hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 03:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5337 from smowton/smowton/feature/commons-lang-random-sources

Browse Source 
Java: Add support for Commons-Lang's RandomUtils
This commit is contained in:
Anders Schack-Mulligen
2021-03-15 16:21:01 +01:00
committed by GitHub
parent 9268050eb8 92d61354d4
commit 45c9428668
30 changed files with 470 additions and 152 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
java/ql/test/query-tests/BadAbsOfRandom/BadAbsOfRandom.expected Normal file
View File

@@ -0,0 +1,6 @@
| Test.java:10:5:10:25 | abs(...) | Incorrect computation of abs of signed integral random value. |
| Test.java:11:5:11:26 | abs(...) | Incorrect computation of abs of signed integral random value. |
| Test.java:14:5:14:35 | abs(...) | Incorrect computation of abs of signed integral random value. |
| Test.java:15:5:15:36 | abs(...) | Incorrect computation of abs of signed integral random value. |
| Test.java:20:5:20:27 | abs(...) | Incorrect computation of abs of signed integral random value. |
| Test.java:21:5:21:28 | abs(...) | Incorrect computation of abs of signed integral random value. |

1
java/ql/test/query-tests/BadAbsOfRandom/BadAbsOfRandom.qlref Normal file
View File

@@ -0,0 +1 @@
Likely Bugs/Arithmetic/BadAbsOfRandom.ql

29
java/ql/test/query-tests/BadAbsOfRandom/Test.java Normal file
View File

@@ -0,0 +1,29 @@
import java.util.Random;
import java.util.concurrent.ThreadLocalRandom;
import org.apache.commons.lang3.RandomUtils;
public class Test {
public static void test() {
Random r = new Random();
Math.abs(r.nextInt());
Math.abs(r.nextLong());
Math.abs(r.nextInt(100)); // GOOD: random value already has a restricted range
Math.abs(RandomUtils.nextInt());
Math.abs(RandomUtils.nextLong());
Math.abs(RandomUtils.nextInt(1, 10)); // GOOD: random value already has a restricted range
Math.abs(RandomUtils.nextLong(1, 10)); // GOOD: random value already has a restricted range
ThreadLocalRandom tlr = ThreadLocalRandom.current();
Math.abs(tlr.nextInt());
Math.abs(tlr.nextLong());
Math.abs(tlr.nextInt(10)); // GOOD: random value already has a restricted range
Math.abs(tlr.nextLong(10)); // GOOD: random value already has a restricted range
Math.abs(tlr.nextInt(1, 10)); // GOOD: random value already has a restricted range
Math.abs(tlr.nextLong(1, 10)); // GOOD: random value already has a restricted range
}
}

1
java/ql/test/query-tests/BadAbsOfRandom/options Normal file
View File

@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../stubs/apache-commons-lang3-3.7

1
java/ql/test/query-tests/RandomUsedOnce/RandomUsedOnce.expected Normal file
View File

@@ -0,0 +1 @@
| Test.java:7:5:7:28 | nextInt(...) | Random object created and used only once. |

1
java/ql/test/query-tests/RandomUsedOnce/RandomUsedOnce.qlref Normal file
View File

@@ -0,0 +1 @@
Likely Bugs/Arithmetic/RandomUsedOnce.ql

11
java/ql/test/query-tests/RandomUsedOnce/Test.java Normal file
View File

@@ -0,0 +1,11 @@
import java.util.Random;
public class Test {
public static void test() {
(new Random()).nextInt();
}
}

10
java/ql/test/query-tests/RangeAnalysis/A.java
View File

@@ -1,3 +1,6 @@
import java.util.Random;
import org.apache.commons.lang3.RandomUtils;
public class A {
private static final int[] arr1 = new int[] { 1, 2, 3, 4, 5, 6, 7, 8 };
private final int[] arr2;
@@ -194,4 +197,11 @@ public class A {
}
}
}
static int m16() {
return A.arr1[(new Random()).nextInt(arr1.length + 1)] + // BAD: random int may be out of range
A.arr1[(new Random()).nextInt(arr1.length)] + // GOOD: random int must be in range
A.arr1[RandomUtils.nextInt(0, arr1.length + 1)] + // BAD: random int may be out of range
A.arr1[RandomUtils.nextInt(0, arr1.length)]; // GOOD: random int must be in range
}
}

30
java/ql/test/query-tests/RangeAnalysis/ArrayIndexOutOfBounds.expected
View File

@@ -1,14 +1,16 @@
| A.java:16:14:16:17 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:23:21:23:28 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:42:14:42:22 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:46:14:46:22 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:55:14:55:19 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:64:14:64:19 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:86:12:86:16 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:97:18:97:31 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length + 8. |
| A.java:110:14:110:21 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:111:14:111:21 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length + 1. |
| A.java:122:16:122:23 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length + 3. |
| A.java:134:16:134:23 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:182:9:182:13 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:192:9:192:13 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:19:14:19:17 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:26:21:26:28 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:45:14:45:22 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:49:14:49:22 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:58:14:58:19 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:67:14:67:19 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:89:12:89:16 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:100:18:100:31 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length + 8. |
| A.java:113:14:113:21 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:114:14:114:21 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length + 1. |
| A.java:125:16:125:23 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length + 3. |
| A.java:137:16:137:23 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:185:9:185:13 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:195:9:195:13 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:202:12:202:58 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |
| A.java:204:7:204:53 | ...[...] | This array access might be out of bounds, as the index might be equal to the array length. |

1
java/ql/test/query-tests/RangeAnalysis/options Normal file
View File

@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../stubs/apache-commons-lang3-3.7

8
java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstructionCodeSpecified.expected
View File

@@ -1,7 +1,7 @@
edges
| Test.java:86:16:86:16 | 0 : Number | Test.java:88:27:88:30 | size |
| Test.java:105:16:105:16 | 0 : Number | Test.java:107:27:107:30 | size |
nodes
| Test.java:86:16:86:16 | 0 : Number | semmle.label | 0 : Number |
| Test.java:88:27:88:30 | size | semmle.label | size |
| Test.java:105:16:105:16 | 0 : Number | semmle.label | 0 : Number |
| Test.java:107:27:107:30 | size | semmle.label | size |
#select
| Test.java:91:30:91:30 | 0 | Test.java:86:16:86:16 | 0 : Number | Test.java:88:27:88:30 | size | The $@ is accessed here, but the array is initialized using $@ which may be zero. | Test.java:88:19:88:31 | new int[] | array | Test.java:86:16:86:16 | 0 | literal value 0 |
| Test.java:110:30:110:30 | 0 | Test.java:105:16:105:16 | 0 : Number | Test.java:107:27:107:30 | size | The $@ is accessed here, but the array is initialized using $@ which may be zero. | Test.java:107:19:107:31 | new int[] | array | Test.java:105:16:105:16 | 0 | literal value 0 |

14
java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstructionLocal.expected
View File

@@ -1,10 +1,10 @@
edges
| Test.java:57:27:57:60 | getProperty(...) : String | Test.java:61:31:61:34 | size |
| Test.java:57:27:57:60 | getProperty(...) : String | Test.java:67:34:67:37 | size |
| Test.java:76:27:76:60 | getProperty(...) : String | Test.java:80:31:80:34 | size |
| Test.java:76:27:76:60 | getProperty(...) : String | Test.java:86:34:86:37 | size |
nodes
| Test.java:57:27:57:60 | getProperty(...) : String | semmle.label | getProperty(...) : String |
| Test.java:61:31:61:34 | size | semmle.label | size |
| Test.java:67:34:67:37 | size | semmle.label | size |
| Test.java:76:27:76:60 | getProperty(...) : String | semmle.label | getProperty(...) : String |
| Test.java:80:31:80:34 | size | semmle.label | size |
| Test.java:86:34:86:37 | size | semmle.label | size |
#select
| Test.java:64:34:64:34 | 0 | Test.java:57:27:57:60 | getProperty(...) : String | Test.java:61:31:61:34 | size | The $@ is accessed here, but the array is initialized using $@ which may be zero. | Test.java:61:23:61:35 | new int[] | array | Test.java:57:27:57:60 | getProperty(...) | User-provided value |
| Test.java:70:37:70:37 | 0 | Test.java:57:27:57:60 | getProperty(...) : String | Test.java:67:34:67:37 | size | The $@ is accessed here, but the array is initialized using $@ which may be zero. | Test.java:67:26:67:38 | new int[] | array | Test.java:57:27:57:60 | getProperty(...) | User-provided value |
| Test.java:83:34:83:34 | 0 | Test.java:76:27:76:60 | getProperty(...) : String | Test.java:80:31:80:34 | size | The $@ is accessed here, but the array is initialized using $@ which may be zero. | Test.java:80:23:80:35 | new int[] | array | Test.java:76:27:76:60 | getProperty(...) | User-provided value |
| Test.java:89:37:89:37 | 0 | Test.java:76:27:76:60 | getProperty(...) : String | Test.java:86:34:86:37 | size | The $@ is accessed here, but the array is initialized using $@ which may be zero. | Test.java:86:26:86:38 | new int[] | array | Test.java:76:27:76:60 | getProperty(...) | User-provided value |

42
java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndexCodeSpecified.expected
View File

@@ -1,19 +1,29 @@
edges
| Test.java:40:17:40:48 | nextInt(...) : Number | Test.java:43:30:43:34 | index |
| Test.java:40:17:40:48 | nextInt(...) : Number | Test.java:47:32:47:36 | index |
| Test.java:40:17:40:48 | nextInt(...) : Number | Test.java:51:39:51:43 | index |
| Test.java:93:17:93:17 | 0 : Number | Test.java:96:32:96:36 | index |
| ../../../../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/RandomUtils.java:34:14:34:14 | 0 : Number | Test.java:59:17:59:42 | nextInt(...) : Number |
| Test.java:41:17:41:48 | nextInt(...) : Number | Test.java:44:30:44:34 | index |
| Test.java:41:17:41:48 | nextInt(...) : Number | Test.java:48:32:48:36 | index |
| Test.java:41:17:41:48 | nextInt(...) : Number | Test.java:52:39:52:43 | index |
| Test.java:59:17:59:42 | nextInt(...) : Number | Test.java:62:30:62:34 | index |
| Test.java:59:17:59:42 | nextInt(...) : Number | Test.java:66:32:66:36 | index |
| Test.java:59:17:59:42 | nextInt(...) : Number | Test.java:70:39:70:43 | index |
| Test.java:112:17:112:17 | 0 : Number | Test.java:115:32:115:36 | index |
nodes
| Test.java:40:17:40:48 | nextInt(...) : Number | semmle.label | nextInt(...) : Number |
| Test.java:43:30:43:34 | index | semmle.label | index |
| Test.java:47:32:47:36 | index | semmle.label | index |
| Test.java:51:39:51:43 | index | semmle.label | index |
| Test.java:64:34:64:34 | 0 | semmle.label | 0 |
| Test.java:70:37:70:37 | 0 | semmle.label | 0 |
| Test.java:77:39:77:39 | 0 | semmle.label | 0 |
| Test.java:91:30:91:30 | 0 | semmle.label | 0 |
| Test.java:93:17:93:17 | 0 : Number | semmle.label | 0 : Number |
| Test.java:96:32:96:36 | index | semmle.label | index |
| Test.java:102:30:102:30 | 0 | semmle.label | 0 |
| ../../../../../stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/RandomUtils.java:34:14:34:14 | 0 : Number | semmle.label | 0 : Number |
| Test.java:41:17:41:48 | nextInt(...) : Number | semmle.label | nextInt(...) : Number |
| Test.java:44:30:44:34 | index | semmle.label | index |
| Test.java:48:32:48:36 | index | semmle.label | index |
| Test.java:52:39:52:43 | index | semmle.label | index |
| Test.java:59:17:59:42 | nextInt(...) : Number | semmle.label | nextInt(...) : Number |
| Test.java:62:30:62:34 | index | semmle.label | index |
| Test.java:66:32:66:36 | index | semmle.label | index |
| Test.java:70:39:70:43 | index | semmle.label | index |
| Test.java:83:34:83:34 | 0 | semmle.label | 0 |
| Test.java:89:37:89:37 | 0 | semmle.label | 0 |
| Test.java:96:39:96:39 | 0 | semmle.label | 0 |
| Test.java:110:30:110:30 | 0 | semmle.label | 0 |
| Test.java:112:17:112:17 | 0 : Number | semmle.label | 0 : Number |
| Test.java:115:32:115:36 | index | semmle.label | index |
| Test.java:121:30:121:30 | 0 | semmle.label | 0 |
#select
| Test.java:43:30:43:34 | index | Test.java:40:17:40:48 | nextInt(...) : Number | Test.java:43:30:43:34 | index | $@ flows to the index used in this array access, and may cause the operation to throw an ArrayIndexOutOfBoundsException. | Test.java:40:17:40:48 | nextInt(...) | Random value |
| Test.java:44:30:44:34 | index | Test.java:41:17:41:48 | nextInt(...) : Number | Test.java:44:30:44:34 | index | $@ flows to the index used in this array access, and may cause the operation to throw an ArrayIndexOutOfBoundsException. | Test.java:41:17:41:48 | nextInt(...) | Random value |
| Test.java:62:30:62:34 | index | Test.java:59:17:59:42 | nextInt(...) : Number | Test.java:62:30:62:34 | index | $@ flows to the index used in this array access, and may cause the operation to throw an ArrayIndexOutOfBoundsException. | Test.java:59:17:59:42 | nextInt(...) | Random value |

8
java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndexLocal.expected
View File

@@ -1,7 +1,7 @@
edges
| Test.java:13:27:13:60 | getProperty(...) : String | Test.java:18:34:18:38 | index |
| Test.java:14:27:14:60 | getProperty(...) : String | Test.java:19:34:19:38 | index |
nodes
| Test.java:13:27:13:60 | getProperty(...) : String | semmle.label | getProperty(...) : String |
| Test.java:18:34:18:38 | index | semmle.label | index |
| Test.java:14:27:14:60 | getProperty(...) : String | semmle.label | getProperty(...) : String |
| Test.java:19:34:19:38 | index | semmle.label | index |
#select
| Test.java:18:34:18:38 | index | Test.java:13:27:13:60 | getProperty(...) : String | Test.java:18:34:18:38 | index | $@ flows to here and is used as an index causing an ArrayIndexOutOfBoundsException. | Test.java:13:27:13:60 | getProperty(...) | User-provided value |
| Test.java:19:34:19:38 | index | Test.java:14:27:14:60 | getProperty(...) : String | Test.java:19:34:19:38 | index | $@ flows to here and is used as an index causing an ArrayIndexOutOfBoundsException. | Test.java:14:27:14:60 | getProperty(...) | User-provided value |

21
java/ql/test/query-tests/security/CWE-129/semmle/tests/Test.java
View File

@@ -5,6 +5,7 @@
package test.cwe129.cwe.examples;
import java.security.SecureRandom;
import org.apache.commons.lang3.RandomUtils;
class Test {
public static void basic() {
@@ -52,6 +53,24 @@ class Test {
}
}
public static void apacheRandom() {
int array[] = { 0, 1, 2, 3, 4 };
int index = RandomUtils.nextInt(0, 10);
// BAD Accessing array without conditional check
System.out.println(array[index]);
if (index < array.length) {
// GOOD Accessing array under conditions
System.out.println(array[index]);
}
// GOOD, the array access is protected by short-circuiting
if (index < array.length && array[index] > 0) {
}
}
public static void construction() {
String userProperty = System.getProperty("userProperty");
@@ -101,4 +120,4 @@ class Test {
// GOOD array size is guaranteed to be larger than zero
System.out.println(array[0]);
}
}
}

1
java/ql/test/query-tests/security/CWE-129/semmle/tests/options Normal file
View File

@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-commons-lang3-3.7

21
java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticUncontrolled.expected
View File

@@ -1,10 +1,17 @@
edges
| Test.java:205:14:205:57 | nextInt(...) : Number | Test.java:209:17:209:20 | data |
| Test.java:205:14:205:57 | nextInt(...) : Number | Test.java:240:37:240:40 | data |
| Test.java:206:14:206:57 | nextInt(...) : Number | Test.java:210:17:210:20 | data |
| Test.java:206:14:206:57 | nextInt(...) : Number | Test.java:241:37:241:40 | data |
| Test.java:245:15:245:35 | nextInt(...) : Number | Test.java:249:17:249:21 | data2 |
| Test.java:245:15:245:35 | nextInt(...) : Number | Test.java:280:37:280:41 | data2 |
nodes
| Test.java:205:14:205:57 | nextInt(...) : Number | semmle.label | nextInt(...) : Number |
| Test.java:209:17:209:20 | data | semmle.label | data |
| Test.java:240:37:240:40 | data | semmle.label | data |
| Test.java:206:14:206:57 | nextInt(...) : Number | semmle.label | nextInt(...) : Number |
| Test.java:210:17:210:20 | data | semmle.label | data |
| Test.java:241:37:241:40 | data | semmle.label | data |
| Test.java:245:15:245:35 | nextInt(...) : Number | semmle.label | nextInt(...) : Number |
| Test.java:249:17:249:21 | data2 | semmle.label | data2 |
| Test.java:280:37:280:41 | data2 | semmle.label | data2 |
#select
| Test.java:209:17:209:24 | ... + ... | Test.java:205:14:205:57 | nextInt(...) : Number | Test.java:209:17:209:20 | data | $@ flows to here and is used in arithmetic, potentially causing an overflow. | Test.java:205:14:205:57 | nextInt(...) | Uncontrolled value |
| Test.java:240:37:240:46 | ... + ... | Test.java:205:14:205:57 | nextInt(...) : Number | Test.java:240:37:240:40 | data | $@ flows to here and is used in arithmetic, potentially causing an overflow. | Test.java:205:14:205:57 | nextInt(...) | Uncontrolled value |
| Test.java:210:17:210:24 | ... + ... | Test.java:206:14:206:57 | nextInt(...) : Number | Test.java:210:17:210:20 | data | $@ flows to here and is used in arithmetic, potentially causing an overflow. | Test.java:206:14:206:57 | nextInt(...) | Uncontrolled value |
| Test.java:241:37:241:46 | ... + ... | Test.java:206:14:206:57 | nextInt(...) : Number | Test.java:241:37:241:40 | data | $@ flows to here and is used in arithmetic, potentially causing an overflow. | Test.java:206:14:206:57 | nextInt(...) | Uncontrolled value |
| Test.java:249:17:249:25 | ... + ... | Test.java:245:15:245:35 | nextInt(...) : Number | Test.java:249:17:249:21 | data2 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | Test.java:245:15:245:35 | nextInt(...) | Uncontrolled value |
| Test.java:280:37:280:47 | ... + ... | Test.java:245:15:245:35 | nextInt(...) : Number | Test.java:280:37:280:41 | data2 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | Test.java:245:15:245:35 | nextInt(...) | Uncontrolled value |

56
java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticWithExtremeValues.expected
View File

@@ -1,31 +1,31 @@
edges
| Test.java:92:8:92:24 | Integer.MAX_VALUE : Number | Test.java:95:8:95:8 | i |
| Test.java:108:13:108:26 | Long.MIN_VALUE : Number | Test.java:110:13:110:13 | i |
| Test.java:137:9:137:25 | Integer.MAX_VALUE : Number | Test.java:138:14:138:14 | i |
| Test.java:143:12:143:28 | Integer.MAX_VALUE : Number | Test.java:146:14:146:14 | i |
| Test.java:184:13:184:26 | Byte.MAX_VALUE : Number | Test.java:187:39:187:39 | b |
| Test.java:191:14:191:28 | Short.MAX_VALUE : Number | Test.java:194:41:194:41 | s |
| Test.java:198:12:198:28 | Integer.MAX_VALUE : Number | Test.java:201:37:201:37 | i |
| Test.java:93:8:93:24 | Integer.MAX_VALUE : Number | Test.java:96:8:96:8 | i |
| Test.java:109:13:109:26 | Long.MIN_VALUE : Number | Test.java:111:13:111:13 | i |
| Test.java:138:9:138:25 | Integer.MAX_VALUE : Number | Test.java:139:14:139:14 | i |
| Test.java:144:12:144:28 | Integer.MAX_VALUE : Number | Test.java:147:14:147:14 | i |
| Test.java:185:13:185:26 | Byte.MAX_VALUE : Number | Test.java:188:39:188:39 | b |
| Test.java:192:14:192:28 | Short.MAX_VALUE : Number | Test.java:195:41:195:41 | s |
| Test.java:199:12:199:28 | Integer.MAX_VALUE : Number | Test.java:202:37:202:37 | i |
nodes
| Test.java:92:8:92:24 | Integer.MAX_VALUE : Number | semmle.label | Integer.MAX_VALUE : Number |
| Test.java:95:8:95:8 | i | semmle.label | i |
| Test.java:108:13:108:26 | Long.MIN_VALUE : Number | semmle.label | Long.MIN_VALUE : Number |
| Test.java:110:13:110:13 | i | semmle.label | i |
| Test.java:137:9:137:25 | Integer.MAX_VALUE : Number | semmle.label | Integer.MAX_VALUE : Number |
| Test.java:138:14:138:14 | i | semmle.label | i |
| Test.java:143:12:143:28 | Integer.MAX_VALUE : Number | semmle.label | Integer.MAX_VALUE : Number |
| Test.java:146:14:146:14 | i | semmle.label | i |
| Test.java:184:13:184:26 | Byte.MAX_VALUE : Number | semmle.label | Byte.MAX_VALUE : Number |
| Test.java:187:39:187:39 | b | semmle.label | b |
| Test.java:191:14:191:28 | Short.MAX_VALUE : Number | semmle.label | Short.MAX_VALUE : Number |
| Test.java:194:41:194:41 | s | semmle.label | s |
| Test.java:198:12:198:28 | Integer.MAX_VALUE : Number | semmle.label | Integer.MAX_VALUE : Number |
| Test.java:201:37:201:37 | i | semmle.label | i |
| Test.java:93:8:93:24 | Integer.MAX_VALUE : Number | semmle.label | Integer.MAX_VALUE : Number |
| Test.java:96:8:96:8 | i | semmle.label | i |
| Test.java:109:13:109:26 | Long.MIN_VALUE : Number | semmle.label | Long.MIN_VALUE : Number |
| Test.java:111:13:111:13 | i | semmle.label | i |
| Test.java:138:9:138:25 | Integer.MAX_VALUE : Number | semmle.label | Integer.MAX_VALUE : Number |
| Test.java:139:14:139:14 | i | semmle.label | i |
| Test.java:144:12:144:28 | Integer.MAX_VALUE : Number | semmle.label | Integer.MAX_VALUE : Number |
| Test.java:147:14:147:14 | i | semmle.label | i |
| Test.java:185:13:185:26 | Byte.MAX_VALUE : Number | semmle.label | Byte.MAX_VALUE : Number |
| Test.java:188:39:188:39 | b | semmle.label | b |
| Test.java:192:14:192:28 | Short.MAX_VALUE : Number | semmle.label | Short.MAX_VALUE : Number |
| Test.java:195:41:195:41 | s | semmle.label | s |
| Test.java:199:12:199:28 | Integer.MAX_VALUE : Number | semmle.label | Integer.MAX_VALUE : Number |
| Test.java:202:37:202:37 | i | semmle.label | i |
#select
| Test.java:95:8:95:12 | ... + ... | Test.java:92:8:92:24 | Integer.MAX_VALUE : Number | Test.java:95:8:95:8 | i | Variable i is assigned an extreme value $@, and may cause an overflow. | Test.java:92:8:92:24 | Integer.MAX_VALUE | MAX_VALUE |
| Test.java:110:13:110:17 | ... - ... | Test.java:108:13:108:26 | Long.MIN_VALUE : Number | Test.java:110:13:110:13 | i | Variable i is assigned an extreme value $@, and may cause an underflow. | Test.java:108:13:108:26 | Long.MIN_VALUE | MIN_VALUE |
| Test.java:138:14:138:18 | ... + ... | Test.java:137:9:137:25 | Integer.MAX_VALUE : Number | Test.java:138:14:138:14 | i | Variable i is assigned an extreme value $@, and may cause an overflow. | Test.java:137:9:137:25 | Integer.MAX_VALUE | MAX_VALUE |
| Test.java:146:14:146:18 | ... + ... | Test.java:143:12:143:28 | Integer.MAX_VALUE : Number | Test.java:146:14:146:14 | i | Variable i is assigned an extreme value $@, and may cause an overflow. | Test.java:143:12:143:28 | Integer.MAX_VALUE | MAX_VALUE |
| Test.java:187:39:187:43 | ... + ... | Test.java:184:13:184:26 | Byte.MAX_VALUE : Number | Test.java:187:39:187:39 | b | Variable b is assigned an extreme value $@, and may cause an overflow. | Test.java:184:13:184:26 | Byte.MAX_VALUE | MAX_VALUE |
| Test.java:194:41:194:45 | ... + ... | Test.java:191:14:191:28 | Short.MAX_VALUE : Number | Test.java:194:41:194:41 | s | Variable s is assigned an extreme value $@, and may cause an overflow. | Test.java:191:14:191:28 | Short.MAX_VALUE | MAX_VALUE |
| Test.java:201:37:201:42 | ... + ... | Test.java:198:12:198:28 | Integer.MAX_VALUE : Number | Test.java:201:37:201:37 | i | Variable i is assigned an extreme value $@, and may cause an overflow. | Test.java:198:12:198:28 | Integer.MAX_VALUE | MAX_VALUE |
| Test.java:96:8:96:12 | ... + ... | Test.java:93:8:93:24 | Integer.MAX_VALUE : Number | Test.java:96:8:96:8 | i | Variable i is assigned an extreme value $@, and may cause an overflow. | Test.java:93:8:93:24 | Integer.MAX_VALUE | MAX_VALUE |
| Test.java:111:13:111:17 | ... - ... | Test.java:109:13:109:26 | Long.MIN_VALUE : Number | Test.java:111:13:111:13 | i | Variable i is assigned an extreme value $@, and may cause an underflow. | Test.java:109:13:109:26 | Long.MIN_VALUE | MIN_VALUE |
| Test.java:139:14:139:18 | ... + ... | Test.java:138:9:138:25 | Integer.MAX_VALUE : Number | Test.java:139:14:139:14 | i | Variable i is assigned an extreme value $@, and may cause an overflow. | Test.java:138:9:138:25 | Integer.MAX_VALUE | MAX_VALUE |
| Test.java:147:14:147:18 | ... + ... | Test.java:144:12:144:28 | Integer.MAX_VALUE : Number | Test.java:147:14:147:14 | i | Variable i is assigned an extreme value $@, and may cause an overflow. | Test.java:144:12:144:28 | Integer.MAX_VALUE | MAX_VALUE |
| Test.java:188:39:188:43 | ... + ... | Test.java:185:13:185:26 | Byte.MAX_VALUE : Number | Test.java:188:39:188:39 | b | Variable b is assigned an extreme value $@, and may cause an overflow. | Test.java:185:13:185:26 | Byte.MAX_VALUE | MAX_VALUE |
| Test.java:195:41:195:45 | ... + ... | Test.java:192:14:192:28 | Short.MAX_VALUE : Number | Test.java:195:41:195:41 | s | Variable s is assigned an extreme value $@, and may cause an overflow. | Test.java:192:14:192:28 | Short.MAX_VALUE | MAX_VALUE |
| Test.java:202:37:202:42 | ... + ... | Test.java:199:12:199:28 | Integer.MAX_VALUE : Number | Test.java:202:37:202:37 | i | Variable i is assigned an extreme value $@, and may cause an overflow. | Test.java:199:12:199:28 | Integer.MAX_VALUE | MAX_VALUE |

4
java/ql/test/query-tests/security/CWE-190/semmle/tests/InformationLoss.expected
View File

@@ -1,2 +1,2 @@
| Test.java:67:5:67:25 | ...+=... | Implicit cast of source type long to narrower destination type int. |
| Test.java:86:4:86:9 | ...+=... | Implicit cast of source type long to narrower destination type int. |
| Test.java:68:5:68:25 | ...+=... | Implicit cast of source type long to narrower destination type int. |
| Test.java:87:4:87:9 | ...+=... | Implicit cast of source type long to narrower destination type int. |

6
java/ql/test/query-tests/security/CWE-190/semmle/tests/IntMultToLong.expected
View File

@@ -1,3 +1,3 @@
| Test.java:20:23:20:48 | ... * ... | Potential overflow in $@ before it is converted to long by use in an assignment context. | Test.java:20:23:20:48 | ... * ... | int multiplication |
| Test.java:27:23:27:52 | ... + ... | Potential overflow in $@ before it is converted to long by use in an assignment context. | Test.java:27:23:27:48 | ... * ... | int multiplication |
| Test.java:34:23:34:63 | ...?...:... | Potential overflow in $@ before it is converted to long by use in an assignment context. | Test.java:34:30:34:55 | ... * ... | int multiplication |
| Test.java:21:23:21:48 | ... * ... | Potential overflow in $@ before it is converted to long by use in an assignment context. | Test.java:21:23:21:48 | ... * ... | int multiplication |
| Test.java:28:23:28:52 | ... + ... | Potential overflow in $@ before it is converted to long by use in an assignment context. | Test.java:28:23:28:48 | ... * ... | int multiplication |
| Test.java:35:23:35:63 | ...?...:... | Potential overflow in $@ before it is converted to long by use in an assignment context. | Test.java:35:30:35:55 | ... * ... | int multiplication |

40
java/ql/test/query-tests/security/CWE-190/semmle/tests/Test.java
View File

@@ -7,6 +7,7 @@ import java.io.InputStreamReader;
import java.io.IOException;
import java.security.SecureRandom;
import java.util.HashMap;
import org.apache.commons.lang3.RandomUtils;
class Test {
public static void main(String[] args) {
@@ -239,6 +240,45 @@ class Test {
// subsequently cast to narrower type int
int widenedThenNarrowed = (int) (data + 10L);
}
// ArithmeticUncontrolled using Apache RandomUtils
int data2 = RandomUtils.nextInt();
{
// BAD: may overflow if data is large
int output = data2 + 1;
}
{
// GOOD: guarded
if (data2 < Integer.MAX_VALUE) {
int output = data2 + 1;
}
}
{
// guard against underflow
if (data2 > Integer.MIN_VALUE) {
int stillLarge = data2 - 1;
// FALSE NEGATIVE: stillLarge could still be very large, even
// after
// it has had arithmetic done on it
int output = stillLarge + 100;
}
}
{
// GOOD: uncontrolled int value is widened to type long, thus
// avoiding overflow
// (see binary numeric promotions in JLS 5.6.2)
long widened = data2 + 10L;
}
{
// BAD: uncontrolled int value is widened to type long, but
// subsequently cast to narrower type int
int widenedThenNarrowed = (int) (data2 + 10L);
}
}
public static long getLargeNumber() {

1
java/ql/test/query-tests/security/CWE-190/semmle/tests/options Normal file
View File

@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-commons-lang3-3.7