ -626,7 +672,7 @@ module Private {
}
private predicate callbackInput(
SummarizedCallable c, SummaryComponentStack s, Node receiver, ArgumentPosition pos
SummarizedCallable c, SummaryComponentStack s, SummaryNode receiver, ArgumentPosition pos
) {
any(SummaryNodeState state).isOutputState(c, s) and
s.head() = TParameterSummaryComponent(pos) and
@@ -634,7 +680,7 @@ module Private {
}
/** Holds if a call targeting `receiver` should be synthesized inside `c`. */
predicate summaryCallbackRange(SummarizedCallable c, Node receiver) {
predicate summaryCallbackRange(SummarizedCallable c, SummaryNode receiver) {
callbackOutput(c, _, receiver, _)
or
callbackInput(c, _, receiver, _)
@@ -647,10 +693,10 @@ module Private {
* `getContentType()`, `getReturnType()`, `getCallbackParameterType()`, and
* `getCallbackReturnType()`.
*/
DataFlowType summaryNodeType(Node n) {
exists(Node pre |
DataFlowType summaryNodeType(SummaryNode n) {
exists(SummaryNode pre |
summaryPostUpdateNode(n, pre) and
result = getNodeType(pre)
result = summaryNodeType(pre)
)
or
exists(SummarizedCallable c, SummaryComponentStack s, SummaryComponent head | head = s.head() |
@@ -662,12 +708,12 @@ module Private {
)
or
head = TWithoutContentSummaryComponent(_) and
result = getNodeType(summaryNodeInputState(c, s.tail()))
result = summaryNodeType(summaryNodeInputState(c, s.tail()))
or
exists(ReturnKind rk |
head = TReturnSummaryComponent(rk) and
result =
getCallbackReturnType(getNodeType(summaryNodeInputState(pragma[only_bind_out](c),
getCallbackReturnType(summaryNodeType(summaryNodeInputState(pragma[only_bind_out](c),
s.tail())), rk)
)
or
@@ -675,6 +721,11 @@ module Private {
head = TSyntheticGlobalSummaryComponent(sg) and
result = getSyntheticGlobalType(sg)
)
or
exists(ParameterPosition pos |
head = TArgumentSummaryComponent(pos) and
result = getParameterType(c, pos)
)
)
or
n = summaryNodeOutputState(c, s) and
@@ -691,7 +742,7 @@ module Private {
or
exists(ArgumentPosition pos | head = TParameterSummaryComponent(pos) |
result =
getCallbackParameterType(getNodeType(summaryNodeInputState(pragma[only_bind_out](c),
getCallbackParameterType(summaryNodeType(summaryNodeInputState(pragma[only_bind_out](c),
s.tail())), pos)
)
or
@@ -703,9 +754,14 @@ module Private {
)
}
/** Holds if summary node `p` is a parameter with position `pos`. */
predicate summaryParameterNode(SummaryNode p, ParameterPosition pos) {
p = TSummaryParameterNode(_, pos)
}
/** Holds if summary node `out` contains output of kind `rk` from call `c`. */
predicate summaryOutNode(DataFlowCall c, Node out, ReturnKind rk) {
exists(SummarizedCallable callable, SummaryComponentStack s, Node receiver |
predicate summaryOutNode(DataFlowCall c, SummaryNode out, ReturnKind rk) {
exists(SummarizedCallable callable, SummaryComponentStack s, SummaryNode receiver |
callbackOutput(callable, s, receiver, rk) and
out = summaryNodeInputState(callable, s) and
c = summaryDataFlowCall(receiver)
@@ -713,8 +769,8 @@ module Private {
}
/** Holds if summary node `arg` is at position `pos` in the call `c`. */
predicate summaryArgumentNode(DataFlowCall c, Node arg, ArgumentPosition pos) {
exists(SummarizedCallable callable, SummaryComponentStack s, Node receiver |
predicate summaryArgumentNode(DataFlowCall c, SummaryNode arg, ArgumentPosition pos) {
exists(SummarizedCallable callable, SummaryComponentStack s, SummaryNode receiver |
callbackInput(callable, s, receiver, pos) and
arg = summaryNodeOutputState(callable, s) and
c = summaryDataFlowCall(receiver)
@@ -722,10 +778,10 @@ module Private {
}
/** Holds if summary node `post` is a post-update node with pre-update node `pre`. */
predicate summaryPostUpdateNode(Node post, Node pre) {
predicate summaryPostUpdateNode(SummaryNode post, SummaryNode pre) {
exists(SummarizedCallable c, ParameterPosition pos |
isParameterPostUpdate(post, c, pos) and
pre.(ParamNode).isParameterOf(inject(c), pos)
pre = TSummaryParameterNode(c, pos)
)
or
exists(SummarizedCallable callable, SummaryComponentStack s |
@@ -736,7 +792,7 @@ module Private {
}
/** Holds if summary node `ret` is a return node of kind `rk`. */
predicate summaryReturnNode(Node ret, ReturnKind rk) {
predicate summaryReturnNode(SummaryNode ret, ReturnKind rk) {
exists(SummaryComponentStack s |
ret = summaryNodeOutputState(_, s) and
s = TSingletonSummaryComponentStack(TReturnSummaryComponent(rk))
@@ -748,7 +804,9 @@ module Private {
* node, and back out to `p`.
*/
predicate summaryAllowParameterReturnInSelf(ParamNode p) {
exists(SummarizedCallable c, ParameterPosition ppos | p.isParameterOf(inject(c), ppos) |
exists(SummarizedCallable c, ParameterPosition ppos |
p.isParameterOf(inject(c), pragma[only_bind_into](ppos))
|
exists(SummaryComponentStack inputContents, SummaryComponentStack outputContents |
summary(c, inputContents, outputContents, _) and
inputContents.bottom() = pragma[only_bind_into](TArgumentSummaryComponent(ppos)) and
@@ -763,7 +821,7 @@ module Private {
* Holds if there is a local step from `pred` to `succ`, which is synthesized
* from a flow summary.
*/
predicate summaryLocalStep(Node pred, Node succ, boolean preservesValue) {
predicate summaryLocalStep(SummaryNode pred, SummaryNode succ, boolean preservesValue) {
exists(
SummarizedCallable c, SummaryComponentStack inputContents,
SummaryComponentStack outputContents
@@ -789,7 +847,7 @@ module Private {
* Holds if there is a read step of content `c` from `pred` to `succ`, which
* is synthesized from a flow summary.
*/
predicate summaryReadStep(Node pred, ContentSet c, Node succ) {
predicate summaryReadStep(SummaryNode pred, ContentSet c, SummaryNode succ) {
exists(SummarizedCallable sc, SummaryComponentStack s |
pred = summaryNodeInputState(sc, s.tail()) and
succ = summaryNodeInputState(sc, s) and
@@ -801,7 +859,7 @@ module Private {
* Holds if there is a store step of content `c` from `pred` to `succ`, which
* is synthesized from a flow summary.
*/
predicate summaryStoreStep(Node pred, ContentSet c, Node succ) {
predicate summaryStoreStep(SummaryNode pred, ContentSet c, SummaryNode succ) {
exists(SummarizedCallable sc, SummaryComponentStack s |
pred = summaryNodeOutputState(sc, s) and
succ = summaryNodeOutputState(sc, s.tail()) and
@@ -813,7 +871,7 @@ module Private {
* Holds if there is a jump step from `pred` to `succ`, which is synthesized
* from a flow summary.
*/
predicate summaryJumpStep(Node pred, Node succ) {
predicate summaryJumpStep(SummaryNode pred, SummaryNode succ) {
exists(SummaryComponentStack s |
s = SummaryComponentStack::singleton(SummaryComponent::syntheticGlobal(_)) and
pred = summaryNodeOutputState(_, s) and
@@ -840,9 +898,9 @@ module Private {
* `a` on line 2 to the post-update node for `a` on that line (via an intermediate
* node where field `b` is cleared).
*/
predicate summaryClearsContent(Node n, ContentSet c) {
predicate summaryClearsContent(SummaryNode n, ContentSet c) {
exists(SummarizedCallable sc, SummaryNodeState state, SummaryComponentStack stack |
n = summaryNode(sc, state) and
n = TSummaryInternalNode(sc, state) and
state.isInputState(sc, stack) and
stack.head() = SummaryComponent::withoutContent(c)
)
@@ -852,9 +910,9 @@ module Private {
* Holds if the value that is being tracked is expected to be stored inside
* content `c` at `n`.
*/
predicate summaryExpectsContent(Node n, ContentSet c) {
predicate summaryExpectsContent(SummaryNode n, ContentSet c) {
exists(SummarizedCallable sc, SummaryNodeState state, SummaryComponentStack stack |
n = summaryNode(sc, state) and
n = TSummaryInternalNode(sc, state) and
state.isInputState(sc, stack) and
stack.head() = SummaryComponent::withContent(c)
)
@@ -862,17 +920,17 @@ module Private {
pragma[noinline]
private predicate viableParam(
DataFlowCall call, SummarizedCallable sc, ParameterPosition ppos, ParamNode p
DataFlowCall call, SummarizedCallable sc, ParameterPosition ppos, SummaryParamNode p
) {
exists(DataFlowCallable c |
c = inject(sc) and
p.isParameterOf(c, ppos) and
p = TSummaryParameterNode(sc, ppos) and
c = viableCallable(call)
)
}
pragma[nomagic]
private ParamNode summaryArgParam0(DataFlowCall call, ArgNode arg, SummarizedCallable sc) {
private SummaryParamNode summaryArgParam(DataFlowCall call, ArgNode arg, SummarizedCallable sc) {
exists(ParameterPosition ppos |
argumentPositionMatch(call, arg, ppos) and
viableParam(call, sc, ppos, result)
@@ -884,12 +942,12 @@ module Private {
* local steps. `clearsOrExpects` records whether any node on the path from `p` to
* `n` either clears or expects contents.
*/
private predicate paramReachesLocal(ParamNode p, Node n, boolean clearsOrExpects) {
private predicate paramReachesLocal(SummaryParamNode p, SummaryNode n, boolean clearsOrExpects) {
viableParam(_, _, _, p) and
n = p and
clearsOrExpects = false
or
exists(Node mid, boolean clearsOrExpectsMid |
exists(SummaryNode mid, boolean clearsOrExpectsMid |
paramReachesLocal(p, mid, clearsOrExpectsMid) and
summaryLocalStep(mid, n, true) and
if
@@ -909,21 +967,33 @@ module Private {
*/
pragma[nomagic]
predicate prohibitsUseUseFlow(ArgNode arg, SummarizedCallable sc) {
exists(ParamNode p, ParameterPosition ppos, Node ret |
exists(SummaryParamNode p, ParameterPosition ppos, SummaryNode ret |
paramReachesLocal(p, ret, true) and
p = summaryArgParam0(_, arg, sc) and
p.isParameterOf(_, pragma[only_bind_into](ppos)) and
p = summaryArgParam(_, arg, sc) and
p = TSummaryParameterNode(_, pragma[only_bind_into](ppos)) and
isParameterPostUpdate(ret, _, pragma[only_bind_into](ppos))
)
}
pragma[nomagic]
private predicate summaryReturnNodeExt(SummaryNode ret, ReturnKindExt rk) {
summaryReturnNode(ret, rk.(ValueReturnKind).getKind())
or
exists(SummaryParamNode p, SummaryNode pre, ParameterPosition pos |
paramReachesLocal(p, pre, _) and
summaryPostUpdateNode(ret, pre) and
p = TSummaryParameterNode(_, pos) and
rk.(ParamUpdateReturnKind).getPosition() = pos
)
}
bindingset[ret]
private ParamNode summaryArgParam(
ArgNode arg, ReturnNodeExt ret, OutNodeExt out, SummarizedCallable sc
private SummaryParamNode summaryArgParamRetOut(
ArgNode arg, SummaryNode ret, OutNodeExt out, SummarizedCallable sc
) {
exists(DataFlowCall call, ReturnKindExt rk |
result = summaryArgParam0(call, arg, sc) and
ret.getKind() = pragma[only_bind_into](rk) and
result = summaryArgParam(call, arg, sc) and
summaryReturnNodeExt(ret, pragma[only_bind_into](rk)) and
out = pragma[only_bind_into](rk).getAnOutNode(call)
)
}
@@ -936,9 +1006,9 @@ module Private {
* be useful to include in the exposed local data-flow/taint-tracking relations.
*/
predicate summaryThroughStepValue(ArgNode arg, Node out, SummarizedCallable sc) {
exists(ReturnKind rk, ReturnNode ret, DataFlowCall call |
summaryLocalStep(summaryArgParam0(call, arg, sc), ret, true) and
ret.getKind() = pragma[only_bind_into](rk) and
exists(ReturnKind rk, SummaryNode ret, DataFlowCall call |
summaryLocalStep(summaryArgParam(call, arg, sc), ret, true) and
summaryReturnNode(ret, pragma[only_bind_into](rk)) and
out = getAnOutNode(call, pragma[only_bind_into](rk))
)
}
@@ -951,7 +1021,9 @@ module Private {
* be useful to include in the exposed local data-flow/taint-tracking relations.
*/
predicate summaryThroughStepTaint(ArgNode arg, Node out, SummarizedCallable sc) {
exists(ReturnNodeExt ret | summaryLocalStep(summaryArgParam(arg, ret, out, sc), ret, false))
exists(SummaryNode ret |
summaryLocalStep(summaryArgParamRetOut(arg, ret, out, sc), ret, false)
)
}
/**
@@ -962,8 +1034,8 @@ module Private {
* be useful to include in the exposed local data-flow/taint-tracking relations.
*/
predicate summaryGetterStep(ArgNode arg, ContentSet c, Node out, SummarizedCallable sc) {
exists(Node mid, ReturnNodeExt ret |
summaryReadStep(summaryArgParam(arg, ret, out, sc), c, mid) and
exists(SummaryNode mid, SummaryNode ret |
summaryReadStep(summaryArgParamRetOut(arg, ret, out, sc), c, mid) and
summaryLocalStep(mid, ret, _)
)
}
@@ -976,8 +1048,8 @@ module Private {
* be useful to include in the exposed local data-flow/taint-tracking relations.
*/
predicate summarySetterStep(ArgNode arg, ContentSet c, Node out, SummarizedCallable sc) {
exists(Node mid, ReturnNodeExt ret |
summaryLocalStep(summaryArgParam(arg, ret, out, sc), mid, _) and
exists(SummaryNode mid, SummaryNode ret |
summaryLocalStep(summaryArgParamRetOut(arg, ret, out, sc), mid, _) and
summaryStoreStep(mid, c, ret)
)
}
@@ -1344,11 +1416,11 @@ module Private {
}
private newtype TNodeOrCall =
MkNode(Node n) {
MkNode(SummaryNode n) {
exists(RelevantSummarizedCallable c |
n = summaryNode(c, _)
n = TSummaryInternalNode(c, _)
or
n.(ParamNode).isParameterOf(inject(c), _)
n = TSummaryParameterNode(c, _)
)
} or
MkCall(DataFlowCall call) {
@@ -1357,7 +1429,7 @@ module Private {
}
private class NodeOrCall extends TNodeOrCall {
Node asNode() { this = MkNode(result) }
SummaryNode asNode() { this = MkNode(result) }
DataFlowCall asCall() { this = MkCall(result) }
@@ -1377,9 +1449,11 @@ module Private {
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
) {
this.asNode().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
or
this.asCall().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
filepath = "" and
startline = 0 and
startcolumn = 0 and
endline = 0 and
endcolumn = 0
}
}

10
java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
View File

@@ -26,15 +26,17 @@ DataFlowCallable inject(SummarizedCallable c) { result.asSummarizedCallable() =
/** Gets the parameter position of the instance parameter. */
ArgumentPosition callbackSelfParameterPosition() { result = -1 }
/** Gets the synthesized summary data-flow node for the given values. */
Node summaryNode(SummarizedCallable c, SummaryNodeState state) { result = getSummaryNode(c, state) }
/** Gets the synthesized data-flow call for `receiver`. */
SummaryCall summaryDataFlowCall(Node receiver) { result.getReceiver() = receiver }
SummaryCall summaryDataFlowCall(SummaryNode receiver) { result.getReceiver() = receiver }
/** Gets the type of content `c`. */
DataFlowType getContentType(Content c) { result = c.getType() }
/** Gets the type of the parameter at the given position. */
DataFlowType getParameterType(SummarizedCallable c, ParameterPosition pos) {
result = getErasedRepr(c.getParameterType(pos))
}
/** Gets the return type of kind `rk` for callable `c`. */
DataFlowType getReturnType(SummarizedCallable c, ReturnKind rk) {
result = getErasedRepr(c.getReturnType()) and

4
java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
View File

@@ -86,6 +86,7 @@ module LocalTaintFlow<nodeSig/1 source, nodeSig/1 sink> {
cached
private module Cached {
private import DataFlowImplCommon as DataFlowImplCommon
private import DataFlowPrivate as DataFlowPrivate
cached
predicate forceCachingInSameStage() { DataFlowImplCommon::forceCachingInSameStage() }
@@ -136,7 +137,8 @@ private module Cached {
)
)
or
FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, false)
FlowSummaryImpl::Private::Steps::summaryLocalStep(src.(DataFlowPrivate::FlowSummaryNode)
.getSummaryNode(), sink.(DataFlowPrivate::FlowSummaryNode).getSummaryNode(), false)
}
/**

3
java/ql/lib/semmle/code/java/deadcode/EntryPoints.qll
View File

@@ -456,9 +456,6 @@ class ArbitraryXmlEntryPoint extends ReflectivelyConstructedClass {
}
}
/** DEPRECATED: Alias for ArbitraryXmlEntryPoint */
deprecated class ArbitraryXMLEntryPoint = ArbitraryXmlEntryPoint;
/** A Selenium PageObject, created by a call to PageFactory.initElements(..). */
class SeleniumPageObjectEntryPoint extends ReflectivelyConstructedClass instanceof SeleniumPageObject
{ }

3
java/ql/lib/semmle/code/java/frameworks/Networking.qll
View File

@@ -38,9 +38,6 @@ class UrlConnectionGetInputStreamMethod extends Method {
}
}
/** DEPRECATED: Alias for UrlConnectionGetInputStreamMethod */
deprecated class URLConnectionGetInputStreamMethod = UrlConnectionGetInputStreamMethod;
/** The method `java.net.Socket::getInputStream`. */
class SocketGetInputStreamMethod extends Method {
SocketGetInputStreamMethod() {

6
java/ql/lib/semmle/code/java/frameworks/Servlets.qll
View File

@@ -128,9 +128,6 @@ class HttpServletRequestGetRequestUrlMethod extends Method {
}
}
/** DEPRECATED: Alias for HttpServletRequestGetRequestUrlMethod */
deprecated class HttpServletRequestGetRequestURLMethod = HttpServletRequestGetRequestUrlMethod;
/**
* The method `getRequestURI()` declared in `javax.servlet.http.HttpServletRequest`.
*/
@@ -339,9 +336,6 @@ class ServletWebXmlListenerType extends RefType {
}
}
/** DEPRECATED: Alias for ServletWebXmlListenerType */
deprecated class ServletWebXMLListenerType = ServletWebXmlListenerType;
/** Holds if `m` is a request handler method (for example `doGet` or `doPost`). */
predicate isServletRequestMethod(Method m) {
m.getDeclaringType() instanceof ServletClass and

14
java/ql/lib/semmle/code/java/frameworks/UnboundId.qll
View File

@@ -29,9 +29,6 @@ class TypeUnboundIdLdapConnection extends Class {
}
}
/** DEPRECATED: Alias for TypeUnboundIdLdapConnection */
deprecated class TypeUnboundIdLDAPConnection = TypeUnboundIdLdapConnection;
/*--- Methods ---*/
/** A method with the name `setBaseDN` declared in `com.unboundid.ldap.sdk.SearchRequest`. */
class MethodUnboundIdSearchRequestSetBaseDN extends Method {
@@ -103,9 +100,6 @@ class MethodUnboundIdLdapConnectionSearch extends Method {
}
}
/** DEPRECATED: Alias for MethodUnboundIdLdapConnectionSearch */
deprecated class MethodUnboundIdLDAPConnectionSearch = MethodUnboundIdLdapConnectionSearch;
/** A method with the name `asyncSearch` declared in `com.unboundid.ldap.sdk.LDAPConnection`. */
class MethodUnboundIdLdapConnectionAsyncSearch extends Method {
MethodUnboundIdLdapConnectionAsyncSearch() {
@@ -114,10 +108,6 @@ class MethodUnboundIdLdapConnectionAsyncSearch extends Method {
}
}
/** DEPRECATED: Alias for MethodUnboundIdLdapConnectionAsyncSearch */
deprecated class MethodUnboundIdLDAPConnectionAsyncSearch =
MethodUnboundIdLdapConnectionAsyncSearch;
/** A method with the name `searchForEntry` declared in `com.unboundid.ldap.sdk.LDAPConnection`. */
class MethodUnboundIdLdapConnectionSearchForEntry extends Method {
MethodUnboundIdLdapConnectionSearchForEntry() {
@@ -125,7 +115,3 @@ class MethodUnboundIdLdapConnectionSearchForEntry extends Method {
this.hasName("searchForEntry")
}
}
/** DEPRECATED: Alias for MethodUnboundIdLdapConnectionSearchForEntry */
deprecated class MethodUnboundIdLDAPConnectionSearchForEntry =
MethodUnboundIdLdapConnectionSearchForEntry;

29
java/ql/lib/semmle/code/java/frameworks/hudson/Hudson.qll Normal file
View File

@@ -0,0 +1,29 @@
/** Provides classes and predicates related to the Hudson framework. */
import java
private import semmle.code.java.dataflow.FlowSources
private import semmle.code.java.security.XSS
private class FilePathRead extends LocalUserInput {
FilePathRead() {
this.asExpr()
.(MethodAccess)
.getMethod()
.hasQualifiedName("hudson", "FilePath",
[
"newInputStreamDenyingSymlinkAsNeeded", "openInputStream", "read", "readFromOffset",
"readToString"
])
}
}
private class HudsonUtilXssSanitizer extends XssSanitizer {
HudsonUtilXssSanitizer() {
this.asExpr()
.(MethodAccess)
.getMethod()
// Not including xmlEscape because it only accounts for >, <, and &.
// It does not account for ", or ', which makes it an incomplete XSS sanitizer.
.hasQualifiedName("hudson", "Util", "escape")
}
}

3
java/ql/lib/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
View File

@@ -20,9 +20,6 @@ class JacksonJsonIgnoreAnnotation extends NonReflectiveAnnotation {
}
}
/** DEPRECATED: Alias for JacksonJsonIgnoreAnnotation */
deprecated class JacksonJSONIgnoreAnnotation = JacksonJsonIgnoreAnnotation;
/** A type whose values may be serialized using the Jackson JSON framework. */
abstract class JacksonSerializableType extends Type { }

3
java/ql/lib/semmle/code/java/frameworks/javaee/PersistenceXML.qll
View File

@@ -26,9 +26,6 @@ class PersistenceXmlFile extends XmlFile {
}
}
/** DEPRECATED: Alias for PersistenceXmlFile */
deprecated class PersistenceXMLFile = PersistenceXmlFile;
/** The root `persistence` XML element in a `persistence.xml` file. */
class PersistenceXmlRoot extends XmlElement {
PersistenceXmlRoot() {

3
java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJBJarXML.qll
View File

@@ -35,9 +35,6 @@ class EjbJarXmlFile extends XmlFile {
}
}
/** DEPRECATED: Alias for EjbJarXmlFile */
deprecated class EjbJarXMLFile = EjbJarXmlFile;
/** The root `ejb-jar` XML element in an `ejb-jar.xml` file. */
class EjbJarRootElement extends XmlElement {
EjbJarRootElement() {

6
java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFFacesContextXML.qll
View File

@@ -16,9 +16,6 @@ class FacesConfigXmlFile extends XmlFile {
}
}
/** DEPRECATED: Alias for FacesConfigXmlFile */
deprecated class FacesConfigXMLFile = FacesConfigXmlFile;
/**
* An XML element in a `FacesConfigXMLFile`.
*/
@@ -31,9 +28,6 @@ class FacesConfigXmlElement extends XmlElement {
string getValue() { result = this.allCharactersString().trim() }
}
/** DEPRECATED: Alias for FacesConfigXmlElement */
deprecated class FacesConfigXMLElement = FacesConfigXmlElement;
/**
* An element in a JSF config file that declares a managed bean.
*/

3
java/ql/lib/semmle/code/java/frameworks/spring/SpringAutowire.qll
View File

@@ -100,9 +100,6 @@ class SpringBeanXmlAutowiredSetterMethod extends Method {
}
}
/** DEPRECATED: Alias for SpringBeanXmlAutowiredSetterMethod */
deprecated class SpringBeanXMLAutowiredSetterMethod = SpringBeanXmlAutowiredSetterMethod;
/**
* A callable that is annotated with `@Autowired`.
*

24
java/ql/lib/semmle/code/java/frameworks/spring/SpringCamel.qll
View File

@@ -13,9 +13,6 @@ class SpringCamelXmlElement extends SpringXmlElement {
SpringCamelXmlElement() { this.getNamespace().getUri() = "http://camel.apache.org/schema/spring" }
}
/** DEPRECATED: Alias for SpringCamelXmlElement */
deprecated class SpringCamelXMLElement = SpringCamelXmlElement;
/**
* An element in a Spring beans file that defines an Apache Camel context.
*
@@ -25,9 +22,6 @@ class SpringCamelXmlContext extends SpringCamelXmlElement {
SpringCamelXmlContext() { this.getName() = "camelContext" }
}
/** DEPRECATED: Alias for SpringCamelXmlContext */
deprecated class SpringCamelXMLContext = SpringCamelXmlContext;
/**
* An element in a Spring beans file that defines an Apache Camel route context.
*
@@ -38,9 +32,6 @@ class SpringCamelXmlRouteContext extends SpringCamelXmlElement {
SpringCamelXmlRouteContext() { this.getName() = "routeContext" }
}
/** DEPRECATED: Alias for SpringCamelXmlRouteContext */
deprecated class SpringCamelXMLRouteContext = SpringCamelXmlRouteContext;
/**
* An element in a Spring beans files that defines an Apache Camel route.
*
@@ -58,9 +49,6 @@ class SpringCamelXmlRoute extends SpringCamelXmlElement {
}
}
/** DEPRECATED: Alias for SpringCamelXmlRoute */
deprecated class SpringCamelXMLRoute = SpringCamelXmlRoute;
/**
* An element in a Spring bean file that is logically contained in an Apache Camel route.
*/
@@ -71,9 +59,6 @@ class SpringCamelXmlRouteElement extends SpringCamelXmlElement {
}
}
/** DEPRECATED: Alias for SpringCamelXmlRouteElement */
deprecated class SpringCamelXMLRouteElement = SpringCamelXmlRouteElement;
/**
* A reference to a Spring bean in an Apache Camel route defined in a Spring beans file.
*
@@ -98,9 +83,6 @@ class SpringCamelXmlBeanRef extends SpringCamelXmlRouteElement {
RefType getBeanType() { result.getQualifiedName() = this.getAttribute("beanType").getValue() }
}
/** DEPRECATED: Alias for SpringCamelXmlBeanRef */
deprecated class SpringCamelXMLBeanRef = SpringCamelXmlBeanRef;
/**
* A declaration of a target in an Apache Camel route defined in a Spring beans file.
*
@@ -120,9 +102,6 @@ class SpringCamelXmlToElement extends SpringCamelXmlRouteElement {
deprecated string getURI() { result = this.getUri() }
}
/** DEPRECATED: Alias for SpringCamelXmlToElement */
deprecated class SpringCamelXMLToElement = SpringCamelXmlToElement;
/**
* A declaration of a Apache Camel "method" expression defined in a Spring beans file.
*
@@ -147,6 +126,3 @@ class SpringCamelXmlMethodElement extends SpringCamelXmlElement {
*/
RefType getBeanType() { result.getQualifiedName() = this.getAttribute("beanType").getValue() }
}
/** DEPRECATED: Alias for SpringCamelXmlMethodElement */
deprecated class SpringCamelXMLMethodElement = SpringCamelXmlMethodElement;

3
java/ql/lib/semmle/code/java/frameworks/spring/SpringComponentScan.qll
View File

@@ -23,9 +23,6 @@ class SpringXmlComponentScan extends SpringXmlElement {
string getAProfileExpr() { result = this.getSpringBeanFile().getAProfileExpr() }
}
/** DEPRECATED: Alias for SpringXmlComponentScan */
deprecated class SpringXMLComponentScan = SpringXmlComponentScan;
/**
* An annotation of a class that configures which packages are considered to be "base" packages
* when performing the Spring component scan.

5
java/ql/lib/semmle/code/java/frameworks/spring/SpringFlex.qll
View File

@@ -57,11 +57,6 @@ class SpringRemotingDestinationClass extends Class {
*/
SpringRemotingDestination getRemotingDestinationXml() { this = result.getSpringBean().getClass() }
/** DEPRECATED: Alias for getRemotingDestinationXml */
deprecated SpringRemotingDestination getRemotingDestinationXML() {
result = this.getRemotingDestinationXml()
}
/**
* Holds if the class is operating on an "include" or "exclude" basis.
*

3
java/ql/lib/semmle/code/java/frameworks/spring/SpringXMLElement.qll
View File

@@ -37,6 +37,3 @@ class SpringXmlElement extends XmlElement {
string getContentString() { result = this.allCharactersString() }
}
/** DEPRECATED: Alias for SpringXmlElement */
deprecated class SpringXMLElement = SpringXmlElement;

3
java/ql/lib/semmle/code/java/frameworks/struts/StrutsConventions.qll
View File

@@ -77,9 +77,6 @@ StrutsXmlFile getRootXmlFile(RefType refType) {
)
}
/** DEPRECATED: Alias for getRootXmlFile */
deprecated StrutsXMLFile getRootXMLFile(RefType refType) { result = getRootXmlFile(refType) }
/**
* Gets the suffix used for automatically identifying actions when using the convention plugin.
*

24
java/ql/lib/semmle/code/java/frameworks/struts/StrutsXML.qll
View File

@@ -5,9 +5,6 @@ import java
*/
predicate isStrutsXmlIncluded() { exists(StrutsXmlFile strutsXml) }
/** DEPRECATED: Alias for isStrutsXmlIncluded */
deprecated predicate isStrutsXMLIncluded = isStrutsXmlIncluded/0;
/**
* A struts 2 configuration file.
*/
@@ -51,9 +48,6 @@ abstract class StrutsXmlFile extends XmlFile {
}
}
/** DEPRECATED: Alias for StrutsXmlFile */
deprecated class StrutsXMLFile = StrutsXmlFile;
/**
* A Struts 2 "root" configuration XML file directly read by struts.
*
@@ -66,9 +60,6 @@ class StrutsRootXmlFile extends StrutsXmlFile {
}
}
/** DEPRECATED: Alias for StrutsRootXmlFile */
deprecated class StrutsRootXMLFile = StrutsRootXmlFile;
/**
* A Struts 2 configuration XML file included, directly or indirectly, by a root Struts configuration.
*/
@@ -76,9 +67,6 @@ class StrutsIncludedXmlFile extends StrutsXmlFile {
StrutsIncludedXmlFile() { exists(StrutsXmlInclude include | this = include.getIncludedFile()) }
}
/** DEPRECATED: Alias for StrutsIncludedXmlFile */
deprecated class StrutsIncludedXMLFile = StrutsIncludedXmlFile;
/**
* A Folder which has one or more Struts 2 root configurations.
*/
@@ -116,9 +104,6 @@ class StrutsXmlElement extends XmlElement {
string getValue() { result = this.allCharactersString().trim() }
}
/** DEPRECATED: Alias for StrutsXmlElement */
deprecated class StrutsXMLElement = StrutsXmlElement;
/**
* A `<include>` element within a `struts.xml` file.
*
@@ -141,9 +126,6 @@ class StrutsXmlInclude extends StrutsXmlElement {
}
}
/** DEPRECATED: Alias for StrutsXmlInclude */
deprecated class StrutsXMLInclude = StrutsXmlInclude;
/**
* Escape a string for use as the matcher in a string.match(..) call.
*/
@@ -192,9 +174,6 @@ class StrutsXmlAction extends StrutsXmlElement {
}
}
/** DEPRECATED: Alias for StrutsXmlAction */
deprecated class StrutsXMLAction = StrutsXmlAction;
/**
* A `<constant>` property, representing a configuration parameter to struts.
*/
@@ -205,6 +184,3 @@ class StrutsXmlConstant extends StrutsXmlElement {
string getConstantValue() { result = this.getAttribute("value").getValue() }
}
/** DEPRECATED: Alias for StrutsXmlConstant */
deprecated class StrutsXMLConstant = StrutsXmlConstant;

3
java/ql/lib/semmle/code/java/security/Encryption.qll
View File

@@ -25,9 +25,6 @@ class HttpsUrlConnection extends RefType {
HttpsUrlConnection() { this.hasQualifiedName("javax.net.ssl", "HttpsURLConnection") }
}
/** DEPRECATED: Alias for HttpsUrlConnection */
deprecated class HttpsURLConnection = HttpsUrlConnection;
class SslSocketFactory extends RefType {
SslSocketFactory() { this.hasQualifiedName("javax.net.ssl", "SSLSocketFactory") }
}

15
java/ql/lib/semmle/code/java/security/ExternalAPIs.qll
View File

@@ -12,9 +12,6 @@ import semmle.code.java.dataflow.TaintTracking
*/
abstract class SafeExternalApiMethod extends Method { }
/** DEPRECATED: Alias for SafeExternalApiMethod */
deprecated class SafeExternalAPIMethod = SafeExternalApiMethod;
/** The default set of "safe" external APIs. */
private class DefaultSafeExternalApiMethod extends SafeExternalApiMethod {
DefaultSafeExternalApiMethod() {
@@ -95,9 +92,6 @@ class ExternalApiDataNode extends DataFlow::Node {
string getMethodDescription() { result = this.getMethod().getQualifiedName() }
}
/** DEPRECATED: Alias for ExternalApiDataNode */
deprecated class ExternalAPIDataNode = ExternalApiDataNode;
/**
* DEPRECATED: Use `UntrustedDataToExternalApiFlow` instead.
*
@@ -125,9 +119,6 @@ module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
*/
module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;
/** DEPRECATED: Alias for UntrustedDataToExternalApiConfig */
deprecated class UntrustedDataToExternalAPIConfig = UntrustedDataToExternalApiConfig;
/** A node representing untrusted data being passed to an external API. */
class UntrustedExternalApiDataNode extends ExternalApiDataNode {
UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flowTo(this) }
@@ -136,9 +127,6 @@ class UntrustedExternalApiDataNode extends ExternalApiDataNode {
DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }
}
/** DEPRECATED: Alias for UntrustedExternalApiDataNode */
deprecated class UntrustedExternalAPIDataNode = UntrustedExternalApiDataNode;
/** An external API which is used with untrusted data. */
private newtype TExternalApi =
/** An untrusted API method `m` where untrusted data is passed at `index`. */
@@ -172,6 +160,3 @@ class ExternalApiUsedWithUntrustedData extends TExternalApi {
)
}
}
/** DEPRECATED: Alias for ExternalApiUsedWithUntrustedData */
deprecated class ExternalAPIUsedWithUntrustedData = ExternalApiUsedWithUntrustedData;

27
java/ql/lib/semmle/code/java/security/LogInjection.qll
View File

@@ -46,16 +46,33 @@ private class LineBreaksLogInjectionSanitizer extends LogInjectionSanitizer {
}
}
private predicate stringMethodAccess(
MethodAccess ma, CompileTimeConstantExpr arg0, CompileTimeConstantExpr arg1
) {
ma.getMethod().getDeclaringType() instanceof TypeString and
arg0 = ma.getArgument(0) and
arg1 = ma.getArgument(1)
}
private predicate stringMethodArgument(CompileTimeConstantExpr arg) {
stringMethodAccess(_, arg, _) or stringMethodAccess(_, _, arg)
}
bindingset[match]
pragma[inline_late]
private predicate stringMethodArgumentValueMatches(CompileTimeConstantExpr const, string match) {
stringMethodArgument(const) and
const.getStringValue().matches(match)
}
/**
* Holds if the return value of `ma` is sanitized against log injection attacks
* by removing line breaks from it.
*/
private predicate logInjectionSanitizer(MethodAccess ma) {
exists(CompileTimeConstantExpr target, CompileTimeConstantExpr replacement |
ma.getMethod().getDeclaringType() instanceof TypeString and
target = ma.getArgument(0) and
replacement = ma.getArgument(1) and
not replacement.getStringValue().matches(["%\n%", "%\r%"])
stringMethodAccess(ma, target, replacement) and
not stringMethodArgumentValueMatches(replacement, ["%\n%", "%\r%"])
|
ma.getMethod().hasName("replace") and
not replacement.getIntValue() = [10, 13] and
@@ -68,7 +85,7 @@ private predicate logInjectionSanitizer(MethodAccess ma) {
(
// Replace anything not in an allow list
target.getStringValue().matches("[^%]") and
not target.getStringValue().matches("%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%")
not stringMethodArgumentValueMatches(target, "%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%")
or
// Replace line breaks
target.getStringValue() = ["\n", "\r", "\\n", "\\r", "\\R"]

13
java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll
View File

@@ -5,7 +5,6 @@ import semmle.code.java.frameworks.Networking
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.FlowSources
private import semmle.code.java.dataflow.ExternalFlow
import semmle.code.java.security.PathCreation
import semmle.code.java.security.PathSanitizer
/**
@@ -55,11 +54,7 @@ private class TaintPreservingUriCtorParam extends Parameter {
module TaintedPathConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSink(DataFlow::Node sink) {
sink.asExpr() = any(PathCreation p).getAnInput()
or
sinkNode(sink, "path-injection")
}
predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") }
predicate isBarrier(DataFlow::Node sanitizer) {
sanitizer.getType() instanceof BoxedType or
@@ -82,11 +77,7 @@ module TaintedPathFlow = TaintTracking::Global<TaintedPathConfig>;
module TaintedPathLocalConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
predicate isSink(DataFlow::Node sink) {
sink.asExpr() = any(PathCreation p).getAnInput()
or
sinkNode(sink, "path-injection")
}
predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") }
predicate isBarrier(DataFlow::Node sanitizer) {
sanitizer.getType() instanceof BoxedType or

1
java/ql/lib/semmle/code/java/security/XSS.qll
View File

@@ -6,6 +6,7 @@ import semmle.code.java.frameworks.android.WebView
import semmle.code.java.frameworks.spring.SpringController
import semmle.code.java.frameworks.spring.SpringHttp
import semmle.code.java.frameworks.javaee.jsf.JSFRenderer
private import semmle.code.java.frameworks.hudson.Hudson
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
private import semmle.code.java.dataflow.ExternalFlow

87
java/ql/lib/semmle/code/java/security/XmlParsers.qll
View File

@@ -337,9 +337,6 @@ class SaxBuilder extends RefType {
}
}
/** DEPRECATED: Alias for SaxBuilder */
deprecated class SAXBuilder = SaxBuilder;
/**
* A call to `SAXBuilder.build.`
*/
@@ -359,9 +356,6 @@ class SaxBuilderParse extends XmlParserCall {
}
}
/** DEPRECATED: Alias for SaxBuilderParse */
deprecated class SAXBuilderParse = SaxBuilderParse;
private module SafeSaxBuilderToSaxBuilderParseFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxBuilder }
@@ -386,9 +380,6 @@ class SaxBuilderConfig extends ParserConfig {
}
}
/** DEPRECATED: Alias for SaxBuilderConfig */
deprecated class SAXBuilderConfig = SaxBuilderConfig;
/** A safely configured `SaxBuilder`. */
class SafeSaxBuilder extends VarAccess {
SafeSaxBuilder() {
@@ -404,9 +395,6 @@ class SafeSaxBuilder extends VarAccess {
}
}
/** DEPRECATED: Alias for SafeSaxBuilder */
deprecated class SafeSAXBuilder = SafeSaxBuilder;
/*
* The case in
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller
@@ -420,17 +408,11 @@ class SaxParser extends RefType {
SaxParser() { this.hasQualifiedName("javax.xml.parsers", "SAXParser") }
}
/** DEPRECATED: Alias for SaxParser */
deprecated class SAXParser = SaxParser;
/** The class `javax.xml.parsers.SAXParserFactory`. */
class SaxParserFactory extends RefType {
SaxParserFactory() { this.hasQualifiedName("javax.xml.parsers", "SAXParserFactory") }
}
/** DEPRECATED: Alias for SaxParserFactory */
deprecated class SAXParserFactory = SaxParserFactory;
/** A call to `SAXParser.parse`. */
class SaxParserParse extends XmlParserCall {
SaxParserParse() {
@@ -446,9 +428,6 @@ class SaxParserParse extends XmlParserCall {
override predicate isSafe() { SafeSaxParserFlow::flowToExpr(this.getQualifier()) }
}
/** DEPRECATED: Alias for SaxParserParse */
deprecated class SAXParserParse = SaxParserParse;
/** A `ParserConfig` that is specific to `SaxParserFactory`. */
class SaxParserFactoryConfig extends ParserConfig {
SaxParserFactoryConfig() {
@@ -460,9 +439,6 @@ class SaxParserFactoryConfig extends ParserConfig {
}
}
/** DEPRECATED: Alias for SaxParserFactoryConfig */
deprecated class SAXParserFactoryConfig = SaxParserFactoryConfig;
/**
* A safely configured `SAXParserFactory`.
*/
@@ -496,9 +472,6 @@ class SafeSaxParserFactory extends VarAccess {
}
}
/** DEPRECATED: Alias for SafeSaxParserFactory */
deprecated class SafeSAXParserFactory = SafeSaxParserFactory;
private module SafeSaxParserFactoryToNewSaxParserFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxParserFactory }
@@ -540,9 +513,6 @@ class SafeSaxParser extends MethodAccess {
}
}
/** DEPRECATED: Alias for SafeSaxParser */
deprecated class SafeSAXParser = SafeSaxParser;
/* SAXReader: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#saxreader */
/**
* The class `org.dom4j.io.SAXReader`.
@@ -551,9 +521,6 @@ class SaxReader extends RefType {
SaxReader() { this.hasQualifiedName("org.dom4j.io", "SAXReader") }
}
/** DEPRECATED: Alias for SaxReader */
deprecated class SAXReader = SaxReader;
/** A call to `SAXReader.read`. */
class SaxReaderRead extends XmlParserCall {
SaxReaderRead() {
@@ -569,9 +536,6 @@ class SaxReaderRead extends XmlParserCall {
override predicate isSafe() { SafeSaxReaderFlow::flowToExpr(this.getQualifier()) }
}
/** DEPRECATED: Alias for SaxReaderRead */
deprecated class SAXReaderRead = SaxReaderRead;
/** A `ParserConfig` specific to `SaxReader`. */
class SaxReaderConfig extends ParserConfig {
SaxReaderConfig() {
@@ -583,9 +547,6 @@ class SaxReaderConfig extends ParserConfig {
}
}
/** DEPRECATED: Alias for SaxReaderConfig */
deprecated class SAXReaderConfig = SaxReaderConfig;
private module SafeSaxReaderFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxReader }
@@ -626,9 +587,6 @@ class SafeSaxReader extends VarAccess {
}
}
/** DEPRECATED: Alias for SafeSaxReader */
deprecated class SafeSAXReader = SafeSaxReader;
/* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlreader */
/** The class `org.xml.sax.XMLReader`. */
class XmlReader extends RefType {
@@ -640,9 +598,6 @@ class InputSource extends Class {
InputSource() { this.hasQualifiedName("org.xml.sax", "InputSource") }
}
/** DEPRECATED: Alias for XmlReader */
deprecated class XMLReader = XmlReader;
/** A call to `XMLReader.read`. */
class XmlReaderParse extends XmlParserCall {
XmlReaderParse() {
@@ -661,9 +616,6 @@ class XmlReaderParse extends XmlParserCall {
}
}
/** DEPRECATED: Alias for XmlReaderParse */
deprecated class XMLReaderParse = XmlReaderParse;
/** A `ParserConfig` specific to the `XmlReader`. */
class XmlReaderConfig extends ParserConfig {
XmlReaderConfig() {
@@ -675,9 +627,6 @@ class XmlReaderConfig extends ParserConfig {
}
}
/** DEPRECATED: Alias for XmlReaderConfig */
deprecated class XMLReaderConfig = XmlReaderConfig;
private module ExplicitlySafeXmlReaderFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ExplicitlySafeXmlReader }
@@ -697,9 +646,6 @@ class SafeXmlReaderFlowSink extends Expr {
}
}
/** DEPRECATED: Alias for SafeXmlReaderFlowSink */
deprecated class SafeXMLReaderFlowSink = SafeXmlReaderFlowSink;
/** An `XmlReader` that is explicitly configured to be safe. */
class ExplicitlySafeXmlReader extends VarAccess {
ExplicitlySafeXmlReader() {
@@ -739,9 +685,6 @@ class ExplicitlySafeXmlReader extends VarAccess {
}
}
/** DEPRECATED: Alias for ExplicitlySafeXmlReader */
deprecated class ExplicitlySafeXMLReader = ExplicitlySafeXmlReader;
private module CreatedSafeXmlReaderFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof CreatedSafeXmlReader }
@@ -778,9 +721,6 @@ class CreatedSafeXmlReader extends Call {
}
}
/** DEPRECATED: Alias for CreatedSafeXmlReader */
deprecated class CreatedSafeXMLReader = CreatedSafeXmlReader;
/*
* SAXSource in
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller
@@ -791,9 +731,6 @@ class SaxSource extends RefType {
SaxSource() { this.hasQualifiedName("javax.xml.transform.sax", "SAXSource") }
}
/** DEPRECATED: Alias for SaxSource */
deprecated class SAXSource = SaxSource;
/** A call to the constructor of `SAXSource` with `XmlReader` and `InputSource`. */
class ConstructedSaxSource extends ClassInstanceExpr {
ConstructedSaxSource() {
@@ -814,9 +751,6 @@ class ConstructedSaxSource extends ClassInstanceExpr {
}
}
/** DEPRECATED: Alias for ConstructedSaxSource */
deprecated class ConstructedSAXSource = ConstructedSaxSource;
/** A call to the `SAXSource.setXMLReader` method. */
class SaxSourceSetReader extends MethodAccess {
SaxSourceSetReader() {
@@ -828,9 +762,6 @@ class SaxSourceSetReader extends MethodAccess {
}
}
/** DEPRECATED: Alias for SaxSourceSetReader */
deprecated class SAXSourceSetReader = SaxSourceSetReader;
/** A `SaxSource` that is safe to use. */
class SafeSaxSource extends Expr {
SafeSaxSource() {
@@ -847,9 +778,6 @@ class SafeSaxSource extends Expr {
}
}
/** DEPRECATED: Alias for SafeSaxSource */
deprecated class SafeSAXSource = SafeSaxSource;
/* Transformer: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory */
/** An access to a method use for configuring a transformer or schema. */
abstract class TransformerConfig extends MethodAccess {
@@ -1063,9 +991,6 @@ class SaxTransformerFactoryNewXmlFilter extends XmlParserCall {
override predicate isSafe() { SafeTransformerFactoryFlow::flowToExpr(this.getQualifier()) }
}
/** DEPRECATED: Alias for SaxTransformerFactoryNewXmlFilter */
deprecated class SAXTransformerFactoryNewXMLFilter = SaxTransformerFactoryNewXmlFilter;
/* Schema: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory */
/** The class `javax.xml.validation.SchemaFactory`. */
class SchemaFactory extends RefType {
@@ -1197,9 +1122,6 @@ class SimpleXmlPersisterCall extends XmlParserCall {
override predicate isSafe() { none() }
}
/** DEPRECATED: Alias for SimpleXmlPersisterCall */
deprecated class SimpleXMLPersisterCall = SimpleXmlPersisterCall;
/** A call to `provide` in `Provider`. */
class SimpleXmlProviderCall extends XmlParserCall {
SimpleXmlProviderCall() {
@@ -1218,9 +1140,6 @@ class SimpleXmlProviderCall extends XmlParserCall {
override predicate isSafe() { none() }
}
/** DEPRECATED: Alias for SimpleXmlProviderCall */
deprecated class SimpleXMLProviderCall = SimpleXmlProviderCall;
/** A call to `read` in `NodeBuilder`. */
class SimpleXmlNodeBuilderCall extends XmlParserCall {
SimpleXmlNodeBuilderCall() {
@@ -1236,9 +1155,6 @@ class SimpleXmlNodeBuilderCall extends XmlParserCall {
override predicate isSafe() { none() }
}
/** DEPRECATED: Alias for SimpleXmlNodeBuilderCall */
deprecated class SimpleXMLNodeBuilderCall = SimpleXmlNodeBuilderCall;
/** A call to the `format` method of the `Formatter`. */
class SimpleXmlFormatterCall extends XmlParserCall {
SimpleXmlFormatterCall() {
@@ -1254,9 +1170,6 @@ class SimpleXmlFormatterCall extends XmlParserCall {
override predicate isSafe() { none() }
}
/** DEPRECATED: Alias for SimpleXmlFormatterCall */
deprecated class SimpleXMLFormatterCall = SimpleXmlFormatterCall;
/** A configuration for secure processing. */
Expr configSecureProcessing() {
result.(ConstantStringExpr).getStringValue() =

26
java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
View File

@@ -4,6 +4,7 @@ import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.security.PathSanitizer
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.security.PathCreation
/**
* A method that returns the name of an archive entry.
@@ -40,5 +41,28 @@ module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;
* A sink that represents a file creation, such as a file write, copy or move operation.
*/
private class FileCreationSink extends DataFlow::Node {
FileCreationSink() { sinkNode(this, "path-injection") }
FileCreationSink() {
sinkNode(this, "path-injection") and
not isPathCreation(this)
}
}
/**
* Holds if `sink` is a path creation node that doesn't imply a read/write filesystem operation.
* This is to avoid creating new spurious alerts, since `PathCreation` sinks weren't
* previously part of this query.
*/
private predicate isPathCreation(DataFlow::Node sink) {
exists(PathCreation pc |
pc.getAnInput() = sink.asExpr()
or
pc.getAnInput().(Argument).isVararg() and sink.(DataFlow::ImplicitVarargsArray).getCall() = pc
|
// exclude actual read/write operations included in `PathCreation`
not pc.(Call)
.getCallee()
.getDeclaringType()
.hasQualifiedName("java.io",
["FileInputStream", "FileOutputStream", "FileReader", "FileWriter"])
)
}

9
java/ql/lib/semmle/code/xml/WebXML.qll
View File

@@ -5,9 +5,6 @@ import java
*/
predicate isWebXmlIncluded() { exists(WebXmlFile webXml) }
/** DEPRECATED: Alias for isWebXmlIncluded */
deprecated predicate isWebXMLIncluded = isWebXmlIncluded/0;
/**
* A deployment descriptor file, typically called `web.xml`.
*/
@@ -31,9 +28,6 @@ class WebXmlFile extends XmlFile {
}
}
/** DEPRECATED: Alias for WebXmlFile */
deprecated class WebXMLFile = WebXmlFile;
/**
* An XML element in a `WebXMLFile`.
*/
@@ -46,9 +40,6 @@ class WebXmlElement extends XmlElement {
string getValue() { result = this.allCharactersString().trim() }
}
/** DEPRECATED: Alias for WebXmlElement */
deprecated class WebXMLElement = WebXmlElement;
/**
* A `<context-param>` element in a `web.xml` file.
*/

6
java/ql/src/Metrics/Summaries/LinesOfCode.ql
View File

@@ -1,8 +1,8 @@
/**
* @id java/summary/lines-of-code
* @name Total lines of Java code in the database
* @description The total number of lines of code across all files. This is a useful metric of the size of a database.
* For all files that were seen during the build, this query counts the lines of code, excluding whitespace
* @description The total number of lines of code across all Java files. This is a useful metric of the size of a database.
* For all Java files that were seen during the build, this query counts the lines of code, excluding whitespace
* or comments.
* @kind metric
* @tags summary
@@ -11,4 +11,4 @@
import java
select sum(CompilationUnit f | f.fromSource() | f.getNumberOfLinesOfCode())
select sum(CompilationUnit f | f.fromSource() and f.isJavaSourceFile() | f.getNumberOfLinesOfCode())

18
java/ql/src/Metrics/Summaries/LinesOfCodeKotlin.ql Normal file
View File

@@ -0,0 +1,18 @@
/**
* @id java/summary/lines-of-code-kotlin
* @name Total lines of Kotlin code in the database
* @description The total number of lines of code across all Kotlin files. This is a useful metric of the size of a database.
* For all Kotlin files that were seen during the build, this query counts the lines of code, excluding whitespace
* or comments.
* @kind metric
* @tags summary
* lines-of-code
*/
import java
select sum(CompilationUnit f |
f.fromSource() and f.isKotlinSourceFile()
|
f.getNumberOfLinesOfCode()
)

1
java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
View File

@@ -14,6 +14,7 @@
*/
import java
import semmle.code.java.security.PathCreation
import semmle.code.java.security.TaintedPathQuery
import TaintedPathFlow::PathGraph

1
java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql
View File

@@ -14,6 +14,7 @@
*/
import java
import semmle.code.java.security.PathCreation
import semmle.code.java.security.TaintedPathQuery
import TaintedPathLocalFlow::PathGraph

444
java/ql/src/Telemetry/AutomodelApplicationModeCharacteristics.qll Normal file
View File

@@ -0,0 +1,444 @@
/**
* For internal use only.
*/
private import java
private import semmle.code.Location as Location
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.TaintTracking
private import semmle.code.java.security.PathCreation
private import semmle.code.java.dataflow.ExternalFlow as ExternalFlow
private import semmle.code.java.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
private import semmle.code.java.security.ExternalAPIs as ExternalAPIs
private import semmle.code.java.Expr as Expr
private import semmle.code.java.security.QueryInjection
private import semmle.code.java.security.RequestForgery
private import semmle.code.java.dataflow.internal.ModelExclusions as ModelExclusions
private import AutomodelJavaUtil as AutomodelJavaUtil
private import semmle.code.java.security.PathSanitizer as PathSanitizer
private import AutomodelSharedGetCallable as AutomodelSharedGetCallable
import AutomodelSharedCharacteristics as SharedCharacteristics
import AutomodelEndpointTypes as AutomodelEndpointTypes
newtype JavaRelatedLocationType = CallContext()
/**
* A class representing nodes that are arguments to calls.
*/
private class ArgumentNode extends DataFlow::Node {
ArgumentNode() { this.asExpr() = [any(Call c).getAnArgument(), any(Call c).getQualifier()] }
}
/**
* A candidates implementation.
*
* Some important notes:
* - This mode is using arguments as endpoints.
* - We use the `CallContext` (the surrounding call expression) as related location.
*/
module ApplicationCandidatesImpl implements SharedCharacteristics::CandidateSig {
// for documentation of the implementations here, see the QLDoc in the CandidateSig signature module.
class Endpoint = ArgumentNode;
class EndpointType = AutomodelEndpointTypes::EndpointType;
class NegativeEndpointType = AutomodelEndpointTypes::NegativeSinkType;
class RelatedLocation = Location::Top;
class RelatedLocationType = JavaRelatedLocationType;
// Sanitizers are currently not modeled in MaD. TODO: check if this has large negative impact.
predicate isSanitizer(Endpoint e, EndpointType t) {
exists(t) and
(
e.getType() instanceof BoxedType
or
e.getType() instanceof PrimitiveType
or
e.getType() instanceof NumberType
)
or
t instanceof AutomodelEndpointTypes::TaintedPathSinkType and
e instanceof PathSanitizer::PathInjectionSanitizer
}
RelatedLocation asLocation(Endpoint e) { result = e.asExpr() }
predicate isKnownKind = AutomodelJavaUtil::isKnownKind/3;
predicate isSink(Endpoint e, string kind) {
exists(string package, string type, string name, string signature, string ext, string input |
sinkSpec(e, package, type, name, signature, ext, input) and
ExternalFlow::sinkModel(package, type, _, name, [signature, ""], ext, input, kind, _)
)
or
isCustomSink(e, kind)
}
predicate isNeutral(Endpoint e) {
exists(string package, string type, string name, string signature |
sinkSpec(e, package, type, name, signature, _, _) and
ExternalFlow::neutralModel(package, type, name, [signature, ""], _, _)
)
}
additional predicate sinkSpec(
Endpoint e, string package, string type, string name, string signature, string ext, string input
) {
ApplicationModeGetCallable::getCallable(e).hasQualifiedName(package, type, name) and
signature = ExternalFlow::paramsString(ApplicationModeGetCallable::getCallable(e)) and
ext = "" and
(
exists(Call c, int argIdx |
e.asExpr() = c.getArgument(argIdx) and
input = AutomodelJavaUtil::getArgumentForIndex(argIdx)
)
or
exists(Call c |
e.asExpr() = c.getQualifier() and input = AutomodelJavaUtil::getArgumentForIndex(-1)
)
)
}
/**
* Gets the related location for the given endpoint.
*
* The only related location we model is the the call expression surrounding to
* which the endpoint is either argument or qualifier (known as the call context).
*/
RelatedLocation getRelatedLocation(Endpoint e, RelatedLocationType type) {
type = CallContext() and
result = any(Call c | e.asExpr() = [c.getAnArgument(), c.getQualifier()])
}
}
private class JavaCallable = Callable;
private module ApplicationModeGetCallable implements AutomodelSharedGetCallable::GetCallableSig {
class Callable = JavaCallable;
class Endpoint = ApplicationCandidatesImpl::Endpoint;
/**
* Returns the API callable being modeled.
*/
Callable getCallable(Endpoint e) {
exists(Call c |
e.asExpr() = [c.getAnArgument(), c.getQualifier()] and
result = c.getCallee()
)
}
}
/**
* Contains endpoints that are defined in QL code rather than as a MaD model. Ideally this predicate
* should be empty.
*/
private predicate isCustomSink(Endpoint e, string kind) {
e.asExpr() instanceof ArgumentToExec and kind = "command injection"
or
e instanceof RequestForgerySink and kind = "request forgery"
or
e instanceof QueryInjectionSink and kind = "sql"
}
module CharacteristicsImpl =
SharedCharacteristics::SharedCharacteristics<ApplicationCandidatesImpl>;
class EndpointCharacteristic = CharacteristicsImpl::EndpointCharacteristic;
class Endpoint = ApplicationCandidatesImpl::Endpoint;
/*
* Predicates that are used to surface prompt examples and candidates for classification with an ML model.
*/
/**
* A MetadataExtractor that extracts metadata for application mode.
*/
class ApplicationModeMetadataExtractor extends string {
ApplicationModeMetadataExtractor() { this = "ApplicationModeMetadataExtractor" }
predicate hasMetadata(
Endpoint e, string package, string type, string subtypes, string name, string signature,
string input
) {
exists(Call call, Callable callable, int argIdx |
call.getCallee() = callable and
(
e.asExpr() = call.getArgument(argIdx)
or
e.asExpr() = call.getQualifier() and argIdx = -1
) and
input = AutomodelJavaUtil::getArgumentForIndex(argIdx) and
package = callable.getDeclaringType().getPackage().getName() and
// we're using the erased types because the MaD convention is to not specify type parameters.
// Whether something is or isn't a sink doesn't usually depend on the type parameters.
type = callable.getDeclaringType().getErasure().(RefType).nestedName() and
subtypes = AutomodelJavaUtil::considerSubtypes(callable).toString() and
name = callable.getName() and
signature = ExternalFlow::paramsString(callable)
)
}
}
/*
* EndpointCharacteristic classes that are specific to Automodel for Java.
*/
/**
* A negative characteristic that indicates that an is-style boolean method is unexploitable even if it is a sink.
*
* A sink is highly unlikely to be exploitable if its callable's name starts with `is` and the callable has a boolean return
* type (e.g. `isDirectory`). These kinds of calls normally do only checks, and appear before the proper call that does
* the dangerous/interesting thing, so we want the latter to be modeled as the sink.
*
* TODO: this might filter too much, it's possible that methods with more than one parameter contain interesting sinks
*/
private class UnexploitableIsCharacteristic extends CharacteristicsImpl::NotASinkCharacteristic {
UnexploitableIsCharacteristic() { this = "unexploitable (is-style boolean method)" }
override predicate appliesToEndpoint(Endpoint e) {
not ApplicationCandidatesImpl::isSink(e, _) and
ApplicationModeGetCallable::getCallable(e).getName().matches("is%") and
ApplicationModeGetCallable::getCallable(e).getReturnType() instanceof BooleanType
}
}
/**
* A negative characteristic that indicates that an existence-checking boolean method is unexploitable even if it is a
* sink.
*
* A sink is highly unlikely to be exploitable if its callable's name is `exists` or `notExists` and the callable has a
* boolean return type. These kinds of calls normally do only checks, and appear before the proper call that does the
* dangerous/interesting thing, so we want the latter to be modeled as the sink.
*/
private class UnexploitableExistsCharacteristic extends CharacteristicsImpl::NotASinkCharacteristic {
UnexploitableExistsCharacteristic() { this = "unexploitable (existence-checking boolean method)" }
override predicate appliesToEndpoint(Endpoint e) {
not ApplicationCandidatesImpl::isSink(e, _) and
exists(Callable callable |
callable = ApplicationModeGetCallable::getCallable(e) and
callable.getName().toLowerCase() = ["exists", "notexists"] and
callable.getReturnType() instanceof BooleanType
)
}
}
/**
* A negative characteristic that indicates that an endpoint is an argument to an exception, which is not a sink.
*/
private class ExceptionCharacteristic extends CharacteristicsImpl::NotASinkCharacteristic {
ExceptionCharacteristic() { this = "exception" }
override predicate appliesToEndpoint(Endpoint e) {
ApplicationModeGetCallable::getCallable(e).getDeclaringType().getASupertype*() instanceof
TypeThrowable
}
}
/**
* A negative characteristic that indicates that an endpoint is a MaD taint step. MaD modeled taint steps are global,
* so they are not sinks for any query. Non-MaD taint steps might be specific to a particular query, so we don't
* filter those out.
*/
private class IsMaDTaintStepCharacteristic extends CharacteristicsImpl::NotASinkCharacteristic {
IsMaDTaintStepCharacteristic() { this = "taint step" }
override predicate appliesToEndpoint(Endpoint e) {
FlowSummaryImpl::Private::Steps::summaryThroughStepValue(e, _, _) or
FlowSummaryImpl::Private::Steps::summaryThroughStepTaint(e, _, _) or
FlowSummaryImpl::Private::Steps::summaryGetterStep(e, _, _, _) or
FlowSummaryImpl::Private::Steps::summarySetterStep(e, _, _, _)
}
}
/**
* A negative characteristic that filters out qualifiers that are classes (i.e. static calls). These
* are unlikely to have any non-trivial flow going into them.
*
* Technically, an accessed type _could_ come from outside of the source code, but there's not
* much likelihood of that being user-controlled.
*/
private class ClassQualifierCharacteristic extends CharacteristicsImpl::NotASinkCharacteristic {
ClassQualifierCharacteristic() { this = "class qualifier" }
override predicate appliesToEndpoint(Endpoint e) {
exists(Call c |
e.asExpr() = c.getQualifier() and
c.getQualifier() instanceof TypeAccess
)
}
}
/**
* A call to a method that's known locally will not be considered as a candidate to model.
*
* The reason is that we would expect data/taint flow into the method implementation to uncover
* any sinks that are present there.
*/
private class ArgumentToLocalCall extends CharacteristicsImpl::UninterestingToModelCharacteristic {
ArgumentToLocalCall() { this = "argument to local call" }
override predicate appliesToEndpoint(Endpoint e) {
ApplicationModeGetCallable::getCallable(e).fromSource()
}
}
/**
* A Characteristic that marks endpoints as uninteresting to model, according to the Java ModelExclusions module.
*/
private class ExcludedFromModeling extends CharacteristicsImpl::UninterestingToModelCharacteristic {
ExcludedFromModeling() { this = "excluded from modeling" }
override predicate appliesToEndpoint(Endpoint e) {
ModelExclusions::isUninterestingForModels(ApplicationModeGetCallable::getCallable(e))
}
}
/**
* A negative characteristic that filters out non-public methods. Non-public methods are not interesting to include in
* the standard Java modeling, because they cannot be called from outside the package.
*/
private class NonPublicMethodCharacteristic extends CharacteristicsImpl::UninterestingToModelCharacteristic
{
NonPublicMethodCharacteristic() { this = "non-public method" }
override predicate appliesToEndpoint(Endpoint e) {
not ApplicationModeGetCallable::getCallable(e).isPublic()
}
}
/**
* A negative characteristic that indicates that an endpoint is a non-sink argument to a method whose sinks have already
* been modeled.
*
* WARNING: These endpoints should not be used as negative samples for training, because some sinks may have been missed
* when the method was modeled. Specifically, as we start using ATM to merge in new declarations, we can be less sure
* that a method with one argument modeled as a MaD sink has also had its remaining arguments manually reviewed. The
* ML model might have predicted argument 0 of some method to be a sink but not argument 1, when in fact argument 1 is
* also a sink.
*/
private class OtherArgumentToModeledMethodCharacteristic extends CharacteristicsImpl::LikelyNotASinkCharacteristic
{
OtherArgumentToModeledMethodCharacteristic() {
this = "other argument to a method that has already been modeled"
}
override predicate appliesToEndpoint(Endpoint e) {
not ApplicationCandidatesImpl::isSink(e, _) and
exists(DataFlow::Node otherSink |
ApplicationCandidatesImpl::isSink(otherSink, _) and
e.asExpr() = otherSink.asExpr().(Argument).getCall().getAnArgument() and
e != otherSink
)
}
}
/**
* A characteristic that marks functional expression as likely not sinks.
*
* These expressions may well _contain_ sinks, but rarely are sinks themselves.
*/
private class FunctionValueCharacteristic extends CharacteristicsImpl::LikelyNotASinkCharacteristic {
FunctionValueCharacteristic() { this = "function value" }
override predicate appliesToEndpoint(Endpoint e) { e.asExpr() instanceof FunctionalExpr }
}
/**
* A negative characteristic that indicates that an endpoint is not a `to` node for any known taint step. Such a node
* cannot be tainted, because taint can't flow into it.
*
* WARNING: These endpoints should not be used as negative samples for training, because they may include sinks for
* which our taint tracking modeling is incomplete.
*/
private class CannotBeTaintedCharacteristic extends CharacteristicsImpl::LikelyNotASinkCharacteristic
{
CannotBeTaintedCharacteristic() { this = "cannot be tainted" }
override predicate appliesToEndpoint(Endpoint e) { not this.isKnownOutNodeForStep(e) }
/**
* Holds if the node `n` is known as the predecessor in a modeled flow step.
*/
private predicate isKnownOutNodeForStep(Endpoint e) {
e.asExpr() instanceof Call or // we just assume flow in that case
TaintTracking::localTaintStep(_, e) or
FlowSummaryImpl::Private::Steps::summaryThroughStepValue(_, e, _) or
FlowSummaryImpl::Private::Steps::summaryThroughStepTaint(_, e, _) or
FlowSummaryImpl::Private::Steps::summaryGetterStep(_, _, e, _) or
FlowSummaryImpl::Private::Steps::summarySetterStep(_, _, e, _)
}
}
/**
* Holds if the given endpoint has a self-contradictory combination of characteristics. Detects errors in our endpoint
* characteristics. Lists the problematic characteristics and their implications for all such endpoints, together with
* an error message indicating why this combination is problematic.
*
* Copied from
* javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/ContradictoryEndpointCharacteristics.ql
*/
predicate erroneousEndpoints(
Endpoint endpoint, EndpointCharacteristic characteristic,
AutomodelEndpointTypes::EndpointType endpointType, float confidence, string errorMessage,
boolean ignoreKnownModelingErrors
) {
// An endpoint's characteristics should not include positive indicators with medium/high confidence for more than one
// sink/source type (including the negative type).
exists(
EndpointCharacteristic characteristic2, AutomodelEndpointTypes::EndpointType endpointClass2,
float confidence2
|
endpointType != endpointClass2 and
(
endpointType instanceof AutomodelEndpointTypes::SinkType and
endpointClass2 instanceof AutomodelEndpointTypes::SinkType
or
endpointType instanceof AutomodelEndpointTypes::SourceType and
endpointClass2 instanceof AutomodelEndpointTypes::SourceType
) and
characteristic.appliesToEndpoint(endpoint) and
characteristic2.appliesToEndpoint(endpoint) and
characteristic.hasImplications(endpointType, true, confidence) and
characteristic2.hasImplications(endpointClass2, true, confidence2) and
confidence > SharedCharacteristics::mediumConfidence() and
confidence2 > SharedCharacteristics::mediumConfidence() and
(
ignoreKnownModelingErrors = true and
not knownOverlappingCharacteristics(characteristic, characteristic2)
or
ignoreKnownModelingErrors = false
)
) and
errorMessage = "Endpoint has high-confidence positive indicators for multiple classes"
or
// An endpoint's characteristics should not include positive indicators with medium/high confidence for some class and
// also include negative indicators with medium/high confidence for this same class.
exists(EndpointCharacteristic characteristic2, float confidence2 |
characteristic.appliesToEndpoint(endpoint) and
characteristic2.appliesToEndpoint(endpoint) and
characteristic.hasImplications(endpointType, true, confidence) and
characteristic2.hasImplications(endpointType, false, confidence2) and
confidence > SharedCharacteristics::mediumConfidence() and
confidence2 > SharedCharacteristics::mediumConfidence()
) and
ignoreKnownModelingErrors = false and
errorMessage = "Endpoint has high-confidence positive and negative indicators for the same class"
}
/**
* Holds if `characteristic1` and `characteristic2` are among the pairs of currently known positive characteristics that
* have some overlap in their results. This indicates a problem with the underlying Java modeling. Specifically,
* `PathCreation` is prone to FPs.
*/
private predicate knownOverlappingCharacteristics(
EndpointCharacteristic characteristic1, EndpointCharacteristic characteristic2
) {
characteristic1 != characteristic2 and
characteristic1 = ["mad taint step", "create path", "read file", "known non-sink"] and
characteristic2 = ["mad taint step", "create path", "read file", "known non-sink"]
}

49
java/ql/src/Telemetry/AutomodelApplicationModeExtractCandidates.ql Normal file
View File

@@ -0,0 +1,49 @@
/**
* Surfaces the endpoints that are not already known to be sinks, and are therefore used as candidates for
* classification with an ML model.
*
* Note: This query does not actually classify the endpoints using the model.
*
* @name Automodel candidates (application mode)
* @description A query to extract automodel candidates in application mode.
* @kind problem
* @problem.severity recommendation
* @id java/ml/extract-automodel-application-candidates
* @tags internal extract automodel application-mode candidates
*/
private import AutomodelApplicationModeCharacteristics
private import AutomodelJavaUtil
from
Endpoint endpoint, string message, ApplicationModeMetadataExtractor meta, DollarAtString package,
DollarAtString type, DollarAtString subtypes, DollarAtString name, DollarAtString signature,
DollarAtString input
where
not exists(CharacteristicsImpl::UninterestingToModelCharacteristic u |
u.appliesToEndpoint(endpoint)
) and
// If a node is already a known sink for any of our existing ATM queries and is already modeled as a MaD sink, we
// don't include it as a candidate. Otherwise, we might include it as a candidate for query A, but the model will
// label it as a sink for one of the sink types of query B, for which it's already a known sink. This would result in
// overlap between our detected sinks and the pre-existing modeling. We assume that, if a sink has already been
// modeled in a MaD model, then it doesn't belong to any additional sink types, and we don't need to reexamine it.
not CharacteristicsImpl::isSink(endpoint, _) and
meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input) and
// The message is the concatenation of all sink types for which this endpoint is known neither to be a sink nor to be
// a non-sink, and we surface only endpoints that have at least one such sink type.
message =
strictconcat(AutomodelEndpointTypes::SinkType sinkType |
not CharacteristicsImpl::isKnownSink(endpoint, sinkType) and
CharacteristicsImpl::isSinkCandidate(endpoint, sinkType)
|
sinkType, ", "
)
select endpoint, message + "\nrelated locations: $@." + "\nmetadata: $@, $@, $@, $@, $@, $@.", //
CharacteristicsImpl::getRelatedLocationOrCandidate(endpoint, CallContext()), "CallContext", //
package, "package", //
type, "type", //
subtypes, "subtypes", //
name, "name", // method name
signature, "signature", //
input, "input" //

73
java/ql/src/Telemetry/AutomodelApplicationModeExtractNegativeExamples.ql Normal file
View File

@@ -0,0 +1,73 @@
/**
* Surfaces endpoints that are non-sinks with high confidence, for use as negative examples in the prompt.
*
* @name Negative examples (application mode)
* @kind problem
* @problem.severity recommendation
* @id java/ml/extract-automodel-application-negative-examples
* @tags internal extract automodel application-mode negative examples
*/
private import java
private import AutomodelApplicationModeCharacteristics
private import AutomodelEndpointTypes
private import AutomodelJavaUtil
/**
* Gets a sample of endpoints (of at most `limit` samples) for which the given characteristic applies.
*
* The main purpose of this helper predicate is to avoid selecting too many samples, as this may
* cause the SARIF file to exceed the maximum size limit.
*/
bindingset[limit]
Endpoint getSampleForCharacteristic(EndpointCharacteristic c, int limit) {
exists(int n, int num_endpoints | num_endpoints = count(Endpoint e | c.appliesToEndpoint(e)) |
result =
rank[n](Endpoint e, Location loc |
loc = e.getLocation() and c.appliesToEndpoint(e)
|
e
order by
loc.getFile().getAbsolutePath(), loc.getStartLine(), loc.getStartColumn(),
loc.getEndLine(), loc.getEndColumn()
) and
// To avoid selecting samples that are too close together (as the ranking above goes by file
// path first), we select `limit` evenly spaced samples from the ranked list of endpoints. By
// default this would always include the first sample, so we add a random-chosen prime offset
// to the first sample index, and reduce modulo the number of endpoints.
// Finally, we add 1 to the result, as ranking results in a 1-indexed relation.
n = 1 + (([0 .. limit - 1] * (num_endpoints / limit).floor() + 46337) % num_endpoints)
)
}
from
Endpoint endpoint, EndpointCharacteristic characteristic, float confidence, string message,
ApplicationModeMetadataExtractor meta, DollarAtString package, DollarAtString type,
DollarAtString subtypes, DollarAtString name, DollarAtString signature, DollarAtString input
where
endpoint = getSampleForCharacteristic(characteristic, 100) and
confidence >= SharedCharacteristics::highConfidence() and
characteristic.hasImplications(any(NegativeSinkType negative), true, confidence) and
// Exclude endpoints that have contradictory endpoint characteristics, because we only want examples we're highly
// certain about in the prompt.
not erroneousEndpoints(endpoint, _, _, _, _, false) and
meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input) and
// It's valid for a node to satisfy the logic for both `isSink` and `isSanitizer`, but in that case it will be
// treated by the actual query as a sanitizer, since the final logic is something like
// `isSink(n) and not isSanitizer(n)`. We don't want to include such nodes as negative examples in the prompt, because
// they're ambiguous and might confuse the model, so we explicitly exclude all known sinks from the negative examples.
not exists(EndpointCharacteristic characteristic2, float confidence2, SinkType positiveType |
not positiveType instanceof NegativeSinkType and
characteristic2.appliesToEndpoint(endpoint) and
confidence2 >= SharedCharacteristics::maximalConfidence() and
characteristic2.hasImplications(positiveType, true, confidence2)
) and
message = characteristic
select endpoint, message + "\nrelated locations: $@." + "\nmetadata: $@, $@, $@, $@, $@, $@.", //
CharacteristicsImpl::getRelatedLocationOrCandidate(endpoint, CallContext()), "CallContext", //
package, "package", //
type, "type", //
subtypes, "subtypes", //
name, "name", //
signature, "signature", //
input, "input" //

33
java/ql/src/Telemetry/AutomodelApplicationModeExtractPositiveExamples.ql Normal file
View File

@@ -0,0 +1,33 @@
/**
* Surfaces endpoints that are sinks with high confidence, for use as positive examples in the prompt.
*
* @name Positive examples (application mode)
* @kind problem
* @problem.severity recommendation
* @id java/ml/extract-automodel-application-positive-examples
* @tags internal extract automodel application-mode positive examples
*/
private import AutomodelApplicationModeCharacteristics
private import AutomodelEndpointTypes
private import AutomodelJavaUtil
from
Endpoint endpoint, SinkType sinkType, ApplicationModeMetadataExtractor meta,
DollarAtString package, DollarAtString type, DollarAtString subtypes, DollarAtString name,
DollarAtString signature, DollarAtString input
where
// Exclude endpoints that have contradictory endpoint characteristics, because we only want examples we're highly
// certain about in the prompt.
not erroneousEndpoints(endpoint, _, _, _, _, false) and
meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input) and
// Extract positive examples of sinks belonging to the existing ATM query configurations.
CharacteristicsImpl::isKnownSink(endpoint, sinkType)
select endpoint, sinkType + "\nrelated locations: $@." + "\nmetadata: $@, $@, $@, $@, $@, $@.", //
CharacteristicsImpl::getRelatedLocationOrCandidate(endpoint, CallContext()), "CallContext", //
package, "package", //
type, "type", //
subtypes, "subtypes", //
name, "name", //
signature, "signature", //
input, "input" //

106
java/ql/src/Telemetry/AutomodelFrameworkModeCharacteristics.qll
View File

@@ -14,23 +14,11 @@ private import semmle.code.java.Expr as Expr
private import semmle.code.java.security.QueryInjection
private import semmle.code.java.security.RequestForgery
private import semmle.code.java.dataflow.internal.ModelExclusions as ModelExclusions
private import AutomodelJavaUtil as AutomodelJavaUtil
private import AutomodelSharedGetCallable as AutomodelSharedGetCallable
import AutomodelSharedCharacteristics as SharedCharacteristics
import AutomodelEndpointTypes as AutomodelEndpointTypes
/**
* A meta data extractor. Any Java extraction mode needs to implement exactly
* one instance of this class.
*/
abstract class MetadataExtractor extends string {
bindingset[this]
MetadataExtractor() { any() }
abstract predicate hasMetadata(
DataFlow::ParameterNode e, string package, string type, boolean subtypes, string name,
string signature, int input, string parameterName
);
}
newtype JavaRelatedLocationType =
MethodDoc() or
ClassDoc()
@@ -60,31 +48,7 @@ module FrameworkCandidatesImpl implements SharedCharacteristics::CandidateSig {
RelatedLocation asLocation(Endpoint e) { result = e.asParameter() }
predicate isKnownKind(string kind, string humanReadableKind, EndpointType type) {
kind = "read-file" and
humanReadableKind = "read file" and
type instanceof AutomodelEndpointTypes::TaintedPathSinkType
or
kind = "create-file" and
humanReadableKind = "create file" and
type instanceof AutomodelEndpointTypes::TaintedPathSinkType
or
kind = "sql" and
humanReadableKind = "mad modeled sql" and
type instanceof AutomodelEndpointTypes::SqlSinkType
or
kind = "open-url" and
humanReadableKind = "open url" and
type instanceof AutomodelEndpointTypes::RequestForgerySinkType
or
kind = "jdbc-url" and
humanReadableKind = "jdbc url" and
type instanceof AutomodelEndpointTypes::RequestForgerySinkType
or
kind = "command-injection" and
humanReadableKind = "command injection" and
type instanceof AutomodelEndpointTypes::CommandInjectionSinkType
}
predicate isKnownKind = AutomodelJavaUtil::isKnownKind/3;
predicate isSink(Endpoint e, string kind) {
exists(string package, string type, string name, string signature, string ext, string input |
@@ -103,33 +67,41 @@ module FrameworkCandidatesImpl implements SharedCharacteristics::CandidateSig {
additional predicate sinkSpec(
Endpoint e, string package, string type, string name, string signature, string ext, string input
) {
FrameworkCandidatesImpl::getCallable(e).hasQualifiedName(package, type, name) and
signature = ExternalFlow::paramsString(getCallable(e)) and
FrameworkModeGetCallable::getCallable(e).hasQualifiedName(package, type, name) and
signature = ExternalFlow::paramsString(FrameworkModeGetCallable::getCallable(e)) and
ext = "" and
exists(int paramIdx | e.isParameterOf(_, paramIdx) |
if paramIdx = -1 then input = "Argument[this]" else input = "Argument[" + paramIdx + "]"
input = AutomodelJavaUtil::getArgumentForIndex(paramIdx)
)
}
/**
* Returns the related location for the given endpoint.
* Gets the related location for the given endpoint.
*
* Related locations can be JavaDoc comments of the class or the method.
*/
RelatedLocation getRelatedLocation(Endpoint e, RelatedLocationType type) {
type = MethodDoc() and
result = FrameworkCandidatesImpl::getCallable(e).(Documentable).getJavadoc()
result = FrameworkModeGetCallable::getCallable(e).(Documentable).getJavadoc()
or
type = ClassDoc() and
result = FrameworkCandidatesImpl::getCallable(e).getDeclaringType().(Documentable).getJavadoc()
result = FrameworkModeGetCallable::getCallable(e).getDeclaringType().(Documentable).getJavadoc()
}
}
private class JavaCallable = Callable;
private module FrameworkModeGetCallable implements AutomodelSharedGetCallable::GetCallableSig {
class Callable = JavaCallable;
class Endpoint = FrameworkCandidatesImpl::Endpoint;
/**
* Returns the callable that contains the given endpoint.
*
* Each Java mode should implement this predicate.
*/
additional Callable getCallable(Endpoint e) { result = e.getEnclosingCallable() }
Callable getCallable(Endpoint e) { result = e.getEnclosingCallable() }
}
module CharacteristicsImpl = SharedCharacteristics::SharedCharacteristics<FrameworkCandidatesImpl>;
@@ -145,35 +117,19 @@ class Endpoint = FrameworkCandidatesImpl::Endpoint;
/**
* A MetadataExtractor that extracts metadata for framework mode.
*/
class FrameworkModeMetadataExtractor extends MetadataExtractor {
class FrameworkModeMetadataExtractor extends string {
FrameworkModeMetadataExtractor() { this = "FrameworkModeMetadataExtractor" }
/**
* By convention, the subtypes property of the MaD declaration should only be
* true when there _can_ exist any subtypes with a different implementation.
*
* It would technically be ok to always use the value 'true', but this would
* break convention.
*/
boolean considerSubtypes(Callable callable) {
if
callable.isStatic() or
callable.getDeclaringType().isStatic() or
callable.isFinal() or
callable.getDeclaringType().isFinal()
then result = false
else result = true
}
override predicate hasMetadata(
Endpoint e, string package, string type, boolean subtypes, string name, string signature,
int input, string parameterName
predicate hasMetadata(
Endpoint e, string package, string type, string subtypes, string name, string signature,
string input, string parameterName
) {
exists(Callable callable |
e.asParameter() = callable.getParameter(input) and
exists(Callable callable, int paramIdx |
e.asParameter() = callable.getParameter(paramIdx) and
input = AutomodelJavaUtil::getArgumentForIndex(paramIdx) and
package = callable.getDeclaringType().getPackage().getName() and
type = callable.getDeclaringType().getErasure().(RefType).nestedName() and
subtypes = this.considerSubtypes(callable) and
subtypes = AutomodelJavaUtil::considerSubtypes(callable).toString() and
name = callable.getName() and
parameterName = e.asParameter().getName() and
signature = ExternalFlow::paramsString(callable)
@@ -199,8 +155,8 @@ private class UnexploitableIsCharacteristic extends CharacteristicsImpl::NotASin
override predicate appliesToEndpoint(Endpoint e) {
not FrameworkCandidatesImpl::isSink(e, _) and
FrameworkCandidatesImpl::getCallable(e).getName().matches("is%") and
FrameworkCandidatesImpl::getCallable(e).getReturnType() instanceof BooleanType
FrameworkModeGetCallable::getCallable(e).getName().matches("is%") and
FrameworkModeGetCallable::getCallable(e).getReturnType() instanceof BooleanType
}
}
@@ -218,7 +174,7 @@ private class UnexploitableExistsCharacteristic extends CharacteristicsImpl::Not
override predicate appliesToEndpoint(Endpoint e) {
not FrameworkCandidatesImpl::isSink(e, _) and
exists(Callable callable |
callable = FrameworkCandidatesImpl::getCallable(e) and
callable = FrameworkModeGetCallable::getCallable(e) and
callable.getName().toLowerCase() = ["exists", "notexists"] and
callable.getReturnType() instanceof BooleanType
)
@@ -232,7 +188,7 @@ private class ExceptionCharacteristic extends CharacteristicsImpl::NotASinkChara
ExceptionCharacteristic() { this = "exception" }
override predicate appliesToEndpoint(Endpoint e) {
FrameworkCandidatesImpl::getCallable(e).getDeclaringType().getASupertype*() instanceof
FrameworkModeGetCallable::getCallable(e).getDeclaringType().getASupertype*() instanceof
TypeThrowable
}
}
@@ -258,7 +214,7 @@ private class NonPublicMethodCharacteristic extends CharacteristicsImpl::Uninter
NonPublicMethodCharacteristic() { this = "non-public method" }
override predicate appliesToEndpoint(Endpoint e) {
not FrameworkCandidatesImpl::getCallable(e).isPublic()
not FrameworkModeGetCallable::getCallable(e).isPublic()
}
}

31
java/ql/src/Telemetry/AutomodelFrameworkModeExtractCandidates.ql
View File

@@ -4,20 +4,21 @@
*
* Note: This query does not actually classify the endpoints using the model.
*
* @name Automodel candidates
* @description A query to extract automodel candidates.
* @name Automodel candidates (framework mode)
* @description A query to extract automodel candidates in framework mode.
* @kind problem
* @severity info
* @id java/ml/extract-automodel-candidates
* @tags internal automodel extract candidates
* @problem.severity recommendation
* @id java/ml/extract-automodel-framework-candidates
* @tags internal extract automodel framework-mode candidates
*/
private import AutomodelFrameworkModeCharacteristics
private import AutomodelSharedUtil
private import AutomodelJavaUtil
from
Endpoint endpoint, string message, MetadataExtractor meta, string package, string type,
boolean subtypes, string name, string signature, int input, string parameterName
Endpoint endpoint, string message, FrameworkModeMetadataExtractor meta, DollarAtString package,
DollarAtString type, DollarAtString subtypes, DollarAtString name, DollarAtString signature,
DollarAtString input, DollarAtString parameterName
where
not exists(CharacteristicsImpl::UninterestingToModelCharacteristic u |
u.appliesToEndpoint(endpoint)
@@ -42,10 +43,10 @@ select endpoint,
message + "\nrelated locations: $@, $@." + "\nmetadata: $@, $@, $@, $@, $@, $@, $@.", //
CharacteristicsImpl::getRelatedLocationOrCandidate(endpoint, MethodDoc()), "MethodDoc", //
CharacteristicsImpl::getRelatedLocationOrCandidate(endpoint, ClassDoc()), "ClassDoc", //
package.(DollarAtString), "package", //
type.(DollarAtString), "type", //
subtypes.toString().(DollarAtString), "subtypes", //
name.(DollarAtString), "name", //
signature.(DollarAtString), "signature", //
input.toString().(DollarAtString), "input", //
parameterName.(DollarAtString), "parameterName" //
package, "package", //
type, "type", //
subtypes, "subtypes", //
name, "name", //
signature, "signature", //
input, "input", //
parameterName, "parameterName" //

31
java/ql/src/Telemetry/AutomodelFrameworkModeExtractNegativeExamples.ql
View File

@@ -1,21 +1,22 @@
/**
* Surfaces endpoints that are non-sinks with high confidence, for use as negative examples in the prompt.
*
* @name Negative examples (experimental)
* @name Negative examples (framework mode)
* @kind problem
* @severity info
* @id java/ml/non-sink
* @tags internal automodel extract examples negative
* @problem.severity recommendation
* @id java/ml/extract-automodel-framework-negative-examples
* @tags internal extract automodel framework-mode negative examples
*/
private import AutomodelFrameworkModeCharacteristics
private import AutomodelEndpointTypes
private import AutomodelSharedUtil
private import AutomodelJavaUtil
from
Endpoint endpoint, EndpointCharacteristic characteristic, float confidence, string message,
MetadataExtractor meta, string package, string type, boolean subtypes, string name,
string signature, int input, string parameterName
Endpoint endpoint, EndpointCharacteristic characteristic, float confidence,
DollarAtString message, FrameworkModeMetadataExtractor meta, DollarAtString package,
DollarAtString type, DollarAtString subtypes, DollarAtString name, DollarAtString signature,
DollarAtString input, DollarAtString parameterName
where
characteristic.appliesToEndpoint(endpoint) and
confidence >= SharedCharacteristics::highConfidence() and
@@ -39,10 +40,10 @@ select endpoint,
message + "\nrelated locations: $@, $@." + "\nmetadata: $@, $@, $@, $@, $@, $@, $@.", //
CharacteristicsImpl::getRelatedLocationOrCandidate(endpoint, MethodDoc()), "MethodDoc", //
CharacteristicsImpl::getRelatedLocationOrCandidate(endpoint, ClassDoc()), "ClassDoc", //
package.(DollarAtString), "package", //
type.(DollarAtString), "type", //
subtypes.toString().(DollarAtString), "subtypes", //
name.(DollarAtString), "name", //
signature.(DollarAtString), "signature", //
input.toString().(DollarAtString), "input", //
parameterName.(DollarAtString), "parameterName" //
package, "package", //
type, "type", //
subtypes, "subtypes", //
name, "name", //
signature, "signature", //
input, "input", //
parameterName, "parameterName" //

29
java/ql/src/Telemetry/AutomodelFrameworkModeExtractPositiveExamples.ql
View File

@@ -1,20 +1,21 @@
/**
* Surfaces endpoints that are sinks with high confidence, for use as positive examples in the prompt.
*
* @name Positive examples (experimental)
* @name Positive examples (framework mode)
* @kind problem
* @severity info
* @id java/ml/known-sink
* @tags internal automodel extract examples positive
* @problem.severity recommendation
* @id java/ml/extract-automodel-framework-positive-examples
* @tags internal extract automodel framework-mode positive examples
*/
private import AutomodelFrameworkModeCharacteristics
private import AutomodelEndpointTypes
private import AutomodelSharedUtil
private import AutomodelJavaUtil
from
Endpoint endpoint, SinkType sinkType, MetadataExtractor meta, string package, string type,
boolean subtypes, string name, string signature, int input, string parameterName
Endpoint endpoint, SinkType sinkType, FrameworkModeMetadataExtractor meta, DollarAtString package,
DollarAtString type, DollarAtString subtypes, DollarAtString name, DollarAtString signature,
DollarAtString input, DollarAtString parameterName
where
// Exclude endpoints that have contradictory endpoint characteristics, because we only want examples we're highly
// certain about in the prompt.
@@ -26,10 +27,10 @@ select endpoint,
sinkType + "\nrelated locations: $@, $@." + "\nmetadata: $@, $@, $@, $@, $@, $@, $@.", //
CharacteristicsImpl::getRelatedLocationOrCandidate(endpoint, MethodDoc()), "MethodDoc", //
CharacteristicsImpl::getRelatedLocationOrCandidate(endpoint, ClassDoc()), "ClassDoc", //
package.(DollarAtString), "package", //
type.(DollarAtString), "type", //
subtypes.toString().(DollarAtString), "subtypes", //
name.(DollarAtString), "name", //
signature.(DollarAtString), "signature", //
input.toString().(DollarAtString), "input", //
parameterName.(DollarAtString), "parameterName" //
package, "package", //
type, "type", //
subtypes, "subtypes", //
name, "name", //
signature, "signature", //
input, "input", //
parameterName, "parameterName" //

81
java/ql/src/Telemetry/AutomodelJavaUtil.qll Normal file
View File

@@ -0,0 +1,81 @@
private import java
private import AutomodelEndpointTypes as AutomodelEndpointTypes
/**
* A helper class to represent a string value that can be returned by a query using $@ notation.
*
* It extends `string`, but adds a mock `hasLocationInfo` method that returns the string itself as the file name.
*
* Use this, when you want to return a string value from a query using $@ notation - the string value
* will be included in the sarif file.
*
*
* Background information on `hasLocationInfo`:
* https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/#providing-location-information
*/
class DollarAtString extends string {
bindingset[this]
DollarAtString() { any() }
bindingset[this]
predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
path = this and sl = 1 and sc = 1 and el = 1 and ec = 1
}
}
/**
* Holds for all combinations of MaD kinds (`kind`) and their human readable
* descriptions.
*/
predicate isKnownKind(
string kind, string humanReadableKind, AutomodelEndpointTypes::EndpointType type
) {
kind = "read-file" and
humanReadableKind = "read file" and
type instanceof AutomodelEndpointTypes::TaintedPathSinkType
or
kind = "create-file" and
humanReadableKind = "create file" and
type instanceof AutomodelEndpointTypes::TaintedPathSinkType
or
kind = "sql" and
humanReadableKind = "mad modeled sql" and
type instanceof AutomodelEndpointTypes::SqlSinkType
or
kind = "open-url" and
humanReadableKind = "open url" and
type instanceof AutomodelEndpointTypes::RequestForgerySinkType
or
kind = "jdbc-url" and
humanReadableKind = "jdbc url" and
type instanceof AutomodelEndpointTypes::RequestForgerySinkType
or
kind = "command-injection" and
humanReadableKind = "command injection" and
type instanceof AutomodelEndpointTypes::CommandInjectionSinkType
}
/** Gets the models-as-data description for the method argument with the index `index`. */
bindingset[index]
string getArgumentForIndex(int index) {
index = -1 and result = "Argument[this]"
or
index >= 0 and result = "Argument[" + index + "]"
}
/**
* By convention, the subtypes property of the MaD declaration should only be
* true when there _can_ exist any subtypes with a different implementation.
*
* It would technically be ok to always use the value 'true', but this would
* break convention.
*/
boolean considerSubtypes(Callable callable) {
if
callable.isStatic() or
callable.getDeclaringType().isStatic() or
callable.isFinal() or
callable.getDeclaringType().isFinal()
then result = false
else result = true
}

21
java/ql/src/Telemetry/AutomodelSharedGetCallable.qll Normal file
View File

@@ -0,0 +1,21 @@
/**
* An automodel extraction mode instantiates this interface to define how to access
* the callable that's associated with an endpoint.
*/
signature module GetCallableSig {
/**
* A callable is the definition of a method, function, etc. - something that can be called.
*/
class Callable;
/**
* An endpoint is a potential candidate for modeling. This will typically be bound to the language's
* DataFlow node class, or a subtype thereof.
*/
class Endpoint;
/**
* Gets the callable that's associated with the given endpoint.
*/
Callable getCallable(Endpoint endpoint);
}

21
java/ql/src/Telemetry/AutomodelSharedUtil.qll
View File

@@ -1,21 +0,0 @@
/**
* A helper class to represent a string value that can be returned by a query using $@ notation.
*
* It extends `string`, but adds a mock `hasLocationInfo` method that returns the string itself as the file name.
*
* Use this, when you want to return a string value from a query using $@ notation - the string value
* will be included in the sarif file.
*
*
* Background information on `hasLocationInfo`:
* https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/#providing-location-information
*/
class DollarAtString extends string {
bindingset[this]
DollarAtString() { any() }
bindingset[this]
predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
path = this and sl = 1 and sc = 1 and el = 1 and ec = 1
}
}

2
java/ql/src/Violations of Best Practice/Implementation Hiding/ExposeRepresentation.ql
View File

@@ -128,4 +128,4 @@ where
not exists(Property p | p.getBackingField() = f)
select c,
c.getName() + " exposes the internal representation stored in field " + f.getName() +
". The value may be modified $@.", why.getLocation(), whyText
". The value may be modified $@.", why, whyText

4
java/ql/src/change-notes/2023-06-05-lines-of-code.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The `java/summary/lines-of-code` query now only counts lines of Java code. The new `java/summary/lines-of-code-kotlin` counts lines of Kotlin code.

3
java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
View File

@@ -16,7 +16,6 @@ import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.ExternalFlow
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.PathCreation
import JFinalController
import semmle.code.java.security.PathSanitizer
import InjectFilePathFlow::PathGraph
@@ -52,7 +51,7 @@ module InjectFilePathConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSink(DataFlow::Node sink) {
sink.asExpr() = any(PathCreation p).getAnInput() and
sinkNode(sink, "path-injection") and
not sink instanceof NormalizedPathNode
}

3
java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll
View File

@@ -56,9 +56,6 @@ predicate myBatisMapperXmlElementFromMethod(Method method, MyBatisMapperXmlEleme
)
}
/** DEPRECATED: Alias for myBatisMapperXmlElementFromMethod */
deprecated predicate myBatisMapperXMLElementFromMethod = myBatisMapperXmlElementFromMethod/2;
/** Holds if the specified `method` has Ibatis Sql operation annotation `isoa`. */
predicate myBatisSqlOperationAnnotationFromMethod(Method method, IbatisSqlOperationAnnotation isoa) {
exists(MyBatisSqlOperationAnnotationMethod msoam |

8
java/ql/src/experimental/Security/CWE/CWE-200/AndroidWebResourceResponse.qll
View File

@@ -55,10 +55,14 @@ class WebResourceResponseSink extends DataFlow::Node {
}
/**
* A value step from the URL argument of `WebView::loadUrl` to the URL parameter of
* A taint step from the URL argument of `WebView::loadUrl` to the URL/WebResourceRequest parameter of
* `WebViewClient::shouldInterceptRequest`.
*
* TODO: This ought to be a value step when it is targeting the URL parameter,
* and it ought to check the parameter type in both cases to ensure that we only
* hit the overloads we intend to.
*/
private class FetchUrlStep extends AdditionalValueStep {
private class FetchUrlStep extends AdditionalTaintStep {
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
exists(
// webview.loadUrl(url) -> webview.setWebViewClient(new WebViewClient() { shouldInterceptRequest(view, url) });

6
java/ql/src/experimental/semmle/code/xml/StrutsXML.qll
View File

@@ -10,9 +10,6 @@ class StrutsXmlFile extends XmlFile {
}
}
/** DEPRECATED: Alias for StrutsXmlFile */
deprecated class StrutsXMLFile = StrutsXmlFile;
/**
* An XML element in a `StrutsXMLFile`.
*/
@@ -25,9 +22,6 @@ class StrutsXmlElement extends XmlElement {
string getValue() { result = this.allCharactersString().trim() }
}
/** DEPRECATED: Alias for StrutsXmlElement */
deprecated class StrutsXMLElement = StrutsXmlElement;
/**
* A `<constant>` element in a `StrutsXMLFile`.
*/

6
java/ql/src/semmle/code/xml/MyBatisMapperXML.qll
View File

@@ -14,9 +14,6 @@ class MyBatisMapperXmlFile extends XmlFile {
}
}
/** DEPRECATED: Alias for MyBatisMapperXmlFile */
deprecated class MyBatisMapperXMLFile = MyBatisMapperXmlFile;
/**
* An XML element in a `MyBatisMapperXMLFile`.
*/
@@ -36,9 +33,6 @@ class MyBatisMapperXmlElement extends XmlElement {
}
}
/** DEPRECATED: Alias for MyBatisMapperXmlElement */
deprecated class MyBatisMapperXMLElement = MyBatisMapperXmlElement;
/**
* An MyBatis Mapper sql operation element.
*/

46
java/ql/test/experimental/query-tests/security/CWE-020/Log4jInjectionTest.expected
View File

@@ -2075,28 +2075,28 @@ edges
| Log4jJndiInjectionTest.java:1085:39:1085:46 | source(...) : String | Log4jJndiInjectionTest.java:1085:25:1085:46 | (...)... |
| Log4jJndiInjectionTest.java:1088:47:1088:54 | source(...) : String | Log4jJndiInjectionTest.java:1088:38:1088:54 | (...)... |
| Log4jJndiInjectionTest.java:1089:53:1089:60 | source(...) : String | Log4jJndiInjectionTest.java:1089:44:1089:60 | (...)... |
| Log4jJndiInjectionTest.java:1091:13:1091:15 | map [post update] : Map [<map.value>] : String | Log4jJndiInjectionTest.java:1092:34:1092:36 | map |
| Log4jJndiInjectionTest.java:1091:28:1091:44 | (...)... : String | Log4jJndiInjectionTest.java:1091:13:1091:15 | map [post update] : Map [<map.value>] : String |
| Log4jJndiInjectionTest.java:1091:13:1091:15 | map [post update] : HashMap [<map.value>] : String | Log4jJndiInjectionTest.java:1092:34:1092:36 | map |
| Log4jJndiInjectionTest.java:1091:28:1091:44 | (...)... : String | Log4jJndiInjectionTest.java:1091:13:1091:15 | map [post update] : HashMap [<map.value>] : String |
| Log4jJndiInjectionTest.java:1091:37:1091:44 | source(...) : String | Log4jJndiInjectionTest.java:1091:28:1091:44 | (...)... : String |
| Log4jJndiInjectionTest.java:1095:31:1095:88 | with(...) : MapMessage | Log4jJndiInjectionTest.java:1096:26:1096:29 | mmsg |
| Log4jJndiInjectionTest.java:1095:71:1095:87 | (...)... : String | Log4jJndiInjectionTest.java:1095:31:1095:88 | with(...) : MapMessage |
| Log4jJndiInjectionTest.java:1095:31:1095:88 | with(...) : StringMapMessage | Log4jJndiInjectionTest.java:1096:26:1096:29 | mmsg |
| Log4jJndiInjectionTest.java:1095:71:1095:87 | (...)... : String | Log4jJndiInjectionTest.java:1095:31:1095:88 | with(...) : StringMapMessage |
| Log4jJndiInjectionTest.java:1095:80:1095:87 | source(...) : String | Log4jJndiInjectionTest.java:1095:71:1095:87 | (...)... : String |
| Log4jJndiInjectionTest.java:1100:13:1100:16 | mmsg [post update] : MapMessage | Log4jJndiInjectionTest.java:1101:26:1101:29 | mmsg |
| Log4jJndiInjectionTest.java:1100:35:1100:51 | (...)... : String | Log4jJndiInjectionTest.java:1100:13:1100:16 | mmsg [post update] : MapMessage |
| Log4jJndiInjectionTest.java:1100:13:1100:16 | mmsg [post update] : StringMapMessage | Log4jJndiInjectionTest.java:1101:26:1101:29 | mmsg |
| Log4jJndiInjectionTest.java:1100:35:1100:51 | (...)... : String | Log4jJndiInjectionTest.java:1100:13:1100:16 | mmsg [post update] : StringMapMessage |
| Log4jJndiInjectionTest.java:1100:44:1100:51 | source(...) : String | Log4jJndiInjectionTest.java:1100:35:1100:51 | (...)... : String |
| Log4jJndiInjectionTest.java:1105:13:1105:16 | mmsg [post update] : MapMessage | Log4jJndiInjectionTest.java:1106:26:1106:29 | mmsg |
| Log4jJndiInjectionTest.java:1105:34:1105:50 | (...)... : String | Log4jJndiInjectionTest.java:1105:13:1105:16 | mmsg [post update] : MapMessage |
| Log4jJndiInjectionTest.java:1105:13:1105:16 | mmsg [post update] : StringMapMessage | Log4jJndiInjectionTest.java:1106:26:1106:29 | mmsg |
| Log4jJndiInjectionTest.java:1105:34:1105:50 | (...)... : String | Log4jJndiInjectionTest.java:1105:13:1105:16 | mmsg [post update] : StringMapMessage |
| Log4jJndiInjectionTest.java:1105:43:1105:50 | source(...) : String | Log4jJndiInjectionTest.java:1105:34:1105:50 | (...)... : String |
| Log4jJndiInjectionTest.java:1111:13:1111:15 | map [post update] : Map [<map.value>] : String | Log4jJndiInjectionTest.java:1112:25:1112:27 | map : Map [<map.value>] : String |
| Log4jJndiInjectionTest.java:1111:33:1111:49 | (...)... : String | Log4jJndiInjectionTest.java:1111:13:1111:15 | map [post update] : Map [<map.value>] : String |
| Log4jJndiInjectionTest.java:1111:13:1111:15 | map [post update] : HashMap [<map.value>] : String | Log4jJndiInjectionTest.java:1112:25:1112:27 | map : HashMap [<map.value>] : String |
| Log4jJndiInjectionTest.java:1111:33:1111:49 | (...)... : String | Log4jJndiInjectionTest.java:1111:13:1111:15 | map [post update] : HashMap [<map.value>] : String |
| Log4jJndiInjectionTest.java:1111:42:1111:49 | source(...) : String | Log4jJndiInjectionTest.java:1111:33:1111:49 | (...)... : String |
| Log4jJndiInjectionTest.java:1112:13:1112:16 | mmsg [post update] : MapMessage | Log4jJndiInjectionTest.java:1113:26:1113:29 | mmsg |
| Log4jJndiInjectionTest.java:1112:25:1112:27 | map : Map [<map.value>] : String | Log4jJndiInjectionTest.java:1112:13:1112:16 | mmsg [post update] : MapMessage |
| Log4jJndiInjectionTest.java:1112:13:1112:16 | mmsg [post update] : StringMapMessage | Log4jJndiInjectionTest.java:1113:26:1113:29 | mmsg |
| Log4jJndiInjectionTest.java:1112:25:1112:27 | map : HashMap [<map.value>] : String | Log4jJndiInjectionTest.java:1112:13:1112:16 | mmsg [post update] : StringMapMessage |
| Log4jJndiInjectionTest.java:1116:61:1116:68 | source(...) : String | Log4jJndiInjectionTest.java:1116:52:1116:68 | (...)... |
| Log4jJndiInjectionTest.java:1117:81:1117:88 | source(...) : String | Log4jJndiInjectionTest.java:1117:72:1117:88 | (...)... |
| Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : Map [<map.value>] : String | Log4jJndiInjectionTest.java:1120:43:1120:45 | map |
| Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : Map [<map.value>] : String | Log4jJndiInjectionTest.java:1121:63:1121:65 | map |
| Log4jJndiInjectionTest.java:1119:33:1119:49 | (...)... : String | Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : Map [<map.value>] : String |
| Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : HashMap [<map.value>] : String | Log4jJndiInjectionTest.java:1120:43:1120:45 | map |
| Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : HashMap [<map.value>] : String | Log4jJndiInjectionTest.java:1121:63:1121:65 | map |
| Log4jJndiInjectionTest.java:1119:33:1119:49 | (...)... : String | Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : HashMap [<map.value>] : String |
| Log4jJndiInjectionTest.java:1119:42:1119:49 | source(...) : String | Log4jJndiInjectionTest.java:1119:33:1119:49 | (...)... : String |
nodes
| Log4jJndiInjectionTest.java:24:16:24:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
@@ -4168,33 +4168,33 @@ nodes
| Log4jJndiInjectionTest.java:1088:47:1088:54 | source(...) : String | semmle.label | source(...) : String |
| Log4jJndiInjectionTest.java:1089:44:1089:60 | (...)... | semmle.label | (...)... |
| Log4jJndiInjectionTest.java:1089:53:1089:60 | source(...) : String | semmle.label | source(...) : String |
| Log4jJndiInjectionTest.java:1091:13:1091:15 | map [post update] : Map [<map.value>] : String | semmle.label | map [post update] : Map [<map.value>] : String |
| Log4jJndiInjectionTest.java:1091:13:1091:15 | map [post update] : HashMap [<map.value>] : String | semmle.label | map [post update] : HashMap [<map.value>] : String |
| Log4jJndiInjectionTest.java:1091:28:1091:44 | (...)... : String | semmle.label | (...)... : String |
| Log4jJndiInjectionTest.java:1091:37:1091:44 | source(...) : String | semmle.label | source(...) : String |
| Log4jJndiInjectionTest.java:1092:34:1092:36 | map | semmle.label | map |
| Log4jJndiInjectionTest.java:1095:31:1095:88 | with(...) : MapMessage | semmle.label | with(...) : MapMessage |
| Log4jJndiInjectionTest.java:1095:31:1095:88 | with(...) : StringMapMessage | semmle.label | with(...) : StringMapMessage |
| Log4jJndiInjectionTest.java:1095:71:1095:87 | (...)... : String | semmle.label | (...)... : String |
| Log4jJndiInjectionTest.java:1095:80:1095:87 | source(...) : String | semmle.label | source(...) : String |
| Log4jJndiInjectionTest.java:1096:26:1096:29 | mmsg | semmle.label | mmsg |
| Log4jJndiInjectionTest.java:1100:13:1100:16 | mmsg [post update] : MapMessage | semmle.label | mmsg [post update] : MapMessage |
| Log4jJndiInjectionTest.java:1100:13:1100:16 | mmsg [post update] : StringMapMessage | semmle.label | mmsg [post update] : StringMapMessage |
| Log4jJndiInjectionTest.java:1100:35:1100:51 | (...)... : String | semmle.label | (...)... : String |
| Log4jJndiInjectionTest.java:1100:44:1100:51 | source(...) : String | semmle.label | source(...) : String |
| Log4jJndiInjectionTest.java:1101:26:1101:29 | mmsg | semmle.label | mmsg |
| Log4jJndiInjectionTest.java:1105:13:1105:16 | mmsg [post update] : MapMessage | semmle.label | mmsg [post update] : MapMessage |
| Log4jJndiInjectionTest.java:1105:13:1105:16 | mmsg [post update] : StringMapMessage | semmle.label | mmsg [post update] : StringMapMessage |
| Log4jJndiInjectionTest.java:1105:34:1105:50 | (...)... : String | semmle.label | (...)... : String |
| Log4jJndiInjectionTest.java:1105:43:1105:50 | source(...) : String | semmle.label | source(...) : String |
| Log4jJndiInjectionTest.java:1106:26:1106:29 | mmsg | semmle.label | mmsg |
| Log4jJndiInjectionTest.java:1111:13:1111:15 | map [post update] : Map [<map.value>] : String | semmle.label | map [post update] : Map [<map.value>] : String |
| Log4jJndiInjectionTest.java:1111:13:1111:15 | map [post update] : HashMap [<map.value>] : String | semmle.label | map [post update] : HashMap [<map.value>] : String |
| Log4jJndiInjectionTest.java:1111:33:1111:49 | (...)... : String | semmle.label | (...)... : String |
| Log4jJndiInjectionTest.java:1111:42:1111:49 | source(...) : String | semmle.label | source(...) : String |
| Log4jJndiInjectionTest.java:1112:13:1112:16 | mmsg [post update] : MapMessage | semmle.label | mmsg [post update] : MapMessage |
| Log4jJndiInjectionTest.java:1112:25:1112:27 | map : Map [<map.value>] : String | semmle.label | map : Map [<map.value>] : String |
| Log4jJndiInjectionTest.java:1112:13:1112:16 | mmsg [post update] : StringMapMessage | semmle.label | mmsg [post update] : StringMapMessage |
| Log4jJndiInjectionTest.java:1112:25:1112:27 | map : HashMap [<map.value>] : String | semmle.label | map : HashMap [<map.value>] : String |
| Log4jJndiInjectionTest.java:1113:26:1113:29 | mmsg | semmle.label | mmsg |
| Log4jJndiInjectionTest.java:1116:52:1116:68 | (...)... | semmle.label | (...)... |
| Log4jJndiInjectionTest.java:1116:61:1116:68 | source(...) : String | semmle.label | source(...) : String |
| Log4jJndiInjectionTest.java:1117:72:1117:88 | (...)... | semmle.label | (...)... |
| Log4jJndiInjectionTest.java:1117:81:1117:88 | source(...) : String | semmle.label | source(...) : String |
| Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : Map [<map.value>] : String | semmle.label | map [post update] : Map [<map.value>] : String |
| Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : HashMap [<map.value>] : String | semmle.label | map [post update] : HashMap [<map.value>] : String |
| Log4jJndiInjectionTest.java:1119:33:1119:49 | (...)... : String | semmle.label | (...)... : String |
| Log4jJndiInjectionTest.java:1119:42:1119:49 | source(...) : String | semmle.label | source(...) : String |
| Log4jJndiInjectionTest.java:1120:43:1120:45 | map | semmle.label | map |

11
java/ql/test/experimental/query-tests/security/CWE-073/FilePathInjection.expected
View File

@@ -2,7 +2,12 @@ edges
| FilePathInjection.java:21:21:21:34 | getPara(...) : String | FilePathInjection.java:26:47:26:59 | finalFilePath |
| FilePathInjection.java:64:21:64:34 | getPara(...) : String | FilePathInjection.java:72:47:72:59 | finalFilePath |
| FilePathInjection.java:87:21:87:34 | getPara(...) : String | FilePathInjection.java:95:47:95:59 | finalFilePath |
| FilePathInjection.java:177:50:177:58 | file : File | FilePathInjection.java:182:30:182:33 | file |
| FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:209:24:209:31 | filePath |
| FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:209:24:209:31 | filePath : String |
| FilePathInjection.java:209:15:209:32 | new File(...) : File | FilePathInjection.java:217:19:217:22 | file : File |
| FilePathInjection.java:209:24:209:31 | filePath : String | FilePathInjection.java:209:15:209:32 | new File(...) : File |
| FilePathInjection.java:217:19:217:22 | file : File | FilePathInjection.java:177:50:177:58 | file : File |
nodes
| FilePathInjection.java:21:21:21:34 | getPara(...) : String | semmle.label | getPara(...) : String |
| FilePathInjection.java:26:47:26:59 | finalFilePath | semmle.label | finalFilePath |
@@ -10,11 +15,17 @@ nodes
| FilePathInjection.java:72:47:72:59 | finalFilePath | semmle.label | finalFilePath |
| FilePathInjection.java:87:21:87:34 | getPara(...) : String | semmle.label | getPara(...) : String |
| FilePathInjection.java:95:47:95:59 | finalFilePath | semmle.label | finalFilePath |
| FilePathInjection.java:177:50:177:58 | file : File | semmle.label | file : File |
| FilePathInjection.java:182:30:182:33 | file | semmle.label | file |
| FilePathInjection.java:205:17:205:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FilePathInjection.java:209:15:209:32 | new File(...) : File | semmle.label | new File(...) : File |
| FilePathInjection.java:209:24:209:31 | filePath | semmle.label | filePath |
| FilePathInjection.java:209:24:209:31 | filePath : String | semmle.label | filePath : String |
| FilePathInjection.java:217:19:217:22 | file : File | semmle.label | file : File |
subpaths
#select
| FilePathInjection.java:26:47:26:59 | finalFilePath | FilePathInjection.java:21:21:21:34 | getPara(...) : String | FilePathInjection.java:26:47:26:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:21:21:21:34 | getPara(...) | user-provided value |
| FilePathInjection.java:72:47:72:59 | finalFilePath | FilePathInjection.java:64:21:64:34 | getPara(...) : String | FilePathInjection.java:72:47:72:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:64:21:64:34 | getPara(...) | user-provided value |
| FilePathInjection.java:95:47:95:59 | finalFilePath | FilePathInjection.java:87:21:87:34 | getPara(...) : String | FilePathInjection.java:95:47:95:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:87:21:87:34 | getPara(...) | user-provided value |
| FilePathInjection.java:182:30:182:33 | file | FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:182:30:182:33 | file | External control of file name or path due to $@. | FilePathInjection.java:205:17:205:44 | getParameter(...) | user-provided value |
| FilePathInjection.java:209:24:209:31 | filePath | FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:209:24:209:31 | filePath | External control of file name or path due to $@. | FilePathInjection.java:205:17:205:44 | getParameter(...) | user-provided value |

246
java/ql/test/experimental/query-tests/security/CWE-200/InsecureWebResourceResponse.expected
View File

@@ -1,152 +1,152 @@
edges
| InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object |
| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:30:25:30:32 | inputUrl : Object |
| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:32:25:32:32 | inputUrl : Object |
| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:34:25:34:32 | inputUrl : Object |
| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:36:26:36:33 | inputUrl : Object |
| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:38:26:38:33 | inputUrl : Object |
| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:40:25:40:32 | inputUrl : Object |
| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:42:25:42:32 | inputUrl : Object |
| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:44:26:44:33 | inputUrl : Object |
| InsecureWebResourceResponse.java:30:25:30:32 | inputUrl : Object | InsecureWebResourceResponse.java:59:34:59:43 | url : Object |
| InsecureWebResourceResponse.java:32:25:32:32 | inputUrl : Object | InsecureWebResourceResponse.java:80:34:80:43 | url : Object |
| InsecureWebResourceResponse.java:34:25:34:32 | inputUrl : Object | InsecureWebResourceResponse.java:106:34:106:43 | url : Object |
| InsecureWebResourceResponse.java:36:26:36:33 | inputUrl : Object | InsecureWebResourceResponse.java:131:36:131:45 | url : Object |
| InsecureWebResourceResponse.java:38:26:38:33 | inputUrl : Object | InsecureWebResourceResponse.java:156:35:156:44 | url : Object |
| InsecureWebResourceResponse.java:40:25:40:32 | inputUrl : Object | InsecureWebResourceResponse.java:181:34:181:43 | url : Object |
| InsecureWebResourceResponse.java:42:25:42:32 | inputUrl : Object | InsecureWebResourceResponse.java:188:34:188:43 | url : Object |
| InsecureWebResourceResponse.java:44:26:44:33 | inputUrl : Object | InsecureWebResourceResponse.java:217:35:217:44 | url : Object |
| InsecureWebResourceResponse.java:59:34:59:43 | url : Object | InsecureWebResourceResponse.java:75:20:75:22 | url : Object |
| InsecureWebResourceResponse.java:63:77:63:86 | url : Object | InsecureWebResourceResponse.java:65:41:65:43 | url : Object |
| InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String |
| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:30:25:30:32 | inputUrl : String |
| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:32:25:32:32 | inputUrl : String |
| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:34:25:34:32 | inputUrl : String |
| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:36:26:36:33 | inputUrl : String |
| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:38:26:38:33 | inputUrl : String |
| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:40:25:40:32 | inputUrl : String |
| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:42:25:42:32 | inputUrl : String |
| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:44:26:44:33 | inputUrl : String |
| InsecureWebResourceResponse.java:30:25:30:32 | inputUrl : String | InsecureWebResourceResponse.java:59:34:59:43 | url : String |
| InsecureWebResourceResponse.java:32:25:32:32 | inputUrl : String | InsecureWebResourceResponse.java:80:34:80:43 | url : String |
| InsecureWebResourceResponse.java:34:25:34:32 | inputUrl : String | InsecureWebResourceResponse.java:106:34:106:43 | url : String |
| InsecureWebResourceResponse.java:36:26:36:33 | inputUrl : String | InsecureWebResourceResponse.java:131:36:131:45 | url : String |
| InsecureWebResourceResponse.java:38:26:38:33 | inputUrl : String | InsecureWebResourceResponse.java:156:35:156:44 | url : String |
| InsecureWebResourceResponse.java:40:25:40:32 | inputUrl : String | InsecureWebResourceResponse.java:181:34:181:43 | url : String |
| InsecureWebResourceResponse.java:42:25:42:32 | inputUrl : String | InsecureWebResourceResponse.java:188:34:188:43 | url : String |
| InsecureWebResourceResponse.java:44:26:44:33 | inputUrl : String | InsecureWebResourceResponse.java:217:35:217:44 | url : String |
| InsecureWebResourceResponse.java:59:34:59:43 | url : String | InsecureWebResourceResponse.java:75:20:75:22 | url : String |
| InsecureWebResourceResponse.java:63:77:63:86 | url : String | InsecureWebResourceResponse.java:65:41:65:43 | url : String |
| InsecureWebResourceResponse.java:65:31:65:44 | parse(...) : Uri | InsecureWebResourceResponse.java:66:71:66:73 | uri : Uri |
| InsecureWebResourceResponse.java:65:41:65:43 | url : Object | InsecureWebResourceResponse.java:65:31:65:44 | parse(...) : Uri |
| InsecureWebResourceResponse.java:65:41:65:43 | url : String | InsecureWebResourceResponse.java:65:31:65:44 | parse(...) : Uri |
| InsecureWebResourceResponse.java:66:51:66:84 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:68:71:68:81 | inputStream |
| InsecureWebResourceResponse.java:66:71:66:73 | uri : Uri | InsecureWebResourceResponse.java:66:71:66:83 | getPath(...) : String |
| InsecureWebResourceResponse.java:66:71:66:83 | getPath(...) : String | InsecureWebResourceResponse.java:66:51:66:84 | new FileInputStream(...) : FileInputStream |
| InsecureWebResourceResponse.java:75:20:75:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object |
| InsecureWebResourceResponse.java:75:20:75:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object |
| InsecureWebResourceResponse.java:75:20:75:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object |
| InsecureWebResourceResponse.java:75:20:75:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object |
| InsecureWebResourceResponse.java:75:20:75:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object |
| InsecureWebResourceResponse.java:80:34:80:43 | url : Object | InsecureWebResourceResponse.java:101:20:101:22 | url : Object |
| InsecureWebResourceResponse.java:84:77:84:86 | url : Object | InsecureWebResourceResponse.java:86:41:86:43 | url : Object |
| InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String |
| InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String |
| InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String |
| InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest |
| InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String |
| InsecureWebResourceResponse.java:80:34:80:43 | url : String | InsecureWebResourceResponse.java:101:20:101:22 | url : String |
| InsecureWebResourceResponse.java:84:77:84:86 | url : String | InsecureWebResourceResponse.java:86:41:86:43 | url : String |
| InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri | InsecureWebResourceResponse.java:88:66:88:68 | uri : Uri |
| InsecureWebResourceResponse.java:86:41:86:43 | url : Object | InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri |
| InsecureWebResourceResponse.java:86:41:86:43 | url : String | InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri |
| InsecureWebResourceResponse.java:88:42:88:90 | new File(...) : File | InsecureWebResourceResponse.java:89:75:89:83 | cacheFile : File |
| InsecureWebResourceResponse.java:88:66:88:68 | uri : Uri | InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String |
| InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String | InsecureWebResourceResponse.java:88:42:88:90 | new File(...) : File |
| InsecureWebResourceResponse.java:89:55:89:84 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:91:75:91:85 | inputStream |
| InsecureWebResourceResponse.java:89:75:89:83 | cacheFile : File | InsecureWebResourceResponse.java:89:55:89:84 | new FileInputStream(...) : FileInputStream |
| InsecureWebResourceResponse.java:101:20:101:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object |
| InsecureWebResourceResponse.java:101:20:101:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object |
| InsecureWebResourceResponse.java:101:20:101:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object |
| InsecureWebResourceResponse.java:101:20:101:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object |
| InsecureWebResourceResponse.java:101:20:101:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object |
| InsecureWebResourceResponse.java:106:34:106:43 | url : Object | InsecureWebResourceResponse.java:127:20:127:22 | url : Object |
| InsecureWebResourceResponse.java:110:77:110:86 | url : Object | InsecureWebResourceResponse.java:112:41:112:43 | url : Object |
| InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String |
| InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String |
| InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String |
| InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest |
| InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String |
| InsecureWebResourceResponse.java:106:34:106:43 | url : String | InsecureWebResourceResponse.java:127:20:127:22 | url : String |
| InsecureWebResourceResponse.java:110:77:110:86 | url : String | InsecureWebResourceResponse.java:112:41:112:43 | url : String |
| InsecureWebResourceResponse.java:112:31:112:44 | parse(...) : Uri | InsecureWebResourceResponse.java:113:35:113:37 | uri : Uri |
| InsecureWebResourceResponse.java:112:41:112:43 | url : Object | InsecureWebResourceResponse.java:112:31:112:44 | parse(...) : Uri |
| InsecureWebResourceResponse.java:112:41:112:43 | url : String | InsecureWebResourceResponse.java:112:31:112:44 | parse(...) : Uri |
| InsecureWebResourceResponse.java:113:35:113:37 | uri : Uri | InsecureWebResourceResponse.java:113:35:113:47 | getPath(...) : String |
| InsecureWebResourceResponse.java:113:35:113:47 | getPath(...) : String | InsecureWebResourceResponse.java:113:35:113:60 | substring(...) : String |
| InsecureWebResourceResponse.java:113:35:113:60 | substring(...) : String | InsecureWebResourceResponse.java:115:75:115:78 | path : String |
| InsecureWebResourceResponse.java:115:55:115:108 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:117:75:117:85 | inputStream |
| InsecureWebResourceResponse.java:115:75:115:78 | path : String | InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String |
| InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String | InsecureWebResourceResponse.java:115:55:115:108 | new FileInputStream(...) : FileInputStream |
| InsecureWebResourceResponse.java:127:20:127:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object |
| InsecureWebResourceResponse.java:127:20:127:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object |
| InsecureWebResourceResponse.java:127:20:127:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object |
| InsecureWebResourceResponse.java:127:20:127:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object |
| InsecureWebResourceResponse.java:127:20:127:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object |
| InsecureWebResourceResponse.java:131:36:131:45 | url : Object | InsecureWebResourceResponse.java:152:20:152:22 | url : Object |
| InsecureWebResourceResponse.java:152:20:152:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object |
| InsecureWebResourceResponse.java:152:20:152:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object |
| InsecureWebResourceResponse.java:152:20:152:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object |
| InsecureWebResourceResponse.java:152:20:152:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object |
| InsecureWebResourceResponse.java:152:20:152:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object |
| InsecureWebResourceResponse.java:156:35:156:44 | url : Object | InsecureWebResourceResponse.java:177:20:177:22 | url : Object |
| InsecureWebResourceResponse.java:177:20:177:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object |
| InsecureWebResourceResponse.java:177:20:177:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object |
| InsecureWebResourceResponse.java:177:20:177:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object |
| InsecureWebResourceResponse.java:177:20:177:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object |
| InsecureWebResourceResponse.java:177:20:177:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object |
| InsecureWebResourceResponse.java:181:34:181:43 | url : Object | InsecureWebResourceResponse.java:184:20:184:22 | url : Object |
| InsecureWebResourceResponse.java:184:20:184:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object |
| InsecureWebResourceResponse.java:184:20:184:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object |
| InsecureWebResourceResponse.java:184:20:184:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object |
| InsecureWebResourceResponse.java:184:20:184:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object |
| InsecureWebResourceResponse.java:184:20:184:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object |
| InsecureWebResourceResponse.java:188:34:188:43 | url : Object | InsecureWebResourceResponse.java:209:20:209:22 | url : Object |
| InsecureWebResourceResponse.java:192:77:192:102 | request : Object | InsecureWebResourceResponse.java:194:31:194:37 | request : Object |
| InsecureWebResourceResponse.java:194:31:194:37 | request : Object | InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri |
| InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String |
| InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String |
| InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String |
| InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest |
| InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String |
| InsecureWebResourceResponse.java:131:36:131:45 | url : String | InsecureWebResourceResponse.java:152:20:152:22 | url : String |
| InsecureWebResourceResponse.java:152:20:152:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String |
| InsecureWebResourceResponse.java:152:20:152:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String |
| InsecureWebResourceResponse.java:152:20:152:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String |
| InsecureWebResourceResponse.java:152:20:152:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest |
| InsecureWebResourceResponse.java:152:20:152:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String |
| InsecureWebResourceResponse.java:156:35:156:44 | url : String | InsecureWebResourceResponse.java:177:20:177:22 | url : String |
| InsecureWebResourceResponse.java:177:20:177:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String |
| InsecureWebResourceResponse.java:177:20:177:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String |
| InsecureWebResourceResponse.java:177:20:177:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String |
| InsecureWebResourceResponse.java:177:20:177:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest |
| InsecureWebResourceResponse.java:177:20:177:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String |
| InsecureWebResourceResponse.java:181:34:181:43 | url : String | InsecureWebResourceResponse.java:184:20:184:22 | url : String |
| InsecureWebResourceResponse.java:184:20:184:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String |
| InsecureWebResourceResponse.java:184:20:184:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String |
| InsecureWebResourceResponse.java:184:20:184:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String |
| InsecureWebResourceResponse.java:184:20:184:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest |
| InsecureWebResourceResponse.java:184:20:184:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String |
| InsecureWebResourceResponse.java:188:34:188:43 | url : String | InsecureWebResourceResponse.java:209:20:209:22 | url : String |
| InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest | InsecureWebResourceResponse.java:194:31:194:37 | request : WebResourceRequest |
| InsecureWebResourceResponse.java:194:31:194:37 | request : WebResourceRequest | InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri |
| InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri | InsecureWebResourceResponse.java:196:66:196:68 | uri : Uri |
| InsecureWebResourceResponse.java:196:42:196:90 | new File(...) : File | InsecureWebResourceResponse.java:197:75:197:83 | cacheFile : File |
| InsecureWebResourceResponse.java:196:66:196:68 | uri : Uri | InsecureWebResourceResponse.java:196:66:196:89 | getLastPathSegment(...) : String |
| InsecureWebResourceResponse.java:196:66:196:89 | getLastPathSegment(...) : String | InsecureWebResourceResponse.java:196:42:196:90 | new File(...) : File |
| InsecureWebResourceResponse.java:197:55:197:84 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:199:75:199:85 | inputStream |
| InsecureWebResourceResponse.java:197:75:197:83 | cacheFile : File | InsecureWebResourceResponse.java:197:55:197:84 | new FileInputStream(...) : FileInputStream |
| InsecureWebResourceResponse.java:209:20:209:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object |
| InsecureWebResourceResponse.java:209:20:209:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object |
| InsecureWebResourceResponse.java:209:20:209:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object |
| InsecureWebResourceResponse.java:209:20:209:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object |
| InsecureWebResourceResponse.java:209:20:209:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object |
| InsecureWebResourceResponse.java:217:35:217:44 | url : Object | InsecureWebResourceResponse.java:226:20:226:22 | url : Object |
| InsecureWebResourceResponse.java:226:20:226:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object |
| InsecureWebResourceResponse.java:226:20:226:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object |
| InsecureWebResourceResponse.java:226:20:226:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object |
| InsecureWebResourceResponse.java:226:20:226:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object |
| InsecureWebResourceResponse.java:226:20:226:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object |
| InsecureWebResourceResponse.java:232:69:232:78 | url : Object | InsecureWebResourceResponse.java:234:33:234:35 | url : Object |
| InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String |
| InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String |
| InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String |
| InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest |
| InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String |
| InsecureWebResourceResponse.java:217:35:217:44 | url : String | InsecureWebResourceResponse.java:226:20:226:22 | url : String |
| InsecureWebResourceResponse.java:226:20:226:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String |
| InsecureWebResourceResponse.java:226:20:226:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String |
| InsecureWebResourceResponse.java:226:20:226:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String |
| InsecureWebResourceResponse.java:226:20:226:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest |
| InsecureWebResourceResponse.java:226:20:226:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String |
| InsecureWebResourceResponse.java:232:69:232:78 | url : String | InsecureWebResourceResponse.java:234:33:234:35 | url : String |
| InsecureWebResourceResponse.java:234:23:234:36 | parse(...) : Uri | InsecureWebResourceResponse.java:235:63:235:65 | uri : Uri |
| InsecureWebResourceResponse.java:234:33:234:35 | url : Object | InsecureWebResourceResponse.java:234:23:234:36 | parse(...) : Uri |
| InsecureWebResourceResponse.java:234:33:234:35 | url : String | InsecureWebResourceResponse.java:234:23:234:36 | parse(...) : Uri |
| InsecureWebResourceResponse.java:235:43:235:76 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:237:63:237:73 | inputStream |
| InsecureWebResourceResponse.java:235:63:235:65 | uri : Uri | InsecureWebResourceResponse.java:235:63:235:75 | getPath(...) : String |
| InsecureWebResourceResponse.java:235:63:235:75 | getPath(...) : String | InsecureWebResourceResponse.java:235:43:235:76 | new FileInputStream(...) : FileInputStream |
| InsecureWebViewActivity.java:27:27:27:37 | getIntent(...) : Intent | InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : Object |
| InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : Object | InsecureWebViewActivity.java:28:20:28:27 | inputUrl : Object |
| InsecureWebViewActivity.java:28:20:28:27 | inputUrl : Object | InsecureWebViewActivity.java:42:28:42:37 | url : Object |
| InsecureWebViewActivity.java:42:28:42:37 | url : Object | InsecureWebViewActivity.java:43:25:43:27 | url : Object |
| InsecureWebViewActivity.java:43:25:43:27 | url : Object | InsecureWebViewActivity.java:53:77:53:86 | url : Object |
| InsecureWebViewActivity.java:53:77:53:86 | url : Object | InsecureWebViewActivity.java:55:41:55:43 | url : Object |
| InsecureWebViewActivity.java:27:27:27:37 | getIntent(...) : Intent | InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : String |
| InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : String | InsecureWebViewActivity.java:28:20:28:27 | inputUrl : String |
| InsecureWebViewActivity.java:28:20:28:27 | inputUrl : String | InsecureWebViewActivity.java:42:28:42:37 | url : String |
| InsecureWebViewActivity.java:42:28:42:37 | url : String | InsecureWebViewActivity.java:43:25:43:27 | url : String |
| InsecureWebViewActivity.java:43:25:43:27 | url : String | InsecureWebViewActivity.java:53:77:53:86 | url : String |
| InsecureWebViewActivity.java:53:77:53:86 | url : String | InsecureWebViewActivity.java:55:41:55:43 | url : String |
| InsecureWebViewActivity.java:55:31:55:44 | parse(...) : Uri | InsecureWebViewActivity.java:56:71:56:73 | uri : Uri |
| InsecureWebViewActivity.java:55:41:55:43 | url : Object | InsecureWebViewActivity.java:55:31:55:44 | parse(...) : Uri |
| InsecureWebViewActivity.java:55:41:55:43 | url : String | InsecureWebViewActivity.java:55:31:55:44 | parse(...) : Uri |
| InsecureWebViewActivity.java:56:51:56:84 | new FileInputStream(...) : FileInputStream | InsecureWebViewActivity.java:58:71:58:81 | inputStream |
| InsecureWebViewActivity.java:56:71:56:73 | uri : Uri | InsecureWebViewActivity.java:56:71:56:83 | getPath(...) : String |
| InsecureWebViewActivity.java:56:71:56:83 | getPath(...) : String | InsecureWebViewActivity.java:56:51:56:84 | new FileInputStream(...) : FileInputStream |
nodes
| InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object |
| InsecureWebResourceResponse.java:30:25:30:32 | inputUrl : Object | semmle.label | inputUrl : Object |
| InsecureWebResourceResponse.java:32:25:32:32 | inputUrl : Object | semmle.label | inputUrl : Object |
| InsecureWebResourceResponse.java:34:25:34:32 | inputUrl : Object | semmle.label | inputUrl : Object |
| InsecureWebResourceResponse.java:36:26:36:33 | inputUrl : Object | semmle.label | inputUrl : Object |
| InsecureWebResourceResponse.java:38:26:38:33 | inputUrl : Object | semmle.label | inputUrl : Object |
| InsecureWebResourceResponse.java:40:25:40:32 | inputUrl : Object | semmle.label | inputUrl : Object |
| InsecureWebResourceResponse.java:42:25:42:32 | inputUrl : Object | semmle.label | inputUrl : Object |
| InsecureWebResourceResponse.java:44:26:44:33 | inputUrl : Object | semmle.label | inputUrl : Object |
| InsecureWebResourceResponse.java:59:34:59:43 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:63:77:63:86 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String |
| InsecureWebResourceResponse.java:30:25:30:32 | inputUrl : String | semmle.label | inputUrl : String |
| InsecureWebResourceResponse.java:32:25:32:32 | inputUrl : String | semmle.label | inputUrl : String |
| InsecureWebResourceResponse.java:34:25:34:32 | inputUrl : String | semmle.label | inputUrl : String |
| InsecureWebResourceResponse.java:36:26:36:33 | inputUrl : String | semmle.label | inputUrl : String |
| InsecureWebResourceResponse.java:38:26:38:33 | inputUrl : String | semmle.label | inputUrl : String |
| InsecureWebResourceResponse.java:40:25:40:32 | inputUrl : String | semmle.label | inputUrl : String |
| InsecureWebResourceResponse.java:42:25:42:32 | inputUrl : String | semmle.label | inputUrl : String |
| InsecureWebResourceResponse.java:44:26:44:33 | inputUrl : String | semmle.label | inputUrl : String |
| InsecureWebResourceResponse.java:59:34:59:43 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:63:77:63:86 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:65:31:65:44 | parse(...) : Uri | semmle.label | parse(...) : Uri |
| InsecureWebResourceResponse.java:65:41:65:43 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:65:41:65:43 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:66:51:66:84 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream |
| InsecureWebResourceResponse.java:66:71:66:73 | uri : Uri | semmle.label | uri : Uri |
| InsecureWebResourceResponse.java:66:71:66:83 | getPath(...) : String | semmle.label | getPath(...) : String |
| InsecureWebResourceResponse.java:68:71:68:81 | inputStream | semmle.label | inputStream |
| InsecureWebResourceResponse.java:75:20:75:22 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:80:34:80:43 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:84:77:84:86 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:75:20:75:22 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:80:34:80:43 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:84:77:84:86 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri | semmle.label | parse(...) : Uri |
| InsecureWebResourceResponse.java:86:41:86:43 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:86:41:86:43 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:88:42:88:90 | new File(...) : File | semmle.label | new File(...) : File |
| InsecureWebResourceResponse.java:88:66:88:68 | uri : Uri | semmle.label | uri : Uri |
| InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String | semmle.label | getLastPathSegment(...) : String |
| InsecureWebResourceResponse.java:89:55:89:84 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream |
| InsecureWebResourceResponse.java:89:75:89:83 | cacheFile : File | semmle.label | cacheFile : File |
| InsecureWebResourceResponse.java:91:75:91:85 | inputStream | semmle.label | inputStream |
| InsecureWebResourceResponse.java:101:20:101:22 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:106:34:106:43 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:110:77:110:86 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:101:20:101:22 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:106:34:106:43 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:110:77:110:86 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:112:31:112:44 | parse(...) : Uri | semmle.label | parse(...) : Uri |
| InsecureWebResourceResponse.java:112:41:112:43 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:112:41:112:43 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:113:35:113:37 | uri : Uri | semmle.label | uri : Uri |
| InsecureWebResourceResponse.java:113:35:113:47 | getPath(...) : String | semmle.label | getPath(...) : String |
| InsecureWebResourceResponse.java:113:35:113:60 | substring(...) : String | semmle.label | substring(...) : String |
@@ -154,16 +154,16 @@ nodes
| InsecureWebResourceResponse.java:115:75:115:78 | path : String | semmle.label | path : String |
| InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String | semmle.label | substring(...) : String |
| InsecureWebResourceResponse.java:117:75:117:85 | inputStream | semmle.label | inputStream |
| InsecureWebResourceResponse.java:127:20:127:22 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:131:36:131:45 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:152:20:152:22 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:156:35:156:44 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:177:20:177:22 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:181:34:181:43 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:184:20:184:22 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:188:34:188:43 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:192:77:192:102 | request : Object | semmle.label | request : Object |
| InsecureWebResourceResponse.java:194:31:194:37 | request : Object | semmle.label | request : Object |
| InsecureWebResourceResponse.java:127:20:127:22 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:131:36:131:45 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:152:20:152:22 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:156:35:156:44 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:177:20:177:22 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:181:34:181:43 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:184:20:184:22 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:188:34:188:43 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest | semmle.label | request : WebResourceRequest |
| InsecureWebResourceResponse.java:194:31:194:37 | request : WebResourceRequest | semmle.label | request : WebResourceRequest |
| InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri | semmle.label | getUrl(...) : Uri |
| InsecureWebResourceResponse.java:196:42:196:90 | new File(...) : File | semmle.label | new File(...) : File |
| InsecureWebResourceResponse.java:196:66:196:68 | uri : Uri | semmle.label | uri : Uri |
@@ -171,24 +171,24 @@ nodes
| InsecureWebResourceResponse.java:197:55:197:84 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream |
| InsecureWebResourceResponse.java:197:75:197:83 | cacheFile : File | semmle.label | cacheFile : File |
| InsecureWebResourceResponse.java:199:75:199:85 | inputStream | semmle.label | inputStream |
| InsecureWebResourceResponse.java:209:20:209:22 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:217:35:217:44 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:226:20:226:22 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:232:69:232:78 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:209:20:209:22 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:217:35:217:44 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:226:20:226:22 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:232:69:232:78 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:234:23:234:36 | parse(...) : Uri | semmle.label | parse(...) : Uri |
| InsecureWebResourceResponse.java:234:33:234:35 | url : Object | semmle.label | url : Object |
| InsecureWebResourceResponse.java:234:33:234:35 | url : String | semmle.label | url : String |
| InsecureWebResourceResponse.java:235:43:235:76 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream |
| InsecureWebResourceResponse.java:235:63:235:65 | uri : Uri | semmle.label | uri : Uri |
| InsecureWebResourceResponse.java:235:63:235:75 | getPath(...) : String | semmle.label | getPath(...) : String |
| InsecureWebResourceResponse.java:237:63:237:73 | inputStream | semmle.label | inputStream |
| InsecureWebViewActivity.java:27:27:27:37 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
| InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object |
| InsecureWebViewActivity.java:28:20:28:27 | inputUrl : Object | semmle.label | inputUrl : Object |
| InsecureWebViewActivity.java:42:28:42:37 | url : Object | semmle.label | url : Object |
| InsecureWebViewActivity.java:43:25:43:27 | url : Object | semmle.label | url : Object |
| InsecureWebViewActivity.java:53:77:53:86 | url : Object | semmle.label | url : Object |
| InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String |
| InsecureWebViewActivity.java:28:20:28:27 | inputUrl : String | semmle.label | inputUrl : String |
| InsecureWebViewActivity.java:42:28:42:37 | url : String | semmle.label | url : String |
| InsecureWebViewActivity.java:43:25:43:27 | url : String | semmle.label | url : String |
| InsecureWebViewActivity.java:53:77:53:86 | url : String | semmle.label | url : String |
| InsecureWebViewActivity.java:55:31:55:44 | parse(...) : Uri | semmle.label | parse(...) : Uri |
| InsecureWebViewActivity.java:55:41:55:43 | url : Object | semmle.label | url : Object |
| InsecureWebViewActivity.java:55:41:55:43 | url : String | semmle.label | url : String |
| InsecureWebViewActivity.java:56:51:56:84 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream |
| InsecureWebViewActivity.java:56:71:56:73 | uri : Uri | semmle.label | uri : Uri |
| InsecureWebViewActivity.java:56:71:56:83 | getPath(...) : String | semmle.label | getPath(...) : String |

48
java/ql/test/experimental/query-tests/security/CWE-200/SensitiveAndroidFileLeak.expected
View File

@@ -1,47 +1,47 @@
edges
| FileService.java:20:31:20:43 | intent : Intent | FileService.java:21:28:21:33 | intent : Intent |
| FileService.java:21:28:21:33 | intent : Intent | FileService.java:21:28:21:64 | getStringExtra(...) : Object |
| FileService.java:21:28:21:64 | getStringExtra(...) : Object | FileService.java:25:42:25:50 | localPath : Object |
| FileService.java:21:28:21:33 | intent : Intent | FileService.java:21:28:21:64 | getStringExtra(...) : String |
| FileService.java:21:28:21:64 | getStringExtra(...) : String | FileService.java:25:42:25:50 | localPath : String |
| FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] | FileService.java:40:41:40:55 | params : Object[] |
| FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : Object | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] |
| FileService.java:25:42:25:50 | localPath : Object | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : Object |
| FileService.java:25:42:25:50 | localPath : Object | FileService.java:32:13:32:28 | sourceUri : Object |
| FileService.java:32:13:32:28 | sourceUri : Object | FileService.java:35:17:35:25 | sourceUri : Object |
| FileService.java:34:20:36:13 | {...} : Object[] [[]] : Object | FileService.java:34:20:36:13 | new Object[] : Object[] [[]] : Object |
| FileService.java:35:17:35:25 | sourceUri : Object | FileService.java:34:20:36:13 | {...} : Object[] [[]] : Object |
| FileService.java:40:41:40:55 | params : Object[] | FileService.java:44:33:44:52 | (...)... : Object |
| FileService.java:44:33:44:52 | (...)... : Object | FileService.java:45:53:45:59 | ...[...] |
| FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : String | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] |
| FileService.java:25:42:25:50 | localPath : String | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : String |
| FileService.java:25:42:25:50 | localPath : String | FileService.java:32:13:32:28 | sourceUri : String |
| FileService.java:32:13:32:28 | sourceUri : String | FileService.java:35:17:35:25 | sourceUri : String |
| FileService.java:34:20:36:13 | {...} : Object[] [[]] : String | FileService.java:34:20:36:13 | new Object[] : Object[] [[]] : String |
| FileService.java:35:17:35:25 | sourceUri : String | FileService.java:34:20:36:13 | {...} : Object[] [[]] : String |
| FileService.java:40:41:40:55 | params : Object[] | FileService.java:44:33:44:52 | (...)... : String[] |
| FileService.java:44:33:44:52 | (...)... : String[] | FileService.java:45:53:45:59 | ...[...] |
| LeakFileActivity2.java:15:13:15:18 | intent : Intent | LeakFileActivity2.java:16:26:16:31 | intent : Intent |
| LeakFileActivity2.java:16:26:16:31 | intent : Intent | FileService.java:20:31:20:43 | intent : Intent |
| LeakFileActivity.java:14:35:14:38 | data : Intent | LeakFileActivity.java:18:40:18:59 | contentIntent : Intent |
| LeakFileActivity.java:18:40:18:59 | contentIntent : Intent | LeakFileActivity.java:19:31:19:43 | contentIntent : Intent |
| LeakFileActivity.java:19:31:19:43 | contentIntent : Intent | LeakFileActivity.java:19:31:19:53 | getData(...) : Object |
| LeakFileActivity.java:19:31:19:53 | getData(...) : Object | LeakFileActivity.java:21:58:21:72 | streamsToUpload : Object |
| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Object | LeakFileActivity.java:21:58:21:82 | getPath(...) |
| LeakFileActivity.java:19:31:19:43 | contentIntent : Intent | LeakFileActivity.java:19:31:19:53 | getData(...) : Uri |
| LeakFileActivity.java:19:31:19:53 | getData(...) : Uri | LeakFileActivity.java:21:58:21:72 | streamsToUpload : Uri |
| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Uri | LeakFileActivity.java:21:58:21:82 | getPath(...) |
nodes
| FileService.java:20:31:20:43 | intent : Intent | semmle.label | intent : Intent |
| FileService.java:21:28:21:33 | intent : Intent | semmle.label | intent : Intent |
| FileService.java:21:28:21:64 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object |
| FileService.java:21:28:21:64 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String |
| FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] | semmle.label | makeParamsToExecute(...) : Object[] |
| FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : Object | semmle.label | makeParamsToExecute(...) : Object[] [[]] : Object |
| FileService.java:25:42:25:50 | localPath : Object | semmle.label | localPath : Object |
| FileService.java:32:13:32:28 | sourceUri : Object | semmle.label | sourceUri : Object |
| FileService.java:34:20:36:13 | new Object[] : Object[] [[]] : Object | semmle.label | new Object[] : Object[] [[]] : Object |
| FileService.java:34:20:36:13 | {...} : Object[] [[]] : Object | semmle.label | {...} : Object[] [[]] : Object |
| FileService.java:35:17:35:25 | sourceUri : Object | semmle.label | sourceUri : Object |
| FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : String | semmle.label | makeParamsToExecute(...) : Object[] [[]] : String |
| FileService.java:25:42:25:50 | localPath : String | semmle.label | localPath : String |
| FileService.java:32:13:32:28 | sourceUri : String | semmle.label | sourceUri : String |
| FileService.java:34:20:36:13 | new Object[] : Object[] [[]] : String | semmle.label | new Object[] : Object[] [[]] : String |
| FileService.java:34:20:36:13 | {...} : Object[] [[]] : String | semmle.label | {...} : Object[] [[]] : String |
| FileService.java:35:17:35:25 | sourceUri : String | semmle.label | sourceUri : String |
| FileService.java:40:41:40:55 | params : Object[] | semmle.label | params : Object[] |
| FileService.java:44:33:44:52 | (...)... : Object | semmle.label | (...)... : Object |
| FileService.java:44:33:44:52 | (...)... : String[] | semmle.label | (...)... : String[] |
| FileService.java:45:53:45:59 | ...[...] | semmle.label | ...[...] |
| LeakFileActivity2.java:15:13:15:18 | intent : Intent | semmle.label | intent : Intent |
| LeakFileActivity2.java:16:26:16:31 | intent : Intent | semmle.label | intent : Intent |
| LeakFileActivity.java:14:35:14:38 | data : Intent | semmle.label | data : Intent |
| LeakFileActivity.java:18:40:18:59 | contentIntent : Intent | semmle.label | contentIntent : Intent |
| LeakFileActivity.java:19:31:19:43 | contentIntent : Intent | semmle.label | contentIntent : Intent |
| LeakFileActivity.java:19:31:19:53 | getData(...) : Object | semmle.label | getData(...) : Object |
| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Object | semmle.label | streamsToUpload : Object |
| LeakFileActivity.java:19:31:19:53 | getData(...) : Uri | semmle.label | getData(...) : Uri |
| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Uri | semmle.label | streamsToUpload : Uri |
| LeakFileActivity.java:21:58:21:82 | getPath(...) | semmle.label | getPath(...) |
subpaths
| FileService.java:25:42:25:50 | localPath : Object | FileService.java:32:13:32:28 | sourceUri : Object | FileService.java:34:20:36:13 | new Object[] : Object[] [[]] : Object | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : Object |
| FileService.java:25:42:25:50 | localPath : String | FileService.java:32:13:32:28 | sourceUri : String | FileService.java:34:20:36:13 | new Object[] : Object[] [[]] : String | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : String |
#select
| FileService.java:45:53:45:59 | ...[...] | LeakFileActivity2.java:15:13:15:18 | intent : Intent | FileService.java:45:53:45:59 | ...[...] | Leaking arbitrary Android file from $@. | LeakFileActivity2.java:15:13:15:18 | intent | this user input |
| FileService.java:45:53:45:59 | ...[...] | LeakFileActivity2.java:16:26:16:31 | intent : Intent | FileService.java:45:53:45:59 | ...[...] | Leaking arbitrary Android file from $@. | LeakFileActivity2.java:16:26:16:31 | intent | this user input |

14
java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.expected
View File

@@ -6,17 +6,17 @@ edges
| UnsafeReflection.java:34:33:34:70 | getParameter(...) : String | UnsafeReflection.java:39:58:39:71 | parameterValue |
| UnsafeReflection.java:46:24:46:82 | beanIdOrClassName : String | UnsafeReflection.java:53:30:53:46 | beanIdOrClassName : String |
| UnsafeReflection.java:46:132:46:168 | body : Map | UnsafeReflection.java:49:37:49:40 | body : Map |
| UnsafeReflection.java:49:23:49:59 | (...)... : Object | UnsafeReflection.java:53:67:53:73 | rawData : Object |
| UnsafeReflection.java:49:23:49:59 | (...)... : List | UnsafeReflection.java:53:67:53:73 | rawData : List |
| UnsafeReflection.java:49:37:49:40 | body : Map | UnsafeReflection.java:49:37:49:59 | get(...) : Object |
| UnsafeReflection.java:49:37:49:59 | get(...) : Object | UnsafeReflection.java:49:23:49:59 | (...)... : Object |
| UnsafeReflection.java:49:37:49:59 | get(...) : Object | UnsafeReflection.java:49:23:49:59 | (...)... : List |
| UnsafeReflection.java:53:30:53:46 | beanIdOrClassName : String | UnsafeReflection.java:104:34:104:57 | beanIdOrClassName : String |
| UnsafeReflection.java:53:67:53:73 | rawData : Object | UnsafeReflection.java:104:102:104:118 | data : Object |
| UnsafeReflection.java:53:67:53:73 | rawData : List | UnsafeReflection.java:104:102:104:118 | data : List |
| UnsafeReflection.java:62:33:62:70 | getParameter(...) : String | UnsafeReflection.java:68:76:68:89 | parameterValue |
| UnsafeReflection.java:77:33:77:70 | getParameter(...) : String | UnsafeReflection.java:83:76:83:89 | parameterValue |
| UnsafeReflection.java:92:33:92:70 | getParameter(...) : String | UnsafeReflection.java:98:76:98:89 | parameterValue |
| UnsafeReflection.java:104:34:104:57 | beanIdOrClassName : String | UnsafeReflection.java:119:21:119:26 | method |
| UnsafeReflection.java:104:34:104:57 | beanIdOrClassName : String | UnsafeReflection.java:119:35:119:38 | bean |
| UnsafeReflection.java:104:102:104:118 | data : Object | UnsafeReflection.java:119:41:119:44 | data |
| UnsafeReflection.java:104:102:104:118 | data : List | UnsafeReflection.java:119:41:119:44 | data |
nodes
| UnsafeReflection.java:21:28:21:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| UnsafeReflection.java:22:33:22:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
@@ -29,11 +29,11 @@ nodes
| UnsafeReflection.java:39:58:39:71 | parameterValue | semmle.label | parameterValue |
| UnsafeReflection.java:46:24:46:82 | beanIdOrClassName : String | semmle.label | beanIdOrClassName : String |
| UnsafeReflection.java:46:132:46:168 | body : Map | semmle.label | body : Map |
| UnsafeReflection.java:49:23:49:59 | (...)... : Object | semmle.label | (...)... : Object |
| UnsafeReflection.java:49:23:49:59 | (...)... : List | semmle.label | (...)... : List |
| UnsafeReflection.java:49:37:49:40 | body : Map | semmle.label | body : Map |
| UnsafeReflection.java:49:37:49:59 | get(...) : Object | semmle.label | get(...) : Object |
| UnsafeReflection.java:53:30:53:46 | beanIdOrClassName : String | semmle.label | beanIdOrClassName : String |
| UnsafeReflection.java:53:67:53:73 | rawData : Object | semmle.label | rawData : Object |
| UnsafeReflection.java:53:67:53:73 | rawData : List | semmle.label | rawData : List |
| UnsafeReflection.java:62:33:62:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| UnsafeReflection.java:68:76:68:89 | parameterValue | semmle.label | parameterValue |
| UnsafeReflection.java:77:33:77:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
@@ -41,7 +41,7 @@ nodes
| UnsafeReflection.java:92:33:92:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| UnsafeReflection.java:98:76:98:89 | parameterValue | semmle.label | parameterValue |
| UnsafeReflection.java:104:34:104:57 | beanIdOrClassName : String | semmle.label | beanIdOrClassName : String |
| UnsafeReflection.java:104:102:104:118 | data : Object | semmle.label | data : Object |
| UnsafeReflection.java:104:102:104:118 | data : List | semmle.label | data : List |
| UnsafeReflection.java:119:21:119:26 | method | semmle.label | method |
| UnsafeReflection.java:119:35:119:38 | bean | semmle.label | bean |
| UnsafeReflection.java:119:41:119:44 | data | semmle.label | data |

16
java/ql/test/experimental/query-tests/security/CWE-552/UnsafeUrlForward.expected
View File

@@ -3,13 +3,14 @@ edges
| UnsafeLoadSpringResource.java:31:27:31:57 | new ClassPathResource(...) : ClassPathResource | UnsafeLoadSpringResource.java:35:31:35:33 | clr |
| UnsafeLoadSpringResource.java:31:49:31:56 | fileName : String | UnsafeLoadSpringResource.java:31:27:31:57 | new ClassPathResource(...) : ClassPathResource |
| UnsafeLoadSpringResource.java:68:32:68:77 | fileName : String | UnsafeLoadSpringResource.java:76:38:76:45 | fileName |
| UnsafeLoadSpringResource.java:108:32:108:77 | fileName : String | UnsafeLoadSpringResource.java:116:51:116:58 | fileName |
| UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | UnsafeRequestPath.java:23:33:23:36 | path |
| UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:17:20:17:25 | params : Map |
| UnsafeResourceGet2.java:17:20:17:25 | params : Map | UnsafeResourceGet2.java:17:20:17:40 | get(...) : Object |
| UnsafeResourceGet2.java:17:20:17:40 | get(...) : Object | UnsafeResourceGet2.java:19:93:19:99 | loadUrl |
| UnsafeResourceGet2.java:17:20:17:25 | params : Map | UnsafeResourceGet2.java:17:20:17:40 | get(...) : String |
| UnsafeResourceGet2.java:17:20:17:40 | get(...) : String | UnsafeResourceGet2.java:19:93:19:99 | loadUrl |
| UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:33:20:33:25 | params : Map |
| UnsafeResourceGet2.java:33:20:33:25 | params : Map | UnsafeResourceGet2.java:33:20:33:40 | get(...) : Object |
| UnsafeResourceGet2.java:33:20:33:40 | get(...) : Object | UnsafeResourceGet2.java:37:20:37:22 | url |
| UnsafeResourceGet2.java:33:20:33:25 | params : Map | UnsafeResourceGet2.java:33:20:33:40 | get(...) : String |
| UnsafeResourceGet2.java:33:20:33:40 | get(...) : String | UnsafeResourceGet2.java:37:20:37:22 | url |
| UnsafeResourceGet.java:32:23:32:56 | getParameter(...) : String | UnsafeResourceGet.java:41:20:41:22 | url |
| UnsafeResourceGet.java:111:24:111:58 | getParameter(...) : String | UnsafeResourceGet.java:115:68:115:78 | requestPath |
| UnsafeResourceGet.java:143:23:143:56 | getParameter(...) : String | UnsafeResourceGet.java:150:20:150:22 | url |
@@ -35,15 +36,17 @@ nodes
| UnsafeLoadSpringResource.java:35:31:35:33 | clr | semmle.label | clr |
| UnsafeLoadSpringResource.java:68:32:68:77 | fileName : String | semmle.label | fileName : String |
| UnsafeLoadSpringResource.java:76:38:76:45 | fileName | semmle.label | fileName |
| UnsafeLoadSpringResource.java:108:32:108:77 | fileName : String | semmle.label | fileName : String |
| UnsafeLoadSpringResource.java:116:51:116:58 | fileName | semmle.label | fileName |
| UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | semmle.label | getServletPath(...) : String |
| UnsafeRequestPath.java:23:33:23:36 | path | semmle.label | path |
| UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) : Map | semmle.label | getRequestParameterMap(...) : Map |
| UnsafeResourceGet2.java:17:20:17:25 | params : Map | semmle.label | params : Map |
| UnsafeResourceGet2.java:17:20:17:40 | get(...) : Object | semmle.label | get(...) : Object |
| UnsafeResourceGet2.java:17:20:17:40 | get(...) : String | semmle.label | get(...) : String |
| UnsafeResourceGet2.java:19:93:19:99 | loadUrl | semmle.label | loadUrl |
| UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) : Map | semmle.label | getRequestParameterMap(...) : Map |
| UnsafeResourceGet2.java:33:20:33:25 | params : Map | semmle.label | params : Map |
| UnsafeResourceGet2.java:33:20:33:40 | get(...) : Object | semmle.label | get(...) : Object |
| UnsafeResourceGet2.java:33:20:33:40 | get(...) : String | semmle.label | get(...) : String |
| UnsafeResourceGet2.java:37:20:37:22 | url | semmle.label | url |
| UnsafeResourceGet.java:32:23:32:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| UnsafeResourceGet.java:41:20:41:22 | url | semmle.label | url |
@@ -83,6 +86,7 @@ subpaths
#select
| UnsafeLoadSpringResource.java:35:31:35:33 | clr | UnsafeLoadSpringResource.java:27:32:27:77 | fileName : String | UnsafeLoadSpringResource.java:35:31:35:33 | clr | Potentially untrusted URL forward due to $@. | UnsafeLoadSpringResource.java:27:32:27:77 | fileName | user-provided value |
| UnsafeLoadSpringResource.java:76:38:76:45 | fileName | UnsafeLoadSpringResource.java:68:32:68:77 | fileName : String | UnsafeLoadSpringResource.java:76:38:76:45 | fileName | Potentially untrusted URL forward due to $@. | UnsafeLoadSpringResource.java:68:32:68:77 | fileName | user-provided value |
| UnsafeLoadSpringResource.java:116:51:116:58 | fileName | UnsafeLoadSpringResource.java:108:32:108:77 | fileName : String | UnsafeLoadSpringResource.java:116:51:116:58 | fileName | Potentially untrusted URL forward due to $@. | UnsafeLoadSpringResource.java:108:32:108:77 | fileName | user-provided value |
| UnsafeRequestPath.java:23:33:23:36 | path | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | UnsafeRequestPath.java:23:33:23:36 | path | Potentially untrusted URL forward due to $@. | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) | user-provided value |
| UnsafeResourceGet2.java:19:93:19:99 | loadUrl | UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:19:93:19:99 | loadUrl | Potentially untrusted URL forward due to $@. | UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) | user-provided value |
| UnsafeResourceGet2.java:37:20:37:22 | url | UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:37:20:37:22 | url | Potentially untrusted URL forward due to $@. | UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) | user-provided value |

16
java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.expected
View File

@@ -1,11 +1,11 @@
edges
| SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:14:30:14:32 | map : Map |
| SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | SensitiveGetQuery2.java:15:29:15:36 | password |
| SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | SensitiveGetQuery2.java:15:29:15:36 | password : Object |
| SensitiveGetQuery2.java:14:21:14:48 | (...)... : String | SensitiveGetQuery2.java:15:29:15:36 | password |
| SensitiveGetQuery2.java:14:21:14:48 | (...)... : String | SensitiveGetQuery2.java:15:29:15:36 | password : String |
| SensitiveGetQuery2.java:14:30:14:32 | map : Map | SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object |
| SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object | SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object |
| SensitiveGetQuery2.java:15:29:15:36 | password : Object | SensitiveGetQuery2.java:18:40:18:54 | password : Object |
| SensitiveGetQuery2.java:18:40:18:54 | password : Object | SensitiveGetQuery2.java:19:61:19:68 | password |
| SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object | SensitiveGetQuery2.java:14:21:14:48 | (...)... : String |
| SensitiveGetQuery2.java:15:29:15:36 | password : String | SensitiveGetQuery2.java:18:40:18:54 | password : String |
| SensitiveGetQuery2.java:18:40:18:54 | password : String | SensitiveGetQuery2.java:19:61:19:68 | password |
| SensitiveGetQuery3.java:12:21:12:60 | getRequestParameter(...) : String | SensitiveGetQuery3.java:13:57:13:64 | password |
| SensitiveGetQuery3.java:17:10:17:40 | getParameter(...) : String | SensitiveGetQuery3.java:12:21:12:60 | getRequestParameter(...) : String |
| SensitiveGetQuery4.java:14:24:14:66 | getRequestParameter(...) : String | SensitiveGetQuery4.java:16:37:16:47 | accessToken |
@@ -16,12 +16,12 @@ edges
| SensitiveGetQuery.java:17:40:17:54 | password : String | SensitiveGetQuery.java:18:61:18:68 | password |
nodes
| SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | semmle.label | getParameterMap(...) : Map |
| SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | semmle.label | (...)... : Object |
| SensitiveGetQuery2.java:14:21:14:48 | (...)... : String | semmle.label | (...)... : String |
| SensitiveGetQuery2.java:14:30:14:32 | map : Map | semmle.label | map : Map |
| SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object | semmle.label | get(...) : Object |
| SensitiveGetQuery2.java:15:29:15:36 | password | semmle.label | password |
| SensitiveGetQuery2.java:15:29:15:36 | password : Object | semmle.label | password : Object |
| SensitiveGetQuery2.java:18:40:18:54 | password : Object | semmle.label | password : Object |
| SensitiveGetQuery2.java:15:29:15:36 | password : String | semmle.label | password : String |
| SensitiveGetQuery2.java:18:40:18:54 | password : String | semmle.label | password : String |
| SensitiveGetQuery2.java:19:61:19:68 | password | semmle.label | password |
| SensitiveGetQuery3.java:12:21:12:60 | getRequestParameter(...) : String | semmle.label | getRequestParameter(...) : String |
| SensitiveGetQuery3.java:13:57:13:64 | password | semmle.label | password |

26
java/ql/test/experimental/query-tests/security/CWE-755/NFEAndroidDoS.expected
View File

@@ -1,25 +1,25 @@
edges
| NFEAndroidDoS.java:13:24:13:34 | getIntent(...) : Intent | NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : Object |
| NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : Object | NFEAndroidDoS.java:14:21:14:51 | parseDouble(...) |
| NFEAndroidDoS.java:22:21:22:31 | getIntent(...) : Intent | NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : Object |
| NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : Object | NFEAndroidDoS.java:23:15:23:40 | parseInt(...) |
| NFEAndroidDoS.java:25:22:25:32 | getIntent(...) : Intent | NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : Object |
| NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : Object | NFEAndroidDoS.java:26:16:26:42 | parseInt(...) |
| NFEAndroidDoS.java:43:24:43:34 | getIntent(...) : Intent | NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : Object |
| NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : Object | NFEAndroidDoS.java:44:21:44:43 | new Double(...) |
| NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : Object | NFEAndroidDoS.java:47:21:47:47 | valueOf(...) |
| NFEAndroidDoS.java:13:24:13:34 | getIntent(...) : Intent | NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : String |
| NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : String | NFEAndroidDoS.java:14:21:14:51 | parseDouble(...) |
| NFEAndroidDoS.java:22:21:22:31 | getIntent(...) : Intent | NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : String |
| NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : String | NFEAndroidDoS.java:23:15:23:40 | parseInt(...) |
| NFEAndroidDoS.java:25:22:25:32 | getIntent(...) : Intent | NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : String |
| NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : String | NFEAndroidDoS.java:26:16:26:42 | parseInt(...) |
| NFEAndroidDoS.java:43:24:43:34 | getIntent(...) : Intent | NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : String |
| NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : String | NFEAndroidDoS.java:44:21:44:43 | new Double(...) |
| NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : String | NFEAndroidDoS.java:47:21:47:47 | valueOf(...) |
nodes
| NFEAndroidDoS.java:13:24:13:34 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
| NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object |
| NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String |
| NFEAndroidDoS.java:14:21:14:51 | parseDouble(...) | semmle.label | parseDouble(...) |
| NFEAndroidDoS.java:22:21:22:31 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
| NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object |
| NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String |
| NFEAndroidDoS.java:23:15:23:40 | parseInt(...) | semmle.label | parseInt(...) |
| NFEAndroidDoS.java:25:22:25:32 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
| NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object |
| NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String |
| NFEAndroidDoS.java:26:16:26:42 | parseInt(...) | semmle.label | parseInt(...) |
| NFEAndroidDoS.java:43:24:43:34 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
| NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object |
| NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String |
| NFEAndroidDoS.java:44:21:44:43 | new Double(...) | semmle.label | new Double(...) |
| NFEAndroidDoS.java:47:21:47:47 | valueOf(...) | semmle.label | valueOf(...) |
subpaths

2
java/ql/test/ext/TestModels/Test.java
View File

@@ -82,7 +82,7 @@ public class Test {
Connection con = DriverManager.getConnection("");
PreparedStatement ps1 = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?");
ps1.setString(1, (String)source());
sink(ps1); // $hasValueFlow
sink(ps1); // safe
// java.util.concurrent.atomic
AtomicReference ar = new AtomicReference(source());

11
java/ql/test/kotlin/library-tests/dataflow/summaries/use.kt Normal file
View File

@@ -0,0 +1,11 @@
import java.io.Closeable
class UseFlowTest {
fun <T> taint(t: T) = t
fun sink(s: Closeable) { }
fun test(input: Closeable) {
taint(input).use { it -> sink(it) } // $ hasValueFlow
sink(taint(input).use { it }) // $ hasValueFlow
}
}

9
java/ql/test/kotlin/library-tests/dataflow/summaries/with.kt Normal file
View File

@@ -0,0 +1,9 @@
class WithFlowTest {
fun <T> taint(t: T) = t
fun sink(s: String) { }
fun test(input: String) {
with(taint(input)) { sink(this) } // $ hasValueFlow
sink(with(taint(input)) { this }) // $ hasValueFlow
}
}

Some files were not shown because too many files have changed in this diff Show More