Merge branch 'main' into redsun82/rust-config
@@ -42,5 +42,5 @@ MySql.Data.MySqlClient,48,,,,,,,,,,,,48,,,,,,,,,,
|
||||
Newtonsoft.Json,,,91,,,,,,,,,,,,,,,,,,,73,18
|
||||
ServiceStack,194,,7,27,,,,,75,,,,92,,,,,,,,,7,
|
||||
SourceGenerators,,,5,,,,,,,,,,,,,,,,,,,,5
|
||||
System,54,47,12221,,6,5,5,,,4,1,,33,2,,6,15,17,4,3,,5921,6300
|
||||
System,54,47,12241,,6,5,5,,,4,1,,33,2,,6,15,17,4,3,,5941,6300
|
||||
Windows.Security.Cryptography.Core,1,,,,,,,1,,,,,,,,,,,,,,,
|
||||
|
||||
|
@@ -8,7 +8,7 @@ C# framework & library support
|
||||
|
||||
Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
|
||||
`ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
|
||||
System,"``System.*``, ``System``",47,12221,54,5
|
||||
System,"``System.*``, ``System``",47,12241,54,5
|
||||
Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Http``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.VisualBasic``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",60,2272,152,4
|
||||
Totals,,107,14500,400,9
|
||||
Totals,,107,14520,400,9
|
||||
|
||||
|
||||
@@ -16,7 +16,7 @@ container/ring,,,5,,,,,,,,,,,,,,,,,,,,,,,5,
|
||||
context,,,5,,,,,,,,,,,,,,,,,,,,,,,5,
|
||||
crypto,,,10,,,,,,,,,,,,,,,,,,,,,,,10,
|
||||
database/sql,30,18,12,,,,,,,,,,,,30,,,,,,18,,,,,12,
|
||||
encoding,,,77,,,,,,,,,,,,,,,,,,,,,,,77,
|
||||
encoding,,,81,,,,,,,,,,,,,,,,,,,,,,,81,
|
||||
errors,,,3,,,,,,,,,,,,,,,,,,,,,,,3,
|
||||
expvar,,,6,,,,,,,,,,,,,,,,,,,,,,,6,
|
||||
fmt,3,,16,,,,3,,,,,,,,,,,,,,,,,,,16,
|
||||
@@ -139,4 +139,5 @@ syscall,5,2,8,5,,,,,,,,,,,,,,,,,,2,,,,8,
|
||||
text/scanner,,,3,,,,,,,,,,,,,,,,,,,,,,,3,
|
||||
text/tabwriter,,,1,,,,,,,,,,,,,,,,,,,,,,,1,
|
||||
text/template,,,4,,,,,,,,,,,,,,,,,,,,,,,4,
|
||||
weak,,,2,,,,,,,,,,,,,,,,,,,,,,,2,
|
||||
xorm.io/xorm,34,,,,,,,,,,,,,,34,,,,,,,,,,,,
|
||||
|
||||
|
@@ -26,7 +26,7 @@ Go framework & library support
|
||||
`Macaron <https://gopkg.in/macaron.v1>`_,``gopkg.in/macaron*``,12,1,1
|
||||
`Revel <http://revel.github.io/>`_,"``github.com/revel/revel*``, ``github.com/robfig/revel*``",46,20,4
|
||||
`SendGrid <https://github.com/sendgrid/sendgrid-go>`_,``github.com/sendgrid/sendgrid-go*``,,1,
|
||||
`Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``",52,603,104
|
||||
`Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``",52,607,104
|
||||
`XPath <https://github.com/antchfx/xpath>`_,``github.com/antchfx/xpath*``,,,4
|
||||
`appleboy/gin-jwt <https://github.com/appleboy/gin-jwt>`_,``github.com/appleboy/gin-jwt*``,,,1
|
||||
`beego <https://beego.me/>`_,"``github.com/astaxie/beego*``, ``github.com/beego/beego*``",102,63,213
|
||||
@@ -60,6 +60,6 @@ Go framework & library support
|
||||
`xpathparser <https://github.com/santhosh-tekuri/xpathparser>`_,``github.com/santhosh-tekuri/xpathparser*``,,,2
|
||||
`yaml <https://gopkg.in/yaml.v3>`_,``gopkg.in/yaml*``,,9,
|
||||
`zap <https://go.uber.org/zap>`_,``go.uber.org/zap*``,,11,33
|
||||
Others,"``github.com/Masterminds/squirrel``, ``github.com/caarlos0/env``, ``github.com/go-gorm/gorm``, ``github.com/go-xorm/xorm``, ``github.com/gobuffalo/envy``, ``github.com/gogf/gf/database/gdb``, ``github.com/hashicorp/go-envparse``, ``github.com/jinzhu/gorm``, ``github.com/jmoiron/sqlx``, ``github.com/joho/godotenv``, ``github.com/kelseyhightower/envconfig``, ``github.com/lann/squirrel``, ``github.com/raindog308/gorqlite``, ``github.com/rqlite/gorqlite``, ``github.com/uptrace/bun``, ``go.mongodb.org/mongo-driver/mongo``, ``gopkg.in/Masterminds/squirrel``, ``gorm.io/gorm``, ``xorm.io/xorm``",117,16,391
|
||||
Totals,,459,941,1532
|
||||
Others,"``github.com/Masterminds/squirrel``, ``github.com/caarlos0/env``, ``github.com/go-gorm/gorm``, ``github.com/go-xorm/xorm``, ``github.com/gobuffalo/envy``, ``github.com/gogf/gf/database/gdb``, ``github.com/hashicorp/go-envparse``, ``github.com/jinzhu/gorm``, ``github.com/jmoiron/sqlx``, ``github.com/joho/godotenv``, ``github.com/kelseyhightower/envconfig``, ``github.com/lann/squirrel``, ``github.com/raindog308/gorqlite``, ``github.com/rqlite/gorqlite``, ``github.com/uptrace/bun``, ``go.mongodb.org/mongo-driver/mongo``, ``gopkg.in/Masterminds/squirrel``, ``gorm.io/gorm``, ``weak``, ``xorm.io/xorm``",117,18,391
|
||||
Totals,,459,947,1532
|
||||
|
||||
|
||||
@@ -4,6 +4,7 @@ public class SQLInjection extends HttpServlet {
|
||||
|
||||
StringBuilder sqlQueryBuilder = new StringBuilder();
|
||||
sqlQueryBuilder.append("SELECT * FROM user WHERE user_id='");
|
||||
// BAD: a request parameter is concatenated directly into a SQL query
|
||||
sqlQueryBuilder.append(request.getParameter("user_id"));
|
||||
sqlQueryBuilder.append("'");
|
||||
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
public class PartialPathTraversalBad {
|
||||
public void example(File dir, File parent) throws IOException {
|
||||
// BAD: dir.getCanonicalPath() not slash-terminated
|
||||
if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) {
|
||||
throw new IOException("Path traversal attempt: " + dir.getCanonicalPath());
|
||||
}
|
||||
|
||||
@@ -2,6 +2,7 @@ import java.io.File;
|
||||
|
||||
public class PartialPathTraversalGood {
|
||||
public void example(File dir, File parent) throws IOException {
|
||||
// GOOD: Check if dir.Path() is normalised
|
||||
if (!dir.toPath().normalize().startsWith(parent.toPath())) {
|
||||
throw new IOException("Path traversal attempt: " + dir.getCanonicalPath());
|
||||
}
|
||||
|
||||
@@ -20,4 +20,5 @@ webview.addJavaScriptInterface(new ExposedObject(), "exposedObject");
|
||||
webview.loadData("", "text/html", null);
|
||||
|
||||
String name = "Robert'; DROP TABLE students; --";
|
||||
// BAD: Untrusted input loaded into WebView
|
||||
webview.loadUrl("javascript:alert(exposedObject.studentEmail(\""+ name +"\"))");
|
||||
|
||||
@@ -1,2 +1,2 @@
|
||||
WebSettings settings = webview.getSettings();
|
||||
settings.setJavaScriptEnabled(false);
|
||||
settings.setJavaScriptEnabled(false); // GOOD: webview has JavaScript disabled
|
||||
|
||||
@@ -1,2 +1,2 @@
|
||||
WebSettings settings = webview.getSettings();
|
||||
settings.setJavaScriptEnabled(true);
|
||||
settings.setJavaScriptEnabled(true); // BAD: webview has JavaScript enabled
|
||||
|
||||
@@ -2,26 +2,26 @@ public class GroovyInjection {
|
||||
void injectionViaClassLoader(HttpServletRequest request) {
|
||||
String script = request.getParameter("script");
|
||||
final GroovyClassLoader classLoader = new GroovyClassLoader();
|
||||
Class groovy = classLoader.parseClass(script);
|
||||
Class groovy = classLoader.parseClass(script); // BAD: Groovy code injection
|
||||
GroovyObject groovyObj = (GroovyObject) groovy.newInstance();
|
||||
}
|
||||
|
||||
void injectionViaEval(HttpServletRequest request) {
|
||||
String script = request.getParameter("script");
|
||||
Eval.me(script);
|
||||
Eval.me(script); // BAD: Groovy code injection
|
||||
}
|
||||
|
||||
void injectionViaGroovyShell(HttpServletRequest request) {
|
||||
GroovyShell shell = new GroovyShell();
|
||||
String script = request.getParameter("script");
|
||||
shell.evaluate(script);
|
||||
shell.evaluate(script); // BAD: Groovy code injection
|
||||
}
|
||||
|
||||
void injectionViaGroovyShellGroovyCodeSource(HttpServletRequest request) {
|
||||
GroovyShell shell = new GroovyShell();
|
||||
String script = request.getParameter("script");
|
||||
GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
|
||||
shell.evaluate(gcs);
|
||||
shell.evaluate(gcs); // BAD: Groovy code injection
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -9,6 +9,7 @@ import java.io.File;
|
||||
File file = new File(Environment.getExternalStorageDirectory(), "myapp.apk");
|
||||
Intent intent = new Intent(Intent.ACTION_VIEW);
|
||||
/* Set the mimetype to APK */
|
||||
// BAD: The file may be altered by another app
|
||||
intent.setDataAndType(Uri.fromFile(file), "application/vnd.android.package-archive");
|
||||
|
||||
startActivity(intent);
|
||||
|
||||
@@ -21,6 +21,7 @@ try (InputStream is = getAssets().open(assetName);
|
||||
|
||||
/* Expose temporary file with FileProvider */
|
||||
File toInstall = new File(this.getFilesDir(), tempFilename);
|
||||
// GOOD: The file is protected by FileProvider
|
||||
Uri applicationUri = FileProvider.getUriForFile(this, "com.example.apkprovider", toInstall);
|
||||
|
||||
/* Create Intent and set data to APK file. */
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
// GOOD: Package installed using PackageInstaller
|
||||
import android.content.Context;
|
||||
import android.content.Intent;
|
||||
import android.content.pm.PackageInstaller;
|
||||
|
||||
@@ -14,6 +14,7 @@ public class VelocitySSTI {
|
||||
|
||||
StringWriter w = new StringWriter();
|
||||
// evaluate( Context context, Writer out, String logTag, String instring )
|
||||
// BAD: code is controlled by the user
|
||||
Velocity.evaluate(context, w, "mystring", code);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -11,7 +11,7 @@ public class VelocitySSTI {
|
||||
|
||||
String s = "We are using $project $name to render this.";
|
||||
StringWriter w = new StringWriter();
|
||||
Velocity.evaluate(context, w, "mystring", s);
|
||||
Velocity.evaluate(context, w, "mystring", s); // GOOD: s is a constant string
|
||||
System.out.println(" string : " + w);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -4,7 +4,7 @@ public void evaluate(Socket socket) throws IOException {
|
||||
|
||||
JexlSandbox onlyMath = new JexlSandbox(false);
|
||||
onlyMath.white("java.lang.Math");
|
||||
JexlEngine jexl = new JexlBuilder().sandbox(onlyMath).create();
|
||||
JexlEngine jexl = new JexlBuilder().sandbox(onlyMath).create(); // GOOD: using a sandbox
|
||||
|
||||
String input = reader.readLine();
|
||||
JexlExpression expression = jexl.createExpression(input);
|
||||
|
||||
@@ -6,7 +6,7 @@ public void evaluate(Socket socket) throws IOException {
|
||||
JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();
|
||||
|
||||
String input = reader.readLine();
|
||||
JexlExpression expression = jexl.createExpression(input);
|
||||
JexlExpression expression = jexl.createExpression(input); // GOOD: jexl uses a sandbox
|
||||
JexlContext context = new MapContext();
|
||||
expression.evaluate(context);
|
||||
}
|
||||
|
||||
@@ -4,9 +4,11 @@ public Object evaluate(Socket socket) throws IOException {
|
||||
|
||||
String string = reader.readLine();
|
||||
ExpressionParser parser = new SpelExpressionParser();
|
||||
// AVOID: string is controlled by the user
|
||||
Expression expression = parser.parseExpression(string);
|
||||
SimpleEvaluationContext context
|
||||
= SimpleEvaluationContext.forReadWriteDataBinding().build();
|
||||
// OK: Untrusted expressions are evaluated in a restricted context
|
||||
return expression.getValue(context);
|
||||
}
|
||||
}
|
||||
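Review bot: The two new comments label the parse as `AVOID` and the evaluation as `OK`, while every other example touched by this commit uses the `BAD:`/`GOOD:` vocabulary, so these two read as a different severity scale. Parsing an untrusted string is not itself the hazard here; the mitigation is the `SimpleEvaluationContext` passed to `getValue`, and that is what the comment should point at. I would change the second comment to `// GOOD: the untrusted expression is evaluated in a restricted SimpleEvaluationContext, not a StandardEvaluationContext` and either drop the `AVOID` line or reword it as a plain note that `string` is attacker-controlled. The enclosing `evaluate` method starts before this hunk.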
@@ -4,6 +4,7 @@ public void evaluate(Socket socket) throws IOException {
|
||||
|
||||
String input = reader.readLine();
|
||||
JexlEngine jexl = new JexlBuilder().create();
|
||||
// BAD: input is controlled by the user
|
||||
JexlExpression expression = jexl.createExpression(input);
|
||||
JexlContext context = new MapContext();
|
||||
expression.evaluate(context);
|
||||
|
||||
@@ -4,6 +4,7 @@ public Object evaluate(Socket socket) throws IOException {
|
||||
|
||||
String string = reader.readLine();
|
||||
ExpressionParser parser = new SpelExpressionParser();
|
||||
// BAD: string is controlled by the user
|
||||
Expression expression = parser.parseExpression(string);
|
||||
return expression.getValue();
|
||||
}
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
byte[] iv = new byte[16]; // all zeroes
|
||||
byte[] iv = new byte[16]; // BAD: all zeroes
|
||||
GCMParameterSpec params = new GCMParameterSpec(128, iv);
|
||||
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key, params);
|
||||
@@ -1,6 +1,6 @@
|
||||
byte[] iv = new byte[16];
|
||||
SecureRandom random = SecureRandom.getInstanceStrong();
|
||||
random.nextBytes(iv);
|
||||
random.nextBytes(iv); // GOOD: random initialization vector
|
||||
GCMParameterSpec params = new GCMParameterSpec(128, iv);
|
||||
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key, params);
|
||||
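Review bot: The line marked `GOOD: random initialization vector` still fills a 16-byte IV for `GCMParameterSpec`, whereas GCM is specified and recommended (NIST SP 800-38D) with a 96-bit nonce; a 16-byte IV is hashed down to the initial counter block rather than used directly, so `byte[] iv = new byte[12];` is the form worth showing in a "good" example. The unchanged `Cipher.getInstance("AES/GCM/PKCS5PADDING")` is also questionable: GCM is an unpadded mode, and as far as I recall the JDK provider accepts only `AES/GCM/NoPadding` and rejects other paddings with `NoSuchPaddingException`, so the snippet may not run as written — please confirm against the JDK you target. The same two lines appear in the bad example in the previous hunk. Separately, `SecureRandom.getInstanceStrong()` can block on platforms whose strong source is `/dev/random`; for an IV a plain `new SecureRandom()` is sufficient and avoids that stall.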
@@ -1,2 +1,2 @@
|
||||
TextView pwView = getViewById(R.id.pw_text);
|
||||
pwView.setText("Your password is: " + password);
|
||||
pwView.setText("Your password is: " + password); // BAD: password is shown immediately
|
||||
@@ -5,6 +5,6 @@ pwView.setText("Your password is: " + password);
|
||||
Button showButton = findViewById(R.id.show_pw_button);
|
||||
showButton.setOnClickListener(new View.OnClickListener() {
|
||||
public void onClick(View v) {
|
||||
pwView.setVisibility(View.VISIBLE);
|
||||
pwView.setVisibility(View.VISIBLE); // GOOD: password is only shown when the user clicks the button
|
||||
}
|
||||
});
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
WebSettings settings = webview.getSettings();
|
||||
|
||||
// GOOD: WebView is configured to disallow content access
|
||||
settings.setAllowContentAccess(false);
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
WebSettings settings = webview.getSettings();
|
||||
|
||||
// BAD: WebView is configured to allow content access
|
||||
settings.setAllowContentAccess(true);
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
WebSettings settings = view.getSettings();
|
||||
|
||||
// GOOD: WebView is configured to disallow file access
|
||||
settings.setAllowFileAccess(false);
|
||||
settings.setAllowFileAccessFromURLs(false);
|
||||
settings.setAllowUniversalAccessFromURLs(false);
|
||||
|
||||
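Review bot: The method names `setAllowFileAccessFromURLs` and `setAllowUniversalAccessFromURLs` on the two lines after `setAllowFileAccess(false)` do not match the `android.webkit.WebSettings` API as far as I can tell, which has `setAllowFileAccessFromFileURLs` and `setAllowUniversalAccessFromFileURLs`; the same names appear in the bad example in the next hunk. If this query-help snippet is expected to compile, I would rename both calls; if it is intentionally illustrative, a short comment saying so would save the next reader the lookup.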
@@ -1,5 +1,6 @@
|
||||
WebSettings settings = view.getSettings();
|
||||
|
||||
// BAD: WebView is configured to allow file access
|
||||
settings.setAllowFileAccess(true);
|
||||
settings.setAllowFileAccessFromURLs(true);
|
||||
settings.setAllowUniversalAccessFromURLs(true);
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
Random r = new Random();
|
||||
Random r = new Random(); // BAD: Random is not cryptographically secure
|
||||
|
||||
byte[] bytes = new byte[16];
|
||||
r.nextBytes(bytes);
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
SecureRandom r = new SecureRandom();
|
||||
SecureRandom r = new SecureRandom(); // GOOD: SecureRandom is cryptographically secure
|
||||
|
||||
byte[] bytes = new byte[16];
|
||||
r.nextBytes(bytes);
|
||||
|
||||
@@ -12,14 +12,14 @@ class Resource {
|
||||
|
||||
public synchronized void bad(Resource r) {
|
||||
if (r.isReady()) {
|
||||
// r might no longer be ready, another thread might
|
||||
// BAD: r might no longer be ready, another thread might
|
||||
// have called setReady(false)
|
||||
r.act();
|
||||
}
|
||||
}
|
||||
|
||||
public synchronized void good(Resource r) {
|
||||
synchronized(r) {
|
||||
synchronized(r) { // GOOD: r is locked
|
||||
if (r.isReady()) {
|
||||
r.act();
|
||||
}
|
||||
|
||||
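Review bot: The new `GOOD: r is locked` comment on the `synchronized(r)` line is only accurate if `Resource.isReady`, `setReady` and `act` themselves synchronize on the instance (i.e. are `synchronized` methods); otherwise another thread can still call `setReady(false)` between the check and `r.act()` even though this thread holds `r`'s monitor. The `Resource` class body is outside this hunk, so I cannot see whether that holds. I would make the precondition explicit: `// GOOD: holds r's monitor across the whole check-then-act; relies on Resource's methods being synchronized`.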
@@ -7,6 +7,6 @@ public MyObject {
|
||||
|
||||
public MyObject deserialize(Socket sock) {
|
||||
try(ObjectInputStream in = new ObjectInputStream(sock.getInputStream())) {
|
||||
return (MyObject)in.readObject(); // unsafe
|
||||
return (MyObject)in.readObject(); // BAD: in is from untrusted source
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
public MyObject deserialize(Socket sock) {
|
||||
try(DataInputStream in = new DataInputStream(sock.getInputStream())) {
|
||||
return new MyObject(in.readInt());
|
||||
return new MyObject(in.readInt()); // GOOD: read only an int
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
// BAD: LDAP authentication is used
|
||||
String ldapUrl = "ldap://ad.your-server.com:389";
|
||||
Hashtable<String, String> environment = new Hashtable<String, String>();
|
||||
environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
|
||||
|
||||
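Review bot: The new comment `// BAD: LDAP authentication is used` on the first line names the wrong thing — LDAP authentication is fine; what makes this example bad is the plaintext `ldap://` URL (and, presumably in the lines below this hunk, simple authentication), so the bind credentials cross the network unencrypted. The two sibling examples in this commit make the contrast clear (`LDAPS`, `SASL`), so the bad case should state the matching weakness: `// BAD: plaintext ldap:// with simple bind - credentials are sent in the clear`. Only the first three lines of the snippet are in the hunk, so the authentication mode itself is inferred.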
@@ -1,3 +1,4 @@
|
||||
// GOOD: LDAP connection using LDAPS
|
||||
String ldapUrl = "ldaps://ad.your-server.com:636";
|
||||
Hashtable<String, String> environment = new Hashtable<String, String>();
|
||||
environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
// GOOD: LDAP is used but SASL authentication is enabled
|
||||
String ldapUrl = "ldap://ad.your-server.com:389";
|
||||
Hashtable<String, String> environment = new Hashtable<String, String>();
|
||||
environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
public void parse(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //unsafe
|
||||
builder.parse(sock.getInputStream()); // BAD: DTD parsing is enabled
|
||||
}
|
||||
|
||||
@@ -2,5 +2,5 @@ public void disableDTDParse(Socket sock) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
builder.parse(sock.getInputStream()); //safe
|
||||
builder.parse(sock.getInputStream()); // GOOD: DTD parsing is disabled
|
||||
}
|
||||
|
||||
@@ -3,7 +3,7 @@ import com.amazonaws.auth.BasicAWSCredentials;
|
||||
|
||||
public class HardcodedAWSCredentials {
|
||||
public static void main(String[] args) {
|
||||
//Hardcoded credentials for connecting to AWS services
|
||||
// BAD: Hardcoded credentials for connecting to AWS services
|
||||
//To fix the problem, use other approaches including AWS credentials file, environment variables, or instance/container credentials instead
|
||||
AWSCredentials creds = new BasicAWSCredentials("ACCESS_KEY", "SECRET_KEY"); //sensitive call
|
||||
}
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
private static final String p = "123456"; // hard-coded credential
|
||||
private static final String p = "123456"; // BAD: hard-coded credential
|
||||
|
||||
public static void main(String[] args) throws SQLException {
|
||||
String url = "jdbc:mysql://localhost/test";
|
||||
String u = "admin"; // hard-coded credential
|
||||
String u = "admin"; // BAD: hard-coded credential
|
||||
|
||||
getConn(url, u, p);
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
for (int i=0; i<10; i++) {
|
||||
for (int j=0; i<10; j++) {
|
||||
for (int j=0; i<10; j++) { // BAD: Potential infinite loop: i should be j
|
||||
// do stuff
|
||||
if (shouldBreak()) break;
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
for (int i=0; i<10; i++) {
|
||||
for (int j=0; j<10; j++) {
|
||||
for (int j=0; j<10; j++) { // GOOD: correct variable j
|
||||
// do stuff
|
||||
if (shouldBreak()) break;
|
||||
}
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
public class ShutdownReceiver extends BroadcastReceiver {
|
||||
@Override
|
||||
public void onReceive(final Context context, final Intent intent) {
|
||||
// BAD: The code does not check if the intent is an ACTION_SHUTDOWN intent
|
||||
mainActivity.saveLocalData();
|
||||
mainActivity.stopActivity();
|
||||
}
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
public class ShutdownReceiver extends BroadcastReceiver {
|
||||
@Override
|
||||
public void onReceive(final Context context, final Intent intent) {
|
||||
// GOOD: The code checks if the intent is an ACTION_SHUTDOWN intent
|
||||
if (!intent.getAction().equals(Intent.ACTION_SHUTDOWN)) {
|
||||
return;
|
||||
}
|
||||
|
||||
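Review bot: The check on the `if` line, `intent.getAction().equals(Intent.ACTION_SHUTDOWN)`, throws a `NullPointerException` when the delivered intent has no action, because `Intent.getAction()` can return null; for a snippet labelled `GOOD` that is a crash path which, if the receiver is exported, any app can trigger with an action-less broadcast. Flip the comparison so the constant is the receiver: `if (!Intent.ACTION_SHUTDOWN.equals(intent.getAction())) {`. The rest of `onReceive` is outside this hunk.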
1
rust/ql/.generated.list
generated
1
rust/ql/.generated.list
generated
@@ -427,7 +427,6 @@ lib/codeql/rust/elements/internal/TypeBoundImpl.qll 4d6763884968be0dee85cd1a6a18
|
||||
lib/codeql/rust/elements/internal/TypeBoundListConstructor.qll 4b634b3a4ca8909ce8c0d172d9258168c5271435474089902456c2e3e47ae1c5 3af74623ced55b3263c096810a685517d36b75229431b81f3bb8101294940025
|
||||
lib/codeql/rust/elements/internal/TypeBoundListImpl.qll 23557f993a1de15a3b08652f53fd99dea8b3af4b8a65d7331e99f50735a7942c 8d91dbad037268ec37907ef6c2b0e927f648551afb57f706ed4d79d6aad5f5d6
|
||||
lib/codeql/rust/elements/internal/TypeParamConstructor.qll a6e57cccd6b54fa68742d7b8ce70678a79ac133ea8c1bfa89d60b5f74ad07e05 0e5f45d250d736aaf40387be22e55288543bdb55bbb20ecb43f2f056e8be8b09
|
||||
lib/codeql/rust/elements/internal/TypeParamImpl.qll 9e7169e8254e2d9d13b11a17cbe04e874f72fb67a75c3585e70eddec71ba5c7f b8c862b2cd53bc211caea23261d9832613418aae51f63ef08922d300c2d1f4f2
|
||||
lib/codeql/rust/elements/internal/TypeReprImpl.qll 504b137313407be57c93fe0acee31716a02f91e23ce417e7c67bae2ae9937564 28fa8b680d5cd782c5c5fb048a9deb9b9debd196e3bc7df1129843e61eb342ea
|
||||
lib/codeql/rust/elements/internal/UnderscoreExprConstructor.qll 8dc27831adb49c1a47b9f8997d6065e82b4e48e41e3c35bd8d35255cea459905 6c5a5272d37f83f1c1b17475f8adb7d867e95025d201320e20a32dab1f69f7bf
|
||||
lib/codeql/rust/elements/internal/UnextractedImpl.qll 5c23df7e448184d76ccab2c22757ace24663b8be2592a3fa2a44bef43159ebd3 77b0c9fe75a307adc08c422cc88423c5349756878793cf9e79c006c83b4c403b
|
||||
|
||||
1
rust/ql/.gitattributes
generated
vendored
1
rust/ql/.gitattributes
generated
vendored
@@ -429,7 +429,6 @@
|
||||
/lib/codeql/rust/elements/internal/TypeBoundListConstructor.qll linguist-generated
|
||||
/lib/codeql/rust/elements/internal/TypeBoundListImpl.qll linguist-generated
|
||||
/lib/codeql/rust/elements/internal/TypeParamConstructor.qll linguist-generated
|
||||
/lib/codeql/rust/elements/internal/TypeParamImpl.qll linguist-generated
|
||||
/lib/codeql/rust/elements/internal/TypeReprImpl.qll linguist-generated
|
||||
/lib/codeql/rust/elements/internal/UnderscoreExprConstructor.qll linguist-generated
|
||||
/lib/codeql/rust/elements/internal/UnextractedImpl.qll linguist-generated
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
// generated by codegen, remove this comment if you wish to edit this file
|
||||
/**
|
||||
* This module provides a hand-modifiable wrapper around the generated class `TypeParam`.
|
||||
*
|
||||
@@ -12,11 +11,16 @@ private import codeql.rust.elements.internal.generated.TypeParam
|
||||
* be referenced directly.
|
||||
*/
|
||||
module Impl {
|
||||
// the following QLdoc is generated: if you need to edit it, do it in the schema file
|
||||
/**
|
||||
* A TypeParam. For example:
|
||||
* ```rust
|
||||
* todo!()
|
||||
* ```
|
||||
*/
|
||||
class TypeParam extends Generated::TypeParam { }
|
||||
class TypeParam extends Generated::TypeParam {
|
||||
override string toAbbreviatedString() { result = this.getName().getText() }
|
||||
|
||||
override string toString() { result = this.getName().getText() }
|
||||
}
|
||||
}
|
||||
|
||||
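Review bot: The two new overrides in `TypeParam` (`toAbbreviatedString` and `toString`) have no result when `this.getName()` has none, so a type parameter whose name was not extracted would have no printable representation in query output. Whether that case can occur depends on the extractor, which is outside this hunk; if it can, a fallback such as `or not exists(this.getName()) and result = "TypeParam"` preserves the previous rendering for unnamed nodes. Removing the codegen header comment is consistent with the file now being hand-maintained, and the updated test expectations in this commit confirm the new rendering for the named case.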
20
rust/ql/lib/codeql/rust/frameworks/rusqlite.model.yml
Normal file
20
rust/ql/lib/codeql/rust/frameworks/rusqlite.model.yml
Normal file
@@ -0,0 +1,20 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/rust-all
|
||||
extensible: sinkModel
|
||||
data:
|
||||
- ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::Connection>::execute", "Argument[0]", "sql-injection", "manual"]
|
||||
- ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::Connection>::execute_batch", "Argument[0]", "sql-injection", "manual"]
|
||||
- ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::Connection>::prepare", "Argument[0]", "sql-injection", "manual"]
|
||||
- ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::Connection>::prepare_with_flags", "Argument[0]", "sql-injection", "manual"]
|
||||
- ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::Connection>::query_row", "Argument[0]", "sql-injection", "manual"]
|
||||
- ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::Connection>::query_row_and_then", "Argument[0]", "sql-injection", "manual"]
|
||||
|
||||
- addsTo:
|
||||
pack: codeql/rust-all
|
||||
extensible: sourceModel
|
||||
data:
|
||||
- ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::row::Row>::get", "ReturnValue.Variant[crate::result::Result::Ok(0)]", "database", "manual"]
|
||||
- ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::row::Row>::get_unwrap", "ReturnValue", "database", "manual"]
|
||||
- ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::row::Row>::get_ref", "ReturnValue.Variant[crate::result::Result::Ok(0)]", "database", "manual"]
|
||||
- ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::row::Row>::get_ref_unwrap", "ReturnValue", "database", "manual"]
|
||||
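Review bot: The sink list covers `execute`, `execute_batch`, `prepare`, `prepare_with_flags`, `query_row` and `query_row_and_then`, but as far as I can tell rusqlite's `Connection` also exposes `prepare_cached`, which takes the SQL string as `Argument[0]` in the same way and is the method codebases use on hot paths; without a row for it, a string-built query run through a cached statement is never reported. I would add `- ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::Connection>::prepare_cached", "Argument[0]", "sql-injection", "manual"]` after the `prepare_with_flags` row, after confirming the name against the 0.33 API pinned by the test. It is also worth checking that calls made through `Transaction`/`Savepoint` (which deref to `Connection`) resolve to these models, since the test fixture only exercises `Connection` directly.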
@@ -7,7 +7,7 @@
|
||||
| utf8_identifiers.rs:1:7:4:1 | GenericParamList |
|
||||
| utf8_identifiers.rs:2:5:2:6 | ''\u03b2 |
|
||||
| utf8_identifiers.rs:2:5:2:6 | LifetimeParam |
|
||||
| utf8_identifiers.rs:3:5:3:5 | TypeParam |
|
||||
| utf8_identifiers.rs:3:5:3:5 | \u03b3 |
|
||||
| utf8_identifiers.rs:3:5:3:5 | \u03b3 |
|
||||
| utf8_identifiers.rs:4:2:4:3 | ParamList |
|
||||
| utf8_identifiers.rs:4:5:4:6 | StmtList |
|
||||
|
||||
28
rust/ql/test/library-tests/frameworks/rusqlite/Rusqlite.ql
Normal file
28
rust/ql/test/library-tests/frameworks/rusqlite/Rusqlite.ql
Normal file
@@ -0,0 +1,28 @@
|
||||
import rust
|
||||
import codeql.rust.security.SqlInjectionExtensions
|
||||
import codeql.rust.Concepts
|
||||
import utils.test.InlineExpectationsTest
|
||||
|
||||
module RusqliteTest implements TestSig {
|
||||
string getARelevantTag() { result = ["sql-sink", "database-read"] }
|
||||
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(SqlInjection::Sink sink |
|
||||
location = sink.getLocation() and
|
||||
location.getFile().getBaseName() != "" and
|
||||
element = sink.toString() and
|
||||
tag = "sql-sink" and
|
||||
value = ""
|
||||
)
|
||||
or
|
||||
exists(ModeledDatabaseSource sink |
|
||||
location = sink.getLocation() and
|
||||
location.getFile().getBaseName() != "" and
|
||||
element = sink.toString() and
|
||||
tag = "database-read" and
|
||||
value = ""
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
import MakeTest<RusqliteTest>
|
||||
@@ -0,0 +1,13 @@
|
||||
[workspace]
|
||||
|
||||
[package]
|
||||
name = "rusqlite-test"
|
||||
version = "0.1.0"
|
||||
edition = "2021"
|
||||
|
||||
[dependencies]
|
||||
rusqlite = { version = "0.33", features = ["bundled"] }
|
||||
|
||||
[[bin]]
|
||||
name = "rusqlite"
|
||||
path = "./main.rs"
|
||||
50
rust/ql/test/library-tests/frameworks/rusqlite/main.rs
Normal file
50
rust/ql/test/library-tests/frameworks/rusqlite/main.rs
Normal file
@@ -0,0 +1,50 @@
|
||||
|
||||
use rusqlite::Connection;
|
||||
|
||||
#[derive(Debug)]
|
||||
struct Person {
|
||||
id: i32,
|
||||
name: String,
|
||||
age: i32,
|
||||
}
|
||||
|
||||
fn main() -> Result<(), Box<dyn std::error::Error>> {
|
||||
// Get input from CLI
|
||||
let args: Vec<String> = std::env::args().collect();
|
||||
let name = &args[1];
|
||||
let age = &args[2];
|
||||
|
||||
let connection = Connection::open_in_memory()?;
|
||||
|
||||
connection.execute( // $ sql-sink
|
||||
"CREATE TABLE person (
|
||||
id INTEGER PRIMARY KEY AUTOINCREMENT,
|
||||
name VARCHAR NOT NULL,
|
||||
age INT NOT NULL
|
||||
)",
|
||||
(),
|
||||
)?;
|
||||
|
||||
let query = format!("INSERT INTO person (name, age) VALUES ('{}', '{}')", name, age);
|
||||
|
||||
connection.execute(&query, ())?; // $ sql-sink
|
||||
|
||||
let person = connection.query_row(&query, (), |row| { // $ sql-sink
|
||||
Ok(Person {
|
||||
id: row.get(0)?, // $ database-read
|
||||
name: row.get(1)?, // $ database-read
|
||||
age: row.get(2)?, // $ database-read
|
||||
})
|
||||
})?;
|
||||
|
||||
let mut stmt = connection.prepare("SELECT id, name, age FROM person")?; // $ sql-sink
|
||||
let people = stmt.query_map([], |row| {
|
||||
Ok(Person {
|
||||
id: row.get_unwrap(0), // $ database-read
|
||||
name: row.get_unwrap(1), // $ database-read
|
||||
age: row.get_unwrap(2), // $ database-read
|
||||
})
|
||||
})?;
|
||||
|
||||
Ok(())
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
qltest_cargo_check: true
|
||||
qltest_dependencies:
|
||||
- rusqlite = { version = "0.33", features = ["bundled"] }
|
||||
@@ -99,10 +99,10 @@ resolvePath
|
||||
| main.rs:188:19:188:32 | ...::MyStruct | main.rs:185:5:185:26 | struct MyStruct |
|
||||
| main.rs:190:9:190:12 | self | main.rs:184:1:192:1 | mod m9 |
|
||||
| main.rs:190:9:190:22 | ...::MyStruct | main.rs:185:5:185:26 | struct MyStruct |
|
||||
| main.rs:200:12:200:12 | T | main.rs:197:7:197:7 | TypeParam |
|
||||
| main.rs:205:12:205:12 | T | main.rs:204:14:204:14 | TypeParam |
|
||||
| main.rs:200:12:200:12 | T | main.rs:197:7:197:7 | T |
|
||||
| main.rs:205:12:205:12 | T | main.rs:204:14:204:14 | T |
|
||||
| main.rs:207:7:209:7 | MyStruct::<...> | main.rs:195:5:201:5 | struct MyStruct |
|
||||
| main.rs:208:9:208:9 | T | main.rs:204:14:204:14 | TypeParam |
|
||||
| main.rs:208:9:208:9 | T | main.rs:204:14:204:14 | T |
|
||||
| main.rs:211:9:211:16 | MyStruct | main.rs:195:5:201:5 | struct MyStruct |
|
||||
| main.rs:221:17:221:19 | Foo | main.rs:216:5:216:21 | struct Foo |
|
||||
| main.rs:222:9:222:11 | Foo | main.rs:218:5:218:15 | fn Foo |
|
||||
@@ -115,7 +115,7 @@ resolvePath
|
||||
| main.rs:246:9:246:12 | ...::C | main.rs:243:9:243:9 | C |
|
||||
| main.rs:249:17:249:17 | S | main.rs:241:5:241:13 | struct S |
|
||||
| main.rs:250:17:250:17 | C | main.rs:243:9:243:9 | C |
|
||||
| main.rs:263:16:263:16 | T | main.rs:257:7:257:7 | TypeParam |
|
||||
| main.rs:263:16:263:16 | T | main.rs:257:7:257:7 | T |
|
||||
| main.rs:264:14:264:17 | Self | main.rs:255:5:265:5 | trait MyParamTrait |
|
||||
| main.rs:264:14:264:33 | ...::AssociatedType | main.rs:259:9:259:28 | TypeAlias |
|
||||
| main.rs:273:13:273:17 | crate | main.rs:1:1:302:2 | SourceFile |
|
||||
|
||||