mirror of
https://github.com/github/codeql.git
synced 2026-04-28 10:15:14 +02:00
Merge branch 'main' into xslt-injection
This commit is contained in:
Grzegorz Golawski
@@ -0,0 +1,63 @@
|
||||
edges
|
||||
| MvelInjection.java:29:54:29:65 | read(...) : String | MvelInjection.java:30:28:30:37 | expression |
|
||||
| MvelInjection.java:34:58:34:69 | read(...) : String | MvelInjection.java:36:5:36:13 | statement |
|
||||
| MvelInjection.java:34:58:34:69 | read(...) : String | MvelInjection.java:37:5:37:13 | statement |
|
||||
| MvelInjection.java:41:58:41:69 | read(...) : String | MvelInjection.java:43:5:43:14 | expression |
|
||||
| MvelInjection.java:48:7:48:18 | read(...) : String | MvelInjection.java:49:5:49:14 | expression |
|
||||
| MvelInjection.java:53:20:53:31 | read(...) : String | MvelInjection.java:57:5:57:18 | compiledScript |
|
||||
| MvelInjection.java:53:20:53:31 | read(...) : String | MvelInjection.java:60:21:60:26 | script |
|
||||
| MvelInjection.java:65:58:65:69 | read(...) : String | MvelInjection.java:68:5:68:10 | script |
|
||||
| MvelInjection.java:77:40:77:51 | read(...) : String | MvelInjection.java:77:7:77:52 | compileTemplate(...) |
|
||||
| MvelInjection.java:81:54:81:65 | read(...) : String | MvelInjection.java:82:29:82:46 | compile(...) |
|
||||
| MvelInjection.java:86:58:86:69 | read(...) : String | MvelInjection.java:88:32:88:41 | expression |
|
||||
| MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:95:14:95:36 | new String(...) : String |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:25:15:25:26 | read(...) |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:29:54:29:65 | read(...) : String |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:34:58:34:69 | read(...) : String |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:41:58:41:69 | read(...) : String |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:48:7:48:18 | read(...) : String |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:53:20:53:31 | read(...) : String |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:65:58:65:69 | read(...) : String |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:72:26:72:37 | read(...) |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:77:40:77:51 | read(...) : String |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:81:54:81:65 | read(...) : String |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:86:58:86:69 | read(...) : String |
|
||||
nodes
|
||||
| MvelInjection.java:25:15:25:26 | read(...) | semmle.label | read(...) |
|
||||
| MvelInjection.java:29:54:29:65 | read(...) : String | semmle.label | read(...) : String |
|
||||
| MvelInjection.java:30:28:30:37 | expression | semmle.label | expression |
|
||||
| MvelInjection.java:34:58:34:69 | read(...) : String | semmle.label | read(...) : String |
|
||||
| MvelInjection.java:36:5:36:13 | statement | semmle.label | statement |
|
||||
| MvelInjection.java:37:5:37:13 | statement | semmle.label | statement |
|
||||
| MvelInjection.java:41:58:41:69 | read(...) : String | semmle.label | read(...) : String |
|
||||
| MvelInjection.java:43:5:43:14 | expression | semmle.label | expression |
|
||||
| MvelInjection.java:48:7:48:18 | read(...) : String | semmle.label | read(...) : String |
|
||||
| MvelInjection.java:49:5:49:14 | expression | semmle.label | expression |
|
||||
| MvelInjection.java:53:20:53:31 | read(...) : String | semmle.label | read(...) : String |
|
||||
| MvelInjection.java:57:5:57:18 | compiledScript | semmle.label | compiledScript |
|
||||
| MvelInjection.java:60:21:60:26 | script | semmle.label | script |
|
||||
| MvelInjection.java:65:58:65:69 | read(...) : String | semmle.label | read(...) : String |
|
||||
| MvelInjection.java:68:5:68:10 | script | semmle.label | script |
|
||||
| MvelInjection.java:72:26:72:37 | read(...) | semmle.label | read(...) |
|
||||
| MvelInjection.java:77:7:77:52 | compileTemplate(...) | semmle.label | compileTemplate(...) |
|
||||
| MvelInjection.java:77:40:77:51 | read(...) : String | semmle.label | read(...) : String |
|
||||
| MvelInjection.java:81:54:81:65 | read(...) : String | semmle.label | read(...) : String |
|
||||
| MvelInjection.java:82:29:82:46 | compile(...) | semmle.label | compile(...) |
|
||||
| MvelInjection.java:86:58:86:69 | read(...) : String | semmle.label | read(...) : String |
|
||||
| MvelInjection.java:88:32:88:41 | expression | semmle.label | expression |
|
||||
| MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | semmle.label | new String(...) : String |
|
||||
#select
|
||||
| MvelInjection.java:25:15:25:26 | read(...) | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:25:15:25:26 | read(...) | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:30:28:30:37 | expression | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:30:28:30:37 | expression | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:36:5:36:13 | statement | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:36:5:36:13 | statement | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:37:5:37:13 | statement | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:37:5:37:13 | statement | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:43:5:43:14 | expression | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:43:5:43:14 | expression | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:49:5:49:14 | expression | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:49:5:49:14 | expression | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:57:5:57:18 | compiledScript | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:57:5:57:18 | compiledScript | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:60:21:60:26 | script | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:60:21:60:26 | script | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:68:5:68:10 | script | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:68:5:68:10 | script | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:72:26:72:37 | read(...) | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:72:26:72:37 | read(...) | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:77:7:77:52 | compileTemplate(...) | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:77:7:77:52 | compileTemplate(...) | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:82:29:82:46 | compile(...) | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:82:29:82:46 | compile(...) | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:88:32:88:41 | expression | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:88:32:88:41 | expression | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
@@ -0,0 +1,98 @@
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.Serializable;
|
||||
import java.net.Socket;
|
||||
import java.util.HashMap;
|
||||
import javax.script.CompiledScript;
|
||||
import javax.script.SimpleScriptContext;
|
||||
import org.mvel2.MVEL;
|
||||
import org.mvel2.MVELRuntime;
|
||||
import org.mvel2.ParserContext;
|
||||
import org.mvel2.compiler.CompiledAccExpression;
|
||||
import org.mvel2.compiler.CompiledExpression;
|
||||
import org.mvel2.compiler.ExecutableStatement;
|
||||
import org.mvel2.compiler.ExpressionCompiler;
|
||||
import org.mvel2.integration.impl.ImmutableDefaultFactory;
|
||||
import org.mvel2.jsr223.MvelCompiledScript;
|
||||
import org.mvel2.jsr223.MvelScriptEngine;
|
||||
import org.mvel2.templates.CompiledTemplate;
|
||||
import org.mvel2.templates.TemplateCompiler;
|
||||
import org.mvel2.templates.TemplateRuntime;
|
||||
|
||||
public class MvelInjection {
|
||||
|
||||
public static void testWithMvelEval(Socket socket) throws IOException {
|
||||
MVEL.eval(read(socket));
|
||||
}
|
||||
|
||||
public static void testWithMvelCompileAndExecute(Socket socket) throws IOException {
|
||||
Serializable expression = MVEL.compileExpression(read(socket));
|
||||
MVEL.executeExpression(expression);
|
||||
}
|
||||
|
||||
public static void testWithExpressionCompiler(Socket socket) throws IOException {
|
||||
ExpressionCompiler compiler = new ExpressionCompiler(read(socket));
|
||||
ExecutableStatement statement = compiler.compile();
|
||||
statement.getValue(new Object(), new ImmutableDefaultFactory());
|
||||
statement.getValue(new Object(), new Object(), new ImmutableDefaultFactory());
|
||||
}
|
||||
|
||||
public static void testWithCompiledExpressionGetDirectValue(Socket socket) throws IOException {
|
||||
ExpressionCompiler compiler = new ExpressionCompiler(read(socket));
|
||||
CompiledExpression expression = compiler.compile();
|
||||
expression.getDirectValue(new Object(), new ImmutableDefaultFactory());
|
||||
}
|
||||
|
||||
public static void testCompiledAccExpressionGetValue(Socket socket) throws IOException {
|
||||
CompiledAccExpression expression = new CompiledAccExpression(
|
||||
read(socket).toCharArray(), Object.class, new ParserContext());
|
||||
expression.getValue(new Object(), new ImmutableDefaultFactory());
|
||||
}
|
||||
|
||||
public static void testMvelScriptEngineCompileAndEvaluate(Socket socket) throws Exception {
|
||||
String input = read(socket);
|
||||
|
||||
MvelScriptEngine engine = new MvelScriptEngine();
|
||||
CompiledScript compiledScript = engine.compile(input);
|
||||
compiledScript.eval();
|
||||
|
||||
Serializable script = engine.compiledScript(input);
|
||||
engine.evaluate(script, new SimpleScriptContext());
|
||||
}
|
||||
|
||||
public static void testMvelCompiledScriptCompileAndEvaluate(Socket socket) throws Exception {
|
||||
MvelScriptEngine engine = new MvelScriptEngine();
|
||||
ExpressionCompiler compiler = new ExpressionCompiler(read(socket));
|
||||
ExecutableStatement statement = compiler.compile();
|
||||
MvelCompiledScript script = new MvelCompiledScript(engine, statement);
|
||||
script.eval(new SimpleScriptContext());
|
||||
}
|
||||
|
||||
public static void testTemplateRuntimeEval(Socket socket) throws Exception {
|
||||
TemplateRuntime.eval(read(socket), new HashMap());
|
||||
}
|
||||
|
||||
public static void testTemplateRuntimeCompileTemplateAndExecute(Socket socket) throws Exception {
|
||||
TemplateRuntime.execute(
|
||||
TemplateCompiler.compileTemplate(read(socket)), new HashMap());
|
||||
}
|
||||
|
||||
public static void testTemplateRuntimeCompileAndExecute(Socket socket) throws Exception {
|
||||
TemplateCompiler compiler = new TemplateCompiler(read(socket));
|
||||
TemplateRuntime.execute(compiler.compile(), new HashMap());
|
||||
}
|
||||
|
||||
public static void testMvelRuntimeExecute(Socket socket) throws Exception {
|
||||
ExpressionCompiler compiler = new ExpressionCompiler(read(socket));
|
||||
CompiledExpression expression = compiler.compile();
|
||||
MVELRuntime.execute(false, expression, new Object(), new ImmutableDefaultFactory());
|
||||
}
|
||||
|
||||
public static String read(Socket socket) throws IOException {
|
||||
try (InputStream is = socket.getInputStream()) {
|
||||
byte[] bytes = new byte[1024];
|
||||
int n = is.read(bytes);
|
||||
return new String(bytes, 0, n);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-094/MvelInjection.ql
|
||||
@@ -0,0 +1,27 @@
|
||||
edges
|
||||
| SpelInjection.java:15:22:15:44 | getInputStream(...) : InputStream | SpelInjection.java:23:5:23:14 | expression |
|
||||
| SpelInjection.java:27:22:27:44 | getInputStream(...) : InputStream | SpelInjection.java:34:5:34:14 | expression |
|
||||
| SpelInjection.java:38:22:38:44 | getInputStream(...) : InputStream | SpelInjection.java:48:5:48:14 | expression |
|
||||
| SpelInjection.java:52:22:52:44 | getInputStream(...) : InputStream | SpelInjection.java:59:5:59:14 | expression |
|
||||
| SpelInjection.java:63:22:63:44 | getInputStream(...) : InputStream | SpelInjection.java:70:5:70:14 | expression |
|
||||
| SpelInjection.java:74:22:74:44 | getInputStream(...) : InputStream | SpelInjection.java:83:5:83:14 | expression |
|
||||
nodes
|
||||
| SpelInjection.java:15:22:15:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SpelInjection.java:23:5:23:14 | expression | semmle.label | expression |
|
||||
| SpelInjection.java:27:22:27:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SpelInjection.java:34:5:34:14 | expression | semmle.label | expression |
|
||||
| SpelInjection.java:38:22:38:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SpelInjection.java:48:5:48:14 | expression | semmle.label | expression |
|
||||
| SpelInjection.java:52:22:52:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SpelInjection.java:59:5:59:14 | expression | semmle.label | expression |
|
||||
| SpelInjection.java:63:22:63:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SpelInjection.java:70:5:70:14 | expression | semmle.label | expression |
|
||||
| SpelInjection.java:74:22:74:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| SpelInjection.java:83:5:83:14 | expression | semmle.label | expression |
|
||||
#select
|
||||
| SpelInjection.java:23:5:23:14 | expression | SpelInjection.java:15:22:15:44 | getInputStream(...) : InputStream | SpelInjection.java:23:5:23:14 | expression | SpEL injection from $@. | SpelInjection.java:15:22:15:44 | getInputStream(...) | this user input |
|
||||
| SpelInjection.java:34:5:34:14 | expression | SpelInjection.java:27:22:27:44 | getInputStream(...) : InputStream | SpelInjection.java:34:5:34:14 | expression | SpEL injection from $@. | SpelInjection.java:27:22:27:44 | getInputStream(...) | this user input |
|
||||
| SpelInjection.java:48:5:48:14 | expression | SpelInjection.java:38:22:38:44 | getInputStream(...) : InputStream | SpelInjection.java:48:5:48:14 | expression | SpEL injection from $@. | SpelInjection.java:38:22:38:44 | getInputStream(...) | this user input |
|
||||
| SpelInjection.java:59:5:59:14 | expression | SpelInjection.java:52:22:52:44 | getInputStream(...) : InputStream | SpelInjection.java:59:5:59:14 | expression | SpEL injection from $@. | SpelInjection.java:52:22:52:44 | getInputStream(...) | this user input |
|
||||
| SpelInjection.java:70:5:70:14 | expression | SpelInjection.java:63:22:63:44 | getInputStream(...) : InputStream | SpelInjection.java:70:5:70:14 | expression | SpEL injection from $@. | SpelInjection.java:63:22:63:44 | getInputStream(...) | this user input |
|
||||
| SpelInjection.java:83:5:83:14 | expression | SpelInjection.java:74:22:74:44 | getInputStream(...) : InputStream | SpelInjection.java:83:5:83:14 | expression | SpEL injection from $@. | SpelInjection.java:74:22:74:44 | getInputStream(...) | this user input |
|
||||
@@ -0,0 +1,100 @@
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.net.Socket;
|
||||
import org.springframework.expression.Expression;
|
||||
import org.springframework.expression.ExpressionParser;
|
||||
import org.springframework.expression.spel.standard.SpelExpressionParser;
|
||||
import org.springframework.expression.spel.support.SimpleEvaluationContext;
|
||||
import org.springframework.expression.spel.support.StandardEvaluationContext;
|
||||
|
||||
public class SpelInjection {
|
||||
|
||||
private static final ExpressionParser PARSER = new SpelExpressionParser();
|
||||
|
||||
public void testGetValue(Socket socket) throws IOException {
|
||||
InputStream in = socket.getInputStream();
|
||||
|
||||
byte[] bytes = new byte[1024];
|
||||
int n = in.read(bytes);
|
||||
String input = new String(bytes, 0, n);
|
||||
|
||||
ExpressionParser parser = new SpelExpressionParser();
|
||||
Expression expression = parser.parseExpression(input);
|
||||
expression.getValue();
|
||||
}
|
||||
|
||||
public void testGetValueWithChainedCalls(Socket socket) throws IOException {
|
||||
InputStream in = socket.getInputStream();
|
||||
|
||||
byte[] bytes = new byte[1024];
|
||||
int n = in.read(bytes);
|
||||
String input = new String(bytes, 0, n);
|
||||
|
||||
Expression expression = new SpelExpressionParser().parseExpression(input);
|
||||
expression.getValue();
|
||||
}
|
||||
|
||||
public void testSetValueWithRootObject(Socket socket) throws IOException {
|
||||
InputStream in = socket.getInputStream();
|
||||
|
||||
byte[] bytes = new byte[1024];
|
||||
int n = in.read(bytes);
|
||||
String input = new String(bytes, 0, n);
|
||||
|
||||
Expression expression = new SpelExpressionParser().parseExpression(input);
|
||||
|
||||
Object root = new Object();
|
||||
Object value = new Object();
|
||||
expression.setValue(root, value);
|
||||
}
|
||||
|
||||
public void testGetValueWithStaticParser(Socket socket) throws IOException {
|
||||
InputStream in = socket.getInputStream();
|
||||
|
||||
byte[] bytes = new byte[1024];
|
||||
int n = in.read(bytes);
|
||||
String input = new String(bytes, 0, n);
|
||||
|
||||
Expression expression = PARSER.parseExpression(input);
|
||||
expression.getValue();
|
||||
}
|
||||
|
||||
public void testGetValueType(Socket socket) throws IOException {
|
||||
InputStream in = socket.getInputStream();
|
||||
|
||||
byte[] bytes = new byte[1024];
|
||||
int n = in.read(bytes);
|
||||
String input = new String(bytes, 0, n);
|
||||
|
||||
Expression expression = PARSER.parseExpression(input);
|
||||
expression.getValueType();
|
||||
}
|
||||
|
||||
public void testWithStandardEvaluationContext(Socket socket) throws IOException {
|
||||
InputStream in = socket.getInputStream();
|
||||
|
||||
byte[] bytes = new byte[1024];
|
||||
int n = in.read(bytes);
|
||||
String input = new String(bytes, 0, n);
|
||||
|
||||
Expression expression = PARSER.parseExpression(input);
|
||||
|
||||
StandardEvaluationContext context = new StandardEvaluationContext();
|
||||
expression.getValue(context);
|
||||
}
|
||||
|
||||
public void testWithSimpleEvaluationContext(Socket socket) throws IOException {
|
||||
InputStream in = socket.getInputStream();
|
||||
|
||||
byte[] bytes = new byte[1024];
|
||||
int n = in.read(bytes);
|
||||
String input = new String(bytes, 0, n);
|
||||
|
||||
Expression expression = PARSER.parseExpression(input);
|
||||
SimpleEvaluationContext context = SimpleEvaluationContext.forReadWriteDataBinding().build();
|
||||
|
||||
// the expression is evaluated in a limited context
|
||||
expression.getValue(context);
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-094/SpelInjection.ql
|
||||
1
java/ql/test/experimental/Security/CWE/CWE-094/options
Normal file
1
java/ql/test/experimental/Security/CWE/CWE-094/options
Normal file
@@ -0,0 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api
|
||||
@@ -0,0 +1,17 @@
|
||||
edges
|
||||
| DisabledRevocationChecking.java:17:5:17:8 | this <.field> [post update] [flag] : Boolean | DisabledRevocationChecking.java:21:5:21:31 | this <.method> [post update] [flag] : Boolean |
|
||||
| DisabledRevocationChecking.java:17:12:17:16 | false : Boolean | DisabledRevocationChecking.java:17:5:17:8 | this <.field> [post update] [flag] : Boolean |
|
||||
| DisabledRevocationChecking.java:21:5:21:31 | this <.method> [post update] [flag] : Boolean | DisabledRevocationChecking.java:22:5:22:31 | this <.method> [flag] : Boolean |
|
||||
| DisabledRevocationChecking.java:22:5:22:31 | this <.method> [flag] : Boolean | DisabledRevocationChecking.java:25:15:25:22 | parameter this [flag] : Boolean |
|
||||
| DisabledRevocationChecking.java:25:15:25:22 | parameter this [flag] : Boolean | DisabledRevocationChecking.java:28:33:28:36 | this <.field> [flag] : Boolean |
|
||||
| DisabledRevocationChecking.java:28:33:28:36 | this <.field> [flag] : Boolean | DisabledRevocationChecking.java:28:33:28:36 | flag |
|
||||
nodes
|
||||
| DisabledRevocationChecking.java:17:5:17:8 | this <.field> [post update] [flag] : Boolean | semmle.label | this <.field> [post update] [flag] : Boolean |
|
||||
| DisabledRevocationChecking.java:17:12:17:16 | false : Boolean | semmle.label | false : Boolean |
|
||||
| DisabledRevocationChecking.java:21:5:21:31 | this <.method> [post update] [flag] : Boolean | semmle.label | this <.method> [post update] [flag] : Boolean |
|
||||
| DisabledRevocationChecking.java:22:5:22:31 | this <.method> [flag] : Boolean | semmle.label | this <.method> [flag] : Boolean |
|
||||
| DisabledRevocationChecking.java:25:15:25:22 | parameter this [flag] : Boolean | semmle.label | parameter this [flag] : Boolean |
|
||||
| DisabledRevocationChecking.java:28:33:28:36 | flag | semmle.label | flag |
|
||||
| DisabledRevocationChecking.java:28:33:28:36 | this <.field> [flag] : Boolean | semmle.label | this <.field> [flag] : Boolean |
|
||||
#select
|
||||
| DisabledRevocationChecking.java:17:12:17:16 | false | DisabledRevocationChecking.java:17:12:17:16 | false : Boolean | DisabledRevocationChecking.java:28:33:28:36 | flag | Revocation checking is disabled $@. | DisabledRevocationChecking.java:17:12:17:16 | false | here |
|
||||
@@ -0,0 +1,80 @@
|
||||
import java.security.KeyStore;
|
||||
import java.security.cert.CertPath;
|
||||
import java.security.cert.CertPathValidator;
|
||||
import java.security.cert.PKIXCertPathChecker;
|
||||
import java.security.cert.PKIXParameters;
|
||||
import java.security.cert.PKIXRevocationChecker;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
|
||||
public class DisabledRevocationChecking {
|
||||
|
||||
private boolean flag = true;
|
||||
|
||||
public void disableRevocationChecking() {
|
||||
flag = false;
|
||||
}
|
||||
|
||||
public void testDisabledRevocationChecking(KeyStore cacerts, CertPath certPath) throws Exception {
|
||||
disableRevocationChecking();
|
||||
validate(cacerts, certPath);
|
||||
}
|
||||
|
||||
public void validate(KeyStore cacerts, CertPath certPath) throws Exception {
|
||||
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
|
||||
PKIXParameters params = new PKIXParameters(cacerts);
|
||||
params.setRevocationEnabled(flag);
|
||||
validator.validate(certPath, params);
|
||||
}
|
||||
|
||||
public void testSettingRevocationCheckerWithCollectionsSingletonList(KeyStore cacerts, CertPath certPath) throws Exception {
|
||||
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
|
||||
PKIXParameters params = new PKIXParameters(cacerts);
|
||||
params.setRevocationEnabled(false);
|
||||
PKIXRevocationChecker checker = (PKIXRevocationChecker) validator.getRevocationChecker();
|
||||
params.setCertPathCheckers(Collections.singletonList(checker));
|
||||
validator.validate(certPath, params);
|
||||
}
|
||||
|
||||
public void testSettingRevocationCheckerWithArraysAsList(KeyStore cacerts, CertPath certPath) throws Exception {
|
||||
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
|
||||
PKIXParameters params = new PKIXParameters(cacerts);
|
||||
params.setRevocationEnabled(false);
|
||||
PKIXRevocationChecker checker = (PKIXRevocationChecker) validator.getRevocationChecker();
|
||||
params.setCertPathCheckers(Arrays.asList(checker));
|
||||
validator.validate(certPath, params);
|
||||
}
|
||||
|
||||
public void testSettingRevocationCheckerWithAddingToArrayList(KeyStore cacerts, CertPath certPath) throws Exception {
|
||||
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
|
||||
PKIXParameters params = new PKIXParameters(cacerts);
|
||||
params.setRevocationEnabled(false);
|
||||
PKIXRevocationChecker checker = (PKIXRevocationChecker) validator.getRevocationChecker();
|
||||
List<PKIXCertPathChecker> checkers = new ArrayList<>();
|
||||
checkers.add(checker);
|
||||
params.setCertPathCheckers(checkers);
|
||||
validator.validate(certPath, params);
|
||||
}
|
||||
|
||||
public void testSettingRevocationCheckerWithListOf(KeyStore cacerts, CertPath certPath) throws Exception {
|
||||
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
|
||||
PKIXParameters params = new PKIXParameters(cacerts);
|
||||
params.setRevocationEnabled(false);
|
||||
PKIXRevocationChecker checker = (PKIXRevocationChecker) validator.getRevocationChecker();
|
||||
List<PKIXCertPathChecker> checkers = List.of(checker);
|
||||
params.setCertPathCheckers(checkers);
|
||||
validator.validate(certPath, params);
|
||||
}
|
||||
|
||||
public void testAddingRevocationChecker(KeyStore cacerts, CertPath certPath) throws Exception {
|
||||
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
|
||||
PKIXParameters params = new PKIXParameters(cacerts);
|
||||
params.setRevocationEnabled(false);
|
||||
PKIXRevocationChecker checker = (PKIXRevocationChecker) validator.getRevocationChecker();
|
||||
params.addCertPathChecker(checker);
|
||||
validator.validate(certPath, params);
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-299/DisabledRevocationChecking.ql
|
||||
@@ -0,0 +1,150 @@
|
||||
edges
|
||||
| UnsafeTlsVersion.java:31:5:31:46 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:31:39:31:45 | "SSLv3" : String | UnsafeTlsVersion.java:31:5:31:46 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:32:5:32:44 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:32:39:32:43 | "TLS" : String | UnsafeTlsVersion.java:32:5:32:44 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:33:5:33:46 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:33:39:33:45 | "TLSv1" : String | UnsafeTlsVersion.java:33:5:33:46 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:34:5:34:48 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:34:39:34:47 | "TLSv1.1" : String | UnsafeTlsVersion.java:34:5:34:48 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:35:5:35:68 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:35:39:35:45 | "TLSv1" : String | UnsafeTlsVersion.java:35:5:35:68 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:35:48:35:56 | "TLSv1.1" : String | UnsafeTlsVersion.java:35:5:35:68 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] | UnsafeTlsVersion.java:44:44:44:52 | protocols |
|
||||
| UnsafeTlsVersion.java:50:53:50:59 | "SSLv3" : String | UnsafeTlsVersion.java:50:38:50:61 | new String[] |
|
||||
| UnsafeTlsVersion.java:51:53:51:57 | "TLS" : String | UnsafeTlsVersion.java:51:38:51:59 | new String[] |
|
||||
| UnsafeTlsVersion.java:52:53:52:59 | "TLSv1" : String | UnsafeTlsVersion.java:52:38:52:61 | new String[] |
|
||||
| UnsafeTlsVersion.java:53:53:53:61 | "TLSv1.1" : String | UnsafeTlsVersion.java:53:38:53:63 | new String[] |
|
||||
| UnsafeTlsVersion.java:56:44:56:52 | "TLSv1.1" : String | UnsafeTlsVersion.java:56:29:56:65 | new String[] |
|
||||
| UnsafeTlsVersion.java:68:5:68:28 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:68:21:68:27 | "SSLv3" : String | UnsafeTlsVersion.java:68:5:68:28 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:69:5:69:26 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:69:21:69:25 | "TLS" : String | UnsafeTlsVersion.java:69:5:69:26 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:70:5:70:28 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:70:21:70:27 | "TLSv1" : String | UnsafeTlsVersion.java:70:5:70:28 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:71:5:71:30 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:71:21:71:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:71:5:71:30 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:72:5:72:41 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:72:21:72:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:72:5:72:41 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] | UnsafeTlsVersion.java:81:32:81:40 | protocols |
|
||||
| UnsafeTlsVersion.java:88:5:88:34 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:88:27:88:33 | "SSLv3" : String | UnsafeTlsVersion.java:88:5:88:34 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:89:5:89:32 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:89:27:89:31 | "TLS" : String | UnsafeTlsVersion.java:89:5:89:32 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:90:5:90:34 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:90:27:90:33 | "TLSv1" : String | UnsafeTlsVersion.java:90:5:90:34 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:91:5:91:36 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:91:27:91:35 | "TLSv1.1" : String | UnsafeTlsVersion.java:91:5:91:36 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:92:5:92:47 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:92:27:92:35 | "TLSv1.1" : String | UnsafeTlsVersion.java:92:5:92:47 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] | UnsafeTlsVersion.java:101:32:101:40 | protocols |
|
||||
| UnsafeTlsVersion.java:108:5:108:28 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:108:21:108:27 | "SSLv3" : String | UnsafeTlsVersion.java:108:5:108:28 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:109:5:109:26 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:109:21:109:25 | "TLS" : String | UnsafeTlsVersion.java:109:5:109:26 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:110:5:110:28 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:110:21:110:27 | "TLSv1" : String | UnsafeTlsVersion.java:110:5:110:28 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:111:5:111:30 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:111:21:111:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:111:5:111:30 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:112:5:112:41 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:112:21:112:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:112:5:112:41 | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] | UnsafeTlsVersion.java:121:32:121:40 | protocols |
|
||||
nodes
|
||||
| UnsafeTlsVersion.java:16:28:16:32 | "SSL" | semmle.label | "SSL" |
|
||||
| UnsafeTlsVersion.java:17:28:17:34 | "SSLv2" | semmle.label | "SSLv2" |
|
||||
| UnsafeTlsVersion.java:18:28:18:34 | "SSLv3" | semmle.label | "SSLv3" |
|
||||
| UnsafeTlsVersion.java:19:28:19:32 | "TLS" | semmle.label | "TLS" |
|
||||
| UnsafeTlsVersion.java:20:28:20:34 | "TLSv1" | semmle.label | "TLSv1" |
|
||||
| UnsafeTlsVersion.java:21:28:21:36 | "TLSv1.1" | semmle.label | "TLSv1.1" |
|
||||
| UnsafeTlsVersion.java:31:5:31:46 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:31:39:31:45 | "SSLv3" : String | semmle.label | "SSLv3" : String |
|
||||
| UnsafeTlsVersion.java:32:5:32:44 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:32:39:32:43 | "TLS" : String | semmle.label | "TLS" : String |
|
||||
| UnsafeTlsVersion.java:33:5:33:46 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:33:39:33:45 | "TLSv1" : String | semmle.label | "TLSv1" : String |
|
||||
| UnsafeTlsVersion.java:34:5:34:48 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:34:39:34:47 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
|
||||
| UnsafeTlsVersion.java:35:5:35:68 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:35:39:35:45 | "TLSv1" : String | semmle.label | "TLSv1" : String |
|
||||
| UnsafeTlsVersion.java:35:48:35:56 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
|
||||
| UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] | semmle.label | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:44:44:44:52 | protocols | semmle.label | protocols |
|
||||
| UnsafeTlsVersion.java:50:38:50:61 | new String[] | semmle.label | new String[] |
|
||||
| UnsafeTlsVersion.java:50:53:50:59 | "SSLv3" : String | semmle.label | "SSLv3" : String |
|
||||
| UnsafeTlsVersion.java:51:38:51:59 | new String[] | semmle.label | new String[] |
|
||||
| UnsafeTlsVersion.java:51:53:51:57 | "TLS" : String | semmle.label | "TLS" : String |
|
||||
| UnsafeTlsVersion.java:52:38:52:61 | new String[] | semmle.label | new String[] |
|
||||
| UnsafeTlsVersion.java:52:53:52:59 | "TLSv1" : String | semmle.label | "TLSv1" : String |
|
||||
| UnsafeTlsVersion.java:53:38:53:63 | new String[] | semmle.label | new String[] |
|
||||
| UnsafeTlsVersion.java:53:53:53:61 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
|
||||
| UnsafeTlsVersion.java:56:29:56:65 | new String[] | semmle.label | new String[] |
|
||||
| UnsafeTlsVersion.java:56:44:56:52 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
|
||||
| UnsafeTlsVersion.java:68:5:68:28 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:68:21:68:27 | "SSLv3" : String | semmle.label | "SSLv3" : String |
|
||||
| UnsafeTlsVersion.java:69:5:69:26 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:69:21:69:25 | "TLS" : String | semmle.label | "TLS" : String |
|
||||
| UnsafeTlsVersion.java:70:5:70:28 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:70:21:70:27 | "TLSv1" : String | semmle.label | "TLSv1" : String |
|
||||
| UnsafeTlsVersion.java:71:5:71:30 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:71:21:71:29 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
|
||||
| UnsafeTlsVersion.java:72:5:72:41 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:72:21:72:29 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
|
||||
| UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] | semmle.label | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:81:32:81:40 | protocols | semmle.label | protocols |
|
||||
| UnsafeTlsVersion.java:88:5:88:34 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:88:27:88:33 | "SSLv3" : String | semmle.label | "SSLv3" : String |
|
||||
| UnsafeTlsVersion.java:89:5:89:32 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:89:27:89:31 | "TLS" : String | semmle.label | "TLS" : String |
|
||||
| UnsafeTlsVersion.java:90:5:90:34 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:90:27:90:33 | "TLSv1" : String | semmle.label | "TLSv1" : String |
|
||||
| UnsafeTlsVersion.java:91:5:91:36 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:91:27:91:35 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
|
||||
| UnsafeTlsVersion.java:92:5:92:47 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:92:27:92:35 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
|
||||
| UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] | semmle.label | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:101:32:101:40 | protocols | semmle.label | protocols |
|
||||
| UnsafeTlsVersion.java:108:5:108:28 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:108:21:108:27 | "SSLv3" : String | semmle.label | "SSLv3" : String |
|
||||
| UnsafeTlsVersion.java:109:5:109:26 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:109:21:109:25 | "TLS" : String | semmle.label | "TLS" : String |
|
||||
| UnsafeTlsVersion.java:110:5:110:28 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:110:21:110:27 | "TLSv1" : String | semmle.label | "TLSv1" : String |
|
||||
| UnsafeTlsVersion.java:111:5:111:30 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:111:21:111:29 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
|
||||
| UnsafeTlsVersion.java:112:5:112:41 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
|
||||
| UnsafeTlsVersion.java:112:21:112:29 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
|
||||
| UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] | semmle.label | protocols : String[] |
|
||||
| UnsafeTlsVersion.java:121:32:121:40 | protocols | semmle.label | protocols |
|
||||
#select
|
||||
| UnsafeTlsVersion.java:16:28:16:32 | "SSL" | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | $@ is unsafe | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | SSL |
|
||||
| UnsafeTlsVersion.java:17:28:17:34 | "SSLv2" | UnsafeTlsVersion.java:17:28:17:34 | "SSLv2" | UnsafeTlsVersion.java:17:28:17:34 | "SSLv2" | $@ is unsafe | UnsafeTlsVersion.java:17:28:17:34 | "SSLv2" | SSLv2 |
|
||||
| UnsafeTlsVersion.java:18:28:18:34 | "SSLv3" | UnsafeTlsVersion.java:18:28:18:34 | "SSLv3" | UnsafeTlsVersion.java:18:28:18:34 | "SSLv3" | $@ is unsafe | UnsafeTlsVersion.java:18:28:18:34 | "SSLv3" | SSLv3 |
|
||||
| UnsafeTlsVersion.java:19:28:19:32 | "TLS" | UnsafeTlsVersion.java:19:28:19:32 | "TLS" | UnsafeTlsVersion.java:19:28:19:32 | "TLS" | $@ is unsafe | UnsafeTlsVersion.java:19:28:19:32 | "TLS" | TLS |
|
||||
| UnsafeTlsVersion.java:20:28:20:34 | "TLSv1" | UnsafeTlsVersion.java:20:28:20:34 | "TLSv1" | UnsafeTlsVersion.java:20:28:20:34 | "TLSv1" | $@ is unsafe | UnsafeTlsVersion.java:20:28:20:34 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:21:28:21:36 | "TLSv1.1" | UnsafeTlsVersion.java:21:28:21:36 | "TLSv1.1" | UnsafeTlsVersion.java:21:28:21:36 | "TLSv1.1" | $@ is unsafe | UnsafeTlsVersion.java:21:28:21:36 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:44:44:44:52 | protocols | UnsafeTlsVersion.java:31:39:31:45 | "SSLv3" : String | UnsafeTlsVersion.java:44:44:44:52 | protocols | $@ is unsafe | UnsafeTlsVersion.java:31:39:31:45 | "SSLv3" | SSLv3 |
|
||||
| UnsafeTlsVersion.java:44:44:44:52 | protocols | UnsafeTlsVersion.java:32:39:32:43 | "TLS" : String | UnsafeTlsVersion.java:44:44:44:52 | protocols | $@ is unsafe | UnsafeTlsVersion.java:32:39:32:43 | "TLS" | TLS |
|
||||
| UnsafeTlsVersion.java:44:44:44:52 | protocols | UnsafeTlsVersion.java:33:39:33:45 | "TLSv1" : String | UnsafeTlsVersion.java:44:44:44:52 | protocols | $@ is unsafe | UnsafeTlsVersion.java:33:39:33:45 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:44:44:44:52 | protocols | UnsafeTlsVersion.java:34:39:34:47 | "TLSv1.1" : String | UnsafeTlsVersion.java:44:44:44:52 | protocols | $@ is unsafe | UnsafeTlsVersion.java:34:39:34:47 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:44:44:44:52 | protocols | UnsafeTlsVersion.java:35:39:35:45 | "TLSv1" : String | UnsafeTlsVersion.java:44:44:44:52 | protocols | $@ is unsafe | UnsafeTlsVersion.java:35:39:35:45 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:44:44:44:52 | protocols | UnsafeTlsVersion.java:35:48:35:56 | "TLSv1.1" : String | UnsafeTlsVersion.java:44:44:44:52 | protocols | $@ is unsafe | UnsafeTlsVersion.java:35:48:35:56 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:50:38:50:61 | new String[] | UnsafeTlsVersion.java:50:53:50:59 | "SSLv3" : String | UnsafeTlsVersion.java:50:38:50:61 | new String[] | $@ is unsafe | UnsafeTlsVersion.java:50:53:50:59 | "SSLv3" | SSLv3 |
|
||||
| UnsafeTlsVersion.java:51:38:51:59 | new String[] | UnsafeTlsVersion.java:51:53:51:57 | "TLS" : String | UnsafeTlsVersion.java:51:38:51:59 | new String[] | $@ is unsafe | UnsafeTlsVersion.java:51:53:51:57 | "TLS" | TLS |
|
||||
| UnsafeTlsVersion.java:52:38:52:61 | new String[] | UnsafeTlsVersion.java:52:53:52:59 | "TLSv1" : String | UnsafeTlsVersion.java:52:38:52:61 | new String[] | $@ is unsafe | UnsafeTlsVersion.java:52:53:52:59 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:53:38:53:63 | new String[] | UnsafeTlsVersion.java:53:53:53:61 | "TLSv1.1" : String | UnsafeTlsVersion.java:53:38:53:63 | new String[] | $@ is unsafe | UnsafeTlsVersion.java:53:53:53:61 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:56:29:56:65 | new String[] | UnsafeTlsVersion.java:56:44:56:52 | "TLSv1.1" : String | UnsafeTlsVersion.java:56:29:56:65 | new String[] | $@ is unsafe | UnsafeTlsVersion.java:56:44:56:52 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:81:32:81:40 | protocols | UnsafeTlsVersion.java:68:21:68:27 | "SSLv3" : String | UnsafeTlsVersion.java:81:32:81:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:68:21:68:27 | "SSLv3" | SSLv3 |
|
||||
| UnsafeTlsVersion.java:81:32:81:40 | protocols | UnsafeTlsVersion.java:69:21:69:25 | "TLS" : String | UnsafeTlsVersion.java:81:32:81:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:69:21:69:25 | "TLS" | TLS |
|
||||
| UnsafeTlsVersion.java:81:32:81:40 | protocols | UnsafeTlsVersion.java:70:21:70:27 | "TLSv1" : String | UnsafeTlsVersion.java:81:32:81:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:70:21:70:27 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:81:32:81:40 | protocols | UnsafeTlsVersion.java:71:21:71:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:81:32:81:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:71:21:71:29 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:81:32:81:40 | protocols | UnsafeTlsVersion.java:72:21:72:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:81:32:81:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:72:21:72:29 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:101:32:101:40 | protocols | UnsafeTlsVersion.java:88:27:88:33 | "SSLv3" : String | UnsafeTlsVersion.java:101:32:101:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:88:27:88:33 | "SSLv3" | SSLv3 |
|
||||
| UnsafeTlsVersion.java:101:32:101:40 | protocols | UnsafeTlsVersion.java:89:27:89:31 | "TLS" : String | UnsafeTlsVersion.java:101:32:101:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:89:27:89:31 | "TLS" | TLS |
|
||||
| UnsafeTlsVersion.java:101:32:101:40 | protocols | UnsafeTlsVersion.java:90:27:90:33 | "TLSv1" : String | UnsafeTlsVersion.java:101:32:101:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:90:27:90:33 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:101:32:101:40 | protocols | UnsafeTlsVersion.java:91:27:91:35 | "TLSv1.1" : String | UnsafeTlsVersion.java:101:32:101:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:91:27:91:35 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:101:32:101:40 | protocols | UnsafeTlsVersion.java:92:27:92:35 | "TLSv1.1" : String | UnsafeTlsVersion.java:101:32:101:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:92:27:92:35 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:121:32:121:40 | protocols | UnsafeTlsVersion.java:108:21:108:27 | "SSLv3" : String | UnsafeTlsVersion.java:121:32:121:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:108:21:108:27 | "SSLv3" | SSLv3 |
|
||||
| UnsafeTlsVersion.java:121:32:121:40 | protocols | UnsafeTlsVersion.java:109:21:109:25 | "TLS" : String | UnsafeTlsVersion.java:121:32:121:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:109:21:109:25 | "TLS" | TLS |
|
||||
| UnsafeTlsVersion.java:121:32:121:40 | protocols | UnsafeTlsVersion.java:110:21:110:27 | "TLSv1" : String | UnsafeTlsVersion.java:121:32:121:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:110:21:110:27 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:121:32:121:40 | protocols | UnsafeTlsVersion.java:111:21:111:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:121:32:121:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:111:21:111:29 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:121:32:121:40 | protocols | UnsafeTlsVersion.java:112:21:112:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:121:32:121:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:112:21:112:29 | "TLSv1.1" | TLSv1.1 |
|
||||
@@ -0,0 +1,124 @@
|
||||
import java.io.IOException;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import javax.net.ssl.SSLContext;
|
||||
import javax.net.ssl.SSLEngine;
|
||||
import javax.net.ssl.SSLParameters;
|
||||
import javax.net.ssl.SSLServerSocket;
|
||||
import javax.net.ssl.SSLServerSocketFactory;
|
||||
import javax.net.ssl.SSLSocket;
|
||||
import javax.net.ssl.SSLSocketFactory;
|
||||
|
||||
public class UnsafeTlsVersion {
|
||||
|
||||
public static void testSslContextWithProtocol() throws NoSuchAlgorithmException {
|
||||
|
||||
// unsafe
|
||||
SSLContext.getInstance("SSL");
|
||||
SSLContext.getInstance("SSLv2");
|
||||
SSLContext.getInstance("SSLv3");
|
||||
SSLContext.getInstance("TLS");
|
||||
SSLContext.getInstance("TLSv1");
|
||||
SSLContext.getInstance("TLSv1.1");
|
||||
|
||||
// safe
|
||||
SSLContext.getInstance("TLSv1.2");
|
||||
SSLContext.getInstance("TLSv1.3");
|
||||
}
|
||||
|
||||
public static void testCreateSslParametersWithProtocol(String[] cipherSuites) {
|
||||
|
||||
// unsafe
|
||||
createSslParameters(cipherSuites, "SSLv3");
|
||||
createSslParameters(cipherSuites, "TLS");
|
||||
createSslParameters(cipherSuites, "TLSv1");
|
||||
createSslParameters(cipherSuites, "TLSv1.1");
|
||||
createSslParameters(cipherSuites, "TLSv1", "TLSv1.1", "TLSv1.2");
|
||||
createSslParameters(cipherSuites, "TLSv1.2");
|
||||
|
||||
// safe
|
||||
createSslParameters(cipherSuites, "TLSv1.2");
|
||||
createSslParameters(cipherSuites, "TLSv1.3");
|
||||
}
|
||||
|
||||
public static SSLParameters createSslParameters(String[] cipherSuites, String... protocols) {
|
||||
return new SSLParameters(cipherSuites, protocols);
|
||||
}
|
||||
|
||||
public static void testSettingProtocolsForSslParameters() {
|
||||
|
||||
// unsafe
|
||||
new SSLParameters().setProtocols(new String[] { "SSLv3" });
|
||||
new SSLParameters().setProtocols(new String[] { "TLS" });
|
||||
new SSLParameters().setProtocols(new String[] { "TLSv1" });
|
||||
new SSLParameters().setProtocols(new String[] { "TLSv1.1" });
|
||||
|
||||
SSLParameters parameters = new SSLParameters();
|
||||
parameters.setProtocols(new String[] { "TLSv1.1", "TLSv1.2" });
|
||||
|
||||
// safe
|
||||
new SSLParameters().setProtocols(new String[] { "TLSv1.2" });
|
||||
|
||||
parameters = new SSLParameters();
|
||||
parameters.setProtocols(new String[] { "TLSv1.2", "TLSv1.3" });
|
||||
}
|
||||
|
||||
public static void testSettingProtocolForSslSocket() throws IOException {
|
||||
|
||||
// unsafe
|
||||
createSslSocket("SSLv3");
|
||||
createSslSocket("TLS");
|
||||
createSslSocket("TLSv1");
|
||||
createSslSocket("TLSv1.1");
|
||||
createSslSocket("TLSv1.1", "TLSv1.2");
|
||||
|
||||
// safe
|
||||
createSslSocket("TLSv1.2");
|
||||
createSslSocket("TLSv1.3");
|
||||
}
|
||||
|
||||
public static SSLSocket createSslSocket(String... protocols) throws IOException {
|
||||
SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket();
|
||||
socket.setEnabledProtocols(protocols);
|
||||
return socket;
|
||||
}
|
||||
|
||||
public static void testSettingProtocolForSslServerSocket() throws IOException {
|
||||
|
||||
// unsafe
|
||||
createSslServerSocket("SSLv3");
|
||||
createSslServerSocket("TLS");
|
||||
createSslServerSocket("TLSv1");
|
||||
createSslServerSocket("TLSv1.1");
|
||||
createSslServerSocket("TLSv1.1", "TLSv1.2");
|
||||
|
||||
// safe
|
||||
createSslServerSocket("TLSv1.2");
|
||||
createSslServerSocket("TLSv1.3");
|
||||
}
|
||||
|
||||
public static SSLServerSocket createSslServerSocket(String... protocols) throws IOException {
|
||||
SSLServerSocket socket = (SSLServerSocket) SSLServerSocketFactory.getDefault().createServerSocket();
|
||||
socket.setEnabledProtocols(protocols);
|
||||
return socket;
|
||||
}
|
||||
|
||||
public static void testSettingProtocolForSslEngine() throws NoSuchAlgorithmException {
|
||||
|
||||
// unsafe
|
||||
createSslEngine("SSLv3");
|
||||
createSslEngine("TLS");
|
||||
createSslEngine("TLSv1");
|
||||
createSslEngine("TLSv1.1");
|
||||
createSslEngine("TLSv1.1", "TLSv1.2");
|
||||
|
||||
// safe
|
||||
createSslEngine("TLSv1.2");
|
||||
createSslEngine("TLSv1.3");
|
||||
}
|
||||
|
||||
public static SSLEngine createSslEngine(String... protocols) throws NoSuchAlgorithmException {
|
||||
SSLEngine engine = SSLContext.getDefault().createSSLEngine();
|
||||
engine.setEnabledProtocols(protocols);
|
||||
return engine;
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-327/UnsafeTlsVersion.ql
|
||||
@@ -0,0 +1,7 @@
|
||||
| SpringBootActuators.java:6:88:6:120 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
|
||||
| SpringBootActuators.java:10:5:10:137 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
|
||||
| SpringBootActuators.java:14:5:14:149 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
|
||||
| SpringBootActuators.java:18:5:18:101 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
|
||||
| SpringBootActuators.java:22:5:22:89 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
|
||||
| SpringBootActuators.java:26:40:26:108 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
|
||||
| SpringBootActuators.java:30:5:30:113 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
|
||||
@@ -0,0 +1,104 @@
|
||||
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
|
||||
public class SpringBootActuators {
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest().permitAll());
|
||||
}
|
||||
|
||||
protected void configure2(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
|
||||
}
|
||||
|
||||
protected void configure3(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
|
||||
}
|
||||
|
||||
protected void configure4(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll();
|
||||
}
|
||||
|
||||
protected void configure5(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
|
||||
}
|
||||
|
||||
protected void configure6(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll());
|
||||
}
|
||||
|
||||
protected void configure7(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll();
|
||||
}
|
||||
|
||||
protected void configureOk1(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOk2(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers().requestMatchers(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOk3(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests().anyRequest().permitAll();
|
||||
}
|
||||
|
||||
protected void configureOk4(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests(authz -> authz.anyRequest().permitAll());
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints1(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.to("health", "info")).authorizeRequests(requests -> requests.anyRequest().permitAll());
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints2(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.to("health")).authorizeRequests().requestMatchers(EndpointRequest.to("health")).permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints3(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints4(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.to("health", "info")).authorizeRequests().anyRequest().permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints5(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints6(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.to("health", "info")).permitAll());
|
||||
}
|
||||
|
||||
protected void configureOkSafeEndpoints7(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeRequests().anyRequest().permitAll();
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll1(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest());
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll2(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll3(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll4(HttpSecurity http) throws Exception {
|
||||
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest();
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll5(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll6(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()));
|
||||
}
|
||||
|
||||
protected void configureOkNoPermitAll7(HttpSecurity http) throws Exception {
|
||||
http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest();
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-016/SpringBootActuators.ql
|
||||
@@ -0,0 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3
|
||||
@@ -0,0 +1,180 @@
|
||||
edges
|
||||
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:34:16:34:22 | nameStr |
|
||||
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:35:20:35:26 | nameStr |
|
||||
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:36:29:36:35 | nameStr |
|
||||
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:37:16:37:22 | nameStr |
|
||||
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:38:14:38:20 | nameStr |
|
||||
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:39:22:39:28 | nameStr |
|
||||
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:41:16:41:19 | name |
|
||||
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:42:20:42:23 | name |
|
||||
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:43:29:43:32 | name |
|
||||
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:44:16:44:19 | name |
|
||||
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:45:14:45:17 | name |
|
||||
| JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:46:22:46:25 | name |
|
||||
| JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:54:16:54:22 | nameStr |
|
||||
| JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:55:20:55:26 | nameStr |
|
||||
| JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:56:16:56:22 | nameStr |
|
||||
| JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:57:14:57:20 | nameStr |
|
||||
| JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:58:22:58:28 | nameStr |
|
||||
| JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:60:16:60:19 | name |
|
||||
| JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:61:20:61:23 | name |
|
||||
| JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:62:16:62:19 | name |
|
||||
| JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:63:14:63:17 | name |
|
||||
| JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:64:22:64:25 | name |
|
||||
| JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:72:16:72:22 | nameStr |
|
||||
| JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:73:20:73:26 | nameStr |
|
||||
| JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:74:16:74:22 | nameStr |
|
||||
| JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:75:14:75:20 | nameStr |
|
||||
| JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:76:22:76:28 | nameStr |
|
||||
| JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:78:16:78:19 | name |
|
||||
| JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:79:20:79:23 | name |
|
||||
| JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:80:16:80:19 | name |
|
||||
| JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:81:14:81:17 | name |
|
||||
| JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:82:22:82:25 | name |
|
||||
| JndiInjection.java:86:42:86:69 | nameStr : String | JndiInjection.java:89:16:89:22 | nameStr |
|
||||
| JndiInjection.java:86:42:86:69 | nameStr : String | JndiInjection.java:90:16:90:22 | nameStr |
|
||||
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:98:16:98:22 | nameStr |
|
||||
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:99:23:99:29 | nameStr |
|
||||
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:100:18:100:21 | name |
|
||||
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:101:16:101:19 | name |
|
||||
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:102:14:102:17 | name |
|
||||
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:103:22:103:25 | name |
|
||||
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:104:16:104:22 | nameStr |
|
||||
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:106:16:106:22 | nameStr |
|
||||
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:107:16:107:22 | nameStr |
|
||||
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:108:16:108:22 | nameStr |
|
||||
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:109:16:109:22 | nameStr |
|
||||
| JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:111:25:111:31 | nameStr |
|
||||
| JndiInjection.java:115:41:115:68 | nameStr : String | JndiInjection.java:118:16:118:22 | nameStr |
|
||||
| JndiInjection.java:115:41:115:68 | nameStr : String | JndiInjection.java:119:16:119:22 | nameStr |
|
||||
| JndiInjection.java:123:37:123:63 | urlStr : String | JndiInjection.java:124:33:124:57 | new JMXServiceURL(...) |
|
||||
| JndiInjection.java:123:37:123:63 | urlStr : String | JndiInjection.java:128:5:128:13 | connector |
|
||||
| JndiInjection.java:132:27:132:53 | urlStr : String | JndiInjection.java:135:35:135:40 | urlStr |
|
||||
| JndiInjection.java:140:27:140:53 | urlStr : String | JndiInjection.java:143:41:143:46 | urlStr |
|
||||
| JndiInjection.java:148:52:148:78 | urlStr : String | JndiInjection.java:151:37:151:42 | urlStr |
|
||||
| JndiInjection.java:156:52:156:78 | urlStr : String | JndiInjection.java:159:51:159:56 | urlStr |
|
||||
| JndiInjection.java:164:52:164:78 | urlStr : String | JndiInjection.java:167:51:167:56 | urlStr |
|
||||
nodes
|
||||
| JndiInjection.java:30:38:30:65 | nameStr : String | semmle.label | nameStr : String |
|
||||
| JndiInjection.java:34:16:34:22 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:35:20:35:26 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:36:29:36:35 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:37:16:37:22 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:38:14:38:20 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:39:22:39:28 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:41:16:41:19 | name | semmle.label | name |
|
||||
| JndiInjection.java:42:20:42:23 | name | semmle.label | name |
|
||||
| JndiInjection.java:43:29:43:32 | name | semmle.label | name |
|
||||
| JndiInjection.java:44:16:44:19 | name | semmle.label | name |
|
||||
| JndiInjection.java:45:14:45:17 | name | semmle.label | name |
|
||||
| JndiInjection.java:46:22:46:25 | name | semmle.label | name |
|
||||
| JndiInjection.java:50:41:50:68 | nameStr : String | semmle.label | nameStr : String |
|
||||
| JndiInjection.java:54:16:54:22 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:55:20:55:26 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:56:16:56:22 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:57:14:57:20 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:58:22:58:28 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:60:16:60:19 | name | semmle.label | name |
|
||||
| JndiInjection.java:61:20:61:23 | name | semmle.label | name |
|
||||
| JndiInjection.java:62:16:62:19 | name | semmle.label | name |
|
||||
| JndiInjection.java:63:14:63:17 | name | semmle.label | name |
|
||||
| JndiInjection.java:64:22:64:25 | name | semmle.label | name |
|
||||
| JndiInjection.java:68:42:68:69 | nameStr : String | semmle.label | nameStr : String |
|
||||
| JndiInjection.java:72:16:72:22 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:73:20:73:26 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:74:16:74:22 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:75:14:75:20 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:76:22:76:28 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:78:16:78:19 | name | semmle.label | name |
|
||||
| JndiInjection.java:79:20:79:23 | name | semmle.label | name |
|
||||
| JndiInjection.java:80:16:80:19 | name | semmle.label | name |
|
||||
| JndiInjection.java:81:14:81:17 | name | semmle.label | name |
|
||||
| JndiInjection.java:82:22:82:25 | name | semmle.label | name |
|
||||
| JndiInjection.java:86:42:86:69 | nameStr : String | semmle.label | nameStr : String |
|
||||
| JndiInjection.java:89:16:89:22 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:90:16:90:22 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:94:42:94:69 | nameStr : String | semmle.label | nameStr : String |
|
||||
| JndiInjection.java:98:16:98:22 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:99:23:99:29 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:100:18:100:21 | name | semmle.label | name |
|
||||
| JndiInjection.java:101:16:101:19 | name | semmle.label | name |
|
||||
| JndiInjection.java:102:14:102:17 | name | semmle.label | name |
|
||||
| JndiInjection.java:103:22:103:25 | name | semmle.label | name |
|
||||
| JndiInjection.java:104:16:104:22 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:106:16:106:22 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:107:16:107:22 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:108:16:108:22 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:109:16:109:22 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:111:25:111:31 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:115:41:115:68 | nameStr : String | semmle.label | nameStr : String |
|
||||
| JndiInjection.java:118:16:118:22 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:119:16:119:22 | nameStr | semmle.label | nameStr |
|
||||
| JndiInjection.java:123:37:123:63 | urlStr : String | semmle.label | urlStr : String |
|
||||
| JndiInjection.java:124:33:124:57 | new JMXServiceURL(...) | semmle.label | new JMXServiceURL(...) |
|
||||
| JndiInjection.java:128:5:128:13 | connector | semmle.label | connector |
|
||||
| JndiInjection.java:132:27:132:53 | urlStr : String | semmle.label | urlStr : String |
|
||||
| JndiInjection.java:135:35:135:40 | urlStr | semmle.label | urlStr |
|
||||
| JndiInjection.java:140:27:140:53 | urlStr : String | semmle.label | urlStr : String |
|
||||
| JndiInjection.java:143:41:143:46 | urlStr | semmle.label | urlStr |
|
||||
| JndiInjection.java:148:52:148:78 | urlStr : String | semmle.label | urlStr : String |
|
||||
| JndiInjection.java:151:37:151:42 | urlStr | semmle.label | urlStr |
|
||||
| JndiInjection.java:156:52:156:78 | urlStr : String | semmle.label | urlStr : String |
|
||||
| JndiInjection.java:159:51:159:56 | urlStr | semmle.label | urlStr |
|
||||
| JndiInjection.java:164:52:164:78 | urlStr : String | semmle.label | urlStr : String |
|
||||
| JndiInjection.java:167:51:167:56 | urlStr | semmle.label | urlStr |
|
||||
#select
|
||||
| JndiInjection.java:34:16:34:22 | nameStr | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:34:16:34:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
|
||||
| JndiInjection.java:35:20:35:26 | nameStr | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:35:20:35:26 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
|
||||
| JndiInjection.java:36:29:36:35 | nameStr | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:36:29:36:35 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
|
||||
| JndiInjection.java:37:16:37:22 | nameStr | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:37:16:37:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
|
||||
| JndiInjection.java:38:14:38:20 | nameStr | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:38:14:38:20 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
|
||||
| JndiInjection.java:39:22:39:28 | nameStr | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:39:22:39:28 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
|
||||
| JndiInjection.java:41:16:41:19 | name | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:41:16:41:19 | name | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
|
||||
| JndiInjection.java:42:20:42:23 | name | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:42:20:42:23 | name | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
|
||||
| JndiInjection.java:43:29:43:32 | name | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:43:29:43:32 | name | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
|
||||
| JndiInjection.java:44:16:44:19 | name | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:44:16:44:19 | name | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
|
||||
| JndiInjection.java:45:14:45:17 | name | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:45:14:45:17 | name | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
|
||||
| JndiInjection.java:46:22:46:25 | name | JndiInjection.java:30:38:30:65 | nameStr : String | JndiInjection.java:46:22:46:25 | name | JNDI lookup might include name from $@. | JndiInjection.java:30:38:30:65 | nameStr | this user input |
|
||||
| JndiInjection.java:54:16:54:22 | nameStr | JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:54:16:54:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:50:41:50:68 | nameStr | this user input |
|
||||
| JndiInjection.java:55:20:55:26 | nameStr | JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:55:20:55:26 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:50:41:50:68 | nameStr | this user input |
|
||||
| JndiInjection.java:56:16:56:22 | nameStr | JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:56:16:56:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:50:41:50:68 | nameStr | this user input |
|
||||
| JndiInjection.java:57:14:57:20 | nameStr | JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:57:14:57:20 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:50:41:50:68 | nameStr | this user input |
|
||||
| JndiInjection.java:58:22:58:28 | nameStr | JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:58:22:58:28 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:50:41:50:68 | nameStr | this user input |
|
||||
| JndiInjection.java:60:16:60:19 | name | JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:60:16:60:19 | name | JNDI lookup might include name from $@. | JndiInjection.java:50:41:50:68 | nameStr | this user input |
|
||||
| JndiInjection.java:61:20:61:23 | name | JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:61:20:61:23 | name | JNDI lookup might include name from $@. | JndiInjection.java:50:41:50:68 | nameStr | this user input |
|
||||
| JndiInjection.java:62:16:62:19 | name | JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:62:16:62:19 | name | JNDI lookup might include name from $@. | JndiInjection.java:50:41:50:68 | nameStr | this user input |
|
||||
| JndiInjection.java:63:14:63:17 | name | JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:63:14:63:17 | name | JNDI lookup might include name from $@. | JndiInjection.java:50:41:50:68 | nameStr | this user input |
|
||||
| JndiInjection.java:64:22:64:25 | name | JndiInjection.java:50:41:50:68 | nameStr : String | JndiInjection.java:64:22:64:25 | name | JNDI lookup might include name from $@. | JndiInjection.java:50:41:50:68 | nameStr | this user input |
|
||||
| JndiInjection.java:72:16:72:22 | nameStr | JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:72:16:72:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:68:42:68:69 | nameStr | this user input |
|
||||
| JndiInjection.java:73:20:73:26 | nameStr | JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:73:20:73:26 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:68:42:68:69 | nameStr | this user input |
|
||||
| JndiInjection.java:74:16:74:22 | nameStr | JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:74:16:74:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:68:42:68:69 | nameStr | this user input |
|
||||
| JndiInjection.java:75:14:75:20 | nameStr | JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:75:14:75:20 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:68:42:68:69 | nameStr | this user input |
|
||||
| JndiInjection.java:76:22:76:28 | nameStr | JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:76:22:76:28 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:68:42:68:69 | nameStr | this user input |
|
||||
| JndiInjection.java:78:16:78:19 | name | JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:78:16:78:19 | name | JNDI lookup might include name from $@. | JndiInjection.java:68:42:68:69 | nameStr | this user input |
|
||||
| JndiInjection.java:79:20:79:23 | name | JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:79:20:79:23 | name | JNDI lookup might include name from $@. | JndiInjection.java:68:42:68:69 | nameStr | this user input |
|
||||
| JndiInjection.java:80:16:80:19 | name | JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:80:16:80:19 | name | JNDI lookup might include name from $@. | JndiInjection.java:68:42:68:69 | nameStr | this user input |
|
||||
| JndiInjection.java:81:14:81:17 | name | JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:81:14:81:17 | name | JNDI lookup might include name from $@. | JndiInjection.java:68:42:68:69 | nameStr | this user input |
|
||||
| JndiInjection.java:82:22:82:25 | name | JndiInjection.java:68:42:68:69 | nameStr : String | JndiInjection.java:82:22:82:25 | name | JNDI lookup might include name from $@. | JndiInjection.java:68:42:68:69 | nameStr | this user input |
|
||||
| JndiInjection.java:89:16:89:22 | nameStr | JndiInjection.java:86:42:86:69 | nameStr : String | JndiInjection.java:89:16:89:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:86:42:86:69 | nameStr | this user input |
|
||||
| JndiInjection.java:90:16:90:22 | nameStr | JndiInjection.java:86:42:86:69 | nameStr : String | JndiInjection.java:90:16:90:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:86:42:86:69 | nameStr | this user input |
|
||||
| JndiInjection.java:98:16:98:22 | nameStr | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:98:16:98:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
|
||||
| JndiInjection.java:99:23:99:29 | nameStr | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:99:23:99:29 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
|
||||
| JndiInjection.java:100:18:100:21 | name | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:100:18:100:21 | name | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
|
||||
| JndiInjection.java:101:16:101:19 | name | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:101:16:101:19 | name | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
|
||||
| JndiInjection.java:102:14:102:17 | name | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:102:14:102:17 | name | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
|
||||
| JndiInjection.java:103:22:103:25 | name | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:103:22:103:25 | name | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
|
||||
| JndiInjection.java:104:16:104:22 | nameStr | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:104:16:104:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
|
||||
| JndiInjection.java:106:16:106:22 | nameStr | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:106:16:106:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
|
||||
| JndiInjection.java:107:16:107:22 | nameStr | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:107:16:107:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
|
||||
| JndiInjection.java:108:16:108:22 | nameStr | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:108:16:108:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
|
||||
| JndiInjection.java:109:16:109:22 | nameStr | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:109:16:109:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
|
||||
| JndiInjection.java:111:25:111:31 | nameStr | JndiInjection.java:94:42:94:69 | nameStr : String | JndiInjection.java:111:25:111:31 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:94:42:94:69 | nameStr | this user input |
|
||||
| JndiInjection.java:118:16:118:22 | nameStr | JndiInjection.java:115:41:115:68 | nameStr : String | JndiInjection.java:118:16:118:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:115:41:115:68 | nameStr | this user input |
|
||||
| JndiInjection.java:119:16:119:22 | nameStr | JndiInjection.java:115:41:115:68 | nameStr : String | JndiInjection.java:119:16:119:22 | nameStr | JNDI lookup might include name from $@. | JndiInjection.java:115:41:115:68 | nameStr | this user input |
|
||||
| JndiInjection.java:124:33:124:57 | new JMXServiceURL(...) | JndiInjection.java:123:37:123:63 | urlStr : String | JndiInjection.java:124:33:124:57 | new JMXServiceURL(...) | JNDI lookup might include name from $@. | JndiInjection.java:123:37:123:63 | urlStr | this user input |
|
||||
| JndiInjection.java:128:5:128:13 | connector | JndiInjection.java:123:37:123:63 | urlStr : String | JndiInjection.java:128:5:128:13 | connector | JNDI lookup might include name from $@. | JndiInjection.java:123:37:123:63 | urlStr | this user input |
|
||||
| JndiInjection.java:135:35:135:40 | urlStr | JndiInjection.java:132:27:132:53 | urlStr : String | JndiInjection.java:135:35:135:40 | urlStr | JNDI lookup might include name from $@. | JndiInjection.java:132:27:132:53 | urlStr | this user input |
|
||||
| JndiInjection.java:143:41:143:46 | urlStr | JndiInjection.java:140:27:140:53 | urlStr : String | JndiInjection.java:143:41:143:46 | urlStr | JNDI lookup might include name from $@. | JndiInjection.java:140:27:140:53 | urlStr | this user input |
|
||||
| JndiInjection.java:151:37:151:42 | urlStr | JndiInjection.java:148:52:148:78 | urlStr : String | JndiInjection.java:151:37:151:42 | urlStr | JNDI lookup might include name from $@. | JndiInjection.java:148:52:148:78 | urlStr | this user input |
|
||||
| JndiInjection.java:159:51:159:56 | urlStr | JndiInjection.java:156:52:156:78 | urlStr : String | JndiInjection.java:159:51:159:56 | urlStr | JNDI lookup might include name from $@. | JndiInjection.java:156:52:156:78 | urlStr | this user input |
|
||||
| JndiInjection.java:167:51:167:56 | urlStr | JndiInjection.java:164:52:164:78 | urlStr : String | JndiInjection.java:167:51:167:56 | urlStr | JNDI lookup might include name from $@. | JndiInjection.java:164:52:164:78 | urlStr | this user input |
|
||||
@@ -0,0 +1,209 @@
|
||||
import java.io.IOException;
|
||||
import java.util.Hashtable;
|
||||
import java.util.Properties;
|
||||
|
||||
import javax.management.remote.JMXConnector;
|
||||
import javax.management.remote.JMXConnectorFactory;
|
||||
import javax.management.remote.JMXServiceURL;
|
||||
import javax.naming.CompositeName;
|
||||
import javax.naming.CompoundName;
|
||||
import javax.naming.Context;
|
||||
import javax.naming.InitialContext;
|
||||
import javax.naming.Name;
|
||||
import javax.naming.NamingException;
|
||||
import javax.naming.directory.InitialDirContext;
|
||||
import javax.naming.directory.SearchControls;
|
||||
import javax.naming.ldap.InitialLdapContext;
|
||||
|
||||
import org.springframework.jndi.JndiTemplate;
|
||||
import org.springframework.ldap.core.AttributesMapper;
|
||||
import org.springframework.ldap.core.ContextMapper;
|
||||
import org.springframework.ldap.core.LdapTemplate;
|
||||
import org.springframework.ldap.core.NameClassPairCallbackHandler;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
|
||||
@Controller
|
||||
public class JndiInjection {
|
||||
@RequestMapping
|
||||
public void testInitialContextBad1(@RequestParam String nameStr) throws NamingException {
|
||||
Name name = new CompositeName(nameStr);
|
||||
InitialContext ctx = new InitialContext();
|
||||
|
||||
ctx.lookup(nameStr);
|
||||
ctx.lookupLink(nameStr);
|
||||
InitialContext.doLookup(nameStr);
|
||||
ctx.rename(nameStr, "");
|
||||
ctx.list(nameStr);
|
||||
ctx.listBindings(nameStr);
|
||||
|
||||
ctx.lookup(name);
|
||||
ctx.lookupLink(name);
|
||||
InitialContext.doLookup(name);
|
||||
ctx.rename(name, null);
|
||||
ctx.list(name);
|
||||
ctx.listBindings(name);
|
||||
}
|
||||
|
||||
@RequestMapping
|
||||
public void testInitialDirContextBad1(@RequestParam String nameStr) throws NamingException {
|
||||
Name name = new CompoundName(nameStr, new Properties());
|
||||
InitialDirContext ctx = new InitialDirContext();
|
||||
|
||||
ctx.lookup(nameStr);
|
||||
ctx.lookupLink(nameStr);
|
||||
ctx.rename(nameStr, "");
|
||||
ctx.list(nameStr);
|
||||
ctx.listBindings(nameStr);
|
||||
|
||||
ctx.lookup(name);
|
||||
ctx.lookupLink(name);
|
||||
ctx.rename(name, null);
|
||||
ctx.list(name);
|
||||
ctx.listBindings(name);
|
||||
}
|
||||
|
||||
@RequestMapping
|
||||
public void testInitialLdapContextBad1(@RequestParam String nameStr) throws NamingException {
|
||||
Name name = new CompositeName(nameStr);
|
||||
InitialLdapContext ctx = new InitialLdapContext();
|
||||
|
||||
ctx.lookup(nameStr);
|
||||
ctx.lookupLink(nameStr);
|
||||
ctx.rename(nameStr, "");
|
||||
ctx.list(nameStr);
|
||||
ctx.listBindings(nameStr);
|
||||
|
||||
ctx.lookup(name);
|
||||
ctx.lookupLink(name);
|
||||
ctx.rename(name, null);
|
||||
ctx.list(name);
|
||||
ctx.listBindings(name);
|
||||
}
|
||||
|
||||
@RequestMapping
|
||||
public void testSpringJndiTemplateBad1(@RequestParam String nameStr) throws NamingException {
|
||||
JndiTemplate ctx = new JndiTemplate();
|
||||
|
||||
ctx.lookup(nameStr);
|
||||
ctx.lookup(nameStr, null);
|
||||
}
|
||||
|
||||
@RequestMapping
|
||||
public void testSpringLdapTemplateBad1(@RequestParam String nameStr) throws NamingException {
|
||||
LdapTemplate ctx = new LdapTemplate();
|
||||
Name name = new CompositeName(nameStr);
|
||||
|
||||
ctx.lookup(nameStr);
|
||||
ctx.lookupContext(nameStr);
|
||||
ctx.findByDn(name, null);
|
||||
ctx.rename(name, null);
|
||||
ctx.list(name);
|
||||
ctx.listBindings(name);
|
||||
ctx.unbind(nameStr, true);
|
||||
|
||||
ctx.search(nameStr, "", 0, true, null);
|
||||
ctx.search(nameStr, "", 0, new String[] {}, (ContextMapper<Object>) new Object());
|
||||
ctx.search(nameStr, "", 0, (ContextMapper<Object>) new Object());
|
||||
ctx.search(nameStr, "", (ContextMapper) new Object());
|
||||
|
||||
ctx.searchForObject(nameStr, "", (ContextMapper) new Object());
|
||||
}
|
||||
|
||||
@RequestMapping
|
||||
public void testShiroJndiTemplateBad1(@RequestParam String nameStr) throws NamingException {
|
||||
org.apache.shiro.jndi.JndiTemplate ctx = new org.apache.shiro.jndi.JndiTemplate();
|
||||
|
||||
ctx.lookup(nameStr);
|
||||
ctx.lookup(nameStr, null);
|
||||
}
|
||||
|
||||
@RequestMapping
|
||||
public void testJMXServiceUrlBad1(@RequestParam String urlStr) throws IOException {
|
||||
JMXConnectorFactory.connect(new JMXServiceURL(urlStr));
|
||||
|
||||
JMXServiceURL url = new JMXServiceURL(urlStr);
|
||||
JMXConnector connector = JMXConnectorFactory.newJMXConnector(url, null);
|
||||
connector.connect();
|
||||
}
|
||||
|
||||
@RequestMapping
|
||||
public void testEnvBad1(@RequestParam String urlStr) throws NamingException {
|
||||
Hashtable<String, String> env = new Hashtable<String, String>();
|
||||
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
|
||||
env.put(Context.PROVIDER_URL, urlStr);
|
||||
new InitialContext(env);
|
||||
}
|
||||
|
||||
@RequestMapping
|
||||
public void testEnvBad2(@RequestParam String urlStr) throws NamingException {
|
||||
Hashtable<String, String> env = new Hashtable<String, String>();
|
||||
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
|
||||
env.put("java.naming.provider.url", urlStr);
|
||||
new InitialDirContext(env);
|
||||
}
|
||||
|
||||
@RequestMapping
|
||||
public void testSpringJndiTemplatePropertiesBad1(@RequestParam String urlStr) throws NamingException {
|
||||
Properties props = new Properties();
|
||||
props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
|
||||
props.put(Context.PROVIDER_URL, urlStr);
|
||||
new JndiTemplate(props);
|
||||
}
|
||||
|
||||
@RequestMapping
|
||||
public void testSpringJndiTemplatePropertiesBad2(@RequestParam String urlStr) throws NamingException {
|
||||
Properties props = new Properties();
|
||||
props.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
|
||||
props.setProperty("java.naming.provider.url", urlStr);
|
||||
new JndiTemplate(props);
|
||||
}
|
||||
|
||||
@RequestMapping
|
||||
public void testSpringJndiTemplatePropertiesBad3(@RequestParam String urlStr) throws NamingException {
|
||||
Properties props = new Properties();
|
||||
props.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
|
||||
props.setProperty("java.naming.provider.url", urlStr);
|
||||
JndiTemplate template = new JndiTemplate();
|
||||
template.setEnvironment(props);
|
||||
}
|
||||
|
||||
@RequestMapping
|
||||
public void testSpringLdapTemplateOk1(@RequestParam String nameStr) throws NamingException {
|
||||
LdapTemplate ctx = new LdapTemplate();
|
||||
|
||||
ctx.unbind(nameStr);
|
||||
ctx.unbind(nameStr, false);
|
||||
|
||||
ctx.search(nameStr, "", 0, false, null);
|
||||
ctx.search(nameStr, "", new SearchControls(), (NameClassPairCallbackHandler) new Object());
|
||||
ctx.search(nameStr, "", new SearchControls(), (NameClassPairCallbackHandler) new Object(), null);
|
||||
ctx.search(nameStr, "", (NameClassPairCallbackHandler) new Object());
|
||||
ctx.search(nameStr, "", 0, new String[] {}, (AttributesMapper<Object>) new Object());
|
||||
ctx.search(nameStr, "", 0, (AttributesMapper<Object>) new Object());
|
||||
ctx.search(nameStr, "", (AttributesMapper) new Object());
|
||||
ctx.search(nameStr, "", new SearchControls(), (ContextMapper) new Object());
|
||||
ctx.search(nameStr, "", new SearchControls(), (AttributesMapper) new Object());
|
||||
ctx.search(nameStr, "", new SearchControls(), (ContextMapper) new Object(), null);
|
||||
ctx.search(nameStr, "", new SearchControls(), (AttributesMapper) new Object(), null);
|
||||
|
||||
ctx.searchForObject(nameStr, "", new SearchControls(), (ContextMapper) new Object());
|
||||
}
|
||||
|
||||
@RequestMapping
|
||||
public void testEnvOk1(@RequestParam String urlStr) throws NamingException {
|
||||
Hashtable<String, String> env = new Hashtable<String, String>();
|
||||
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
|
||||
env.put(Context.SECURITY_PRINCIPAL, urlStr);
|
||||
new InitialContext(env);
|
||||
}
|
||||
|
||||
@RequestMapping
|
||||
public void testEnvOk2(@RequestParam String urlStr) throws NamingException {
|
||||
Hashtable<String, String> env = new Hashtable<String, String>();
|
||||
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
|
||||
env.put("java.naming.security.principal", urlStr);
|
||||
new InitialContext(env);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-074/JndiInjection.ql
|
||||
@@ -0,0 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/shiro-core-1.5.2:${testdir}/../../../../stubs/spring-ldap-2.3.2
|
||||
@@ -0,0 +1,7 @@
|
||||
| UnsafeCertTrustTest.java:27:4:27:74 | init(...) | Unsafe configuration of trusted certificates |
|
||||
| UnsafeCertTrustTest.java:42:4:42:38 | init(...) | Unsafe configuration of trusted certificates |
|
||||
| UnsafeCertTrustTest.java:55:3:60:4 | setDefaultHostnameVerifier(...) | Unsafe configuration of trusted certificates |
|
||||
| UnsafeCertTrustTest.java:73:3:73:57 | setDefaultHostnameVerifier(...) | Unsafe configuration of trusted certificates |
|
||||
| UnsafeCertTrustTest.java:124:25:124:52 | createSSLEngine(...) | Unsafe configuration of trusted certificates |
|
||||
| UnsafeCertTrustTest.java:135:25:135:52 | createSSLEngine(...) | Unsafe configuration of trusted certificates |
|
||||
| UnsafeCertTrustTest.java:144:34:144:83 | createSocket(...) | Unsafe configuration of trusted certificates |
|
||||
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-273/UnsafeCertTrust.ql
|
||||
@@ -0,0 +1,162 @@
|
||||
import javax.net.ssl.HostnameVerifier;
|
||||
import javax.net.ssl.HttpsURLConnection;
|
||||
import javax.net.ssl.SSLSession;
|
||||
import javax.net.ssl.SSLSocket;
|
||||
import javax.net.ssl.SSLContext;
|
||||
import javax.net.ssl.SSLEngine;
|
||||
import javax.net.ssl.SSLParameters;
|
||||
import javax.net.ssl.SSLSocketFactory;
|
||||
import javax.net.ssl.TrustManager;
|
||||
import javax.net.ssl.X509TrustManager;
|
||||
|
||||
import java.net.Socket;
|
||||
import javax.net.SocketFactory;
|
||||
import java.security.cert.CertificateException;
|
||||
import java.security.cert.X509Certificate;
|
||||
|
||||
//import com.rabbitmq.client.ConnectionFactory;
|
||||
|
||||
public class UnsafeCertTrustTest {
|
||||
|
||||
/**
|
||||
* Test the implementation of trusting all server certs as a variable
|
||||
*/
|
||||
public SSLSocketFactory testTrustAllCertManager() {
|
||||
try {
|
||||
final SSLContext context = SSLContext.getInstance("TLS");
|
||||
context.init(null, new TrustManager[] { TRUST_ALL_CERTIFICATES }, null);
|
||||
final SSLSocketFactory socketFactory = context.getSocketFactory();
|
||||
return socketFactory;
|
||||
} catch (final Exception x) {
|
||||
throw new RuntimeException(x);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Test the implementation of trusting all server certs as an anonymous class
|
||||
*/
|
||||
public SSLSocketFactory testTrustAllCertManagerOfVariable() {
|
||||
try {
|
||||
SSLContext context = SSLContext.getInstance("TLS");
|
||||
TrustManager[] serverTMs = new TrustManager[] { new X509TrustAllManager() };
|
||||
context.init(null, serverTMs, null);
|
||||
|
||||
final SSLSocketFactory socketFactory = context.getSocketFactory();
|
||||
return socketFactory;
|
||||
} catch (final Exception x) {
|
||||
throw new RuntimeException(x);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Test the implementation of trusting all hostnames as an anonymous class
|
||||
*/
|
||||
public void testTrustAllHostnameOfAnonymousClass() {
|
||||
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
|
||||
@Override
|
||||
public boolean verify(String hostname, SSLSession session) {
|
||||
return true; // Noncompliant
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Test the implementation of trusting all hostnames as a variable
|
||||
*/
|
||||
public void testTrustAllHostnameOfVariable() {
|
||||
HostnameVerifier verifier = new HostnameVerifier() {
|
||||
@Override
|
||||
public boolean verify(String hostname, SSLSession session) {
|
||||
return true; // Noncompliant
|
||||
}
|
||||
};
|
||||
HttpsURLConnection.setDefaultHostnameVerifier(verifier);
|
||||
}
|
||||
|
||||
private static final X509TrustManager TRUST_ALL_CERTIFICATES = new X509TrustManager() {
|
||||
@Override
|
||||
public void checkClientTrusted(final X509Certificate[] chain, final String authType)
|
||||
throws CertificateException {
|
||||
}
|
||||
|
||||
@Override
|
||||
public void checkServerTrusted(final X509Certificate[] chain, final String authType)
|
||||
throws CertificateException {
|
||||
// Noncompliant
|
||||
}
|
||||
|
||||
@Override
|
||||
public X509Certificate[] getAcceptedIssuers() {
|
||||
return null; // Noncompliant
|
||||
}
|
||||
};
|
||||
|
||||
private class X509TrustAllManager implements X509TrustManager {
|
||||
@Override
|
||||
public void checkClientTrusted(final X509Certificate[] chain, final String authType)
|
||||
throws CertificateException {
|
||||
}
|
||||
|
||||
@Override
|
||||
public void checkServerTrusted(final X509Certificate[] chain, final String authType)
|
||||
throws CertificateException {
|
||||
// Noncompliant
|
||||
}
|
||||
|
||||
@Override
|
||||
public X509Certificate[] getAcceptedIssuers() {
|
||||
return null; // Noncompliant
|
||||
}
|
||||
};
|
||||
|
||||
public static final HostnameVerifier ALLOW_ALL_HOSTNAME_VERIFIER = new HostnameVerifier() {
|
||||
@Override
|
||||
public boolean verify(String hostname, SSLSession session) {
|
||||
return true; // Noncompliant
|
||||
}
|
||||
};
|
||||
|
||||
/**
|
||||
* Test the endpoint identification of SSL engine is set to null
|
||||
*/
|
||||
public void testSSLEngineEndpointIdSetNull() {
|
||||
SSLContext sslContext = SSLContext.getInstance("TLS");
|
||||
SSLEngine sslEngine = sslContext.createSSLEngine();
|
||||
SSLParameters sslParameters = sslEngine.getSSLParameters();
|
||||
sslParameters.setEndpointIdentificationAlgorithm(null);
|
||||
sslEngine.setSSLParameters(sslParameters);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test the endpoint identification of SSL engine is not set
|
||||
*/
|
||||
public void testSSLEngineEndpointIdNotSet() {
|
||||
SSLContext sslContext = SSLContext.getInstance("TLS");
|
||||
SSLEngine sslEngine = sslContext.createSSLEngine();
|
||||
}
|
||||
|
||||
/**
|
||||
* Test the endpoint identification of SSL socket is not set
|
||||
*/
|
||||
public void testSSLSocketEndpointIdNotSet() {
|
||||
SSLContext sslContext = SSLContext.getInstance("TLS");
|
||||
final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
|
||||
SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test the endpoint identification of regular socket is not set
|
||||
*/
|
||||
public void testSocketEndpointIdNotSet() {
|
||||
SocketFactory socketFactory = SocketFactory.getDefault();
|
||||
Socket socket = socketFactory.createSocket("www.example.com", 80);
|
||||
}
|
||||
|
||||
// /**
|
||||
// * Test the enableHostnameVerification of RabbitMQConnectionFactory is not set
|
||||
// */
|
||||
// public void testEnableHostnameVerificationOfRabbitMQFactoryNotSet() {
|
||||
// ConnectionFactory connectionFactory = new ConnectionFactory();
|
||||
// connectionFactory.useSslProtocol();
|
||||
// }
|
||||
}
|
||||
@@ -0,0 +1,2 @@
|
||||
| InsecureJavaMail.java:29:27:29:72 | getInstance(...) | Java mailing has insecure SSL configuration |
|
||||
| InsecureJavaMail.java:37:3:37:29 | setSSLOnConnect(...) | Java mailing has insecure SSL configuration |
|
||||
@@ -0,0 +1,45 @@
|
||||
import java.util.Properties;
|
||||
|
||||
import javax.mail.Authenticator;
|
||||
import javax.mail.PasswordAuthentication;
|
||||
import javax.mail.Session;
|
||||
|
||||
import org.apache.commons.mail.DefaultAuthenticator;
|
||||
import org.apache.commons.mail.Email;
|
||||
import org.apache.commons.mail.SimpleEmail;
|
||||
|
||||
import java.util.Properties;
|
||||
|
||||
class InsecureJavaMail {
|
||||
public void testJavaMail() {
|
||||
final Properties properties = new Properties();
|
||||
properties.put("mail.transport.protocol", "protocol");
|
||||
properties.put("mail.smtp.host", "hostname");
|
||||
properties.put("mail.smtp.socketFactory.class", "classname");
|
||||
|
||||
final javax.mail.Authenticator authenticator = new javax.mail.Authenticator() {
|
||||
protected PasswordAuthentication getPasswordAuthentication() {
|
||||
return new PasswordAuthentication("username", "password");
|
||||
}
|
||||
};
|
||||
if (null != authenticator) {
|
||||
properties.put("mail.smtp.auth", "true");
|
||||
// properties.put("mail.smtp.ssl.checkserveridentity", "true");
|
||||
}
|
||||
final Session session = Session.getInstance(properties, authenticator);
|
||||
}
|
||||
|
||||
public void testSimpleMail() {
|
||||
Email email = new SimpleEmail();
|
||||
email.setHostName("config.hostName");
|
||||
email.setSmtpPort(25);
|
||||
email.setAuthenticator(new DefaultAuthenticator("config.username", "config.password"));
|
||||
email.setSSLOnConnect(true);
|
||||
// email.setSSLCheckServerIdentity(true);
|
||||
email.setFrom("fromAddress");
|
||||
email.setSubject("subject");
|
||||
email.setMsg("body");
|
||||
email.addTo("toAddress");
|
||||
email.send();
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-297/InsecureJavaMail.ql
|
||||
@@ -0,0 +1 @@
|
||||
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-commons-email-1.6.0:${testdir}/../../../../stubs/javamail-api-1.6.2
|
||||
@@ -0,0 +1,43 @@
|
||||
edges
|
||||
| InsecureBasicAuth.java:20:39:20:52 | ... + ... : String | InsecureBasicAuth.java:28:3:28:6 | post |
|
||||
| InsecureBasicAuth.java:35:19:35:64 | "http://www.example.com:8000/payment/retrieve" : String | InsecureBasicAuth.java:38:3:38:5 | get |
|
||||
| InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:54:3:54:6 | post |
|
||||
| InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:71:3:71:6 | post |
|
||||
| InsecureBasicAuth.java:78:47:78:52 | "http" : String | InsecureBasicAuth.java:86:3:86:6 | post |
|
||||
| InsecureBasicAuth.java:93:19:93:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:102:3:102:6 | post |
|
||||
| InsecureBasicAuth.java:109:19:109:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:119:3:119:6 | post |
|
||||
| InsecureBasicAuth.java:126:19:126:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:130:28:130:67 | (...)... : URLConnection |
|
||||
| InsecureBasicAuth.java:130:28:130:67 | (...)... : URLConnection | InsecureBasicAuth.java:133:3:133:6 | conn |
|
||||
| InsecureBasicAuth.java:145:21:145:28 | protocol : String | InsecureBasicAuth.java:146:28:146:67 | (...)... : URLConnection |
|
||||
| InsecureBasicAuth.java:146:28:146:67 | (...)... : URLConnection | InsecureBasicAuth.java:149:3:149:6 | conn |
|
||||
nodes
|
||||
| InsecureBasicAuth.java:20:39:20:52 | ... + ... : String | semmle.label | ... + ... : String |
|
||||
| InsecureBasicAuth.java:28:3:28:6 | post | semmle.label | post |
|
||||
| InsecureBasicAuth.java:35:19:35:64 | "http://www.example.com:8000/payment/retrieve" : String | semmle.label | "http://www.example.com:8000/payment/retrieve" : String |
|
||||
| InsecureBasicAuth.java:38:3:38:5 | get | semmle.label | get |
|
||||
| InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String |
|
||||
| InsecureBasicAuth.java:54:3:54:6 | post | semmle.label | post |
|
||||
| InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String |
|
||||
| InsecureBasicAuth.java:71:3:71:6 | post | semmle.label | post |
|
||||
| InsecureBasicAuth.java:78:47:78:52 | "http" : String | semmle.label | "http" : String |
|
||||
| InsecureBasicAuth.java:86:3:86:6 | post | semmle.label | post |
|
||||
| InsecureBasicAuth.java:93:19:93:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String |
|
||||
| InsecureBasicAuth.java:102:3:102:6 | post | semmle.label | post |
|
||||
| InsecureBasicAuth.java:109:19:109:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String |
|
||||
| InsecureBasicAuth.java:119:3:119:6 | post | semmle.label | post |
|
||||
| InsecureBasicAuth.java:126:19:126:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String |
|
||||
| InsecureBasicAuth.java:130:28:130:67 | (...)... : URLConnection | semmle.label | (...)... : URLConnection |
|
||||
| InsecureBasicAuth.java:133:3:133:6 | conn | semmle.label | conn |
|
||||
| InsecureBasicAuth.java:145:21:145:28 | protocol : String | semmle.label | protocol : String |
|
||||
| InsecureBasicAuth.java:146:28:146:67 | (...)... : URLConnection | semmle.label | (...)... : URLConnection |
|
||||
| InsecureBasicAuth.java:149:3:149:6 | conn | semmle.label | conn |
|
||||
#select
|
||||
| InsecureBasicAuth.java:28:3:28:6 | post | InsecureBasicAuth.java:20:39:20:52 | ... + ... : String | InsecureBasicAuth.java:28:3:28:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:20:39:20:52 | ... + ... | HTTP url |
|
||||
| InsecureBasicAuth.java:38:3:38:5 | get | InsecureBasicAuth.java:35:19:35:64 | "http://www.example.com:8000/payment/retrieve" : String | InsecureBasicAuth.java:38:3:38:5 | get | Insecure basic authentication from $@. | InsecureBasicAuth.java:35:19:35:64 | "http://www.example.com:8000/payment/retrieve" | HTTP url |
|
||||
| InsecureBasicAuth.java:54:3:54:6 | post | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:54:3:54:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP url |
|
||||
| InsecureBasicAuth.java:71:3:71:6 | post | InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:71:3:71:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP url |
|
||||
| InsecureBasicAuth.java:86:3:86:6 | post | InsecureBasicAuth.java:78:47:78:52 | "http" : String | InsecureBasicAuth.java:86:3:86:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:78:47:78:52 | "http" | HTTP url |
|
||||
| InsecureBasicAuth.java:102:3:102:6 | post | InsecureBasicAuth.java:93:19:93:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:102:3:102:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:93:19:93:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP url |
|
||||
| InsecureBasicAuth.java:119:3:119:6 | post | InsecureBasicAuth.java:109:19:109:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:119:3:119:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:109:19:109:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP url |
|
||||
| InsecureBasicAuth.java:133:3:133:6 | conn | InsecureBasicAuth.java:126:19:126:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:133:3:133:6 | conn | Insecure basic authentication from $@. | InsecureBasicAuth.java:126:19:126:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP url |
|
||||
| InsecureBasicAuth.java:149:3:149:6 | conn | InsecureBasicAuth.java:145:21:145:28 | protocol : String | InsecureBasicAuth.java:149:3:149:6 | conn | Insecure basic authentication from $@. | InsecureBasicAuth.java:145:21:145:28 | protocol | HTTP url |
|
||||
@@ -0,0 +1,164 @@
|
||||
import org.apache.http.RequestLine;
|
||||
import org.apache.http.client.methods.HttpRequestBase;
|
||||
import org.apache.http.client.methods.HttpGet;
|
||||
import org.apache.http.client.methods.HttpPost;
|
||||
import org.apache.http.message.BasicHttpRequest;
|
||||
import org.apache.http.message.BasicRequestLine;
|
||||
|
||||
import java.net.URI;
|
||||
import java.net.URL;
|
||||
import java.net.HttpURLConnection;
|
||||
import java.net.URLConnection;
|
||||
import java.util.Base64;
|
||||
|
||||
public class InsecureBasicAuth {
|
||||
/**
|
||||
* Test basic authentication with Apache HTTP POST request using string constructor.
|
||||
*/
|
||||
public void testApacheHttpRequest(String username, String password) {
|
||||
String host = "www.example.com";
|
||||
HttpRequestBase post = new HttpPost("http://"+host+"/rest/getuser.do?uid=abcdx");
|
||||
post.setHeader("Accept", "application/json");
|
||||
post.setHeader("Content-type", "application/json");
|
||||
|
||||
String authString = username + ":" + password;
|
||||
byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes());
|
||||
String authStringEnc = new String(authEncBytes);
|
||||
|
||||
post.addHeader("Authorization", "Basic " + authStringEnc);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test basic authentication with Apache HTTP GET request.
|
||||
*/
|
||||
public void testApacheHttpRequest2(String url) throws java.io.IOException {
|
||||
String urlStr = "http://www.example.com:8000/payment/retrieve";
|
||||
HttpGet get = new HttpGet(urlStr);
|
||||
get.setHeader("Accept", "application/json");
|
||||
get.setHeader("Authorization", "Basic " + new String(Base64.getEncoder().encode("admin:test".getBytes())));
|
||||
}
|
||||
|
||||
/**
|
||||
* Test basic authentication with Apache HTTP POST request using URI create method.
|
||||
*/
|
||||
public void testApacheHttpRequest3(String username, String password) {
|
||||
String uriStr = "http://www.example.com/rest/getuser.do?uid=abcdx";
|
||||
HttpRequestBase post = new HttpPost(URI.create(uriStr));
|
||||
post.setHeader("Accept", "application/json");
|
||||
post.setHeader("Content-type", "application/json");
|
||||
|
||||
String authString = username + ":" + password;
|
||||
byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes());
|
||||
String authStringEnc = new String(authEncBytes);
|
||||
|
||||
post.addHeader("Authorization", "Basic " + authStringEnc);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test basic authentication with Apache HTTP POST request using the URI constructor with one argument.
|
||||
*/
|
||||
public void testApacheHttpRequest4(String username, String password) {
|
||||
String uriStr = "http://www.example.com/rest/getuser.do?uid=abcdx";
|
||||
URI uri = new URI(uriStr);
|
||||
HttpRequestBase post = new HttpPost(uri);
|
||||
post.setHeader("Accept", "application/json");
|
||||
post.setHeader("Content-type", "application/json");
|
||||
|
||||
String authString = username + ":" + password;
|
||||
byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes());
|
||||
String authStringEnc = new String(authEncBytes);
|
||||
|
||||
post.addHeader("Authorization", "Basic " + authStringEnc);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test basic authentication with Apache HTTP POST request using a URI constructor with multiple arguments.
|
||||
*/
|
||||
public void testApacheHttpRequest5(String username, String password) {
|
||||
HttpRequestBase post = new HttpPost(new URI("http", "www.example.com", "/test", "abc=123", null));
|
||||
post.setHeader("Accept", "application/json");
|
||||
post.setHeader("Content-type", "application/json");
|
||||
|
||||
String authString = username + ":" + password;
|
||||
byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes());
|
||||
String authStringEnc = new String(authEncBytes);
|
||||
|
||||
post.addHeader("Authorization", "Basic " + authStringEnc);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test basic authentication with Apache HTTP `BasicHttpRequest` using string constructor.
|
||||
*/
|
||||
public void testApacheHttpRequest6(String username, String password) {
|
||||
String uriStr = "http://www.example.com/rest/getuser.do?uid=abcdx";
|
||||
BasicHttpRequest post = new BasicHttpRequest("POST", uriStr);
|
||||
post.setHeader("Accept", "application/json");
|
||||
post.setHeader("Content-type", "application/json");
|
||||
|
||||
String authString = username + ":" + password;
|
||||
byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes());
|
||||
String authStringEnc = new String(authEncBytes);
|
||||
|
||||
post.addHeader("Authorization", "Basic " + authStringEnc);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test basic authentication with Apache HTTP `BasicHttpRequest` using `RequestLine`.
|
||||
*/
|
||||
public void testApacheHttpRequest7(String username, String password) {
|
||||
String uriStr = "http://www.example.com/rest/getuser.do?uid=abcdx";
|
||||
RequestLine requestLine = new BasicRequestLine("POST", uriStr, null);
|
||||
BasicHttpRequest post = new BasicHttpRequest(requestLine);
|
||||
post.setHeader("Accept", "application/json");
|
||||
post.setHeader("Content-type", "application/json");
|
||||
|
||||
String authString = username + ":" + password;
|
||||
byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes());
|
||||
String authStringEnc = new String(authEncBytes);
|
||||
|
||||
post.addHeader("Authorization", "Basic " + authStringEnc);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test basic authentication with Java HTTP URL connection using the `URL(String spec)` constructor.
|
||||
*/
|
||||
public void testHttpUrlConnection(String username, String password) {
|
||||
String urlStr = "http://www.example.com/rest/getuser.do?uid=abcdx";
|
||||
String authString = username + ":" + password;
|
||||
String encoding = Base64.getEncoder().encodeToString(authString.getBytes("UTF-8"));
|
||||
URL url = new URL(urlStr);
|
||||
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
|
||||
conn.setRequestMethod("POST");
|
||||
conn.setDoOutput(true);
|
||||
conn.setRequestProperty("Authorization", "Basic " + encoding);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test basic authentication with Java HTTP URL connection using the `URL(String protocol, String host, String file)` constructor.
|
||||
*/
|
||||
public void testHttpUrlConnection2(String username, String password) {
|
||||
String host = "www.example.com";
|
||||
String path = "/rest/getuser.do?uid=abcdx";
|
||||
String protocol = "http";
|
||||
String authString = username + ":" + password;
|
||||
String encoding = Base64.getEncoder().encodeToString(authString.getBytes("UTF-8"));
|
||||
URL url = new URL(protocol, host, path);
|
||||
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
|
||||
conn.setRequestMethod("POST");
|
||||
conn.setDoOutput(true);
|
||||
conn.setRequestProperty("Authorization", "Basic " + encoding);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test basic authentication with Java HTTP URL connection using a constructor with private URL.
|
||||
*/
|
||||
public void testHttpUrlConnection3(String username, String password) {
|
||||
String host = "LOCALHOST";
|
||||
String authString = username + ":" + password;
|
||||
String encoding = Base64.getEncoder().encodeToString(authString.getBytes("UTF-8"));
|
||||
HttpURLConnection conn = (HttpURLConnection) new URL("http://"+(((host+"/rest/getuser.do")+"?uid=abcdx"))).openConnection();
|
||||
conn.setRequestMethod("POST");
|
||||
conn.setDoOutput(true);
|
||||
conn.setRequestProperty("Authorization", "Basic " + encoding);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql
|
||||
@@ -0,0 +1 @@
|
||||
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13
|
||||
@@ -0,0 +1 @@
|
||||
| insecure-web.xml:16:9:19:22 | init-param | Directory listing should be disabled to mitigate filename and path disclosure |
|
||||
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-548/InsecureDirectoryConfig.ql
|
||||
@@ -0,0 +1,29 @@
|
||||
<?xml version="1.0" encoding="UTF-8" ?>
|
||||
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
|
||||
http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd" version="4.0">
|
||||
|
||||
<!-- The default servlet for all web applications, that serves static -->
|
||||
<!-- resources. It processes all requests that are not mapped to other -->
|
||||
<!-- servlets with servlet mappings (defined either here or in your own -->
|
||||
<!-- web.xml file). -->
|
||||
<servlet>
|
||||
<servlet-name>default</servlet-name>
|
||||
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
|
||||
<init-param>
|
||||
<param-name>debug</param-name>
|
||||
<param-value>0</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>listings</param-name>
|
||||
<param-value>true</param-value>
|
||||
</init-param>
|
||||
<load-on-startup>1</load-on-startup>
|
||||
</servlet>
|
||||
|
||||
<!-- The mapping for the default servlet -->
|
||||
<servlet-mapping>
|
||||
<servlet-name>default</servlet-name>
|
||||
<url-pattern>/</url-pattern>
|
||||
</servlet-mapping>
|
||||
|
||||
</web-app>
|
||||
@@ -0,0 +1,48 @@
|
||||
edges
|
||||
| OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:17:19:17:22 | tree |
|
||||
| OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:18:19:18:22 | tree |
|
||||
| OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:20:17:20:27 | (...)... : Object |
|
||||
| OgnlInjection.java:20:17:20:27 | (...)... : Object | OgnlInjection.java:21:5:21:8 | node |
|
||||
| OgnlInjection.java:20:17:20:27 | (...)... : Object | OgnlInjection.java:22:5:22:8 | node |
|
||||
| OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:28:19:28:22 | tree |
|
||||
| OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:29:19:29:22 | tree |
|
||||
| OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:31:5:31:8 | tree |
|
||||
| OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:32:5:32:8 | tree |
|
||||
| OgnlInjection.java:36:40:36:64 | expr : String | OgnlInjection.java:37:19:37:22 | expr |
|
||||
| OgnlInjection.java:36:40:36:64 | expr : String | OgnlInjection.java:38:19:38:22 | expr |
|
||||
| OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:44:19:44:22 | expr |
|
||||
| OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:45:19:45:22 | expr |
|
||||
| OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:46:31:46:34 | expr |
|
||||
nodes
|
||||
| OgnlInjection.java:15:39:15:63 | expr : String | semmle.label | expr : String |
|
||||
| OgnlInjection.java:17:19:17:22 | tree | semmle.label | tree |
|
||||
| OgnlInjection.java:18:19:18:22 | tree | semmle.label | tree |
|
||||
| OgnlInjection.java:20:17:20:27 | (...)... : Object | semmle.label | (...)... : Object |
|
||||
| OgnlInjection.java:21:5:21:8 | node | semmle.label | node |
|
||||
| OgnlInjection.java:22:5:22:8 | node | semmle.label | node |
|
||||
| OgnlInjection.java:26:41:26:65 | expr : String | semmle.label | expr : String |
|
||||
| OgnlInjection.java:28:19:28:22 | tree | semmle.label | tree |
|
||||
| OgnlInjection.java:29:19:29:22 | tree | semmle.label | tree |
|
||||
| OgnlInjection.java:31:5:31:8 | tree | semmle.label | tree |
|
||||
| OgnlInjection.java:32:5:32:8 | tree | semmle.label | tree |
|
||||
| OgnlInjection.java:36:40:36:64 | expr : String | semmle.label | expr : String |
|
||||
| OgnlInjection.java:37:19:37:22 | expr | semmle.label | expr |
|
||||
| OgnlInjection.java:38:19:38:22 | expr | semmle.label | expr |
|
||||
| OgnlInjection.java:42:26:42:50 | expr : String | semmle.label | expr : String |
|
||||
| OgnlInjection.java:44:19:44:22 | expr | semmle.label | expr |
|
||||
| OgnlInjection.java:45:19:45:22 | expr | semmle.label | expr |
|
||||
| OgnlInjection.java:46:31:46:34 | expr | semmle.label | expr |
|
||||
#select
|
||||
| OgnlInjection.java:17:19:17:22 | tree | OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:17:19:17:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:15:39:15:63 | expr | this user input |
|
||||
| OgnlInjection.java:18:19:18:22 | tree | OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:18:19:18:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:15:39:15:63 | expr | this user input |
|
||||
| OgnlInjection.java:21:5:21:8 | node | OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:21:5:21:8 | node | OGNL expression might include input from $@. | OgnlInjection.java:15:39:15:63 | expr | this user input |
|
||||
| OgnlInjection.java:22:5:22:8 | node | OgnlInjection.java:15:39:15:63 | expr : String | OgnlInjection.java:22:5:22:8 | node | OGNL expression might include input from $@. | OgnlInjection.java:15:39:15:63 | expr | this user input |
|
||||
| OgnlInjection.java:28:19:28:22 | tree | OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:28:19:28:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:26:41:26:65 | expr | this user input |
|
||||
| OgnlInjection.java:29:19:29:22 | tree | OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:29:19:29:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:26:41:26:65 | expr | this user input |
|
||||
| OgnlInjection.java:31:5:31:8 | tree | OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:31:5:31:8 | tree | OGNL expression might include input from $@. | OgnlInjection.java:26:41:26:65 | expr | this user input |
|
||||
| OgnlInjection.java:32:5:32:8 | tree | OgnlInjection.java:26:41:26:65 | expr : String | OgnlInjection.java:32:5:32:8 | tree | OGNL expression might include input from $@. | OgnlInjection.java:26:41:26:65 | expr | this user input |
|
||||
| OgnlInjection.java:37:19:37:22 | expr | OgnlInjection.java:36:40:36:64 | expr : String | OgnlInjection.java:37:19:37:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:36:40:36:64 | expr | this user input |
|
||||
| OgnlInjection.java:38:19:38:22 | expr | OgnlInjection.java:36:40:36:64 | expr : String | OgnlInjection.java:38:19:38:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:36:40:36:64 | expr | this user input |
|
||||
| OgnlInjection.java:44:19:44:22 | expr | OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:44:19:44:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:42:26:42:50 | expr | this user input |
|
||||
| OgnlInjection.java:45:19:45:22 | expr | OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:45:19:45:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:42:26:42:50 | expr | this user input |
|
||||
| OgnlInjection.java:46:31:46:34 | expr | OgnlInjection.java:42:26:42:50 | expr : String | OgnlInjection.java:46:31:46:34 | expr | OGNL expression might include input from $@. | OgnlInjection.java:42:26:42:50 | expr | this user input |
|
||||
@@ -0,0 +1,48 @@
|
||||
import ognl.Node;
|
||||
import ognl.Ognl;
|
||||
|
||||
import java.util.HashMap;
|
||||
|
||||
import com.opensymphony.xwork2.ognl.OgnlUtil;
|
||||
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
|
||||
@Controller
|
||||
public class OgnlInjection {
|
||||
@RequestMapping
|
||||
public void testOgnlParseExpression(@RequestParam String expr) throws Exception {
|
||||
Object tree = Ognl.parseExpression(expr);
|
||||
Ognl.getValue(tree, new HashMap<>(), new Object());
|
||||
Ognl.setValue(tree, new HashMap<>(), new Object());
|
||||
|
||||
Node node = (Node) tree;
|
||||
node.getValue(null, new Object());
|
||||
node.setValue(null, new Object(), new Object());
|
||||
}
|
||||
|
||||
@RequestMapping
|
||||
public void testOgnlCompileExpression(@RequestParam String expr) throws Exception {
|
||||
Node tree = Ognl.compileExpression(null, new Object(), expr);
|
||||
Ognl.getValue(tree, new HashMap<>(), new Object());
|
||||
Ognl.setValue(tree, new HashMap<>(), new Object());
|
||||
|
||||
tree.getValue(null, new Object());
|
||||
tree.setValue(null, new Object(), new Object());
|
||||
}
|
||||
|
||||
@RequestMapping
|
||||
public void testOgnlDirectlyToGetSet(@RequestParam String expr) throws Exception {
|
||||
Ognl.getValue(expr, new Object());
|
||||
Ognl.setValue(expr, new Object(), new Object());
|
||||
}
|
||||
|
||||
@RequestMapping
|
||||
public void testStruts(@RequestParam String expr) throws Exception {
|
||||
OgnlUtil ognl = new OgnlUtil();
|
||||
ognl.getValue(expr, new HashMap<>(), new Object());
|
||||
ognl.setValue(expr, new HashMap<>(), new Object(), new Object());
|
||||
new OgnlUtil().callMethod(expr, new HashMap<>(), new Object());
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-917/OgnlInjection.ql
|
||||
@@ -0,0 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/ognl-3.2.14:${testdir}/../../../stubs/struts2-core-2.5.22
|
||||
@@ -0,0 +1,3 @@
|
||||
package ognl;
|
||||
|
||||
public interface JavaSource {}
|
||||
@@ -0,0 +1,6 @@
|
||||
package ognl;
|
||||
|
||||
public interface Node extends JavaSource {
|
||||
public Object getValue(OgnlContext context, Object source) throws OgnlException;
|
||||
public void setValue(OgnlContext context, Object target, Object value) throws OgnlException;
|
||||
}
|
||||
26
java/ql/test/experimental/stubs/ognl-3.2.14/ognl/Ognl.java
Normal file
26
java/ql/test/experimental/stubs/ognl-3.2.14/ognl/Ognl.java
Normal file
@@ -0,0 +1,26 @@
|
||||
package ognl;
|
||||
|
||||
import java.util.*;
|
||||
|
||||
public abstract class Ognl {
|
||||
public static Object parseExpression(String expression) throws OgnlException {
|
||||
return new Object();
|
||||
}
|
||||
|
||||
public static Object getValue(Object tree, Map context, Object root) throws OgnlException {
|
||||
return new Object();
|
||||
}
|
||||
|
||||
public static void setValue(Object tree, Object root, Object value) throws OgnlException {}
|
||||
|
||||
public static Node compileExpression(OgnlContext context, Object root, String expression)
|
||||
throws Exception {
|
||||
return null;
|
||||
}
|
||||
|
||||
public static Object getValue(String expression, Object root) throws OgnlException {
|
||||
return new Object();
|
||||
}
|
||||
|
||||
public static void setValue(String expression, Object root, Object value) throws OgnlException {}
|
||||
}
|
||||
@@ -0,0 +1,71 @@
|
||||
package ognl;
|
||||
|
||||
import java.util.*;
|
||||
|
||||
public class OgnlContext extends Object implements Map {
|
||||
@Override
|
||||
public int size() {
|
||||
return 0;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isEmpty() {
|
||||
return false;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean containsKey(Object key) {
|
||||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean containsValue(Object value) {
|
||||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Object get(Object key) {
|
||||
return new Object();
|
||||
}
|
||||
|
||||
@Override
|
||||
public Object put(Object key, Object value) {
|
||||
return new Object();
|
||||
}
|
||||
|
||||
@Override
|
||||
public Object remove(Object key) {
|
||||
return new Object();
|
||||
}
|
||||
|
||||
@Override
|
||||
public void putAll(Map t) { }
|
||||
|
||||
@Override
|
||||
public void clear() {}
|
||||
|
||||
@Override
|
||||
public Set keySet() {
|
||||
return new HashSet();
|
||||
}
|
||||
|
||||
@Override
|
||||
public Collection values() {
|
||||
return new HashSet();
|
||||
}
|
||||
|
||||
@Override
|
||||
public Set entrySet() {
|
||||
return new HashSet();
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean equals(Object o) {
|
||||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
public int hashCode() {
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
package ognl;
|
||||
|
||||
public class OgnlException extends Exception {}
|
||||
@@ -0,0 +1,13 @@
|
||||
package org.apache.shiro.jndi;
|
||||
|
||||
import javax.naming.NamingException;
|
||||
|
||||
public class JndiTemplate {
|
||||
public Object lookup(final String name) throws NamingException {
|
||||
return new Object();
|
||||
}
|
||||
|
||||
public Object lookup(String name, Class requiredType) throws NamingException {
|
||||
return new Object();
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,16 @@
|
||||
package com.opensymphony.xwork2.ognl;
|
||||
|
||||
import java.util.*;
|
||||
import ognl.OgnlException;
|
||||
|
||||
public class OgnlUtil {
|
||||
public Object getValue(final String name, final Map<String, Object> context, final Object root) throws OgnlException {
|
||||
return new Object();
|
||||
}
|
||||
|
||||
public void setValue(final String name, final Map<String, Object> context, final Object root, final Object value) throws OgnlException {}
|
||||
|
||||
public Object callMethod(final String name, final Map<String, Object> context, final Object root) throws OgnlException {
|
||||
return new Object();
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user