Merge branch 'main' into java/update-mad-decls-after-triage-2023-03-20T12-45-37

This commit is contained in:
Stephan Brandauer
2023-03-24 16:17:07 +01:00
committed by GitHub
528 changed files with 9816 additions and 4161 deletions


@@ -0,0 +1,6 @@
#
# https://help.github.com/articles/dealing-with-line-endings/
#
# These are explicitly windows files and should use crlf
*.bat text eol=crlf
*.cmd text eol=crlf


@@ -0,0 +1,18 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.0/apache-maven-3.9.0-bin.zip
wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.1/maven-wrapper-3.1.1.jar
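Review bot: Both `distributionUrl` and `wrapperUrl` are pinned by version only, with no checksum, so the Maven distribution and the wrapper jar are trusted purely on the strength of the TLS connection at download time. Newer Maven Wrapper releases read `distributionSha256Sum` and `wrapperSha256Sum` from this file and abort on a mismatch; the startup scripts elsewhere in this commit identify themselves as wrapper 3.1.1, so confirm that version honours those keys before relying on them, or move to a release that does. This matters because the shell and batch wrapper scripts in the same commit fetch `maven-wrapper.jar` via wget, curl or WebClient and never verify a hash, making this properties file the only place integrity can be enforced. Suggested addition: `distributionSha256Sum=<sha256 of apache-maven-3.9.0-bin.zip>` and `wrapperSha256Sum=<sha256 of maven-wrapper-3.1.1.jar>`, with the values copied from the published `.sha256` files rather than computed from a local download.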


@@ -0,0 +1,287 @@
#!/bin/sh
# ----------------------------------------------------------------------------
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# ----------------------------------------------------------------------------
# ----------------------------------------------------------------------------
# Apache Maven Wrapper startup batch script, version 3.1.1
#
# Required ENV vars:
# ------------------
# JAVA_HOME - location of a JDK home dir
#
# Optional ENV vars
# -----------------
# MAVEN_OPTS - parameters passed to the Java VM when running Maven
# e.g. to debug Maven itself, use
# set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
# MAVEN_SKIP_RC - flag to disable loading of mavenrc files
# ----------------------------------------------------------------------------
if [ -z "$MAVEN_SKIP_RC" ] ; then
if [ -f /usr/local/etc/mavenrc ] ; then
. /usr/local/etc/mavenrc
fi
if [ -f /etc/mavenrc ] ; then
. /etc/mavenrc
fi
if [ -f "$HOME/.mavenrc" ] ; then
. "$HOME/.mavenrc"
fi
fi
# OS specific support. $var _must_ be set to either true or false.
cygwin=false;
darwin=false;
mingw=false
case "`uname`" in
CYGWIN*) cygwin=true ;;
MINGW*) mingw=true;;
Darwin*) darwin=true
# Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home
# See https://developer.apple.com/library/mac/qa/qa1170/_index.html
if [ -z "$JAVA_HOME" ]; then
if [ -x "/usr/libexec/java_home" ]; then
JAVA_HOME="`/usr/libexec/java_home`"; export JAVA_HOME
else
JAVA_HOME="/Library/Java/Home"; export JAVA_HOME
fi
fi
;;
esac
if [ -z "$JAVA_HOME" ] ; then
if [ -r /etc/gentoo-release ] ; then
JAVA_HOME=`java-config --jre-home`
fi
fi
# For Cygwin, ensure paths are in UNIX format before anything is touched
if $cygwin ; then
[ -n "$JAVA_HOME" ] &&
JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
[ -n "$CLASSPATH" ] &&
CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
fi
# For Mingw, ensure paths are in UNIX format before anything is touched
if $mingw ; then
[ -n "$JAVA_HOME" ] &&
JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`"
fi
if [ -z "$JAVA_HOME" ]; then
javaExecutable="`which javac`"
if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then
# readlink(1) is not available as standard on Solaris 10.
readLink=`which readlink`
if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then
if $darwin ; then
javaHome="`dirname \"$javaExecutable\"`"
javaExecutable="`cd \"$javaHome\" && pwd -P`/javac"
else
javaExecutable="`readlink -f \"$javaExecutable\"`"
fi
javaHome="`dirname \"$javaExecutable\"`"
javaHome=`expr "$javaHome" : '\(.*\)/bin'`
JAVA_HOME="$javaHome"
export JAVA_HOME
fi
fi
fi
if [ -z "$JAVACMD" ] ; then
if [ -n "$JAVA_HOME" ] ; then
if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
# IBM's JDK on AIX uses strange locations for the executables
JAVACMD="$JAVA_HOME/jre/sh/java"
else
JAVACMD="$JAVA_HOME/bin/java"
fi
else
JAVACMD="`\\unset -f command; \\command -v java`"
fi
fi
if [ ! -x "$JAVACMD" ] ; then
echo "Error: JAVA_HOME is not defined correctly." >&2
echo " We cannot execute $JAVACMD" >&2
exit 1
fi
if [ -z "$JAVA_HOME" ] ; then
echo "Warning: JAVA_HOME environment variable is not set."
fi
# traverses directory structure from process work directory to filesystem root
# first directory with .mvn subdirectory is considered project base directory
find_maven_basedir() {
if [ -z "$1" ]
then
echo "Path not specified to find_maven_basedir"
return 1
fi
basedir="$1"
wdir="$1"
while [ "$wdir" != '/' ] ; do
if [ -d "$wdir"/.mvn ] ; then
basedir=$wdir
break
fi
# workaround for JBEAP-8937 (on Solaris 10/Sparc)
if [ -d "${wdir}" ]; then
wdir=`cd "$wdir/.."; pwd`
fi
# end of workaround
done
printf '%s' "$(cd "$basedir"; pwd)"
}
# concatenates all lines of a file
concat_lines() {
if [ -f "$1" ]; then
echo "$(tr -s '\n' ' ' < "$1")"
fi
}
BASE_DIR=$(find_maven_basedir "$(dirname $0)")
if [ -z "$BASE_DIR" ]; then
exit 1;
fi
MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}; export MAVEN_PROJECTBASEDIR
if [ "$MVNW_VERBOSE" = true ]; then
echo $MAVEN_PROJECTBASEDIR
fi
##########################################################################################
# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
# This allows using the maven wrapper in projects that prohibit checking in binary data.
##########################################################################################
if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then
if [ "$MVNW_VERBOSE" = true ]; then
echo "Found .mvn/wrapper/maven-wrapper.jar"
fi
else
if [ "$MVNW_VERBOSE" = true ]; then
echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..."
fi
if [ -n "$MVNW_REPOURL" ]; then
wrapperUrl="$MVNW_REPOURL/org/apache/maven/wrapper/maven-wrapper/3.1.1/maven-wrapper-3.1.1.jar"
else
wrapperUrl="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.1/maven-wrapper-3.1.1.jar"
fi
while IFS="=" read key value; do
case "$key" in (wrapperUrl) wrapperUrl="$value"; break ;;
esac
done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties"
if [ "$MVNW_VERBOSE" = true ]; then
echo "Downloading from: $wrapperUrl"
fi
wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar"
if $cygwin; then
wrapperJarPath=`cygpath --path --windows "$wrapperJarPath"`
fi
if command -v wget > /dev/null; then
QUIET="--quiet"
if [ "$MVNW_VERBOSE" = true ]; then
echo "Found wget ... using wget"
QUIET=""
fi
if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
wget $QUIET "$wrapperUrl" -O "$wrapperJarPath"
else
wget $QUIET --http-user="$MVNW_USERNAME" --http-password="$MVNW_PASSWORD" "$wrapperUrl" -O "$wrapperJarPath"
fi
[ $? -eq 0 ] || rm -f "$wrapperJarPath"
elif command -v curl > /dev/null; then
QUIET="--silent"
if [ "$MVNW_VERBOSE" = true ]; then
echo "Found curl ... using curl"
QUIET=""
fi
if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
curl $QUIET -o "$wrapperJarPath" "$wrapperUrl" -f -L
else
curl $QUIET --user "$MVNW_USERNAME:$MVNW_PASSWORD" -o "$wrapperJarPath" "$wrapperUrl" -f -L
fi
[ $? -eq 0 ] || rm -f "$wrapperJarPath"
else
if [ "$MVNW_VERBOSE" = true ]; then
echo "Falling back to using Java to download"
fi
javaSource="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java"
javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class"
# For Cygwin, switch paths to Windows format before running javac
if $cygwin; then
javaSource=`cygpath --path --windows "$javaSource"`
javaClass=`cygpath --path --windows "$javaClass"`
fi
if [ -e "$javaSource" ]; then
if [ ! -e "$javaClass" ]; then
if [ "$MVNW_VERBOSE" = true ]; then
echo " - Compiling MavenWrapperDownloader.java ..."
fi
# Compiling the Java class
("$JAVA_HOME/bin/javac" "$javaSource")
fi
if [ -e "$javaClass" ]; then
# Running the downloader
if [ "$MVNW_VERBOSE" = true ]; then
echo " - Running MavenWrapperDownloader.java ..."
fi
("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR")
fi
fi
fi
fi
##########################################################################################
# End of extension
##########################################################################################
MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"
# For Cygwin, switch paths to Windows format before running java
if $cygwin; then
[ -n "$JAVA_HOME" ] &&
JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"`
[ -n "$CLASSPATH" ] &&
CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
[ -n "$MAVEN_PROJECTBASEDIR" ] &&
MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"`
fi
# Provide a "standardized" way to retrieve the CLI args that will
# work with both Windows and non-Windows executions.
MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $@"
export MAVEN_CMD_LINE_ARGS
WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
exec "$JAVACMD" \
$MAVEN_OPTS \
$MAVEN_DEBUG_OPTS \
-classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \
"-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \
${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@"


@@ -0,0 +1,187 @@
@REM ----------------------------------------------------------------------------
@REM Licensed to the Apache Software Foundation (ASF) under one
@REM or more contributor license agreements. See the NOTICE file
@REM distributed with this work for additional information
@REM regarding copyright ownership. The ASF licenses this file
@REM to you under the Apache License, Version 2.0 (the
@REM "License"); you may not use this file except in compliance
@REM with the License. You may obtain a copy of the License at
@REM
@REM http://www.apache.org/licenses/LICENSE-2.0
@REM
@REM Unless required by applicable law or agreed to in writing,
@REM software distributed under the License is distributed on an
@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
@REM KIND, either express or implied. See the License for the
@REM specific language governing permissions and limitations
@REM under the License.
@REM ----------------------------------------------------------------------------
@REM ----------------------------------------------------------------------------
@REM Apache Maven Wrapper startup batch script, version 3.1.1
@REM
@REM Required ENV vars:
@REM JAVA_HOME - location of a JDK home dir
@REM
@REM Optional ENV vars
@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a keystroke before ending
@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
@REM e.g. to debug Maven itself, use
@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files
@REM ----------------------------------------------------------------------------
@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on'
@echo off
@REM set title of command window
title %0
@REM enable echoing by setting MAVEN_BATCH_ECHO to 'on'
@if "%MAVEN_BATCH_ECHO%" == "on" echo %MAVEN_BATCH_ECHO%
@REM set %HOME% to equivalent of $HOME
if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%")
@REM Execute a user defined script before this one
if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre
@REM check for pre script, once with legacy .bat ending and once with .cmd ending
if exist "%USERPROFILE%\mavenrc_pre.bat" call "%USERPROFILE%\mavenrc_pre.bat" %*
if exist "%USERPROFILE%\mavenrc_pre.cmd" call "%USERPROFILE%\mavenrc_pre.cmd" %*
:skipRcPre
@setlocal
set ERROR_CODE=0
@REM To isolate internal variables from possible post scripts, we use another setlocal
@setlocal
@REM ==== START VALIDATION ====
if not "%JAVA_HOME%" == "" goto OkJHome
echo.
echo Error: JAVA_HOME not found in your environment. >&2
echo Please set the JAVA_HOME variable in your environment to match the >&2
echo location of your Java installation. >&2
echo.
goto error
:OkJHome
if exist "%JAVA_HOME%\bin\java.exe" goto init
echo.
echo Error: JAVA_HOME is set to an invalid directory. >&2
echo JAVA_HOME = "%JAVA_HOME%" >&2
echo Please set the JAVA_HOME variable in your environment to match the >&2
echo location of your Java installation. >&2
echo.
goto error
@REM ==== END VALIDATION ====
:init
@REM Find the project base dir, i.e. the directory that contains the folder ".mvn".
@REM Fallback to current working directory if not found.
set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR%
IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir
set EXEC_DIR=%CD%
set WDIR=%EXEC_DIR%
:findBaseDir
IF EXIST "%WDIR%"\.mvn goto baseDirFound
cd ..
IF "%WDIR%"=="%CD%" goto baseDirNotFound
set WDIR=%CD%
goto findBaseDir
:baseDirFound
set MAVEN_PROJECTBASEDIR=%WDIR%
cd "%EXEC_DIR%"
goto endDetectBaseDir
:baseDirNotFound
set MAVEN_PROJECTBASEDIR=%EXEC_DIR%
cd "%EXEC_DIR%"
:endDetectBaseDir
IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig
@setlocal EnableExtensions EnableDelayedExpansion
for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a
@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS%
:endReadAdditionalConfig
SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
set WRAPPER_URL="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.1/maven-wrapper-3.1.1.jar"
FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
IF "%%A"=="wrapperUrl" SET WRAPPER_URL=%%B
)
@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
@REM This allows using the maven wrapper in projects that prohibit checking in binary data.
if exist %WRAPPER_JAR% (
if "%MVNW_VERBOSE%" == "true" (
echo Found %WRAPPER_JAR%
)
) else (
if not "%MVNW_REPOURL%" == "" (
SET WRAPPER_URL="%MVNW_REPOURL%/org/apache/maven/wrapper/maven-wrapper/3.1.1/maven-wrapper-3.1.1.jar"
)
if "%MVNW_VERBOSE%" == "true" (
echo Couldn't find %WRAPPER_JAR%, downloading it ...
echo Downloading from: %WRAPPER_URL%
)
powershell -Command "&{"^
"$webclient = new-object System.Net.WebClient;"^
"if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^
"$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^
"}"^
"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%WRAPPER_URL%', '%WRAPPER_JAR%')"^
"}"
if "%MVNW_VERBOSE%" == "true" (
echo Finished downloading %WRAPPER_JAR%
)
)
@REM End of extension
@REM Provide a "standardized" way to retrieve the CLI args that will
@REM work with both Windows and non-Windows executions.
set MAVEN_CMD_LINE_ARGS=%*
%MAVEN_JAVA_EXE% ^
%JVM_CONFIG_MAVEN_PROPS% ^
%MAVEN_OPTS% ^
%MAVEN_DEBUG_OPTS% ^
-classpath %WRAPPER_JAR% ^
"-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" ^
%WRAPPER_LAUNCHER% %MAVEN_CONFIG% %*
if ERRORLEVEL 1 goto error
goto end
:error
set ERROR_CODE=1
:end
@endlocal & set ERROR_CODE=%ERROR_CODE%
if not "%MAVEN_SKIP_RC%"=="" goto skipRcPost
@REM check for post script, once with legacy .bat ending and once with .cmd ending
if exist "%USERPROFILE%\mavenrc_post.bat" call "%USERPROFILE%\mavenrc_post.bat"
if exist "%USERPROFILE%\mavenrc_post.cmd" call "%USERPROFILE%\mavenrc_post.cmd"
:skipRcPost
@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on'
if "%MAVEN_BATCH_PAUSE%"=="on" pause
if "%MAVEN_TERMINATE_CMD%"=="on" exit %ERROR_CODE%
cmd /C exit /B %ERROR_CODE%


@@ -1,3 +1,34 @@
## 0.5.5
### New Features
* Added support for merging two `PathGraph`s via disjoint union to allow results from multiple data flow computations in a single `path-problem` query.
### Major Analysis Improvements
* Removed low-confidence call edges to known neutral call targets from the call graph used in data flow analysis. This includes, for example, custom `List.contains` implementations when the best inferrable type at the call site is simply `List`.
* Added more sink and summary dataflow models for the following packages:
* `java.io`
* `java.lang`
* `java.sql`
* `javafx.scene.web`
* `org.apache.commons.compress.archivers.tar`
* `org.apache.http.client.utils`
* `org.codehaus.cargo.container.installer`
* The main data flow and taint tracking APIs have been changed. The old APIs
remain in place for now and translate to the new through a
backwards-compatible wrapper. If multiple configurations are in scope
simultaneously, then this may affect results slightly. The new API is quite
similar to the old, but makes use of a configuration module instead of a
configuration class.
### Minor Analysis Improvements
* Deleted the deprecated `getPath` and `getFolder` predicates from the `XmlFile` class.
* Deleted the deprecated `getRepresentedString` predicate from the `StringLiteral` class.
* Deleted the deprecated `ServletWriterSource` class.
* Deleted the deprecated `getGroupID`, `getArtefactID`, and `artefactMatches` predicates from the `MavenRepoJar` class.
## 0.5.4
### Minor Analysis Improvements


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added more dataflow models for frequently-used JDK APIs.


@@ -1,9 +0,0 @@
---
category: majorAnalysis
---
* The main data flow and taint tracking APIs have been changed. The old APIs
remain in place for now and translate to the new through a
backwards-compatible wrapper. If multiple configurations are in scope
simultaneously, then this may affect results slightly. The new API is quite
similar to the old, but makes use of a configuration module instead of a
configuration class.


@@ -1,7 +0,0 @@
---
category: minorAnalysis
---
* Deleted the deprecated `getPath` and `getFolder` predicates from the `XmlFile` class.
* Deleted the deprecated `getRepresentedString` predicate from the `StringLiteral` class.
* Deleted the deprecated `ServletWriterSource` class.
* Deleted the deprecated `getGroupID`, `getArtefactID`, and `artefactMatches` predicates from the `MavenRepoJar` class.


@@ -1,11 +0,0 @@
---
category: majorAnalysis
---
* Added more sink and summary dataflow models for the following packages:
* `java.io`
* `java.lang`
* `java.sql`
* `javafx.scene.web`
* `org.apache.commons.compress.archivers.tar`
* `org.apache.http.client.utils`
* `org.codehaus.cargo.container.installer`


@@ -1,4 +0,0 @@
---
category: feature
---
* Added support for merging two `PathGraph`s via disjoint union to allow results from multiple data flow computations in a single `path-problem` query.


@@ -1,4 +0,0 @@
---
category: majorAnalysis
---
* Removed low-confidence call edges to known neutral call targets from the call graph used in data flow analysis. This includes, for example, custom `List.contains` implementations when the best inferrable type at the call site is simply `List`.


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added a summary model for the `nativeSQL` method of the `java.sql.Connection` interface.


@@ -0,0 +1,6 @@
---
category: deprecated
---
* The recently introduced new data flow and taint tracking APIs have had a
number of module and predicate renamings. The old APIs remain in place for
now.


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added the extensible abstract class `JndiInjectionSanitizer`. Now this class can be extended to add more sanitizers to the `java/jndi-injection` query.


@@ -0,0 +1,30 @@
## 0.5.5
### New Features
* Added support for merging two `PathGraph`s via disjoint union to allow results from multiple data flow computations in a single `path-problem` query.
### Major Analysis Improvements
* Removed low-confidence call edges to known neutral call targets from the call graph used in data flow analysis. This includes, for example, custom `List.contains` implementations when the best inferrable type at the call site is simply `List`.
* Added more sink and summary dataflow models for the following packages:
* `java.io`
* `java.lang`
* `java.sql`
* `javafx.scene.web`
* `org.apache.commons.compress.archivers.tar`
* `org.apache.http.client.utils`
* `org.codehaus.cargo.container.installer`
* The main data flow and taint tracking APIs have been changed. The old APIs
remain in place for now and translate to the new through a
backwards-compatible wrapper. If multiple configurations are in scope
simultaneously, then this may affect results slightly. The new API is quite
similar to the old, but makes use of a configuration module instead of a
configuration class.
### Minor Analysis Improvements
* Deleted the deprecated `getPath` and `getFolder` predicates from the `XmlFile` class.
* Deleted the deprecated `getRepresentedString` predicate from the `StringLiteral` class.
* Deleted the deprecated `ServletWriterSource` class.
* Deleted the deprecated `getGroupID`, `getArtefactID`, and `artefactMatches` predicates from the `MavenRepoJar` class.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.5.4
lastReleaseVersion: 0.5.5


@@ -0,0 +1,16 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["java.awt", "Container", True, "add", "(Component)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["java.awt", "Container", True, "add", "(Component)", "", "Argument[0]", "ReturnValue", "value", "manual"]
- ["java.awt", "Container", True, "add", "(Component,Object)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
# The below APIs have numeric flow and are currently being stored as neutral models.
# These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
- ["java.awt", "Insets", "Insets", "(int,int,int,int)", "manual"] # value-numeric


@@ -69,6 +69,9 @@ extensions:
- ["java.io", "File", True, "getCanonicalFile", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.io", "File", True, "getCanonicalPath", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.io", "File", True, "getName", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.io", "File", True, "getParentFile", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.io", "File", True, "getPath", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.io", "File", True, "listFiles", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.io", "File", True, "toPath", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.io", "File", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.io", "File", True, "toURI", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
@@ -88,9 +91,28 @@ extensions:
- ["java.io", "OutputStream", True, "write", "(int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["java.io", "Reader", True, "read", "", "", "Argument[this]", "Argument[0]", "taint", "manual"]
- ["java.io", "StringReader", False, "StringReader", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["java.io", "StringWriter", False, "toString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.io", "UncheckedIOException", False, "UncheckedIOException", "(IOException)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.cause]", "value", "manual"]
- ["java.io", "Writer", True, "write", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
- ["java.io", "Closeable", "close", "()", "manual"]
- ["java.io", "DataOutput", "writeBoolean", "(boolean)", "manual"]
- ["java.io", "File", "delete", "()", "manual"]
- ["java.io", "File", "exists", "()", "manual"]
- ["java.io", "File", "isFile", "()", "manual"]
- ["java.io", "File", "length", "()", "manual"]
- ["java.io", "File", "isDirectory", "()", "manual"]
- ["java.io", "File", "mkdirs", "()", "manual"]
- ["java.io", "FileInputStream", "FileInputStream", "(File)", "manual"]
- ["java.io", "InputStream", "close", "()", "manual"]
- ["java.io", "OutputStream", "flush", "()", "manual"]
# The below APIs have numeric flow and are currently being stored as neutral models.
# These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
- ["java.io", "DataInput", "readInt", "()", "manual"] # taint-numeric
- ["java.io", "DataInput", "readLong", "()", "manual"] # taint-numeric
- ["java.io", "DataOutput", "writeInt", "(int)", "manual"] # taint-numeric
- ["java.io", "DataOutput", "writeLong", "(long)", "manual"] # taint-numeric
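Review bot: The new `neutralModel` rows for `java.io.File` are not kept in alphabetical order — `isFile`, `length`, `isDirectory` appear in that sequence, whereas the `summaryModel` rows above (`getCanonicalFile`, `getCanonicalPath`, `getName`, `getParentFile`, …) are sorted; reordering to `delete`, `exists`, `isDirectory`, `isFile`, `length`, `mkdirs` keeps the list diffable and makes duplicates easier to spot as it grows. The `FileInputStream(File)` neutral row asserts that nothing flows from the `File` argument into the stream; that is presumably intentional because path-based queries treat the constructor as a sink rather than a propagation step, but it is worth confirming against the path-injection sink models so a tainted `File` is not silently dropped. The two-line comment about numeric flow being stored as neutral models is repeated verbatim in the `java.awt` model file in this commit; if it states a policy, a single statement in the model documentation with a one-line pointer here (`# see model docs: numeric-flow APIs are neutral for now`) would be easier to keep consistent than per-file copies.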


@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
- ["java.lang.invoke", "MethodHandles", "lookup", "()", "manual"]


@@ -37,6 +37,8 @@ extensions:
- ["java.lang", "AbstractStringBuilder", True, "AbstractStringBuilder", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["java.lang", "AbstractStringBuilder", True, "append", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["java.lang", "AbstractStringBuilder", True, "append", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
# When `WithoutElement` is implemented for Java, `java.lang.AbstractStringBuilder#delete` might require a `taint` step of the form `Argument[this].WithoutElement -> Argument[this]` in addition to the below `value` step.
- ["java.lang", "AbstractStringBuilder", True, "delete", "(int,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["java.lang", "AbstractStringBuilder", True, "getChars", "", "", "Argument[this]", "Argument[2]", "taint", "manual"]
- ["java.lang", "AbstractStringBuilder", True, "insert", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["java.lang", "AbstractStringBuilder", True, "insert", "", "", "Argument[1]", "Argument[this]", "taint", "manual"]
@@ -48,16 +50,21 @@ extensions:
- ["java.lang", "AbstractStringBuilder", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.lang", "Appendable", True, "append", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["java.lang", "Appendable", True, "append", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["java.lang", "AssertionError", False, "AssertionError", "(Object)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
- ["java.lang", "CharSequence", True, "charAt", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.lang", "CharSequence", True, "subSequence", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.lang", "CharSequence", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.lang", "Class", False, "cast", "(Object)", "", "Argument[0]", "ReturnValue", "value", "manual"]
- ["java.lang", "Exception", False, "Exception", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
- ["java.lang", "Exception", False, "Exception", "(String,Throwable)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
- ["java.lang", "Exception", False, "Exception", "(String,Throwable)", "", "Argument[1]", "Argument[this].SyntheticField[java.lang.Throwable.cause]", "value", "manual"]
- ["java.lang", "IllegalArgumentException", False, "IllegalArgumentException", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
- ["java.lang", "IllegalStateException", False, "IllegalStateException", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
- ["java.lang", "IndexOutOfBoundsException", False, "IndexOutOfBoundsException", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
- ["java.lang", "Iterable", True, "forEach", "(Consumer)", "", "Argument[this].Element", "Argument[0].Parameter[0]", "value", "manual"]
- ["java.lang", "Iterable", True, "iterator", "()", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
- ["java.lang", "Iterable", True, "spliterator", "()", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
- ["java.lang", "NullPointerException", False, "NullPointerException", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
- ["java.lang", "Object", True, "clone", "", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
- ["java.lang", "Object", True, "clone", "", "", "Argument[this].MapKey", "ReturnValue.MapKey", "value", "manual"]
- ["java.lang", "Object", True, "clone", "", "", "Argument[this].MapValue", "ReturnValue.MapValue", "value", "manual"]
@@ -107,50 +114,105 @@ extensions:
- ["java.lang", "StringBuffer", True, "StringBuffer", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["java.lang", "StringBuilder", True, "StringBuilder", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["java.lang", "System", False, "arraycopy", "", "", "Argument[0]", "Argument[2]", "taint", "manual"]
- ["java.lang", "Thread", False, "Thread", "(Runnable)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["java.lang", "Thread", False, "Thread", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Thread.name]", "value", "manual"]
- ["java.lang", "Thread", True, "getName", "()", "", "Argument[this].SyntheticField[java.lang.Thread.name]", "ReturnValue", "value", "manual"]
- ["java.lang", "ThreadLocal", True, "get", "()", "", "Argument[this].SyntheticField[java.lang.ThreadLocal.value]", "ReturnValue", "value", "manual"]
- ["java.lang", "ThreadLocal", True, "set", "(Object)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.ThreadLocal.value]", "value", "manual"]
- ["java.lang", "Throwable", False, "Throwable", "(Throwable)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.cause]", "value", "manual"]
- ["java.lang", "Throwable", False, "Throwable", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
- ["java.lang", "Throwable", True, "getCause", "()", "", "Argument[this].SyntheticField[java.lang.Throwable.cause]", "ReturnValue", "value", "manual"]
- ["java.lang", "Throwable", True, "getMessage", "()", "", "Argument[this].SyntheticField[java.lang.Throwable.message]", "ReturnValue", "value", "manual"]
- ["java.lang", "Throwable", True, "getLocalizedMessage", "()", "", "Argument[this].SyntheticField[java.lang.Throwable.message]", "ReturnValue", "value", "manual"]
- ["java.lang", "Throwable", True, "toString", "()", "", "Argument[this].SyntheticField[java.lang.Throwable.message]", "ReturnValue", "taint", "manual"]
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
- ["java.lang", "AbstractStringBuilder", "length", "()", "manual"]
- ["java.lang", "AbstractStringBuilder", "setCharAt", "(int,char)", "manual"]
- ["java.lang", "AbstractStringBuilder", "setLength", "(int)", "manual"]
- ["java.lang", "Boolean", "booleanValue", "()", "manual"]
- ["java.lang", "Boolean", "equals", "(Object)", "manual"]
- ["java.lang", "Boolean", "parseBoolean", "(String)", "manual"]
- ["java.lang", "Boolean", "valueOf", "(boolean)", "manual"]
- ["java.lang", "CharSequence", "length", "()", "manual"]
- ["java.lang", "Class", "forName", "(String)", "manual"]
- ["java.lang", "Class", "getCanonicalName", "()", "manual"]
- ["java.lang", "Class", "getClassLoader", "()", "manual"]
- ["java.lang", "Class", "getDeclaredConstructor", "(Class[])", "manual"] # This model may be changed to a taint step for an unsafe reflection query in the future.
- ["java.lang", "Class", "getDeclaredField", "(String)", "manual"] # This model may be changed to a taint step for an unsafe reflection query in the future.
- ["java.lang", "Class", "getMethod", "(String,Class[])", "manual"] # This model may be changed to a taint step for an unsafe reflection query in the future.
- ["java.lang", "Class", "getName", "()", "manual"]
- ["java.lang", "Class", "getResource", "(String)", "manual"]
- ["java.lang", "Class", "getResourceAsStream", "(String)", "manual"]
- ["java.lang", "Class", "getSimpleName", "()", "manual"]
- ["java.lang", "Class", "isAssignableFrom", "(Class)", "manual"]
- ["java.lang", "Class", "isInstance", "(Object)", "manual"]
- ["java.lang", "Class", "toString", "()", "manual"]
- ["java.lang", "ClassLoader", "getResource", "(String)", "manual"]
- ["java.lang", "ClassLoader", "getResourceAsStream", "(String)", "manual"]
- ["java.lang", "Enum", "Enum", "(String,int)", "manual"]
- ["java.lang", "Enum", "equals", "(Object)", "manual"]
- ["java.lang", "Enum", "hashCode", "()", "manual"]
- ["java.lang", "Enum", "name", "()", "manual"]
- ["java.lang", "Enum", "ordinal", "()", "manual"]
- ["java.lang", "Enum", "toString", "()", "manual"]
- ["java.lang", "Integer", "equals", "(Object)", "manual"]
- ["java.lang", "Long", "equals", "(Object)", "manual"]
- ["java.lang", "Object", "equals", "(Object)", "manual"]
- ["java.lang", "Object", "getClass", "()", "manual"]
- ["java.lang", "Object", "hashCode", "()", "manual"]
- ["java.lang", "Object", "toString", "()", "manual"]
- ["java.lang", "Runnable", "run", "()", "manual"]
- ["java.lang", "Runtime", "getRuntime", "()", "manual"]
- ["java.lang", "String", "compareTo", "(String)", "manual"]
- ["java.lang", "String", "contains", "(CharSequence)", "manual"]
- ["java.lang", "String", "endsWith", "(String)", "manual"]
- ["java.lang", "String", "equals", "(Object)", "manual"]
- ["java.lang", "String", "equalsIgnoreCase", "(String)", "manual"]
- ["java.lang", "String", "hashCode", "()", "manual"]
- ["java.lang", "String", "indexOf", "(int)", "manual"]
- ["java.lang", "String", "indexOf", "(String)", "manual"]
- ["java.lang", "String", "isEmpty", "()", "manual"]
- ["java.lang", "String", "lastIndexOf", "(int)", "manual"]
- ["java.lang", "String", "lastIndexOf", "(String)", "manual"]
- ["java.lang", "String", "length", "()", "manual"]
- ["java.lang", "String", "startsWith", "(String)", "manual"]
- ["java.lang", "String", "valueOf", "(boolean)", "manual"]
- ["java.lang", "System", "currentTimeMillis", "()", "manual"]
- ["java.lang", "System", "exit", "(int)", "manual"]
- ["java.lang", "System", "getenv", "(String)", "manual"]
- ["java.lang", "System", "identityHashCode", "(Object)", "manual"]
- ["java.lang", "System", "lineSeparator", "()", "manual"]
- ["java.lang", "System", "nanoTime", "()", "manual"]
- ["java.lang", "Thread", "currentThread", "()", "manual"]
- ["java.lang", "Thread", "getContextClassLoader", "()", "manual"]
- ["java.lang", "Thread", "interrupt", "()", "manual"]
- ["java.lang", "Thread", "sleep", "(long)", "manual"]
- ["java.lang", "Thread", "start", "()", "manual"]
# The below APIs have numeric flow and are currently being stored as neutral models.
# These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
- ["java.lang", "Integer", "intValue", "()", "manual"] # taint-numeric
- ["java.lang", "Integer", "parseInt", "(String)", "manual"] # taint-numeric
- ["java.lang", "Integer", "toString", "(int)", "manual"] # taint-numeric
- ["java.lang", "Integer", "valueOf", "(int)", "manual"] # taint-numeric
- ["java.lang", "Long", "longValue", "()", "manual"] # taint-numeric
- ["java.lang", "Long", "parseLong", "(String)", "manual"] # taint-numeric
- ["java.lang", "Long", "toString", "()", "manual"] # taint-numeric
- ["java.lang", "Math", "min", "(int,int)", "manual"] # value-numeric
- ["java.lang", "String", "valueOf", "(int)", "manual"] # taint-numeric
- ["java.lang", "String", "valueOf", "(long)", "manual"] # taint-numeric
- ["java.lang", "Double", "doubleToLongBits", "(double)", "manual"] # taint-numeric
- ["java.lang", "Double", "parseDouble", "(String)", "manual"] # taint-numeric
- ["java.lang", "Double", "valueOf", "(double)", "manual"] # taint-numeric
- ["java.lang", "Integer", "Integer", "(int)", "manual"] # taint-numeric
- ["java.lang", "Integer", "intValue", "()", "manual"] # taint-numeric
- ["java.lang", "Integer", "parseInt", "(String)", "manual"] # taint-numeric
- ["java.lang", "Integer", "toHexString", "(int)", "manual"] # taint-numeric
- ["java.lang", "Integer", "toString", "", "manual"] # taint-numeric
- ["java.lang", "Integer", "valueOf", "", "manual"] # taint-numeric
- ["java.lang", "Long", "Long", "(long)", "manual"] # taint-numeric
- ["java.lang", "Long", "intValue", "()", "manual"] # taint-numeric
- ["java.lang", "Long", "longValue", "()", "manual"] # taint-numeric
- ["java.lang", "Long", "parseLong", "(String)", "manual"] # taint-numeric
- ["java.lang", "Long", "toString", "", "manual"] # taint-numeric
- ["java.lang", "Long", "valueOf", "", "manual"] # taint-numeric
- ["java.lang", "Math", "max", "", "manual"] # value-numeric
- ["java.lang", "Math", "min", "", "manual"] # value-numeric
- ["java.lang", "Number", "doubleValue", "()", "manual"] # taint-numeric
- ["java.lang", "Number", "intValue", "()", "manual"] # taint-numeric
- ["java.lang", "Number", "longValue", "()", "manual"] # taint-numeric
- ["java.lang", "String", "valueOf", "(int)", "manual"] # taint-numeric
- ["java.lang", "String", "valueOf", "(long)", "manual"] # taint-numeric


@@ -0,0 +1,10 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
# The below models may be changed to taint steps for an unsafe reflection query in the future.
- ["java.lang.reflect", "Constructor", "newInstance", "(Object[])", "manual"]
- ["java.lang.reflect", "Field", "get", "(Object)", "manual"]
- ["java.lang.reflect", "Method", "getName", "()", "manual"]
- ["java.lang.reflect", "Method", "invoke", "(Object,Object[])", "manual"]
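Review bot: The neutral rows for `Field.get(Object)` and `Method.invoke(Object,Object[])` at the end of this new file record that these callables have no flow summary, so a tainted target object or argument array does not propagate to the returned value; that is a deliberate false-negative trade-off for any query tracking data through reflective calls, not merely a placeholder. The comment on the `data:` line only says the models "may be changed" later; it should also state the present effect so the next triage recognises the suppression as intentional, e.g. `# Neutral for now: flow from the target object/arguments of Field.get and Method.invoke to the result is deliberately not modelled until an unsafe-reflection query defines the steps.`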


@@ -7,6 +7,16 @@ extensions:
# The below APIs have numeric flow and are currently being stored as neutral models.
# These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
- ["java.math", "BigDecimal", "BigDecimal", "(String)", "manual"] # taint-numeric
- ["java.math", "BigDecimal", "valueOf", "(double)", "manual"] # taint-numeric
- ["java.math", "BigDecimal", "valueOf", "(long)", "manual"] # taint-numeric
- ["java.math", "BigDecimal", "BigDecimal", "", "manual"] # taint-numeric
- ["java.math", "BigDecimal", "add", "(BigDecimal)", "manual"] # taint-numeric
- ["java.math", "BigDecimal", "doubleValue", "()", "manual"] # taint-numeric
- ["java.math", "BigDecimal", "intValue", "()", "manual"] # taint-numeric
- ["java.math", "BigDecimal", "multiply", "(BigDecimal)", "manual"] # taint-numeric
- ["java.math", "BigDecimal", "setScale", "(int,RoundingMode)", "manual"] # taint-numeric
- ["java.math", "BigDecimal", "subtract", "(BigDecimal)", "manual"] # taint-numeric
- ["java.math", "BigDecimal", "toBigInteger", "()", "manual"] # taint-numeric
- ["java.math", "BigDecimal", "toString", "()", "manual"] # taint-numeric
- ["java.math", "BigDecimal", "valueOf", "", "manual"] # taint-numeric
- ["java.math", "BigInteger", "BigInteger", "(String)", "manual"] # taint-numeric
- ["java.math", "BigInteger", "or", "(BigInteger)", "manual"] # taint-numeric
- ["java.math", "BigInteger", "valueOf", "(long)", "manual"] # taint-numeric
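Review bot: The rows with explicit signatures, `BigDecimal.BigDecimal(String)`, `valueOf(double)` and `valueOf(long)`, sit beside wildcard-signature rows for the same methods (`BigDecimal ""` and `valueOf ""`), and an empty signature already matches every overload; the rendered page has lost the +/- column, so if the explicit rows survive on the new side they are redundant and should be dropped, and if they are the removed side nothing is wrong. Either way the block should not end up carrying both forms for one method, since a later triage will not know which one is authoritative.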


@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
- ["java.nio.charset", "Charset", "name", "()", "manual"]


@@ -43,6 +43,7 @@ extensions:
- ["java.nio.file", "FileSystem", True, "getPath", "(String,String[])", "", "Argument[1]", "ReturnValue", "taint", "ai-generated"]
- ["java.nio.file", "FileSystem", True, "getPathMatcher", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
- ["java.nio.file", "FileSystem", True, "getRootDirectories", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "Path", True, "getFileName", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "Path", True, "getParent", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "Path", True, "normalize", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "Path", True, "of", "(String,String[])", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
@@ -61,3 +62,9 @@ extensions:
# - ["java.nio.file", "Files", True, "walkFileTree", "(Path,FileVisitor)", "", "Argument[0]", "Argument[1].Method[preVisitDirectory(Path,BasicFileAttributes)].Parameter[0]", "taint", "ai-generated"]
# - ["java.nio.file", "Files", True, "walkFileTree", "(Path,FileVisitor)", "", "Argument[0]" "Argument[1].Method[visitFile(Path,BasicFileAttributes)].Parameter[0]", "taint", "ai-generated"]
# - ["java.nio.file", "Files", True, "walkFileTree", "(Path,FileVisitor)", "", "Argument[0]", "Argument[1].Method[visitFileFailed(Path,IOException)].Parameter[0]", "taint", "ai-generated"]
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
- ["java.nio.file", "Files", "exists", "(Path,LinkOption[])", "manual"]
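Review bot: The summary `["java.nio.file", "FileSystem", True, "getRootDirectories", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]` on the new side of the first hunk reads taint from `Argument[0]`, but `FileSystem.getRootDirectories()` takes no parameters in the JDK, so this row can never match a call and is dead. If the intent is that root paths inherit the taint of the file system they came from, the input should be `Argument[this]` and, since the method returns an `Iterable<Path>`, the output presumably `ReturnValue.Element`; if nothing should flow, the row belongs in the neutral block added by the second hunk. As far as I can see, the access-path validation touched elsewhere in this commit checks token syntax rather than whether an argument index exists, so it would not flag this.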


@@ -6,3 +6,11 @@ extensions:
- ["java.nio", "ByteBuffer", False, "array", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.nio", "ByteBuffer", False, "get", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.nio", "ByteBuffer", False, "wrap", "(byte[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
- ["java.nio", "Buffer", "position", "()", "manual"]
- ["java.nio", "Buffer", "remaining", "()", "manual"]
- ["java.nio", "ByteBuffer", "allocate", "(int)", "manual"]
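Review bot: The `ByteBuffer.get` summary with an empty signature (a context row at the top of this hunk, so possibly pre-existing) also matches the bulk overloads `get(byte[])` and `get(byte[],int,int)`, whose data lands in the destination array rather than in the return value, and no row carries `Argument[this]` into `Argument[0]`; bytes copied out of a tainted buffer into a caller-supplied array therefore lose their taint. Adding `- ["java.nio", "ByteBuffer", False, "get", "(byte[])", "", "Argument[this]", "Argument[0]", "taint", "manual"]` (and the same for the three-argument overload) closes that gap; the neutral rows added here for `position`, `remaining` and `allocate` look right as they are.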


@@ -20,14 +20,28 @@ extensions:
pack: codeql/java-all
extensible: summaryModel
data:
- ["java.sql", "Connection", True, "nativeSQL", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["java.sql", "PreparedStatement", True, "setString", "(int,String)", "", "Argument[1]", "Argument[this]", "value", "manual"]
- ["java.sql", "ResultSet", True, "getString", "(String)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
- ["java.sql", "Connection", "createStatement", "()", "manual"]
- ["java.sql", "PreparedStatement", "executeUpdate", "()", "manual"]
- ["java.sql", "PreparedStatement", "executeQuery", "()", "manual"]
- ["java.sql", "ResultSet", "next", "()", "manual"]
- ["java.sql", "Statement", "close", "()", "manual"]
# The below APIs have numeric flow and are currently being stored as neutral models.
# These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
- ["java.sql", "PreparedStatement", "setInt", "(int,int)", "manual"] # value-numeric
- ["java.sql", "ResultSet", "getInt", "(String)", "manual"] # taint-numeric
- ["java.sql", "PreparedStatement", "setInt", "(int,int)", "manual"] # value-numeric
- ["java.sql", "PreparedStatement", "setLong", "(int,long)", "manual"] # value-numeric
- ["java.sql", "ResultSet", "getInt", "(int)", "manual"] # taint-numeric
- ["java.sql", "ResultSet", "getInt", "(String)", "manual"] # taint-numeric
- ["java.sql", "ResultSet", "getLong", "(String)", "manual"] # taint-numeric
- ["java.sql", "ResultSet", "getString", "(int)", "manual"] # taint-numeric, potentially interesting for second order SQL injection
- ["java.sql", "ResultSet", "getTimestamp", "(String)", "manual"] # taint-numeric
- ["java.sql", "Timestamp", "Timestamp", "(long)", "manual"] # taint-numeric
- ["java.sql", "Timestamp", "getTime", "()", "manual"] # taint-numeric
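Review bot: `ResultSet.getString(int)` is filed as neutral with the tag `# taint-numeric`, yet it returns a `String`, and the summary block at the top of the hunk already gives `ResultSet.getString(String)` an `Argument[this] -> ReturnValue` taint step; the two overloads should agree, because the second-order SQL injection concern named in the row's own comment needs values read from a result set to stay tainted whether the column is addressed by index or by name. The simplest fix is to widen the summary to `- ["java.sql", "ResultSet", True, "getString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]` and drop the neutral row. Separately, `PreparedStatement.setInt(int,int)` and `ResultSet.getInt(String)` each appear twice in the neutral block; the hunk header (14 to 28 lines, 28 rendered) suggests no rows were deleted, so both copies appear to be on the new side and one of each should go.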


@@ -6,4 +6,5 @@ extensions:
# The below APIs have numeric flow and are currently being stored as neutral models.
# These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
- ["java.text", "DateFormat", "format", "(Date)", "manual"] # taint-numeric
- ["java.text", "DateFormat", "parse", "(String)", "manual"] # taint-numeric
- ["java.text", "SimpleDateFormat", "SimpleDateFormat", "(String)", "manual"] # taint-numeric
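Review bot: The added `SimpleDateFormat(String)` neutral row, together with the context `DateFormat.format(Date)` row above it, cuts a text channel rather than a numeric one: a `SimpleDateFormat` pattern may contain quoted literal text (`'...'`) that `format` copies verbatim into its output, so a pattern under attacker control can inject arbitrary text into the formatted string. If tainted patterns are in scope for this triage, model the constructor as an `Argument[0] -> Argument[this]` taint summary and `format` as `Argument[this] -> ReturnValue` taint; otherwise replace the `# taint-numeric` tag with a short comment saying the literal-text channel was considered and deliberately left unmodelled.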


@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
- ["java.time.chrono", "ChronoZonedDateTime", "toInstant", "()", "manual"]


@@ -0,0 +1,7 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
- ["java.time.format", "DateTimeFormatter", "format", "(TemporalAccessor)", "manual"]
- ["java.time.format", "DateTimeFormatter", "ofPattern", "(String)", "manual"]
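Review bot: Filing `DateTimeFormatter.ofPattern(String)` and `format(TemporalAccessor)` as neutral drops a real text flow: a pattern may contain quoted literal text (`'...'`), which `format` copies verbatim into its result, so a formatter built from an attacker-controlled pattern can emit arbitrary text that now never reaches a sink. If tainted patterns are in scope, these should be summaries instead, `- ["java.time.format", "DateTimeFormatter", False, "ofPattern", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]` and `- ["java.time.format", "DateTimeFormatter", False, "format", "(TemporalAccessor)", "", "Argument[this]", "ReturnValue", "taint", "manual"]`; otherwise a one-line comment recording that the pattern-literal channel was rejected would stop the next triage from re-opening it.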


@@ -4,8 +4,22 @@ extensions:
extensible: neutralModel
data:
- ["java.time", "Instant", "now", "()", "manual"]
- ["java.time", "LocalDate", "now", "()", "manual"]
- ["java.time", "LocalDateTime", "now", "()", "manual"]
- ["java.time", "ZonedDateTime", "now", "()", "manual"]
- ["java.time", "ZoneId", "of", "(String)", "manual"]
- ["java.time", "ZoneId", "systemDefault", "()", "manual"]
# The below APIs have numeric flow and are currently being stored as neutral models.
# These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
- ["java.time", "LocalDate", "of", "(int,int,int)", "manual"] # taint-numeric
- ["java.time", "Duration", "ofMillis", "(long)", "manual"] # taint-numeric
- ["java.time", "Duration", "ofMinutes", "(long)", "manual"] # taint-numeric
- ["java.time", "Duration", "ofSeconds", "(long)", "manual"] # taint-numeric
- ["java.time", "Duration", "toMillis", "()", "manual"] # taint-numeric
- ["java.time", "Instant", "ofEpochMilli", "(long)", "manual"] # taint-numeric
- ["java.time", "Instant", "parse", "(CharSequence)", "manual"] # taint-numeric
- ["java.time", "Instant", "toEpochMilli", "()", "manual"] # taint-numeric
- ["java.time", "LocalDate", "plusDays", "(long)", "manual"] # taint-numeric
- ["java.time", "LocalDate", "of", "(int,int,int)", "manual"] # taint-numeric
- ["java.time", "LocalDate", "parse", "(CharSequence)", "manual"] # taint-numeric
- ["java.time", "LocalDateTime", "of", "(int,int,int,int,int,int)", "manual"] # taint-numeric
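Review bot: `LocalDate.of(int,int,int)` appears twice in the numeric-flow list, once directly after the comment and again after `LocalDate.plusDays`; the hunk header (8 to 22 lines, 22 rendered) suggests no rows were deleted, so both copies appear to be on the new side. One should be dropped, keeping the list in the sorted order the rest of the block follows so duplicates are easier to spot next time.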


@@ -5,12 +5,23 @@ extensions:
data:
- ["java.util.concurrent.atomic", "AtomicReference", False, "AtomicReference", "(Object)", "", "Argument[0]", "Argument[this].SyntheticField[java.util.concurrent.atomic.AtomicReference.value]", "value", "manual"]
- ["java.util.concurrent.atomic", "AtomicReference", False, "get", "()", "", "Argument[this].SyntheticField[java.util.concurrent.atomic.AtomicReference.value]", "ReturnValue", "value", "manual"]
- ["java.util.concurrent.atomic", "AtomicReference", False, "set", "(Object)", "", "Argument[0]", "Argument[this].SyntheticField[java.util.concurrent.atomic.AtomicReference.value]", "value", "manual"]
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
- ["java.util.concurrent.atomic", "AtomicBoolean", "AtomicBoolean", "(boolean)", "manual"]
- ["java.util.concurrent.atomic", "AtomicBoolean", "compareAndSet", "(boolean,boolean)", "manual"]
- ["java.util.concurrent.atomic", "AtomicBoolean", "get", "()", "manual"]
- ["java.util.concurrent.atomic", "AtomicBoolean", "set", "(boolean)", "manual"]
# The below APIs have numeric flow and are currently being stored as neutral models.
# These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
- ["java.util.concurrent.atomic", "AtomicInteger", "AtomicInteger", "(int)", "manual"] # value-numeric
- ["java.util.concurrent.atomic", "AtomicInteger", "get", "()", "manual"] # value-numeric
- ["java.util.concurrent.atomic", "AtomicInteger", "incrementAndGet", "()", "manual"] # taint-numeric
- ["java.util.concurrent.atomic", "AtomicLong", "AtomicLong", "(long)", "manual"] # value-numeric
- ["java.util.concurrent.atomic", "AtomicLong", "addAndGet", "(long)", "manual"] # taint-numeric
- ["java.util.concurrent.atomic", "AtomicLong", "get", "()", "manual"] # value-numeric
- ["java.util.concurrent.atomic", "AtomicLong", "incrementAndGet", "()", "manual"] # taint-numeric


@@ -0,0 +1,7 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
- ["java.util.concurrent.locks", "Lock", "lock", "()", "manual"]
- ["java.util.concurrent.locks", "Lock", "unlock", "()", "manual"]


@@ -17,7 +17,13 @@ extensions:
- ["java.util.concurrent", "BlockingQueue", True, "poll", "(long,TimeUnit)", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
- ["java.util.concurrent", "BlockingQueue", True, "put", "(Object)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["java.util.concurrent", "BlockingQueue", True, "take", "()", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
- ["java.util.concurrent", "CompletableFuture", False, "complete", "(Object)", "", "Argument[0]", "Argument[this].SyntheticField[java.util.concurrent.Future.value]", "value", "manual"]
- ["java.util.concurrent", "CompletableFuture", False, "completedFuture", "(Object)", "", "Argument[0]", "ReturnValue.SyntheticField[java.util.concurrent.Future.value]", "value", "manual"]
- ["java.util.concurrent", "CompletableFuture", False, "join", "()", "", "Argument[this].SyntheticField[java.util.concurrent.Future.value]", "ReturnValue", "value", "manual"]
- ["java.util.concurrent", "CompletionStage", False, "toCompletableFuture", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.util.concurrent", "ConcurrentHashMap", True, "elements", "()", "", "Argument[this].MapValue", "ReturnValue.Element", "value", "manual"]
- ["java.util.concurrent", "ExecutorService", True, "submit", "(Runnable)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["java.util.concurrent", "Future", True, "get", "()", "", "Argument[this].SyntheticField[java.util.concurrent.Future.value]", "ReturnValue", "value", "manual"]
- ["java.util.concurrent", "TransferQueue", True, "transfer", "(Object)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["java.util.concurrent", "TransferQueue", True, "tryTransfer", "(Object)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["java.util.concurrent", "TransferQueue", True, "tryTransfer", "(Object,long,TimeUnit)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
@@ -26,9 +32,15 @@ extensions:
pack: codeql/java-all
extensible: neutralModel
data:
- ["java.util.concurrent", "CompletableFuture", "completeExceptionally", "(Throwable)", "manual"]
- ["java.util.concurrent", "CompletableFuture", "isDone", "()", "manual"]
- ["java.util.concurrent", "CountDownLatch", "await", "", "manual"]
- ["java.util.concurrent", "CountDownLatch", "countDown", "()", "manual"]
- ["java.util.concurrent", "Executor", "execute", "(Runnable)", "manual"]
- ["java.util.concurrent", "ExecutorService", "shutdown", "()", "manual"]
# The below APIs have numeric flow and are currently being stored as neutral models.
# These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
- ["java.util.concurrent", "CountDownLatch", "CountDownLatch", "(int)", "manual"] # value-numeric
- ["java.util.concurrent", "CountDownLatch", "getCount", "()", "manual"] # value-numeric
- ["java.util.concurrent", "TimeUnit", "toMillis", "(long)", "manual"] # taint-numeric


@@ -4,3 +4,9 @@ extensions:
extensible: sinkModel
data:
- ["java.util.function", "Predicate", False, "test", "(Object)", "", "Argument[this]", "regex-use[0]", "manual"]
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
- ["java.util.function", "Function", "identity", "()", "manual"]


@@ -41,4 +41,12 @@ extensions:
pack: codeql/java-all
extensible: summaryModel
data:
- ["java.util.logging", "Logger", False, "getLogger", "(String)", "", "Argument[0]", "ReturnValue.SyntheticField[java.util.logging.Logger.name]", "value", "manual"]
- ["java.util.logging", "Logger", False, "getName", "()", "", "Argument[this].SyntheticField[java.util.logging.Logger.name]", "ReturnValue", "value", "manual"]
- ["java.util.logging", "LogRecord", False, "LogRecord", "", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
- ["java.util.logging", "Logger", "isLoggable", "(Level)", "manual"]


@@ -124,6 +124,8 @@ extensions:
- ["java.util", "EnumMap", False, "EnumMap", "(Map)", "", "Argument[0].MapValue", "Argument[this].MapValue", "value", "manual"]
- ["java.util", "Enumeration", True, "asIterator", "", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
- ["java.util", "Enumeration", True, "nextElement", "", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
- ["java.util", "EventObject", False, "EventObject", "(Object)", "", "Argument[0]", "Argument[this].Field[java.util.EventObject.source]", "value", "manual"]
- ["java.util", "EventObject", True, "getSource", "()", "", "Argument[this].Field[java.util.EventObject.source]", "ReturnValue", "value", "manual"]
- ["java.util", "HashMap", False, "HashMap", "(Map)", "", "Argument[0].MapKey", "Argument[this].MapKey", "value", "manual"]
- ["java.util", "HashMap", False, "HashMap", "(Map)", "", "Argument[0].MapValue", "Argument[this].MapValue", "value", "manual"]
- ["java.util", "HashSet", False, "HashSet", "(Collection)", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]
@@ -290,6 +292,7 @@ extensions:
- ["java.util", "Queue", True, "peek", "()", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
- ["java.util", "Queue", True, "poll", "()", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
- ["java.util", "Queue", True, "remove", "()", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
- ["java.util", "ResourceBundle", True, "getString", "(String)", "", "Argument[this].MapValue", "ReturnValue", "value", "manual"]
- ["java.util", "Scanner", True, "Scanner", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["java.util", "Scanner", True, "findInLine", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.util", "Scanner", True, "findWithinHorizon", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
@@ -363,36 +366,74 @@ extensions:
extensible: neutralModel
data:
- ["java.util", "ArrayList", "ArrayList", "(int)", "manual"]
- ["java.util", "ArrayList", "isEmpty", "()", "manual"]
- ["java.util", "ArrayList", "size", "()", "manual"]
- ["java.util", "Arrays", "toString", "(Object[])", "manual"]
- ["java.util", "Calendar", "getInstance", "()", "manual"]
- ["java.util", "Collection", "contains", "(Object)", "manual"]
- ["java.util", "Collection", "isEmpty", "()", "manual"]
- ["java.util", "Collection", "size", "()", "manual"]
- ["java.util", "Collections", "emptyList", "()", "manual"]
- ["java.util", "Collections", "emptyMap", "()", "manual"]
- ["java.util", "Collections", "emptySet", "()", "manual"]
- ["java.util", "Collections", "sort", "", "manual"]
- ["java.util", "Enumeration", "hasMoreElements", "()", "manual"]
- ["java.util", "HashMap", "containsKey", "(Object)", "manual"]
- ["java.util", "HashMap", "HashMap", "(int)", "manual"]
- ["java.util", "HashMap", "size", "()", "manual"]
- ["java.util", "HashSet", "HashSet", "(int)", "manual"]
- ["java.util", "Iterator", "hasNext", "()", "manual"]
- ["java.util", "List", "contains", "(Object)", "manual"]
- ["java.util", "List", "equals", "(Object)", "manual"]
- ["java.util", "List", "hashCode", "()", "manual"]
- ["java.util", "List", "indexOf", "(Object)", "manual"]
- ["java.util", "List", "isEmpty", "()", "manual"]
- ["java.util", "List", "of", "()", "manual"]
- ["java.util", "List", "sort", "(Comparator)", "manual"]
- ["java.util", "List", "size", "()", "manual"]
- ["java.util", "Locale", "forLanguageTag", "(String)", "manual"]
- ["java.util", "Map", "containsKey", "(Object)", "manual"]
- ["java.util", "Map", "isEmpty", "()", "manual"]
- ["java.util", "Map", "size", "()", "manual"]
- ["java.util", "Objects", "equals", "(Object,Object)", "manual"]
- ["java.util", "Objects", "hash", "(Object[])", "manual"]
- ["java.util", "Objects", "hashCode", "(Object)", "manual"]
- ["java.util", "Objects", "isNull", "(Object)", "manual"]
- ["java.util", "Objects", "nonNull", "(Object)", "manual"]
- ["java.util", "Optional", "empty", "()", "manual"]
- ["java.util", "Optional", "isEmpty", "()", "manual"]
- ["java.util", "Optional", "isPresent", "()", "manual"]
- ["java.util", "Random", "nextInt", "(int)", "manual"]
- ["java.util", "Set", "contains", "(Object)", "manual"]
- ["java.util", "Set", "isEmpty", "()", "manual"]
- ["java.util", "Set", "size", "()", "manual"]
- ["java.util", "UUID", "equals", "(Object)", "manual"]
- ["java.util", "UUID", "fromString", "(String)", "manual"]
- ["java.util", "UUID", "randomUUID", "()", "manual"]
- ["java.util", "UUID", "toString", "()", "manual"]
- ["java.util", "TimeZone", "getTimeZone", "(String)", "manual"]
- ["java.util", "Vector", "size", "()", "manual"]
# The below APIs are currently being stored as neutral models since `WithoutElement` has not yet been implemented for Java.
# When `WithoutElement` is implemented, these should be changed to summary models of the form `Argument[this].WithoutElement -> Argument[this]`.
- ["java.util", "Collection", "removeIf", "(Predicate)", "manual"]
- ["java.util", "Iterator", "remove", "()", "manual"]
- ["java.util", "List", "clear", "()", "manual"]
- ["java.util", "List", "remove", "(Object)", "manual"]
- ["java.util", "Map", "clear", "()", "manual"]
- ["java.util", "Set", "clear", "()", "manual"]
- ["java.util", "Set", "remove", "(Object)", "manual"]
- ["java.util", "Set", "removeAll", "(Collection)", "manual"]
# The below APIs have numeric flow and are currently being stored as neutral models.
# These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
- ["java.util", "Date", "Date", "(long)", "manual"] # taint-numeric
- ["java.util", "Date", "getTime", "()", "manual"] # taint-numeric
- ["java.util", "Calendar", "add", "(int,int)", "manual"] # taint-numeric
- ["java.util", "Calendar", "get", "(int)", "manual"] # value-numeric
- ["java.util", "Calendar", "getTime", "()", "manual"] # taint-numeric
- ["java.util", "Calendar", "getTimeInMillis", "()", "manual"] # taint-numeric
- ["java.util", "Calendar", "set", "(int,int)", "manual"] # value-numeric
- ["java.util", "Calendar", "setTime", "(Date)", "manual"] # taint-numeric
- ["java.util", "Date", "Date", "(long)", "manual"] # taint-numeric
- ["java.util", "Date", "getTime", "()", "manual"] # taint-numeric
- ["java.util", "Date", "from", "(Instant)", "manual"] # taint-numeric
- ["java.util", "Date", "toInstant", "()", "manual"] # taint-numeric
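Review bot: `Arrays.toString(Object[])` is listed as neutral near the top of the last hunk, yet its result is a string built from the elements of the argument, so a tainted array passed through it loses its taint on the way to any string sink (log line, HTML, error message); unless that loss is intentional, this belongs in the summary block as `- ["java.util", "Arrays", False, "toString", "(Object[])", "", "Argument[0].Element", "ReturnValue", "taint", "manual"]`. Also, `Date.Date(long)` and `Date.getTime()` each occur twice in the numeric-flow list at the end of the hunk; the header (36 to 74 lines, 74 rendered) indicates no deletions, so both copies appear to be on the new side and one pair should be removed.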


@@ -21,6 +21,13 @@ extensions:
- ["java.util.regex", "Matcher", False, "replaceAll", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["java.util.regex", "Matcher", False, "replaceFirst", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.util.regex", "Matcher", False, "replaceFirst", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["java.util.regex", "Pattern", False, "compile", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["java.util.regex", "Pattern", False, "matcher", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["java.util.regex", "Pattern", False, "quote", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["java.util.regex", "Pattern", False, "split", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
- ["java.util.regex", "Matcher", "find", "()", "manual"]


@@ -94,3 +94,9 @@ extensions:
data:
- ["java.util.stream", "Collectors", "toList", "()", "manual"]
- ["java.util.stream", "Collectors", "toSet", "()", "manual"]
- ["java.util.stream", "Stream", "count", "()", "manual"]
# The below APIs have numeric flow and are currently being stored as neutral models.
# These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
- ["java.util.stream", "IntStream", "mapToObj", "(IntFunction)", "manual"] # taint-numeric
- ["java.util.stream", "IntStream", "range", "(int,int)", "manual"] # taint-numeric
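Review bot: `IntStream.mapToObj(IntFunction)` is tagged `# taint-numeric` and filed as neutral, but its output is not numeric: the stream's elements are whatever the supplied function returns, so the neutral row discards the flow from the function's result into the resulting stream. If the other stream adapters in this file use the `Argument[0].ReturnValue -> ReturnValue.Element` form (the summary block is outside this hunk, so I cannot confirm it), this row should be a summary along the lines of `- ["java.util.stream", "IntStream", True, "mapToObj", "(IntFunction)", "", "Argument[0].ReturnValue", "ReturnValue.Element", "value", "manual"]`, with only the int input side deferred under the numeric-flow note.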


@@ -1,5 +1,5 @@
name: codeql/java-all
version: 0.5.5-dev
version: 0.5.6-dev
groups: java
dbscheme: config/semmlecode.dbscheme
extractor: java


@@ -365,6 +365,7 @@ private module ControlFlowGraphImpl {
/**
* Gets a non-overridable method that always throws an exception or calls `exit`.
*/
pragma[assume_small_delta]
private Method nonReturningMethod() {
result instanceof MethodExit
or
@@ -381,6 +382,7 @@ private module ControlFlowGraphImpl {
/**
* Gets a virtual method that always throws an exception or calls `exit`.
*/
pragma[assume_small_delta]
private EffectivelyNonVirtualMethod likelyNonReturningMethod() {
result.getReturnType() instanceof VoidType and
not exists(ReturnStmt ret | ret.getEnclosingCallable() = result) and
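Review bot: `pragma[assume_small_delta]` is added to `nonReturningMethod` and `likelyNonReturningMethod` with no comment saying which recursion it is meant to help, and the same applies to the additions in the SsaImpl `liveAtRank`/`phiNode` hunks, the BaseSsa `phiNode` hunk, the LambdaFlow `revLambdaFlow0`/`revLambdaFlowOut` hunks, `SummaryComponentStack.drop` and the two JaxRs characteristic predicates. As I understand it this pragma is an evaluator hint about recursion deltas rather than a semantic change, so a misplaced one is hard to spot later without a rationale. A one-line comment such as `// evaluator hint: the recursion through getAnOverride()/callee predicates grows slowly` at the first site, adjusted per predicate, would record why it was judged safe here. Both predicates' bodies continue outside these hunks.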


@@ -220,7 +220,7 @@ predicate modelCoverage(string package, int pkgs, string kind, string part, int
/** Provides a query predicate to check the MaD models for validation errors. */
module ModelValidation {
private string getInvalidModelInput() {
exists(string pred, string input, string part |
exists(string pred, AccessPath input, AccessPathToken part |
sinkModel(_, _, _, _, _, _, input, _, _) and pred = "sink"
or
summaryModel(_, _, _, _, _, _, input, _, _, _) and pred = "summary"
@@ -229,9 +229,10 @@ module ModelValidation {
invalidSpecComponent(input, part) and
not part = "" and
not (part = "Argument" and pred = "sink") and
not parseArg(part, _)
not parseArg(part, _) and
not part.getName() = "Field"
or
part = input.(AccessPath).getToken(0) and
part = input.getToken(0) and
parseParam(part, _)
or
invalidIndexComponent(input, part)
@@ -241,7 +242,7 @@ module ModelValidation {
}
private string getInvalidModelOutput() {
exists(string pred, string output, string part |
exists(string pred, AccessPath output, AccessPathToken part |
sourceModel(_, _, _, _, _, _, output, _, _) and pred = "source"
or
summaryModel(_, _, _, _, _, _, _, output, _, _) and pred = "summary"
@@ -249,7 +250,8 @@ module ModelValidation {
(
invalidSpecComponent(output, part) and
not part = "" and
not (part = ["Argument", "Parameter"] and pred = "source")
not (part = ["Argument", "Parameter"] and pred = "source") and
not part.getName() = "Field"
or
invalidIndexComponent(output, part)
) and
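Review bot: The new `not part.getName() = "Field"` conjuncts at the input and output checks exempt every `Field` token from `invalidSpecComponent`, so a malformed `Field` token (missing or mistyped argument) would no longer surface as a validation error from `getInvalidModelInput`/`getInvalidModelOutput`. If `Field` tokens are validated elsewhere, a comment on each exemption, e.g. `// `Field` tokens are checked separately`, would make that visible; otherwise the exemption should be narrowed to `Field` tokens that actually carry an argument. The switch from `string` to `AccessPath`/`AccessPathToken` looks consistent with the later `input.getToken(0)` use. Both predicates' bodies continue outside these hunks.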


@@ -451,6 +451,7 @@ private module SsaImpl {
* Holds if `f` is live in `b` at index `i`. The rank of `i` is `rankix` as
* defined by `callDefUseRank`.
*/
pragma[assume_small_delta]
private predicate liveAtRank(TrackedField f, BasicBlock b, int rankix, int i) {
callDefUseRank(f, b, rankix, i) and
(
@@ -564,6 +565,7 @@ private module SsaImpl {
}
/** Holds if a phi node for `v` is needed at the beginning of basic block `b`. */
pragma[assume_small_delta]
cached
predicate phiNode(TrackedVar v, BasicBlock b) {
liveAtEntry(v, b) and


@@ -151,6 +151,7 @@ private module SsaImpl {
}
/** Holds if a phi node for `v` is needed at the beginning of basic block `b`. */
pragma[assume_small_delta]
cached
predicate phiNode(BaseSsaSourceVariable v, BasicBlock b) {
liveAtEntry(v, b) and


@@ -2,7 +2,7 @@
* Provides an implementation of global (interprocedural) data flow. This file
* re-exports the local (intraprocedural) data flow analysis from
* `DataFlowImplSpecific::Public` and adds a global analysis, mainly exposed
* through the `Make` and `MakeWithState` modules.
* through the `Global` and `GlobalWithState` modules.
*/
private import DataFlowImplCommon
@@ -73,10 +73,10 @@ signature module ConfigSig {
*/
default FlowFeature getAFeature() { none() }
/** Holds if sources should be grouped in the result of `hasFlowPath`. */
/** Holds if sources should be grouped in the result of `flowPath`. */
default predicate sourceGrouping(Node source, string sourceGroup) { none() }
/** Holds if sinks should be grouped in the result of `hasFlowPath`. */
/** Holds if sinks should be grouped in the result of `flowPath`. */
default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
/**
@@ -166,10 +166,10 @@ signature module StateConfigSig {
*/
default FlowFeature getAFeature() { none() }
/** Holds if sources should be grouped in the result of `hasFlowPath`. */
/** Holds if sources should be grouped in the result of `flowPath`. */
default predicate sourceGrouping(Node source, string sourceGroup) { none() }
/** Holds if sinks should be grouped in the result of `hasFlowPath`. */
/** Holds if sinks should be grouped in the result of `flowPath`. */
default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
/**
@@ -182,15 +182,15 @@ signature module StateConfigSig {
}
/**
* Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
* Gets the exploration limit for `partialFlow` and `partialFlowRev`
* measured in approximate number of interprocedural steps.
*/
signature int explorationLimitSig();
/**
* The output of a data flow computation.
* The output of a global data flow computation.
*/
signature module DataFlowSig {
signature module GlobalFlowSig {
/**
* A `Node` augmented with a call context (except for sinks) and an access path.
* Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
@@ -203,28 +203,28 @@ signature module DataFlowSig {
* The corresponding paths are generated from the end-points and the graph
* included in the module `PathGraph`.
*/
predicate hasFlowPath(PathNode source, PathNode sink);
predicate flowPath(PathNode source, PathNode sink);
/**
* Holds if data can flow from `source` to `sink`.
*/
predicate hasFlow(Node source, Node sink);
predicate flow(Node source, Node sink);
/**
* Holds if data can flow from some source to `sink`.
*/
predicate hasFlowTo(Node sink);
predicate flowTo(Node sink);
/**
* Holds if data can flow from some source to `sink`.
*/
predicate hasFlowToExpr(DataFlowExpr sink);
predicate flowToExpr(DataFlowExpr sink);
}
/**
* Constructs a standard data flow computation.
* Constructs a global data flow computation.
*/
module Make<ConfigSig Config> implements DataFlowSig {
module Global<ConfigSig Config> implements GlobalFlowSig {
private module C implements FullStateConfigSig {
import DefaultState<Config>
import Config
@@ -233,10 +233,15 @@ module Make<ConfigSig Config> implements DataFlowSig {
import Impl<C>
}
/** DEPRECATED: Use `Global` instead. */
deprecated module Make<ConfigSig Config> implements GlobalFlowSig {
import Global<Config>
}
/**
* Constructs a data flow computation using flow state.
* Constructs a global data flow computation using flow state.
*/
module MakeWithState<StateConfigSig Config> implements DataFlowSig {
module GlobalWithState<StateConfigSig Config> implements GlobalFlowSig {
private module C implements FullStateConfigSig {
import Config
}
@@ -244,6 +249,11 @@ module MakeWithState<StateConfigSig Config> implements DataFlowSig {
import Impl<C>
}
/** DEPRECATED: Use `GlobalWithState` instead. */
deprecated module MakeWithState<StateConfigSig Config> implements GlobalFlowSig {
import GlobalWithState<Config>
}
signature class PathNodeSig {
/** Gets a textual representation of this element. */
string toString();


@@ -91,10 +91,10 @@ signature module FullStateConfigSig {
*/
FlowFeature getAFeature();
/** Holds if sources should be grouped in the result of `hasFlowPath`. */
/** Holds if sources should be grouped in the result of `flowPath`. */
predicate sourceGrouping(Node source, string sourceGroup);
/** Holds if sinks should be grouped in the result of `hasFlowPath`. */
/** Holds if sinks should be grouped in the result of `flowPath`. */
predicate sinkGrouping(Node sink, string sinkGroup);
/**
@@ -445,11 +445,7 @@ module Impl<FullStateConfigSig Config> {
}
private module Stage1 implements StageSig {
class Ap extends int {
// workaround for bad functionality-induced joins (happens when using `Unit`)
pragma[nomagic]
Ap() { this in [0 .. 1] and this < 1 }
}
class Ap = Unit;
private class Cc = boolean;
@@ -3633,7 +3629,7 @@ module Impl<FullStateConfigSig Config> {
* The corresponding paths are generated from the end-points and the graph
* included in the module `PathGraph`.
*/
predicate hasFlowPath(PathNode source, PathNode sink) {
predicate flowPath(PathNode source, PathNode sink) {
exists(PathNodeImpl flowsource, PathNodeImpl flowsink |
source = flowsource and sink = flowsink
|
@@ -3643,6 +3639,9 @@ module Impl<FullStateConfigSig Config> {
)
}
/** DEPRECATED: Use `flowPath` instead. */
deprecated predicate hasFlowPath = flowPath/2;
private predicate flowsTo(PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink) {
flowsource.isSource() and
flowsource.getNodeEx().asNode() = source and
@@ -3653,17 +3652,26 @@ module Impl<FullStateConfigSig Config> {
/**
* Holds if data can flow from `source` to `sink`.
*/
predicate hasFlow(Node source, Node sink) { flowsTo(_, _, source, sink) }
predicate flow(Node source, Node sink) { flowsTo(_, _, source, sink) }
/** DEPRECATED: Use `flow` instead. */
deprecated predicate hasFlow = flow/2;
/**
* Holds if data can flow from some source to `sink`.
*/
predicate hasFlowTo(Node sink) { sink = any(PathNodeSink n).getNodeEx().asNode() }
predicate flowTo(Node sink) { sink = any(PathNodeSink n).getNodeEx().asNode() }
/** DEPRECATED: Use `flowTo` instead. */
deprecated predicate hasFlowTo = flowTo/1;
/**
* Holds if data can flow from some source to `sink`.
*/
predicate hasFlowToExpr(DataFlowExpr sink) { hasFlowTo(exprNode(sink)) }
predicate flowToExpr(DataFlowExpr sink) { flowTo(exprNode(sink)) }
/** DEPRECATED: Use `flowToExpr` instead. */
deprecated predicate hasFlowToExpr = flowToExpr/1;
private predicate finalStats(
boolean fwd, int nodes, int fields, int conscand, int states, int tuples
@@ -4574,7 +4582,7 @@ module Impl<FullStateConfigSig Config> {
*
* To use this in a `path-problem` query, import the module `PartialPathGraph`.
*/
predicate hasPartialFlow(PartialPathNode source, PartialPathNode node, int dist) {
predicate partialFlow(PartialPathNode source, PartialPathNode node, int dist) {
partialFlow(source, node) and
dist = node.getSourceDistance()
}
@@ -4594,7 +4602,7 @@ module Impl<FullStateConfigSig Config> {
* Note that reverse flow has slightly lower precision than the corresponding
* forward flow, as reverse flow disregards type pruning among other features.
*/
predicate hasPartialFlowRev(PartialPathNode node, PartialPathNode sink, int dist) {
predicate partialFlowRev(PartialPathNode node, PartialPathNode sink, int dist) {
revPartialFlow(node, sink) and
dist = node.getSinkDistance()
}
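Review bot: `hasPartialFlow` and `hasPartialFlowRev` are renamed to `partialFlow`/`partialFlowRev` without the deprecated aliases that every other rename in this file receives (`hasFlowPath`, `hasFlow`, `hasFlowTo`, `hasFlowToExpr`), so existing callers fail to compile instead of getting a deprecation warning, unless the aliases are added outside these hunks; the fix is `deprecated predicate hasPartialFlow = partialFlow/3;` and `deprecated predicate hasPartialFlowRev = partialFlowRev/3;` next to the new predicates. Note also that the public `partialFlow/3` now shares its name with the `partialFlow/2` it calls, which is legal but easy to misread. Separately, replacing the `Ap extends int` workaround in `Stage1` with `class Ap = Unit;` drops the comment that explained why `Unit` was avoided; a short note on why the "functionality-induced joins" problem no longer applies would help whoever sees a regression there.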


@@ -1,5 +1,5 @@
/**
* DEPRECATED: Use `Make` and `MakeWithState` instead.
* DEPRECATED: Use `Global` and `GlobalWithState` instead.
*
* Provides a `Configuration` class backwards-compatible interface to the data
* flow library.
@@ -388,7 +388,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
hasFlowPath(source, sink) and source.getConfiguration() = config
flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -1,5 +1,5 @@
/**
* DEPRECATED: Use `Make` and `MakeWithState` instead.
* DEPRECATED: Use `Global` and `GlobalWithState` instead.
*
* Provides a `Configuration` class backwards-compatible interface to the data
* flow library.
@@ -388,7 +388,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
hasFlowPath(source, sink) and source.getConfiguration() = config
flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -1,5 +1,5 @@
/**
* DEPRECATED: Use `Make` and `MakeWithState` instead.
* DEPRECATED: Use `Global` and `GlobalWithState` instead.
*
* Provides a `Configuration` class backwards-compatible interface to the data
* flow library.
@@ -388,7 +388,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
hasFlowPath(source, sink) and source.getConfiguration() = config
flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -1,5 +1,5 @@
/**
* DEPRECATED: Use `Make` and `MakeWithState` instead.
* DEPRECATED: Use `Global` and `GlobalWithState` instead.
*
* Provides a `Configuration` class backwards-compatible interface to the data
* flow library.
@@ -388,7 +388,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
hasFlowPath(source, sink) and source.getConfiguration() = config
flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -1,5 +1,5 @@
/**
* DEPRECATED: Use `Make` and `MakeWithState` instead.
* DEPRECATED: Use `Global` and `GlobalWithState` instead.
*
* Provides a `Configuration` class backwards-compatible interface to the data
* flow library.
@@ -388,7 +388,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
hasFlowPath(source, sink) and source.getConfiguration() = config
flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -1,5 +1,5 @@
/**
* DEPRECATED: Use `Make` and `MakeWithState` instead.
* DEPRECATED: Use `Global` and `GlobalWithState` instead.
*
* Provides a `Configuration` class backwards-compatible interface to the data
* flow library.
@@ -388,7 +388,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
}
private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
hasFlowPath(source, sink) and source.getConfiguration() = config
flowPath(source, sink) and source.getConfiguration() = config
}
private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }


@@ -140,10 +140,8 @@ private module LambdaFlow {
}
pragma[nomagic]
private TReturnPositionSimple viableReturnPosLambda(
DataFlowCall call, DataFlowCallOption lastCall, ReturnKind kind
) {
result = TReturnPositionSimple0(viableCallableLambda(call, lastCall), kind)
private TReturnPositionSimple viableReturnPosLambda(DataFlowCall call, ReturnKind kind) {
result = TReturnPositionSimple0(viableCallableLambda(call, _), kind)
}
private predicate viableReturnPosOutNonLambda(
@@ -155,11 +153,12 @@ private module LambdaFlow {
)
}
pragma[nomagic]
private predicate viableReturnPosOutLambda(
DataFlowCall call, DataFlowCallOption lastCall, TReturnPositionSimple pos, OutNode out
DataFlowCall call, TReturnPositionSimple pos, OutNode out
) {
exists(ReturnKind kind |
pos = viableReturnPosLambda(call, lastCall, kind) and
pos = viableReturnPosLambda(call, kind) and
out = getAnOutNode(call, kind)
)
}
@@ -188,6 +187,7 @@ private module LambdaFlow {
else any()
}
pragma[assume_small_delta]
pragma[nomagic]
predicate revLambdaFlow0(
DataFlowCall lambdaCall, LambdaCallKind kind, Node node, DataFlowType t, boolean toReturn,
@@ -274,6 +274,7 @@ private module LambdaFlow {
)
}
pragma[assume_small_delta]
pragma[nomagic]
predicate revLambdaFlowOut(
DataFlowCall lambdaCall, LambdaCallKind kind, TReturnPositionSimple pos, DataFlowType t,
@@ -285,7 +286,7 @@ private module LambdaFlow {
or
// non-linear recursion
revLambdaFlowOutLambdaCall(lambdaCall, kind, out, t, toJump, call, lastCall) and
viableReturnPosOutLambda(call, _, pos, out)
viableReturnPosOutLambda(call, pos, out)
)
}


@@ -109,6 +109,7 @@ module Public {
}
/** Gets the stack obtained by dropping the first `i` elements, if any. */
pragma[assume_small_delta]
SummaryComponentStack drop(int i) {
i = 0 and result = this
or


@@ -45,10 +45,6 @@ private Sign certainExprSign(Expr e) {
private predicate unknownSign(Expr e) {
not exists(certainExprSign(e)) and
(
exists(IntegerLiteral lit | lit = e and not exists(lit.getValue().toInt()))
or
exists(LongLiteral lit | lit = e and not exists(lit.getValue().toFloat()))
or
exists(CastingExpr cast, Type fromtyp |
cast = e and
fromtyp = cast.getSourceType() and
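Review bot: Dropping the `IntegerLiteral`/`LongLiteral` branches from `unknownSign` means a literal whose `getValue()` does not convert to an int or float is only still covered if `certainExprSign(e)` (defined above this hunk) now accounts for it; if it does not, such literals silently lose their sign classification, which feeds the range and overflow analyses downstream. If `certainExprSign` was extended in the same change, a one-line comment here such as `// literal signs are derived in certainExprSign` would document the intent. The body of `unknownSign` continues outside the hunk.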


@@ -33,9 +33,9 @@ private module AddTaintDefaults<DataFlowInternal::FullStateConfigSig Config> imp
}
/**
* Constructs a standard taint tracking computation.
* Constructs a global taint tracking computation.
*/
module Make<DataFlow::ConfigSig Config> implements DataFlow::DataFlowSig {
module Global<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
private module Config0 implements DataFlowInternal::FullStateConfigSig {
import DataFlowInternal::DefaultState<Config>
import Config
@@ -48,10 +48,15 @@ module Make<DataFlow::ConfigSig Config> implements DataFlow::DataFlowSig {
import DataFlowInternal::Impl<C>
}
/** DEPRECATED: Use `Global` instead. */
deprecated module Make<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
import Global<Config>
}
/**
* Constructs a taint tracking computation using flow state.
* Constructs a global taint tracking computation using flow state.
*/
module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::DataFlowSig {
module GlobalWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
private module Config0 implements DataFlowInternal::FullStateConfigSig {
import Config
}
@@ -62,3 +67,8 @@ module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::DataF
import DataFlowInternal::Impl<C>
}
/** DEPRECATED: Use `GlobalWithState` instead. */
deprecated module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
import GlobalWithState<Config>
}


@@ -53,6 +53,7 @@ private predicate hasPathAnnotation(Annotatable annotatable) {
* A method which is annotated with one or more JaxRS resource type annotations e.g. `@GET`, `@POST` etc.
*/
class JaxRsResourceMethod extends Method {
pragma[assume_small_delta]
JaxRsResourceMethod() {
exists(AnnotationType a |
a = this.getAnAnnotation().getType() and
@@ -91,6 +92,7 @@ class JaxRsResourceMethod extends Method {
* This class contains resource methods, which are executed in response to requests.
*/
class JaxRsResourceClass extends Class {
pragma[assume_small_delta]
JaxRsResourceClass() {
// A root resource class has a @Path annotation on the class.
hasPathAnnotation(this)


@@ -28,7 +28,7 @@ class OnActivityResultIncomingIntent extends DataFlow::Node {
*/
predicate isRemoteSource() {
exists(RefType startingType, Expr startActivityForResultArg |
ImplicitStartActivityForResult::hasFlowToExpr(startActivityForResultArg) and
ImplicitStartActivityForResult::flowToExpr(startActivityForResultArg) and
// startingType is the class enclosing the method that calls `startActivityForResult`.
startingType = startActivityForResultArg.getEnclosingCallable().getDeclaringType()
|
@@ -104,7 +104,7 @@ private module ImplicitStartActivityForResultConfig implements DataFlow::ConfigS
}
private module ImplicitStartActivityForResult =
DataFlow::Make<ImplicitStartActivityForResultConfig>;
DataFlow::Global<ImplicitStartActivityForResultConfig>;
/** An Android Activity or Fragment. */
private class ActivityOrFragment extends Class {


@@ -21,10 +21,10 @@ private module TypeLiteralToParseAsFlowConfig implements DataFlow::ConfigSig {
}
}
private module TypeLiteralToParseAsFlow = DataFlow::Make<TypeLiteralToParseAsFlowConfig>;
private module TypeLiteralToParseAsFlow = DataFlow::Global<TypeLiteralToParseAsFlowConfig>;
private TypeLiteral getSourceWithFlowToParseAs() {
TypeLiteralToParseAsFlow::hasFlow(DataFlow::exprNode(result), _)
TypeLiteralToParseAsFlow::flow(DataFlow::exprNode(result), _)
}
/** A field that is deserialized by `HttpResponse.parseAs`. */


@@ -108,10 +108,10 @@ private module TypeLiteralToJacksonDatabindFlowConfig implements DataFlow::Confi
}
private module TypeLiteralToJacksonDatabindFlow =
DataFlow::Make<TypeLiteralToJacksonDatabindFlowConfig>;
DataFlow::Global<TypeLiteralToJacksonDatabindFlowConfig>;
private TypeLiteral getSourceWithFlowToJacksonDatabind() {
TypeLiteralToJacksonDatabindFlow::hasFlow(DataFlow::exprNode(result), _)
TypeLiteralToJacksonDatabindFlow::flow(DataFlow::exprNode(result), _)
}
/** A type whose values are explicitly deserialized in a call to a Jackson method. */


@@ -173,4 +173,4 @@ private module SensitiveCommunicationConfig implements DataFlow::ConfigSig {
/**
* Tracks taint flow from variables containing sensitive information to broadcast Intents.
*/
module SensitiveCommunicationFlow = TaintTracking::Make<SensitiveCommunicationConfig>;
module SensitiveCommunicationFlow = TaintTracking::Global<SensitiveCommunicationConfig>;


@@ -17,15 +17,15 @@ private module ApkInstallationConfig implements DataFlow::ConfigSig {
ma.getMethod() instanceof SetDataMethod and
ma.getArgument(0) = node.asExpr() and
(
PackageArchiveMimeTypeFlow::hasFlowToExpr(ma.getQualifier())
PackageArchiveMimeTypeFlow::flowToExpr(ma.getQualifier())
or
InstallPackageActionFlow::hasFlowToExpr(ma.getQualifier())
InstallPackageActionFlow::flowToExpr(ma.getQualifier())
)
)
}
}
module ApkInstallationFlow = DataFlow::Make<ApkInstallationConfig>;
module ApkInstallationFlow = DataFlow::Global<ApkInstallationConfig>;
private newtype ActionState =
ActionUnset() or
@@ -72,7 +72,8 @@ private module InstallPackageActionConfig implements DataFlow::StateConfigSig {
predicate isBarrier(DataFlow::Node node, FlowState state) { none() }
}
private module InstallPackageActionFlow = TaintTracking::MakeWithState<InstallPackageActionConfig>;
private module InstallPackageActionFlow =
TaintTracking::GlobalWithState<InstallPackageActionConfig>;
private newtype MimeTypeState =
MimeTypeUnset() or
@@ -117,4 +118,4 @@ private module PackageArchiveMimeTypeConfig implements DataFlow::StateConfigSig
}
private module PackageArchiveMimeTypeFlow =
TaintTracking::MakeWithState<PackageArchiveMimeTypeConfig>;
TaintTracking::GlobalWithState<PackageArchiveMimeTypeConfig>;


@@ -37,4 +37,4 @@ private module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
* Taint-tracking flow for unsafe user input
* that is used to create Android fragments dynamically.
*/
module FragmentInjectionTaintFlow = TaintTracking::Make<FragmentInjectionTaintConfig>;
module FragmentInjectionTaintFlow = TaintTracking::Global<FragmentInjectionTaintConfig>;


@@ -53,4 +53,4 @@ private module IntentUriPermissionManipulationConfig implements DataFlow::Config
* Taint tracking flow for user-provided Intents being returned to third party apps.
*/
module IntentUriPermissionManipulationFlow =
TaintTracking::Make<IntentUriPermissionManipulationConfig>;
TaintTracking::Global<IntentUriPermissionManipulationConfig>;


@@ -9,6 +9,9 @@ private import semmle.code.java.frameworks.SpringLdap
/** A data flow sink for unvalidated user input that is used in JNDI lookup. */
abstract class JndiInjectionSink extends DataFlow::Node { }
/** A sanitizer for JNDI injection vulnerabilities. */
abstract class JndiInjectionSanitizer extends DataFlow::Node { }
/**
* A unit class for adding additional taint steps.
*


@@ -17,7 +17,9 @@ class JndiInjectionFlowConfig extends TaintTracking::Configuration {
override predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink }
override predicate isSanitizer(DataFlow::Node node) {
node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
node.getType() instanceof PrimitiveType or
node.getType() instanceof BoxedType or
node instanceof JndiInjectionSanitizer
}
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
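Review bot: The new `JndiInjectionSanitizer` extension point is wired only into the `Configuration`-based `JndiInjectionFlowConfig` via `isSanitizer`; since the rest of this commit migrates queries to `TaintTracking::Global` with `isBarrier`, any `ConfigSig`-based JNDI module added alongside would need `node instanceof JndiInjectionSanitizer` in its `isBarrier` as well, or the two flow definitions will disagree on what counts as sanitized. The abstract class in the library file has a one-line doc but no guidance on what a subclass must guarantee; a sentence such as `// Subclasses should only match nodes whose value can no longer reach a JNDI lookup unchanged` would help extension authors. The class body continues outside the hunk.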


@@ -38,4 +38,4 @@ private module LogInjectionConfig implements DataFlow::ConfigSig {
/**
* Taint-tracking flow for tracking untrusted user input used in log entries.
*/
module LogInjectionFlow = TaintTracking::Make<LogInjectionConfig>;
module LogInjectionFlow = TaintTracking::Global<LogInjectionConfig>;


@@ -53,4 +53,4 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
predicate isBarrier(DataFlow::Node node) { node instanceof RequestForgerySanitizer }
}
module RequestForgeryFlow = TaintTracking::Make<RequestForgeryConfig>;
module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>;


@@ -42,4 +42,4 @@ private module RsaWithoutOaepConfig implements DataFlow::ConfigSig {
}
/** Flow for finding RSA ciphers initialized without using OAEP padding. */
module RsaWithoutOaepFlow = DataFlow::Make<RsaWithoutOaepConfig>;
module RsaWithoutOaepFlow = DataFlow::Global<RsaWithoutOaepConfig>;


@@ -65,4 +65,4 @@ private module SensitiveLoggerConfig implements DataFlow::ConfigSig {
predicate isBarrierIn(Node node) { isSource(node) }
}
module SensitiveLoggerFlow = TaintTracking::Make<SensitiveLoggerConfig>;
module SensitiveLoggerFlow = TaintTracking::Global<SensitiveLoggerConfig>;


@@ -41,4 +41,4 @@ private module UnsafeContentResolutionConfig implements DataFlow::ConfigSig {
}
/** Taint-tracking flow to find paths from remote sources to content URI resolutions. */
module UnsafeContentResolutionFlow = TaintTracking::Make<UnsafeContentResolutionConfig>;
module UnsafeContentResolutionFlow = TaintTracking::Global<UnsafeContentResolutionConfig>;


@@ -43,7 +43,7 @@ private class DefaultXssSink extends XssSink {
or
exists(MethodAccess ma |
ma.getMethod() instanceof WritingMethod and
XssVulnerableWriterSourceToWritingMethodFlow::hasFlowToExpr(ma.getQualifier()) and
XssVulnerableWriterSourceToWritingMethodFlow::flowToExpr(ma.getQualifier()) and
this.asExpr() = ma.getArgument(_)
)
}
@@ -71,7 +71,7 @@ private module XssVulnerableWriterSourceToWritingMethodFlowConfig implements Dat
}
private module XssVulnerableWriterSourceToWritingMethodFlow =
TaintTracking::Make<XssVulnerableWriterSourceToWritingMethodFlowConfig>;
TaintTracking::Global<XssVulnerableWriterSourceToWritingMethodFlowConfig>;
/** A method that can be used to output data to an output stream or writer. */
private class WritingMethod extends Method {


@@ -42,4 +42,4 @@ module XxeLocalConfig implements DataFlow::ConfigSig {
/**
* Detect taint flow of unvalidated local user input that is used in XML external entity expansion.
*/
module XxeLocalFlow = TaintTracking::Make<XxeLocalConfig>;
module XxeLocalFlow = TaintTracking::Global<XxeLocalConfig>;


@@ -42,4 +42,4 @@ module XxeConfig implements DataFlow::ConfigSig {
/**
* Detect taint flow of unvalidated remote user input that is used in XML external entity expansion.
*/
module XxeFlow = TaintTracking::Make<XxeConfig>;
module XxeFlow = TaintTracking::Global<XxeConfig>;


@@ -81,4 +81,4 @@ private module PolynomialRedosConfig implements DataFlow::ConfigSig {
}
}
module PolynomialRedosFlow = TaintTracking::Make<PolynomialRedosConfig>;
module PolynomialRedosFlow = TaintTracking::Global<PolynomialRedosConfig>;


@@ -1,3 +1,9 @@
## 0.5.5
### New Queries
* Added a new query, `java/android/arbitrary-apk-installation`, to detect installation of APKs from untrusted sources.
## 0.5.4
No user-facing changes.


@@ -41,7 +41,7 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
}
}
module TaintedPath = TaintTracking::Make<TaintedPathConfig>;
module TaintedPath = TaintTracking::Global<TaintedPathConfig>;
import TaintedPath::PathGraph
@@ -53,13 +53,13 @@ import TaintedPath::PathGraph
* continue to report there; otherwise we report directly at `sink`.
*/
DataFlow::Node getReportingNode(DataFlow::Node sink) {
TaintedPath::hasFlowTo(sink) and
TaintedPath::flowTo(sink) and
if exists(PathCreation pc | pc.getAnInput() = sink.asExpr())
then result.asExpr() = any(PathCreation pc | pc.getAnInput() = sink.asExpr())
else result = sink
}
from TaintedPath::PathNode source, TaintedPath::PathNode sink
where TaintedPath::hasFlowPath(source, sink)
where TaintedPath::flowPath(source, sink)
select getReportingNode(sink.getNode()), source, sink, "This path depends on a $@.",
source.getNode(), "user-provided value"


@@ -41,7 +41,7 @@ module TaintedPathLocalConfig implements DataFlow::ConfigSig {
}
}
module TaintedPathLocalFlow = TaintTracking::Make<TaintedPathLocalConfig>;
module TaintedPathLocalFlow = TaintTracking::Global<TaintedPathLocalConfig>;
import TaintedPathLocalFlow::PathGraph
@@ -53,13 +53,13 @@ import TaintedPathLocalFlow::PathGraph
* continue to report there; otherwise we report directly at `sink`.
*/
DataFlow::Node getReportingNode(DataFlow::Node sink) {
TaintedPathLocalFlow::hasFlowTo(sink) and
TaintedPathLocalFlow::flowTo(sink) and
if exists(PathCreation pc | pc.getAnInput() = sink.asExpr())
then result.asExpr() = any(PathCreation pc | pc.getAnInput() = sink.asExpr())
else result = sink
}
from TaintedPathLocalFlow::PathNode source, TaintedPathLocalFlow::PathNode sink
where TaintedPathLocalFlow::hasFlowPath(source, sink)
where TaintedPathLocalFlow::flowPath(source, sink)
select getReportingNode(sink.getNode()), source, sink, "This path depends on a $@.",
source.getNode(), "user-provided value"


@@ -44,7 +44,7 @@ module ZipSlipConfig implements DataFlow::ConfigSig {
predicate isBarrier(DataFlow::Node node) { node instanceof PathInjectionSanitizer }
}
module ZipSlipFlow = TaintTracking::Make<ZipSlipConfig>;
module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;
import ZipSlipFlow::PathGraph
@@ -56,7 +56,7 @@ private class FileCreationSink extends DataFlow::Node {
}
from ZipSlipFlow::PathNode source, ZipSlipFlow::PathNode sink
where ZipSlipFlow::hasFlowPath(source, sink)
where ZipSlipFlow::flowPath(source, sink)
select source.getNode(), source, sink,
"Unsanitized archive entry, which may contain '..', is used in a $@.", sink.getNode(),
"file system operation"


@@ -16,16 +16,13 @@ import semmle.code.java.Expr
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.ExternalProcess
import semmle.code.java.security.CommandArguments
import DataFlow::PathGraph
class LocalUserInputToArgumentToExecFlowConfig extends TaintTracking::Configuration {
LocalUserInputToArgumentToExecFlowConfig() { this = "LocalUserInputToArgumentToExecFlowConfig" }
module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
override predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
override predicate isSanitizer(DataFlow::Node node) {
predicate isBarrier(DataFlow::Node node) {
node.getType() instanceof PrimitiveType
or
node.getType() instanceof BoxedType
@@ -34,9 +31,16 @@ class LocalUserInputToArgumentToExecFlowConfig extends TaintTracking::Configurat
}
}
module LocalUserInputToArgumentToExecFlow =
TaintTracking::Global<LocalUserInputToArgumentToExecFlowConfig>;
import LocalUserInputToArgumentToExecFlow::PathGraph
from
DataFlow::PathNode source, DataFlow::PathNode sink, ArgumentToExec execArg,
LocalUserInputToArgumentToExecFlowConfig conf
where conf.hasFlowPath(source, sink) and sink.getNode().asExpr() = execArg
LocalUserInputToArgumentToExecFlow::PathNode source,
LocalUserInputToArgumentToExecFlow::PathNode sink, ArgumentToExec execArg
where
LocalUserInputToArgumentToExecFlow::flowPath(source, sink) and
sink.getNode().asExpr() = execArg
select execArg, source, sink, "This command line depends on a $@.", source.getNode(),
"user-provided value"


@@ -29,11 +29,11 @@ module XssConfig implements DataFlow::ConfigSig {
}
}
module XssFlow = TaintTracking::Make<XssConfig>;
module XssFlow = TaintTracking::Global<XssConfig>;
import XssFlow::PathGraph
from XssFlow::PathNode source, XssFlow::PathNode sink
where XssFlow::hasFlowPath(source, sink)
where XssFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to a $@.",
source.getNode(), "user-provided value"


@@ -14,17 +14,18 @@
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.XSS
import DataFlow::PathGraph
class XssLocalConfig extends TaintTracking::Configuration {
XssLocalConfig() { this = "XSSLocalConfig" }
module XssLocalConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
}
from DataFlow::PathNode source, DataFlow::PathNode sink, XssLocalConfig conf
where conf.hasFlowPath(source, sink)
module XssLocalFlow = TaintTracking::Global<XssLocalConfig>;
import XssLocalFlow::PathGraph
from XssLocalFlow::PathNode source, XssLocalFlow::PathNode sink
where XssLocalFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
source.getNode(), "user-provided value"
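Review bot: The new `XssLocalConfig` module carries no QLDoc, so the query's source/sink choice (local user input reaching an `XssSink`) is described only by its name; a one-line comment such as `/** A taint-tracking configuration for local user input reaching an XSS sink. */` above the `module` line would close that gap. The same applies to the other `ConfigSig` modules introduced in this commit, among them `UncontrolledStringBuilderSourceFlowConfig`, `LocalUserInputToQueryInjectionFlowConfig`, `BoundedFlowSourceConfig` and the `ImproperValidationOfArray*Config` modules. The class-based configurations they replace were undocumented too, but the migration is the natural point to add it.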


@@ -25,28 +25,27 @@ class UncontrolledStringBuilderSource extends DataFlow::ExprNode {
}
}
class UncontrolledStringBuilderSourceFlowConfig extends TaintTracking::Configuration {
UncontrolledStringBuilderSourceFlowConfig() {
this = "SqlConcatenated::UncontrolledStringBuilderSourceFlowConfig"
}
module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) { src instanceof UncontrolledStringBuilderSource }
override predicate isSource(DataFlow::Node src) { src instanceof UncontrolledStringBuilderSource }
predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
override predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
override predicate isSanitizer(DataFlow::Node node) {
predicate isBarrier(DataFlow::Node node) {
node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
}
}
module UncontrolledStringBuilderSourceFlow =
TaintTracking::Global<UncontrolledStringBuilderSourceFlowConfig>;
from QueryInjectionSink query, Expr uncontrolled
where
(
builtFromUncontrolledConcat(query.asExpr(), uncontrolled)
or
exists(StringBuilderVar sbv, UncontrolledStringBuilderSourceFlowConfig conf |
exists(StringBuilderVar sbv |
uncontrolledStringBuilderQuery(sbv, uncontrolled) and
conf.hasFlow(DataFlow::exprNode(sbv.getToStringCall()), query)
UncontrolledStringBuilderSourceFlow::flow(DataFlow::exprNode(sbv.getToStringCall()), query)
)
) and
not queryTaintedBy(query, _, _)


@@ -15,26 +15,29 @@
import semmle.code.java.Expr
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.SqlInjectionQuery
import DataFlow::PathGraph
class LocalUserInputToQueryInjectionFlowConfig extends TaintTracking::Configuration {
LocalUserInputToQueryInjectionFlowConfig() { this = "LocalUserInputToQueryInjectionFlowConfig" }
module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
override predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
override predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
override predicate isSanitizer(DataFlow::Node node) {
predicate isBarrier(DataFlow::Node node) {
node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
}
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
any(AdditionalQueryInjectionTaintStep s).step(node1, node2)
}
}
module LocalUserInputToQueryInjectionFlow =
TaintTracking::Global<LocalUserInputToQueryInjectionFlowConfig>;
import LocalUserInputToQueryInjectionFlow::PathGraph
from
DataFlow::PathNode source, DataFlow::PathNode sink, LocalUserInputToQueryInjectionFlowConfig conf
where conf.hasFlowPath(source, sink)
LocalUserInputToQueryInjectionFlow::PathNode source,
LocalUserInputToQueryInjectionFlow::PathNode sink
where LocalUserInputToQueryInjectionFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
"user-provided value"


@@ -17,6 +17,6 @@ import LdapInjectionLib
import LdapInjectionFlow::PathGraph
from LdapInjectionFlow::PathNode source, LdapInjectionFlow::PathNode sink
where LdapInjectionFlow::hasFlowPath(source, sink)
where LdapInjectionFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This LDAP query depends on a $@.", source.getNode(),
"user-provided value"


@@ -17,4 +17,4 @@ module LdapInjectionFlowConfig implements DataFlow::ConfigSig {
}
}
module LdapInjectionFlow = TaintTracking::Make<LdapInjectionFlowConfig>;
module LdapInjectionFlow = TaintTracking::Global<LdapInjectionFlowConfig>;


@@ -15,5 +15,5 @@ import semmle.code.java.security.ArbitraryApkInstallationQuery
import ApkInstallationFlow::PathGraph
from ApkInstallationFlow::PathNode source, ApkInstallationFlow::PathNode sink
where ApkInstallationFlow::hasFlowPath(source, sink)
where ApkInstallationFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Arbitrary Android APK installation."


@@ -61,7 +61,7 @@ module BeanValidationConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
}
module BeanValidationFlow = TaintTracking::Make<BeanValidationConfig>;
module BeanValidationFlow = TaintTracking::Global<BeanValidationConfig>;
import BeanValidationFlow::PathGraph
@@ -80,6 +80,6 @@ where
or
exists(SetMessageInterpolatorCall c | not c.isSafe())
) and
BeanValidationFlow::hasFlowPath(source, sink)
BeanValidationFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Custom constraint error message contains an unsanitized $@.",
source, "user-provided value"
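Review bot: The `$@` argument in the `select` at the end of this hunk is the path node `source` rather than `source.getNode()`, unlike every other query in this commit (the ResponseSplitting, LogInjection and query-injection selects all pass `source.getNode()`). This is an unchanged context line, so the behaviour predates the migration; it presumably still renders because a path node has a location, but the inconsistency is worth fixing while the file is being touched: `source.getNode(), "user-provided value"`. The `where` clause this `select` belongs to starts outside the hunk.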


@@ -42,12 +42,12 @@ module ResponseSplittingConfig implements DataFlow::ConfigSig {
}
}
module ResponseSplitting = TaintTracking::Make<ResponseSplittingConfig>;
module ResponseSplitting = TaintTracking::Global<ResponseSplittingConfig>;
import ResponseSplitting::PathGraph
from ResponseSplitting::PathNode source, ResponseSplitting::PathNode sink
where ResponseSplitting::hasFlowPath(source, sink)
where ResponseSplitting::flowPath(source, sink)
select sink.getNode(), source, sink,
"This header depends on a $@, which may cause a response-splitting vulnerability.",
source.getNode(), "user-provided value"


@@ -26,12 +26,12 @@ module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
}
}
module ResponseSplitting = TaintTracking::Make<ResponseSplittingLocalConfig>;
module ResponseSplitting = TaintTracking::Global<ResponseSplittingLocalConfig>;
import ResponseSplitting::PathGraph
from ResponseSplitting::PathNode source, ResponseSplitting::PathNode sink
where ResponseSplitting::hasFlowPath(source, sink)
where ResponseSplitting::flowPath(source, sink)
select sink.getNode(), source, sink,
"This header depends on a $@, which may cause a response-splitting vulnerability.",
source.getNode(), "user-provided value"


@@ -16,6 +16,6 @@ import semmle.code.java.security.LogInjectionQuery
import LogInjectionFlow::PathGraph
from LogInjectionFlow::PathNode source, LogInjectionFlow::PathNode sink
where LogInjectionFlow::hasFlowPath(source, sink)
where LogInjectionFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This log entry depends on a $@.", source.getNode(),
"user-provided value"


@@ -13,25 +13,28 @@
import java
import ArraySizing
import semmle.code.java.dataflow.FlowSources
import DataFlow::PathGraph
class Conf extends TaintTracking::Configuration {
Conf() { this = "RemoteUserInputTocanThrowOutOfBoundsDueToEmptyArrayConfig" }
private module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
}
}
module ImproperValidationOfArrayConstructionFlow =
TaintTracking::Global<ImproperValidationOfArrayConstructionConfig>;
import ImproperValidationOfArrayConstructionFlow::PathGraph
from
DataFlow::PathNode source, DataFlow::PathNode sink, Expr sizeExpr,
ImproperValidationOfArrayConstructionFlow::PathNode source,
ImproperValidationOfArrayConstructionFlow::PathNode sink, Expr sizeExpr,
ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess
where
arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sizeExpr, arrayCreation) and
sizeExpr = sink.getNode().asExpr() and
any(Conf conf).hasFlowPath(source, sink)
ImproperValidationOfArrayConstructionFlow::flowPath(source, sink)
select arrayAccess.getIndexExpr(), source, sink,
"This accesses the $@, but the array is initialized using a $@ which may be zero.", arrayCreation,
"array", source.getNode(), "user-provided value"
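Review bot: `ImproperValidationOfArrayConstructionConfig` is declared `private module`, whereas every sibling configuration converted in this commit (`ImproperValidationOfArrayConstructionLocalConfig`, `ImproperValidationOfArrayIndexConfig`, `ImproperValidationOfArrayIndexLocalConfig`, `BoundedFlowSourceConfig`) is a plain `module`. Nothing in the hunk depends on the module being private, so either drop the modifier for consistency, `module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSig {`, or apply `private` uniformly across the sibling queries. Since a query-level module is presumably not imported elsewhere, the choice is one of style rather than behaviour, but it should be made once for the whole set.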


@@ -13,30 +13,33 @@
import java
import ArraySizing
import DataFlow::PathGraph
import semmle.code.java.dataflow.TaintTracking
class BoundedFlowSourceConf extends DataFlow::Configuration {
BoundedFlowSourceConf() { this = "BoundedFlowSource" }
override predicate isSource(DataFlow::Node source) {
module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof BoundedFlowSource and
// There is not a fixed lower bound which is greater than zero.
not source.(BoundedFlowSource).lowerBound() > 0
}
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
}
}
module BoundedFlowSourceFlow = DataFlow::Global<BoundedFlowSourceConfig>;
import BoundedFlowSourceFlow::PathGraph
from
DataFlow::PathNode source, DataFlow::PathNode sink, BoundedFlowSource boundedsource,
Expr sizeExpr, ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess
BoundedFlowSourceFlow::PathNode source, BoundedFlowSourceFlow::PathNode sink,
BoundedFlowSource boundedsource, Expr sizeExpr, ArrayCreationExpr arrayCreation,
CheckableArrayAccess arrayAccess
where
arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sizeExpr, arrayCreation) and
sizeExpr = sink.getNode().asExpr() and
boundedsource = source.getNode() and
any(BoundedFlowSourceConf conf).hasFlowPath(source, sink)
BoundedFlowSourceFlow::flowPath(source, sink)
select arrayAccess.getIndexExpr(), source, sink,
"This accesses the $@, but the array is initialized using $@ which may be zero.", arrayCreation,
"array", boundedsource, boundedsource.getDescription().toLowerCase()


@@ -14,25 +14,28 @@
import java
import ArraySizing
import semmle.code.java.dataflow.FlowSources
import DataFlow::PathGraph
class Conf extends TaintTracking::Configuration {
Conf() { this = "LocalUserInputTocanThrowOutOfBoundsDueToEmptyArrayConfig" }
module ImproperValidationOfArrayConstructionLocalConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
}
}
module ImproperValidationOfArrayConstructionLocalFlow =
TaintTracking::Global<ImproperValidationOfArrayConstructionLocalConfig>;
import ImproperValidationOfArrayConstructionLocalFlow::PathGraph
from
DataFlow::PathNode source, DataFlow::PathNode sink, Expr sizeExpr,
ImproperValidationOfArrayConstructionLocalFlow::PathNode source,
ImproperValidationOfArrayConstructionLocalFlow::PathNode sink, Expr sizeExpr,
ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess
where
arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sizeExpr, arrayCreation) and
sizeExpr = sink.getNode().asExpr() and
any(Conf conf).hasFlowPath(source, sink)
ImproperValidationOfArrayConstructionLocalFlow::flowPath(source, sink)
select arrayAccess.getIndexExpr(), source, sink,
"This accesses the $@, but the array is initialized using a $@ which may be zero.", arrayCreation,
"array", source.getNode(), "user-provided value"


@@ -13,24 +13,28 @@
import java
import ArraySizing
import semmle.code.java.dataflow.FlowSources
import DataFlow::PathGraph
class Conf extends TaintTracking::Configuration {
Conf() { this = "RemoteUserInputTocanThrowOutOfBoundsDueToEmptyArrayConfig" }
module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
any(CheckableArrayAccess caa).canThrowOutOfBounds(sink.asExpr())
}
override predicate isSanitizer(DataFlow::Node node) { node.getType() instanceof BooleanType }
predicate isBarrier(DataFlow::Node node) { node.getType() instanceof BooleanType }
}
from DataFlow::PathNode source, DataFlow::PathNode sink, CheckableArrayAccess arrayAccess
module ImproperValidationOfArrayIndexFlow =
TaintTracking::Global<ImproperValidationOfArrayIndexConfig>;
import ImproperValidationOfArrayIndexFlow::PathGraph
from
ImproperValidationOfArrayIndexFlow::PathNode source,
ImproperValidationOfArrayIndexFlow::PathNode sink, CheckableArrayAccess arrayAccess
where
arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and
any(Conf conf).hasFlowPath(source, sink)
ImproperValidationOfArrayIndexFlow::flowPath(source, sink)
select arrayAccess.getIndexExpr(), source, sink,
"This index depends on a $@ which can cause an ArrayIndexOutOfBoundsException.", source.getNode(),
"user-provided value"


@@ -14,25 +14,27 @@
import java
import ArraySizing
import BoundingChecks
import DataFlow::PathGraph
import semmle.code.java.dataflow.TaintTracking
class BoundedFlowSourceConf extends DataFlow::Configuration {
BoundedFlowSourceConf() { this = "BoundedFlowSource" }
module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof BoundedFlowSource }
override predicate isSource(DataFlow::Node source) { source instanceof BoundedFlowSource }
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
exists(CheckableArrayAccess arrayAccess | arrayAccess.canThrowOutOfBounds(sink.asExpr()))
}
}
module BoundedFlowSourceFlow = DataFlow::Global<BoundedFlowSourceConfig>;
import BoundedFlowSourceFlow::PathGraph
from
DataFlow::PathNode source, DataFlow::PathNode sink, BoundedFlowSource boundedsource,
CheckableArrayAccess arrayAccess
BoundedFlowSourceFlow::PathNode source, BoundedFlowSourceFlow::PathNode sink,
BoundedFlowSource boundedsource, CheckableArrayAccess arrayAccess
where
arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and
boundedsource = source.getNode() and
any(BoundedFlowSourceConf conf).hasFlowPath(source, sink) and
BoundedFlowSourceFlow::flowPath(source, sink) and
boundedsource != sink.getNode() and
not (
(


@@ -14,22 +14,26 @@
import java
import ArraySizing
import semmle.code.java.dataflow.FlowSources
import DataFlow::PathGraph
class Conf extends TaintTracking::Configuration {
Conf() { this = "LocalUserInputTocanThrowOutOfBoundsDueToEmptyArrayConfig" }
module ImproperValidationOfArrayIndexLocalConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
any(CheckableArrayAccess caa).canThrowOutOfBounds(sink.asExpr())
}
}
from DataFlow::PathNode source, DataFlow::PathNode sink, CheckableArrayAccess arrayAccess
module ImproperValidationOfArrayIndexLocalFlow =
TaintTracking::Global<ImproperValidationOfArrayIndexLocalConfig>;
import ImproperValidationOfArrayIndexLocalFlow::PathGraph
from
ImproperValidationOfArrayIndexLocalFlow::PathNode source,
ImproperValidationOfArrayIndexLocalFlow::PathNode sink, CheckableArrayAccess arrayAccess
where
arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and
any(Conf conf).hasFlowPath(source, sink)
ImproperValidationOfArrayIndexLocalFlow::flowPath(source, sink)
select arrayAccess.getIndexExpr(), source, sink,
"This index depends on a $@ which can cause an ArrayIndexOutOfBoundsException.", source.getNode(),
"user-provided value"


@@ -27,7 +27,7 @@ module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {
}
module ExternallyControlledFormatStringFlow =
TaintTracking::Make<ExternallyControlledFormatStringConfig>;
TaintTracking::Global<ExternallyControlledFormatStringConfig>;
import ExternallyControlledFormatStringFlow::PathGraph
@@ -35,7 +35,7 @@ from
ExternallyControlledFormatStringFlow::PathNode source,
ExternallyControlledFormatStringFlow::PathNode sink, StringFormat formatCall
where
ExternallyControlledFormatStringFlow::hasFlowPath(source, sink) and
ExternallyControlledFormatStringFlow::flowPath(source, sink) and
sink.getNode().asExpr() = formatCall.getFormatArgument()
select formatCall.getFormatArgument(), source, sink, "Format string depends on a $@.",
source.getNode(), "user-provided value"


@@ -23,7 +23,7 @@ module ExternallyControlledFormatStringLocalConfig implements DataFlow::ConfigSi
}
module ExternallyControlledFormatStringLocalFlow =
TaintTracking::Make<ExternallyControlledFormatStringLocalConfig>;
TaintTracking::Global<ExternallyControlledFormatStringLocalConfig>;
import ExternallyControlledFormatStringLocalFlow::PathGraph
@@ -31,7 +31,7 @@ from
ExternallyControlledFormatStringLocalFlow::PathNode source,
ExternallyControlledFormatStringLocalFlow::PathNode sink, StringFormat formatCall
where
ExternallyControlledFormatStringLocalFlow::hasFlowPath(source, sink) and
ExternallyControlledFormatStringLocalFlow::flowPath(source, sink) and
sink.getNode().asExpr() = formatCall.getFormatArgument()
select formatCall.getFormatArgument(), source, sink, "Format string depends on a $@.",
source.getNode(), "user-provided value"


@@ -32,22 +32,23 @@ module RemoteUserInputUnderflowConfig implements DataFlow::ConfigSig {
predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }
}
module RemoteUserInputOverflow = TaintTracking::Make<RemoteUserInputOverflowConfig>;
module RemoteUserInputOverflow = TaintTracking::Global<RemoteUserInputOverflowConfig>;
module RemoteUserInputUnderflow = TaintTracking::Make<RemoteUserInputUnderflowConfig>;
module RemoteUserInputUnderflow = TaintTracking::Global<RemoteUserInputUnderflowConfig>;
module Flow =
DataFlow::MergePathGraph<RemoteUserInputOverflow::PathNode, RemoteUserInputUnderflow::PathNode, RemoteUserInputOverflow::PathGraph, RemoteUserInputUnderflow::PathGraph>;
DataFlow::MergePathGraph<RemoteUserInputOverflow::PathNode, RemoteUserInputUnderflow::PathNode,
RemoteUserInputOverflow::PathGraph, RemoteUserInputUnderflow::PathGraph>;
import Flow::PathGraph
from Flow::PathNode source, Flow::PathNode sink, ArithExpr exp, string effect
where
RemoteUserInputOverflow::hasFlowPath(source.asPathNode1(), sink.asPathNode1()) and
RemoteUserInputOverflow::flowPath(source.asPathNode1(), sink.asPathNode1()) and
overflowSink(exp, sink.getNode().asExpr()) and
effect = "overflow"
or
RemoteUserInputUnderflow::hasFlowPath(source.asPathNode2(), sink.asPathNode2()) and
RemoteUserInputUnderflow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
underflowSink(exp, sink.getNode().asExpr()) and
effect = "underflow"
select exp, source, sink,
