Merged simplified query
committed by
Timo Mueller
parent
75f6ec1f0d
commit
4ddf4558a7
@@ -1,36 +1,4 @@
|
||||
edges
|
||||
| ../../../stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java:26:12:26:29 | this <constr(this)> [post update] : RMIConnectorServer | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:25:31:25:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:27:34:27:36 | env |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:33:31:33:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:35:59:35:61 | env |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:40:31:40:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:44:59:44:61 | env |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:49:31:49:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:53:34:53:36 | env |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:58:31:58:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:62:59:62:61 | env |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:67:31:67:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:71:34:71:36 | env |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:76:31:76:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:80:59:80:61 | env |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:85:31:85:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:89:34:89:36 | env |
|
||||
nodes
|
||||
| ../../../stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java:26:12:26:29 | this <constr(this)> [post update] : RMIConnectorServer | semmle.label | this <constr(this)> [post update] : RMIConnectorServer |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:13:5:13:69 | newJMXConnectorServer(...) | semmle.label | newJMXConnectorServer(...) |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | semmle.label | new RMIConnectorServer(...) |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:25:31:25:45 | new HashMap<String,Object>(...) : HashMap | semmle.label | new HashMap<String,Object>(...) : HashMap |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:27:34:27:36 | env | semmle.label | env |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:33:31:33:45 | new HashMap<String,Object>(...) : HashMap | semmle.label | new HashMap<String,Object>(...) : HashMap |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:35:59:35:61 | env | semmle.label | env |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:40:31:40:45 | new HashMap<String,Object>(...) : HashMap | semmle.label | new HashMap<String,Object>(...) : HashMap |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:44:59:44:61 | env | semmle.label | env |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:49:31:49:45 | new HashMap<String,Object>(...) : HashMap | semmle.label | new HashMap<String,Object>(...) : HashMap |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:53:34:53:36 | env | semmle.label | env |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:58:31:58:45 | new HashMap<String,Object>(...) : HashMap | semmle.label | new HashMap<String,Object>(...) : HashMap |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:62:59:62:61 | env | semmle.label | env |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:67:31:67:45 | new HashMap<String,Object>(...) : HashMap | semmle.label | new HashMap<String,Object>(...) : HashMap |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:71:34:71:36 | env | semmle.label | env |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:76:31:76:45 | new HashMap<String,Object>(...) : HashMap | semmle.label | new HashMap<String,Object>(...) : HashMap |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:80:59:80:61 | env | semmle.label | env |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:85:31:85:45 | new HashMap<String,Object>(...) : HashMap | semmle.label | new HashMap<String,Object>(...) : HashMap |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:89:34:89:36 | env | semmle.label | env |
|
||||
#select
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:13:5:13:69 | newJMXConnectorServer(...) | InsecureRmiJmxEnvironmentConfiguration.java:13:5:13:69 | newJMXConnectorServer(...) | InsecureRmiJmxEnvironmentConfiguration.java:13:5:13:69 | newJMXConnectorServer(...) | RMI/JMX server initialized with 'null' environment $@. Missing type restriction in RMI authentication method exposes the application to deserialization attacks. | InsecureRmiJmxEnvironmentConfiguration.java:13:5:13:69 | newJMXConnectorServer(...) | here | InsecureRmiJmxEnvironmentConfiguration.java:13:5:13:69 | newJMXConnectorServer(...) | source environment 'Map' |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | ../../../stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java:26:12:26:29 | this <constr(this)> [post update] : RMIConnectorServer | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | RMI/JMX server initialized with 'null' environment $@. Missing type restriction in RMI authentication method exposes the application to deserialization attacks. | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | here | ../../../stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java:26:12:26:29 | this <constr(this)> [post update] | source environment 'Map' |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | RMI/JMX server initialized with 'null' environment $@. Missing type restriction in RMI authentication method exposes the application to deserialization attacks. | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | here | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | source environment 'Map' |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:27:34:27:36 | env | InsecureRmiJmxEnvironmentConfiguration.java:25:31:25:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:27:34:27:36 | env | RMI/JMX server initialized with insecure environment $@. The $@ never restricts accepted client objects to 'java.lang.String'. This exposes to deserialization attacks against the RMI authentication method. | InsecureRmiJmxEnvironmentConfiguration.java:27:34:27:36 | env | here | InsecureRmiJmxEnvironmentConfiguration.java:25:31:25:45 | new HashMap<String,Object>(...) | source environment 'Map' |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:35:59:35:61 | env | InsecureRmiJmxEnvironmentConfiguration.java:33:31:33:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:35:59:35:61 | env | RMI/JMX server initialized with insecure environment $@. The $@ never restricts accepted client objects to 'java.lang.String'. This exposes to deserialization attacks against the RMI authentication method. | InsecureRmiJmxEnvironmentConfiguration.java:35:59:35:61 | env | here | InsecureRmiJmxEnvironmentConfiguration.java:33:31:33:45 | new HashMap<String,Object>(...) | source environment 'Map' |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:12:5:12:69 | newJMXConnectorServer(...) | RMI/JMX server initialized with a null environment. Missing type restriction in RMI authentication method exposes the application to deserialization attacks. | InsecureRmiJmxEnvironmentConfiguration.java:12:59:12:62 | null | null |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:17:5:17:50 | new RMIConnectorServer(...) | RMI/JMX server initialized with a null environment. Missing type restriction in RMI authentication method exposes the application to deserialization attacks. | InsecureRmiJmxEnvironmentConfiguration.java:17:34:17:37 | null | null |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:25:5:25:49 | new RMIConnectorServer(...) | RMI/JMX server initialized with insecure environment $@, which never restricts accepted client objects to 'java.lang.String'. This exposes to deserialization attacks against the RMI authentication method. | InsecureRmiJmxEnvironmentConfiguration.java:25:34:25:36 | env | env |
|
||||
| InsecureRmiJmxEnvironmentConfiguration.java:33:5:33:68 | newJMXConnectorServer(...) | RMI/JMX server initialized with insecure environment $@, which never restricts accepted client objects to 'java.lang.String'. This exposes to deserialization attacks against the RMI authentication method. | InsecureRmiJmxEnvironmentConfiguration.java:33:59:33:61 | env | env |
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
import java.io.IOException;
|
||||
import javax.management.remote.JMXConnectorServerFactory;
|
||||
|
||||
import javax.management.remote.rmi.RMIConnectorServer;
|
||||
|
||||
import java.util.HashMap;
|
||||
@@ -16,7 +15,6 @@ public class InsecureRmiJmxEnvironmentConfiguration {
|
||||
public void initInsecureRmiDueToNullEnv() throws IOException {
|
||||
// Bad initializing env (arg1) with null
|
||||
new RMIConnectorServer(null, null, null, null);
|
||||
|
||||
}
|
||||
|
||||
public void initInsecureRmiDueToMissingEnvKeyValue() throws IOException {
|
||||
@@ -71,7 +69,7 @@ public class InsecureRmiJmxEnvironmentConfiguration {
|
||||
new RMIConnectorServer(null, env, null, null);
|
||||
}
|
||||
|
||||
public void secureeJmxConnectorServerConstants2() throws IOException {
|
||||
public void secureJmxConnectorServerConstants2() throws IOException {
|
||||
// Good
|
||||
Map<String, Object> env = new HashMap<>();
|
||||
env.put("jmx.remote.x.daemon", "true");
|
||||
@@ -80,7 +78,7 @@ public class InsecureRmiJmxEnvironmentConfiguration {
|
||||
JMXConnectorServerFactory.newJMXConnectorServer(null, env, null);
|
||||
}
|
||||
|
||||
public void secureeRmiConnectorServerConstants2() throws IOException {
|
||||
public void secureRmiConnectorServerConstants2() throws IOException {
|
||||
// Good
|
||||
Map<String, Object> env = new HashMap<>();
|
||||
env.put("jmx.remote.x.daemon", "true");
|
||||
|
||||
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../../experimental/stubs/javax-management-remote-rmi-0.0.1
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/rmi-remote-0.0.0
|
||||
|
||||
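--- a/java/ql/test/experimental/stubs/rmi-remote-0.0.0/README
+++ b/java/ql/test/experimental/stubs/rmi-remote-0.0.0/README
@@ -0,0 +1 @@
+This is a workaround for a bug in which the extractor can't resolve type javax.management.remote.rmi.RMIConnectorServer even though it has been part of the JDK since Java 5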
@@ -0,0 +1,6 @@
|
||||
package javax.management.remote.rmi;
|
||||
|
||||
import java.rmi.Remote;
|
||||
import java.io.Closeable;
|
||||
|
||||
interface RMIConnection extends Closeable, Remote { }
|
||||
@@ -0,0 +1,34 @@
|
||||
package javax.management.remote.rmi;
|
||||
|
||||
import java.util.Map;
|
||||
|
||||
import javax.management.remote.JMXConnectorServer;
|
||||
import javax.management.remote.JMXConnector;
|
||||
import javax.management.remote.JMXServiceURL;
|
||||
import javax.management.remote.MBeanServerForwarder;
|
||||
import javax.management.MBeanServer;
|
||||
|
||||
// Note this is a partial stub sufficient to the needs of tests for CWE-665
|
||||
public class RMIConnectorServer extends JMXConnectorServer {
|
||||
|
||||
public RMIConnectorServer(JMXServiceURL url, Map<String,?> environment) { }
|
||||
public RMIConnectorServer(JMXServiceURL url, Map<String,?> environment, MBeanServer mbeanServer) { }
|
||||
public RMIConnectorServer(JMXServiceURL url, Map<String,?> environment, RMIServerImpl rmiServerImpl, MBeanServer mbeanServer) { }
|
||||
|
||||
public static String CREDENTIAL_TYPES = "";
|
||||
public static String CREDENTIALS_FILTER_PATTERN = "";
|
||||
public static String JNDI_REBIND_ATTRIBUTE = "";
|
||||
public static String RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE = "";
|
||||
public static String RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE = "";
|
||||
public static String SERIAL_FILTER_PATTERN = "";
|
||||
|
||||
public Map<String,?> getAttributes() { return null; }
|
||||
public JMXServiceURL getAddress() { return null; }
|
||||
public String[] getConnectionIds() { return null; }
|
||||
public boolean isActive() { return true; }
|
||||
public void setMBeanServerForwarder(MBeanServerForwarder mbsf) { }
|
||||
public void start() { }
|
||||
public void stop() { }
|
||||
public JMXConnector toJMXConnector(Map<String,?> env) { return null; }
|
||||
|
||||
}
|
||||
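Review bot: The six attribute-name constants in the new RMIConnectorServer stub are non-final `public static String` fields that all hold `""`, whereas the JDK declares them as `public static final String` compile-time constants with distinct values. Whether the simplified query identifies the environment key by field or by string value is not visible in this commit, but if it uses the value, the stub cannot tell `CREDENTIAL_TYPES` from `JNDI_REBIND_ATTRIBUTE`, and a "Good" case written with the constants could pass or fail for reasons unrelated to the real API. I would mirror the JDK declarations, e.g. `public static final String CREDENTIAL_TYPES = "jmx.remote.rmi.server.credential.types";` and `public static final String CREDENTIALS_FILTER_PATTERN = "jmx.remote.rmi.server.credentials.filter.pattern";`, and do the same for the remaining four. The stub comment could also state that the values are copied from the JDK so the deserialization-filter tests exercise the same keys as production code.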
@@ -0,0 +1,3 @@
|
||||
package javax.management.remote.rmi;
|
||||
|
||||
interface RMIServer { }
|
||||
@@ -0,0 +1,12 @@
|
||||
package javax.management.remote.rmi;
|
||||
|
||||
import java.io.Closeable;
|
||||
import java.rmi.Remote;
|
||||
|
||||
public class RMIServerImpl implements Closeable, RMIServer {
|
||||
|
||||
public void close() { }
|
||||
public String getVersion() { return null; }
|
||||
public RMIConnection newClient(Object credentials) { return null; }
|
||||
|
||||
}
|
||||