Merge branch 'main' into thirdpartyapitelemtry

Benjamin Muskalla
2021-09-03 14:23:31 +02:00
2136 changed files with 47113 additions and 9212 deletions


@@ -1,180 +0,0 @@
edges
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:34:16:34:22 | nameStr |
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:35:20:35:26 | nameStr |
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:36:29:36:35 | nameStr |
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:37:16:37:22 | nameStr |
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:38:14:38:20 | nameStr |
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:39:22:39:28 | nameStr |
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:41:16:41:19 | name |
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:42:20:42:23 | name |
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:43:29:43:32 | name |
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:44:16:44:19 | name |
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:45:14:45:17 | name |
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:46:22:46:25 | name |
| JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:54:16:54:22 | nameStr |
| JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:55:20:55:26 | nameStr |
| JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:56:16:56:22 | nameStr |
| JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:57:14:57:20 | nameStr |
| JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:58:22:58:28 | nameStr |
| JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:60:16:60:19 | name |
| JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:61:20:61:23 | name |
| JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:62:16:62:19 | name |
| JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:63:14:63:17 | name |
| JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:64:22:64:25 | name |
| JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:72:16:72:22 | nameStr |
| JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:73:20:73:26 | nameStr |
| JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:74:16:74:22 | nameStr |
| JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:75:14:75:20 | nameStr |
| JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:76:22:76:28 | nameStr |
| JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:78:16:78:19 | name |
| JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:79:20:79:23 | name |
| JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:80:16:80:19 | name |
| JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:81:14:81:17 | name |
| JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:82:22:82:25 | name |
| JndiInjection.java:86:42:86:69 | nameStr : String | JndiInjection.java:89:16:89:22 | nameStr |
| JndiInjection.java:86:42:86:69 | nameStr : String | JndiInjection.java:90:16:90:22 | nameStr |
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:98:16:98:22 | nameStr |
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:99:23:99:29 | nameStr |
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:100:18:100:21 | name |
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:101:16:101:19 | name |
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:102:14:102:17 | name |
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:103:22:103:25 | name |
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:104:16:104:22 | nameStr |
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:106:16:106:22 | nameStr |
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:107:16:107:22 | nameStr |
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:108:16:108:22 | nameStr |
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:109:16:109:22 | nameStr |
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:111:25:111:31 | nameStr |
| JndiInjection.java:115:41:115:68 | nameStr : String | JndiInjection.java:118:16:118:22 | nameStr |
| JndiInjection.java:115:41:115:68 | nameStr : String | JndiInjection.java:119:16:119:22 | nameStr |
| JndiInjection.java:123:37:123:63 | urlStr : String | JndiInjection.java:124:33:124:57 | new JMXServiceURL(...) |
| JndiInjection.java:123:37:123:63 | urlStr : String | JndiInjection.java:128:5:128:13 | connector |
| JndiInjection.java:132:27:132:53 | urlStr : String | JndiInjection.java:135:35:135:40 | urlStr |
| JndiInjection.java:140:27:140:53 | urlStr : String | JndiInjection.java:143:41:143:46 | urlStr |
| JndiInjection.java:148:52:148:78 | urlStr : String | JndiInjection.java:151:37:151:42 | urlStr |
| JndiInjection.java:156:52:156:78 | urlStr : String | JndiInjection.java:159:51:159:56 | urlStr |
| JndiInjection.java:164:52:164:78 | urlStr : String | JndiInjection.java:167:51:167:56 | urlStr |
nodes
| JndiInjection.java:30:38:30:65 | nameStr : String | semmle.label | nameStr : String |
| JndiInjection.java:34:16:34:22 | nameStr | semmle.label | nameStr |
| JndiInjection.java:35:20:35:26 | nameStr | semmle.label | nameStr |
| JndiInjection.java:36:29:36:35 | nameStr | semmle.label | nameStr |
| JndiInjection.java:37:16:37:22 | nameStr | semmle.label | nameStr |
| JndiInjection.java:38:14:38:20 | nameStr | semmle.label | nameStr |
| JndiInjection.java:39:22:39:28 | nameStr | semmle.label | nameStr |
| JndiInjection.java:41:16:41:19 | name | semmle.label | name |
| JndiInjection.java:42:20:42:23 | name | semmle.label | name |
| JndiInjection.java:43:29:43:32 | name | semmle.label | name |
| JndiInjection.java:44:16:44:19 | name | semmle.label | name |
| JndiInjection.java:45:14:45:17 | name | semmle.label | name |
| JndiInjection.java:46:22:46:25 | name | semmle.label | name |
| JndiInjection.java:50:41:50:68 | nameStr : String | semmle.label | nameStr : String |
| JndiInjection.java:54:16:54:22 | nameStr | semmle.label | nameStr |
| JndiInjection.java:55:20:55:26 | nameStr | semmle.label | nameStr |
| JndiInjection.java:56:16:56:22 | nameStr | semmle.label | nameStr |
| JndiInjection.java:57:14:57:20 | nameStr | semmle.label | nameStr |
| JndiInjection.java:58:22:58:28 | nameStr | semmle.label | nameStr |
| JndiInjection.java:60:16:60:19 | name | semmle.label | name |
| JndiInjection.java:61:20:61:23 | name | semmle.label | name |
| JndiInjection.java:62:16:62:19 | name | semmle.label | name |
| JndiInjection.java:63:14:63:17 | name | semmle.label | name |
| JndiInjection.java:64:22:64:25 | name | semmle.label | name |
| JndiInjection.java:68:42:68:69 | nameStr : String | semmle.label | nameStr : String |
| JndiInjection.java:72:16:72:22 | nameStr | semmle.label | nameStr |
| JndiInjection.java:73:20:73:26 | nameStr | semmle.label | nameStr |
| JndiInjection.java:74:16:74:22 | nameStr | semmle.label | nameStr |
| JndiInjection.java:75:14:75:20 | nameStr | semmle.label | nameStr |
| JndiInjection.java:76:22:76:28 | nameStr | semmle.label | nameStr |
| JndiInjection.java:78:16:78:19 | name | semmle.label | name |
| JndiInjection.java:79:20:79:23 | name | semmle.label | name |
| JndiInjection.java:80:16:80:19 | name | semmle.label | name |
| JndiInjection.java:81:14:81:17 | name | semmle.label | name |
| JndiInjection.java:82:22:82:25 | name | semmle.label | name |
| JndiInjection.java:86:42:86:69 | nameStr : String | semmle.label | nameStr : String |
| JndiInjection.java:89:16:89:22 | nameStr | semmle.label | nameStr |
| JndiInjection.java:90:16:90:22 | nameStr | semmle.label | nameStr |
| JndiInjection.java:94:42:94:69 | nameStr : String | semmle.label | nameStr : String |
| JndiInjection.java:98:16:98:22 | nameStr | semmle.label | nameStr |
| JndiInjection.java:99:23:99:29 | nameStr | semmle.label | nameStr |
| JndiInjection.java:100:18:100:21 | name | semmle.label | name |
| JndiInjection.java:101:16:101:19 | name | semmle.label | name |
| JndiInjection.java:102:14:102:17 | name | semmle.label | name |
| JndiInjection.java:103:22:103:25 | name | semmle.label | name |
| JndiInjection.java:104:16:104:22 | nameStr | semmle.label | nameStr |
| JndiInjection.java:106:16:106:22 | nameStr | semmle.label | nameStr |
| JndiInjection.java:107:16:107:22 | nameStr | semmle.label | nameStr |
| JndiInjection.java:108:16:108:22 | nameStr | semmle.label | nameStr |
| JndiInjection.java:109:16:109:22 | nameStr | semmle.label | nameStr |
| JndiInjection.java:111:25:111:31 | nameStr | semmle.label | nameStr |
| JndiInjection.java:115:41:115:68 | nameStr : String | semmle.label | nameStr : String |
| JndiInjection.java:118:16:118:22 | nameStr | semmle.label | nameStr |
| JndiInjection.java:119:16:119:22 | nameStr | semmle.label | nameStr |
| JndiInjection.java:123:37:123:63 | urlStr : String | semmle.label | urlStr : String |
| JndiInjection.java:124:33:124:57 | new JMXServiceURL(...) | semmle.label | new JMXServiceURL(...) |
| JndiInjection.java:128:5:128:13 | connector | semmle.label | connector |
| JndiInjection.java:132:27:132:53 | urlStr : String | semmle.label | urlStr : String |
| JndiInjection.java:135:35:135:40 | urlStr | semmle.label | urlStr |
| JndiInjection.java:140:27:140:53 | urlStr : String | semmle.label | urlStr : String |
| JndiInjection.java:143:41:143:46 | urlStr | semmle.label | urlStr |
| JndiInjection.java:148:52:148:78 | urlStr : String | semmle.label | urlStr : String |
| JndiInjection.java:151:37:151:42 | urlStr | semmle.label | urlStr |
| JndiInjection.java:156:52:156:78 | urlStr : String | semmle.label | urlStr : String |
| JndiInjection.java:159:51:159:56 | urlStr | semmle.label | urlStr |
| JndiInjection.java:164:52:164:78 | urlStr : String | semmle.label | urlStr : String |
| JndiInjection.java:167:51:167:56 | urlStr | semmle.label | urlStr |
#select
| JndiInjection.java:34:16:34:22 | nameStr | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:34:16:34:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
| JndiInjection.java:35:20:35:26 | nameStr | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:35:20:35:26 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
| JndiInjection.java:36:29:36:35 | nameStr | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:36:29:36:35 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
| JndiInjection.java:37:16:37:22 | nameStr | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:37:16:37:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
| JndiInjection.java:38:14:38:20 | nameStr | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:38:14:38:20 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
| JndiInjection.java:39:22:39:28 | nameStr | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:39:22:39:28 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
| JndiInjection.java:41:16:41:19 | name | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:41:16:41:19 | name | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
| JndiInjection.java:42:20:42:23 | name | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:42:20:42:23 | name | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
| JndiInjection.java:43:29:43:32 | name | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:43:29:43:32 | name | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
| JndiInjection.java:44:16:44:19 | name | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:44:16:44:19 | name | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
| JndiInjection.java:45:14:45:17 | name | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:45:14:45:17 | name | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
| JndiInjection.java:46:22:46:25 | name | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:46:22:46:25 | name | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
| JndiInjection.java:54:16:54:22 | nameStr | JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:54:16:54:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:50:41:50:68 | nameStr | this user input |
| JndiInjection.java:55:20:55:26 | nameStr | JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:55:20:55:26 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:50:41:50:68 | nameStr | this user input |
| JndiInjection.java:56:16:56:22 | nameStr | JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:56:16:56:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:50:41:50:68 | nameStr | this user input |
| JndiInjection.java:57:14:57:20 | nameStr | JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:57:14:57:20 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:50:41:50:68 | nameStr | this user input |
| JndiInjection.java:58:22:58:28 | nameStr | JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:58:22:58:28 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:50:41:50:68 | nameStr | this user input |
| JndiInjection.java:60:16:60:19 | name | JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:60:16:60:19 | name | JNDI lookup might include name from $@. | JndiInjection.java:50:41:50:68 | nameStr | this user input |
| JndiInjection.java:61:20:61:23 | name | JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:61:20:61:23 | name | JNDI lookup might include name from $@. | JndiInjection.java:50:41:50:68 | nameStr | this user input |
| JndiInjection.java:62:16:62:19 | name | JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:62:16:62:19 | name | JNDI lookup might include name from $@. | JndiInjection.java:50:41:50:68 | nameStr | this user input |
| JndiInjection.java:63:14:63:17 | name | JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:63:14:63:17 | name | JNDI lookup might include name from $@. | JndiInjection.java:50:41:50:68 | nameStr | this user input |
| JndiInjection.java:64:22:64:25 | name | JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:64:22:64:25 | name | JNDI lookup might include name from $@. | JndiInjection.java:50:41:50:68 | nameStr | this user input |
| JndiInjection.java:72:16:72:22 | nameStr | JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:72:16:72:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:68:42:68:69 | nameStr | this user input |
| JndiInjection.java:73:20:73:26 | nameStr | JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:73:20:73:26 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:68:42:68:69 | nameStr | this user input |
| JndiInjection.java:74:16:74:22 | nameStr | JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:74:16:74:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:68:42:68:69 | nameStr | this user input |
| JndiInjection.java:75:14:75:20 | nameStr | JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:75:14:75:20 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:68:42:68:69 | nameStr | this user input |
| JndiInjection.java:76:22:76:28 | nameStr | JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:76:22:76:28 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:68:42:68:69 | nameStr | this user input |
| JndiInjection.java:78:16:78:19 | name | JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:78:16:78:19 | name | JNDI lookup might include name from $@. | JndiInjection.java:68:42:68:69 | nameStr | this user input |
| JndiInjection.java:79:20:79:23 | name | JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:79:20:79:23 | name | JNDI lookup might include name from $@. | JndiInjection.java:68:42:68:69 | nameStr | this user input |
| JndiInjection.java:80:16:80:19 | name | JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:80:16:80:19 | name | JNDI lookup might include name from $@. | JndiInjection.java:68:42:68:69 | nameStr | this user input |
| JndiInjection.java:81:14:81:17 | name | JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:81:14:81:17 | name | JNDI lookup might include name from $@. | JndiInjection.java:68:42:68:69 | nameStr | this user input |
| JndiInjection.java:82:22:82:25 | name | JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:82:22:82:25 | name | JNDI lookup might include name from $@. | JndiInjection.java:68:42:68:69 | nameStr | this user input |
| JndiInjection.java:89:16:89:22 | nameStr | JndiInjection.java:86:42:86:69 | nameStr : String | JndiInjection.java:89:16:89:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:86:42:86:69 | nameStr | this user input |
| JndiInjection.java:90:16:90:22 | nameStr | JndiInjection.java:86:42:86:69 | nameStr : String | JndiInjection.java:90:16:90:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:86:42:86:69 | nameStr | this user input |
| JndiInjection.java:98:16:98:22 | nameStr | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:98:16:98:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
| JndiInjection.java:99:23:99:29 | nameStr | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:99:23:99:29 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
| JndiInjection.java:100:18:100:21 | name | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:100:18:100:21 | name | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
| JndiInjection.java:101:16:101:19 | name | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:101:16:101:19 | name | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
| JndiInjection.java:102:14:102:17 | name | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:102:14:102:17 | name | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
| JndiInjection.java:103:22:103:25 | name | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:103:22:103:25 | name | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
| JndiInjection.java:104:16:104:22 | nameStr | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:104:16:104:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
| JndiInjection.java:106:16:106:22 | nameStr | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:106:16:106:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
| JndiInjection.java:107:16:107:22 | nameStr | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:107:16:107:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
| JndiInjection.java:108:16:108:22 | nameStr | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:108:16:108:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
| JndiInjection.java:109:16:109:22 | nameStr | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:109:16:109:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
| JndiInjection.java:111:25:111:31 | nameStr | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:111:25:111:31 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
| JndiInjection.java:118:16:118:22 | nameStr | JndiInjection.java:115:41:115:68 | nameStr : String | JndiInjection.java:118:16:118:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:115:41:115:68 | nameStr | this user input |
| JndiInjection.java:119:16:119:22 | nameStr | JndiInjection.java:115:41:115:68 | nameStr : String | JndiInjection.java:119:16:119:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:115:41:115:68 | nameStr | this user input |
| JndiInjection.java:124:33:124:57 | new JMXServiceURL(...) | JndiInjection.java:123:37:123:63 | urlStr : String | JndiInjection.java:124:33:124:57 | new JMXServiceURL(...) | JNDI lookup might include name from $@. | JndiInjection.java:123:37:123:63 | urlStr | this user input |
| JndiInjection.java:128:5:128:13 | connector | JndiInjection.java:123:37:123:63 | urlStr : String | JndiInjection.java:128:5:128:13 | connector | JNDI lookup might include name from $@. | JndiInjection.java:123:37:123:63 | urlStr | this user input |
| JndiInjection.java:135:35:135:40 | urlStr | JndiInjection.java:132:27:132:53 | urlStr : String | JndiInjection.java:135:35:135:40 | urlStr | JNDI lookup might include name from $@. | JndiInjection.java:132:27:132:53 | urlStr | this user input |
| JndiInjection.java:143:41:143:46 | urlStr | JndiInjection.java:140:27:140:53 | urlStr : String | JndiInjection.java:143:41:143:46 | urlStr | JNDI lookup might include name from $@. | JndiInjection.java:140:27:140:53 | urlStr | this user input |
| JndiInjection.java:151:37:151:42 | urlStr | JndiInjection.java:148:52:148:78 | urlStr : String | JndiInjection.java:151:37:151:42 | urlStr | JNDI lookup might include name from $@. | JndiInjection.java:148:52:148:78 | urlStr | this user input |
| JndiInjection.java:159:51:159:56 | urlStr | JndiInjection.java:156:52:156:78 | urlStr : String | JndiInjection.java:159:51:159:56 | urlStr | JNDI lookup might include name from $@. | JndiInjection.java:156:52:156:78 | urlStr | this user input |
| JndiInjection.java:167:51:167:56 | urlStr | JndiInjection.java:164:52:164:78 | urlStr : String | JndiInjection.java:167:51:167:56 | urlStr | JNDI lookup might include name from $@. | JndiInjection.java:164:52:164:78 | urlStr | this user input |


@@ -1,209 +0,0 @@
import java.io.IOException;
import java.util.Hashtable;
import java.util.Properties;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.naming.CompositeName;
import javax.naming.CompoundName;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.Name;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.ldap.InitialLdapContext;
import org.springframework.jndi.JndiTemplate;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.ContextMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.NameClassPairCallbackHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class JndiInjection {
@RequestMapping
public void testInitialContextBad1(@RequestParam String nameStr) throws NamingException {
Name name = new CompositeName(nameStr);
InitialContext ctx = new InitialContext();
ctx.lookup(nameStr);
ctx.lookupLink(nameStr);
InitialContext.doLookup(nameStr);
ctx.rename(nameStr, "");
ctx.list(nameStr);
ctx.listBindings(nameStr);
ctx.lookup(name);
ctx.lookupLink(name);
InitialContext.doLookup(name);
ctx.rename(name, null);
ctx.list(name);
ctx.listBindings(name);
}
@RequestMapping
public void testInitialDirContextBad1(@RequestParam String nameStr) throws NamingException {
Name name = new CompoundName(nameStr, new Properties());
InitialDirContext ctx = new InitialDirContext();
ctx.lookup(nameStr);
ctx.lookupLink(nameStr);
ctx.rename(nameStr, "");
ctx.list(nameStr);
ctx.listBindings(nameStr);
ctx.lookup(name);
ctx.lookupLink(name);
ctx.rename(name, null);
ctx.list(name);
ctx.listBindings(name);
}
@RequestMapping
public void testInitialLdapContextBad1(@RequestParam String nameStr) throws NamingException {
Name name = new CompositeName(nameStr);
InitialLdapContext ctx = new InitialLdapContext();
ctx.lookup(nameStr);
ctx.lookupLink(nameStr);
ctx.rename(nameStr, "");
ctx.list(nameStr);
ctx.listBindings(nameStr);
ctx.lookup(name);
ctx.lookupLink(name);
ctx.rename(name, null);
ctx.list(name);
ctx.listBindings(name);
}
@RequestMapping
public void testSpringJndiTemplateBad1(@RequestParam String nameStr) throws NamingException {
JndiTemplate ctx = new JndiTemplate();
ctx.lookup(nameStr);
ctx.lookup(nameStr, null);
}
@RequestMapping
public void testSpringLdapTemplateBad1(@RequestParam String nameStr) throws NamingException {
LdapTemplate ctx = new LdapTemplate();
Name name = new CompositeName(nameStr);
ctx.lookup(nameStr);
ctx.lookupContext(nameStr);
ctx.findByDn(name, null);
ctx.rename(name, null);
ctx.list(name);
ctx.listBindings(name);
ctx.unbind(nameStr, true);
ctx.search(nameStr, "", 0, true, null);
ctx.search(nameStr, "", 0, new String[] {}, (ContextMapper<Object>) new Object());
ctx.search(nameStr, "", 0, (ContextMapper<Object>) new Object());
ctx.search(nameStr, "", (ContextMapper) new Object());
ctx.searchForObject(nameStr, "", (ContextMapper) new Object());
}
@RequestMapping
public void testShiroJndiTemplateBad1(@RequestParam String nameStr) throws NamingException {
org.apache.shiro.jndi.JndiTemplate ctx = new org.apache.shiro.jndi.JndiTemplate();
ctx.lookup(nameStr);
ctx.lookup(nameStr, null);
}
@RequestMapping
public void testJMXServiceUrlBad1(@RequestParam String urlStr) throws IOException {
JMXConnectorFactory.connect(new JMXServiceURL(urlStr));
JMXServiceURL url = new JMXServiceURL(urlStr);
JMXConnector connector = JMXConnectorFactory.newJMXConnector(url, null);
connector.connect();
}
@RequestMapping
public void testEnvBad1(@RequestParam String urlStr) throws NamingException {
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
env.put(Context.PROVIDER_URL, urlStr);
new InitialContext(env);
}
@RequestMapping
public void testEnvBad2(@RequestParam String urlStr) throws NamingException {
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
env.put("java.naming.provider.url", urlStr);
new InitialDirContext(env);
}
@RequestMapping
public void testSpringJndiTemplatePropertiesBad1(@RequestParam String urlStr) throws NamingException {
Properties props = new Properties();
props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
props.put(Context.PROVIDER_URL, urlStr);
new JndiTemplate(props);
}
@RequestMapping
public void testSpringJndiTemplatePropertiesBad2(@RequestParam String urlStr) throws NamingException {
Properties props = new Properties();
props.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
props.setProperty("java.naming.provider.url", urlStr);
new JndiTemplate(props);
}
@RequestMapping
public void testSpringJndiTemplatePropertiesBad3(@RequestParam String urlStr) throws NamingException {
Properties props = new Properties();
props.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
props.setProperty("java.naming.provider.url", urlStr);
JndiTemplate template = new JndiTemplate();
template.setEnvironment(props);
}
@RequestMapping
public void testSpringLdapTemplateOk1(@RequestParam String nameStr) throws NamingException {
LdapTemplate ctx = new LdapTemplate();
ctx.unbind(nameStr);
ctx.unbind(nameStr, false);
ctx.search(nameStr, "", 0, false, null);
ctx.search(nameStr, "", new SearchControls(), (NameClassPairCallbackHandler) new Object());
ctx.search(nameStr, "", new SearchControls(), (NameClassPairCallbackHandler) new Object(), null);
ctx.search(nameStr, "", (NameClassPairCallbackHandler) new Object());
ctx.search(nameStr, "", 0, new String[] {}, (AttributesMapper<Object>) new Object());
ctx.search(nameStr, "", 0, (AttributesMapper<Object>) new Object());
ctx.search(nameStr, "", (AttributesMapper) new Object());
ctx.search(nameStr, "", new SearchControls(), (ContextMapper) new Object());
ctx.search(nameStr, "", new SearchControls(), (AttributesMapper) new Object());
ctx.search(nameStr, "", new SearchControls(), (ContextMapper) new Object(), null);
ctx.search(nameStr, "", new SearchControls(), (AttributesMapper) new Object(), null);
ctx.searchForObject(nameStr, "", new SearchControls(), (ContextMapper) new Object());
}
@RequestMapping
public void testEnvOk1(@RequestParam String urlStr) throws NamingException {
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
env.put(Context.SECURITY_PRINCIPAL, urlStr);
new InitialContext(env);
}
@RequestMapping
public void testEnvOk2(@RequestParam String urlStr) throws NamingException {
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
env.put("java.naming.security.principal", urlStr);
new InitialContext(env);
}
}


@@ -1 +0,0 @@
experimental/Security/CWE/CWE-074/JndiInjection.ql


@@ -1 +0,0 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/shiro-core-1.5.2:${testdir}/../../../../stubs/spring-ldap-2.3.2


@@ -1,39 +0,0 @@
import groovy.lang.GroovyClassLoader;
import groovy.lang.GroovyCodeSource;
import groovy.lang.GroovyObject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
public class GroovyClassLoaderTest extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
String script = request.getParameter("script");
final GroovyClassLoader classLoader = new GroovyClassLoader();
Class groovy = classLoader.parseClass(script);
GroovyObject groovyObj = (GroovyObject) groovy.newInstance();
} catch (Exception e) {
// Ignore
}
}
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
String script = request.getParameter("script");
final GroovyClassLoader classLoader = new GroovyClassLoader();
GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
Class groovy = classLoader.parseClass(gcs);
GroovyObject groovyObj = (GroovyObject) groovy.newInstance();
} catch (Exception e) {
// Ignore
}
}
}


@@ -1,41 +0,0 @@
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import groovy.util.Eval;
public class GroovyEvalTest extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String script = request.getParameter("script");
Eval.me(script);
}
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String script = request.getParameter("script");
Eval.me("test", "result", script);
}
protected void doPut(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String script = request.getParameter("script");
Eval.x("result2", script);
}
protected void doDelete(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String script = request.getParameter("script");
Eval.xy("result3", "result4", script);
}
protected void doPatch(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String script = request.getParameter("script");
Eval.xyz("result3", "result4", "aaa", script);
}
}


@@ -1,73 +0,0 @@
edges
| ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:22:29:22:51 | expression : String | ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:23:31:23:40 | expression |
| ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:30:44:30:66 | expression : String | ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:31:27:31:36 | expression |
| GroovyClassLoaderTest.java:16:29:16:58 | getParameter(...) : String | GroovyClassLoaderTest.java:18:51:18:56 | script |
| GroovyClassLoaderTest.java:29:29:29:58 | getParameter(...) : String | GroovyClassLoaderTest.java:32:51:32:53 | gcs |
| GroovyEvalTest.java:12:25:12:54 | getParameter(...) : String | GroovyEvalTest.java:13:17:13:22 | script |
| GroovyEvalTest.java:12:25:12:54 | getParameter(...) : String | GroovyEvalTest.java:13:17:13:22 | script : String |
| GroovyEvalTest.java:13:17:13:22 | script : String | ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:22:29:22:51 | expression : String |
| GroovyEvalTest.java:18:25:18:54 | getParameter(...) : String | GroovyEvalTest.java:19:35:19:40 | script |
| GroovyEvalTest.java:24:25:24:54 | getParameter(...) : String | GroovyEvalTest.java:25:27:25:32 | script |
| GroovyEvalTest.java:24:25:24:54 | getParameter(...) : String | GroovyEvalTest.java:25:27:25:32 | script : String |
| GroovyEvalTest.java:25:27:25:32 | script : String | ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:30:44:30:66 | expression : String |
| GroovyEvalTest.java:31:25:31:54 | getParameter(...) : String | GroovyEvalTest.java:32:39:32:44 | script |
| GroovyEvalTest.java:37:25:37:54 | getParameter(...) : String | GroovyEvalTest.java:38:47:38:52 | script |
| GroovyShellTest.java:15:25:15:54 | getParameter(...) : String | GroovyShellTest.java:16:24:16:29 | script |
| GroovyShellTest.java:22:25:22:54 | getParameter(...) : String | GroovyShellTest.java:23:24:23:29 | script |
| GroovyShellTest.java:29:25:29:54 | getParameter(...) : String | GroovyShellTest.java:30:24:30:29 | script |
| GroovyShellTest.java:36:25:36:54 | getParameter(...) : String | GroovyShellTest.java:37:19:37:24 | script |
| GroovyShellTest.java:43:25:43:54 | getParameter(...) : String | GroovyShellTest.java:45:19:45:21 | gcs |
| GroovyShellTest.java:51:25:51:54 | getParameter(...) : String | GroovyShellTest.java:53:24:53:26 | gcs |
| GroovyShellTest.java:59:25:59:54 | getParameter(...) : String | GroovyShellTest.java:60:21:60:26 | script |
nodes
| ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:22:29:22:51 | expression : String | semmle.label | expression : String |
| ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:23:31:23:40 | expression | semmle.label | expression |
| ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:30:44:30:66 | expression : String | semmle.label | expression : String |
| ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:31:27:31:36 | expression | semmle.label | expression |
| GroovyClassLoaderTest.java:16:29:16:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| GroovyClassLoaderTest.java:18:51:18:56 | script | semmle.label | script |
| GroovyClassLoaderTest.java:29:29:29:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| GroovyClassLoaderTest.java:32:51:32:53 | gcs | semmle.label | gcs |
| GroovyEvalTest.java:12:25:12:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| GroovyEvalTest.java:13:17:13:22 | script | semmle.label | script |
| GroovyEvalTest.java:13:17:13:22 | script : String | semmle.label | script : String |
| GroovyEvalTest.java:18:25:18:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| GroovyEvalTest.java:19:35:19:40 | script | semmle.label | script |
| GroovyEvalTest.java:24:25:24:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| GroovyEvalTest.java:25:27:25:32 | script | semmle.label | script |
| GroovyEvalTest.java:25:27:25:32 | script : String | semmle.label | script : String |
| GroovyEvalTest.java:31:25:31:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| GroovyEvalTest.java:32:39:32:44 | script | semmle.label | script |
| GroovyEvalTest.java:37:25:37:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| GroovyEvalTest.java:38:47:38:52 | script | semmle.label | script |
| GroovyShellTest.java:15:25:15:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| GroovyShellTest.java:16:24:16:29 | script | semmle.label | script |
| GroovyShellTest.java:22:25:22:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| GroovyShellTest.java:23:24:23:29 | script | semmle.label | script |
| GroovyShellTest.java:29:25:29:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| GroovyShellTest.java:30:24:30:29 | script | semmle.label | script |
| GroovyShellTest.java:36:25:36:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| GroovyShellTest.java:37:19:37:24 | script | semmle.label | script |
| GroovyShellTest.java:43:25:43:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| GroovyShellTest.java:45:19:45:21 | gcs | semmle.label | gcs |
| GroovyShellTest.java:51:25:51:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| GroovyShellTest.java:53:24:53:26 | gcs | semmle.label | gcs |
| GroovyShellTest.java:59:25:59:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| GroovyShellTest.java:60:21:60:26 | script | semmle.label | script |
#select
| ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:23:31:23:40 | expression | GroovyEvalTest.java:12:25:12:54 | getParameter(...) : String | ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:23:31:23:40 | expression | Groovy Injection from $@. | GroovyEvalTest.java:12:25:12:54 | getParameter(...) | this user input |
| ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:31:27:31:36 | expression | GroovyEvalTest.java:24:25:24:54 | getParameter(...) : String | ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:31:27:31:36 | expression | Groovy Injection from $@. | GroovyEvalTest.java:24:25:24:54 | getParameter(...) | this user input |
| GroovyClassLoaderTest.java:18:51:18:56 | script | GroovyClassLoaderTest.java:16:29:16:58 | getParameter(...) : String | GroovyClassLoaderTest.java:18:51:18:56 | script | Groovy Injection from $@. | GroovyClassLoaderTest.java:16:29:16:58 | getParameter(...) | this user input |
| GroovyClassLoaderTest.java:32:51:32:53 | gcs | GroovyClassLoaderTest.java:29:29:29:58 | getParameter(...) : String | GroovyClassLoaderTest.java:32:51:32:53 | gcs | Groovy Injection from $@. | GroovyClassLoaderTest.java:29:29:29:58 | getParameter(...) | this user input |
| GroovyEvalTest.java:13:17:13:22 | script | GroovyEvalTest.java:12:25:12:54 | getParameter(...) : String | GroovyEvalTest.java:13:17:13:22 | script | Groovy Injection from $@. | GroovyEvalTest.java:12:25:12:54 | getParameter(...) | this user input |
| GroovyEvalTest.java:19:35:19:40 | script | GroovyEvalTest.java:18:25:18:54 | getParameter(...) : String | GroovyEvalTest.java:19:35:19:40 | script | Groovy Injection from $@. | GroovyEvalTest.java:18:25:18:54 | getParameter(...) | this user input |
| GroovyEvalTest.java:25:27:25:32 | script | GroovyEvalTest.java:24:25:24:54 | getParameter(...) : String | GroovyEvalTest.java:25:27:25:32 | script | Groovy Injection from $@. | GroovyEvalTest.java:24:25:24:54 | getParameter(...) | this user input |
| GroovyEvalTest.java:32:39:32:44 | script | GroovyEvalTest.java:31:25:31:54 | getParameter(...) : String | GroovyEvalTest.java:32:39:32:44 | script | Groovy Injection from $@. | GroovyEvalTest.java:31:25:31:54 | getParameter(...) | this user input |
| GroovyEvalTest.java:38:47:38:52 | script | GroovyEvalTest.java:37:25:37:54 | getParameter(...) : String | GroovyEvalTest.java:38:47:38:52 | script | Groovy Injection from $@. | GroovyEvalTest.java:37:25:37:54 | getParameter(...) | this user input |
| GroovyShellTest.java:16:24:16:29 | script | GroovyShellTest.java:15:25:15:54 | getParameter(...) : String | GroovyShellTest.java:16:24:16:29 | script | Groovy Injection from $@. | GroovyShellTest.java:15:25:15:54 | getParameter(...) | this user input |
| GroovyShellTest.java:23:24:23:29 | script | GroovyShellTest.java:22:25:22:54 | getParameter(...) : String | GroovyShellTest.java:23:24:23:29 | script | Groovy Injection from $@. | GroovyShellTest.java:22:25:22:54 | getParameter(...) | this user input |
| GroovyShellTest.java:30:24:30:29 | script | GroovyShellTest.java:29:25:29:54 | getParameter(...) : String | GroovyShellTest.java:30:24:30:29 | script | Groovy Injection from $@. | GroovyShellTest.java:29:25:29:54 | getParameter(...) | this user input |
| GroovyShellTest.java:37:19:37:24 | script | GroovyShellTest.java:36:25:36:54 | getParameter(...) : String | GroovyShellTest.java:37:19:37:24 | script | Groovy Injection from $@. | GroovyShellTest.java:36:25:36:54 | getParameter(...) | this user input |
| GroovyShellTest.java:45:19:45:21 | gcs | GroovyShellTest.java:43:25:43:54 | getParameter(...) : String | GroovyShellTest.java:45:19:45:21 | gcs | Groovy Injection from $@. | GroovyShellTest.java:43:25:43:54 | getParameter(...) | this user input |
| GroovyShellTest.java:53:24:53:26 | gcs | GroovyShellTest.java:51:25:51:54 | getParameter(...) : String | GroovyShellTest.java:53:24:53:26 | gcs | Groovy Injection from $@. | GroovyShellTest.java:51:25:51:54 | getParameter(...) | this user input |
| GroovyShellTest.java:60:21:60:26 | script | GroovyShellTest.java:59:25:59:54 | getParameter(...) : String | GroovyShellTest.java:60:21:60:26 | script | Groovy Injection from $@. | GroovyShellTest.java:59:25:59:54 | getParameter(...) | this user input |


@@ -1 +0,0 @@
experimental/Security/CWE/CWE-094/GroovyInjection.ql


@@ -1,63 +0,0 @@
import groovy.lang.GroovyCodeSource;
import groovy.lang.GroovyShell;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
public class GroovyShellTest extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
shell.evaluate(script);
}
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
shell.evaluate(script, "test");
}
protected void doPut(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
shell.evaluate(script, "test", "test2");
}
protected void doOptions(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
shell.run(script, "_", new String[]{});
}
protected void doHead(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
shell.run(gcs, new String[]{});
}
protected void doDelete(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
shell.evaluate(gcs);
}
protected void doPatch(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
shell.parse(script);
}
}


@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2:${testdir}/../../../../experimental/stubs/rhino-1.7.13:${testdir}/../../../../stubs/bsh-2.0b5:${testdir}/../../../../experimental/stubs/jshell
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2:${testdir}/../../../../experimental/stubs/rhino-1.7.13:${testdir}/../../../../stubs/bsh-2.0b5:${testdir}/../../../../experimental/stubs/jshell


@@ -0,0 +1,15 @@
edges
| Test.java:14:28:14:44 | doFinal(...) : byte[] | Test.java:15:43:15:51 | actualMac |
| Test.java:30:28:30:40 | sign(...) : byte[] | Test.java:31:40:31:48 | signature |
| Test.java:47:22:47:46 | doFinal(...) : byte[] | Test.java:48:40:48:42 | tag |
nodes
| Test.java:14:28:14:44 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
| Test.java:15:43:15:51 | actualMac | semmle.label | actualMac |
| Test.java:30:28:30:40 | sign(...) : byte[] | semmle.label | sign(...) : byte[] |
| Test.java:31:40:31:48 | signature | semmle.label | signature |
| Test.java:47:22:47:46 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
| Test.java:48:40:48:42 | tag | semmle.label | tag |
#select
| Test.java:15:43:15:51 | actualMac | Test.java:14:28:14:44 | doFinal(...) : byte[] | Test.java:15:43:15:51 | actualMac | Possible timing attack against $@ validation. | Test.java:14:28:14:44 | doFinal(...) : byte[] | MAC |
| Test.java:31:40:31:48 | signature | Test.java:30:28:30:40 | sign(...) : byte[] | Test.java:31:40:31:48 | signature | Possible timing attack against $@ validation. | Test.java:30:28:30:40 | sign(...) : byte[] | signature |
| Test.java:48:40:48:42 | tag | Test.java:47:22:47:46 | doFinal(...) : byte[] | Test.java:48:40:48:42 | tag | Possible timing attack against $@ validation. | Test.java:47:22:47:46 | doFinal(...) : byte[] | ciphertext |


@@ -0,0 +1,59 @@
import java.security.Key;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
public class Test {
// BAD: compare MACs using a not-constant time method
public boolean unsafeMacCheck(byte[] expectedMac, byte[] data) throws Exception {
Mac mac = Mac.getInstance("HmacSHA256");
byte[] actualMac = mac.doFinal(data);
return Arrays.equals(expectedMac, actualMac);
}
// GOOD: compare MACs using a constant time method
public boolean saferMacCheck(byte[] expectedMac, byte[] data) throws Exception {
Mac mac = Mac.getInstance("HmacSHA256");
byte[] actualMac = mac.doFinal(data);
return MessageDigest.isEqual(expectedMac, actualMac);
}
// BAD: compare signatures using a not-constant time method
public boolean unsafeCheckSignatures(byte[] expected, byte[] data, PrivateKey key) throws Exception {
Signature engine = Signature.getInstance("SHA256withRSA");
engine.initSign(key);
engine.update(data);
byte[] signature = engine.sign();
return Arrays.equals(expected, signature);
}
// GOOD: compare signatures using a constant time method
public boolean saferCheckSignatures(byte[] expected, byte[] data, PrivateKey key) throws Exception {
Signature engine = Signature.getInstance("SHA256withRSA");
engine.initSign(key);
engine.update(data);
byte[] signature = engine.sign();
return MessageDigest.isEqual(expected, signature);
}
// BAD: compare ciphertexts using a not-constant time method
public boolean unsafeCheckCustomMac(byte[] expected, byte[] plaintext, Key key) throws Exception {
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, key);
byte[] tag = cipher.doFinal(plaintext);
return Arrays.equals(expected, tag);
}
// GOOD: compare ciphertexts using a constant time method
public boolean saferCheckCustomMac(byte[] expected, byte[] plaintext, Key key) throws Exception {
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, key);
byte[] tag = cipher.doFinal(plaintext);
return MessageDigest.isEqual(expected, tag);
}
}
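Review bot: `unsafeMacCheck` and `saferMacCheck` call `mac.doFinal(data)` on a `Mac` that is never given a key, so both would throw `IllegalStateException` if the fixture were ever executed, and the pair does not model a real keyed MAC check. The signature and cipher cases in the same file do call `initSign`/`init`. Taking a `Key key` parameter and adding `mac.init(key);` after `Mac.getInstance("HmacSHA256")` would close the gap, with the line numbers in the matching `.expected` file adjusted to follow; the Mac-based methods in the larger `Test.java` added later in this commit have the same omission. Separately, the signature cases re-sign with a `PrivateKey` and compare bytes, so a short comment such as `// models the comparison only; real verification should use Signature.verify()` would keep readers from copying that pattern.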


@@ -0,0 +1 @@
experimental/Security/CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql


@@ -0,0 +1,44 @@
edges
| Test.java:21:32:21:48 | doFinal(...) : byte[] | Test.java:23:47:23:55 | actualMac |
| Test.java:34:25:34:33 | actualMac : byte[] | Test.java:36:47:36:55 | actualMac |
| Test.java:59:32:59:44 | sign(...) : byte[] | Test.java:61:44:61:52 | signature |
| Test.java:73:25:73:33 | signature : byte[] | Test.java:75:44:75:52 | signature |
| Test.java:99:26:99:45 | doFinal(...) : byte[] | Test.java:101:49:101:51 | tag |
| Test.java:116:28:116:30 | tag : byte[] | Test.java:118:44:118:46 | tag |
| Test.java:134:56:134:58 | tag : ByteBuffer | Test.java:136:44:136:46 | tag : ByteBuffer |
| Test.java:136:44:136:46 | tag : ByteBuffer | Test.java:136:44:136:54 | array(...) |
| Test.java:148:56:148:58 | tag : ByteBuffer | Test.java:150:53:150:55 | tag |
| Test.java:174:26:174:50 | doFinal(...) : byte[] | Test.java:176:44:176:46 | tag |
| Test.java:201:34:201:50 | doFinal(...) : byte[] | Test.java:204:26:204:36 | computedTag |
nodes
| Test.java:21:32:21:48 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
| Test.java:23:47:23:55 | actualMac | semmle.label | actualMac |
| Test.java:34:25:34:33 | actualMac : byte[] | semmle.label | actualMac : byte[] |
| Test.java:36:47:36:55 | actualMac | semmle.label | actualMac |
| Test.java:59:32:59:44 | sign(...) : byte[] | semmle.label | sign(...) : byte[] |
| Test.java:61:44:61:52 | signature | semmle.label | signature |
| Test.java:73:25:73:33 | signature : byte[] | semmle.label | signature : byte[] |
| Test.java:75:44:75:52 | signature | semmle.label | signature |
| Test.java:99:26:99:45 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
| Test.java:101:49:101:51 | tag | semmle.label | tag |
| Test.java:116:28:116:30 | tag : byte[] | semmle.label | tag : byte[] |
| Test.java:118:44:118:46 | tag | semmle.label | tag |
| Test.java:134:56:134:58 | tag : ByteBuffer | semmle.label | tag : ByteBuffer |
| Test.java:136:44:136:46 | tag : ByteBuffer | semmle.label | tag : ByteBuffer |
| Test.java:136:44:136:54 | array(...) | semmle.label | array(...) |
| Test.java:148:56:148:58 | tag : ByteBuffer | semmle.label | tag : ByteBuffer |
| Test.java:150:53:150:55 | tag | semmle.label | tag |
| Test.java:174:26:174:50 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
| Test.java:176:44:176:46 | tag | semmle.label | tag |
| Test.java:201:34:201:50 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
| Test.java:204:26:204:36 | computedTag | semmle.label | computedTag |
#select
| Test.java:23:47:23:55 | actualMac | Test.java:21:32:21:48 | doFinal(...) : byte[] | Test.java:23:47:23:55 | actualMac | Timing attack against $@ validation. | Test.java:21:32:21:48 | doFinal(...) : byte[] | MAC |
| Test.java:36:47:36:55 | actualMac | Test.java:34:25:34:33 | actualMac : byte[] | Test.java:36:47:36:55 | actualMac | Timing attack against $@ validation. | Test.java:34:25:34:33 | actualMac : byte[] | MAC |
| Test.java:61:44:61:52 | signature | Test.java:59:32:59:44 | sign(...) : byte[] | Test.java:61:44:61:52 | signature | Timing attack against $@ validation. | Test.java:59:32:59:44 | sign(...) : byte[] | signature |
| Test.java:75:44:75:52 | signature | Test.java:73:25:73:33 | signature : byte[] | Test.java:75:44:75:52 | signature | Timing attack against $@ validation. | Test.java:73:25:73:33 | signature : byte[] | signature |
| Test.java:101:49:101:51 | tag | Test.java:99:26:99:45 | doFinal(...) : byte[] | Test.java:101:49:101:51 | tag | Timing attack against $@ validation. | Test.java:99:26:99:45 | doFinal(...) : byte[] | ciphertext |
| Test.java:118:44:118:46 | tag | Test.java:116:28:116:30 | tag : byte[] | Test.java:118:44:118:46 | tag | Timing attack against $@ validation. | Test.java:116:28:116:30 | tag : byte[] | ciphertext |
| Test.java:136:44:136:54 | array(...) | Test.java:134:56:134:58 | tag : ByteBuffer | Test.java:136:44:136:54 | array(...) | Timing attack against $@ validation. | Test.java:134:56:134:58 | tag : ByteBuffer | ciphertext |
| Test.java:150:53:150:55 | tag | Test.java:148:56:148:58 | tag : ByteBuffer | Test.java:150:53:150:55 | tag | Timing attack against $@ validation. | Test.java:148:56:148:58 | tag : ByteBuffer | ciphertext |
| Test.java:176:44:176:46 | tag | Test.java:174:26:174:50 | doFinal(...) : byte[] | Test.java:176:44:176:46 | tag | Timing attack against $@ validation. | Test.java:174:26:174:50 | doFinal(...) : byte[] | ciphertext |


@@ -0,0 +1,236 @@
import java.io.InputStream;
import java.net.Socket;
import java.nio.ByteBuffer;
import java.security.Key;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Arrays;
import java.util.Objects;
import javax.crypto.Cipher;
import javax.crypto.Mac;
public class Test {
// BAD: compare MACs using a non-constant-time method
public boolean unsafeMacCheckWithArrayEquals(Socket socket) throws Exception {
try (InputStream is = socket.getInputStream()) {
Mac mac = Mac.getInstance("HmacSHA256");
byte[] data = new byte[1024];
is.read(data);
byte[] actualMac = mac.doFinal(data);
byte[] expectedMac = is.readNBytes(32);
return Arrays.equals(expectedMac, actualMac);
}
}
// BAD: compare MACs using a non-constant-time method
public boolean unsafeMacCheckWithDoFinalWithOutputArray(Socket socket) throws Exception {
try (InputStream is = socket.getInputStream()) {
byte[] data = is.readNBytes(100);
Mac mac = Mac.getInstance("HmacSHA256");
byte[] actualMac = new byte[256];
mac.update(data);
mac.doFinal(actualMac, 0);
byte[] expectedMac = socket.getInputStream().readNBytes(256);
return Arrays.equals(expectedMac, actualMac);
}
}
// GOOD: compare MACs using a constant-time method
public boolean saferMacCheck(Socket socket) throws Exception {
try (InputStream is = socket.getInputStream()) {
Mac mac = Mac.getInstance("HmacSHA256");
byte[] data = new byte[1024];
is.read(data);
byte[] actualMac = mac.doFinal(data);
byte[] expectedMac = is.readNBytes(32);
return MessageDigest.isEqual(expectedMac, actualMac);
}
}
// BAD: compare signatures using a non-constant-time method
public boolean unsafeCheckSignatures(Socket socket, PrivateKey key) throws Exception {
try (InputStream is = socket.getInputStream()) {
Signature engine = Signature.getInstance("SHA256withRSA");
engine.initSign(key);
byte[] data = socket.getInputStream().readAllBytes();
engine.update(data);
byte[] signature = engine.sign();
byte[] expected = is.readNBytes(256);
return Arrays.equals(expected, signature);
}
}
// BAD: compare signatures using a non-constant-time method
public boolean unsafeCheckSignaturesWithOutputArray(Socket socket, PrivateKey key) throws Exception {
try (InputStream is = socket.getInputStream()) {
Signature engine = Signature.getInstance("SHA256withRSA");
engine.initSign(key);
byte[] data = socket.getInputStream().readAllBytes();
engine.update(data);
byte[] signature = new byte[1024];
engine.sign(signature, 0, 1024);
byte[] expected = is.readNBytes(256);
return Arrays.equals(expected, signature);
}
}
// GOOD: compare signatures using a constant-time method
public boolean saferCheckSignatures(Socket socket, PrivateKey key) throws Exception {
try (InputStream is = socket.getInputStream()) {
Signature engine = Signature.getInstance("SHA256withRSA");
engine.initSign(key);
byte[] data = socket.getInputStream().readAllBytes();
engine.update(data);
byte[] signature = engine.sign();
byte[] expected = is.readNBytes(256);
return MessageDigest.isEqual(expected, signature);
}
}
// BAD: compare ciphertexts (custom MAC) using a non-constant-time method
public boolean unsafeCheckCiphertext(Socket socket, Key key) throws Exception {
try (InputStream is = socket.getInputStream()) {
byte[] plaintext = is.readNBytes(100);
byte[] hash = MessageDigest.getInstance("SHA-256").digest(plaintext);
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, key);
byte[] tag = cipher.doFinal(hash);
byte[] expected = socket.getInputStream().readAllBytes();
return Objects.deepEquals(expected, tag);
}
}
// BAD: compare ciphertexts (custom MAC) using a non-constant-time method
public boolean unsafeCheckCiphertextWithOutputArray(Socket socket, Key key) throws Exception {
try (InputStream is = socket.getInputStream()) {
byte[] plaintext = socket.getInputStream().readAllBytes();
MessageDigest md = MessageDigest.getInstance("SHA-512");
md.update(plaintext);
byte[] hash = md.digest();
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, key);
cipher.update(hash);
byte[] tag = new byte[1024];
cipher.doFinal(tag, 0);
byte[] expected = is.readNBytes(32);
return Arrays.equals(expected, tag);
}
}
// BAD: compare ciphertexts (custom MAC) using a non-constant-time method
public boolean unsafeCheckCiphertextWithByteBuffer(Socket socket, Key key) throws Exception {
try (InputStream is = socket.getInputStream()) {
byte[] plaintext = is.readNBytes(300);
MessageDigest md = MessageDigest.getInstance("SHA-512");
md.update(plaintext);
byte[] hash = new byte[1024];
md.digest(hash, 0, hash.length);
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, key);
cipher.update(hash);
ByteBuffer tag = ByteBuffer.wrap(new byte[1024]);
cipher.doFinal(ByteBuffer.wrap(plaintext), tag);
byte[] expected = socket.getInputStream().readNBytes(1024);
return Arrays.equals(expected, tag.array());
}
}
// BAD: compare ciphertexts (custom MAC) using a non-constant-time method
public boolean unsafeCheckCiphertextWithByteBufferEquals(Socket socket, Key key) throws Exception {
try (InputStream is = socket.getInputStream()) {
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, key);
byte[] plaintext = socket.getInputStream().readAllBytes();
cipher.update(plaintext);
ByteBuffer tag = ByteBuffer.wrap(new byte[1024]);
cipher.doFinal(ByteBuffer.wrap(plaintext), tag);
byte[] expected = is.readNBytes(32);
return ByteBuffer.wrap(expected).equals(tag);
}
}
// GOOD: compare ciphertexts (custom MAC) using a constant-time method
public boolean saferCheckCiphertext(Socket socket, Key key) throws Exception {
try (InputStream is = socket.getInputStream()) {
byte[] plaintext = is.readNBytes(200);
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, key);
byte[] hash = MessageDigest.getInstance("SHA-256").digest(plaintext);
byte[] tag = cipher.doFinal(hash);
byte[] expected = socket.getInputStream().readAllBytes();
return MessageDigest.isEqual(expected, tag);
}
}
// GOOD: compare ciphertexts using a constant-time method, but no user input
// but NonConstantTimeCheckOnSignature.ql still detects it
public boolean noUserInputWhenCheckingCiphertext(Socket socket, Key key) throws Exception {
try (InputStream is = socket.getInputStream()) {
byte[] plaintext = is.readNBytes(100);
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, key);
byte[] tag = cipher.doFinal(plaintext);
byte[] expected = is.readNBytes(32);
return Arrays.equals(expected, tag);
}
}
// GOOD: compare MAC with constant using a constant-time method
public boolean compareMacWithConstant(Socket socket) throws Exception {
try (InputStream is = socket.getInputStream()) {
Mac mac = Mac.getInstance("HmacSHA256");
byte[] data = new byte[1024];
socket.getInputStream().read(data);
byte[] actualMac = mac.doFinal(data);
return "constant".equals(new String(actualMac));
}
}
// BAD: compare MAC using a non-constant-time loop
public boolean unsafeMacCheckWithLoop(Socket socket) throws Exception {
try (InputStream is = socket.getInputStream()) {
byte[] data = new byte[256];
byte[] tag = new byte[32];
is.read(data);
is.read(tag);
Mac mac = Mac.getInstance("Hmac256");
byte[] computedTag = mac.doFinal(data);
for (int i = 0; i < computedTag.length; i++) {
byte a = computedTag[i];
byte b = tag[i];
if (a != b) {
return false;
}
}
return true;
}
}
// GOOD: compare MAC using a constant-time loop
public boolean safeMacCheckWithLoop(Socket socket) throws Exception {
try (InputStream is = socket.getInputStream()) {
byte[] data = new byte[256];
byte[] tag = new byte[32];
is.read(data);
is.read(tag);
Mac mac = Mac.getInstance("Hmac256");
byte[] computedTag = mac.doFinal(data);
int result = 0;
for (int i = 0; i < computedTag.length; i++) {
result |= computedTag[i] ^ tag[i];
}
return result == 0;
}
}
}
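Review bot: Two of the GOOD comments do not match the code beneath them: `noUserInputWhenCheckingCiphertext` is described as using a constant-time method but returns `Arrays.equals(expected, tag)`, and `compareMacWithConstant` is described the same way but uses `"constant".equals(new String(actualMac))`. What seems to make them acceptable is what the computed value is compared against, not how, so I would reword them along the lines of `// GOOD: non-constant-time compare, but the other operand is not attacker-controlled`. In the first method `expected` is still read from the socket stream and the accompanying `.expected` file appears to report a result for `tag` there, so the intended verdict should be confirmed. That comment also names `NonConstantTimeCheckOnSignature.ql`, which is not among the query references visible in this part of the commit. In `safeMacCheckWithLoop` the loop runs to `computedTag.length` while indexing the 32-byte `tag`; adding `if (computedTag.length != tag.length) return false;` before the loop keeps the GOOD example from throwing or silently ignoring a length mismatch.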


@@ -0,0 +1 @@
experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.ql


@@ -1,8 +0,0 @@
| MissingJWTSignatureCheck.java:96:9:96:27 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:18:16:18:66 | setSigningKey(...) | here |
| MissingJWTSignatureCheck.java:96:9:96:27 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:22:16:22:73 | setSigningKey(...) | here |
| MissingJWTSignatureCheck.java:96:9:96:27 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:26:16:26:75 | setSigningKey(...) | here |
| MissingJWTSignatureCheck.java:100:9:105:22 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:18:16:18:66 | setSigningKey(...) | here |
| MissingJWTSignatureCheck.java:100:9:105:22 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:22:16:22:73 | setSigningKey(...) | here |
| MissingJWTSignatureCheck.java:100:9:105:22 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:26:16:26:75 | setSigningKey(...) | here |
| MissingJWTSignatureCheck.java:127:9:129:33 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:127:9:128:58 | setSigningKey(...) | here |
| MissingJWTSignatureCheck.java:133:9:140:22 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:133:9:134:58 | setSigningKey(...) | here |


@@ -1 +0,0 @@
experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql


@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../stubs/gson-2.8.6/:${testdir}/../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../stubs/springframework-5.3.8/
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../stubs/gson-2.8.6/:${testdir}/../../../../stubs/jackson-databind-2.12/:${testdir}/../../../../stubs/jackson-core-2.12:${testdir}/../../../../stubs/springframework-5.3.8/


@@ -14,7 +14,10 @@ edges
| InsecureBasicAuth.java:109:19:109:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:110:58:110:63 | uriStr : String |
| InsecureBasicAuth.java:110:29:110:70 | new BasicRequestLine(...) : BasicRequestLine | InsecureBasicAuth.java:119:3:119:6 | post |
| InsecureBasicAuth.java:110:58:110:63 | uriStr : String | InsecureBasicAuth.java:110:29:110:70 | new BasicRequestLine(...) : BasicRequestLine |
| InsecureBasicAuth.java:126:19:126:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:129:21:129:26 | urlStr : String |
| InsecureBasicAuth.java:126:19:126:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:130:28:130:67 | (...)... : URLConnection |
| InsecureBasicAuth.java:129:13:129:27 | new URL(...) : URL | InsecureBasicAuth.java:130:28:130:67 | (...)... : URLConnection |
| InsecureBasicAuth.java:129:21:129:26 | urlStr : String | InsecureBasicAuth.java:129:13:129:27 | new URL(...) : URL |
| InsecureBasicAuth.java:130:28:130:67 | (...)... : URLConnection | InsecureBasicAuth.java:133:3:133:6 | conn |
| InsecureBasicAuth.java:145:21:145:28 | protocol : String | InsecureBasicAuth.java:146:28:146:67 | (...)... : URLConnection |
| InsecureBasicAuth.java:146:28:146:67 | (...)... : URLConnection | InsecureBasicAuth.java:149:3:149:6 | conn |
@@ -40,6 +43,8 @@ nodes
| InsecureBasicAuth.java:110:58:110:63 | uriStr : String | semmle.label | uriStr : String |
| InsecureBasicAuth.java:119:3:119:6 | post | semmle.label | post |
| InsecureBasicAuth.java:126:19:126:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String |
| InsecureBasicAuth.java:129:13:129:27 | new URL(...) : URL | semmle.label | new URL(...) : URL |
| InsecureBasicAuth.java:129:21:129:26 | urlStr : String | semmle.label | urlStr : String |
| InsecureBasicAuth.java:130:28:130:67 | (...)... : URLConnection | semmle.label | (...)... : URLConnection |
| InsecureBasicAuth.java:133:3:133:6 | conn | semmle.label | conn |
| InsecureBasicAuth.java:145:21:145:28 | protocol : String | semmle.label | protocol : String |


@@ -1,31 +0,0 @@
edges
| UnsafeActivity1.java:31:20:31:30 | getIntent(...) : Intent | UnsafeActivity1.java:32:14:32:20 | thisUrl |
| UnsafeActivity2.java:31:20:31:30 | getIntent(...) : Intent | UnsafeActivity2.java:32:14:32:20 | thisUrl |
| UnsafeActivity3.java:31:20:31:30 | getIntent(...) : Intent | UnsafeActivity3.java:32:14:32:20 | thisUrl |
| UnsafeAndroidAccess.java:31:20:31:30 | getIntent(...) : Intent | UnsafeAndroidAccess.java:32:14:32:20 | thisUrl |
| UnsafeAndroidAccess.java:54:20:54:30 | getIntent(...) : Intent | UnsafeAndroidAccess.java:55:14:55:20 | thisUrl |
| UnsafeAndroidAccess.java:96:20:96:30 | getIntent(...) : Intent | UnsafeAndroidAccess.java:97:14:97:20 | thisUrl |
| UnsafeAndroidBroadcastReceiver.java:16:41:16:53 | intent : Intent | UnsafeAndroidBroadcastReceiver.java:32:14:32:20 | thisUrl |
nodes
| UnsafeActivity1.java:31:20:31:30 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
| UnsafeActivity1.java:32:14:32:20 | thisUrl | semmle.label | thisUrl |
| UnsafeActivity2.java:31:20:31:30 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
| UnsafeActivity2.java:32:14:32:20 | thisUrl | semmle.label | thisUrl |
| UnsafeActivity3.java:31:20:31:30 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
| UnsafeActivity3.java:32:14:32:20 | thisUrl | semmle.label | thisUrl |
| UnsafeAndroidAccess.java:31:20:31:30 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
| UnsafeAndroidAccess.java:32:14:32:20 | thisUrl | semmle.label | thisUrl |
| UnsafeAndroidAccess.java:54:20:54:30 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
| UnsafeAndroidAccess.java:55:14:55:20 | thisUrl | semmle.label | thisUrl |
| UnsafeAndroidAccess.java:96:20:96:30 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
| UnsafeAndroidAccess.java:97:14:97:20 | thisUrl | semmle.label | thisUrl |
| UnsafeAndroidBroadcastReceiver.java:16:41:16:53 | intent : Intent | semmle.label | intent : Intent |
| UnsafeAndroidBroadcastReceiver.java:32:14:32:20 | thisUrl | semmle.label | thisUrl |
#select
| UnsafeActivity1.java:32:3:32:21 | loadUrl(...) | UnsafeActivity1.java:31:20:31:30 | getIntent(...) : Intent | UnsafeActivity1.java:32:14:32:20 | thisUrl | Unsafe resource fetching in Android webview due to $@. | UnsafeActivity1.java:31:20:31:30 | getIntent(...) | user input vulnerable to cross-origin and sensitive resource disclosure attacks |
| UnsafeActivity2.java:32:3:32:21 | loadUrl(...) | UnsafeActivity2.java:31:20:31:30 | getIntent(...) : Intent | UnsafeActivity2.java:32:14:32:20 | thisUrl | Unsafe resource fetching in Android webview due to $@. | UnsafeActivity2.java:31:20:31:30 | getIntent(...) | user input vulnerable to cross-origin and sensitive resource disclosure attacks |
| UnsafeActivity3.java:32:3:32:21 | loadUrl(...) | UnsafeActivity3.java:31:20:31:30 | getIntent(...) : Intent | UnsafeActivity3.java:32:14:32:20 | thisUrl | Unsafe resource fetching in Android webview due to $@. | UnsafeActivity3.java:31:20:31:30 | getIntent(...) | user input vulnerable to cross-origin and sensitive resource disclosure attacks |
| UnsafeAndroidAccess.java:32:3:32:21 | loadUrl(...) | UnsafeAndroidAccess.java:31:20:31:30 | getIntent(...) : Intent | UnsafeAndroidAccess.java:32:14:32:20 | thisUrl | Unsafe resource fetching in Android webview due to $@. | UnsafeAndroidAccess.java:31:20:31:30 | getIntent(...) | user input vulnerable to cross-origin and sensitive resource disclosure attacks |
| UnsafeAndroidAccess.java:55:3:55:21 | loadUrl(...) | UnsafeAndroidAccess.java:54:20:54:30 | getIntent(...) : Intent | UnsafeAndroidAccess.java:55:14:55:20 | thisUrl | Unsafe resource fetching in Android webview due to $@. | UnsafeAndroidAccess.java:54:20:54:30 | getIntent(...) | user input vulnerable to cross-origin and sensitive resource disclosure attacks |
| UnsafeAndroidAccess.java:97:3:97:21 | loadUrl(...) | UnsafeAndroidAccess.java:96:20:96:30 | getIntent(...) : Intent | UnsafeAndroidAccess.java:97:14:97:20 | thisUrl | Unsafe resource fetching in Android webview due to $@. | UnsafeAndroidAccess.java:96:20:96:30 | getIntent(...) | user input vulnerable to XSS attacks |
| UnsafeAndroidBroadcastReceiver.java:32:3:32:21 | loadUrl(...) | UnsafeAndroidBroadcastReceiver.java:16:41:16:53 | intent : Intent | UnsafeAndroidBroadcastReceiver.java:32:14:32:20 | thisUrl | Unsafe resource fetching in Android webview due to $@. | UnsafeAndroidBroadcastReceiver.java:16:41:16:53 | intent | user input vulnerable to cross-origin and sensitive resource disclosure attacks |


@@ -1 +0,0 @@
experimental/Security/CWE/CWE-749/UnsafeAndroidAccess.ql


@@ -1 +0,0 @@
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/google-android-9.0.0


@@ -1,48 +0,0 @@
edges
| OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:17:19:17:22 | tree |
| OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:18:19:18:22 | tree |
| OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:20:17:20:27 | (...)... : Object |
| OgnlInjection.java:20:17:20:27 | (...)... : Object | OgnlInjection.java:21:5:21:8 | node |
| OgnlInjection.java:20:17:20:27 | (...)... : Object | OgnlInjection.java:22:5:22:8 | node |
| OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:28:19:28:22 | tree |
| OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:29:19:29:22 | tree |
| OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:31:5:31:8 | tree |
| OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:32:5:32:8 | tree |
| OgnlInjection.java:36:40:36:64 | expr : String | OgnlInjection.java:37:19:37:22 | expr |
| OgnlInjection.java:36:40:36:64 | expr : String | OgnlInjection.java:38:19:38:22 | expr |
| OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:44:19:44:22 | expr |
| OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:45:19:45:22 | expr |
| OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:46:31:46:34 | expr |
nodes
| OgnlInjection.java:15:39:15:63 | expr : String | semmle.label | expr : String |
| OgnlInjection.java:17:19:17:22 | tree | semmle.label | tree |
| OgnlInjection.java:18:19:18:22 | tree | semmle.label | tree |
| OgnlInjection.java:20:17:20:27 | (...)... : Object | semmle.label | (...)... : Object |
| OgnlInjection.java:21:5:21:8 | node | semmle.label | node |
| OgnlInjection.java:22:5:22:8 | node | semmle.label | node |
| OgnlInjection.java:26:41:26:65 | expr : String | semmle.label | expr : String |
| OgnlInjection.java:28:19:28:22 | tree | semmle.label | tree |
| OgnlInjection.java:29:19:29:22 | tree | semmle.label | tree |
| OgnlInjection.java:31:5:31:8 | tree | semmle.label | tree |
| OgnlInjection.java:32:5:32:8 | tree | semmle.label | tree |
| OgnlInjection.java:36:40:36:64 | expr : String | semmle.label | expr : String |
| OgnlInjection.java:37:19:37:22 | expr | semmle.label | expr |
| OgnlInjection.java:38:19:38:22 | expr | semmle.label | expr |
| OgnlInjection.java:42:26:42:50 | expr : String | semmle.label | expr : String |
| OgnlInjection.java:44:19:44:22 | expr | semmle.label | expr |
| OgnlInjection.java:45:19:45:22 | expr | semmle.label | expr |
| OgnlInjection.java:46:31:46:34 | expr | semmle.label | expr |
#select
| OgnlInjection.java:17:19:17:22 | tree | OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:17:19:17:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:15:39:15:63 | expr | this user input |
| OgnlInjection.java:18:19:18:22 | tree | OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:18:19:18:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:15:39:15:63 | expr | this user input |
| OgnlInjection.java:21:5:21:8 | node | OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:21:5:21:8 | node | OGNL expression might include input from $@. | OgnlInjection.java:15:39:15:63 | expr | this user input |
| OgnlInjection.java:22:5:22:8 | node | OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:22:5:22:8 | node | OGNL expression might include input from $@. | OgnlInjection.java:15:39:15:63 | expr | this user input |
| OgnlInjection.java:28:19:28:22 | tree | OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:28:19:28:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:26:41:26:65 | expr | this user input |
| OgnlInjection.java:29:19:29:22 | tree | OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:29:19:29:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:26:41:26:65 | expr | this user input |
| OgnlInjection.java:31:5:31:8 | tree | OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:31:5:31:8 | tree | OGNL expression might include input from $@. | OgnlInjection.java:26:41:26:65 | expr | this user input |
| OgnlInjection.java:32:5:32:8 | tree | OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:32:5:32:8 | tree | OGNL expression might include input from $@. | OgnlInjection.java:26:41:26:65 | expr | this user input |
| OgnlInjection.java:37:19:37:22 | expr | OgnlInjection.java:36:40:36:64 | expr : String | OgnlInjection.java:37:19:37:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:36:40:36:64 | expr | this user input |
| OgnlInjection.java:38:19:38:22 | expr | OgnlInjection.java:36:40:36:64 | expr : String | OgnlInjection.java:38:19:38:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:36:40:36:64 | expr | this user input |
| OgnlInjection.java:44:19:44:22 | expr | OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:44:19:44:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:42:26:42:50 | expr | this user input |
| OgnlInjection.java:45:19:45:22 | expr | OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:45:19:45:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:42:26:42:50 | expr | this user input |
| OgnlInjection.java:46:31:46:34 | expr | OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:46:31:46:34 | expr | OGNL expression might include input from $@. | OgnlInjection.java:42:26:42:50 | expr | this user input |


@@ -1,48 +0,0 @@
import ognl.Node;
import ognl.Ognl;
import java.util.HashMap;
import com.opensymphony.xwork2.ognl.OgnlUtil;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class OgnlInjection {
@RequestMapping
public void testOgnlParseExpression(@RequestParam String expr) throws Exception {
Object tree = Ognl.parseExpression(expr);
Ognl.getValue(tree, new HashMap<>(), new Object());
Ognl.setValue(tree, new HashMap<>(), new Object());
Node node = (Node) tree;
node.getValue(null, new Object());
node.setValue(null, new Object(), new Object());
}
@RequestMapping
public void testOgnlCompileExpression(@RequestParam String expr) throws Exception {
Node tree = Ognl.compileExpression(null, new Object(), expr);
Ognl.getValue(tree, new HashMap<>(), new Object());
Ognl.setValue(tree, new HashMap<>(), new Object());
tree.getValue(null, new Object());
tree.setValue(null, new Object(), new Object());
}
@RequestMapping
public void testOgnlDirectlyToGetSet(@RequestParam String expr) throws Exception {
Ognl.getValue(expr, new Object());
Ognl.setValue(expr, new Object(), new Object());
}
@RequestMapping
public void testStruts(@RequestParam String expr) throws Exception {
OgnlUtil ognl = new OgnlUtil();
ognl.getValue(expr, new HashMap<>(), new Object());
ognl.setValue(expr, new HashMap<>(), new Object(), new Object());
new OgnlUtil().callMethod(expr, new HashMap<>(), new Object());
}
}


@@ -1 +0,0 @@
experimental/Security/CWE/CWE-917/OgnlInjection.ql


@@ -1 +0,0 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/ognl-3.2.14:${testdir}/../../../stubs/struts2-core-2.5.22


@@ -1,32 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package groovy.lang;
public class GroovyClassLoader {
public GroovyClassLoader() {
}
public Class parseClass(String text) {
return null;
}
public Class parseClass(GroovyCodeSource gcs) {
return null;
}
}


@@ -1,66 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package groovy.lang;
import java.util.*;
public class GroovyShell {
public GroovyShell() {}
public Object evaluate(GroovyCodeSource codeSource) {
return null;
}
public Object evaluate(String scriptText) {
return null;
}
public Object evaluate(String scriptText, String fileName) {
return null;
}
public Object evaluate(String scriptText, final String fileName, final String codeBase) {
return null;
}
public Object run(String scriptText, String fileName, List<String> list) {
return null;
}
public Object run(String scriptText, String fileName, String[] args) {
return null;
}
public Object run(GroovyCodeSource source, List<String> args) {
return null;
}
public Object run(GroovyCodeSource source, String[] args) {
return null;
}
public Script parse(String scriptText) {
return null;
}
public Script parse(final String scriptText, final String fileName) {
return null;
}
}


@@ -1,41 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package groovy.util;
public class Eval {
public static Object me(final String expression) {
return me(null, null, expression);
}
public static Object me(final String symbol, final Object object, final String expression) {
return null;
}
public static Object x(final Object x, final String expression) {
return me("x", x, expression);
}
public static Object xy(final Object x, final Object y, final String expression) {
return null;
}
public static Object xyz(final Object x, final Object y, final Object z, final String expression) {
return null;
}
}


@@ -29,7 +29,7 @@ class Test {
public static void sink(Object any) {}
public static void jacksonObjectMapper() throws java.io.FileNotFoundException, java.io.UnsupportedEncodingException {
public static void jacksonObjectMapper() throws Exception {
String s = taint();
ObjectMapper om = new ObjectMapper();
File file = new File("testFile");
@@ -52,7 +52,7 @@ class Test {
sink(reconstructed); //$hasTaintFlow
}
public static void jacksonObjectWriter() throws java.io.FileNotFoundException, java.io.UnsupportedEncodingException {
public static void jacksonObjectWriter() throws Exception {
String s = taint();
ObjectWriter ow = new ObjectWriter();
File file = new File("testFile");
@@ -89,7 +89,7 @@ class Test {
ObjectMapper om = new ObjectMapper();
ObjectReader reader = om.readerFor(Potato.class);
sink(reader.readValues(s)); //$hasTaintFlow
Iterator<Potato> pIterator = reader.readValues(s, Potato.class);
Iterator<Potato> pIterator = reader.readValues(s);
while(pIterator.hasNext()) {
Potato p = pIterator.next();
sink(p); //$hasTaintFlow


@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jackson-databind-2.10
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12


@@ -34,6 +34,12 @@ public class B {
// tainted - data preserving constructors
String constructed = new String(complex);
sink(constructed);
// tainted - data preserving method
String valueOf = String.valueOf(complex.toCharArray());
sink(valueOf);
// tainted - data preserving method
String valueOfSubstring = String.valueOf(complex.toCharArray(), 0, 1);
sink(valueOfSubstring);
// tainted - unsafe escape
String badEscape = constructed.replaceAll("(<script>)", "");
sink(badEscape);
@@ -49,7 +55,11 @@ public class B {
// non-whitelisted constructors don't pass taint
StringWrapper herring = new StringWrapper(complex);
sink(herring);
// toString does not pass taint yet
String valueOfObject = String.valueOf(args);
sink(valueOfObject);
// tainted equality check with constant
boolean cond = "foo" == s;
sink(cond);
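Review bot: The comment `// toString does not pass taint yet`, added in the second hunk, sits above `String.valueOf(args)` rather than a `toString()` call, so a reader must already know that `String.valueOf(Object)` delegates to `toString()` to see why no flow is expected. Assuming `args` is an array or other non-`char[]` object (its declaration is outside the hunk), I would spell the link out: `// String.valueOf(Object) delegates to toString(), which does not pass taint yet`. The word "yet" suggests this pins a known gap in the taint model rather than a safe conversion, and the comment should say so, so that the missing result is not read as evidence that the call sanitizes its input. The enclosing method starts and ends outside both hunks.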


@@ -10,31 +10,33 @@
| B.java:15:21:15:27 | taint(...) | B.java:30:10:30:15 | method |
| B.java:15:21:15:27 | taint(...) | B.java:33:10:33:16 | complex |
| B.java:15:21:15:27 | taint(...) | B.java:36:10:36:20 | constructed |
| B.java:15:21:15:27 | taint(...) | B.java:39:10:39:18 | badEscape |
| B.java:15:21:15:27 | taint(...) | B.java:42:10:42:14 | token |
| B.java:15:21:15:27 | taint(...) | B.java:55:10:55:13 | cond |
| B.java:15:21:15:27 | taint(...) | B.java:58:10:58:14 | logic |
| B.java:15:21:15:27 | taint(...) | B.java:60:10:60:39 | endsWith(...) |
| B.java:15:21:15:27 | taint(...) | B.java:63:10:63:14 | logic |
| B.java:15:21:15:27 | taint(...) | B.java:66:10:66:14 | logic |
| B.java:15:21:15:27 | taint(...) | B.java:74:10:74:16 | trimmed |
| B.java:15:21:15:27 | taint(...) | B.java:76:10:76:14 | split |
| B.java:15:21:15:27 | taint(...) | B.java:78:10:78:14 | lower |
| B.java:15:21:15:27 | taint(...) | B.java:80:10:80:14 | upper |
| B.java:15:21:15:27 | taint(...) | B.java:82:10:82:14 | bytes |
| B.java:15:21:15:27 | taint(...) | B.java:84:10:84:17 | toString |
| B.java:15:21:15:27 | taint(...) | B.java:86:10:86:13 | subs |
| B.java:15:21:15:27 | taint(...) | B.java:88:10:88:13 | repl |
| B.java:15:21:15:27 | taint(...) | B.java:90:10:90:16 | replAll |
| B.java:15:21:15:27 | taint(...) | B.java:92:10:92:18 | replFirst |
| B.java:15:21:15:27 | taint(...) | B.java:105:12:105:25 | serializedData |
| B.java:15:21:15:27 | taint(...) | B.java:117:12:117:27 | deserializedData |
| B.java:15:21:15:27 | taint(...) | B.java:126:10:126:21 | taintedArray |
| B.java:15:21:15:27 | taint(...) | B.java:128:10:128:22 | taintedArray2 |
| B.java:15:21:15:27 | taint(...) | B.java:130:10:130:22 | taintedArray3 |
| B.java:15:21:15:27 | taint(...) | B.java:133:10:133:44 | toURL(...) |
| B.java:15:21:15:27 | taint(...) | B.java:136:10:136:37 | toPath(...) |
| B.java:15:21:15:27 | taint(...) | B.java:139:10:139:46 | toFile(...) |
| B.java:15:21:15:27 | taint(...) | B.java:39:10:39:16 | valueOf |
| B.java:15:21:15:27 | taint(...) | B.java:42:10:42:25 | valueOfSubstring |
| B.java:15:21:15:27 | taint(...) | B.java:45:10:45:18 | badEscape |
| B.java:15:21:15:27 | taint(...) | B.java:48:10:48:14 | token |
| B.java:15:21:15:27 | taint(...) | B.java:65:10:65:13 | cond |
| B.java:15:21:15:27 | taint(...) | B.java:68:10:68:14 | logic |
| B.java:15:21:15:27 | taint(...) | B.java:70:10:70:39 | endsWith(...) |
| B.java:15:21:15:27 | taint(...) | B.java:73:10:73:14 | logic |
| B.java:15:21:15:27 | taint(...) | B.java:76:10:76:14 | logic |
| B.java:15:21:15:27 | taint(...) | B.java:84:10:84:16 | trimmed |
| B.java:15:21:15:27 | taint(...) | B.java:86:10:86:14 | split |
| B.java:15:21:15:27 | taint(...) | B.java:88:10:88:14 | lower |
| B.java:15:21:15:27 | taint(...) | B.java:90:10:90:14 | upper |
| B.java:15:21:15:27 | taint(...) | B.java:92:10:92:14 | bytes |
| B.java:15:21:15:27 | taint(...) | B.java:94:10:94:17 | toString |
| B.java:15:21:15:27 | taint(...) | B.java:96:10:96:13 | subs |
| B.java:15:21:15:27 | taint(...) | B.java:98:10:98:13 | repl |
| B.java:15:21:15:27 | taint(...) | B.java:100:10:100:16 | replAll |
| B.java:15:21:15:27 | taint(...) | B.java:102:10:102:18 | replFirst |
| B.java:15:21:15:27 | taint(...) | B.java:115:12:115:25 | serializedData |
| B.java:15:21:15:27 | taint(...) | B.java:127:12:127:27 | deserializedData |
| B.java:15:21:15:27 | taint(...) | B.java:136:10:136:21 | taintedArray |
| B.java:15:21:15:27 | taint(...) | B.java:138:10:138:22 | taintedArray2 |
| B.java:15:21:15:27 | taint(...) | B.java:140:10:140:22 | taintedArray3 |
| B.java:15:21:15:27 | taint(...) | B.java:143:10:143:44 | toURL(...) |
| B.java:15:21:15:27 | taint(...) | B.java:146:10:146:37 | toPath(...) |
| B.java:15:21:15:27 | taint(...) | B.java:149:10:149:46 | toFile(...) |
| MethodFlow.java:7:22:7:28 | taint(...) | MethodFlow.java:8:10:8:16 | tainted |
| MethodFlow.java:9:31:9:37 | taint(...) | MethodFlow.java:10:10:10:17 | tainted2 |
| MethodFlow.java:11:35:11:41 | taint(...) | MethodFlow.java:12:10:12:17 | tainted3 |


@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.10:${testdir}/../../../stubs/akka-2.6.x
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12:${testdir}/../../../stubs/akka-2.6.x


@@ -5,3 +5,7 @@
| fields/FieldTest.java:5:9:5:39 | Object obj, ...; | 1/2 | fields/FieldTest.java:5:35:5:38 | obj2 |
| fields/FieldTest.java:6:9:6:58 | List<> l, ...; | 0/2 | fields/FieldTest.java:6:54:6:54 | l |
| fields/FieldTest.java:6:9:6:58 | List<> l, ...; | 1/2 | fields/FieldTest.java:6:57:6:57 | m |
| fields/FieldTest.java:7:9:7:18 | int x, ...; | 0/1 | fields/FieldTest.java:7:13:7:13 | x |
| fields/FieldTest.java:8:9:8:22 | int y, ...; | 0/1 | fields/FieldTest.java:8:13:8:13 | y |
| fields/FieldTest.java:12:9:12:25 | int z, ...; | 0/1 | fields/FieldTest.java:12:20:12:20 | z |
| fields/FieldTest.java:13:9:13:29 | int w, ...; | 0/1 | fields/FieldTest.java:13:20:13:20 | w |


@@ -1,3 +1,7 @@
| List<> l, ...; | 6 | 9 | 6 | 58 |
| Object obj, ...; | 5 | 9 | 5 | 39 |
| float ff, ...; | 4 | 9 | 4 | 32 |
| int w, ...; | 13 | 9 | 13 | 29 |
| int x, ...; | 7 | 9 | 7 | 18 |
| int y, ...; | 8 | 9 | 8 | 22 |
| int z, ...; | 12 | 9 | 12 | 25 |


@@ -0,0 +1,6 @@
| fields/FieldTest.java:4:19:4:19 | g | fields/FieldTest.java:4:23:4:26 | 2.3f |
| fields/FieldTest.java:5:23:5:25 | obj | fields/FieldTest.java:5:29:5:32 | null |
| fields/FieldTest.java:7:13:7:13 | x | fields/FieldTest.java:7:17:7:17 | 0 |
| fields/FieldTest.java:8:13:8:13 | y | fields/FieldTest.java:8:17:8:21 | ...=... |
| fields/FieldTest.java:12:20:12:20 | z | fields/FieldTest.java:12:24:12:24 | 0 |
| fields/FieldTest.java:13:20:13:20 | w | fields/FieldTest.java:13:24:13:28 | ...=... |


@@ -0,0 +1,4 @@
import java
from Field f
select f, f.getInitializer()
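Review bot: The new query has no comment stating what it pins, and `select f, f.getInitializer()` yields a row only for fields that have an initializer, so fields without one are dropped without any visible reason. The fixture's own comments say that assignments in initializer blocks must not be reported, which is the real intent of the test. A header line on the query would record that: `// Selects only fields with a declared initializer; assignments inside initializer blocks must not appear.`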


@@ -5,3 +5,7 @@
| fields/FieldTest.java:5:35:5:38 | obj2 | 5 | 35 | 5 | 38 |
| fields/FieldTest.java:6:54:6:54 | l | 6 | 54 | 6 | 54 |
| fields/FieldTest.java:6:57:6:57 | m | 6 | 57 | 6 | 57 |
| fields/FieldTest.java:7:13:7:13 | x | 7 | 13 | 7 | 13 |
| fields/FieldTest.java:8:13:8:13 | y | 8 | 13 | 8 | 13 |
| fields/FieldTest.java:12:20:12:20 | z | 12 | 20 | 12 | 20 |
| fields/FieldTest.java:13:20:13:20 | w | 13 | 20 | 13 | 20 |


@@ -12,3 +12,29 @@ fields/FieldTest.java:
# 6| 1: [Annotation] SuppressWarnings
# 6| 1: [StringLiteral] "rawtypes"
# 6| -1: [TypeAccess] List<>
# 7| 7: [FieldDeclaration] int x, ...;
# 7| -1: [TypeAccess] int
# 7| 0: [IntegerLiteral] 0
# 8| 8: [FieldDeclaration] int y, ...;
# 8| -1: [TypeAccess] int
# 8| 0: [AssignExpr] ...=...
# 8| 0: [VarAccess] x
# 8| 1: [IntegerLiteral] 1
# 9| 9: [BlockStmt] { ... }
# 10| 0: [ExprStmt] <Expr>;
# 10| 0: [AssignExpr] ...=...
# 10| 0: [VarAccess] x
# 10| 1: [IntegerLiteral] 2
# 12| 10: [FieldDeclaration] int z, ...;
# 12| -1: [TypeAccess] int
# 12| 0: [IntegerLiteral] 0
# 13| 11: [FieldDeclaration] int w, ...;
# 13| -1: [TypeAccess] int
# 13| 0: [AssignExpr] ...=...
# 13| 0: [VarAccess] z
# 13| 1: [IntegerLiteral] 1
# 14| 12: [BlockStmt] { ... }
# 15| 0: [ExprStmt] <Expr>;
# 15| 0: [AssignExpr] ...=...
# 15| 0: [VarAccess] z
# 15| 1: [IntegerLiteral] 2


@@ -4,4 +4,14 @@ public class FieldTest {
float ff, g = 2.3f, hhh;
static Object obj = null, obj2;
@SuppressWarnings("rawtypes") java.util.List l, m;
int x = 0;
int y = x = 1;
{
x = 2; // Shouldn't show up as an initializer
}
static int z = 0;
static int w = z = 1;
static {
z = 2; // Shouldn't show up as an initializer
}
}


@@ -71,7 +71,7 @@ public class JakartaRs1 { // $ RootResourceClass
@Produces("text/html") // $ ProducesAnnotation=text/html
@POST
boolean Post() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass
return false;
return false; // $ XssSink
}
@Produces(MediaType.TEXT_PLAIN) // $ ProducesAnnotation=text/plain
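Review bot: The new `// $ XssSink` expectation on `return false;` in `Post()` marks a `boolean` return value as an XSS sink, although a boolean cannot carry markup, so the line reads as if a boolean response were itself a risk. If the intent is to pin that the sink is selected from the `@Produces("text/html")` content type regardless of the return type, a comment on the line above would make that explicit: `// Sink is chosen by the text/html content type; the boolean return type is not considered.` Keep it on its own line so the inline-expectation comment stays unchanged. The same applies to the identical change to `Post()` in the JaxRs1 section further down.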


@@ -25,7 +25,8 @@ class JaxRsTest extends InlineExpectationsTest {
element = resourceMethod.toString() and
if exists(resourceMethod.getProducesAnnotation())
then
value = resourceMethod.getProducesAnnotation().getADeclaredContentType() and
value =
getContentTypeString(resourceMethod.getProducesAnnotation().getADeclaredContentTypeExpr()) and
value != ""
else
// Filter out empty strings that stem from using stubs.
@@ -143,7 +144,7 @@ class JaxRsTest extends InlineExpectationsTest {
exists(JaxRSProducesAnnotation producesAnnotation |
producesAnnotation.getLocation() = location and
element = producesAnnotation.toString() and
value = producesAnnotation.getADeclaredContentType() and
value = getContentTypeString(producesAnnotation.getADeclaredContentTypeExpr()) and
value != ""
// Filter out empty strings that stem from using stubs.
// If we built the test against the real JAR then the field


@@ -71,7 +71,7 @@ public class JaxRs1 { // $ RootResourceClass
@Produces("text/html") // $ ProducesAnnotation=text/html
@POST
boolean Post() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass
return false;
return false; // $ XssSink
}
@Produces(MediaType.TEXT_PLAIN) // $ ProducesAnnotation=text/plain


@@ -9,6 +9,8 @@ class SummaryModelTest extends SummaryModelCsv {
row =
[
//"package;type;overrides;name;signature;ext;inputspec;outputspec;kind",
// This is temporarily modelled for the helper function newEnumerationWithElement, until the relevant package is modelled
"org.apache.commons.collections4.iterators;IteratorEnumeration;true;IteratorEnumeration;;;Element of Argument[0];Element of Argument[-1];value",
"generatedtest;Test;false;newRBWithMapValue;;;Argument[0];MapValue of ReturnValue;value",
"generatedtest;Test;false;newRBWithMapKey;;;Argument[0];MapKey of ReturnValue;value"
]
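Review bot: The comment on the added `IteratorEnumeration` row calls the model temporary but leaves no marker for removing it. Once the `org.apache.commons.collections4.iterators` package gets a library model, this test-local row would presumably stay behind as a silent duplicate. I would make it greppable, e.g. `// TODO(<tracking-issue placeholder>): drop this row once org.apache.commons.collections4.iterators is modelled`. The enclosing `SummaryModelTest` class continues outside this hunk.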


@@ -0,0 +1,181 @@
package generatedtest;
import com.google.common.cache.Cache;
import com.google.common.cache.LoadingCache;
import com.google.common.cache.CacheBuilder;
import com.google.common.collect.ImmutableMap;
import java.util.Map;
import java.util.concurrent.ConcurrentMap;
import java.util.HashMap;
import java.util.List;
import java.util.ArrayList;
// Test case generated by GenerateFlowTestCase.ql
public class Test {
<K,V> K getMapKey(Map<K,V> container) { return container.keySet().iterator().next(); }
<K,V> K getMapKey(Cache<K,V> container) { return getMapKey(container.asMap()); }
<K,V> V getMapValue(Map<K,V> container) { return container.values().iterator().next(); }
<K,V> V getMapValue(Cache<K,V> container) { return getMapValue(container.asMap()); }
<T> Iterable<T> newWithElement(T element) {
List<T> l = new ArrayList();
l.add(element);
return l;
}
<K,V> Map<K,V> newMapWithMapKey(K element) {
Map<K,V> m = new HashMap<K,V>();
m.put(element, null);
return m;
}
<K,V> LoadingCache<K,V> newCacheWithMapKey(K element) {
LoadingCache<K,V> lc = CacheBuilder.newBuilder().build(null);
lc.put(element, null);
return lc;
}
<K,V> Map<K,V> newMapWithMapValue(V element) {
Map<K,V> m = new HashMap<K,V>();
m.put(null, element);
return m;
}
<K,V> LoadingCache<K,V> newCacheWithMapValue(V element) {
LoadingCache<K,V> lc = CacheBuilder.newBuilder().build(null);
lc.put(null, element);
return lc;
}
<T> T source() { return null; }
void sink(Object o) { }
public void test() throws Exception {
{
// "com.google.common.cache;Cache;true;asMap;();;MapKey of Argument[-1];MapKey of ReturnValue;value"
ConcurrentMap out = null;
LoadingCache in = newCacheWithMapKey(source());
out = in.asMap();
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "com.google.common.cache;Cache;true;asMap;();;MapKey of Argument[-1];MapKey of ReturnValue;value"
ConcurrentMap out = null;
Cache in = newCacheWithMapKey(source());
out = in.asMap();
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "com.google.common.cache;Cache;true;asMap;();;MapValue of Argument[-1];MapValue of ReturnValue;value"
ConcurrentMap out = null;
LoadingCache in = newCacheWithMapValue(source());
out = in.asMap();
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "com.google.common.cache;Cache;true;asMap;();;MapValue of Argument[-1];MapValue of ReturnValue;value"
ConcurrentMap out = null;
Cache in = newCacheWithMapValue(source());
out = in.asMap();
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "com.google.common.cache;Cache;true;get;(Object,Callable);;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
Cache in = newCacheWithMapValue(source());
out = in.get(null, null);
sink(out); // $ hasValueFlow
}
{
// "com.google.common.cache;Cache;true;getAllPresent;(Iterable);;Element of Argument[0];MapKey of ReturnValue;value"
ImmutableMap out = null;
Iterable in = newWithElement(source());
Cache instance = null;
out = instance.getAllPresent(in);
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "com.google.common.cache;Cache;true;getAllPresent;(Iterable);;MapKey of Argument[-1];MapKey of ReturnValue;value"
ImmutableMap out = null;
Cache in = newCacheWithMapKey(source());
out = in.getAllPresent(null);
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "com.google.common.cache;Cache;true;getIfPresent;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
Cache in = newCacheWithMapValue(source());
out = in.getIfPresent(null);
sink(out); // $ hasValueFlow
}
{
// "com.google.common.cache;Cache;true;put;(Object,Object);;Argument[0];MapKey of Argument[-1];value"
Cache out = null;
Object in = source();
out.put(in, null);
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "com.google.common.cache;Cache;true;put;(Object,Object);;Argument[1];MapValue of Argument[-1];value"
Cache out = null;
Object in = source();
out.put(null, in);
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "com.google.common.cache;Cache;true;putAll;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value"
Cache out = null;
Map in = newMapWithMapKey(source());
out.putAll(in);
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "com.google.common.cache;Cache;true;putAll;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value"
Cache out = null;
Map in = newMapWithMapValue(source());
out.putAll(in);
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "com.google.common.cache;LoadingCache;true;apply;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
LoadingCache in = newCacheWithMapValue(source());
out = in.apply(null);
sink(out); // $ hasValueFlow
}
{
// "com.google.common.cache;LoadingCache;true;get;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
LoadingCache in = newCacheWithMapValue(source());
out = in.get(null);
sink(out); // $ hasValueFlow
}
{
// "com.google.common.cache;LoadingCache;true;getAll;(Iterable);;Element of Argument[0];MapKey of Argument[-1];value"
LoadingCache out = null;
Iterable in = (Iterable)newWithElement(source());
out.getAll(in);
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "com.google.common.cache;LoadingCache;true;getAll;(Iterable);;Element of Argument[0];MapKey of ReturnValue;value"
ImmutableMap out = null;
Iterable in = (Iterable)newWithElement(source());
LoadingCache instance = null;
out = instance.getAll(in);
sink(getMapKey(out)); // $ hasValueFlow
}
{
// "com.google.common.cache;LoadingCache;true;getAll;(Iterable);;MapValue of Argument[-1];MapValue of ReturnValue;value"
ImmutableMap out = null;
LoadingCache in = newCacheWithMapValue(source());
out = in.getAll(null);
sink(getMapValue(out)); // $ hasValueFlow
}
{
// "com.google.common.cache;LoadingCache;true;getUnchecked;;;MapValue of Argument[-1];ReturnValue;value"
Object out = null;
LoadingCache in = newCacheWithMapValue(source());
out = in.getUnchecked(null);
sink(out); // $ hasValueFlow
}
}
}


@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/guava-30.0


@@ -0,0 +1,53 @@
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.ExternalFlow
import semmle.code.java.dataflow.TaintTracking
import TestUtilities.InlineExpectationsTest
class ValueFlowConf extends DataFlow::Configuration {
ValueFlowConf() { this = "qltest:valueFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
}
class TaintFlowConf extends TaintTracking::Configuration {
TaintFlowConf() { this = "qltest:taintFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
}
class HasFlowTest extends InlineExpectationsTest {
HasFlowTest() { this = "HasFlowTest" }
override string getARelevantTag() { result = ["hasValueFlow", "hasTaintFlow"] }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasValueFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
or
tag = "hasTaintFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf |
conf.hasFlow(src, sink) and not any(ValueFlowConf c).hasFlow(src, sink)
|
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}
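Review bot: This new `test.ql` is repeated almost line for line in three more files added by the same commit (the other 53-line one and the two 52-line ones below); `ValueFlowConf`, `TaintFlowConf` and `HasFlowTest` are identical in each. Moving the three classes into one shared module next to `TestUtilities.InlineExpectationsTest` and importing it from each test directory would leave a single place to change the name-based `source`/`sink` matching. Separately, `import semmle.code.java.dataflow.ExternalFlow` does not appear to be used by anything visible in this file and is absent from the two 52-line copies, so it can probably be dropped unless a model class is meant to be added here.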


@@ -0,0 +1,316 @@
package generatedtest;
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectReader;
import java.io.DataInput;
import java.io.File;
import java.io.InputStream;
import java.io.Reader;
import java.net.URL;
import java.util.Map;
// Test case generated by GenerateFlowTestCase.ql
public class Test {
Object newWithMapValue(Object element) {
return Map.of(null, element);
}
Object source() {
return null;
}
void sink(Object o) {}
public void test() throws Exception {
{
// "com.fasterxml.jackson.core;JsonFactory;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
char[] in = (char[]) source();
JsonFactory instance = null;
out = instance.createParser(in, 0, 0);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.core;JsonFactory;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
char[] in = (char[]) source();
JsonFactory instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.core;JsonFactory;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
byte[] in = (byte[]) source();
JsonFactory instance = null;
out = instance.createParser(in, 0, 0);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.core;JsonFactory;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
byte[] in = (byte[]) source();
JsonFactory instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.core;JsonFactory;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
URL in = (URL) source();
JsonFactory instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.core;JsonFactory;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
String in = (String) source();
JsonFactory instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.core;JsonFactory;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
Reader in = (Reader) source();
JsonFactory instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.core;JsonFactory;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
InputStream in = (InputStream) source();
JsonFactory instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.core;JsonFactory;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
File in = (File) source();
JsonFactory instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.core;JsonFactory;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
DataInput in = (DataInput) source();
JsonFactory instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectMapper;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
char[] in = (char[]) source();
ObjectMapper instance = null;
out = instance.createParser(in, 0, 0);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectMapper;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
char[] in = (char[]) source();
ObjectMapper instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectMapper;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
byte[] in = (byte[]) source();
ObjectMapper instance = null;
out = instance.createParser(in, 0, 0);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectMapper;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
byte[] in = (byte[]) source();
ObjectMapper instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectMapper;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
URL in = (URL) source();
ObjectMapper instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectMapper;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
String in = (String) source();
ObjectMapper instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectMapper;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
Reader in = (Reader) source();
ObjectMapper instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectMapper;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
InputStream in = (InputStream) source();
ObjectMapper instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectMapper;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
File in = (File) source();
ObjectMapper instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectMapper;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
DataInput in = (DataInput) source();
ObjectMapper instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectMapper;true;convertValue;;;Argument[0];ReturnValue;taint"
Object out = null;
Object in = (Object) source();
ObjectMapper instance = null;
out = instance.convertValue(in, (TypeReference) null);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectMapper;true;convertValue;;;Argument[0];ReturnValue;taint"
Object out = null;
Object in = (Object) source();
ObjectMapper instance = null;
out = instance.convertValue(in, (JavaType) null);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectMapper;true;convertValue;;;Argument[0];ReturnValue;taint"
Object out = null;
Object in = (Object) source();
ObjectMapper instance = null;
out = instance.convertValue(in, (Class) null);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectMapper;true;valueToTree;;;Argument[0];ReturnValue;taint"
JsonNode out = null;
Object in = (Object) source();
ObjectMapper instance = null;
out = instance.valueToTree(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectMapper;true;valueToTree;;;MapValue of
// Argument[0];ReturnValue;taint"
JsonNode out = null;
Object in = (Object) newWithMapValue(source());
ObjectMapper instance = null;
out = instance.valueToTree(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectReader;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
char[] in = (char[]) source();
ObjectReader instance = null;
out = instance.createParser(in, 0, 0);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectReader;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
char[] in = (char[]) source();
ObjectReader instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectReader;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
byte[] in = (byte[]) source();
ObjectReader instance = null;
out = instance.createParser(in, 0, 0);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectReader;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
byte[] in = (byte[]) source();
ObjectReader instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectReader;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
URL in = (URL) source();
ObjectReader instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectReader;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
String in = (String) source();
ObjectReader instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectReader;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
Reader in = (Reader) source();
ObjectReader instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectReader;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
InputStream in = (InputStream) source();
ObjectReader instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectReader;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
File in = (File) source();
ObjectReader instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
{
// "com.fasterxml.jackson.databind;ObjectReader;false;createParser;;;Argument[0];ReturnValue;taint"
JsonParser out = null;
DataInput in = (DataInput) source();
ObjectReader instance = null;
out = instance.createParser(in);
sink(out); // $ hasTaintFlow
}
}
}
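Review bot: `newWithMapValue` builds its container with `Map.of(null, element)`, but `Map.of` rejects null keys and null values, and `source()` returns null as well. The helper would therefore throw `NullPointerException` if this file were ever executed rather than only extracted. The Guava test added in the same commit uses a `HashMap` with `m.put(null, element)` for the same job. For consistency I would write `Map<Object, Object> m = new HashMap<>(); m.put(null, element); return m;` (plus a `java.util.HashMap` import), which also removes the dependency on a Java 9+ source level for this stub-based test.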


@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12


@@ -0,0 +1,53 @@
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.ExternalFlow
import semmle.code.java.dataflow.TaintTracking
import TestUtilities.InlineExpectationsTest
class ValueFlowConf extends DataFlow::Configuration {
ValueFlowConf() { this = "qltest:valueFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
}
class TaintFlowConf extends TaintTracking::Configuration {
TaintFlowConf() { this = "qltest:taintFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
}
class HasFlowTest extends InlineExpectationsTest {
HasFlowTest() { this = "HasFlowTest" }
override string getARelevantTag() { result = ["hasValueFlow", "hasTaintFlow"] }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasValueFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
or
tag = "hasTaintFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf |
conf.hasFlow(src, sink) and not any(ValueFlowConf c).hasFlow(src, sink)
|
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}



@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/json-java-20210307


@@ -0,0 +1,52 @@
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import TestUtilities.InlineExpectationsTest
class ValueFlowConf extends DataFlow::Configuration {
ValueFlowConf() { this = "qltest:valueFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
}
class TaintFlowConf extends TaintTracking::Configuration {
TaintFlowConf() { this = "qltest:taintFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
}
class HasFlowTest extends InlineExpectationsTest {
HasFlowTest() { this = "HasFlowTest" }
override string getARelevantTag() { result = ["hasValueFlow", "hasTaintFlow"] }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasValueFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
or
tag = "hasTaintFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf |
conf.hasFlow(src, sink) and not any(ValueFlowConf c).hasFlow(src, sink)
|
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}


@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.10:${testdir}/../../../stubs/akka-2.6.x
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12:${testdir}/../../../stubs/akka-2.6.x



@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../../stubs/javax-servlet-2.5:${testdir}/../../../../stubs/apache-commons-logging-1.2


@@ -0,0 +1,52 @@
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import TestUtilities.InlineExpectationsTest
class ValueFlowConf extends DataFlow::Configuration {
ValueFlowConf() { this = "qltest:valueFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
}
class TaintFlowConf extends TaintTracking::Configuration {
TaintFlowConf() { this = "qltest:taintFlowConf" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("source")
}
override predicate isSink(DataFlow::Node n) {
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
}
}
class HasFlowTest extends InlineExpectationsTest {
HasFlowTest() { this = "HasFlowTest" }
override string getARelevantTag() { result = ["hasValueFlow", "hasTaintFlow"] }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasValueFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
or
tag = "hasTaintFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf |
conf.hasFlow(src, sink) and not any(ValueFlowConf c).hasFlow(src, sink)
|
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}


@@ -0,0 +1,4 @@
---
dependencies: {}
compiled: false
lockVersion: 1.0.0


@@ -1,5 +1,7 @@
name: codeql-java-tests
name: codeql/java-tests
version: 0.0.0
libraryPathDependencies: codeql-java
dependencies:
codeql/java-all: ^0.0.1
codeql/java-queries: ^0.0.1
extractor: java
tests: .


@@ -0,0 +1,264 @@
import java.io.IOException;
import java.util.Hashtable;
import java.util.Properties;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.naming.CompositeName;
import javax.naming.CompoundName;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.Name;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.ldap.InitialLdapContext;
import org.springframework.jndi.JndiTemplate;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.ContextMapper;
import org.springframework.ldap.core.DirContextProcessor;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.NameClassPairCallbackHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class JndiInjectionTest {
@RequestMapping
public void testInitialContextBad1(@RequestParam String nameStr) throws NamingException {
Name name = new CompositeName(nameStr);
InitialContext ctx = new InitialContext();
ctx.lookup(nameStr); // $hasJndiInjection
ctx.lookupLink(nameStr); // $hasJndiInjection
InitialContext.doLookup(nameStr); // $hasJndiInjection
ctx.rename(nameStr, ""); // $hasJndiInjection
ctx.list(nameStr); // $hasJndiInjection
ctx.listBindings(nameStr); // $hasJndiInjection
ctx.lookup(name); // $hasJndiInjection
ctx.lookupLink(name); // $hasJndiInjection
InitialContext.doLookup(name); // $hasJndiInjection
ctx.rename(name, null); // $hasJndiInjection
ctx.list(name); // $hasJndiInjection
ctx.listBindings(name); // $hasJndiInjection
}
@RequestMapping
public void testDirContextBad1(@RequestParam String nameStr) throws NamingException {
Name name = new CompoundName(nameStr, new Properties());
DirContext ctx = new InitialDirContext();
ctx.lookup(nameStr); // $hasJndiInjection
ctx.lookupLink(nameStr); // $hasJndiInjection
ctx.rename(nameStr, ""); // $hasJndiInjection
ctx.list(nameStr); // $hasJndiInjection
ctx.listBindings(nameStr); // $hasJndiInjection
ctx.lookup(name); // $hasJndiInjection
ctx.lookupLink(name); // $hasJndiInjection
ctx.rename(name, null); // $hasJndiInjection
ctx.list(name); // $hasJndiInjection
ctx.listBindings(name); // $hasJndiInjection
SearchControls searchControls = new SearchControls();
searchControls.setReturningObjFlag(true);
ctx.search(nameStr, "", searchControls); // $hasJndiInjection
ctx.search(nameStr, "", new Object[] {}, searchControls); // $hasJndiInjection
SearchControls searchControls2 = new SearchControls(1, 0, 0, null, true, false);
ctx.search(nameStr, "", searchControls2); // $hasJndiInjection
ctx.search(nameStr, "", new Object[] {}, searchControls2); // $hasJndiInjection
SearchControls searchControls3 = new SearchControls(1, 0, 0, null, false, false);
ctx.search(nameStr, "", searchControls3); // Safe
ctx.search(nameStr, "", new Object[] {}, searchControls3); // Safe
}
@RequestMapping
public void testInitialLdapContextBad1(@RequestParam String nameStr) throws NamingException {
Name name = new CompositeName(nameStr);
InitialLdapContext ctx = new InitialLdapContext();
ctx.lookup(nameStr); // $hasJndiInjection
ctx.lookupLink(nameStr); // $hasJndiInjection
ctx.rename(nameStr, ""); // $hasJndiInjection
ctx.list(nameStr); // $hasJndiInjection
ctx.listBindings(nameStr); // $hasJndiInjection
ctx.lookup(name); // $hasJndiInjection
ctx.lookupLink(name); // $hasJndiInjection
ctx.rename(name, null); // $hasJndiInjection
ctx.list(name); // $hasJndiInjection
ctx.listBindings(name); // $hasJndiInjection
}
@RequestMapping
public void testSpringJndiTemplateBad1(@RequestParam String nameStr) throws NamingException {
JndiTemplate ctx = new JndiTemplate();
ctx.lookup(nameStr); // $hasJndiInjection
ctx.lookup(nameStr, null); // $hasJndiInjection
}
@RequestMapping
public void testSpringLdapTemplateBad1(@RequestParam String nameStr) throws NamingException {
LdapTemplate ctx = new LdapTemplate();
Name name = new CompositeName().add(nameStr);
ctx.lookup(nameStr); // $hasJndiInjection
ctx.lookupContext(nameStr); // $hasJndiInjection
ctx.findByDn(name, null); // $hasJndiInjection
ctx.rename(name, null); // $hasJndiInjection
ctx.list(name); // $hasJndiInjection
ctx.listBindings(name); // $hasJndiInjection
ctx.unbind(nameStr, true); // $hasJndiInjection
ctx.search(nameStr, "", 0, true, null); // $hasJndiInjection
ctx.search(nameStr, "", 0, new String[] {}, (ContextMapper<Object>) null); // $hasJndiInjection
ctx.search(nameStr, "", 0, (ContextMapper<Object>) null); // $hasJndiInjection
ctx.search(nameStr, "", (ContextMapper<Object>) null); // $hasJndiInjection
SearchControls searchControls = new SearchControls();
searchControls.setReturningObjFlag(true);
ctx.search(nameStr, "", searchControls, (AttributesMapper<Object>) null); // $hasJndiInjection
ctx.search(nameStr, "", searchControls, (AttributesMapper<Object>) null, // $hasJndiInjection
(DirContextProcessor) null);
ctx.search(nameStr, "", searchControls, (ContextMapper<Object>) null); // $hasJndiInjection
ctx.search(nameStr, "", searchControls, (ContextMapper<Object>) null, // $hasJndiInjection
(DirContextProcessor) null);
ctx.search(nameStr, "", searchControls, (NameClassPairCallbackHandler) null); // $hasJndiInjection
ctx.search(nameStr, "", searchControls, (NameClassPairCallbackHandler) null, // $hasJndiInjection
(DirContextProcessor) null);
SearchControls searchControls2 = new SearchControls(1, 0, 0, null, true, false);
ctx.search(nameStr, "", searchControls2, (AttributesMapper<Object>) null); // $hasJndiInjection
ctx.search(nameStr, "", searchControls2, (AttributesMapper<Object>) null, // $hasJndiInjection
(DirContextProcessor) null);
ctx.search(nameStr, "", searchControls2, (ContextMapper<Object>) null); // $hasJndiInjection
ctx.search(nameStr, "", searchControls2, (ContextMapper<Object>) null, // $hasJndiInjection
(DirContextProcessor) null);
ctx.search(nameStr, "", searchControls2, (NameClassPairCallbackHandler) null); // $hasJndiInjection
ctx.search(nameStr, "", searchControls2, (NameClassPairCallbackHandler) null, // $hasJndiInjection
(DirContextProcessor) null);
SearchControls searchControls3 = new SearchControls(1, 0, 0, null, false, false);
ctx.search(nameStr, "", searchControls3, (AttributesMapper<Object>) null); // Safe
ctx.search(nameStr, "", searchControls3, (AttributesMapper<Object>) null, // Safe
(DirContextProcessor) null);
ctx.search(nameStr, "", searchControls3, (ContextMapper<Object>) null); // Safe
ctx.search(nameStr, "", searchControls3, (ContextMapper<Object>) null, // Safe
(DirContextProcessor) null);
ctx.search(nameStr, "", searchControls3, (NameClassPairCallbackHandler) null); // Safe
ctx.search(nameStr, "", searchControls3, (NameClassPairCallbackHandler) null, // Safe
(DirContextProcessor) null);
ctx.searchForObject(nameStr, "", (ContextMapper<Object>) null); // $hasJndiInjection
}
@RequestMapping
public void testShiroJndiTemplateBad1(@RequestParam String nameStr) throws NamingException {
org.apache.shiro.jndi.JndiTemplate ctx = new org.apache.shiro.jndi.JndiTemplate();
ctx.lookup(nameStr); // $hasJndiInjection
ctx.lookup(nameStr, null); // $hasJndiInjection
}
@RequestMapping
public void testJMXServiceUrlBad1(@RequestParam String urlStr) throws IOException {
JMXConnectorFactory.connect(new JMXServiceURL(urlStr)); // $hasJndiInjection
JMXServiceURL url = new JMXServiceURL(urlStr);
JMXConnector connector = JMXConnectorFactory.newJMXConnector(url, null);
connector.connect(); // $hasJndiInjection
}
@RequestMapping
public void testEnvBad1(@RequestParam String urlStr) throws NamingException {
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
env.put(Context.PROVIDER_URL, urlStr); // $hasJndiInjection
new InitialContext(env);
}
@RequestMapping
public void testEnvBad2(@RequestParam String urlStr) throws NamingException {
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
env.put("java.naming.provider.url", urlStr); // $hasJndiInjection
new InitialDirContext(env);
}
@RequestMapping
public void testSpringJndiTemplatePropertiesBad1(@RequestParam String urlStr)
throws NamingException {
Properties props = new Properties();
props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
props.put(Context.PROVIDER_URL, urlStr); // $hasJndiInjection
new JndiTemplate(props);
}
@RequestMapping
public void testSpringJndiTemplatePropertiesBad2(@RequestParam String urlStr)
throws NamingException {
Properties props = new Properties();
props.setProperty(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.rmi.registry.RegistryContextFactory");
props.setProperty("java.naming.provider.url", urlStr); // $hasJndiInjection
new JndiTemplate(props);
}
@RequestMapping
public void testSpringJndiTemplatePropertiesBad3(@RequestParam String urlStr)
throws NamingException {
Properties props = new Properties();
props.setProperty(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.rmi.registry.RegistryContextFactory");
props.setProperty("java.naming.provider.url", urlStr); // $hasJndiInjection
JndiTemplate template = new JndiTemplate();
template.setEnvironment(props);
}
@RequestMapping
public void testSpringLdapTemplateOk1(@RequestParam String nameStr) throws NamingException {
LdapTemplate ctx = new LdapTemplate();
ctx.unbind(nameStr); // Safe
ctx.unbind(nameStr, false); // Safe
ctx.search(nameStr, "", 0, false, null); // Safe
ctx.search(nameStr, "", new SearchControls(), (NameClassPairCallbackHandler) new Object()); // Safe
ctx.search(nameStr, "", new SearchControls(), (NameClassPairCallbackHandler) new Object(), // Safe
null);
ctx.search(nameStr, "", (NameClassPairCallbackHandler) new Object()); // Safe
ctx.search(nameStr, "", 0, new String[] {}, (AttributesMapper<Object>) new Object()); // Safe
ctx.search(nameStr, "", 0, (AttributesMapper<Object>) new Object()); // Safe
ctx.search(nameStr, "", (AttributesMapper) new Object()); // Safe
ctx.search(nameStr, "", new SearchControls(), (ContextMapper) new Object()); // Safe
ctx.search(nameStr, "", new SearchControls(), (AttributesMapper) new Object()); // Safe
ctx.search(nameStr, "", new SearchControls(), (ContextMapper) new Object(), null); // Safe
ctx.search(nameStr, "", new SearchControls(), (AttributesMapper) new Object(), null); // Safe
ctx.searchForObject(nameStr, "", new SearchControls(), (ContextMapper) new Object()); // Safe
}
@RequestMapping
public void testEnvOk1(@RequestParam String urlStr) throws NamingException {
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
env.put(Context.SECURITY_PRINCIPAL, urlStr); // Safe
new InitialContext(env);
}
@RequestMapping
public void testEnvOk2(@RequestParam String urlStr) throws NamingException {
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
env.put("java.naming.security.principal", urlStr); // Safe
new InitialContext(env);
}
}


@@ -0,0 +1,20 @@
import java
import semmle.code.java.security.JndiInjectionQuery
import TestUtilities.InlineExpectationsTest
class HasJndiInjectionTest extends InlineExpectationsTest {
HasJndiInjectionTest() { this = "HasJndiInjectionTest" }
override string getARelevantTag() { result = "hasJndiInjection" }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasJndiInjection" and
exists(DataFlow::Node src, DataFlow::Node sink, JndiInjectionFlowConfig conf |
conf.hasFlow(src, sink)
|
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}
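Review bot: In `hasActualResult` the variable `src` is bound only so it can be passed to `conf.hasFlow(src, sink)` and is never constrained or reported, so the quantifier can drop it: `exists(DataFlow::Node sink, JndiInjectionFlowConfig conf | conf.hasFlow(_, sink) | …)`. The same pattern is repeated in HasGroovyInjectionTest and HasMissingJwtSignatureCheckTest later in this commit. A one-line QLDoc comment on the class, saying that it reports every sink reached by the configuration under the `hasJndiInjection` tag, would help a reader who has not met inline-expectation tests before.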


@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/shiro-core-1.5.2:${testdir}/../../../stubs/spring-ldap-2.3.2


@@ -37,18 +37,18 @@ public class JaxXSS {
else {
if(chainDirectly) {
if(contentTypeFirst)
return builder.type(MediaType.APPLICATION_JSON).entity(userControlled).build(); // $SPURIOUS: xss
return builder.type(MediaType.APPLICATION_JSON).entity(userControlled).build();
else
return builder.entity(userControlled).type(MediaType.APPLICATION_JSON).build(); // $SPURIOUS: xss
return builder.entity(userControlled).type(MediaType.APPLICATION_JSON).build();
}
else {
if(contentTypeFirst) {
Response.ResponseBuilder builder2 = builder.type(MediaType.APPLICATION_JSON);
return builder2.entity(userControlled).build(); // $SPURIOUS: xss
return builder2.entity(userControlled).build();
}
else {
Response.ResponseBuilder builder2 = builder.entity(userControlled);
return builder2.type(MediaType.APPLICATION_JSON).build(); // $SPURIOUS: xss
return builder2.type(MediaType.APPLICATION_JSON).build();
}
}
}
@@ -63,39 +63,43 @@ public class JaxXSS {
if(safeContentType) {
if(route == 0) {
// via ok, as a string literal:
return Response.ok(userControlled, "application/json").build(); // $SPURIOUS: xss
return Response.ok(userControlled, "application/json").build();
}
else if(route == 1) {
// via ok, as a string constant:
return Response.ok(userControlled, MediaType.APPLICATION_JSON).build(); // $SPURIOUS: xss
return Response.ok(userControlled, MediaType.APPLICATION_JSON).build();
}
else if(route == 2) {
// via ok, as a MediaType constant:
return Response.ok(userControlled, MediaType.APPLICATION_JSON_TYPE).build(); // $SPURIOUS: xss
return Response.ok(userControlled, MediaType.APPLICATION_JSON_TYPE).build();
}
else if(route == 3) {
// via ok, as a Variant, via constructor:
return Response.ok(userControlled, new Variant(MediaType.APPLICATION_JSON_TYPE, "language", "encoding")).build(); // $SPURIOUS: xss
return Response.ok(userControlled, new Variant(MediaType.APPLICATION_JSON_TYPE, "language", "encoding")).build();
}
else if(route == 4) {
// via ok, as a Variant, via static method:
return Response.ok(userControlled, Variant.mediaTypes(MediaType.APPLICATION_JSON_TYPE).build().get(0)).build(); // $SPURIOUS: xss
return Response.ok(userControlled, Variant.mediaTypes(MediaType.APPLICATION_JSON_TYPE).build().get(0)).build();
}
else if(route == -4) {
// via ok, as a Variant, via static method (testing multiple media types):
return Response.ok(userControlled, Variant.mediaTypes(MediaType.APPLICATION_JSON_TYPE, MediaType.APPLICATION_OCTET_STREAM_TYPE).build().get(0)).build();
}
else if(route == 5) {
// via ok, as a Variant, via instance method:
return Response.ok(userControlled, Variant.languages(Locale.UK).mediaTypes(MediaType.APPLICATION_JSON_TYPE).build().get(0)).build(); // $SPURIOUS: xss
return Response.ok(userControlled, Variant.languages(Locale.UK).mediaTypes(MediaType.APPLICATION_JSON_TYPE).build().get(0)).build();
}
else if(route == 6) {
// via builder variant, before entity:
return Response.ok().variant(new Variant(MediaType.APPLICATION_JSON_TYPE, "language", "encoding")).entity(userControlled).build(); // $SPURIOUS: xss
return Response.ok().variant(new Variant(MediaType.APPLICATION_JSON_TYPE, "language", "encoding")).entity(userControlled).build();
}
else if(route == 7) {
// via builder variant, after entity:
return Response.ok().entity(userControlled).variant(new Variant(MediaType.APPLICATION_JSON_TYPE, "language", "encoding")).build(); // $SPURIOUS: xss
return Response.ok().entity(userControlled).variant(new Variant(MediaType.APPLICATION_JSON_TYPE, "language", "encoding")).build();
}
else if(route == 8) {
// provide entity via ok, then content-type via builder:
return Response.ok(userControlled).type(MediaType.APPLICATION_JSON_TYPE).build(); // $SPURIOUS: xss
return Response.ok(userControlled).type(MediaType.APPLICATION_JSON_TYPE).build();
}
}
else {
@@ -158,27 +162,27 @@ public class JaxXSS {
@GET @Produces(MediaType.TEXT_HTML)
public static Response methodContentTypeUnsafe(String userControlled) {
return Response.ok(userControlled).build(); // $MISSING: xss
return Response.ok(userControlled).build(); // $xss
}
@POST @Produces(MediaType.TEXT_HTML)
public static Response methodContentTypeUnsafePost(String userControlled) {
return Response.ok(userControlled).build(); // $MISSING: xss
return Response.ok(userControlled).build(); // $xss
}
@GET @Produces("text/html")
public static Response methodContentTypeUnsafeStringLiteral(String userControlled) {
return Response.ok(userControlled).build(); // $MISSING: xss
return Response.ok(userControlled).build(); // $xss
}
@GET @Produces({MediaType.TEXT_HTML, MediaType.APPLICATION_JSON})
public static Response methodContentTypeMaybeSafe(String userControlled) {
return Response.ok(userControlled).build(); // $MISSING: xss
return Response.ok(userControlled).build(); // $xss
}
@GET @Produces(MediaType.APPLICATION_JSON)
public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) {
return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $MISSING: xss
return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $xss
}
@GET @Produces(MediaType.TEXT_HTML)
@@ -201,12 +205,12 @@ public class JaxXSS {
@GET @Produces({"text/html"})
public Response overridesWithUnsafe(String userControlled) {
return Response.ok(userControlled).build(); // $MISSING: xss
return Response.ok(userControlled).build(); // $xss
}
@GET
public Response overridesWithUnsafe2(String userControlled) {
return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $MISSING: xss
return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $xss
}
}
@@ -215,12 +219,12 @@ public class JaxXSS {
public static class ClassContentTypeUnsafe {
@GET
public Response test(String userControlled) {
return Response.ok(userControlled).build(); // $MISSING: xss
return Response.ok(userControlled).build(); // $xss
}
@GET
public String testDirectReturn(String userControlled) {
return userControlled; // $MISSING: xss
return userControlled; // $xss
}
@GET @Produces({"application/json"})


@@ -5,6 +5,7 @@ import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.util.HtmlUtils;
import java.util.Optional;
@@ -157,4 +158,9 @@ public class SpringXSS {
return userControlled; // $xss
}
}
@GetMapping(value = "/abc")
public static String sanitizedString(String userControlled) {
return HtmlUtils.htmlEscape(userControlled);
}
}
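Review bot: `sanitizedString` is the only sanitizer case in this file and its return line has no expectation comment, so a reader cannot tell that the absent `$xss` tag is deliberate; `return HtmlUtils.htmlEscape(userControlled); // Safe: HTML-escaped` would make that explicit. A negative counterpart is worth adding, because the same class has a method that undoes the escaping: `return HtmlUtils.htmlUnescape(userControlled); // $xss` checks that the sanitizer model matches the `htmlEscape*` methods only and not everything on `HtmlUtils`. How the sanitizer is modelled is not visible on this page, so this is a guard against over-matching rather than a known gap.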

View File

@@ -0,0 +1,55 @@
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import groovy.lang.GroovyClassLoader;
import groovy.lang.GroovyCodeSource;
public class GroovyClassLoaderTest extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource);;Argument[0];groovy",
{
String script = request.getParameter("script");
final GroovyClassLoader classLoader = new GroovyClassLoader();
GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
classLoader.parseClass(gcs); // $hasGroovyInjection
}
// "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource,boolean);;Argument[0];groovy",
{
String script = request.getParameter("script");
final GroovyClassLoader classLoader = new GroovyClassLoader();
GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
classLoader.parseClass(gcs, true); // $hasGroovyInjection
}
// "groovy.lang;GroovyClassLoader;false;parseClass;(InputStream,String);;Argument[0];groovy",
{
String script = request.getParameter("script");
final GroovyClassLoader classLoader = new GroovyClassLoader();
classLoader.parseClass(new ByteArrayInputStream(script.getBytes()), "test"); // $hasGroovyInjection
}
// "groovy.lang;GroovyClassLoader;false;parseClass;(Reader,String);;Argument[0];groovy",
{
String script = request.getParameter("script");
final GroovyClassLoader classLoader = new GroovyClassLoader();
classLoader.parseClass(new StringReader(script), "test"); // $hasGroovyInjection
}
// "groovy.lang;GroovyClassLoader;false;parseClass;(String);;Argument[0];groovy",
{
String script = request.getParameter("script");
final GroovyClassLoader classLoader = new GroovyClassLoader();
classLoader.parseClass(script); // $hasGroovyInjection
}
// "groovy.lang;GroovyClassLoader;false;parseClass;(String,String);;Argument[0];groovy",
{
String script = request.getParameter("script");
final GroovyClassLoader classLoader = new GroovyClassLoader();
classLoader.parseClass(script, "test"); // $hasGroovyInjection
}
}
}
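Review bot: Every block in `doGet` is a positive case, so nothing in this file pins the `Argument[0]` part of the sink models quoted in the comments. For the two-argument overloads a tainted second argument should stay unflagged, for example `classLoader.parseClass("1 + 1", request.getParameter("script")); // Safe`, in the way GroovyCompilationUnitTest does with its tainted-name blocks. GroovyEvalTest and GroovyShellTest in this commit are positive-only as well and would benefit from the same kind of case. Separately, `script.getBytes()` in the `InputStream` block uses the platform charset; `getBytes(StandardCharsets.UTF_8)` keeps the test independent of the machine it runs on.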

View File

@@ -0,0 +1,97 @@
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URL;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.codehaus.groovy.control.CompilationUnit;
import org.codehaus.groovy.control.SourceUnit;
import org.codehaus.groovy.control.io.ReaderSource;
import org.codehaus.groovy.control.io.StringReaderSource;
import org.codehaus.groovy.tools.javac.JavaAwareCompilationUnit;
import org.codehaus.groovy.tools.javac.JavaStubCompilationUnit;
public class GroovyCompilationUnitTest extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// "org.codehaus.groovy.control;CompilationUnit;false;compile;;;Argument[-1];groovy"
{
CompilationUnit cu = new CompilationUnit();
cu.addSource("test", request.getParameter("source"));
cu.compile(); // $hasGroovyInjection
}
{
CompilationUnit cu = new CompilationUnit();
cu.addSource(request.getParameter("source"), "safe");
cu.compile(); // Safe
}
{
CompilationUnit cu = new CompilationUnit();
cu.addSource("test",
new ByteArrayInputStream(request.getParameter("source").getBytes()));
cu.compile(); // $hasGroovyInjection
}
{
CompilationUnit cu = new CompilationUnit();
cu.addSource(new URL(request.getParameter("source")));
cu.compile(); // $hasGroovyInjection
}
{
CompilationUnit cu = new CompilationUnit();
SourceUnit su =
new SourceUnit("test", request.getParameter("source"), null, null, null);
cu.addSource(su);
cu.compile(); // $hasGroovyInjection
}
{
CompilationUnit cu = new CompilationUnit();
SourceUnit su =
new SourceUnit(request.getParameter("source"), "safe", null, null, null);
cu.addSource(su);
cu.compile(); // Safe
}
{
CompilationUnit cu = new CompilationUnit();
StringReaderSource rs = new StringReaderSource(request.getParameter("source"), null);
SourceUnit su = new SourceUnit("test", rs, null, null, null);
cu.addSource(su);
cu.compile(); // $hasGroovyInjection
}
{
CompilationUnit cu = new CompilationUnit();
SourceUnit su =
new SourceUnit(new URL(request.getParameter("source")), null, null, null);
cu.addSource(su);
cu.compile(); // $hasGroovyInjection
}
{
CompilationUnit cu = new CompilationUnit();
SourceUnit su = SourceUnit.create("test", request.getParameter("source"));
cu.addSource(su);
cu.compile(); // $hasGroovyInjection
}
{
CompilationUnit cu = new CompilationUnit();
SourceUnit su = SourceUnit.create("test", request.getParameter("source"), 0);
cu.addSource(su);
cu.compile(); // $hasGroovyInjection
}
{
CompilationUnit cu = new CompilationUnit();
SourceUnit su = SourceUnit.create(request.getParameter("source"), "safe", 0);
cu.addSource(su);
cu.compile(); // Safe
}
{
JavaAwareCompilationUnit cu = new JavaAwareCompilationUnit();
cu.addSource("test", request.getParameter("source"));
cu.compile(); // $hasGroovyInjection
}
{
JavaStubCompilationUnit cu = new JavaStubCompilationUnit(null, null);
cu.addSource("test", request.getParameter("source"));
cu.compile(); // Safe - JavaStubCompilationUnit only creates stubs
}
}
}
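Review bot: The sink model quoted at the top of `doGet` has an empty signature, which matches every `compile` overload, yet only the no-argument `compile()` is called in all thirteen blocks. One block that goes through the `compile(int)` overload with a tainted source, tagged `// $hasGroovyInjection`, would cover that; whether the stub declares it cannot be seen from this page. Only the first block has a comment, so a short line above each of the others naming the propagation step it exercises (`addSource(String, InputStream)`, `SourceUnit.create`, `StringReaderSource`, and so on) would make a failing expectation much quicker to place.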


@@ -0,0 +1,40 @@
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import groovy.util.Eval;
public class GroovyEvalTest extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// "groovy.util;Eval;false;me;(String);;Argument[0];groovy",
{
String script = request.getParameter("script");
Eval.me(script); // $hasGroovyInjection
}
// "groovy.util;Eval;false;me;(String,Object,String);;Argument[2];groovy",
{
String script = request.getParameter("script");
Eval.me("test", "result", script); // $hasGroovyInjection
}
// "groovy.util;Eval;false;x;(Object,String);;Argument[1];groovy",
{
String script = request.getParameter("script");
Eval.x("result2", script); // $hasGroovyInjection
}
// "groovy.util;Eval;false;xy;(Object,Object,String);;Argument[2];groovy",
{
String script = request.getParameter("script");
Eval.xy("result3", "result4", script); // $hasGroovyInjection
}
// "groovy.util;Eval;false;xyz;(Object,Object,Object,String);;Argument[3];groovy",
{
String script = request.getParameter("script");
Eval.xyz("result3", "result4", "aaa", script); // $hasGroovyInjection
}
}
}


@@ -0,0 +1,22 @@
import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.GroovyInjectionQuery
import TestUtilities.InlineExpectationsTest
class HasGroovyInjectionTest extends InlineExpectationsTest {
HasGroovyInjectionTest() { this = "HasGroovyInjectionTest" }
override string getARelevantTag() { result = "hasGroovyInjection" }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasGroovyInjection" and
exists(DataFlow::Node src, DataFlow::Node sink, GroovyInjectionConfig conf |
conf.hasFlow(src, sink)
|
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}
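Review bot: `semmle.code.java.dataflow.TaintTracking` and `semmle.code.java.dataflow.FlowSources` are imported here, but the class body names only `DataFlow::Node` and `GroovyInjectionConfig`, and the sibling JNDI and JWT tests in this commit import the query library alone. If `GroovyInjectionQuery` already brings `DataFlow` into scope, which cannot be confirmed from this page, the two imports can be dropped so the three test classes stay parallel.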


@@ -0,0 +1,154 @@
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import groovy.lang.GroovyCodeSource;
import groovy.lang.GroovyShell;
public class GroovyShellTest extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// "groovy.lang;GroovyShell;false;evaluate;(GroovyCodeSource);;Argument[0];groovy",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
shell.evaluate(gcs); // $hasGroovyInjection
}
// "groovy.lang;GroovyShell;false;evaluate;(Reader);;Argument[0];groovy",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
Reader reader = new StringReader(script);
shell.evaluate(reader); // $hasGroovyInjection
}
// "groovy.lang;GroovyShell;false;evaluate;(Reader,String);;Argument[0];groovy",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
Reader reader = new StringReader(script);
shell.evaluate(reader, "_"); // $hasGroovyInjection
}
// "groovy.lang;GroovyShell;false;evaluate;(String);;Argument[0];groovy",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
shell.evaluate(script); // $hasGroovyInjection
}
// "groovy.lang;GroovyShell;false;evaluate;(String,String);;Argument[0];groovy",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
shell.evaluate(script, "test"); // $hasGroovyInjection
}
// "groovy.lang;GroovyShell;false;evaluate;(String,String,String);;Argument[0];groovy",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
shell.evaluate(script, "test", "test2"); // $hasGroovyInjection
}
// "groovy.lang;GroovyShell;false;evaluate;(URI);;Argument[0];groovy",
try {
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
shell.parse(new URI(script)); // $hasGroovyInjection
} catch (URISyntaxException e) {
}
// "groovy.lang;GroovyShell;false;parse;(Reader);;Argument[0];groovy",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
Reader reader = new StringReader(script);
shell.parse(reader); // $hasGroovyInjection
}
// "groovy.lang;GroovyShell;false;parse;(Reader,String);;Argument[0];groovy",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
Reader reader = new StringReader(script);
shell.parse(reader, "_"); // $hasGroovyInjection
}
// "groovy.lang;GroovyShell;false;parse;(String);;Argument[0];groovy",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
shell.parse(script); // $hasGroovyInjection
}
// "groovy.lang;GroovyShell;false;parse;(String,String);;Argument[0];groovy",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
shell.parse(script, "_"); // $hasGroovyInjection
}
// "groovy.lang;GroovyShell;false;parse;(URI);;Argument[0];groovy",
try {
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
shell.parse(new URI(script)); // $hasGroovyInjection
} catch (URISyntaxException e) {
}
// "groovy.lang;GroovyShell;false;run;(GroovyCodeSource,String[]);;Argument[0];groovy",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
shell.run(gcs, new String[] {}); // $hasGroovyInjection
}
// "groovy.lang;GroovyShell;false;run;(GroovyCodeSource,List);;Argument[0];groovy",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
shell.run(gcs, new ArrayList<String>()); // $hasGroovyInjection
}
// "groovy.lang;GroovyShell;false;run;(Reader,String,String[]);;Argument[0];groovy",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
Reader reader = new StringReader(script);
shell.run(reader, "test", new String[] {}); // $hasGroovyInjection
}
// "groovy.lang;GroovyShell;false;run;(Reader,String,List);;Argument[0];groovy",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
Reader reader = new StringReader(script);
shell.run(reader, "test", new ArrayList<String>()); // $hasGroovyInjection
}
// "groovy.lang;GroovyShell;false;run;(String,String,String[]);;Argument[0];groovy",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
shell.run(script, "_", new String[] {}); // $hasGroovyInjection
}
// "groovy.lang;GroovyShell;false;run;(String,String,List);;Argument[0];groovy",
{
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
shell.run(script, "_", new ArrayList<String>()); // $hasGroovyInjection
}
// "groovy.lang;GroovyShell;false;run;(URI,String[]);;Argument[0];groovy",
try {
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
shell.run(new URI(script), new String[] {}); // $hasGroovyInjection
} catch (URISyntaxException e) {
}
// "groovy.lang;GroovyShell;false;run;(URI,List);;Argument[0];groovy",
try {
GroovyShell shell = new GroovyShell();
String script = request.getParameter("script");
shell.run(new URI(script), new ArrayList<String>()); // $hasGroovyInjection
} catch (URISyntaxException e) {
}
}
}
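Review bot: The block commented `evaluate;(URI)` calls `shell.parse(new URI(script))`, so the `evaluate(URI)` sink is never exercised and `parse(URI)` is tested twice (it appears again under the `parse;(URI)` comment). The call should be `shell.evaluate(new URI(script)); // $hasGroovyInjection`. The empty `catch (URISyntaxException e) { }` blocks in the four URI cases would read better with the variable named `ignored` and a comment that the exception is irrelevant to the flow under test.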


@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../stubs/apache-commons-logging-1.2:${testdir}/../../../stubs/mvel2-2.4.7:${testdir}/../../../stubs/scriptengine:${testdir}/../../../stubs/jsr223-api
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../stubs/apache-commons-logging-1.2:${testdir}/../../../stubs/mvel2-2.4.7:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/scriptengine:${testdir}/../../../stubs/jsr223-api


@@ -1,10 +1,15 @@
edges
| HttpsUrlsTest.java:23:23:23:31 | "http://" : String | HttpsUrlsTest.java:24:21:24:56 | ... + ... : String |
| HttpsUrlsTest.java:23:23:23:31 | "http://" : String | HttpsUrlsTest.java:28:50:28:50 | u |
| HttpsUrlsTest.java:24:13:24:57 | new URL(...) : URL | HttpsUrlsTest.java:28:50:28:50 | u |
| HttpsUrlsTest.java:24:21:24:56 | ... + ... : String | HttpsUrlsTest.java:24:13:24:57 | new URL(...) : URL |
| HttpsUrlsTest.java:36:23:36:28 | "http" : String | HttpsUrlsTest.java:41:50:41:50 | u |
| HttpsUrlsTest.java:49:23:49:31 | "http://" : String | HttpsUrlsTest.java:55:50:55:50 | u |
| HttpsUrlsTest.java:87:23:87:28 | "http" : String | HttpsUrlsTest.java:92:50:92:50 | u |
nodes
| HttpsUrlsTest.java:23:23:23:31 | "http://" : String | semmle.label | "http://" : String |
| HttpsUrlsTest.java:24:13:24:57 | new URL(...) : URL | semmle.label | new URL(...) : URL |
| HttpsUrlsTest.java:24:21:24:56 | ... + ... : String | semmle.label | ... + ... : String |
| HttpsUrlsTest.java:28:50:28:50 | u | semmle.label | u |
| HttpsUrlsTest.java:36:23:36:28 | "http" : String | semmle.label | "http" : String |
| HttpsUrlsTest.java:41:50:41:50 | u | semmle.label | u |


@@ -1,18 +1,13 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jwtk-jjwt-0.11.2
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Header;
import io.jsonwebtoken.JwtParserBuilder;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.JwtHandlerAdapter;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.impl.DefaultJwtParser;
import io.jsonwebtoken.impl.DefaultJwtParserBuilder;
public class MissingJWTSignatureCheck {
// SIGNED
public class MissingJWTSignatureCheckTest {
private JwtParser getASignedParser() {
return Jwts.parser().setSigningKey("someBase64EncodedKey");
@@ -46,10 +41,6 @@ public class MissingJWTSignatureCheck {
goodJwtHandler(parser3, "");
}
// SIGNED END
// UNSIGNED
private JwtParser getAnUnsignedParser() {
return Jwts.parser();
}
@@ -84,81 +75,67 @@ public class MissingJWTSignatureCheck {
private void signParserAfterParseCall() {
JwtParser parser = getAnUnsignedParser();
parser.parse(""); // Should not be detected
parser.parse(""); // Safe
parser.setSigningKey("someBase64EncodedKey");
}
// UNSIGNED END
// INDIRECT
private void badJwtOnParserBuilder(JwtParser parser, String token) {
parser.parse(token); // BAD: Does not verify the signature
parser.parse(token); // $hasMissingJwtSignatureCheck
}
private void badJwtHandlerOnParserBuilder(JwtParser parser, String token) {
parser.parse(token, new JwtHandlerAdapter<Jwt<Header, String>>() { // BAD: The handler is called on an unverified JWT
@Override
public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
return jwt;
}
});
parser.parse(token, new JwtHandlerAdapter<Jwt<Header, String>>() { // $hasMissingJwtSignatureCheck
@Override
public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
return jwt;
}
});
}
private void goodJwtOnParserBuilder(JwtParser parser, String token) {
parser.parseClaimsJws(token) // GOOD: Verify the signature
.getBody();
parser.parseClaimsJws(token) // Safe
.getBody();
}
private void goodJwtHandler(JwtParser parser, String token) {
parser.parse(token, new JwtHandlerAdapter<Jws<String>>() { // GOOD: The handler is called on a verified JWS
@Override
public Jws<String> onPlaintextJws(Jws<String> jws) {
return jws;
}
});
parser.parse(token, new JwtHandlerAdapter<Jws<String>>() { // Safe
@Override
public Jws<String> onPlaintextJws(Jws<String> jws) {
return jws;
}
});
}
// INDIRECT END
// DIRECT
private void badJwtOnParserBuilder(String token) {
Jwts.parserBuilder()
.setSigningKey("someBase64EncodedKey").build()
.parse(token); // BAD: Does not verify the signature
Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $hasMissingJwtSignatureCheck
}
private void badJwtOnDefaultParserBuilder(String token) {
new DefaultJwtParserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $hasMissingJwtSignatureCheck
}
private void badJwtHandlerOnParser(String token) {
Jwts.parser()
.setSigningKey("someBase64EncodedKey")
.parse(token, new JwtHandlerAdapter<Jwt<Header, String>>() { // BAD: The handler is called on an unverified JWT
@Override
public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
return jwt;
}
});
Jwts.parser().setSigningKey("someBase64EncodedKey").parse(token, // $hasMissingJwtSignatureCheck
new JwtHandlerAdapter<Jwt<Header, String>>() {
@Override
public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
return jwt;
}
});
}
private void goodJwtOnParser(String token) {
Jwts.parser()
.setSigningKey("someBase64EncodedKey")
.parseClaimsJws(token) // GOOD: Verify the signature
.getBody();
Jwts.parser().setSigningKey("someBase64EncodedKey").parseClaimsJws(token) // Safe
.getBody();
}
private void goodJwtHandlerOnParserBuilder(String token) {
Jwts.parserBuilder()
.setSigningKey("someBase64EncodedKey").build()
.parse(token, new JwtHandlerAdapter<Jws<String>>() { // GOOD: The handler is called on a verified JWS
@Override
public Jws<String> onPlaintextJws(Jws<String> jws) {
return jws;
}
});
Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token, // Safe
new JwtHandlerAdapter<Jws<String>>() {
@Override
public Jws<String> onPlaintextJws(Jws<String> jws) {
return jws;
}
});
}
// DIRECT END
}
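Review bot: The expectation tags on the bad cases state that `parse(token)` is flagged but no longer state why. The wording `Does not verify the signature` and `The handler is called on an unverified JWT` printed next to the same calls looks like the removed side, though the rendering has lost the +/- column so this is inferred. Keeping the reason as a comment line above each bad call, for example `// parse() accepts an unsigned JWT even when a signing key is set; parseClaimsJws() rejects it`, preserves what the test teaches about the API. `signParserAfterParseCall` likewise ends up with a bare `// Safe`; a note that the key is only set after the parse call would explain why no alert is expected there.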


@@ -0,0 +1,20 @@
import java
import semmle.code.java.security.MissingJWTSignatureCheckQuery
import TestUtilities.InlineExpectationsTest
class HasMissingJwtSignatureCheckTest extends InlineExpectationsTest {
HasMissingJwtSignatureCheckTest() { this = "HasMissingJwtSignatureCheckTest" }
override string getARelevantTag() { result = "hasMissingJwtSignatureCheck" }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasMissingJwtSignatureCheck" and
exists(DataFlow::Node source, DataFlow::Node sink, MissingJwtSignatureCheckConf conf |
conf.hasFlow(source, sink)
|
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}


@@ -0,0 +1 @@
semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jwtk-jjwt-0.11.2


@@ -0,0 +1,121 @@
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.json.JSONObject;
import org.jabsorb.JSONSerializer;
import org.jabsorb.serializer.SerializerState;
import org.jabsorb.serializer.ObjectMatch;
import com.example.User;
import com.thirdparty.Person;
public class JabsorbServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
@Override
// GOOD: final class type specified
public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String json = req.getParameter("json");
String clazz = req.getParameter("class");
try {
Object jsonObject = new JSONObject(json);
JSONSerializer serializer = new JSONSerializer();
serializer.registerDefaultSerializers();
serializer.setMarshallClassHints(true);
serializer.setMarshallNullAttributes(true);
SerializerState state = new SerializerState();
User user = (User) serializer.unmarshall(state, User.class, jsonObject);
} catch (Exception e) {
throw new IOException(e.getMessage());
}
}
// GOOD: concrete class type specified even if it has vulnerable subclasses
public void doHead(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String json = req.getParameter("json");
String clazz = req.getParameter("class");
try {
Object jsonObject = new JSONObject(json);
JSONSerializer serializer = new JSONSerializer();
serializer.registerDefaultSerializers();
serializer.setMarshallClassHints(true);
serializer.setMarshallNullAttributes(true);
SerializerState state = new SerializerState();
Person person = (Person) serializer.unmarshall(state, Person.class, jsonObject);
} catch (Exception e) {
throw new IOException(e.getMessage());
}
}
@Override
// GOOD: try unmarshall but doesn't actually marshall the object
public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String json = req.getParameter("json");
String clazz = req.getParameter("class");
try {
Object jsonObject = new JSONObject(json);
JSONSerializer serializer = new JSONSerializer();
serializer.registerDefaultSerializers();
serializer.setMarshallClassHints(true);
serializer.setMarshallNullAttributes(true);
SerializerState state = new SerializerState();
ObjectMatch objMatch = serializer.tryUnmarshall(state, Class.forName(clazz), jsonObject);
User obj = new User();
boolean result = objMatch.equals(obj);
} catch (Exception e) {
throw new IOException(e.getMessage());
}
}
@Override
// BAD: allow class name to be controlled by remote source
public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String json = req.getParameter("json");
String clazz = req.getParameter("class");
try {
Object jsonObject = new JSONObject(json);
JSONSerializer serializer = new JSONSerializer();
serializer.registerDefaultSerializers();
serializer.setMarshallClassHints(true);
serializer.setMarshallNullAttributes(true);
SerializerState state = new SerializerState();
User user = (User) serializer.unmarshall(state, Class.forName(clazz), jsonObject); // $unsafeDeserialization
} catch (Exception e) {
throw new IOException(e.getMessage());
}
}
// BAD: allow explicit class type controlled by remote source in the format of "json={\"javaClass\":\"com.thirdparty.Attacker\", ...}"
public void doPut2(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String json = req.getParameter("json");
try {
JSONSerializer serializer = new JSONSerializer();
serializer.registerDefaultSerializers();
User user = (User) serializer.fromJSON(json); // $unsafeDeserialization
} catch (Exception e) {
throw new IOException(e.getMessage());
}
}
}
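Review bot: The `// GOOD` label on `doPost` covers only the deserialization sink: the method still passes the `class` request parameter straight to `Class.forName(clazz)`, which loads and initialises a class named by the caller. I would make the comment say so, e.g. `// GOOD (for this query): tryUnmarshall does not build the object; Class.forName(clazz) on request data is out of scope here`. Separately, every handler rethrows with `new IOException(e.getMessage())`, which drops the cause; `throw new IOException(e);` keeps it.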


@@ -0,0 +1,102 @@
import java.io.IOException;
import java.io.Reader;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import jodd.json.JsonParser;
import com.example.User;
import com.thirdparty.Person;
public class JoddJsonServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
@Override
// GOOD: class type specified (despite a dangerous configuration)
public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String json = req.getParameter("json");
String clazz = req.getParameter("class");
JsonParser parser = new JsonParser();
parser.setClassMetadataName("class");
Person person = parser.parse(json, Person.class);
}
@Override
// BAD: dangerously configured parser with no class restriction passed to `parse`,
// using a few different possible call sequences.
public void doHead(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String json = req.getParameter("json");
String clazz = req.getParameter("class");
int callOrder;
try {
callOrder = Integer.parseInt(req.getParameter("callOrder"));
}
catch(NumberFormatException e) {
throw new RuntimeException(e);
}
JsonParser parser = new JsonParser();
if(callOrder == 0) {
parser.setClassMetadataName("class");
User obj = parser.parse(json, null); // $unsafeDeserialization
} else if(callOrder == 1) {
parser.setClassMetadataName("class").parse(json, null); // $unsafeDeserialization
} else if(callOrder == 2) {
parser.setClassMetadataName("class").lazy(true).parse(json, null); // $unsafeDeserialization
} else if(callOrder == 3) {
parser.withClassMetadata(true).lazy(true).parse(json, null); // $unsafeDeserialization
}
}
@Override
// BAD: allow class name to be controlled by remote source
public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String json = req.getParameter("json");
String clazz = req.getParameter("class");
try {
JsonParser parser = new JsonParser();
Object obj = parser.parse(json, Class.forName(clazz)); // $unsafeDeserialization
} catch (ClassNotFoundException cne) {
throw new IOException(cne.getMessage());
}
}
@Override
// GOOD: dangerously configured parser is ameliorated by setting a list of allowed classes, using various call orders,
// or by explicitly disabling the class metadata option.
public void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String json = req.getParameter("json");
String clazz = req.getParameter("class");
int callOrder;
try {
callOrder = Integer.parseInt(req.getParameter("callOrder"));
}
catch(NumberFormatException e) {
throw new RuntimeException(e);
}
JsonParser parser = new JsonParser();
if(callOrder == 0) {
parser.setClassMetadataName("class");
parser.allowClass("example.Class");
User obj = parser.parse(json, null);
} else if(callOrder == 1) {
parser.allowClass("example.Class");
parser.setClassMetadataName("class");
User obj = parser.parse(json, null);
} else if(callOrder == 2) {
parser.setClassMetadataName("class").allowClass("example.Class").parse(json, null);
} else if(callOrder == 3) {
parser.allowClass("example.Class").setClassMetadataName("class").parse(json, null);
} else if(callOrder == 4) {
parser.setClassMetadataName("class").withClassMetadata(false).parse(json, null);
} else if(callOrder == 5) {
parser.withClassMetadata(true).setClassMetadataName(null).parse(json, null);
}
}
}
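Review bot: Every `// GOOD` branch of `doPut` that relies on an allow-list treats the mere presence of an `allowClass(...)` call as sufficient, and the only argument exercised is the literal `"example.Class"`. If `allowClass` accepts patterns (worth confirming against the Jodd API), an over-broad pattern would restrict nothing, so the test should record whether the query can tell the difference. A comment above `doPut` such as `// Note: any allowClass(...) call counts as a sanitizer here; the breadth of the pattern is not checked` would make that limitation explicit. The local `clazz` is also read but never used in `doGet`, `doHead` and `doPut`.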


@@ -0,0 +1,29 @@
package com.example;
public final class User {
private String uid;
private String name;
public User() {
}
public String getUid() {
return uid;
}
public void setUid(String uid) {
this.uid = uid;
}
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public String toString() {
return "User[ name = "+name+", uid: "+uid+ "]";
}
}
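Review bot: Nothing in this file says that the `final` modifier is load-bearing: `JabsorbServlet.doGet` is marked GOOD because its target is a final class, while `doHead` depends on `com.thirdparty.Person` (the next file) being non-final. A one-line comment on each class would stop a later cleanup from flipping the modifier, e.g. `// Must stay final: JabsorbServlet.doGet tests the final-target case` here and `// Deliberately non-final: JabsorbServlet.doHead tests a target that may have subclasses` on `Person`. `toString()` in both classes also lacks `@Override`.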


@@ -0,0 +1,29 @@
package com.thirdparty;
public class Person {
private int snum;
private String name;
public Person() {
}
public int getSnum() {
return snum;
}
public void setSnum(int snum) {
this.snum = snum;
}
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public String toString() {
return "Person[ name = "+name+", snum: "+snum+ "]";
}
}


@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/fastjson-1.2.74:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/jyaml-1.3:${testdir}/../../../stubs/json-io-4.10.0:${testdir}/../../../stubs/yamlbeans-1.09:${testdir}/../../../stubs/hessian-4.0.38:${testdir}/../../../stubs/castor-1.4.1:${testdir}/../../../stubs/jackson-databind-2.10
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/fastjson-1.2.74:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/jyaml-1.3:${testdir}/../../../stubs/json-io-4.10.0:${testdir}/../../../stubs/yamlbeans-1.09:${testdir}/../../../stubs/hessian-4.0.38:${testdir}/../../../stubs/castor-1.4.1:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12:${testdir}/../../../stubs/jabsorb-1.3.2:${testdir}/../../../stubs/json-java-20210307:${testdir}/../../../stubs/joddjson-6.0.3


@@ -9,7 +9,9 @@ import android.webkit.WebView;
import android.webkit.WebViewClient;
public class SafeActivity1 extends Activity {
//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
// Test onCreate with both JavaScript and cross-origin resource access enabled while taking
// remote user inputs from bundle extras.
// The Activity is explicitly not exported, even though it has an intent-filter.
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(-1);
@@ -29,6 +31,6 @@ public class SafeActivity1 extends Activity {
});
String thisUrl = getIntent().getExtras().getString("url");
wv.loadUrl(thisUrl);
wv.loadUrl(thisUrl); // Safe
}
}
}
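Review bot: The added comment `// The Activity is explicitly not exported, even though it has an intent-filter.` states a fact this file cannot show; the exported state presumably comes from the test's manifest, which is not part of this section. Naming the source would let a reader verify the expectation, e.g. `// Declared with android:exported="false" in the test manifest, despite its intent-filter.` The same applies to the matching comments added in SafeActivity2, SafeActivity3 and UnsafeActivity1 to UnsafeActivity3. `onCreate` continues between the two hunks, so the WebView settings that the `// Safe` annotation depends on are not visible here.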


@@ -9,7 +9,9 @@ import android.webkit.WebView;
import android.webkit.WebViewClient;
public class SafeActivity2 extends Activity {
//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
// Test onCreate with both JavaScript and cross-origin resource access enabled while taking
// remote user inputs from bundle extras.
// The Activity is explicitly not exported.
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(-1);
@@ -29,6 +31,6 @@ public class SafeActivity2 extends Activity {
});
String thisUrl = getIntent().getExtras().getString("url");
wv.loadUrl(thisUrl);
wv.loadUrl(thisUrl); // Safe
}
}
}


@@ -9,7 +9,9 @@ import android.webkit.WebView;
import android.webkit.WebViewClient;
public class SafeActivity3 extends Activity {
//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
// Test onCreate with both JavaScript and cross-origin resource access enabled while taking
// remote user inputs from bundle extras.
// The Activity is implicitly not exported.
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(-1);
@@ -29,6 +31,6 @@ public class SafeActivity3 extends Activity {
});
String thisUrl = getIntent().getExtras().getString("url");
wv.loadUrl(thisUrl);
wv.loadUrl(thisUrl); // Safe
}
}
}


@@ -9,7 +9,9 @@ import android.webkit.WebView;
import android.webkit.WebViewClient;
public class UnsafeActivity1 extends Activity {
//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
// Test onCreate with both JavaScript and cross-origin resource access enabled while taking
// remote user inputs from bundle extras.
// The Activity is exported and has an intent-filter.
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(-1);
@@ -29,6 +31,6 @@ public class UnsafeActivity1 extends Activity {
});
String thisUrl = getIntent().getExtras().getString("url");
wv.loadUrl(thisUrl);
wv.loadUrl(thisUrl); // $hasUnsafeAndroidAccess
}
}
}


@@ -9,7 +9,9 @@ import android.webkit.WebView;
import android.webkit.WebViewClient;
public class UnsafeActivity2 extends Activity {
//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
// Test onCreate with both JavaScript and cross-origin resource access enabled while taking
// remote user inputs from bundle extras.
// The Activity is implicitly exported because it has an intent-filter.
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(-1);
@@ -29,6 +31,6 @@ public class UnsafeActivity2 extends Activity {
});
String thisUrl = getIntent().getExtras().getString("url");
wv.loadUrl(thisUrl);
wv.loadUrl(thisUrl); // $hasUnsafeAndroidAccess
}
}
}


@@ -9,7 +9,9 @@ import android.webkit.WebView;
import android.webkit.WebViewClient;
public class UnsafeActivity3 extends Activity {
//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
// Test onCreate with both JavaScript and cross-origin resource access enabled while taking
// remote user inputs from bundle extras.
// The Activity is explicitly exported.
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(-1);
@@ -29,6 +31,6 @@ public class UnsafeActivity3 extends Activity {
});
String thisUrl = getIntent().getExtras().getString("url");
wv.loadUrl(thisUrl);
wv.loadUrl(thisUrl); // $hasUnsafeAndroidAccess
}
}
}


@@ -9,9 +9,15 @@ import android.webkit.WebView;
import android.webkit.WebViewClient;
public class UnsafeActivity4 extends Activity {
/**
* Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
* Note this case of invoking utility method that takes an Activity a then calls `a.getIntent().getStringExtra(...)` is not yet detected thus is beyond what the query is capable of.
/*
* Test onCreate with both JavaScript and cross-origin resource access enabled while taking
* remote user inputs from bundle extras.
*
* The Activity is explicitly exported.
*
* Note this case of invoking a utility method that takes an Activity and then calls
* `a.getIntent().getStringExtra(...)` is not yet detected thus is beyond what the query is
* capable of.
*/
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
@@ -33,6 +39,6 @@ public class UnsafeActivity4 extends Activity {
String thisUrl = IntentUtils.getIntentUrl(this);
thisUrl = IntentUtils.getBundleUrl(this);
wv.loadUrl(thisUrl);
wv.loadUrl(thisUrl); // $ MISSING: hasUnsafeAndroidAccess
}
}
}
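Review bot: The `// $ MISSING: hasUnsafeAndroidAccess` annotation sits on a single `wv.loadUrl(thisUrl)` whose argument is assigned twice: the value from `IntentUtils.getIntentUrl(this)` is overwritten by `IntentUtils.getBundleUrl(this)` before it is used. Only the second helper can reach the sink, so the recorded false negative covers just that one. Loading each value on its own line, `wv.loadUrl(IntentUtils.getIntentUrl(this)); // $ MISSING: hasUnsafeAndroidAccess` and the same for `getBundleUrl`, would track both helpers once the query improves. `onCreate` starts in the first hunk and ends in the second; the lines between them are not shown.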


@@ -8,8 +8,10 @@ import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
// The Activity is implicitly exported because it has an intent-filter.
public class UnsafeAndroidAccess extends Activity {
//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
// Test onCreate with both JavaScript and cross-origin resource access enabled while taking
// remote user inputs from bundle extras
public void testOnCreate1(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(-1);
@@ -29,10 +31,11 @@ public class UnsafeAndroidAccess extends Activity {
});
String thisUrl = getIntent().getExtras().getString("url");
wv.loadUrl(thisUrl);
wv.loadUrl(thisUrl); // $hasUnsafeAndroidAccess
}
//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from string extra
// Test onCreate with both JavaScript and cross-origin resource access enabled while taking
// remote user inputs from string extra
public void testOnCreate2(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(-1);
@@ -52,10 +55,11 @@ public class UnsafeAndroidAccess extends Activity {
});
String thisUrl = getIntent().getStringExtra("url");
wv.loadUrl(thisUrl);
wv.loadUrl(thisUrl); // $hasUnsafeAndroidAccess
}
//Test onCreate with both JavaScript and cross-origin resource access disabled by default while taking remote user inputs
// Test onCreate with both JavaScript and cross-origin resource access disabled by default while
// taking remote user inputs
public void testOnCreate3(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(-1);
@@ -72,10 +76,11 @@ public class UnsafeAndroidAccess extends Activity {
});
String thisUrl = getIntent().getStringExtra("url");
wv.loadUrl(thisUrl);
wv.loadUrl(thisUrl); // Safe
}
//Test onCreate with JavaScript enabled but cross-origin resource access disabled while taking remote user inputs
// Test onCreate with JavaScript enabled but cross-origin resource access disabled while taking
// remote user inputs
public void testOnCreate4(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(-1);
@@ -94,10 +99,11 @@ public class UnsafeAndroidAccess extends Activity {
});
String thisUrl = getIntent().getStringExtra("url");
wv.loadUrl(thisUrl);
wv.loadUrl(thisUrl); // $hasUnsafeAndroidAccess
}
//Test onCreate with both JavaScript and cross-origin resource access enabled while not taking remote user inputs
// Test onCreate with both JavaScript and cross-origin resource access enabled while not taking
// remote user inputs
public void testOnCreate5(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(-1);
@@ -116,6 +122,30 @@ public class UnsafeAndroidAccess extends Activity {
}
});
wv.loadUrl("https://www.mycorp.com");
wv.loadUrl("https://www.mycorp.com"); // Safe
}
}
// Test onCreate with both JavaScript and cross-origin resource access enabled while taking
// remote user inputs and concatenating them to a safe URL.
public void testOnCreate6(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(-1);
WebView wv = (WebView) findViewById(-1);
WebSettings webSettings = wv.getSettings();
webSettings.setJavaScriptEnabled(true);
webSettings.setAllowFileAccessFromFileURLs(true);
wv.setWebViewClient(new WebViewClient() {
@Override
public boolean shouldOverrideUrlLoading(WebView view, String url) {
view.loadUrl(url);
return true;
}
});
String thisUrl = getIntent().getStringExtra("url");
wv.loadUrl("https://www.mycorp.com/" + thisUrl); // Safe
}
}
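Review bot: `testOnCreate6` is annotated `// Safe`, presumably because the intent extra is appended to the constant `"https://www.mycorp.com/"`, but nothing records that the trailing `/` is what keeps the scheme and host fixed. A comment such as `// Safe: the constant prefix ends after the authority, so the extra cannot change the origin` would state the reason. A companion case whose prefix lacks the trailing slash would show whether the query tells the two apart. The new method is fully inside the last hunk; the earlier hunks of this section cut through `testOnCreate1` to `testOnCreate5`.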
