hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 01:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

[Java] CWE-348: Use of less trusted source

Browse Source
This commit is contained in:
haby0
2021-04-08 17:14:03 +08:00
parent a9527fd913
commit 3f0a3266aa
20 changed files with 885 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected Normal file
View File

@@ -0,0 +1,14 @@
edges
| UseOfLessTrustedSource.java:19:26:19:61 | getHeader(...) : String | UseOfLessTrustedSource.java:25:16:25:25 | remoteAddr |
| UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) : String | UseOfLessTrustedSource.java:32:60:32:61 | ip |
| UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) : String | UseOfLessTrustedSource.java:58:28:58:48 | ... + ... |
nodes
| UseOfLessTrustedSource.java:19:26:19:61 | getHeader(...) : String | semmle.label | getHeader(...) : String |
| UseOfLessTrustedSource.java:25:16:25:25 | remoteAddr | semmle.label | remoteAddr |
| UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) : String | semmle.label | getHeader(...) : String |
| UseOfLessTrustedSource.java:32:60:32:61 | ip | semmle.label | ip |
| UseOfLessTrustedSource.java:58:28:58:48 | ... + ... | semmle.label | ... + ... |
#select
| UseOfLessTrustedSource.java:25:16:25:25 | remoteAddr | UseOfLessTrustedSource.java:19:26:19:61 | getHeader(...) : String | UseOfLessTrustedSource.java:25:16:25:25 | remoteAddr | X-Forwarded-For spoofing might include code from $@. | UseOfLessTrustedSource.java:19:26:19:61 | getHeader(...) | this user input |
| UseOfLessTrustedSource.java:32:60:32:61 | ip | UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) : String | UseOfLessTrustedSource.java:32:60:32:61 | ip | X-Forwarded-For spoofing might include code from $@. | UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) | this user input |
| UseOfLessTrustedSource.java:58:28:58:48 | ... + ... | UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) : String | UseOfLessTrustedSource.java:58:28:58:48 | ... + ... | X-Forwarded-For spoofing might include code from $@. | UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) | this user input |

74
java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java Normal file
View File

@@ -0,0 +1,74 @@
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
@Controller
public class UseOfLessTrustedSource {
private static final Logger log = LoggerFactory.getLogger(UseOfLessTrustedSource.class);
@GetMapping(value = "bad1")
@ResponseBody
public String bad1(HttpServletRequest request) {
String remoteAddr = "";
if (request != null) {
remoteAddr = request.getHeader("X-FORWARDED-FOR");
remoteAddr = remoteAddr.split(",")[0];
if (remoteAddr == null || "".equals(remoteAddr)) {
remoteAddr = request.getRemoteAddr();
}
}
return remoteAddr;
}
@GetMapping(value = "bad2")
public void bad2(HttpServletRequest request) {
String ip = request.getHeader("X-Forwarded-For");
log.debug("getClientIP header X-Forwarded-For:{}", ip);
if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
ip = request.getHeader("Proxy-Client-IP");
log.debug("getClientIP header Proxy-Client-IP:{}", ip);
}
if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
ip = request.getHeader("WL-Proxy-Client-IP");
log.debug("getClientIP header WL-Proxy-Client-IP:{}", ip);
}
if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
ip = request.getHeader("HTTP_CLIENT_IP");
log.debug("getClientIP header HTTP_CLIENT_IP:{}", ip);
}
if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
ip = request.getHeader("HTTP_X_FORWARDED_FOR");
log.debug("getClientIP header HTTP_X_FORWARDED_FOR:{}", ip);
}
if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
ip = request.getHeader("X-Real-IP");
log.debug("getClientIP header X-Real-IP:{}", ip);
}
if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
ip = request.getRemoteAddr();
log.debug("getRemoteAddr IP:{}", ip);
}
System.out.println("client ip is: " + ip);
}
@GetMapping(value = "good1")
@ResponseBody
public String good1(HttpServletRequest request) {
String remoteAddr = "";
if (request != null) {
remoteAddr = request.getHeader("X-FORWARDED-FOR");
remoteAddr = remoteAddr.split(",")[remoteAddr.split(",").length - 1]; // good
if (remoteAddr == null || "".equals(remoteAddr)) {
remoteAddr = request.getRemoteAddr();
}
}
return remoteAddr;
}
}

1
java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql

2
java/ql/test/experimental/query-tests/security/CWE-348/options Normal file
View File

@@ -0,0 +1,2 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.2.3/:${tes
tdir}/../../../../stubs/slf4j-api-1.6.4/:${testdir}/../../../../stubs/apache-commons-lang3-3.7/