Remove LogOperationSink and PrintSink

haby0
2021-04-27 14:12:33 +08:00
parent 407dcea751
commit 5be9fbbc5a
11 changed files with 10 additions and 548 deletions


@@ -1,48 +1,11 @@
edges
| UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) : String | UseOfLessTrustedSource.java:22:60:22:61 | ip |
| UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
| UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) : String | UseOfLessTrustedSource.java:26:64:26:65 | ip |
| UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
| UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) : String | UseOfLessTrustedSource.java:30:67:30:68 | ip |
| UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
| UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) : String | UseOfLessTrustedSource.java:34:63:34:64 | ip |
| UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
| UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) : String | UseOfLessTrustedSource.java:38:69:38:70 | ip |
| UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
| UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | UseOfLessTrustedSource.java:42:58:42:59 | ip |
| UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
| UseOfLessTrustedSource.java:53:21:53:33 | getClientIP(...) : String | UseOfLessTrustedSource.java:54:37:54:38 | ip |
| UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) : String | UseOfLessTrustedSource.java:78:16:78:37 | ...[...] : String |
| UseOfLessTrustedSource.java:78:16:78:37 | ...[...] : String | UseOfLessTrustedSource.java:53:21:53:33 | getClientIP(...) : String |
| UseOfLessTrustedSource.java:16:21:16:33 | getClientIP(...) : String | UseOfLessTrustedSource.java:17:37:17:38 | ip |
| UseOfLessTrustedSource.java:37:27:37:62 | getHeader(...) : String | UseOfLessTrustedSource.java:41:16:41:37 | ...[...] : String |
| UseOfLessTrustedSource.java:41:16:41:37 | ...[...] : String | UseOfLessTrustedSource.java:16:21:16:33 | getClientIP(...) : String |
nodes
| UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) : String | semmle.label | getHeader(...) : String |
| UseOfLessTrustedSource.java:22:60:22:61 | ip | semmle.label | ip |
| UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) : String | semmle.label | getHeader(...) : String |
| UseOfLessTrustedSource.java:26:64:26:65 | ip | semmle.label | ip |
| UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) : String | semmle.label | getHeader(...) : String |
| UseOfLessTrustedSource.java:30:67:30:68 | ip | semmle.label | ip |
| UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) : String | semmle.label | getHeader(...) : String |
| UseOfLessTrustedSource.java:34:63:34:64 | ip | semmle.label | ip |
| UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) : String | semmle.label | getHeader(...) : String |
| UseOfLessTrustedSource.java:38:69:38:70 | ip | semmle.label | ip |
| UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | semmle.label | getHeader(...) : String |
| UseOfLessTrustedSource.java:42:58:42:59 | ip | semmle.label | ip |
| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | semmle.label | ... + ... |
| UseOfLessTrustedSource.java:53:21:53:33 | getClientIP(...) : String | semmle.label | getClientIP(...) : String |
| UseOfLessTrustedSource.java:54:37:54:38 | ip | semmle.label | ip |
| UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) : String | semmle.label | getHeader(...) : String |
| UseOfLessTrustedSource.java:78:16:78:37 | ...[...] : String | semmle.label | ...[...] : String |
| UseOfLessTrustedSource.java:16:21:16:33 | getClientIP(...) : String | semmle.label | getClientIP(...) : String |
| UseOfLessTrustedSource.java:17:37:17:38 | ip | semmle.label | ip |
| UseOfLessTrustedSource.java:37:27:37:62 | getHeader(...) : String | semmle.label | getHeader(...) : String |
| UseOfLessTrustedSource.java:41:16:41:37 | ...[...] : String | semmle.label | ...[...] : String |
#select
| UseOfLessTrustedSource.java:22:60:22:61 | ip | UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) : String | UseOfLessTrustedSource.java:22:60:22:61 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) | this user input |
| UseOfLessTrustedSource.java:26:64:26:65 | ip | UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) : String | UseOfLessTrustedSource.java:26:64:26:65 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) | this user input |
| UseOfLessTrustedSource.java:30:67:30:68 | ip | UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) : String | UseOfLessTrustedSource.java:30:67:30:68 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) | this user input |
| UseOfLessTrustedSource.java:34:63:34:64 | ip | UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) : String | UseOfLessTrustedSource.java:34:63:34:64 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) | this user input |
| UseOfLessTrustedSource.java:38:69:38:70 | ip | UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) : String | UseOfLessTrustedSource.java:38:69:38:70 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) | this user input |
| UseOfLessTrustedSource.java:42:58:42:59 | ip | UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | UseOfLessTrustedSource.java:42:58:42:59 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) | this user input |
| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) | this user input |
| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) | this user input |
| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) | this user input |
| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) | this user input |
| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) | this user input |
| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) | this user input |
| UseOfLessTrustedSource.java:54:37:54:38 | ip | UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) : String | UseOfLessTrustedSource.java:54:37:54:38 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) | this user input |
| UseOfLessTrustedSource.java:17:37:17:38 | ip | UseOfLessTrustedSource.java:37:27:37:62 | getHeader(...) : String | UseOfLessTrustedSource.java:17:37:17:38 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:37:27:37:62 | getHeader(...) | this user input |


@@ -1,7 +1,5 @@
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
@@ -10,46 +8,11 @@ import org.springframework.web.bind.annotation.ResponseBody;
@Controller
public class UseOfLessTrustedSource {
private static final Logger log = LoggerFactory.getLogger(UseOfLessTrustedSource.class);
@Autowired
private HttpServletRequest request;
@GetMapping(value = "bad1")
public void bad1(HttpServletRequest request) {
String ip = request.getHeader("X-Forwarded-For");
log.debug("getClientIP header X-Forwarded-For:{}", ip);
if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
ip = request.getHeader("Proxy-Client-IP");
log.debug("getClientIP header Proxy-Client-IP:{}", ip);
}
if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
ip = request.getHeader("WL-Proxy-Client-IP");
log.debug("getClientIP header WL-Proxy-Client-IP:{}", ip);
}
if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
ip = request.getHeader("HTTP_CLIENT_IP");
log.debug("getClientIP header HTTP_CLIENT_IP:{}", ip);
}
if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
ip = request.getHeader("HTTP_X_FORWARDED_FOR");
log.debug("getClientIP header HTTP_X_FORWARDED_FOR:{}", ip);
}
if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
ip = request.getHeader("X-Real-IP");
log.debug("getClientIP header X-Real-IP:{}", ip);
}
if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
ip = request.getRemoteAddr();
log.debug("getRemoteAddr IP:{}", ip);
}
System.out.println("client ip is: " + ip);
}
@GetMapping(value = "bad2")
public void bad2(HttpServletRequest request) {
String ip = getClientIP();
if (!StringUtils.startsWith(ip, "192.168.")) {
new Exception("ip illegal");
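Review bot: In `bad2`, the line `new Exception("ip illegal");` constructs an exception and discards it, so the `"192.168."` prefix check never changes control flow. If the case is meant to model a handler that rejects non-internal clients, it should read `throw new Exception("ip illegal");`, with `throws Exception` added to the signature or an unchecked type used instead. The page has lost its `+`/`-` markers, so this is inferred from the hunk counts: the line looks like unchanged context that this commit leaves in place, and `bad1` looks entirely removed. That would make `bad2` the only remaining flow in this part of the file, so a one-line comment above it such as `// BAD: access decision based on a client-supplied header value` would record what the case still covers. `bad2`'s body continues outside the hunk.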


@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.2.3/:${testdir}/../../../../stubs/slf4j-api-1.6.4/:${testdir}/../../../../stubs/apache-commons-lang3-3.7/
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.2.3/:${testdir}/../../../../stubs/apache-commons-lang3-3.7/


@@ -1,127 +0,0 @@
package org.slf4j;
public interface Logger {
String ROOT_LOGGER_NAME = "ROOT";
String getName();
boolean isTraceEnabled();
void trace(String var1);
void trace(String var1, Object var2);
void trace(String var1, Object var2, Object var3);
void trace(String var1, Object[] var2);
void trace(String var1, Throwable var2);
boolean isTraceEnabled(Marker var1);
void trace(Marker var1, String var2);
void trace(Marker var1, String var2, Object var3);
void trace(Marker var1, String var2, Object var3, Object var4);
void trace(Marker var1, String var2, Object[] var3);
void trace(Marker var1, String var2, Throwable var3);
boolean isDebugEnabled();
void debug(String var1);
void debug(String var1, Object var2);
void debug(String var1, Object var2, Object var3);
void debug(String var1, Object[] var2);
void debug(String var1, Throwable var2);
boolean isDebugEnabled(Marker var1);
void debug(Marker var1, String var2);
void debug(Marker var1, String var2, Object var3);
void debug(Marker var1, String var2, Object var3, Object var4);
void debug(Marker var1, String var2, Object[] var3);
void debug(Marker var1, String var2, Throwable var3);
boolean isInfoEnabled();
void info(String var1);
void info(String var1, Object var2);
void info(String var1, Object var2, Object var3);
void info(String var1, Object[] var2);
void info(String var1, Throwable var2);
boolean isInfoEnabled(Marker var1);
void info(Marker var1, String var2);
void info(Marker var1, String var2, Object var3);
void info(Marker var1, String var2, Object var3, Object var4);
void info(Marker var1, String var2, Object[] var3);
void info(Marker var1, String var2, Throwable var3);
boolean isWarnEnabled();
void warn(String var1);
void warn(String var1, Object var2);
void warn(String var1, Object[] var2);
void warn(String var1, Object var2, Object var3);
void warn(String var1, Throwable var2);
boolean isWarnEnabled(Marker var1);
void warn(Marker var1, String var2);
void warn(Marker var1, String var2, Object var3);
void warn(Marker var1, String var2, Object var3, Object var4);
void warn(Marker var1, String var2, Object[] var3);
void warn(Marker var1, String var2, Throwable var3);
boolean isErrorEnabled();
void error(String var1);
void error(String var1, Object var2);
void error(String var1, Object var2, Object var3);
void error(String var1, Object[] var2);
void error(String var1, Throwable var2);
boolean isErrorEnabled(Marker var1);
void error(Marker var1, String var2);
void error(Marker var1, String var2, Object var3);
void error(Marker var1, String var2, Object var3, Object var4);
void error(Marker var1, String var2, Object[] var3);
void error(Marker var1, String var2, Throwable var3);
}


@@ -1,21 +0,0 @@
package org.slf4j;
import java.io.IOException;
import java.net.URL;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
public final class LoggerFactory {
public static Logger getLogger(String name) {
return null;
}
public static Logger getLogger(Class clazz) {
return null;
}
}


@@ -1,30 +0,0 @@
package org.slf4j;
import java.io.Serializable;
import java.util.Iterator;
public interface Marker extends Serializable {
String ANY_MARKER = "*";
String ANY_NON_NULL_MARKER = "+";
String getName();
void add(Marker var1);
boolean remove(Marker var1);
/** @deprecated */
boolean hasChildren();
boolean hasReferences();
Iterator iterator();
boolean contains(Marker var1);
boolean contains(String var1);
boolean equals(Object var1);
int hashCode();
}


@@ -1,202 +0,0 @@
package org.springframework.util;
import java.lang.reflect.Array;
import java.util.Arrays;
import java.util.Collection;
import java.util.Map;
import java.util.Optional;
import java.util.StringJoiner;
import org.springframework.lang.Nullable;
public abstract class ObjectUtils {
private static final int INITIAL_HASH = 7;
private static final int MULTIPLIER = 31;
private static final String EMPTY_STRING = "";
private static final String NULL_STRING = "null";
private static final String ARRAY_START = "{";
private static final String ARRAY_END = "}";
private static final String EMPTY_ARRAY = "{}";
private static final String ARRAY_ELEMENT_SEPARATOR = ", ";
private static final Object[] EMPTY_OBJECT_ARRAY = new Object[0];
public ObjectUtils() {
}
public static boolean isCheckedException(Throwable ex) {
return false;
}
public static boolean isCompatibleWithThrowsClause(Throwable ex, @Nullable Class<?>... declaredExceptions) {
return false;
}
public static boolean isArray(@Nullable Object obj) {
return false;
}
public static boolean isEmpty(@Nullable Object[] array) {
return false;
}
public static boolean isEmpty(@Nullable Object obj) {
return false;
}
@Nullable
public static Object unwrapOptional(@Nullable Object obj) {
return null;
}
public static boolean containsElement(@Nullable Object[] array, Object element) {
return true;
}
public static boolean containsConstant(Enum<?>[] enumValues, String constant) {
return true;
}
public static boolean containsConstant(Enum<?>[] enumValues, String constant, boolean caseSensitive) {
return true;
}
public static <E extends Enum<?>> E caseInsensitiveValueOf(E[] enumValues, String constant) {
return null;
}
public static <A, O extends A> A[] addObjectToArray(@Nullable A[] array, @Nullable O obj) {
return null;
}
public static Object[] toObjectArray(@Nullable Object source) {
return null;
}
public static boolean nullSafeEquals(@Nullable Object o1, @Nullable Object o2) {
return false;
}
private static boolean arrayEquals(Object o1, Object o2) {
return false;
}
public static int nullSafeHashCode(@Nullable Object obj) {
return 1;
}
public static int nullSafeHashCode(@Nullable Object[] array) {
return 1;
}
public static int nullSafeHashCode(@Nullable boolean[] array) {
return 1;
}
public static int nullSafeHashCode(@Nullable byte[] array) {
return 1;
}
public static int nullSafeHashCode(@Nullable char[] array) {
return 1;
}
public static int nullSafeHashCode(@Nullable double[] array) {
return 1;
}
public static int nullSafeHashCode(@Nullable float[] array) {
return 1;
}
public static int nullSafeHashCode(@Nullable int[] array) {
return 1;
}
public static int nullSafeHashCode(@Nullable long[] array) {
return 1;
}
public static int nullSafeHashCode(@Nullable short[] array) {
return 1;
}
/** @deprecated */
@Deprecated
public static int hashCode(boolean bool) {
return 1;
}
/** @deprecated */
@Deprecated
public static int hashCode(double dbl) {
return 1;
}
/** @deprecated */
@Deprecated
public static int hashCode(float flt) {
return 1;
}
/** @deprecated */
@Deprecated
public static int hashCode(long lng) {
return 1;
}
public static String identityToString(@Nullable Object obj) {
return "";
}
public static String getIdentityHexString(Object obj) {
return "";
}
public static String getDisplayString(@Nullable Object obj) {
return "";
}
public static String nullSafeClassName(@Nullable Object obj) {
return "";
}
public static String nullSafeToString(@Nullable Object obj) {
return "";
}
public static String nullSafeToString(@Nullable Object[] array) {
return "";
}
public static String nullSafeToString(@Nullable boolean[] array) {
return "";
}
public static String nullSafeToString(@Nullable byte[] array) {
return "";
}
public static String nullSafeToString(@Nullable char[] array) {
return "";
}
public static String nullSafeToString(@Nullable double[] array) {
return "";
}
public static String nullSafeToString(@Nullable float[] array) {
return "";
}
public static String nullSafeToString(@Nullable int[] array) {
return "";
}
public static String nullSafeToString(@Nullable long[] array) {
return "";
}
public static String nullSafeToString(@Nullable short[] array) {
return "";
}
}


@@ -1,30 +0,0 @@
package org.springframework.util;
import java.io.ByteArrayOutputStream;
import java.nio.charset.Charset;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Deque;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import java.util.StringJoiner;
import java.util.StringTokenizer;
import java.util.TimeZone;
import org.springframework.lang.Nullable;
public abstract class StringUtils {
@Deprecated
public static boolean isEmpty(@Nullable Object str) {
return true;
}
}