hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-24 00:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12886 from atorralba/atorralba/java/path-injection-mad-sinks

Browse Source 
Java: Refactor path injection sinks
This commit is contained in:
Tony Torralba
2024-02-09 10:48:49 +01:00
committed by GitHub
parent d46028f552 e2bf9ea2eb
commit 4c0d535cc2
21 changed files with 229 additions and 937 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
java/ql/lib/change-notes/2024-01-26-deprecated-path-creation.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: deprecated
---
* The `PathCreation` class in `PathCreation.qll` has been deprecated.

9
java/ql/lib/ext/java.io.model.yml
View File

@@ -3,18 +3,18 @@ extensions:
pack: codeql/java-all
extensible: sinkModel
data:
- ["java.io", "File", False, "File", "(File,String)", "", "Argument[1]", "path-injection", "manual"] # old PathCreation
- ["java.io", "File", False, "File", "(String)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
- ["java.io", "File", False, "File", "(String,String)", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation
- ["java.io", "File", False, "File", "(URI)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
- ["java.io", "File", True, "createNewFile", "()", "", "Argument[this]", "path-injection", "ai-manual"]
- ["java.io", "File", True, "createTempFile", "(String,String,File)", "", "Argument[2]", "path-injection", "ai-manual"]
- ["java.io", "File", True, "exists", "()", "", "Argument[this]", "path-injection", "manual"]
- ["java.io", "File", True, "renameTo", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.io", "FileInputStream", True, "FileInputStream", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.io", "FileInputStream", True, "FileInputStream", "(FileDescriptor)", "", "Argument[0]", "path-injection", "manual"]
- ["java.io", "FileInputStream", True, "FileInputStream", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.io", "FileOutputStream", False, "FileOutputStream", "", "", "Argument[0]", "path-injection", "manual"]
- ["java.io", "FileOutputStream", False, "write", "", "", "Argument[0]", "file-content-store", "manual"]
- ["java.io", "FileReader", True, "FileReader", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.io", "FileReader", True, "FileReader", "(FileDescriptor)", "", "Argument[0]", "path-injection", "manual"]
- ["java.io", "FileReader", True, "FileReader", "(File,Charset)", "", "Argument[0]", "path-injection", "manual"]
- ["java.io", "FileReader", True, "FileReader", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.io", "FileReader", True, "FileReader", "(String,Charset)", "", "Argument[0]", "path-injection", "manual"]
- ["java.io", "FileSystem", True, "createDirectory", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
@@ -127,7 +127,6 @@ extensions:
- ["java.io", "DataOutput", "writeLong", "(long)", "summary", "manual"] # taint-numeric
# sink neutrals
- ["java.io", "File", "compareTo", "", "sink", "hq-manual"]
- ["java.io", "File", "exists", "()", "sink", "hq-manual"]
- addsTo:
pack: codeql/java-all
extensible: sourceModel

16
java/ql/lib/ext/java.nio.file.model.yml
View File

@@ -18,6 +18,7 @@ extensions:
- ["java.nio.file", "Files", False, "delete", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.nio.file", "Files", False, "deleteIfExists", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.nio.file", "Files", False, "getFileStore", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"] # the FileStore class is unlikely to be used for later sanitization
- ["java.nio.file", "Files", False, "exists", "(Path,LinkOption[])", "", "Argument[0]", "path-injection", "manual"]
- ["java.nio.file", "Files", False, "lines", "(Path,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.nio.file", "Files", False, "lines", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.nio.file", "Files", False, "move", "", "", "Argument[1]", "path-injection", "manual"]
@@ -27,6 +28,7 @@ extensions:
- ["java.nio.file", "Files", False, "newBufferedWriter", "", "", "Argument[0]", "path-injection", "manual"]
- ["java.nio.file", "Files", False, "newInputStream", "(Path,OpenOption[])", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.nio.file", "Files", False, "newOutputStream", "", "", "Argument[0]", "path-injection", "manual"]
- ["java.nio.file", "Files", False, "notExists", "(Path,LinkOption[])", "", "Argument[0]", "path-injection", "manual"]
- ["java.nio.file", "Files", False, "probeContentType", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"] # accesses the file based on user input, but only reads its content type from it
- ["java.nio.file", "Files", False, "readAllBytes", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.nio.file", "Files", False, "readAllLines", "(Path,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]
@@ -37,15 +39,8 @@ extensions:
- ["java.nio.file", "Files", False, "write", "", "", "Argument[1]", "file-content-store", "manual"]
- ["java.nio.file", "Files", False, "writeString", "", "", "Argument[0]", "path-injection", "manual"]
- ["java.nio.file", "Files", False, "writeString", "", "", "Argument[1]", "file-content-store", "manual"]
- ["java.nio.file", "FileSystem", False, "getPath", "", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation
- ["java.nio.file", "FileSystems", False, "newFileSystem", "(URI,Map)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.nio.file", "FileSystems", False, "newFileSystem", "(URI,Map)", "", "Argument[0]", "request-forgery", "ai-manual"]
- ["java.nio.file", "Path", False, "of", "(String,String[])", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation
- ["java.nio.file", "Path", False, "of", "(URI)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
- ["java.nio.file", "Path", False, "resolve", "(String)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
- ["java.nio.file", "Path", False, "resolveSibling", "(String)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
- ["java.nio.file", "Paths", False, "get", "(String,String[])", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation
- ["java.nio.file", "Paths", False, "get", "(URI)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
- ["java.nio.file", "SecureDirectoryStream", True, "deleteDirectory", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["java.nio.file", "SecureDirectoryStream", True, "deleteFile", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
- addsTo:
@@ -63,7 +58,7 @@ extensions:
- ["java.nio.file", "Files", True, "newDirectoryStream", "(Path,DirectoryStream$Filter)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
- ["java.nio.file", "Files", True, "newDirectoryStream", "(Path)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
- ["java.nio.file", "Files", True, "walk", "(Path,FileVisitOption[])", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
- ["java.nio.file", "FileSystem", True, "getPath", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "FileSystem", True, "getPath", "(String,String[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "FileSystem", True, "getPath", "(String,String[])", "", "Argument[1]", "ReturnValue", "taint", "ai-manual"]
- ["java.nio.file", "FileSystem", True, "getPathMatcher", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
- ["java.nio.file", "FileSystem", True, "getRootDirectories", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
@@ -76,7 +71,8 @@ extensions:
- ["java.nio.file", "Path", True, "relativize", "(Path)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
- ["java.nio.file", "Path", True, "resolve", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "Path", True, "resolve", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "Path", True, "resolveSibling", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
- ["java.nio.file", "Path", True, "resolveSibling", "", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
- ["java.nio.file", "Path", True, "resolveSibling", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "Path", True, "toAbsolutePath", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "Path", False, "toFile", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.nio.file", "Path", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
@@ -95,7 +91,6 @@ extensions:
# summary neutrals
- ["java.nio.file", "Files", "exists", "(Path,LinkOption[])", "summary", "manual"]
# sink neutrals
- ["java.nio.file", "Files", "exists", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "getLastModifiedTime", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "getOwner", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "getPosixFilePermissions", "", "sink", "hq-manual"]
@@ -107,6 +102,5 @@ extensions:
- ["java.nio.file", "Files", "isSameFile", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "isSymbolicLink", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "isWritable", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "notExists", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "setLastModifiedTime", "", "sink", "hq-manual"]
- ["java.nio.file", "Files", "size", "", "sink", "hq-manual"]

26
java/ql/lib/semmle/code/java/security/PathCreation.qll
View File

@@ -1,11 +1,13 @@
/**
* DEPRECATED.
*
* Models the different ways to create paths. Either by using `java.io.File`-related APIs or `java.nio.file.Path`-related APIs.
*/
import java
/** Models the creation of a path. */
abstract class PathCreation extends Expr {
/** DEPRECATED: Models the creation of a path. */
abstract deprecated class PathCreation extends Expr {
/**
* Gets an input that is used in the creation of this path.
* This excludes inputs of type `File` and `Path`.
@@ -14,7 +16,7 @@ abstract class PathCreation extends Expr {
}
/** Models the `java.nio.file.Paths.get` method. */
private class PathsGet extends PathCreation, MethodCall {
deprecated private class PathsGet extends PathCreation, MethodCall {
PathsGet() {
exists(Method m | m = this.getMethod() |
m.getDeclaringType() instanceof TypePaths and
@@ -26,7 +28,7 @@ private class PathsGet extends PathCreation, MethodCall {
}
/** Models the `java.nio.file.FileSystem.getPath` method. */
private class FileSystemGetPath extends PathCreation, MethodCall {
deprecated private class FileSystemGetPath extends PathCreation, MethodCall {
FileSystemGetPath() {
exists(Method m | m = this.getMethod() |
m.getDeclaringType() instanceof TypeFileSystem and
@@ -38,7 +40,7 @@ private class FileSystemGetPath extends PathCreation, MethodCall {
}
/** Models the `new java.io.File(...)` constructor. */
private class FileCreation extends PathCreation, ClassInstanceExpr {
deprecated private class FileCreation extends PathCreation, ClassInstanceExpr {
FileCreation() { this.getConstructedType() instanceof TypeFile }
override Expr getAnInput() {
@@ -49,7 +51,7 @@ private class FileCreation extends PathCreation, ClassInstanceExpr {
}
/** Models the `java.nio.file.Path.resolveSibling` method. */
private class PathResolveSiblingCreation extends PathCreation, MethodCall {
deprecated private class PathResolveSiblingCreation extends PathCreation, MethodCall {
PathResolveSiblingCreation() {
exists(Method m | m = this.getMethod() |
m.getDeclaringType() instanceof TypePath and
@@ -65,7 +67,7 @@ private class PathResolveSiblingCreation extends PathCreation, MethodCall {
}
/** Models the `java.nio.file.Path.resolve` method. */
private class PathResolveCreation extends PathCreation, MethodCall {
deprecated private class PathResolveCreation extends PathCreation, MethodCall {
PathResolveCreation() {
exists(Method m | m = this.getMethod() |
m.getDeclaringType() instanceof TypePath and
@@ -81,7 +83,7 @@ private class PathResolveCreation extends PathCreation, MethodCall {
}
/** Models the `java.nio.file.Path.of` method. */
private class PathOfCreation extends PathCreation, MethodCall {
deprecated private class PathOfCreation extends PathCreation, MethodCall {
PathOfCreation() {
exists(Method m | m = this.getMethod() |
m.getDeclaringType() instanceof TypePath and
@@ -93,7 +95,7 @@ private class PathOfCreation extends PathCreation, MethodCall {
}
/** Models the `new java.io.FileWriter(...)` constructor. */
private class FileWriterCreation extends PathCreation, ClassInstanceExpr {
deprecated private class FileWriterCreation extends PathCreation, ClassInstanceExpr {
FileWriterCreation() { this.getConstructedType().hasQualifiedName("java.io", "FileWriter") }
override Expr getAnInput() {
@@ -104,7 +106,7 @@ private class FileWriterCreation extends PathCreation, ClassInstanceExpr {
}
/** Models the `new java.io.FileReader(...)` constructor. */
private class FileReaderCreation extends PathCreation, ClassInstanceExpr {
deprecated private class FileReaderCreation extends PathCreation, ClassInstanceExpr {
FileReaderCreation() { this.getConstructedType().hasQualifiedName("java.io", "FileReader") }
override Expr getAnInput() {
@@ -115,7 +117,7 @@ private class FileReaderCreation extends PathCreation, ClassInstanceExpr {
}
/** Models the `new java.io.FileInputStream(...)` constructor. */
private class FileInputStreamCreation extends PathCreation, ClassInstanceExpr {
deprecated private class FileInputStreamCreation extends PathCreation, ClassInstanceExpr {
FileInputStreamCreation() {
this.getConstructedType().hasQualifiedName("java.io", "FileInputStream")
}
@@ -128,7 +130,7 @@ private class FileInputStreamCreation extends PathCreation, ClassInstanceExpr {
}
/** Models the `new java.io.FileOutputStream(...)` constructor. */
private class FileOutputStreamCreation extends PathCreation, ClassInstanceExpr {
deprecated private class FileOutputStreamCreation extends PathCreation, ClassInstanceExpr {
FileOutputStreamCreation() {
this.getConstructedType().hasQualifiedName("java.io", "FileOutputStream")
}

11
java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll
View File

@@ -8,6 +8,13 @@ private import semmle.code.java.dataflow.ExternalFlow
import semmle.code.java.security.PathSanitizer
private import semmle.code.java.security.Sanitizers
/** A sink for tainted path flow configurations. */
abstract class TaintedPathSink extends DataFlow::Node { }
private class DefaultTaintedPathSink extends TaintedPathSink {
DefaultTaintedPathSink() { sinkNode(this, "path-injection") }
}
/**
* A unit class for adding additional taint steps.
*
@@ -55,7 +62,7 @@ private class TaintPreservingUriCtorParam extends Parameter {
module TaintedPathConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") }
predicate isSink(DataFlow::Node sink) { sink instanceof TaintedPathSink }
predicate isBarrier(DataFlow::Node sanitizer) {
sanitizer instanceof SimpleTypeSanitizer or
@@ -76,7 +83,7 @@ module TaintedPathFlow = TaintTracking::Global<TaintedPathConfig>;
module TaintedPathLocalConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") }
predicate isSink(DataFlow::Node sink) { sink instanceof TaintedPathSink }
predicate isBarrier(DataFlow::Node sanitizer) {
sanitizer instanceof SimpleTypeSanitizer or

25
java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
View File

@@ -41,28 +41,5 @@ module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;
* A sink that represents a file creation, such as a file write, copy or move operation.
*/
private class FileCreationSink extends DataFlow::Node {
FileCreationSink() {
sinkNode(this, "path-injection") and
not isPathCreation(this)
}
}
/**
* Holds if `sink` is a path creation node that doesn't imply a read/write filesystem operation.
* This is to avoid creating new spurious alerts, since `PathCreation` sinks weren't
* previously part of this query.
*/
private predicate isPathCreation(DataFlow::Node sink) {
exists(PathCreation pc |
pc.getAnInput() = sink.asExpr()
or
pc.getAnInput().(Argument).isVararg() and sink.(DataFlow::ImplicitVarargsArray).getCall() = pc
|
// exclude actual read/write operations included in `PathCreation`
not pc.(Call)
.getCallee()
.getDeclaringType()
.hasQualifiedName("java.io",
["FileInputStream", "FileOutputStream", "FileReader", "FileWriter"])
)
FileCreationSink() { sinkNode(this, "path-injection") }
}

18
java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
View File

@@ -18,21 +18,7 @@ import semmle.code.java.security.PathCreation
import semmle.code.java.security.TaintedPathQuery
import TaintedPathFlow::PathGraph
/**
* Gets the data-flow node at which to report a path ending at `sink`.
*
* Previously this query flagged alerts exclusively at `PathCreation` sites,
* so to avoid perturbing existing alerts, where a `PathCreation` exists we
* continue to report there; otherwise we report directly at `sink`.
*/
DataFlow::Node getReportingNode(DataFlow::Node sink) {
TaintedPathFlow::flowTo(sink) and
if exists(PathCreation pc | pc.getAnInput() = sink.asExpr())
then result.asExpr() = any(PathCreation pc | pc.getAnInput() = sink.asExpr())
else result = sink
}
from TaintedPathFlow::PathNode source, TaintedPathFlow::PathNode sink
where TaintedPathFlow::flowPath(source, sink)
select getReportingNode(sink.getNode()), source, sink, "This path depends on a $@.",
source.getNode(), "user-provided value"
select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(),
"user-provided value"

18
java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql
View File

@@ -18,21 +18,7 @@ import semmle.code.java.security.PathCreation
import semmle.code.java.security.TaintedPathQuery
import TaintedPathLocalFlow::PathGraph
/**
* Gets the data-flow node at which to report a path ending at `sink`.
*
* Previously this query flagged alerts exclusively at `PathCreation` sites,
* so to avoid perturbing existing alerts, where a `PathCreation` exists we
* continue to report there; otherwise we report directly at `sink`.
*/
DataFlow::Node getReportingNode(DataFlow::Node sink) {
TaintedPathLocalFlow::flowTo(sink) and
if exists(PathCreation pc | pc.getAnInput() = sink.asExpr())
then result.asExpr() = any(PathCreation pc | pc.getAnInput() = sink.asExpr())
else result = sink
}
from TaintedPathLocalFlow::PathNode source, TaintedPathLocalFlow::PathNode sink
where TaintedPathLocalFlow::flowPath(source, sink)
select getReportingNode(sink.getNode()), source, sink, "This path depends on a $@.",
source.getNode(), "user-provided value"
select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(),
"user-provided value"

4
java/ql/src/change-notes/2024-01-26-path-injection-precision-improved.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: majorAnalysis
---
* The sinks of the queries `java/path-injection` and `java/path-injection-local` have been reworked. Path creation sinks have been converted to summaries instead, while sinks now are actual file read/write operations only. This has reduced the false positive ratio of both queries.

3
java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
View File

@@ -16,6 +16,7 @@ import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.ExternalFlow
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.TaintedPathQuery
import JFinalController
import semmle.code.java.security.PathSanitizer
private import semmle.code.java.security.Sanitizers
@@ -52,7 +53,7 @@ module InjectFilePathConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) {
sinkNode(sink, "path-injection") and
sink instanceof TaintedPathSink and
not sink instanceof NormalizedPathNode
}

6
java/ql/test/experimental/query-tests/security/CWE-073/FilePathInjection.expected
View File

@@ -3,8 +3,8 @@ edges
| FilePathInjection.java:64:21:64:34 | getPara(...) : String | FilePathInjection.java:72:47:72:59 | finalFilePath |
| FilePathInjection.java:87:21:87:34 | getPara(...) : String | FilePathInjection.java:95:47:95:59 | finalFilePath |
| FilePathInjection.java:177:50:177:58 | file : File | FilePathInjection.java:182:30:182:33 | file |
| FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:209:24:209:31 | filePath |
| FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:209:24:209:31 | filePath : String |
| FilePathInjection.java:209:15:209:32 | new File(...) : File | FilePathInjection.java:210:23:210:26 | file |
| FilePathInjection.java:209:15:209:32 | new File(...) : File | FilePathInjection.java:217:19:217:22 | file : File |
| FilePathInjection.java:209:24:209:31 | filePath : String | FilePathInjection.java:209:15:209:32 | new File(...) : File |
| FilePathInjection.java:217:19:217:22 | file : File | FilePathInjection.java:177:50:177:58 | file : File |
@@ -19,8 +19,8 @@ nodes
| FilePathInjection.java:182:30:182:33 | file | semmle.label | file |
| FilePathInjection.java:205:17:205:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| FilePathInjection.java:209:15:209:32 | new File(...) : File | semmle.label | new File(...) : File |
| FilePathInjection.java:209:24:209:31 | filePath | semmle.label | filePath |
| FilePathInjection.java:209:24:209:31 | filePath : String | semmle.label | filePath : String |
| FilePathInjection.java:210:23:210:26 | file | semmle.label | file |
| FilePathInjection.java:217:19:217:22 | file : File | semmle.label | file : File |
subpaths
#select
@@ -28,4 +28,4 @@ subpaths
| FilePathInjection.java:72:47:72:59 | finalFilePath | FilePathInjection.java:64:21:64:34 | getPara(...) : String | FilePathInjection.java:72:47:72:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:64:21:64:34 | getPara(...) | user-provided value |
| FilePathInjection.java:95:47:95:59 | finalFilePath | FilePathInjection.java:87:21:87:34 | getPara(...) : String | FilePathInjection.java:95:47:95:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:87:21:87:34 | getPara(...) | user-provided value |
| FilePathInjection.java:182:30:182:33 | file | FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:182:30:182:33 | file | External control of file name or path due to $@. | FilePathInjection.java:205:17:205:44 | getParameter(...) | user-provided value |
| FilePathInjection.java:209:24:209:31 | filePath | FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:209:24:209:31 | filePath | External control of file name or path due to $@. | FilePathInjection.java:205:17:205:44 | getParameter(...) | user-provided value |
| FilePathInjection.java:210:23:210:26 | file | FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:210:23:210:26 | file | External control of file name or path due to $@. | FilePathInjection.java:205:17:205:44 | getParameter(...) | user-provided value |

3
java/ql/test/library-tests/neutrals/neutralsinks/Test.java
View File

@@ -14,11 +14,9 @@ public class Test {
// java.io
File file = null;
file.exists(); // $ isNeutralSink
file.compareTo(null); // $ isNeutralSink
// java.nio.file
Files.exists(null, (LinkOption[])null); // $ isNeutralSink
Files.getLastModifiedTime(null, (LinkOption[])null); // $ isNeutralSink
Files.getOwner(null, (LinkOption[])null); // $ isNeutralSink
Files.getPosixFilePermissions(null, (LinkOption[])null); // $ isNeutralSink
@@ -30,7 +28,6 @@ public class Test {
Files.isSameFile(null, null); // $ isNeutralSink
Files.isSymbolicLink(null); // $ isNeutralSink
Files.isWritable(null); // $ isNeutralSink
Files.notExists(null, (LinkOption[])null); // $ isNeutralSink
Files.setLastModifiedTime(null, null); // $ isNeutralSink
Files.size(null); // $ isNeutralSink

1
java/ql/test/library-tests/pathcreation/PathCreation.expected
View File

@@ -1,3 +1,4 @@
WARNING: Type PathCreation has been deprecated and may be removed in future (PathCreation.ql:4,6-18)
| PathCreation.java:13:18:13:32 | new File(...) | PathCreation.java:13:27:13:31 | "dir" |
| PathCreation.java:14:19:14:40 | new File(...) | PathCreation.java:14:28:14:32 | "dir" |
| PathCreation.java:14:19:14:40 | new File(...) | PathCreation.java:14:35:14:39 | "sub" |

1
java/ql/test/query-tests/Telemetry/SupportedExternalSinks/SupportedExternalSinks.expected
View File

@@ -1,3 +1,2 @@
| java.io.File#File(String) | 1 |
| java.io.FileWriter#FileWriter(File) | 1 |
| java.net.URL#openStream() | 1 |

494
java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
View File

@@ -1,494 +0,0 @@
edges
| TaintedPath.java:12:38:12:110 | new BufferedReader(...) : BufferedReader | TaintedPath.java:13:24:13:37 | filenameReader : BufferedReader |
| TaintedPath.java:12:57:12:109 | new InputStreamReader(...) : InputStreamReader | TaintedPath.java:12:38:12:110 | new BufferedReader(...) : BufferedReader |
| TaintedPath.java:12:79:12:99 | getInputStream(...) : InputStream | TaintedPath.java:12:57:12:109 | new InputStreamReader(...) : InputStreamReader |
| TaintedPath.java:13:24:13:37 | filenameReader : BufferedReader | TaintedPath.java:13:24:13:48 | readLine(...) : String |
| TaintedPath.java:13:24:13:48 | readLine(...) : String | TaintedPath.java:15:68:15:75 | filename |
| TaintedPath.java:38:41:39:70 | new BufferedReader(...) : BufferedReader | TaintedPath.java:40:27:40:40 | filenameReader : BufferedReader |
| TaintedPath.java:39:17:39:69 | new InputStreamReader(...) : InputStreamReader | TaintedPath.java:38:41:39:70 | new BufferedReader(...) : BufferedReader |
| TaintedPath.java:39:39:39:59 | getInputStream(...) : InputStream | TaintedPath.java:39:17:39:69 | new InputStreamReader(...) : InputStreamReader |
| TaintedPath.java:40:27:40:40 | filenameReader : BufferedReader | TaintedPath.java:40:27:40:51 | readLine(...) : String |
| TaintedPath.java:40:27:40:51 | readLine(...) : String | TaintedPath.java:43:46:43:53 | filename |
| Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp |
| Test.java:19:18:19:38 | getHostName(...) : String | Test.java:27:21:27:24 | temp |
| Test.java:19:18:19:38 | getHostName(...) : String | Test.java:30:44:30:47 | temp |
| Test.java:19:18:19:38 | getHostName(...) : String | Test.java:34:21:34:24 | temp |
| Test.java:79:33:79:99 | new BufferedReader(...) : BufferedReader | Test.java:80:31:80:32 | br : BufferedReader |
| Test.java:79:52:79:98 | new InputStreamReader(...) : InputStreamReader | Test.java:79:33:79:99 | new BufferedReader(...) : BufferedReader |
| Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:79:52:79:98 | new InputStreamReader(...) : InputStreamReader |
| Test.java:80:31:80:32 | br : BufferedReader | Test.java:80:31:80:43 | readLine(...) : String |
| Test.java:80:31:80:43 | readLine(...) : String | Test.java:82:67:82:81 | ... + ... |
| Test.java:88:17:88:37 | getHostName(...) : String | Test.java:90:26:90:29 | temp |
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:26:97:26 | t : String |
| Test.java:97:26:97:26 | t : String | Test.java:97:12:97:33 | new URI(...) |
| Test.java:97:26:97:26 | t : String | Test.java:98:23:98:23 | t : String |
| Test.java:98:23:98:23 | t : String | Test.java:98:12:98:33 | new URI(...) |
| Test.java:98:23:98:23 | t : String | Test.java:99:29:99:29 | t : String |
| Test.java:99:29:99:29 | t : String | Test.java:99:12:99:33 | new URI(...) |
| Test.java:99:29:99:29 | t : String | Test.java:100:32:100:32 | t : String |
| Test.java:100:32:100:32 | t : String | Test.java:100:12:100:45 | new URI(...) |
| Test.java:100:32:100:32 | t : String | Test.java:101:41:101:41 | t : String |
| Test.java:101:41:101:41 | t : String | Test.java:101:12:101:54 | new URI(...) |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:45:61:45:68 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:47:41:47:48 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:49:56:49:63 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:51:46:51:53 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:53:38:53:45 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:55:36:55:43 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:57:31:57:38 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:59:33:59:40 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:61:27:61:34 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:63:27:63:34 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:65:40:65:47 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:67:47:67:54 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:69:40:69:47 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:71:38:71:45 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:73:33:73:40 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:75:33:75:40 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:77:41:77:48 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:79:42:79:49 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:81:37:81:44 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:83:29:83:36 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:85:37:85:44 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:87:28:87:35 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:89:33:89:40 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:91:40:91:47 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:93:40:93:47 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:94:40:94:47 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:96:38:96:45 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:98:28:98:35 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:99:28:99:35 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:100:28:100:35 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:102:34:102:41 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:103:34:103:41 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:105:33:105:40 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:107:42:107:49 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:109:50:109:57 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:111:54:111:61 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:113:50:113:57 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:115:35:115:42 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:117:48:117:55 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:119:37:119:44 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:121:35:121:42 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:123:55:123:62 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:125:47:125:54 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:127:47:127:54 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:131:35:131:42 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:135:56:135:63 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:137:56:137:63 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:141:59:141:66 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:143:59:143:66 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:145:58:145:65 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:147:34:147:41 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:149:34:149:41 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:151:44:151:51 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:153:31:153:38 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:155:46:155:53 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:157:46:157:53 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:159:67:159:74 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:161:67:161:74 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:163:73:163:80 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:166:37:166:44 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:168:48:168:55 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:170:54:170:61 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:172:69:172:76 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:174:47:174:54 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:176:49:176:56 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:178:64:178:71 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:180:49:180:56 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:182:64:182:71 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:184:61:184:68 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:190:37:190:44 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:192:74:192:81 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:194:68:194:75 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:196:68:196:75 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:198:30:198:37 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:203:30:203:37 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:208:33:208:40 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:210:27:210:34 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:212:28:212:35 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:214:29:214:36 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:219:27:219:34 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:221:26:221:33 | source(...) : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:226:29:226:36 | source(...) : String |
| mad/Test.java:45:61:45:68 | source(...) : String | mad/Test.java:45:52:45:68 | (...)... |
| mad/Test.java:47:41:47:48 | source(...) : String | mad/Test.java:47:32:47:48 | (...)... |
| mad/Test.java:49:56:49:63 | source(...) : String | mad/Test.java:49:47:49:63 | (...)... |
| mad/Test.java:51:46:51:53 | source(...) : String | mad/Test.java:51:39:51:53 | (...)... |
| mad/Test.java:53:38:53:45 | source(...) : String | mad/Test.java:53:31:53:45 | (...)... |
| mad/Test.java:55:36:55:43 | source(...) : String | mad/Test.java:55:29:55:43 | (...)... |
| mad/Test.java:57:31:57:38 | source(...) : String | mad/Test.java:57:24:57:38 | (...)... |
| mad/Test.java:59:33:59:40 | source(...) : String | mad/Test.java:59:24:59:40 | (...)... |
| mad/Test.java:61:27:61:34 | source(...) : String | mad/Test.java:61:20:61:34 | (...)... |
| mad/Test.java:63:27:63:34 | source(...) : String | mad/Test.java:63:20:63:34 | (...)... |
| mad/Test.java:65:40:65:47 | source(...) : String | mad/Test.java:65:33:65:47 | (...)... |
| mad/Test.java:67:47:67:54 | source(...) : String | mad/Test.java:67:40:67:54 | (...)... |
| mad/Test.java:69:40:69:47 | source(...) : String | mad/Test.java:69:33:69:47 | (...)... |
| mad/Test.java:71:38:71:45 | source(...) : String | mad/Test.java:71:31:71:45 | (...)... |
| mad/Test.java:73:33:73:40 | source(...) : String | mad/Test.java:73:26:73:40 | (...)... |
| mad/Test.java:75:33:75:40 | source(...) : String | mad/Test.java:75:26:75:40 | (...)... |
| mad/Test.java:77:41:77:48 | source(...) : String | mad/Test.java:77:34:77:48 | (...)... |
| mad/Test.java:79:42:79:49 | source(...) : String | mad/Test.java:79:35:79:49 | (...)... |
| mad/Test.java:81:37:81:44 | source(...) : String | mad/Test.java:81:30:81:44 | (...)... |
| mad/Test.java:83:29:83:36 | source(...) : String | mad/Test.java:83:22:83:36 | (...)... |
| mad/Test.java:85:37:85:44 | source(...) : String | mad/Test.java:85:30:85:44 | (...)... |
| mad/Test.java:87:28:87:35 | source(...) : String | mad/Test.java:87:21:87:35 | (...)... |
| mad/Test.java:89:33:89:40 | source(...) : String | mad/Test.java:89:26:89:40 | (...)... |
| mad/Test.java:91:40:91:47 | source(...) : String | mad/Test.java:91:33:91:47 | (...)... |
| mad/Test.java:93:40:93:47 | source(...) : String | mad/Test.java:93:33:93:47 | (...)... |
| mad/Test.java:94:40:94:47 | source(...) : String | mad/Test.java:94:33:94:47 | (...)... |
| mad/Test.java:96:38:96:45 | source(...) : String | mad/Test.java:96:31:96:45 | (...)... |
| mad/Test.java:98:28:98:35 | source(...) : String | mad/Test.java:98:21:98:35 | (...)... |
| mad/Test.java:99:28:99:35 | source(...) : String | mad/Test.java:99:21:99:35 | (...)... |
| mad/Test.java:100:28:100:35 | source(...) : String | mad/Test.java:100:21:100:35 | (...)... |
| mad/Test.java:102:34:102:41 | source(...) : String | mad/Test.java:102:27:102:41 | (...)... |
| mad/Test.java:103:34:103:41 | source(...) : String | mad/Test.java:103:27:103:41 | (...)... |
| mad/Test.java:105:33:105:40 | source(...) : String | mad/Test.java:105:26:105:40 | (...)... |
| mad/Test.java:107:42:107:49 | source(...) : String | mad/Test.java:107:35:107:49 | (...)... |
| mad/Test.java:109:50:109:57 | source(...) : String | mad/Test.java:109:41:109:57 | (...)... |
| mad/Test.java:111:54:111:61 | source(...) : String | mad/Test.java:111:45:111:61 | (...)... |
| mad/Test.java:113:50:113:57 | source(...) : String | mad/Test.java:113:43:113:57 | (...)... |
| mad/Test.java:115:35:115:42 | source(...) : String | mad/Test.java:115:28:115:42 | (...)... |
| mad/Test.java:117:48:117:55 | source(...) : String | mad/Test.java:117:41:117:55 | (...)... |
| mad/Test.java:119:37:119:44 | source(...) : String | mad/Test.java:119:28:119:44 | (...)... |
| mad/Test.java:121:35:121:42 | source(...) : String | mad/Test.java:121:28:121:42 | (...)... |
| mad/Test.java:123:55:123:62 | source(...) : String | mad/Test.java:123:46:123:62 | (...)... |
| mad/Test.java:125:47:125:54 | source(...) : String | mad/Test.java:125:40:125:54 | (...)... |
| mad/Test.java:127:47:127:54 | source(...) : String | mad/Test.java:127:40:127:54 | (...)... |
| mad/Test.java:131:35:131:42 | source(...) : String | mad/Test.java:131:26:131:42 | (...)... |
| mad/Test.java:135:56:135:63 | source(...) : String | mad/Test.java:135:49:135:63 | (...)... |
| mad/Test.java:137:56:137:63 | source(...) : String | mad/Test.java:137:49:137:63 | (...)... |
| mad/Test.java:141:59:141:66 | source(...) : String | mad/Test.java:141:52:141:66 | (...)... |
| mad/Test.java:143:59:143:66 | source(...) : String | mad/Test.java:143:52:143:66 | (...)... |
| mad/Test.java:145:58:145:65 | source(...) : String | mad/Test.java:145:49:145:65 | (...)... |
| mad/Test.java:147:34:147:41 | source(...) : String | mad/Test.java:147:25:147:41 | (...)... |
| mad/Test.java:149:34:149:41 | source(...) : String | mad/Test.java:149:25:149:41 | (...)... |
| mad/Test.java:151:44:151:51 | source(...) : String | mad/Test.java:151:35:151:51 | (...)... |
| mad/Test.java:153:31:153:38 | source(...) : String | mad/Test.java:153:24:153:38 | (...)... |
| mad/Test.java:155:46:155:53 | source(...) : String | mad/Test.java:155:37:155:53 | (...)... |
| mad/Test.java:157:46:157:53 | source(...) : String | mad/Test.java:157:37:157:53 | (...)... |
| mad/Test.java:159:67:159:74 | source(...) : String | mad/Test.java:159:58:159:74 | (...)... |
| mad/Test.java:161:67:161:74 | source(...) : String | mad/Test.java:161:58:161:74 | (...)... |
| mad/Test.java:163:73:163:80 | source(...) : String | mad/Test.java:163:64:163:80 | (...)... |
| mad/Test.java:166:37:166:44 | source(...) : String | mad/Test.java:166:28:166:44 | (...)... |
| mad/Test.java:168:48:168:55 | source(...) : String | mad/Test.java:168:39:168:55 | (...)... |
| mad/Test.java:170:54:170:61 | source(...) : String | mad/Test.java:170:45:170:61 | (...)... |
| mad/Test.java:172:69:172:76 | source(...) : String | mad/Test.java:172:60:172:76 | (...)... |
| mad/Test.java:174:47:174:54 | source(...) : String | mad/Test.java:174:40:174:54 | (...)... |
| mad/Test.java:176:49:176:56 | source(...) : String | mad/Test.java:176:40:176:56 | (...)... |
| mad/Test.java:178:64:178:71 | source(...) : String | mad/Test.java:178:55:178:71 | (...)... |
| mad/Test.java:180:49:180:56 | source(...) : String | mad/Test.java:180:40:180:56 | (...)... |
| mad/Test.java:182:64:182:71 | source(...) : String | mad/Test.java:182:55:182:71 | (...)... |
| mad/Test.java:184:61:184:68 | source(...) : String | mad/Test.java:184:54:184:68 | (...)... |
| mad/Test.java:190:37:190:44 | source(...) : String | mad/Test.java:190:30:190:44 | (...)... |
| mad/Test.java:192:74:192:81 | source(...) : String | mad/Test.java:192:40:192:81 | (...)... |
| mad/Test.java:194:68:194:75 | source(...) : String | mad/Test.java:194:34:194:75 | (...)... |
| mad/Test.java:196:68:196:75 | source(...) : String | mad/Test.java:196:34:196:75 | (...)... |
| mad/Test.java:198:30:198:37 | source(...) : String | mad/Test.java:198:23:198:37 | (...)... |
| mad/Test.java:203:30:203:37 | source(...) : String | mad/Test.java:203:23:203:37 | (...)... |
| mad/Test.java:208:33:208:40 | source(...) : String | mad/Test.java:208:23:208:40 | (...)... |
| mad/Test.java:210:27:210:34 | source(...) : String | mad/Test.java:210:20:210:34 | (...)... |
| mad/Test.java:212:28:212:35 | source(...) : String | mad/Test.java:212:21:212:35 | (...)... |
| mad/Test.java:214:29:214:36 | source(...) : String | mad/Test.java:214:22:214:36 | (...)... |
| mad/Test.java:219:27:219:34 | source(...) : String | mad/Test.java:219:20:219:34 | (...)... |
| mad/Test.java:221:26:221:33 | source(...) : String | mad/Test.java:221:19:221:33 | (...)... |
| mad/Test.java:226:29:226:36 | source(...) : String | mad/Test.java:226:20:226:36 | (...)... |
nodes
| TaintedPath.java:12:38:12:110 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
| TaintedPath.java:12:57:12:109 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
| TaintedPath.java:12:79:12:99 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| TaintedPath.java:13:24:13:37 | filenameReader : BufferedReader | semmle.label | filenameReader : BufferedReader |
| TaintedPath.java:13:24:13:48 | readLine(...) : String | semmle.label | readLine(...) : String |
| TaintedPath.java:15:68:15:75 | filename | semmle.label | filename |
| TaintedPath.java:38:41:39:70 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
| TaintedPath.java:39:17:39:69 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
| TaintedPath.java:39:39:39:59 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| TaintedPath.java:40:27:40:40 | filenameReader : BufferedReader | semmle.label | filenameReader : BufferedReader |
| TaintedPath.java:40:27:40:51 | readLine(...) : String | semmle.label | readLine(...) : String |
| TaintedPath.java:43:46:43:53 | filename | semmle.label | filename |
| Test.java:19:18:19:38 | getHostName(...) : String | semmle.label | getHostName(...) : String |
| Test.java:24:20:24:23 | temp | semmle.label | temp |
| Test.java:27:21:27:24 | temp | semmle.label | temp |
| Test.java:30:44:30:47 | temp | semmle.label | temp |
| Test.java:34:21:34:24 | temp | semmle.label | temp |
| Test.java:79:33:79:99 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
| Test.java:79:52:79:98 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
| Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
| Test.java:80:31:80:32 | br : BufferedReader | semmle.label | br : BufferedReader |
| Test.java:80:31:80:43 | readLine(...) : String | semmle.label | readLine(...) : String |
| Test.java:82:67:82:81 | ... + ... | semmle.label | ... + ... |
| Test.java:88:17:88:37 | getHostName(...) : String | semmle.label | getHostName(...) : String |
| Test.java:90:26:90:29 | temp | semmle.label | temp |
| Test.java:95:14:95:34 | getHostName(...) : String | semmle.label | getHostName(...) : String |
| Test.java:97:12:97:33 | new URI(...) | semmle.label | new URI(...) |
| Test.java:97:26:97:26 | t : String | semmle.label | t : String |
| Test.java:98:12:98:33 | new URI(...) | semmle.label | new URI(...) |
| Test.java:98:23:98:23 | t : String | semmle.label | t : String |
| Test.java:99:12:99:33 | new URI(...) | semmle.label | new URI(...) |
| Test.java:99:29:99:29 | t : String | semmle.label | t : String |
| Test.java:100:12:100:45 | new URI(...) | semmle.label | new URI(...) |
| Test.java:100:32:100:32 | t : String | semmle.label | t : String |
| Test.java:101:12:101:54 | new URI(...) | semmle.label | new URI(...) |
| Test.java:101:41:101:41 | t : String | semmle.label | t : String |
| mad/Test.java:40:16:40:36 | getHostName(...) : String | semmle.label | getHostName(...) : String |
| mad/Test.java:45:52:45:68 | (...)... | semmle.label | (...)... |
| mad/Test.java:45:61:45:68 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:47:32:47:48 | (...)... | semmle.label | (...)... |
| mad/Test.java:47:41:47:48 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:49:47:49:63 | (...)... | semmle.label | (...)... |
| mad/Test.java:49:56:49:63 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:51:39:51:53 | (...)... | semmle.label | (...)... |
| mad/Test.java:51:46:51:53 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:53:31:53:45 | (...)... | semmle.label | (...)... |
| mad/Test.java:53:38:53:45 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:55:29:55:43 | (...)... | semmle.label | (...)... |
| mad/Test.java:55:36:55:43 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:57:24:57:38 | (...)... | semmle.label | (...)... |
| mad/Test.java:57:31:57:38 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:59:24:59:40 | (...)... | semmle.label | (...)... |
| mad/Test.java:59:33:59:40 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:61:20:61:34 | (...)... | semmle.label | (...)... |
| mad/Test.java:61:27:61:34 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:63:20:63:34 | (...)... | semmle.label | (...)... |
| mad/Test.java:63:27:63:34 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:65:33:65:47 | (...)... | semmle.label | (...)... |
| mad/Test.java:65:40:65:47 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:67:40:67:54 | (...)... | semmle.label | (...)... |
| mad/Test.java:67:47:67:54 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:69:33:69:47 | (...)... | semmle.label | (...)... |
| mad/Test.java:69:40:69:47 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:71:31:71:45 | (...)... | semmle.label | (...)... |
| mad/Test.java:71:38:71:45 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:73:26:73:40 | (...)... | semmle.label | (...)... |
| mad/Test.java:73:33:73:40 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:75:26:75:40 | (...)... | semmle.label | (...)... |
| mad/Test.java:75:33:75:40 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:77:34:77:48 | (...)... | semmle.label | (...)... |
| mad/Test.java:77:41:77:48 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:79:35:79:49 | (...)... | semmle.label | (...)... |
| mad/Test.java:79:42:79:49 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:81:30:81:44 | (...)... | semmle.label | (...)... |
| mad/Test.java:81:37:81:44 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:83:22:83:36 | (...)... | semmle.label | (...)... |
| mad/Test.java:83:29:83:36 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:85:30:85:44 | (...)... | semmle.label | (...)... |
| mad/Test.java:85:37:85:44 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:87:21:87:35 | (...)... | semmle.label | (...)... |
| mad/Test.java:87:28:87:35 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:89:26:89:40 | (...)... | semmle.label | (...)... |
| mad/Test.java:89:33:89:40 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:91:33:91:47 | (...)... | semmle.label | (...)... |
| mad/Test.java:91:40:91:47 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:93:33:93:47 | (...)... | semmle.label | (...)... |
| mad/Test.java:93:40:93:47 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:94:33:94:47 | (...)... | semmle.label | (...)... |
| mad/Test.java:94:40:94:47 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:96:31:96:45 | (...)... | semmle.label | (...)... |
| mad/Test.java:96:38:96:45 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:98:21:98:35 | (...)... | semmle.label | (...)... |
| mad/Test.java:98:28:98:35 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:99:21:99:35 | (...)... | semmle.label | (...)... |
| mad/Test.java:99:28:99:35 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:100:21:100:35 | (...)... | semmle.label | (...)... |
| mad/Test.java:100:28:100:35 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:102:27:102:41 | (...)... | semmle.label | (...)... |
| mad/Test.java:102:34:102:41 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:103:27:103:41 | (...)... | semmle.label | (...)... |
| mad/Test.java:103:34:103:41 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:105:26:105:40 | (...)... | semmle.label | (...)... |
| mad/Test.java:105:33:105:40 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:107:35:107:49 | (...)... | semmle.label | (...)... |
| mad/Test.java:107:42:107:49 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:109:41:109:57 | (...)... | semmle.label | (...)... |
| mad/Test.java:109:50:109:57 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:111:45:111:61 | (...)... | semmle.label | (...)... |
| mad/Test.java:111:54:111:61 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:113:43:113:57 | (...)... | semmle.label | (...)... |
| mad/Test.java:113:50:113:57 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:115:28:115:42 | (...)... | semmle.label | (...)... |
| mad/Test.java:115:35:115:42 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:117:41:117:55 | (...)... | semmle.label | (...)... |
| mad/Test.java:117:48:117:55 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:119:28:119:44 | (...)... | semmle.label | (...)... |
| mad/Test.java:119:37:119:44 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:121:28:121:42 | (...)... | semmle.label | (...)... |
| mad/Test.java:121:35:121:42 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:123:46:123:62 | (...)... | semmle.label | (...)... |
| mad/Test.java:123:55:123:62 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:125:40:125:54 | (...)... | semmle.label | (...)... |
| mad/Test.java:125:47:125:54 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:127:40:127:54 | (...)... | semmle.label | (...)... |
| mad/Test.java:127:47:127:54 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:131:26:131:42 | (...)... | semmle.label | (...)... |
| mad/Test.java:131:35:131:42 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:135:49:135:63 | (...)... | semmle.label | (...)... |
| mad/Test.java:135:56:135:63 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:137:49:137:63 | (...)... | semmle.label | (...)... |
| mad/Test.java:137:56:137:63 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:141:52:141:66 | (...)... | semmle.label | (...)... |
| mad/Test.java:141:59:141:66 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:143:52:143:66 | (...)... | semmle.label | (...)... |
| mad/Test.java:143:59:143:66 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:145:49:145:65 | (...)... | semmle.label | (...)... |
| mad/Test.java:145:58:145:65 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:147:25:147:41 | (...)... | semmle.label | (...)... |
| mad/Test.java:147:34:147:41 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:149:25:149:41 | (...)... | semmle.label | (...)... |
| mad/Test.java:149:34:149:41 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:151:35:151:51 | (...)... | semmle.label | (...)... |
| mad/Test.java:151:44:151:51 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:153:24:153:38 | (...)... | semmle.label | (...)... |
| mad/Test.java:153:31:153:38 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:155:37:155:53 | (...)... | semmle.label | (...)... |
| mad/Test.java:155:46:155:53 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:157:37:157:53 | (...)... | semmle.label | (...)... |
| mad/Test.java:157:46:157:53 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:159:58:159:74 | (...)... | semmle.label | (...)... |
| mad/Test.java:159:67:159:74 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:161:58:161:74 | (...)... | semmle.label | (...)... |
| mad/Test.java:161:67:161:74 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:163:64:163:80 | (...)... | semmle.label | (...)... |
| mad/Test.java:163:73:163:80 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:166:28:166:44 | (...)... | semmle.label | (...)... |
| mad/Test.java:166:37:166:44 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:168:39:168:55 | (...)... | semmle.label | (...)... |
| mad/Test.java:168:48:168:55 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:170:45:170:61 | (...)... | semmle.label | (...)... |
| mad/Test.java:170:54:170:61 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:172:60:172:76 | (...)... | semmle.label | (...)... |
| mad/Test.java:172:69:172:76 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:174:40:174:54 | (...)... | semmle.label | (...)... |
| mad/Test.java:174:47:174:54 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:176:40:176:56 | (...)... | semmle.label | (...)... |
| mad/Test.java:176:49:176:56 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:178:55:178:71 | (...)... | semmle.label | (...)... |
| mad/Test.java:178:64:178:71 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:180:40:180:56 | (...)... | semmle.label | (...)... |
| mad/Test.java:180:49:180:56 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:182:55:182:71 | (...)... | semmle.label | (...)... |
| mad/Test.java:182:64:182:71 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:184:54:184:68 | (...)... | semmle.label | (...)... |
| mad/Test.java:184:61:184:68 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:190:30:190:44 | (...)... | semmle.label | (...)... |
| mad/Test.java:190:37:190:44 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:192:40:192:81 | (...)... | semmle.label | (...)... |
| mad/Test.java:192:74:192:81 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:194:34:194:75 | (...)... | semmle.label | (...)... |
| mad/Test.java:194:68:194:75 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:196:34:196:75 | (...)... | semmle.label | (...)... |
| mad/Test.java:196:68:196:75 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:198:23:198:37 | (...)... | semmle.label | (...)... |
| mad/Test.java:198:30:198:37 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:203:23:203:37 | (...)... | semmle.label | (...)... |
| mad/Test.java:203:30:203:37 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:208:23:208:40 | (...)... | semmle.label | (...)... |
| mad/Test.java:208:33:208:40 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:210:20:210:34 | (...)... | semmle.label | (...)... |
| mad/Test.java:210:27:210:34 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:212:21:212:35 | (...)... | semmle.label | (...)... |
| mad/Test.java:212:28:212:35 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:214:22:214:36 | (...)... | semmle.label | (...)... |
| mad/Test.java:214:29:214:36 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:219:20:219:34 | (...)... | semmle.label | (...)... |
| mad/Test.java:219:27:219:34 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:221:19:221:33 | (...)... | semmle.label | (...)... |
| mad/Test.java:221:26:221:33 | source(...) : String | semmle.label | source(...) : String |
| mad/Test.java:226:20:226:36 | (...)... | semmle.label | (...)... |
| mad/Test.java:226:29:226:36 | source(...) : String | semmle.label | source(...) : String |
subpaths
#select
| TaintedPath.java:15:53:15:76 | new FileReader(...) | TaintedPath.java:12:79:12:99 | getInputStream(...) : InputStream | TaintedPath.java:15:68:15:75 | filename | This path depends on a $@. | TaintedPath.java:12:79:12:99 | getInputStream(...) | user-provided value |
| TaintedPath.java:43:25:43:54 | resolve(...) | TaintedPath.java:39:39:39:59 | getInputStream(...) : InputStream | TaintedPath.java:43:46:43:53 | filename | This path depends on a $@. | TaintedPath.java:39:39:39:59 | getInputStream(...) | user-provided value |
| Test.java:24:11:24:24 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp | This path depends on a $@. | Test.java:19:18:19:38 | getHostName(...) | user-provided value |
| Test.java:27:11:27:25 | get(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:27:21:27:24 | temp | This path depends on a $@. | Test.java:19:18:19:38 | getHostName(...) | user-provided value |
| Test.java:30:11:30:48 | getPath(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:30:44:30:47 | temp | This path depends on a $@. | Test.java:19:18:19:38 | getHostName(...) | user-provided value |
| Test.java:34:12:34:25 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:34:21:34:24 | temp | This path depends on a $@. | Test.java:19:18:19:38 | getHostName(...) | user-provided value |
| Test.java:82:52:82:88 | new FileWriter(...) | Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:82:67:82:81 | ... + ... | This path depends on a $@. | Test.java:79:74:79:97 | getInputStream(...) | user-provided value |
| Test.java:90:26:90:29 | temp | Test.java:88:17:88:37 | getHostName(...) : String | Test.java:90:26:90:29 | temp | This path depends on a $@. | Test.java:88:17:88:37 | getHostName(...) | user-provided value |
| Test.java:97:3:97:34 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:12:97:33 | new URI(...) | This path depends on a $@. | Test.java:95:14:95:34 | getHostName(...) | user-provided value |
| Test.java:98:3:98:34 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:12:98:33 | new URI(...) | This path depends on a $@. | Test.java:95:14:95:34 | getHostName(...) | user-provided value |
| Test.java:99:3:99:34 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:12:99:33 | new URI(...) | This path depends on a $@. | Test.java:95:14:95:34 | getHostName(...) | user-provided value |
| Test.java:100:3:100:46 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:100:12:100:45 | new URI(...) | This path depends on a $@. | Test.java:95:14:95:34 | getHostName(...) | user-provided value |
| Test.java:101:3:101:55 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:101:12:101:54 | new URI(...) | This path depends on a $@. | Test.java:95:14:95:34 | getHostName(...) | user-provided value |
| mad/Test.java:45:52:45:68 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:45:52:45:68 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:47:32:47:48 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:47:32:47:48 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:49:47:49:63 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:49:47:49:63 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:51:39:51:53 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:51:39:51:53 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:53:31:53:45 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:53:31:53:45 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:55:29:55:43 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:55:29:55:43 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:57:24:57:38 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:57:24:57:38 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:59:9:59:41 | new FileReader(...) | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:59:24:59:40 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:61:20:61:34 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:61:20:61:34 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:63:20:63:34 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:63:20:63:34 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:65:33:65:47 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:65:33:65:47 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:67:40:67:54 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:67:40:67:54 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:69:33:69:47 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:69:33:69:47 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:71:31:71:45 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:71:31:71:45 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:73:26:73:40 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:73:26:73:40 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:75:26:75:40 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:75:26:75:40 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:77:34:77:48 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:77:34:77:48 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:79:35:79:49 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:79:35:79:49 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:81:30:81:44 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:81:30:81:44 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:83:22:83:36 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:83:22:83:36 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:85:30:85:44 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:85:30:85:44 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:87:21:87:35 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:87:21:87:35 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:89:26:89:40 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:89:26:89:40 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:91:33:91:47 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:91:33:91:47 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:93:33:93:47 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:93:33:93:47 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:94:33:94:47 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:94:33:94:47 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:96:31:96:45 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:96:31:96:45 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:98:21:98:35 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:98:21:98:35 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:99:21:99:35 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:99:21:99:35 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:100:21:100:35 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:100:21:100:35 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:102:27:102:41 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:102:27:102:41 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:103:27:103:41 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:103:27:103:41 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:105:26:105:40 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:105:26:105:40 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:107:35:107:49 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:107:35:107:49 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:109:41:109:57 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:109:41:109:57 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:111:45:111:61 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:111:45:111:61 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:113:43:113:57 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:113:43:113:57 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:115:28:115:42 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:115:28:115:42 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:117:41:117:55 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:117:41:117:55 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:119:28:119:44 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:119:28:119:44 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:121:28:121:42 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:121:28:121:42 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:123:46:123:62 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:123:46:123:62 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:125:40:125:54 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:125:40:125:54 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:127:40:127:54 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:127:40:127:54 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:131:26:131:42 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:131:26:131:42 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:135:49:135:63 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:135:49:135:63 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:137:49:137:63 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:137:49:137:63 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:141:52:141:66 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:141:52:141:66 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:143:52:143:66 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:143:52:143:66 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:145:49:145:65 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:145:49:145:65 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:147:25:147:41 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:147:25:147:41 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:149:25:149:41 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:149:25:149:41 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:151:35:151:51 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:151:35:151:51 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:153:24:153:38 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:153:24:153:38 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:155:37:155:53 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:155:37:155:53 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:157:37:157:53 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:157:37:157:53 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:159:58:159:74 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:159:58:159:74 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:161:58:161:74 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:161:58:161:74 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:163:64:163:80 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:163:64:163:80 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:166:28:166:44 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:166:28:166:44 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:168:39:168:55 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:168:39:168:55 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:170:45:170:61 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:170:45:170:61 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:172:60:172:76 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:172:60:172:76 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:174:40:174:54 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:174:40:174:54 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:176:40:176:56 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:176:40:176:56 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:178:55:178:71 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:178:55:178:71 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:180:40:180:56 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:180:40:180:56 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:182:55:182:71 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:182:55:182:71 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:184:54:184:68 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:184:54:184:68 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:190:30:190:44 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:190:30:190:44 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:192:40:192:81 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:192:40:192:81 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:194:34:194:75 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:194:34:194:75 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:196:34:196:75 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:196:34:196:75 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:198:23:198:37 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:198:23:198:37 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:203:23:203:37 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:203:23:203:37 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:208:23:208:40 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:208:23:208:40 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:210:20:210:34 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:210:20:210:34 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:212:21:212:35 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:212:21:212:35 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:214:22:214:36 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:214:22:214:36 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:219:20:219:34 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:219:20:219:34 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:221:19:221:33 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:221:19:221:33 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |
| mad/Test.java:226:20:226:36 | (...)... | mad/Test.java:40:16:40:36 | getHostName(...) : String | mad/Test.java:226:20:226:36 | (...)... | This path depends on a $@. | mad/Test.java:40:16:40:36 | getHostName(...) | user-provided value |

40
java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java
View File

@@ -9,25 +9,27 @@ import java.nio.file.Paths;
public class TaintedPath {
public void sendUserFile(Socket sock, String user) throws IOException {
BufferedReader filenameReader = new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
String filename = filenameReader.readLine();
// BAD: read from a file without checking its path
BufferedReader fileReader = new BufferedReader(new FileReader(filename));
BufferedReader filenameReader =
new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
String filename = filenameReader.readLine();
// BAD: read from a file without checking its path
BufferedReader fileReader = new BufferedReader(new FileReader(filename)); // $ hasTaintFlow
String fileLine = fileReader.readLine();
while(fileLine != null) {
sock.getOutputStream().write(fileLine.getBytes());
fileLine = fileReader.readLine();
while (fileLine != null) {
sock.getOutputStream().write(fileLine.getBytes());
fileLine = fileReader.readLine();
}
}
public void sendUserFileGood(Socket sock, String user) throws IOException {
BufferedReader filenameReader = new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
BufferedReader filenameReader =
new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
String filename = filenameReader.readLine();
// GOOD: ensure that the file is in a designated folder in the user's home directory
if (!filename.contains("..") && filename.startsWith("/home/" + user + "/public/")) {
BufferedReader fileReader = new BufferedReader(new FileReader(filename));
String fileLine = fileReader.readLine();
while(fileLine != null) {
while (fileLine != null) {
sock.getOutputStream().write(fileLine.getBytes());
fileLine = fileReader.readLine();
}
@@ -35,28 +37,28 @@ public class TaintedPath {
}
public void sendUserFileGood2(Socket sock, String user) throws Exception {
BufferedReader filenameReader = new BufferedReader(
new InputStreamReader(sock.getInputStream(), "UTF-8"));
BufferedReader filenameReader =
new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
String filename = filenameReader.readLine();
Path publicFolder = Paths.get("/home/" + user + "/public").normalize().toAbsolutePath();
Path filePath = publicFolder.resolve(filename).normalize().toAbsolutePath(); // FP until the path-injection sinks are reworked
Path filePath = publicFolder.resolve(filename).normalize().toAbsolutePath();
// GOOD: ensure that the path stays within the public folder
if (!filePath.startsWith(publicFolder + File.separator)) {
throw new IllegalArgumentException("Invalid filename");
}
BufferedReader fileReader = new BufferedReader(new FileReader(filePath.toString()));
String fileLine = fileReader.readLine();
while(fileLine != null) {
while (fileLine != null) {
sock.getOutputStream().write(fileLine.getBytes());
fileLine = fileReader.readLine();
}
}
public void sendUserFileGood3(Socket sock, String user) throws Exception {
BufferedReader filenameReader = new BufferedReader(
new InputStreamReader(sock.getInputStream(), "UTF-8"));
BufferedReader filenameReader =
new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
String filename = filenameReader.readLine();
// GOOD: ensure that the filename has no path separators or parent directory references
if (filename.contains("..") || filename.contains("/") || filename.contains("\\")) {
@@ -64,9 +66,9 @@ public class TaintedPath {
}
BufferedReader fileReader = new BufferedReader(new FileReader(filename));
String fileLine = fileReader.readLine();
while(fileLine != null) {
while (fileLine != null) {
sock.getOutputStream().write(fileLine.getBytes());
fileLine = fileReader.readLine();
}
}
}
}

4
java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.ql Normal file
View File

@@ -0,0 +1,4 @@
import java
import TestUtilities.InlineFlowTest
import semmle.code.java.security.TaintedPathQuery
import TaintFlowTest<TaintedPathConfig>

1
java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.qlref
View File

@@ -1 +0,0 @@
Security/CWE/CWE-022/TaintedPath.ql

252
java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
View File

@@ -1,112 +1,166 @@
// Semmle test case for CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
// http://cwe.mitre.org/data/definitions/22.html
package test.cwe22.semmle.tests;
import javax.servlet.http.*;
import javax.servlet.ServletException;
import java.io.*;
import java.net.*;
import java.io.File;
import java.io.FileDescriptor;
import java.io.FileInputStream;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.URL;
import java.nio.charset.Charset;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.FileSystems;
import javax.xml.transform.stream.StreamResult;
import org.apache.commons.io.FileUtils;
import org.apache.tools.ant.AntClassLoader;
import org.apache.tools.ant.DirectoryScanner;
import org.apache.tools.ant.taskdefs.Copy;
import org.apache.tools.ant.taskdefs.Expand;
import org.apache.tools.ant.types.FileSet;
import org.codehaus.cargo.container.installer.ZipURLInstaller;
import org.kohsuke.stapler.framework.io.LargeText;
import org.openjdk.jmh.runner.options.ChainedOptionsBuilder;
import org.springframework.util.FileCopyUtils;
import org.apache.commons.io.output.LockableFileWriter;
public class Test {
class Test {
void doGet1(InetAddress address)
throws IOException {
String temp = address.getHostName();
File file;
Path path;
private InetAddress address;
// BAD: construct a file path with user input
file = new File(temp);
public Object source() {
return address.getHostName();
}
// BAD: construct a path with user input
path = Paths.get(temp);
void test() throws IOException {
// "java.lang;Module;true;getResourceAsStream;(String);;Argument[0];read-file;ai-generated"
getClass().getModule().getResourceAsStream((String) source()); // $ hasTaintFlow
// "java.lang;Class;false;getResource;(String);;Argument[0];read-file;ai-generated"
getClass().getResource((String) source()); // $ hasTaintFlow
// "java.lang;ClassLoader;true;getSystemResourceAsStream;(String);;Argument[0];read-file;ai-generated"
ClassLoader.getSystemResourceAsStream((String) source()); // $ hasTaintFlow
// "java.io;File;true;createTempFile;(String,String,File);;Argument[2];create-file;ai-generated"
File.createTempFile(";", ";", (File) source()); // $ hasTaintFlow
// "java.io;File;true;renameTo;(File);;Argument[0];create-file;ai-generated"
new File("").renameTo((File) source()); // $ hasTaintFlow
// "java.io;FileInputStream;true;FileInputStream;(File);;Argument[0];read-file;ai-generated"
new FileInputStream((File) source()); // $ hasTaintFlow
// "java.io;FileInputStream;true;FileInputStream;(FileDescriptor);;Argument[0];read-file;manual"
new FileInputStream((FileDescriptor) source()); // $ hasTaintFlow
// "java.io;FileInputStream;true;FileInputStream;(Strrirng);;Argument[0];read-file;manual"
new FileInputStream((String) source()); // $ hasTaintFlow
// "java.io;FileReader;true;FileReader;(File);;Argument[0];read-file;ai-generated"
new FileReader((File) source()); // $ hasTaintFlow
// "java.io;FileReader;true;FileReader;(FileDescriptor);;Argument[0];read-file;manual"
new FileReader((FileDescriptor) source()); // $ hasTaintFlow
// "java.io;FileReader;true;FileReader;(File,Charset);;Argument[0];read-file;manual"
new FileReader((File) source(), null); // $ hasTaintFlow
// "java.io;FileReader;true;FileReader;(String);;Argument[0];read-file;ai-generated"
new FileReader((String) source()); // $ hasTaintFlow
// "java.io;FileReader;true;FileReader;(String,Charset);;Argument[0];read-file;manual"
new FileReader((String) source(), null); // $ hasTaintFlow
// "java.nio.file;Files;false;copy;;;Argument[0];read-file;manual"
Files.copy((Path) source(), (Path) null); // $ hasTaintFlow
Files.copy((Path) source(), (OutputStream) null); // $ hasTaintFlow
// "java.nio.file;Files;false;copy;;;Argument[1];create-file;manual"
Files.copy((Path) null, (Path) source()); // $ hasTaintFlow
Files.copy((InputStream) null, (Path) source()); // $ hasTaintFlow
// "java.nio.file;Files;false;createDirectories;;;Argument[0];create-file;manual"
Files.createDirectories((Path) source()); // $ hasTaintFlow
// "java.nio.file;Files;false;createDirectory;;;Argument[0];create-file;manual"
Files.createDirectory((Path) source()); // $ hasTaintFlow
// "java.nio.file;Files;false;createFile;;;Argument[0];create-file;manual"
Files.createFile((Path) source()); // $ hasTaintFlow
// "java.nio.file;Files;false;createLink;;;Argument[0];create-file;manual"
Files.createLink((Path) source(), null); // $ hasTaintFlow
// "java.nio.file;Files;false;createSymbolicLink;;;Argument[0];create-file;manual"
Files.createSymbolicLink((Path) source(), null); // $ hasTaintFlow
// "java.nio.file;Files;false;createTempDirectory;(Path,String,FileAttribute[]);;Argument[0];create-file;manual"
Files.createTempDirectory((Path) source(), null); // $ hasTaintFlow
// "java.nio.file;Files;false;createTempFile;(Path,String,String,FileAttribute[]);;Argument[0];create-file;manual"
Files.createTempFile((Path) source(), null, null); // $ hasTaintFlow
// "java.nio.file;Files;false;delete;(Path);;Argument[0];delete-file;ai-generated"
Files.delete((Path) source()); // $ hasTaintFlow
// "java.nio.file;Files;false;deleteIfExists;(Path);;Argument[0];delete-file;ai-generated"
Files.deleteIfExists((Path) source()); // $ hasTaintFlow
// "java.nio.file;Files;false;lines;(Path,Charset);;Argument[0];read-file;ai-generated"
Files.lines((Path) source(), null); // $ hasTaintFlow
// "java.nio.file;Files;false;move;;;Argument[1];create-file;manual"
Files.move(null, (Path) source()); // $ hasTaintFlow
// "java.nio.file;Files;false;newBufferedReader;(Path,Charset);;Argument[0];read-file;ai-generated"
Files.newBufferedReader((Path) source(), null); // $ hasTaintFlow
// "java.nio.file;Files;false;newBufferedWriter;;;Argument[0];create-file;manual"
Files.newBufferedWriter((Path) source()); // $ hasTaintFlow
Files.newBufferedWriter((Path) source(), (Charset) null); // $ hasTaintFlow
// "java.nio.file;Files;false;newOutputStream;;;Argument[0];create-file;manual"
Files.newOutputStream((Path) source()); // $ hasTaintFlow
// "java.nio.file;Files;false;write;;;Argument[0];create-file;manual"
Files.write((Path) source(), (byte[]) null); // $ hasTaintFlow
Files.write((Path) source(), (Iterable<CharSequence>) null); // $ hasTaintFlow
Files.write((Path) source(), (Iterable<CharSequence>) null, (Charset) null); // $ hasTaintFlow
// "java.nio.file;Files;false;writeString;;;Argument[0];create-file;manual"
Files.writeString((Path) source(), (CharSequence) null); // $ hasTaintFlow
Files.writeString((Path) source(), (CharSequence) null, (Charset) null); // $ hasTaintFlow
// "javax.xml.transform.stream;StreamResult";true;"StreamResult;(File);;Argument[0];create-file;ai-generated"
new StreamResult((File) source()); // $ hasTaintFlow
// "org.apache.commons.io;FileUtils;true;openInputStream;(File);;Argument[0];read-file;ai-generated"
FileUtils.openInputStream((File) source()); // $ hasTaintFlow
// "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[1];create-file;ai-generated"
new ZipURLInstaller((URL) null, (String) source(), ""); // $ hasTaintFlow
// "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[2];create-file;ai-generated"
new ZipURLInstaller((URL) null, "", (String) source()); // $ hasTaintFlow
// "org.springframework.util;FileCopyUtils;false;copy;(byte[],File);;Argument[1];create-file;manual"
FileCopyUtils.copy((byte[]) null, (File) source()); // $ hasTaintFlow
// "org.springframework.util;FileCopyUtils;false;copy;(File,File);;Argument[0];create-file;manual"
FileCopyUtils.copy((File) source(), null); // $ hasTaintFlow
// "org.springframework.util;FileCopyUtils;false;copy;(File,File);;Argument[1];create-file;manual"
FileCopyUtils.copy((File) null, (File) source()); // $ hasTaintFlow
}
// BAD: construct a path with user input
path = FileSystems.getDefault().getPath(temp);
void test(AntClassLoader acl) {
// "org.apache.tools.ant;AntClassLoader;true;addPathComponent;(File);;Argument[0];read-file;ai-generated"
acl.addPathComponent((File) source()); // $ hasTaintFlow
// "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(ClassLoader,Project,Path,boolean);;Argument[2];read-file;ai-generated"
new AntClassLoader(null, null, (org.apache.tools.ant.types.Path) source(), false); // $ hasTaintFlow
// "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(Project,Path,boolean);;Argument[1];read-file;ai-generated"
new AntClassLoader(null, (org.apache.tools.ant.types.Path) source(), false); // $ hasTaintFlow
// "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(Project,Path);;Argument[1];read-file;ai-generated"
new AntClassLoader(null, (org.apache.tools.ant.types.Path) source()); // $ hasTaintFlow
// "org.kohsuke.stapler.framework.io;LargeText;true;LargeText;(File,Charset,boolean,boolean);;Argument[0];read-file;ai-generated"
new LargeText((File) source(), null, false, false); // $ hasTaintFlow
}
// BAD: insufficient check
if (temp.startsWith("/some_safe_dir/")) {
file = new File(temp);
}
}
void doGet2(InetAddress address)
throws IOException {
String temp = address.getHostName();
File file;
// GOOD: check string is safe
if(isSafe(temp))
file = new File(temp);
}
void doGet3(InetAddress address)
throws IOException {
String temp = address.getHostName();
File file;
// FALSE NEGATIVE: inadequate check - fails to account
// for '.'s
if(isSortOfSafe(temp))
file = new File(temp);
}
boolean isSafe(String pathSpec) {
// no file separators
if (pathSpec.contains(File.separator))
return false;
// at most one dot
int indexOfDot = pathSpec.indexOf('.');
if (indexOfDot != -1 && pathSpec.indexOf('.', indexOfDot + 1) != -1)
return false;
return true;
}
boolean isSortOfSafe(String pathSpec) {
// no file separators
if (pathSpec.contains(File.separator))
return false;
return true;
}
public class MyServlet extends HttpServlet {
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
BufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));
String filename = br.readLine();
// BAD: construct a file path with user input
BufferedWriter bw = new BufferedWriter(new FileWriter("dir/"+filename, true));
void doGet6(String root, InetAddress address) throws IOException {
String temp = address.getHostName();
// GOOD: Use `contains` and `startsWith` to check if the path is safe
if (!temp.contains("..") && temp.startsWith(root + "/")) {
File file = new File(temp);
}
}
void doGet4(InetAddress address)
throws IOException {
String temp = address.getHostName();
// BAD: open a file based on user input, using a MaD-documented API
new LockableFileWriter(temp);
}
void test(DirectoryScanner ds) {
// "org.apache.tools.ant;DirectoryScanner;true;setBasedir;(File);;Argument[0];read-file;ai-generated"
ds.setBasedir((File) source()); // $ hasTaintFlow
}
void doGet5(InetAddress address)
throws URISyntaxException {
String t = address.getHostName();
// BAD: construct a file path with user input
new File(new URI(null, t, null));
new File(new URI(t, t, null, t));
new File(new URI(t, null, t, t));
new File(new URI(null, null, t, null, null));
new File(new URI(null, null, null, 0, t, null, null));
}
void test(Copy cp) {
// "org.apache.tools.ant.taskdefs;Copy;true;addFileset;(FileSet);;Argument[0];read-file;ai-generated"
cp.addFileset((FileSet) source()); // $ hasTaintFlow
// "org.apache.tools.ant.taskdefs;Copy;true;setFile;(File);;Argument[0];read-file;ai-generated"
cp.setFile((File) source()); // $ hasTaintFlow
// "org.apache.tools.ant.taskdefs;Copy;true;setTodir;(File);;Argument[0];create-file;ai-generated"
cp.setTodir((File) source()); // $ hasTaintFlow
// "org.apache.tools.ant.taskdefs;Copy;true;setTofile;(File);;Argument[0];create-file;ai-generated"
cp.setTofile((File) source()); // $ hasTaintFlow
}
void doGet6(String root, InetAddress address)
throws IOException{
String temp = address.getHostName();
// GOOD: Use `contains` and `startsWith` to check if the path is safe
if (!temp.contains("..") && temp.startsWith(root + "/")) {
File file = new File(temp);
}
}
void test(Expand ex) {
// "org.apache.tools.ant.taskdefs;Expand;true;setDest;(File);;Argument[0];create-file;ai-generated"
ex.setDest((File) source()); // $ hasTaintFlow
// "org.apache.tools.ant.taskdefs;Expand;true;setSrc;(File);;Argument[0];read-file;ai-generated"
ex.setSrc((File) source()); // $ hasTaintFlow
}
void test(ChainedOptionsBuilder cob) {
// "org.openjdk.jmh.runner.options;ChainedOptionsBuilder;true;result;(String);;Argument[0];create-file;ai-generated"
cob.result((String) source()); // $ hasTaintFlow
}
}

228
java/ql/test/query-tests/security/CWE-022/semmle/tests/mad/Test.java
View File

@@ -1,228 +0,0 @@
import java.io.File;
import java.io.FileInputStream;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.URL;
import java.nio.charset.Charset;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.activation.FileDataSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.common.jaxb.JAXBUtils;
import org.apache.cxf.configuration.jsse.SSLUtils;
import org.apache.cxf.resource.ExtendedURIResolver;
import org.apache.cxf.resource.URIResolver;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.cxf.tools.corba.utils.FileOutputStreamFactory;
import org.apache.cxf.tools.corba.utils.OutputStreamFactory;
import org.apache.cxf.tools.util.FileWriterUtil;
import org.apache.cxf.tools.util.OutputStreamCreator;
import org.apache.commons.io.FileUtils;
import org.apache.tools.ant.AntClassLoader;
import org.apache.tools.ant.DirectoryScanner;
import org.apache.tools.ant.taskdefs.Copy;
import org.apache.tools.ant.taskdefs.Expand;
import org.apache.tools.ant.types.FileSet;
import org.codehaus.cargo.container.installer.ZipURLInstaller;
import org.kohsuke.stapler.framework.io.LargeText;
import org.openjdk.jmh.runner.options.ChainedOptionsBuilder;
import org.springframework.util.FileCopyUtils;
public class Test {
private InetAddress address;
public Object source() {
return address.getHostName();
}
void test() throws IOException {
// "java.lang;Module;true;getResourceAsStream;(String);;Argument[0];read-file;ai-generated"
getClass().getModule().getResourceAsStream((String) source());
// "java.lang;Class;false;getResource;(String);;Argument[0];read-file;ai-generated"
getClass().getResource((String) source());
// "java.lang;ClassLoader;true;getSystemResourceAsStream;(String);;Argument[0];read-file;ai-generated"
ClassLoader.getSystemResourceAsStream((String) source());
// "java.io;File;true;createTempFile;(String,String,File);;Argument[2];create-file;ai-generated"
File.createTempFile(";", ";", (File) source());
// "java.io;File;true;renameTo;(File);;Argument[0];create-file;ai-generated"
new File("").renameTo((File) source());
// "java.io;FileInputStream;true;FileInputStream;(File);;Argument[0];read-file;ai-generated"
new FileInputStream((File) source());
// "java.io;FileReader;true;FileReader;(File);;Argument[0];read-file;ai-generated"
new FileReader((File) source());
// "java.io;FileReader;true;FileReader;(String);;Argument[0];read-file;ai-generated"
new FileReader((String) source());
// "java.nio.file;Files;false;copy;(Path,OutputStream);;Argument[0];read-file;manual"
Files.copy((Path) source(), (OutputStream) null);
// "java.nio.file;Files;false;copy;(Path,Path,CopyOption[]);;Argument[0];read-file;manual"
Files.copy((Path) source(), (Path) null);
// "java.nio.file;Files;false;copy;(Path,Path,CopyOption[]);;Argument[1];create-file;manual"
Files.copy((Path) null, (Path) source());
// "java.nio.file;Files;false;copy;(InputStream,Path,CopyOption[]);;Argument[1];create-file;manual"
Files.copy((InputStream) null, (Path) source());
// "java.nio.file;Files;false;createDirectories;;;Argument[0];create-file;manual"
Files.createDirectories((Path) source());
// "java.nio.file;Files;false;createDirectory;;;Argument[0];create-file;manual"
Files.createDirectory((Path) source());
// "java.nio.file;Files;false;createFile;;;Argument[0];create-file;manual"
Files.createFile((Path) source());
// "java.nio.file;Files;false;createLink;;;Argument[0];create-file;manual"
Files.createLink((Path) source(), null);
// "java.nio.file;Files;false;createSymbolicLink;;;Argument[0];create-file;manual"
Files.createSymbolicLink((Path) source(), null);
// "java.nio.file;Files;false;createTempDirectory;(Path,String,FileAttribute[]);;Argument[0];create-file;manual"
Files.createTempDirectory((Path) source(), null);
// "java.nio.file;Files;false;createTempFile;(Path,String,String,FileAttribute[]);;Argument[0];create-file;manual"
Files.createTempFile((Path) source(), null, null);
// "java.nio.file;Files;false;delete;(Path);;Argument[0];delete-file;ai-generated"
Files.delete((Path) source());
// "java.nio.file;Files;false;deleteIfExists;(Path);;Argument[0];delete-file;ai-generated"
Files.deleteIfExists((Path) source());
// "java.nio.file;Files;false;lines;(Path,Charset);;Argument[0];read-file;ai-generated"
Files.lines((Path) source(), null);
// "java.nio.file;Files;false;move;;;Argument[1];create-file;manual"
Files.move(null, (Path) source());
// "java.nio.file;Files;false;newBufferedReader;(Path,Charset);;Argument[0];read-file;ai-generated"
Files.newBufferedReader((Path) source(), null);
// "java.nio.file;Files;false;newBufferedWriter;;;Argument[0];create-file;manual"
Files.newBufferedWriter((Path) source());
Files.newBufferedWriter((Path) source(), (Charset) null);
// "java.nio.file;Files;false;newOutputStream;;;Argument[0];create-file;manual"
Files.newOutputStream((Path) source());
// "java.nio.file;Files;false;write;;;Argument[0];create-file;manual"
Files.write((Path) source(), (byte[]) null);
Files.write((Path) source(), (Iterable<CharSequence>) null);
Files.write((Path) source(), (Iterable<CharSequence>) null, (Charset) null);
// "java.nio.file;Files;false;writeString;;;Argument[0];create-file;manual"
Files.writeString((Path) source(), (CharSequence) null);
Files.writeString((Path) source(), (CharSequence) null, (Charset) null);
// "javax.xml.transform.stream;StreamResult";true;"StreamResult;(File);;Argument[0];create-file;ai-generated"
new StreamResult((File) source());
// "org.apache.commons.io;FileUtils;true;openInputStream;(File);;Argument[0];read-file;ai-generated"
FileUtils.openInputStream((File) source());
// "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[1];create-file;ai-generated"
new ZipURLInstaller((URL) null, (String) source(), "");
// "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[2];create-file;ai-generated"
new ZipURLInstaller((URL) null, "", (String) source());
// "org.springframework.util;FileCopyUtils;false;copy;(byte[],File);;Argument[1];create-file;manual"
FileCopyUtils.copy((byte[]) null, (File) source());
// "org.springframework.util;FileCopyUtils;false;copy;(File,File);;Argument[0];create-file;manual"
FileCopyUtils.copy((File) source(), null);
// "org.springframework.util;FileCopyUtils;false;copy;(File,File);;Argument[1];create-file;manual"
FileCopyUtils.copy((File) null, (File) source());
// "javax.activation;FileDataSource;true;FileDataSource;(String);;Argument[0];path-injection;manual"
new FileDataSource((String) source());
// "javax.activation;FileDataSource;true;FileDataSource;(File);;Argument[0];path-injection;manual"
new FileDataSource((File) source());
// "org.apache.cxf.common.classloader;ClassLoaderUtils;true;getResourceAsStream;(String,Class);;Argument[0];path-injection;manual"
ClassLoaderUtils.getResourceAsStream((String) source(), null);
// "org.apache.cxf.common.jaxb;JAXBUtils;true;createFileCodeWriter;(File);;Argument[0];path-injection;manual"
JAXBUtils.createFileCodeWriter((File) source());
// "org.apache.cxf.common.jaxb;JAXBUtils;true;createFileCodeWriter;(File,String);;Argument[0];path-injection;manual"
JAXBUtils.createFileCodeWriter((File) source(), null);
// "org.apache.cxf.configuration.jsse:SSLUtils;true;loadFile;(String);;Argument[0];path-injection;manual"
new SSLUtils() {
public void test() {
loadFile((String) source());
}
};
// "org.apache.cxf.helpers;FileUtils;true;delete;(File);;Argument[0];path-injection;manual"
org.apache.cxf.helpers.FileUtils.delete((File) source());
// "org.apache.cxf.helpers;FileUtils;true;delete;(File,boolean);;Argument[0];path-injection;manual"
org.apache.cxf.helpers.FileUtils.delete((File) source(), false);
// "org.apache.cxf.helpers;FileUtils;true;mkdir;(File);;Argument[0];path-injection;manual"
org.apache.cxf.helpers.FileUtils.mkDir((File) source());
// "org.apache.cxf.helpers;FileUtils;true;readLines;(File);;Argument[0];path-injection;manual"
org.apache.cxf.helpers.FileUtils.readLines((File) source());
// "org.apache.cxf.helpers;FileUtils;true;removeDir;(File);;Argument[0];path-injection;manual"
org.apache.cxf.helpers.FileUtils.removeDir((File) source());
// "org.apache.cxf.resource;ExtendedURIResolver;true;resolve;(String,String);;Argument[1];path-injection;manual"
new ExtendedURIResolver().resolve(null, (String) source()); // $ SSRF
// "org.apache.cxf.resource;URIResolver;true;URIResolver;(String,String);;Argument[0];path-injection;manual"
new URIResolver((String) source(), null); // $ SSRF
// "org.apache.cxf.resource;URIResolver;true;URIResolver;(String,String,Class);;Argument[0];path-injection;manual"
new URIResolver((String) source(), null, null); // $ SSRF
// "org.apache.cxf.resource;URIResolver;true;resolve;(String,String,Class);;Argument[0];path-injection;manual"
new URIResolver().resolve((String) source(), null, null); // $ SSRF
// "org.apache.cxf.staxutils;StaxUtils;true;read;(File);;Argument[0];path-injection;manual"
StaxUtils.read((File) source()); // $ SSRF
// "org.apache.cxf.tools.corba.utils;FileOutputStreamFactory;true;FileOutputStreamFactory;(String);;Argument[0];path-injection;manual"
new FileOutputStreamFactory((String) source()); // $ SSRF
// "org.apache.cxf.tools.corba.utils;FileOutputStreamFactory;true;FileOutputStreamFactory;(String,FileOutputStreamFactory);;Argument[0];path-injection;manual"
new FileOutputStreamFactory((String) source(), null); // $ SSRF
// "org.apache.cxf.tools.corba.utils;OutputStreamFactory;true;createOutputStream;(String);;Argument[0];path-injection;manual"
new FileOutputStreamFactory().createOutputStream((String) source()); // $ SSRF
// "org.apache.cxf.tools.corba.utils;OutputStreamFactory;true;createOutputStream;(String,String);;Argument[0];path-injection;manual"
new FileOutputStreamFactory().createOutputStream((String) source(), null); // $ SSRF
// "org.apache.cxf.tools.corba.utils;OutputStreamFactory;true;createOutputStream;(String,String);;Argument[1];path-injection;manual"
new FileOutputStreamFactory().createOutputStream(null, (String) source()); // $ SSRF
// @formatter:off
// "org.apache.cxf.tools.util;FileWriterUtil;true;FileWriterUtil;(String,OutputStreamCreator);;Argument[0];path-injection;manual"
new FileWriterUtil((String) source(), null); // $ SSRF
// "org.apache.cxf.tools.util;FileWriterUtil;true;buildDir;(String);;Argument[0];path-injection;manual"
new FileWriterUtil().buildDir((String) source()); // $ SSRF
// "org.apache.cxf.tools.util;FileWriterUtil;true;getFileToWrite;(String,String);;Argument[0];path-injection;manual"
new FileWriterUtil().getFileToWrite((String) source(), (String) null); // $ SSRF
// "org.apache.cxf.tools.util;FileWriterUtil;true;getFileToWrite;(String,String);;Argument[1];path-injection;manual"
new FileWriterUtil().getFileToWrite((String) null, (String) source()); // $ SSRF
// "org.apache.cxf.tools.util;FileWriterUtil;true;getWriter;(File,String);;Argument[0];path-injection;manual"
new FileWriterUtil().getWriter((File) source(), (String) null); // $ SSRF
// "org.apache.cxf.tools.util;FileWriterUtil;true;getWriter;(String,String);;Argument[0];path-injection;manual"
new FileWriterUtil().getWriter((String) source(), null); // $ SSRF
// "org.apache.cxf.tools.util;FileWriterUtil;true;getWriter;(String,String);;Argument[1];path-injection;manual"
new FileWriterUtil().getWriter((String) null, (String) source()); // $ SSRF
// "org.apache.cxf.tools.util;FileWriterUtil;true;getWriter;(String,String,String);;Argument[0];path-injection;manual"
new FileWriterUtil().getWriter((String) source(), null, null); // $ SSRF
// "org.apache.cxf.tools.util;FileWriterUtil;true;getWriter;(String,String,String);;Argument[1];path-injection;manual"
new FileWriterUtil().getWriter((String) null, (String) source(), null); // $ SSRF
// "org.apache.cxf.tools.util;OutputStreamCreator;true;createOutputStream;(File);;Argument[0];path-injection;manual"
new OutputStreamCreator().createOutputStream((File) source()); // $ SSRF
// @formatter:on
}
void test(AntClassLoader acl) {
// "org.apache.tools.ant;AntClassLoader;true;addPathComponent;(File);;Argument[0];read-file;ai-generated"
acl.addPathComponent((File) source());
// "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(ClassLoader,Project,Path,boolean);;Argument[2];read-file;ai-generated"
new AntClassLoader(null, null, (org.apache.tools.ant.types.Path) source(), false);
// "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(Project,Path,boolean);;Argument[1];read-file;ai-generated"
new AntClassLoader(null, (org.apache.tools.ant.types.Path) source(), false);
// "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(Project,Path);;Argument[1];read-file;ai-generated"
new AntClassLoader(null, (org.apache.tools.ant.types.Path) source());
// "org.kohsuke.stapler.framework.io;LargeText;true;LargeText;(File,Charset,boolean,boolean);;Argument[0];read-file;ai-generated"
new LargeText((File) source(), null, false, false);
}
void test(DirectoryScanner ds) {
// "org.apache.tools.ant;DirectoryScanner;true;setBasedir;(File);;Argument[0];read-file;ai-generated"
ds.setBasedir((File) source());
}
void test(Copy cp) {
// "org.apache.tools.ant.taskdefs;Copy;true;addFileset;(FileSet);;Argument[0];read-file;ai-generated"
cp.addFileset((FileSet) source());
// "org.apache.tools.ant.taskdefs;Copy;true;setFile;(File);;Argument[0];read-file;ai-generated"
cp.setFile((File) source());
// "org.apache.tools.ant.taskdefs;Copy;true;setTodir;(File);;Argument[0];create-file;ai-generated"
cp.setTodir((File) source());
// "org.apache.tools.ant.taskdefs;Copy;true;setTofile;(File);;Argument[0];create-file;ai-generated"
cp.setTofile((File) source());
}
void test(Expand ex) {
// "org.apache.tools.ant.taskdefs;Expand;true;setDest;(File);;Argument[0];create-file;ai-generated"
ex.setDest((File) source());
// "org.apache.tools.ant.taskdefs;Expand;true;setSrc;(File);;Argument[0];read-file;ai-generated"
ex.setSrc((File) source());
}
void test(ChainedOptionsBuilder cob) {
// "org.openjdk.jmh.runner.options;ChainedOptionsBuilder;true;result;(String);;Argument[0];create-file;ai-generated"
cob.result((String) source());
}
}

2
java/ql/test/utils/modeleditor/ApplicationModeEndpoints.expected
View File

@@ -2,11 +2,9 @@
| com/github/codeql/test/PublicClass.java:8:5:8:27 | println(...) | java.io | PrintStream | println | (String) | true | rt.jar | | sink | source |
| com/github/codeql/test/PublicClass.java:12:5:12:27 | println(...) | java.io | PrintStream | println | (String) | true | rt.jar | | sink | source |
| com/github/codeql/test/PublicClass.java:16:5:16:45 | println(...) | java.io | PrintStream | println | (Object) | true | rt.jar | | sink | source |
| com/github/codeql/test/PublicClass.java:16:24:16:44 | get(...) | java.nio.file | Paths | get | (String,String[]) | true | rt.jar | | sink | source |
| com/github/codeql/test/PublicClass.java:16:24:16:44 | get(...) | java.nio.file | Paths | get | (String,String[]) | true | rt.jar | | summary | source |
| com/github/codeql/test/PublicClass.java:20:5:20:68 | println(...) | java.io | PrintStream | println | (Object) | true | rt.jar | | sink | source |
| com/github/codeql/test/PublicClass.java:20:24:20:47 | getDefault(...) | java.nio.file | FileSystems | getDefault | () | false | rt.jar | | | source |
| com/github/codeql/test/PublicClass.java:20:24:20:67 | getPath(...) | java.nio.file | FileSystem | getPath | (String,String[]) | true | rt.jar | | sink | source |
| com/github/codeql/test/PublicClass.java:20:24:20:67 | getPath(...) | java.nio.file | FileSystem | getPath | (String,String[]) | true | rt.jar | | summary | source |
| com/github/codeql/test/PublicClass.java:24:5:24:27 | println(...) | java.io | PrintStream | println | (String) | true | rt.jar | | sink | source |
| com/github/codeql/test/PublicGenericClass.java:7:5:7:27 | println(...) | java.io | PrintStream | println | (Object) | true | rt.jar | | sink | source |