patch upper-case acronyms to be PascalCase

Erik Krogh Kristensen
2022-03-11 11:10:33 +01:00
parent e3a15792fa
commit 69353bb014
422 changed files with 3532 additions and 2244 deletions


@@ -1668,7 +1668,10 @@ class LValue extends VarAccess {
* (such as (`+=`), both the RHS and the LHS of the compound assignment
* are source expressions of the assignment.
*/
Expr getRHS() { exists(Assignment e | e.getDest() = this and e.getSource() = result) }
Expr getRhs() { exists(Assignment e | e.getDest() = this and e.getSource() = result) }
/** DEPRECATED: Alias for getRhs */
deprecated Expr getRHS() { result = getRhs() }
}
/**
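Review bot: The new deprecated alias `deprecated Expr getRHS() { result = getRhs() }` calls the member predicate without the `this.` qualifier, whereas every rewritten call site in this commit (for example `this.getCfgNode()` in the SSA files) uses the explicit form; `deprecated Expr getRHS() { result = this.getRhs() }` keeps the aliases uniform with the code around them. The same unqualified call appears in the `getCFGNode` aliases added in the SsaVariable and BaseSsaVariable sections of this commit. The enclosing `class LValue` starts outside the hunk.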


@@ -920,7 +920,7 @@ class SsaVariable extends TSsaVariable {
}
/** Gets the `ControlFlowNode` at which this SSA variable is defined. */
ControlFlowNode getCFGNode() {
ControlFlowNode getCfgNode() {
this = TSsaPhiNode(_, result) or
this = TSsaCertainUpdate(_, result, _, _) or
this = TSsaUncertainUpdate(_, result, _, _) or
@@ -928,14 +928,17 @@ class SsaVariable extends TSsaVariable {
this = TSsaUntracked(_, result)
}
/** DEPRECATED: Alias for getCfgNode */
deprecated ControlFlowNode getCFGNode() { result = getCfgNode() }
/** Gets a textual representation of this SSA variable. */
string toString() { none() }
/** Gets the source location for this element. */
Location getLocation() { result = this.getCFGNode().getLocation() }
Location getLocation() { result = this.getCfgNode().getLocation() }
/** Gets the `BasicBlock` in which this SSA variable is defined. */
BasicBlock getBasicBlock() { result = this.getCFGNode().getBasicBlock() }
BasicBlock getBasicBlock() { result = this.getCfgNode().getBasicBlock() }
/** Gets an access of this SSA variable. */
RValue getAUse() {
@@ -990,7 +993,7 @@ class SsaUpdate extends SsaVariable {
class SsaExplicitUpdate extends SsaUpdate, TSsaCertainUpdate {
SsaExplicitUpdate() {
exists(VariableUpdate upd |
upd = this.getCFGNode() and getDestVar(upd) = this.getSourceVariable()
upd = this.getCfgNode() and getDestVar(upd) = this.getSourceVariable()
)
}
@@ -998,7 +1001,7 @@ class SsaExplicitUpdate extends SsaUpdate, TSsaCertainUpdate {
/** Gets the `VariableUpdate` defining the SSA variable. */
VariableUpdate getDefiningExpr() {
result = this.getCFGNode() and getDestVar(result) = this.getSourceVariable()
result = this.getCfgNode() and getDestVar(result) = this.getSourceVariable()
}
}
@@ -1018,10 +1021,10 @@ class SsaImplicitUpdate extends SsaUpdate {
private string getKind() {
this = TSsaUntracked(_, _) and result = "untracked"
or
certainVariableUpdate(this.getSourceVariable().getQualifier(), this.getCFGNode(), _, _) and
certainVariableUpdate(this.getSourceVariable().getQualifier(), this.getCfgNode(), _, _) and
result = "explicit qualifier"
or
if uncertainVariableUpdate(this.getSourceVariable().getQualifier(), this.getCFGNode(), _, _)
if uncertainVariableUpdate(this.getSourceVariable().getQualifier(), this.getCfgNode(), _, _)
then
if exists(this.getANonLocalUpdate())
then result = "nonlocal + nonlocal qualifier"
@@ -1038,7 +1041,7 @@ class SsaImplicitUpdate extends SsaUpdate {
exists(SsaSourceField f, Callable setter |
f = this.getSourceVariable() and
relevantFieldUpdate(setter, f.getField(), result) and
updatesNamedField(this.getCFGNode(), f, setter)
updatesNamedField(this.getCfgNode(), f, setter)
)
}
@@ -1051,8 +1054,8 @@ class SsaImplicitUpdate extends SsaUpdate {
*/
predicate assignsUnknownValue() {
this = TSsaUntracked(_, _) or
certainVariableUpdate(this.getSourceVariable().getQualifier(), this.getCFGNode(), _, _) or
uncertainVariableUpdate(this.getSourceVariable().getQualifier(), this.getCFGNode(), _, _)
certainVariableUpdate(this.getSourceVariable().getQualifier(), this.getCfgNode(), _, _) or
uncertainVariableUpdate(this.getSourceVariable().getQualifier(), this.getCfgNode(), _, _)
}
}
@@ -1086,7 +1089,7 @@ class SsaImplicitInit extends SsaVariable, TSsaEntryDef {
*/
predicate isParameterDefinition(Parameter p) {
this.getSourceVariable() = TLocalVar(p.getCallable(), p) and
p.getCallable().getBody() = this.getCFGNode()
p.getCallable().getBody() = this.getCfgNode()
}
}
@@ -1098,7 +1101,7 @@ class SsaPhiNode extends SsaVariable, TSsaPhiNode {
SsaVariable getAPhiInput() {
exists(BasicBlock phiPred, TrackedVar v |
v = this.getSourceVariable() and
this.getCFGNode().(BasicBlock).getABBPredecessor() = phiPred and
this.getCfgNode().(BasicBlock).getABBPredecessor() = phiPred and
ssaDefReachesEndOfBlock(v, result, phiPred)
)
}


@@ -476,18 +476,21 @@ class BaseSsaVariable extends TBaseSsaVariable {
}
/** Gets the `ControlFlowNode` at which this SSA variable is defined. */
ControlFlowNode getCFGNode() {
ControlFlowNode getCfgNode() {
this = TSsaPhiNode(_, result) or
this = TSsaUpdate(_, result, _, _) or
this = TSsaEntryDef(_, result)
}
/** DEPRECATED: Alias for getCfgNode */
deprecated ControlFlowNode getCFGNode() { result = getCfgNode() }
string toString() { none() }
Location getLocation() { result = this.getCFGNode().getLocation() }
Location getLocation() { result = this.getCfgNode().getLocation() }
/** Gets the `BasicBlock` in which this SSA variable is defined. */
BasicBlock getBasicBlock() { result = this.getCFGNode().getBasicBlock() }
BasicBlock getBasicBlock() { result = this.getCfgNode().getBasicBlock() }
/** Gets an access of this SSA variable. */
RValue getAUse() { ssaDefReachesUse(_, this, result) }
@@ -533,7 +536,7 @@ class BaseSsaVariable extends TBaseSsaVariable {
class BaseSsaUpdate extends BaseSsaVariable, TSsaUpdate {
BaseSsaUpdate() {
exists(VariableUpdate upd |
upd = this.getCFGNode() and getDestVar(upd) = this.getSourceVariable()
upd = this.getCfgNode() and getDestVar(upd) = this.getSourceVariable()
)
}
@@ -541,7 +544,7 @@ class BaseSsaUpdate extends BaseSsaVariable, TSsaUpdate {
/** Gets the `VariableUpdate` defining the SSA variable. */
VariableUpdate getDefiningExpr() {
result = this.getCFGNode() and getDestVar(result) = this.getSourceVariable()
result = this.getCfgNode() and getDestVar(result) = this.getSourceVariable()
}
}
@@ -562,7 +565,7 @@ class BaseSsaImplicitInit extends BaseSsaVariable, TSsaEntryDef {
*/
predicate isParameterDefinition(Parameter p) {
this.getSourceVariable() = TLocalVar(p.getCallable(), p) and
p.getCallable().getBody() = this.getCFGNode()
p.getCallable().getBody() = this.getCfgNode()
}
}
@@ -574,7 +577,7 @@ class BaseSsaPhiNode extends BaseSsaVariable, TSsaPhiNode {
BaseSsaVariable getAPhiInput() {
exists(BasicBlock phiPred, BaseSsaSourceVariable v |
v = this.getSourceVariable() and
this.getCFGNode().(BasicBlock).getABBPredecessor() = phiPred and
this.getCfgNode().(BasicBlock).getABBPredecessor() = phiPred and
ssaDefReachesEndOfBlock(v, result, phiPred)
)
}


@@ -196,7 +196,7 @@ predicate interpretInputSpecific(string c, InterpretNode mid, InterpretNode n) {
exists(FieldWrite fw |
c = "" and
fw.getField() = mid.asElement() and
n.asNode().asExpr() = fw.getRHS()
n.asNode().asExpr() = fw.getRhs()
)
}


@@ -427,8 +427,8 @@ class PersistenceCallbackMethod extends CallableEntryPoint {
* A source class which is referred to by fully qualified name in the value of an arbitrary XML
* attribute which has a name containing "className" or "ClassName".
*/
class ArbitraryXMLEntryPoint extends ReflectivelyConstructedClass {
ArbitraryXMLEntryPoint() {
class ArbitraryXmlEntryPoint extends ReflectivelyConstructedClass {
ArbitraryXmlEntryPoint() {
this.fromSource() and
exists(XMLAttribute attribute |
attribute.getName() = "className" or
@@ -446,6 +446,9 @@ class ArbitraryXMLEntryPoint extends ReflectivelyConstructedClass {
}
}
/** DEPRECATED: Alias for ArbitraryXmlEntryPoint */
deprecated class ArbitraryXMLEntryPoint = ArbitraryXmlEntryPoint;
/** A Selenium PageObject, created by a call to PageFactory.initElements(..). */
class SeleniumPageObjectEntryPoint extends ReflectivelyConstructedClass {
SeleniumPageObjectEntryPoint() { this instanceof SeleniumPageObject }


@@ -13,7 +13,7 @@ class SpringInjectionCallableEntryPoint extends CallableEntryPoint {
this instanceof SpringBeanReflectivelyConstructed or
// A setter method specified in the context.
this instanceof SpringBeanPropertySetterMethod or
exists(this.(SpringBeanXMLAutowiredSetterMethod).getInjectedBean()) or
exists(this.(SpringBeanXmlAutowiredSetterMethod).getInjectedBean()) or
this instanceof SpringBeanAutowiredCallable
}
}


@@ -14,7 +14,7 @@ class ServletConstructedClass extends ReflectivelyConstructedClass {
// referred to as a servlet-class in at least one. If no `web.xml` files are found, we assume
// that XML extraction was not enabled, and therefore consider all `Servlet` classes as live.
(
isWebXMLIncluded()
isWebXmlIncluded()
implies
exists(WebServletClass servletClass | this = servletClass.getClass())
)
@@ -29,12 +29,12 @@ class ServletConstructedClass extends ReflectivelyConstructedClass {
*/
class ServletListenerClass extends ReflectivelyConstructedClass {
ServletListenerClass() {
this.getAnAncestor() instanceof ServletWebXMLListenerType and
this.getAnAncestor() instanceof ServletWebXmlListenerType and
// If we have seen any `web.xml` files, this listener will be considered to be live only if it is
// referred to as a listener-class in at least one. If no `web.xml` files are found, we assume
// that XML extraction was not enabled, and therefore consider all listener classes as live.
(
isWebXMLIncluded()
isWebXmlIncluded()
implies
exists(WebListenerClass listenerClass | this = listenerClass.getClass())
)
@@ -51,7 +51,7 @@ class ServletFilterClass extends ReflectivelyConstructedClass {
// If we have seen any `web.xml` files, this filter will be considered to be live only if it is
// referred to as a filter-class in at least one. If no `web.xml` files are found, we assume
// that XML extraction was not enabled, and therefore consider all filter classes as live.
(isWebXMLIncluded() implies exists(WebFilterClass filterClass | this = filterClass.getClass()))
(isWebXmlIncluded() implies exists(WebFilterClass filterClass | this = filterClass.getClass()))
}
}


@@ -12,7 +12,7 @@ import semmle.code.java.frameworks.camel.CamelJavaAnnotations
*/
class CamelToURI extends string {
CamelToURI() {
exists(SpringCamelXMLToElement toXMLElement | this = toXMLElement.getURI()) or
exists(SpringCamelXmlToElement toXmlElement | this = toXmlElement.getURI()) or
exists(CamelJavaDSLToDecl toJavaDSL | this = toJavaDSL.getURI())
}
}
@@ -56,17 +56,17 @@ class CamelToBeanURI extends CamelToURI {
*/
class CamelTargetClass extends Class {
CamelTargetClass() {
exists(SpringCamelXMLBeanRef camelXMLBeanRef |
exists(SpringCamelXmlBeanRef camelXmlBeanRef |
// A target may be defined by referencing an existing Spring Bean.
this = camelXMLBeanRef.getRefBean().getClass()
this = camelXmlBeanRef.getRefBean().getClass()
or
// A target may be defined by referencing a class, which Apache Camel will create into a bean.
this = camelXMLBeanRef.getBeanType()
this = camelXmlBeanRef.getBeanType()
)
or
exists(CamelToBeanURI toBeanURI | this = toBeanURI.getRefBean().getClass())
or
exists(SpringCamelXMLMethodElement xmlMethod |
exists(SpringCamelXmlMethodElement xmlMethod |
this = xmlMethod.getRefBean().getClass() or
this = xmlMethod.getBeanType()
)


@@ -4,7 +4,7 @@
import semmle.code.java.Type
/** The type `java.net.URLConnection`. */
/** The type `java.net.UrlConnection`. */
class TypeUrlConnection extends RefType {
TypeUrlConnection() { this.hasQualifiedName("java.net", "URLConnection") }
}
@@ -29,15 +29,18 @@ class TypeUri extends RefType {
TypeUri() { this.hasQualifiedName("java.net", "URI") }
}
/** The method `java.net.URLConnection::getInputStream`. */
class URLConnectionGetInputStreamMethod extends Method {
URLConnectionGetInputStreamMethod() {
/** The method `java.net.UrlConnection::getInputStream`. */
class UrlConnectionGetInputStreamMethod extends Method {
UrlConnectionGetInputStreamMethod() {
this.getDeclaringType() instanceof TypeUrlConnection and
this.hasName("getInputStream") and
this.hasNoParameters()
}
}
/** DEPRECATED: Alias for UrlConnectionGetInputStreamMethod */
deprecated class URLConnectionGetInputStreamMethod = UrlConnectionGetInputStreamMethod;
/** The method `java.net.Socket::getInputStream`. */
class SocketGetInputStreamMethod extends Method {
SocketGetInputStreamMethod() {
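Review bot: The rewritten QLDoc on `TypeUrlConnection` now reads `/** The type `java.net.UrlConnection`. */`, but the Java type is `java.net.URLConnection`, which is exactly what the unchanged constructor still matches with `this.hasQualifiedName("java.net", "URLConnection")`; the acronym rewrite was applied to a Java API name inside a comment rather than to a QL identifier. The same happened to the doc on `UrlConnectionGetInputStreamMethod`, which now names `java.net.UrlConnection::getInputStream`. Both comments should be restored to the real Java name: `/** The type `java.net.URLConnection`. */` and `/** The method `java.net.URLConnection::getInputStream`. */`, since readers use these docs to locate the API being modelled. The other sections in this commit that model Java API names (`LDAPConnection`, `getRequestURL`, `PlainSQL`) kept the original spelling in their comments, so this looks like an isolated slip.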


@@ -120,14 +120,17 @@ library class HttpServletRequestGetHeaderNamesMethod extends Method {
/**
* The method `getRequestURL()` declared in `javax.servlet.http.HttpServletRequest`.
*/
class HttpServletRequestGetRequestURLMethod extends Method {
HttpServletRequestGetRequestURLMethod() {
class HttpServletRequestGetRequestUrlMethod extends Method {
HttpServletRequestGetRequestUrlMethod() {
this.getDeclaringType() instanceof HttpServletRequest and
this.hasName("getRequestURL") and
this.getNumberOfParameters() = 0
}
}
/** DEPRECATED: Alias for HttpServletRequestGetRequestUrlMethod */
deprecated class HttpServletRequestGetRequestURLMethod = HttpServletRequestGetRequestUrlMethod;
/**
* The method `getRequestURI()` declared in `javax.servlet.http.HttpServletRequest`.
*/
@@ -318,8 +321,8 @@ class ServletClass extends Class {
* Note: There are a number of other listener interfaces in the `javax.servlet` package that cannot
* be configured in `web.xml` and therefore are not covered by this class.
*/
class ServletWebXMLListenerType extends RefType {
ServletWebXMLListenerType() {
class ServletWebXmlListenerType extends RefType {
ServletWebXmlListenerType() {
this.hasQualifiedName("javax.servlet", "ServletContextAttributeListener") or
this.hasQualifiedName("javax.servlet", "ServletContextListener") or
this.hasQualifiedName("javax.servlet", "ServletRequestAttributeListener") or
@@ -333,6 +336,9 @@ class ServletWebXMLListenerType extends RefType {
}
}
/** DEPRECATED: Alias for ServletWebXmlListenerType */
deprecated class ServletWebXMLListenerType = ServletWebXmlListenerType;
/** Holds if `m` is a request handler method (for example `doGet` or `doPost`). */
predicate isServletRequestMethod(Method m) {
m.getDeclaringType() instanceof ServletClass and


@@ -25,12 +25,15 @@ class TypeUnboundIdLdapFilter extends Class {
}
/** The class `com.unboundid.ldap.sdk.LDAPConnection`. */
class TypeUnboundIdLDAPConnection extends Class {
TypeUnboundIdLDAPConnection() {
class TypeUnboundIdLdapConnection extends Class {
TypeUnboundIdLdapConnection() {
this.hasQualifiedName("com.unboundid.ldap.sdk", "LDAPConnection")
}
}
/** DEPRECATED: Alias for TypeUnboundIdLdapConnection */
deprecated class TypeUnboundIdLDAPConnection = TypeUnboundIdLdapConnection;
/*--- Methods ---*/
/** A method with the name `setBaseDN` declared in `com.unboundid.ldap.sdk.SearchRequest`. */
class MethodUnboundIdSearchRequestSetBaseDN extends Method {
@@ -89,25 +92,36 @@ class MethodUnboundIdFilterSimplifyFilter extends Method {
}
/** A method with the name `search` declared in `com.unboundid.ldap.sdk.LDAPConnection`. */
class MethodUnboundIdLDAPConnectionSearch extends Method {
MethodUnboundIdLDAPConnectionSearch() {
this.getDeclaringType() instanceof TypeUnboundIdLDAPConnection and
class MethodUnboundIdLdapConnectionSearch extends Method {
MethodUnboundIdLdapConnectionSearch() {
this.getDeclaringType() instanceof TypeUnboundIdLdapConnection and
this.hasName("search")
}
}
/** DEPRECATED: Alias for MethodUnboundIdLdapConnectionSearch */
deprecated class MethodUnboundIdLDAPConnectionSearch = MethodUnboundIdLdapConnectionSearch;
/** A method with the name `asyncSearch` declared in `com.unboundid.ldap.sdk.LDAPConnection`. */
class MethodUnboundIdLDAPConnectionAsyncSearch extends Method {
MethodUnboundIdLDAPConnectionAsyncSearch() {
this.getDeclaringType() instanceof TypeUnboundIdLDAPConnection and
class MethodUnboundIdLdapConnectionAsyncSearch extends Method {
MethodUnboundIdLdapConnectionAsyncSearch() {
this.getDeclaringType() instanceof TypeUnboundIdLdapConnection and
this.hasName("asyncSearch")
}
}
/** DEPRECATED: Alias for MethodUnboundIdLdapConnectionAsyncSearch */
deprecated class MethodUnboundIdLDAPConnectionAsyncSearch =
MethodUnboundIdLdapConnectionAsyncSearch;
/** A method with the name `searchForEntry` declared in `com.unboundid.ldap.sdk.LDAPConnection`. */
class MethodUnboundIdLDAPConnectionSearchForEntry extends Method {
MethodUnboundIdLDAPConnectionSearchForEntry() {
this.getDeclaringType() instanceof TypeUnboundIdLDAPConnection and
class MethodUnboundIdLdapConnectionSearchForEntry extends Method {
MethodUnboundIdLdapConnectionSearchForEntry() {
this.getDeclaringType() instanceof TypeUnboundIdLdapConnection and
this.hasName("searchForEntry")
}
}
/** DEPRECATED: Alias for MethodUnboundIdLdapConnectionSearchForEntry */
deprecated class MethodUnboundIdLDAPConnectionSearchForEntry =
MethodUnboundIdLdapConnectionSearchForEntry;


@@ -5,7 +5,7 @@ import semmle.code.xml.XML
/**
* Holds if any `*.gwt.xml` files are included in this snapshot.
*/
predicate isGwtXmlIncluded() { exists(GwtXmlFile webXML) }
predicate isGwtXmlIncluded() { exists(GwtXmlFile webXml) }
/** A GWT module XML file with a `.gwt.xml` suffix. */
class GwtXmlFile extends XMLFile {


@@ -10,8 +10,8 @@ import semmle.code.java.dataflow.ExternalFlow
* and is prone to SQL injection.
* https://www.jooq.org/doc/current/manual/sql-building/plain-sql/
*/
private class PlainSQLType extends Annotation {
PlainSQLType() { this.getType().hasQualifiedName("org.jooq", "PlainSQL") }
private class PlainSqlType extends Annotation {
PlainSqlType() { this.getType().hasQualifiedName("org.jooq", "PlainSQL") }
}
/**
@@ -19,7 +19,7 @@ private class PlainSQLType extends Annotation {
* first argument.
*/
predicate jOOQSqlMethod(Method m) {
m.getAnAnnotation() instanceof PlainSQLType and
m.getAnAnnotation() instanceof PlainSqlType and
m.getParameterType(0) instanceof TypeString
}


@@ -14,14 +14,17 @@ private import semmle.code.java.dataflow.ExternalFlow
/**
* A `@com.fasterxml.jackson.annotation.JsonIgnore` annoation.
*/
class JacksonJSONIgnoreAnnotation extends NonReflectiveAnnotation {
JacksonJSONIgnoreAnnotation() {
class JacksonJsonIgnoreAnnotation extends NonReflectiveAnnotation {
JacksonJsonIgnoreAnnotation() {
exists(AnnotationType anntp | anntp = this.getType() |
anntp.hasQualifiedName("com.fasterxml.jackson.annotation", "JsonIgnore")
)
}
}
/** DEPRECATED: Alias for JacksonJsonIgnoreAnnotation */
deprecated class JacksonJSONIgnoreAnnotation = JacksonJsonIgnoreAnnotation;
/** A type whose values may be serialized using the Jackson JSON framework. */
abstract class JacksonSerializableType extends Type { }
@@ -143,7 +146,7 @@ class JacksonSerializableField extends SerializableField {
not superType instanceof TypeObject and
superType.fromSource()
) and
not this.getAnAnnotation() instanceof JacksonJSONIgnoreAnnotation
not this.getAnAnnotation() instanceof JacksonJsonIgnoreAnnotation
}
}
@@ -155,7 +158,7 @@ class JacksonDeserializableField extends DeserializableField {
not superType instanceof TypeObject and
superType.fromSource()
) and
not this.getAnAnnotation() instanceof JacksonJSONIgnoreAnnotation
not this.getAnAnnotation() instanceof JacksonJsonIgnoreAnnotation
}
}


@@ -67,8 +67,8 @@ class FacesComponent extends Class {
)
or
// Or in an XML file
exists(FacesConfigComponentClass componentClassXML |
this = componentClassXML.getFacesComponentClass()
exists(FacesConfigComponentClass componentClassXml |
this = componentClassXml.getFacesComponentClass()
)
)
}


@@ -8,8 +8,8 @@ import java
/**
* A JavaEE persistence configuration XML file (persistence.xml).
*/
class PersistenceXMLFile extends XMLFile {
PersistenceXMLFile() { this.getStem() = "persistence" }
class PersistenceXmlFile extends XMLFile {
PersistenceXmlFile() { this.getStem() = "persistence" }
/** Gets the root XML element in this `persistence.xml` file. */
PersistenceXmlRoot getRoot() { result = this.getAChild() }
@@ -26,10 +26,13 @@ class PersistenceXMLFile extends XMLFile {
}
}
/** DEPRECATED: Alias for PersistenceXmlFile */
deprecated class PersistenceXMLFile = PersistenceXmlFile;
/** The root `persistence` XML element in a `persistence.xml` file. */
class PersistenceXmlRoot extends XMLElement {
PersistenceXmlRoot() {
this.getParent() instanceof PersistenceXMLFile and
this.getParent() instanceof PersistenceXmlFile and
this.getName() = "persistence"
}


@@ -22,7 +22,7 @@ class SessionEJB extends EJB {
this.getAnAnnotation().getType().hasName("Stateless") or
this.getAnAnnotation().getType().hasName("Stateful") or
// XML deployment descriptor.
exists(EjbJarXMLFile f |
exists(EjbJarXmlFile f |
this.getQualifiedName() =
f.getASessionElement().getAnEjbClassElement().getACharactersSet().getCharacters()
)
@@ -121,7 +121,7 @@ class StatefulSessionEJB extends SessionEJB {
this.getAnAnnotation().getType().hasName("Stateful")
or
// XML deployment descriptor.
exists(EjbJarXMLFile f, EjbJarSessionElement se |
exists(EjbJarXmlFile f, EjbJarSessionElement se |
se = f.getASessionElement() and
this.getQualifiedName() = se.getAnEjbClassElement().getACharactersSet().getCharacters() and
se.getASessionTypeElement().isStateful()
@@ -138,7 +138,7 @@ class StatelessSessionEJB extends SessionEJB {
this.getAnAnnotation().getType().hasName("Stateless")
or
// XML deployment descriptor.
exists(EjbJarXMLFile f, EjbJarSessionElement se |
exists(EjbJarXmlFile f, EjbJarSessionElement se |
se = f.getASessionElement() and
this.getQualifiedName() = se.getAnEjbClassElement().getACharactersSet().getCharacters() and
se.getASessionTypeElement().isStateless()
@@ -158,7 +158,7 @@ class MessageDrivenBean extends EJB {
this.getAnAnnotation().getType().hasName("MessageDriven")
or
// XML deployment descriptor.
exists(EjbJarXMLFile f |
exists(EjbJarXmlFile f |
this.getQualifiedName() =
f.getAMessageDrivenElement().getAnEjbClassElement().getACharactersSet().getCharacters()
)
@@ -174,7 +174,7 @@ class EntityEJB extends EJB {
this instanceof EntityBean
or
// XML deployment descriptor.
exists(EjbJarXMLFile f |
exists(EjbJarXmlFile f |
this.getQualifiedName() =
f.getAnEntityElement().getAnEjbClassElement().getACharactersSet().getCharacters()
)
@@ -245,14 +245,14 @@ abstract class BusinessInterface extends Interface {
*/
class XmlSpecifiedBusinessInterface extends BusinessInterface {
XmlSpecifiedBusinessInterface() {
exists(EjbJarXMLFile f |
exists(EjbJarXmlFile f |
this.getQualifiedName() =
f.getASessionElement().getABusinessElement().getACharactersSet().getCharacters()
)
}
override SessionEJB getAnEJB() {
exists(EjbJarXMLFile f, EjbJarSessionElement se |
exists(EjbJarXmlFile f, EjbJarSessionElement se |
se = f.getASessionElement() and
this.getQualifiedName() = se.getABusinessElement().getACharactersSet().getCharacters() and
result.getQualifiedName() = se.getAnEjbClassElement().getACharactersSet().getCharacters()
@@ -260,14 +260,14 @@ class XmlSpecifiedBusinessInterface extends BusinessInterface {
}
override predicate isDeclaredLocal() {
exists(EjbJarXMLFile f |
exists(EjbJarXmlFile f |
this.getQualifiedName() =
f.getASessionElement().getABusinessLocalElement().getACharactersSet().getCharacters()
)
}
override predicate isDeclaredRemote() {
exists(EjbJarXMLFile f |
exists(EjbJarXmlFile f |
this.getQualifiedName() =
f.getASessionElement().getABusinessRemoteElement().getACharactersSet().getCharacters()
)
@@ -411,7 +411,7 @@ class ExtendedRemoteInterface extends LegacyEjbRemoteInterface, RemoteEJBInterfa
/** A legacy remote interface specified within an XML deployment descriptor. */
class XmlSpecifiedRemoteInterface extends LegacyEjbRemoteInterface {
XmlSpecifiedRemoteInterface() {
exists(EjbJarXMLFile f |
exists(EjbJarXmlFile f |
this.getQualifiedName() =
f.getASessionElement().getARemoteElement().getACharactersSet().getCharacters()
)
@@ -422,7 +422,7 @@ class XmlSpecifiedRemoteInterface extends LegacyEjbRemoteInterface {
* for this legacy EJB remote interface.
*/
SessionEJB getAnEJB() {
exists(EjbJarXMLFile f, EjbJarSessionElement se |
exists(EjbJarXmlFile f, EjbJarSessionElement se |
se = f.getASessionElement() and
this.getQualifiedName() = se.getARemoteElement().getACharactersSet().getCharacters() and
result.getQualifiedName() = se.getAnEjbClassElement().getACharactersSet().getCharacters()
@@ -453,7 +453,7 @@ class AnnotatedRemoteHomeInterface extends LegacyEjbRemoteHomeInterface {
/** A legacy remote home interface specified within an XML deployment descriptor. */
class XmlSpecifiedRemoteHomeInterface extends LegacyEjbRemoteHomeInterface {
XmlSpecifiedRemoteHomeInterface() {
exists(EjbJarXMLFile f |
exists(EjbJarXmlFile f |
this.getQualifiedName() =
f.getASessionElement().getARemoteHomeElement().getACharactersSet().getCharacters()
)
@@ -461,7 +461,7 @@ class XmlSpecifiedRemoteHomeInterface extends LegacyEjbRemoteHomeInterface {
/** Gets an EJB to which this interface belongs. */
SessionEJB getAnEJB() {
exists(EjbJarXMLFile f, EjbJarSessionElement se |
exists(EjbJarXmlFile f, EjbJarSessionElement se |
se = f.getASessionElement() and
this.getQualifiedName() = se.getARemoteHomeElement().getACharactersSet().getCharacters() and
result.getQualifiedName() = se.getAnEjbClassElement().getACharactersSet().getCharacters()
@@ -478,7 +478,7 @@ class ExtendedLocalInterface extends LegacyEjbLocalInterface, LocalEJBInterface
/** A legacy local interface specified within an XML deployment descriptor. */
class XmlSpecifiedLocalInterface extends LegacyEjbLocalInterface {
XmlSpecifiedLocalInterface() {
exists(EjbJarXMLFile f |
exists(EjbJarXmlFile f |
this.getQualifiedName() =
f.getASessionElement().getALocalElement().getACharactersSet().getCharacters()
)
@@ -486,7 +486,7 @@ class XmlSpecifiedLocalInterface extends LegacyEjbLocalInterface {
/** Gets an EJB to which this interface belongs. */
SessionEJB getAnEJB() {
exists(EjbJarXMLFile f, EjbJarSessionElement se |
exists(EjbJarXmlFile f, EjbJarSessionElement se |
se = f.getASessionElement() and
this.getQualifiedName() = se.getALocalElement().getACharactersSet().getCharacters() and
result.getQualifiedName() = se.getAnEjbClassElement().getACharactersSet().getCharacters()
@@ -517,7 +517,7 @@ class AnnotatedLocalHomeInterface extends LegacyEjbLocalHomeInterface {
/** A legacy local home interface specified within an XML deployment descriptor. */
class XmlSpecifiedLocalHomeInterface extends LegacyEjbLocalHomeInterface {
XmlSpecifiedLocalHomeInterface() {
exists(EjbJarXMLFile f |
exists(EjbJarXmlFile f |
this.getQualifiedName() =
f.getASessionElement().getALocalHomeElement().getACharactersSet().getCharacters()
)
@@ -525,7 +525,7 @@ class XmlSpecifiedLocalHomeInterface extends LegacyEjbLocalHomeInterface {
/** Gets an EJB to which this interface belongs. */
SessionEJB getAnEJB() {
exists(EjbJarXMLFile f, EjbJarSessionElement se |
exists(EjbJarXmlFile f, EjbJarSessionElement se |
se = f.getASessionElement() and
this.getQualifiedName() = se.getALocalHomeElement().getACharactersSet().getCharacters() and
result.getQualifiedName() = se.getAnEjbClassElement().getACharactersSet().getCharacters()


@@ -8,8 +8,8 @@ import java
/**
* An EJB deployment descriptor XML file named `ejb-jar.xml`.
*/
class EjbJarXMLFile extends XMLFile {
EjbJarXMLFile() { this.getStem() = "ejb-jar" }
class EjbJarXmlFile extends XMLFile {
EjbJarXmlFile() { this.getStem() = "ejb-jar" }
/** Gets the root `ejb-jar` XML element of this `ejb-jar.xml` file. */
EjbJarRootElement getRoot() { result = this.getAChild() }
@@ -35,10 +35,13 @@ class EjbJarXMLFile extends XMLFile {
}
}
/** DEPRECATED: Alias for EjbJarXmlFile */
deprecated class EjbJarXMLFile = EjbJarXmlFile;
/** The root `ejb-jar` XML element in an `ejb-jar.xml` file. */
class EjbJarRootElement extends XMLElement {
EjbJarRootElement() {
this.getParent() instanceof EjbJarXMLFile and
this.getParent() instanceof EjbJarXmlFile and
this.getName() = "ejb-jar"
}


@@ -8,19 +8,22 @@ import default
* A JSF "application configuration resources file", typically called `faces-config.xml`, which
* contains the configuration for a JSF application
*/
class FacesConfigXMLFile extends XMLFile {
FacesConfigXMLFile() {
class FacesConfigXmlFile extends XMLFile {
FacesConfigXmlFile() {
// Contains a single top-level XML node named "faces-Config".
count(XMLElement e | e = this.getAChild()) = 1 and
this.getAChild().getName() = "faces-config"
}
}
/** DEPRECATED: Alias for FacesConfigXmlFile */
deprecated class FacesConfigXMLFile = FacesConfigXmlFile;
/**
* An XML element in a `FacesConfigXMLFile`.
*/
class FacesConfigXMLElement extends XMLElement {
FacesConfigXMLElement() { this.getFile() instanceof FacesConfigXMLFile }
class FacesConfigXmlElement extends XMLElement {
FacesConfigXmlElement() { this.getFile() instanceof FacesConfigXmlFile }
/**
* Gets the value for this element, with leading and trailing whitespace trimmed.
@@ -28,17 +31,20 @@ class FacesConfigXMLElement extends XMLElement {
string getValue() { result = this.allCharactersString().trim() }
}
/** DEPRECATED: Alias for FacesConfigXmlElement */
deprecated class FacesConfigXMLElement = FacesConfigXmlElement;
/**
* An element in a JSF config file that declares a managed bean.
*/
class FacesConfigManagedBean extends FacesConfigXMLElement {
class FacesConfigManagedBean extends FacesConfigXmlElement {
FacesConfigManagedBean() { this.getName() = "managed-bean" }
}
/**
* An element in a JSF config file that declares the Class of a managed bean.
*/
class FacesConfigManagedBeanClass extends FacesConfigXMLElement {
class FacesConfigManagedBeanClass extends FacesConfigXmlElement {
FacesConfigManagedBeanClass() {
this.getName() = "managed-bean-class" and
this.getParent() instanceof FacesConfigManagedBean
@@ -53,14 +59,14 @@ class FacesConfigManagedBeanClass extends FacesConfigXMLElement {
/**
* An element in a JSF config file that declares a custom component.
*/
class FacesConfigComponent extends FacesConfigXMLElement {
class FacesConfigComponent extends FacesConfigXmlElement {
FacesConfigComponent() { this.getName() = "component" }
}
/**
* An element in a JSF config file that declares the Class of a faces component.
*/
class FacesConfigComponentClass extends FacesConfigXMLElement {
class FacesConfigComponentClass extends FacesConfigXmlElement {
FacesConfigComponentClass() {
this.getName() = "component-class" and
this.getParent() instanceof FacesConfigComponent
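Review bot: The QLDoc directly above the renamed `FacesConfigXmlElement` still reads `* An XML element in a `FacesConfigXMLFile`.`, i.e. it names the class this commit turns into a deprecated alias; since the alias exists only for compatibility, the doc should point at the live name, `* An XML element in a `FacesConfigXmlFile`.`. While in that file, the constructor comment `// Contains a single top-level XML node named "faces-Config".` disagrees in casing with the string the code actually matches on the line below, `this.getAChild().getName() = "faces-config"`; aligning the comment with the code avoids a reader assuming a case-insensitive match.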


@@ -3,7 +3,7 @@ import semmle.code.java.frameworks.spring.SpringXMLElement
import semmle.code.java.frameworks.spring.SpringBean
/** A common supertype of `SpringRef` and `SpringIdRef`. */
class SpringAbstractRef extends SpringXMLElement {
class SpringAbstractRef extends SpringXmlElement {
SpringAbstractRef() {
this.getName() = "idref" or
this.getName() = "ref"
@@ -29,7 +29,7 @@ class SpringAbstractRef extends SpringXMLElement {
}
/** Holds if `other` is also a reference and points to the same bean as this reference. */
override predicate isSimilar(SpringXMLElement other) {
override predicate isSimilar(SpringXmlElement other) {
exists(SpringAbstractRef otherRef |
otherRef = other and
this.getBean() = otherRef.getBean()


@@ -3,7 +3,7 @@ import semmle.code.java.frameworks.spring.SpringXMLElement
import semmle.code.java.frameworks.spring.SpringBean
/** An `<alias>` element in Spring XML files. */
class SpringAlias extends SpringXMLElement {
class SpringAlias extends SpringXmlElement {
SpringAlias() { this.getName() = "alias" }
/** Gets the value of the `alias` attribute. */


@@ -2,7 +2,7 @@ import java
import semmle.code.java.frameworks.spring.SpringXMLElement
/** An `<arg-type>` element in Spring XML files. */
class SpringArgType extends SpringXMLElement {
class SpringArgType extends SpringXmlElement {
SpringArgType() { this.getName() = "arg-type" }
/** Gets the value of the `match` attribute. */


@@ -2,7 +2,7 @@ import java
import semmle.code.java.frameworks.spring.SpringXMLElement
/** An `<attribute>` element in Spring XML files. */
class SpringAttribute extends SpringXMLElement {
class SpringAttribute extends SpringXmlElement {
SpringAttribute() { this.getName() = "attribute" }
/** Gets the value of the `key` attribute. */


@@ -58,8 +58,8 @@ class SpringBeanPropertySetterMethod extends Method {
*
* Confusingly, this is a different form of autowiring to the `@Autowired` annotation.
*/
class SpringBeanXMLAutowiredSetterMethod extends Method {
SpringBeanXMLAutowiredSetterMethod() {
class SpringBeanXmlAutowiredSetterMethod extends Method {
SpringBeanXmlAutowiredSetterMethod() {
// The bean as marked with some form of autowiring in the XML file.
exists(string xmlAutowire |
xmlAutowire = this.getDeclaringType().(SpringBeanRefType).getSpringBean().getAutowire()
@@ -100,6 +100,9 @@ class SpringBeanXMLAutowiredSetterMethod extends Method {
}
}
/** DEPRECATED: Alias for SpringBeanXmlAutowiredSetterMethod */
deprecated class SpringBeanXMLAutowiredSetterMethod = SpringBeanXmlAutowiredSetterMethod;
/**
* A callable that is annotated with `@Autowired`.
*


@@ -12,7 +12,7 @@ import semmle.code.java.frameworks.spring.SpringReplacedMethod
*/
/** A `<bean>` element in a Spring XML file. */
class SpringBean extends SpringXMLElement {
class SpringBean extends SpringXmlElement {
SpringBean() {
this.getName() = "bean" and
// Do not capture Camel beans, which are different
@@ -268,7 +268,7 @@ class SpringBean extends SpringXMLElement {
/**
* Holds if this bean element has the same bean identifier as `other`.
*/
override predicate isSimilar(SpringXMLElement other) {
override predicate isSimilar(SpringXmlElement other) {
this.getBeanIdentifier() = other.(SpringBean).getBeanIdentifier()
}


@@ -9,56 +9,71 @@ import semmle.code.java.frameworks.spring.SpringBean
/**
* An Apache Camel element in a Spring Beans file.
*/
class SpringCamelXMLElement extends SpringXMLElement {
SpringCamelXMLElement() { getNamespace().getURI() = "http://camel.apache.org/schema/spring" }
class SpringCamelXmlElement extends SpringXmlElement {
SpringCamelXmlElement() { getNamespace().getURI() = "http://camel.apache.org/schema/spring" }
}
/** DEPRECATED: Alias for SpringCamelXmlElement */
deprecated class SpringCamelXMLElement = SpringCamelXmlElement;
/**
* An element in a Spring beans file that defines an Apache Camel context.
*
* All Apache Camel Spring elements are nested within a `<camelContext>` or a `<routeContext>`.
*/
class SpringCamelXMLContext extends SpringCamelXMLElement {
SpringCamelXMLContext() { getName() = "camelContext" }
class SpringCamelXmlContext extends SpringCamelXmlElement {
SpringCamelXmlContext() { getName() = "camelContext" }
}
/** DEPRECATED: Alias for SpringCamelXmlContext */
deprecated class SpringCamelXMLContext = SpringCamelXmlContext;
/**
* An element in a Spring beans file that defines an Apache Camel route context.
*
* A `<routeContext>` is a fragment, containing route definitions, that can be included within a
* `<camelContext>`.
*/
class SpringCamelXMLRouteContext extends SpringCamelXMLElement {
SpringCamelXMLRouteContext() { getName() = "routeContext" }
class SpringCamelXmlRouteContext extends SpringCamelXmlElement {
SpringCamelXmlRouteContext() { getName() = "routeContext" }
}
/** DEPRECATED: Alias for SpringCamelXmlRouteContext */
deprecated class SpringCamelXMLRouteContext = SpringCamelXmlRouteContext;
/**
* An element in a Spring beans files that defines an Apache Camel route.
*
* A Camel `<route>` element defines how messages that match certain criteria are handled by Apache
* Camel.
*/
class SpringCamelXMLRoute extends SpringCamelXMLElement {
SpringCamelXMLRoute() {
class SpringCamelXmlRoute extends SpringCamelXmlElement {
SpringCamelXmlRoute() {
// A route must either be in a `<routeContext>` or a `<camelContext>`.
(
getParent() instanceof SpringCamelXMLRouteContext or
getParent() instanceof SpringCamelXMLContext
getParent() instanceof SpringCamelXmlRouteContext or
getParent() instanceof SpringCamelXmlContext
) and
getName() = "route"
}
}
/** DEPRECATED: Alias for SpringCamelXmlRoute */
deprecated class SpringCamelXMLRoute = SpringCamelXmlRoute;
/**
* An element in a Spring bean file that is logically contained in an Apache Camel route.
*/
class SpringCamelXMLRouteElement extends SpringCamelXMLElement {
SpringCamelXMLRouteElement() {
getParent() instanceof SpringCamelXMLRoute or
getParent() instanceof SpringCamelXMLRouteElement
class SpringCamelXmlRouteElement extends SpringCamelXmlElement {
SpringCamelXmlRouteElement() {
getParent() instanceof SpringCamelXmlRoute or
getParent() instanceof SpringCamelXmlRouteElement
}
}
/** DEPRECATED: Alias for SpringCamelXmlRouteElement */
deprecated class SpringCamelXMLRouteElement = SpringCamelXmlRouteElement;
/**
* A reference to a Spring bean in an Apache Camel route defined in a Spring beans file.
*
@@ -66,8 +81,8 @@ class SpringCamelXMLRouteElement extends SpringCamelXMLElement {
* specifies a Spring bean that should be called in response to messages that match the enclosing
* route.
*/
class SpringCamelXMLBeanRef extends SpringCamelXMLRouteElement {
SpringCamelXMLBeanRef() { getName() = "bean" }
class SpringCamelXmlBeanRef extends SpringCamelXmlRouteElement {
SpringCamelXmlBeanRef() { getName() = "bean" }
/**
* Gets the Spring bean that is referenced by this route bean definition, if any.
@@ -83,6 +98,9 @@ class SpringCamelXMLBeanRef extends SpringCamelXMLRouteElement {
RefType getBeanType() { result.getQualifiedName() = getAttribute("beanType").getValue() }
}
/** DEPRECATED: Alias for SpringCamelXmlBeanRef */
deprecated class SpringCamelXMLBeanRef = SpringCamelXmlBeanRef;
/**
* A declaration of a target in an Apache Camel route defined in a Spring beans file.
*
@@ -90,8 +108,8 @@ class SpringCamelXMLBeanRef extends SpringCamelXMLRouteElement {
* determines the type of the target. For example, if the scheme is "bean:" then the rest of the uri
* consists of a bean name and optional method name.
*/
class SpringCamelXMLToElement extends SpringCamelXMLRouteElement {
SpringCamelXMLToElement() { getName() = "to" }
class SpringCamelXmlToElement extends SpringCamelXmlRouteElement {
SpringCamelXmlToElement() { getName() = "to" }
/**
* Gets the URI attribute for this `<to>` element.
@@ -99,6 +117,9 @@ class SpringCamelXMLToElement extends SpringCamelXMLRouteElement {
string getURI() { result = getAttribute("uri").getValue() }
}
/** DEPRECATED: Alias for SpringCamelXmlToElement */
deprecated class SpringCamelXMLToElement = SpringCamelXmlToElement;
/**
* A declaration of a Apache Camel "method" expression defined in a Spring beans file.
*
@@ -107,8 +128,8 @@ class SpringCamelXMLToElement extends SpringCamelXMLRouteElement {
* (when the "ref" or "bean" attributes are used), or a type that should be instantiated as a bean
* (if "beanType" is used.
*/
class SpringCamelXMLMethodElement extends SpringCamelXMLElement {
SpringCamelXMLMethodElement() { getName() = "method" }
class SpringCamelXmlMethodElement extends SpringCamelXmlElement {
SpringCamelXmlMethodElement() { getName() = "method" }
/**
* Gets the `SpringBean` that this method expression refers to.
@@ -123,3 +144,6 @@ class SpringCamelXMLMethodElement extends SpringCamelXMLElement {
*/
RefType getBeanType() { result.getQualifiedName() = getAttribute("beanType").getValue() }
}
/** DEPRECATED: Alias for SpringCamelXmlMethodElement */
deprecated class SpringCamelXMLMethodElement = SpringCamelXmlMethodElement;
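Review bot: `string getURI() { result = getAttribute("uri").getValue() }` on SpringCamelXmlToElement keeps the upper-case acronym in this file even though every class here is renamed to the `Xml` form, so the public API of this module is now mixed. If leaving it is deliberate because it mirrors `getNamespace().getURI()` from the XML library, a one-line comment on the predicate, e.g. `// Kept as getURI to match XMLNamespace.getURI()`, would save the next renamer the question; otherwise the same pattern used for the classes applies: `string getUri() { result = getAttribute("uri").getValue() }` plus `deprecated string getURI() { result = getUri() }`. This is inferred from the commit title rather than from a visible defect, so treat it as a consistency question.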


@@ -8,8 +8,8 @@ import semmle.code.xml.WebXML
* An element in a Spring configuration file that configures which packages are considered to be
* "base" packages when performing the Spring component scan.
*/
class SpringXMLComponentScan extends SpringXMLElement {
SpringXMLComponentScan() {
class SpringXmlComponentScan extends SpringXmlElement {
SpringXmlComponentScan() {
this.getName() = "component-scan" and
this.getNamespace().getPrefix() = "context"
}
@@ -23,6 +23,9 @@ class SpringXMLComponentScan extends SpringXMLElement {
string getAProfileExpr() { result = this.getSpringBeanFile().getAProfileExpr() }
}
/** DEPRECATED: Alias for SpringXmlComponentScan */
deprecated class SpringXMLComponentScan = SpringXmlComponentScan;
/**
* An annotation of a class that configures which packages are considered to be "base" packages
* when performing the Spring component scan.
@@ -59,11 +62,11 @@ class SpringBasePackage extends string {
exists(string basePackages |
// Interpret the contexts of the `web.xml` "contextConfigLocation" parameter as a base package,
// but only if the appropriate context class is chosen.
exists(WebXMLFile webXML |
webXML.getContextParamValue("contextClass") =
exists(WebXmlFile webXml |
webXml.getContextParamValue("contextClass") =
"org.springframework.web.context.support.AnnotationConfigWebApplicationContext"
|
basePackages = webXML.getContextParamValue("contextConfigLocation")
basePackages = webXml.getContextParamValue("contextConfigLocation")
)
or
exists(SpringComponent c, Annotation componentScan |
@@ -75,7 +78,7 @@ class SpringBasePackage extends string {
c.isLive()
)
or
exists(SpringXMLComponentScan xmlComponentScan |
exists(SpringXmlComponentScan xmlComponentScan |
basePackages = xmlComponentScan.getBasePackages() and
// The component scan profile must be active, if one is specified.
(
@@ -110,7 +113,7 @@ class SpringComponentAnnotation extends AnnotationType {
* In order for Spring XML to be "enabled", XML must have been indexed into the snapshot, and that
* XML must contain the appropriate Spring configuration files.
*/
private predicate isSpringXMLEnabled() { exists(SpringXMLElement springXMLElement) }
private predicate isSpringXmlEnabled() { exists(SpringXmlElement springXmlElement) }
/**
* A Spring component class, identified by the presence of a particular annotation.
@@ -178,7 +181,7 @@ class SpringComponent extends RefType {
// only validate whether this class is ever picked up if XML indexing is enabled. If it's
// enabled, then the package of this class must belong in one of the packages defined as a base
// package.
not isSpringXMLEnabled()
not isSpringXmlEnabled()
or
exists(SpringBasePackage sbp |
this.getPackage().getName().prefix(sbp.length() + 1) = sbp + "." or


@@ -5,7 +5,7 @@ import semmle.code.java.frameworks.spring.SpringAbstractRef
import semmle.code.java.frameworks.spring.SpringValue
/** A `<constructor-arg>` element in a Spring XML file. */
class SpringConstructorArg extends SpringXMLElement {
class SpringConstructorArg extends SpringXmlElement {
SpringConstructorArg() { this.getName() = "constructor-arg" }
/** Holds if this `constructor-arg` element has an `index` attribute. */


@@ -6,6 +6,6 @@ import semmle.code.java.frameworks.spring.SpringXMLElement
*
* Its contents can be accessed using `SpringXMLElement.getContentString()`.
*/
class SpringDescription extends SpringXMLElement {
class SpringDescription extends SpringXmlElement {
SpringDescription() { this.getName() = "description" }
}


@@ -6,7 +6,7 @@ import semmle.code.java.frameworks.spring.SpringKey
import semmle.code.java.frameworks.spring.SpringValue
/** An `<entry>` element in Spring XML files. */
class SpringEntry extends SpringXMLElement {
class SpringEntry extends SpringXmlElement {
SpringEntry() { this.getName() = "entry" }
/** Holds if this `entry` has a `key` attribute. */


@@ -9,7 +9,7 @@ import semmle.code.java.frameworks.spring.SpringComponentScan
import semmle.code.java.frameworks.spring.SpringXMLElement
/** Represents a `<remoting-destination>` element in Spring XML files. */
class SpringRemotingDestination extends SpringXMLElement {
class SpringRemotingDestination extends SpringXmlElement {
SpringRemotingDestination() { this.getName() = "remoting-destination" }
/**
@@ -55,7 +55,12 @@ class SpringRemotingDestinationClass extends Class {
/**
* Gets the XML configuration of the remoting destination, if it was configured in XML.
*/
SpringRemotingDestination getRemotingDestinationXML() { this = result.getSpringBean().getClass() }
SpringRemotingDestination getRemotingDestinationXml() { this = result.getSpringBean().getClass() }
/** DEPRECATED: Alias for getRemotingDestinationXml */
deprecated SpringRemotingDestination getRemotingDestinationXML() {
result = getRemotingDestinationXml()
}
/**
* Holds if the class is operating on an "include" or "exclude" basis.
@@ -70,7 +75,7 @@ class SpringRemotingDestinationClass extends Class {
m.hasAnnotation("org.springframework.flex.remoting", "RemotingInclude")
)
or
exists(this.getRemotingDestinationXML().getAnIncludeMethod())
exists(this.getRemotingDestinationXml().getAnIncludeMethod())
}
/**
@@ -81,10 +86,10 @@ class SpringRemotingDestinationClass extends Class {
if this.isIncluding()
then
result.hasAnnotation("org.springframework.flex.remoting", "RemotingInclude") or
result.getName() = this.getRemotingDestinationXML().getAnIncludeMethod()
result.getName() = this.getRemotingDestinationXml().getAnIncludeMethod()
else (
not result.hasAnnotation("org.springframework.flex.remoting", "RemotingExclude") and
not result.getName() = this.getRemotingDestinationXML().getAnExcludeMethod()
not result.getName() = this.getRemotingDestinationXml().getAnExcludeMethod()
)
}
}


@@ -2,7 +2,7 @@ import java
import semmle.code.java.frameworks.spring.SpringXMLElement
/** An `<import>` element in a Spring XML file. */
class SpringImport extends SpringXMLElement {
class SpringImport extends SpringXmlElement {
SpringImport() { this.getName() = "import" }
/** Gets the value of the `resource` attribute. */


@@ -2,6 +2,6 @@ import java
import semmle.code.java.frameworks.spring.SpringXMLElement
/** A `<key>` element in Spring XML files. */
class SpringKey extends SpringXMLElement {
class SpringKey extends SpringXmlElement {
SpringKey() { this.getName() = "key" }
}


@@ -3,7 +3,7 @@ import semmle.code.java.frameworks.spring.SpringXMLElement
import semmle.code.java.frameworks.spring.SpringBean
/** A `<lookup-method>` element in a Spring XML file. */
class SpringLookupMethod extends SpringXMLElement {
class SpringLookupMethod extends SpringXmlElement {
SpringLookupMethod() { this.getName() = "lookup-method" }
/** Gets the value of the `bean` attribute. */


@@ -4,7 +4,7 @@ import semmle.code.java.frameworks.spring.SpringXMLElement
/**
* A common superclass for mergeable Spring XML elements (`list`, `map`).
*/
/*abstract*/ class SpringMergable extends SpringXMLElement {
/*abstract*/ class SpringMergable extends SpringXmlElement {
string getMergeRaw() { result = this.getAttributeValueWithDefault("merge") }
/** Holds if this element is merged, taking `default-merged` values in `<beans>` into account. */


@@ -2,7 +2,7 @@ import java
import semmle.code.java.frameworks.spring.SpringXMLElement
/** A `<meta>` element in Spring XML files. */
class SpringMeta extends SpringXMLElement {
class SpringMeta extends SpringXmlElement {
SpringMeta() { this.getName() = "meta" }
/** Gets the value of the `key` attribute. */


@@ -2,6 +2,6 @@ import java
import semmle.code.java.frameworks.spring.SpringXMLElement
/** A `<null>` element in Spring XML files. */
class SpringNull extends SpringXMLElement {
class SpringNull extends SpringXmlElement {
SpringNull() { this.getName() = "null" }
}


@@ -2,7 +2,7 @@ import java
import semmle.code.java.frameworks.spring.SpringXMLElement
/** A `<prop>` element in Spring XML files. */
class SpringProp extends SpringXMLElement {
class SpringProp extends SpringXmlElement {
SpringProp() { this.getName() = "prop" }
/** Gets the value of the `key` attribute. */


@@ -6,7 +6,7 @@ import semmle.code.java.frameworks.spring.SpringList
import semmle.code.java.frameworks.spring.SpringValue
/** A `<property>` element in Spring XML files. */
class SpringProperty extends SpringXMLElement {
class SpringProperty extends SpringXmlElement {
SpringProperty() { this.getName() = "property" }
override string toString() { result = this.getPropertyName() }
@@ -55,7 +55,7 @@ class SpringProperty extends SpringXMLElement {
* Holds if this property is similar to another property.
* Currently only checks the property name and references to beans.
*/
override predicate isSimilar(SpringXMLElement element) {
override predicate isSimilar(SpringXmlElement element) {
exists(SpringProperty other |
other = element and this.getPropertyName() = other.getPropertyName()
|


@@ -2,7 +2,7 @@ import java
import semmle.code.java.frameworks.spring.SpringXMLElement
/** A `<qualifier>` element in a Spring XML file. */
class SpringQualifier extends SpringXMLElement {
class SpringQualifier extends SpringXmlElement {
SpringQualifier() { this.getName() = "qualifier" }
/** Gets the name of the Java class of this qualifier. */


@@ -3,7 +3,7 @@ import semmle.code.java.frameworks.spring.SpringXMLElement
import semmle.code.java.frameworks.spring.SpringBean
/** A `<replaced-method>` element in a Spring XML file. */
class SpringReplacedMethod extends SpringXMLElement {
class SpringReplacedMethod extends SpringXmlElement {
SpringReplacedMethod() { this.getName() = "replaced-method" }
/** Gets the value of the `name` attribute. */


@@ -2,7 +2,7 @@ import java
import semmle.code.java.frameworks.spring.SpringXMLElement
/** A `<value>` element in a Spring XML file. */
class SpringValue extends SpringXMLElement {
class SpringValue extends SpringXmlElement {
SpringValue() { this.getName() = "value" }
/** Gets the value of the `type` attribute. */


@@ -3,11 +3,11 @@ import semmle.code.java.frameworks.spring.SpringBeanFile
import semmle.code.java.frameworks.spring.SpringBean
/** A common superclass for all Spring XML elements. */
class SpringXMLElement extends XMLElement {
SpringXMLElement() { this.getFile() instanceof SpringBeanFile }
class SpringXmlElement extends XMLElement {
SpringXmlElement() { this.getFile() instanceof SpringBeanFile }
/** Gets a child of this Spring XML element. */
SpringXMLElement getASpringChild() { result = this.getAChild() }
SpringXmlElement getASpringChild() { result = this.getAChild() }
/** Gets the bean file of this XML element. */
SpringBeanFile getSpringBeanFile() { result = this.getFile() }
@@ -27,13 +27,16 @@ class SpringXMLElement extends XMLElement {
SpringBean getEnclosingBean() {
if this instanceof SpringBean
then result = this
else result = this.getParent().(SpringXMLElement).getEnclosingBean()
else result = this.getParent().(SpringXmlElement).getEnclosingBean()
}
/**
* Overridden by subclasses. Used to match `value`, `property` and `ref` elements for similarity.
*/
predicate isSimilar(SpringXMLElement other) { none() }
predicate isSimilar(SpringXmlElement other) { none() }
string getContentString() { result = this.allCharactersString() }
}
/** DEPRECATED: Alias for SpringXmlElement */
deprecated class SpringXMLElement = SpringXmlElement;


@@ -2,7 +2,7 @@ import semmle.code.java.frameworks.spring.SpringBean
import semmle.code.java.frameworks.spring.SpringBeanFile
import semmle.code.java.frameworks.spring.SpringEntry
predicate springDepends(SpringBean b1, SpringBean b2, SpringXMLElement cause) {
predicate springDepends(SpringBean b1, SpringBean b2, SpringXmlElement cause) {
b1 != b2 and
b1.getBeanParent() = b2 and
cause = b1
@@ -63,7 +63,7 @@ class MetricSpringBean extends SpringBean {
this.getSpringBeanFile() = result.getSpringBeanFile()
}
SpringXMLElement getBeanDependencyCause(SpringBean dependency) {
SpringXmlElement getBeanDependencyCause(SpringBean dependency) {
springDepends(this, dependency, result)
}
}


@@ -6,7 +6,7 @@ import semmle.code.java.frameworks.struts.StrutsXML
* Gets the custom struts mapper class used for this `refType`, if any.
*/
private string getStrutsMapperClass(RefType refType) {
result = getRootXMLFile(refType).getConstantValue("struts.mapper.class")
result = getRootXmlFile(refType).getConstantValue("struts.mapper.class")
}
/**
@@ -21,7 +21,7 @@ class Struts2ActionClass extends Class {
or
// If there is a struts.xml file, then any class that is specified as an action is considered
// to be reflectively constructed.
exists(StrutsXMLAction strutsAction | this = strutsAction.getActionClass())
exists(StrutsXmlAction strutsAction | this = strutsAction.getActionClass())
or
// We have determined that this is an action class due to the conventions plugin.
this instanceof Struts2ConventionActionClass
@@ -64,7 +64,7 @@ class Struts2ActionClass extends Class {
any()
else (
// Use the default mapping
exists(StrutsXMLAction strutsAction |
exists(StrutsXmlAction strutsAction |
this = strutsAction.getActionClass() and
result = strutsAction.getActionMethod()
)


@@ -53,7 +53,7 @@ private predicate isStrutsConventionPluginUsed(RefType refType) {
strutsConventionAnnotationUsedInFolder(getSourceFolder(refType.getCompilationUnit()))
or
// The struts configuration file for this file sets a convention property
getRootXMLFile(refType).getAConstant().getName().matches("struts.convention%")
getRootXmlFile(refType).getAConstant().getName().matches("struts.convention%")
or
// We've found the POM for this RefType, and it includes a dependency on the convention plugin
exists(Pom pom |
@@ -68,7 +68,7 @@ private predicate isStrutsConventionPluginUsed(RefType refType) {
* We guess by identifying the "nearest" `struts.xml` configuration file, i.e. the Struts
* configuration file with the lowest common ancestor to this file.
*/
StrutsXMLFile getRootXMLFile(RefType refType) {
StrutsXmlFile getRootXmlFile(RefType refType) {
exists(StrutsFolder strutsFolder |
strutsFolder = refType.getFile().getParentContainer*() and
strutsFolder.isUnique()
@@ -77,14 +77,17 @@ StrutsXMLFile getRootXMLFile(RefType refType) {
)
}
/** DEPRECATED: Alias for getRootXmlFile */
deprecated StrutsXMLFile getRootXMLFile(RefType refType) { result = getRootXmlFile(refType) }
/**
* Gets the suffix used for automatically identifying actions when using the convention plugin.
*
* If no configuration is supplied, or identified, the default is "Action".
*/
private string getConventionSuffix(RefType refType) {
if exists(getRootXMLFile(refType).getConstantValue("struts.convention.action.suffix"))
then result = getRootXMLFile(refType).getConstantValue("struts.convention.action.suffix")
if exists(getRootXmlFile(refType).getConstantValue("struts.convention.action.suffix"))
then result = getRootXmlFile(refType).getConstantValue("struts.convention.action.suffix")
else result = "Action"
}


@@ -4,13 +4,16 @@ import semmle.code.xml.XML
/**
* Holds if any struts XML files are included in this snapshot.
*/
predicate isStrutsXMLIncluded() { exists(StrutsXMLFile strutsXML) }
predicate isStrutsXmlIncluded() { exists(StrutsXmlFile strutsXml) }
/** DEPRECATED: Alias for isStrutsXmlIncluded */
deprecated predicate isStrutsXMLIncluded = isStrutsXmlIncluded/0;
/**
* A struts 2 configuration file.
*/
abstract class StrutsXMLFile extends XMLFile {
StrutsXMLFile() {
abstract class StrutsXmlFile extends XMLFile {
StrutsXmlFile() {
// Contains a single top-level XML node named "struts".
count(XMLElement e | e = this.getAChild()) = 1 and
this.getAChild().getName() = "struts"
@@ -19,55 +22,64 @@ abstract class StrutsXMLFile extends XMLFile {
/**
* Gets a "root" struts configuration file that includes this file.
*/
StrutsRootXMLFile getARoot() { result.getAnIncludedFile() = this }
StrutsRootXmlFile getARoot() { result.getAnIncludedFile() = this }
/**
* Gets a directly included file.
*/
StrutsXMLFile getADirectlyIncludedFile() {
exists(StrutsXMLInclude include | include.getFile() = this | result = include.getIncludedFile())
StrutsXmlFile getADirectlyIncludedFile() {
exists(StrutsXmlInclude include | include.getFile() = this | result = include.getIncludedFile())
}
/**
* Gets a transitively included file.
*/
StrutsXMLFile getAnIncludedFile() { result = this.getADirectlyIncludedFile*() }
StrutsXmlFile getAnIncludedFile() { result = this.getADirectlyIncludedFile*() }
/**
* Gets a `<constant>` defined in this file, or an included file.
*/
StrutsXMLConstant getAConstant() { result.getFile() = this.getAnIncludedFile() }
StrutsXmlConstant getAConstant() { result.getFile() = this.getAnIncludedFile() }
/**
* Gets the value of the constant with the given `name`.
*/
string getConstantValue(string name) {
exists(StrutsXMLConstant constant | constant = this.getAConstant() |
exists(StrutsXmlConstant constant | constant = this.getAConstant() |
constant.getConstantName() = name and
result = constant.getConstantValue()
)
}
}
/** DEPRECATED: Alias for StrutsXmlFile */
deprecated class StrutsXMLFile = StrutsXmlFile;
/**
* A Struts 2 "root" configuration XML file directly read by struts.
*
* Root configurations either have the name `struts.xml` or `struts-plugin.xml`.
*/
class StrutsRootXMLFile extends StrutsXMLFile {
StrutsRootXMLFile() {
class StrutsRootXmlFile extends StrutsXmlFile {
StrutsRootXmlFile() {
this.getBaseName() = "struts.xml" or
this.getBaseName() = "struts-plugin.xml"
}
}
/** DEPRECATED: Alias for StrutsRootXmlFile */
deprecated class StrutsRootXMLFile = StrutsRootXmlFile;
/**
* A Struts 2 configuration XML file included, directly or indirectly, by a root Struts configuration.
*/
class StrutsIncludedXMLFile extends StrutsXMLFile {
StrutsIncludedXMLFile() { exists(StrutsXMLInclude include | this = include.getIncludedFile()) }
class StrutsIncludedXmlFile extends StrutsXmlFile {
StrutsIncludedXmlFile() { exists(StrutsXmlInclude include | this = include.getIncludedFile()) }
}
/** DEPRECATED: Alias for StrutsIncludedXmlFile */
deprecated class StrutsIncludedXMLFile = StrutsIncludedXmlFile;
/**
* A Folder which has one or more Struts 2 root configurations.
*/
@@ -75,7 +87,7 @@ class StrutsFolder extends Folder {
StrutsFolder() {
exists(Container c | c = this.getAChildContainer() |
c instanceof StrutsFolder or
c instanceof StrutsXMLFile
c instanceof StrutsXmlFile
)
}
@@ -87,7 +99,7 @@ class StrutsFolder extends Folder {
/**
* Gets a struts root configuration that applies to this folder.
*/
StrutsRootXMLFile getAStrutsRootFile() {
StrutsRootXmlFile getAStrutsRootFile() {
result = this.getAChildContainer() or
result = this.getAChildContainer().(StrutsFolder).getAStrutsRootFile()
}
@@ -96,8 +108,8 @@ class StrutsFolder extends Folder {
/**
* An XML element in a `StrutsXMLFile`.
*/
class StrutsXMLElement extends XMLElement {
StrutsXMLElement() { this.getFile() instanceof StrutsXMLFile }
class StrutsXmlElement extends XMLElement {
StrutsXmlElement() { this.getFile() instanceof StrutsXmlFile }
/**
* Gets the value for this element, with leading and trailing whitespace trimmed.
@@ -105,14 +117,17 @@ class StrutsXMLElement extends XMLElement {
string getValue() { result = this.allCharactersString().trim() }
}
/** DEPRECATED: Alias for StrutsXmlElement */
deprecated class StrutsXMLElement = StrutsXmlElement;
/**
* A `<include>` element within a `struts.xml` file.
*
* This indicates that the file specified in the `file` attribute should be included in the struts
* configuration. The file is looked up using the classpath.
*/
class StrutsXMLInclude extends StrutsXMLElement {
StrutsXMLInclude() { this.getName() = "include" }
class StrutsXmlInclude extends StrutsXmlElement {
StrutsXmlInclude() { this.getName() = "include" }
/**
* Gets the XMLFile that we believe is included by this include statement.
@@ -127,6 +142,9 @@ class StrutsXMLInclude extends StrutsXMLElement {
}
}
/** DEPRECATED: Alias for StrutsXmlInclude */
deprecated class StrutsXMLInclude = StrutsXmlInclude;
/**
* Escape a string for use as the matcher in a string.match(..) call.
*/
@@ -150,8 +168,8 @@ private predicate strutsWildcardMatching(string matches, string wildcardstring)
/**
* A `<action>` element within a `struts.xml` file.
*/
class StrutsXMLAction extends StrutsXMLElement {
StrutsXMLAction() { this.getName() = "action" }
class StrutsXmlAction extends StrutsXmlElement {
StrutsXmlAction() { this.getName() = "action" }
/**
* Gets the `Class` that is referenced by this Struts action.
@@ -175,13 +193,19 @@ class StrutsXMLAction extends StrutsXMLElement {
}
}
/** DEPRECATED: Alias for StrutsXmlAction */
deprecated class StrutsXMLAction = StrutsXmlAction;
/**
* A `<constant>` property, representing a configuration parameter to struts.
*/
class StrutsXMLConstant extends StrutsXMLElement {
StrutsXMLConstant() { this.getName() = "constant" }
class StrutsXmlConstant extends StrutsXmlElement {
StrutsXmlConstant() { this.getName() = "constant" }
string getConstantName() { result = this.getAttribute("name").getValue() }
string getConstantValue() { result = this.getAttribute("value").getValue() }
}
/** DEPRECATED: Alias for StrutsXmlConstant */
deprecated class StrutsXMLConstant = StrutsXmlConstant;


@@ -17,10 +17,13 @@ class X509TrustManager extends RefType {
X509TrustManager() { this.hasQualifiedName("javax.net.ssl", "X509TrustManager") }
}
class HttpsURLConnection extends RefType {
HttpsURLConnection() { this.hasQualifiedName("javax.net.ssl", "HttpsURLConnection") }
class HttpsUrlConnection extends RefType {
HttpsUrlConnection() { this.hasQualifiedName("javax.net.ssl", "HttpsURLConnection") }
}
/** DEPRECATED: Alias for HttpsUrlConnection */
deprecated class HttpsURLConnection = HttpsUrlConnection;
class SSLSocketFactory extends RefType {
SSLSocketFactory() { this.hasQualifiedName("javax.net.ssl", "SSLSocketFactory") }
}
@@ -105,22 +108,22 @@ class CreateSslEngineMethod extends Method {
class SetConnectionFactoryMethod extends Method {
SetConnectionFactoryMethod() {
this.hasName("setSSLSocketFactory") and
this.getDeclaringType().getAnAncestor() instanceof HttpsURLConnection
this.getDeclaringType().getAnAncestor() instanceof HttpsUrlConnection
}
}
class SetHostnameVerifierMethod extends Method {
SetHostnameVerifierMethod() {
this.hasName("setHostnameVerifier") and
this.getDeclaringType().getAnAncestor() instanceof HttpsURLConnection
this.getDeclaringType().getAnAncestor() instanceof HttpsUrlConnection
}
}
/** The `setDefaultHostnameVerifier` method of the class `javax.net.ssl.HttpsURLConnection`. */
/** The `setDefaultHostnameVerifier` method of the class `javax.net.ssl.HttpsUrlConnection`. */
class SetDefaultHostnameVerifierMethod extends Method {
SetDefaultHostnameVerifierMethod() {
this.hasName("setDefaultHostnameVerifier") and
this.getDeclaringType().getAnAncestor() instanceof HttpsURLConnection
this.getDeclaringType().getAnAncestor() instanceof HttpsUrlConnection
}
}
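Review bot: The doc comment on SetDefaultHostnameVerifierMethod now names `javax.net.ssl.HttpsUrlConnection`, which is not a JDK class; the Java type is `javax.net.ssl.HttpsURLConnection`, exactly as the `hasQualifiedName("javax.net.ssl", "HttpsURLConnection")` string in the renamed QL class earlier in this section still spells it. Only the QL class was meant to change, so the comment should keep the original Java name: `/** The `setDefaultHostnameVerifier` method of the class `javax.net.ssl.HttpsURLConnection`. */`. This reads the second line of each printed pair as the new side, which matches the rest of the commit. Separately, SSLSocketFactory in the same hunk keeps its acronym while HttpsURLConnection is renamed; if QL classes that mirror a Java type name are meant to be exempt, a short comment saying so would make the rule visible.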


@@ -10,11 +10,14 @@ import semmle.code.java.dataflow.TaintTracking
/**
* A `Method` that is considered a "safe" external API from a security perspective.
*/
abstract class SafeExternalAPIMethod extends Method { }
abstract class SafeExternalApiMethod extends Method { }
/** DEPRECATED: Alias for SafeExternalApiMethod */
deprecated class SafeExternalAPIMethod = SafeExternalApiMethod;
/** The default set of "safe" external APIs. */
private class DefaultSafeExternalAPIMethod extends SafeExternalAPIMethod {
DefaultSafeExternalAPIMethod() {
private class DefaultSafeExternalApiMethod extends SafeExternalApiMethod {
DefaultSafeExternalApiMethod() {
this instanceof EqualsMethod
or
this.getName().regexpMatch("size|length|compareTo|getClass|lastIndexOf")
@@ -53,11 +56,11 @@ private class DefaultSafeExternalAPIMethod extends SafeExternalAPIMethod {
}
/** A node representing data being passed to an external API. */
class ExternalAPIDataNode extends DataFlow::Node {
class ExternalApiDataNode extends DataFlow::Node {
Call call;
int i;
ExternalAPIDataNode() {
ExternalApiDataNode() {
(
// Argument to call to a method
this.asExpr() = call.getArgument(i)
@@ -79,7 +82,7 @@ class ExternalAPIDataNode extends DataFlow::Node {
not exists(DataFlow::Node next | TaintTracking::localTaintStep(this, next)) and
not exists(DataFlow::Node next | TaintTracking::defaultAdditionalTaintStep(this, next)) and
// Not a call to a known safe external API
not call.getCallee() instanceof SafeExternalAPIMethod
not call.getCallee() instanceof SafeExternalApiMethod
}
/** Gets the called API `Method`. */
@@ -95,38 +98,47 @@ class ExternalAPIDataNode extends DataFlow::Node {
}
}
/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalAPIDataNode`s. */
class UntrustedDataToExternalAPIConfig extends TaintTracking::Configuration {
UntrustedDataToExternalAPIConfig() { this = "UntrustedDataToExternalAPIConfig" }
/** DEPRECATED: Alias for ExternalApiDataNode */
deprecated class ExternalAPIDataNode = ExternalApiDataNode;
/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalAPIDataNode }
override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
}
/** DEPRECATED: Alias for UntrustedDataToExternalApiConfig */
deprecated class UntrustedDataToExternalAPIConfig = UntrustedDataToExternalApiConfig;
/** A node representing untrusted data being passed to an external API. */
class UntrustedExternalAPIDataNode extends ExternalAPIDataNode {
UntrustedExternalAPIDataNode() { any(UntrustedDataToExternalAPIConfig c).hasFlow(_, this) }
class UntrustedExternalApiDataNode extends ExternalApiDataNode {
UntrustedExternalApiDataNode() { any(UntrustedDataToExternalApiConfig c).hasFlow(_, this) }
/** Gets a source of untrusted data which is passed to this external API data node. */
DataFlow::Node getAnUntrustedSource() {
any(UntrustedDataToExternalAPIConfig c).hasFlow(result, this)
any(UntrustedDataToExternalApiConfig c).hasFlow(result, this)
}
}
private newtype TExternalAPI =
TExternalAPIParameter(Method m, int index) {
exists(UntrustedExternalAPIDataNode n |
/** DEPRECATED: Alias for UntrustedExternalApiDataNode */
deprecated class UntrustedExternalAPIDataNode = UntrustedExternalApiDataNode;
private newtype TExternalApi =
TExternalApiParameter(Method m, int index) {
exists(UntrustedExternalApiDataNode n |
m = n.getMethod() and
index = n.getIndex()
)
}
/** An external API which is used with untrusted data. */
class ExternalAPIUsedWithUntrustedData extends TExternalAPI {
class ExternalApiUsedWithUntrustedData extends TExternalApi {
/** Gets a possibly untrusted use of this external API. */
UntrustedExternalAPIDataNode getUntrustedDataNode() {
this = TExternalAPIParameter(result.getMethod(), result.getIndex())
UntrustedExternalApiDataNode getUntrustedDataNode() {
this = TExternalApiParameter(result.getMethod(), result.getIndex())
}
/** Gets the number of untrusted sources used with this external API. */
@@ -139,9 +151,12 @@ class ExternalAPIUsedWithUntrustedData extends TExternalAPI {
exists(Method m, int index, string indexString |
if index = -1 then indexString = "qualifier" else indexString = "param " + index
|
this = TExternalAPIParameter(m, index) and
this = TExternalApiParameter(m, index) and
result =
m.getDeclaringType().getQualifiedName() + "." + m.getSignature() + " [" + indexString + "]"
)
}
}
/** DEPRECATED: Alias for ExternalApiUsedWithUntrustedData */
deprecated class ExternalAPIUsedWithUntrustedData = ExternalApiUsedWithUntrustedData;

@@ -18,7 +18,7 @@ class RequestForgeryConfiguration extends TaintTracking::Configuration {
// Exclude results of remote HTTP requests: fetching something else based on that result
// is no worse than following a redirect returned by the remote server, and typically
// we're requesting a resource via https which we trust to only send us to safe URLs.
not source.asExpr().(MethodAccess).getCallee() instanceof URLConnectionGetInputStreamMethod
not source.asExpr().(MethodAccess).getCallee() instanceof UrlConnectionGetInputStreamMethod
}
override predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }

@@ -28,8 +28,8 @@ private class ObjectInputStreamReadObjectMethod extends Method {
}
}
private class XMLDecoderReadObjectMethod extends Method {
XMLDecoderReadObjectMethod() {
private class XmlDecoderReadObjectMethod extends Method {
XmlDecoderReadObjectMethod() {
this.getDeclaringType().hasQualifiedName("java.beans", "XMLDecoder") and
this.hasName("readObject")
}
@@ -140,7 +140,7 @@ predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
.hasQualifiedName("org.apache.commons.io.serialization", "ValidatingObjectInputStream")
)
or
m instanceof XMLDecoderReadObjectMethod and
m instanceof XmlDecoderReadObjectMethod and
sink = ma.getQualifier()
or
m instanceof XStreamReadObjectMethod and

@@ -50,8 +50,8 @@ private class DefaultXssSink extends XssSink {
}
/** A default sanitizer that considers numeric and boolean typed data safe for writing to output. */
private class DefaultXSSSanitizer extends XssSanitizer {
DefaultXSSSanitizer() {
private class DefaultXssSanitizer extends XssSanitizer {
DefaultXssSanitizer() {
this.getType() instanceof NumericType or
this.getType() instanceof BooleanType or
// Match `org.springframework.web.util.HtmlUtils.htmlEscape` and possibly other methods like it.

@@ -358,21 +358,24 @@ class SafeXmlInputFactory extends VarAccess {
/**
* The class `org.jdom.input.SAXBuilder.`
*/
class SAXBuilder extends RefType {
SAXBuilder() {
class SaxBuilder extends RefType {
SaxBuilder() {
this.hasQualifiedName("org.jdom.input", "SAXBuilder") or
this.hasQualifiedName("org.jdom2.input", "SAXBuilder")
}
}
/** DEPRECATED: Alias for SaxBuilder */
deprecated class SAXBuilder = SaxBuilder;
/**
* A call to `SAXBuilder.build.`
*/
class SAXBuilderParse extends XmlParserCall {
SAXBuilderParse() {
class SaxBuilderParse extends XmlParserCall {
SaxBuilderParse() {
exists(Method m |
m = this.getMethod() and
m.getDeclaringType() instanceof SAXBuilder and
m.getDeclaringType() instanceof SaxBuilder and
m.hasName("build")
)
}
@@ -380,19 +383,22 @@ class SAXBuilderParse extends XmlParserCall {
override Expr getSink() { result = this.getArgument(0) }
override predicate isSafe() {
exists(SafeSAXBuilderToSAXBuilderParseFlowConfig conf | conf.hasFlowToExpr(this.getQualifier()))
exists(SafeSaxBuilderToSaxBuilderParseFlowConfig conf | conf.hasFlowToExpr(this.getQualifier()))
}
}
private class SafeSAXBuilderToSAXBuilderParseFlowConfig extends DataFlow2::Configuration {
SafeSAXBuilderToSAXBuilderParseFlowConfig() {
/** DEPRECATED: Alias for SaxBuilderParse */
deprecated class SAXBuilderParse = SaxBuilderParse;
private class SafeSaxBuilderToSaxBuilderParseFlowConfig extends DataFlow2::Configuration {
SafeSaxBuilderToSaxBuilderParseFlowConfig() {
this = "XmlParsers::SafeSAXBuilderToSAXBuilderParseFlowConfig"
}
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSAXBuilder }
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxBuilder }
override predicate isSink(DataFlow::Node sink) {
sink.asExpr() = any(SAXBuilderParse sax).getQualifier()
sink.asExpr() = any(SaxBuilderParse sax).getQualifier()
}
override int fieldFlowBranchLimit() { result = 0 }
@@ -401,22 +407,25 @@ private class SafeSAXBuilderToSAXBuilderParseFlowConfig extends DataFlow2::Confi
/**
* A `ParserConfig` specific to `SAXBuilder`.
*/
class SAXBuilderConfig extends ParserConfig {
SAXBuilderConfig() {
class SaxBuilderConfig extends ParserConfig {
SaxBuilderConfig() {
exists(Method m |
m = this.getMethod() and
m.getDeclaringType() instanceof SAXBuilder and
m.getDeclaringType() instanceof SaxBuilder and
m.hasName("setFeature")
)
}
}
/** A safely configured `SAXBuilder`. */
class SafeSAXBuilder extends VarAccess {
SafeSAXBuilder() {
/** DEPRECATED: Alias for SaxBuilderConfig */
deprecated class SAXBuilderConfig = SaxBuilderConfig;
/** A safely configured `SaxBuilder`. */
class SafeSaxBuilder extends VarAccess {
SafeSaxBuilder() {
exists(Variable v |
v = this.getVariable() and
exists(SAXBuilderConfig config | config.getQualifier() = v.getAnAccess() |
exists(SaxBuilderConfig config | config.getQualifier() = v.getAnAccess() |
config
.enables(any(ConstantStringExpr s |
s.getStringValue() = "http://apache.org/xml/features/disallow-doctype-decl"
@@ -426,6 +435,9 @@ class SafeSAXBuilder extends VarAccess {
}
}
/** DEPRECATED: Alias for SafeSaxBuilder */
deprecated class SafeSAXBuilder = SafeSaxBuilder;
/*
* The case in
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller
@@ -435,21 +447,27 @@ class SafeSAXBuilder extends VarAccess {
/**
* The class `javax.xml.parsers.SAXParser`.
*/
class SAXParser extends RefType {
SAXParser() { this.hasQualifiedName("javax.xml.parsers", "SAXParser") }
class SaxParser extends RefType {
SaxParser() { this.hasQualifiedName("javax.xml.parsers", "SAXParser") }
}
/** The class `javax.xml.parsers.SAXParserFactory`. */
class SAXParserFactory extends RefType {
SAXParserFactory() { this.hasQualifiedName("javax.xml.parsers", "SAXParserFactory") }
/** DEPRECATED: Alias for SaxParser */
deprecated class SAXParser = SaxParser;
/** The class `javax.xml.parsers.SaxParserFactory`. */
class SaxParserFactory extends RefType {
SaxParserFactory() { this.hasQualifiedName("javax.xml.parsers", "SAXParserFactory") }
}
/** A call to `SAXParser.parse`. */
class SAXParserParse extends XmlParserCall {
SAXParserParse() {
/** DEPRECATED: Alias for SaxParserFactory */
deprecated class SAXParserFactory = SaxParserFactory;
/** A call to `SaxParser.parse`. */
class SaxParserParse extends XmlParserCall {
SaxParserParse() {
exists(Method m |
m = this.getMethod() and
m.getDeclaringType() instanceof SAXParser and
m.getDeclaringType() instanceof SaxParser and
m.hasName("parse")
)
}
@@ -457,44 +475,50 @@ class SAXParserParse extends XmlParserCall {
override Expr getSink() { result = this.getArgument(0) }
override predicate isSafe() {
exists(SafeSAXParserFlowConfig sp | sp.hasFlowToExpr(this.getQualifier()))
exists(SafeSaxParserFlowConfig sp | sp.hasFlowToExpr(this.getQualifier()))
}
}
/** A `ParserConfig` that is specific to `SAXParserFactory`. */
class SAXParserFactoryConfig extends ParserConfig {
SAXParserFactoryConfig() {
/** DEPRECATED: Alias for SaxParserParse */
deprecated class SAXParserParse = SaxParserParse;
/** A `ParserConfig` that is specific to `SaxParserFactory`. */
class SaxParserFactoryConfig extends ParserConfig {
SaxParserFactoryConfig() {
exists(Method m |
m = this.getMethod() and
m.getDeclaringType() instanceof SAXParserFactory and
m.getDeclaringType() instanceof SaxParserFactory and
m.hasName("setFeature")
)
}
}
/** DEPRECATED: Alias for SaxParserFactoryConfig */
deprecated class SAXParserFactoryConfig = SaxParserFactoryConfig;
/**
* A safely configured `SAXParserFactory`.
*/
class SafeSAXParserFactory extends VarAccess {
SafeSAXParserFactory() {
class SafeSaxParserFactory extends VarAccess {
SafeSaxParserFactory() {
exists(Variable v | v = this.getVariable() |
exists(SAXParserFactoryConfig config | config.getQualifier() = v.getAnAccess() |
exists(SaxParserFactoryConfig config | config.getQualifier() = v.getAnAccess() |
config.enables(singleSafeConfig())
)
or
exists(SAXParserFactoryConfig config | config.getQualifier() = v.getAnAccess() |
exists(SaxParserFactoryConfig config | config.getQualifier() = v.getAnAccess() |
config
.disables(any(ConstantStringExpr s |
s.getStringValue() = "http://xml.org/sax/features/external-general-entities"
))
) and
exists(SAXParserFactoryConfig config | config.getQualifier() = v.getAnAccess() |
exists(SaxParserFactoryConfig config | config.getQualifier() = v.getAnAccess() |
config
.disables(any(ConstantStringExpr s |
s.getStringValue() = "http://xml.org/sax/features/external-parameter-entities"
))
) and
exists(SAXParserFactoryConfig config | config.getQualifier() = v.getAnAccess() |
exists(SaxParserFactoryConfig config | config.getQualifier() = v.getAnAccess() |
config
.disables(any(ConstantStringExpr s |
s.getStringValue() =
@@ -505,18 +529,21 @@ class SafeSAXParserFactory extends VarAccess {
}
}
private class SafeSAXParserFactoryToNewSAXParserFlowConfig extends DataFlow5::Configuration {
SafeSAXParserFactoryToNewSAXParserFlowConfig() {
/** DEPRECATED: Alias for SafeSaxParserFactory */
deprecated class SafeSAXParserFactory = SafeSaxParserFactory;
private class SafeSaxParserFactoryToNewSaxParserFlowConfig extends DataFlow5::Configuration {
SafeSaxParserFactoryToNewSaxParserFlowConfig() {
this = "XmlParsers::SafeSAXParserFactoryToNewSAXParserFlowConfig"
}
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSAXParserFactory }
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxParserFactory }
override predicate isSink(DataFlow::Node sink) {
exists(MethodAccess ma, Method m |
sink.asExpr() = ma.getQualifier() and
ma.getMethod() = m and
m.getDeclaringType() instanceof SAXParserFactory and
m.getDeclaringType() instanceof SaxParserFactory and
m.hasName("newSAXParser")
)
}
@@ -524,45 +551,51 @@ private class SafeSAXParserFactoryToNewSAXParserFlowConfig extends DataFlow5::Co
override int fieldFlowBranchLimit() { result = 0 }
}
private class SafeSAXParserFlowConfig extends DataFlow4::Configuration {
SafeSAXParserFlowConfig() { this = "XmlParsers::SafeSAXParserFlowConfig" }
private class SafeSaxParserFlowConfig extends DataFlow4::Configuration {
SafeSaxParserFlowConfig() { this = "XmlParsers::SafeSAXParserFlowConfig" }
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSAXParser }
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxParser }
override predicate isSink(DataFlow::Node sink) {
exists(MethodAccess ma |
sink.asExpr() = ma.getQualifier() and ma.getMethod().getDeclaringType() instanceof SAXParser
sink.asExpr() = ma.getQualifier() and ma.getMethod().getDeclaringType() instanceof SaxParser
)
}
override int fieldFlowBranchLimit() { result = 0 }
}
/** A `SAXParser` created from a safely configured `SAXParserFactory`. */
class SafeSAXParser extends MethodAccess {
SafeSAXParser() {
exists(SafeSAXParserFactoryToNewSAXParserFlowConfig sdf |
this.getMethod().getDeclaringType() instanceof SAXParserFactory and
/** A `SaxParser` created from a safely configured `SaxParserFactory`. */
class SafeSaxParser extends MethodAccess {
SafeSaxParser() {
exists(SafeSaxParserFactoryToNewSaxParserFlowConfig sdf |
this.getMethod().getDeclaringType() instanceof SaxParserFactory and
this.getMethod().hasName("newSAXParser") and
sdf.hasFlowToExpr(this.getQualifier())
)
}
}
/** DEPRECATED: Alias for SafeSaxParser */
deprecated class SafeSAXParser = SafeSaxParser;
/* SAXReader: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#saxreader */
/**
* The class `org.dom4j.io.SAXReader`.
*/
class SAXReader extends RefType {
SAXReader() { this.hasQualifiedName("org.dom4j.io", "SAXReader") }
class SaxReader extends RefType {
SaxReader() { this.hasQualifiedName("org.dom4j.io", "SAXReader") }
}
/** A call to `SAXReader.read`. */
class SAXReaderRead extends XmlParserCall {
SAXReaderRead() {
/** DEPRECATED: Alias for SaxReader */
deprecated class SAXReader = SaxReader;
/** A call to `SaxReader.read`. */
class SaxReaderRead extends XmlParserCall {
SaxReaderRead() {
exists(Method m |
m = this.getMethod() and
m.getDeclaringType() instanceof SAXReader and
m.getDeclaringType() instanceof SaxReader and
m.hasName("read")
)
}
@@ -570,52 +603,58 @@ class SAXReaderRead extends XmlParserCall {
override Expr getSink() { result = this.getArgument(0) }
override predicate isSafe() {
exists(SafeSAXReaderFlowConfig sr | sr.hasFlowToExpr(this.getQualifier()))
exists(SafeSaxReaderFlowConfig sr | sr.hasFlowToExpr(this.getQualifier()))
}
}
/** A `ParserConfig` specific to `SAXReader`. */
class SAXReaderConfig extends ParserConfig {
SAXReaderConfig() {
/** DEPRECATED: Alias for SaxReaderRead */
deprecated class SAXReaderRead = SaxReaderRead;
/** A `ParserConfig` specific to `SaxReader`. */
class SaxReaderConfig extends ParserConfig {
SaxReaderConfig() {
exists(Method m |
m = this.getMethod() and
m.getDeclaringType() instanceof SAXReader and
m.getDeclaringType() instanceof SaxReader and
m.hasName("setFeature")
)
}
}
private class SafeSAXReaderFlowConfig extends DataFlow4::Configuration {
SafeSAXReaderFlowConfig() { this = "XmlParsers::SafeSAXReaderFlowConfig" }
/** DEPRECATED: Alias for SaxReaderConfig */
deprecated class SAXReaderConfig = SaxReaderConfig;
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSAXReader }
private class SafeSaxReaderFlowConfig extends DataFlow4::Configuration {
SafeSaxReaderFlowConfig() { this = "XmlParsers::SafeSAXReaderFlowConfig" }
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxReader }
override predicate isSink(DataFlow::Node sink) {
exists(MethodAccess ma |
sink.asExpr() = ma.getQualifier() and ma.getMethod().getDeclaringType() instanceof SAXReader
sink.asExpr() = ma.getQualifier() and ma.getMethod().getDeclaringType() instanceof SaxReader
)
}
override int fieldFlowBranchLimit() { result = 0 }
}
/** A safely configured `SAXReader`. */
class SafeSAXReader extends VarAccess {
SafeSAXReader() {
/** A safely configured `SaxReader`. */
class SafeSaxReader extends VarAccess {
SafeSaxReader() {
exists(Variable v | v = this.getVariable() |
exists(SAXReaderConfig config | config.getQualifier() = v.getAnAccess() |
exists(SaxReaderConfig config | config.getQualifier() = v.getAnAccess() |
config
.disables(any(ConstantStringExpr s |
s.getStringValue() = "http://xml.org/sax/features/external-general-entities"
))
) and
exists(SAXReaderConfig config | config.getQualifier() = v.getAnAccess() |
exists(SaxReaderConfig config | config.getQualifier() = v.getAnAccess() |
config
.disables(any(ConstantStringExpr s |
s.getStringValue() = "http://xml.org/sax/features/external-parameter-entities"
))
) and
exists(SAXReaderConfig config | config.getQualifier() = v.getAnAccess() |
exists(SaxReaderConfig config | config.getQualifier() = v.getAnAccess() |
config
.enables(any(ConstantStringExpr s |
s.getStringValue() = "http://apache.org/xml/features/disallow-doctype-decl"
@@ -625,18 +664,24 @@ class SafeSAXReader extends VarAccess {
}
}
/** DEPRECATED: Alias for SafeSaxReader */
deprecated class SafeSAXReader = SafeSaxReader;
/* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlreader */
/** The class `org.xml.sax.XMLReader`. */
class XMLReader extends RefType {
XMLReader() { this.hasQualifiedName("org.xml.sax", "XMLReader") }
/** The class `org.xml.sax.XmlReader`. */
class XmlReader extends RefType {
XmlReader() { this.hasQualifiedName("org.xml.sax", "XMLReader") }
}
/** A call to `XMLReader.read`. */
class XMLReaderParse extends XmlParserCall {
XMLReaderParse() {
/** DEPRECATED: Alias for XmlReader */
deprecated class XMLReader = XmlReader;
/** A call to `XmlReader.read`. */
class XmlReaderParse extends XmlParserCall {
XmlReaderParse() {
exists(Method m |
m = this.getMethod() and
m.getDeclaringType() instanceof XMLReader and
m.getDeclaringType() instanceof XmlReader and
m.hasName("parse")
)
}
@@ -644,59 +689,68 @@ class XMLReaderParse extends XmlParserCall {
override Expr getSink() { result = this.getArgument(0) }
override predicate isSafe() {
exists(ExplicitlySafeXMLReader sr | sr.flowsTo(this.getQualifier())) or
exists(CreatedSafeXMLReader cr | cr.flowsTo(this.getQualifier()))
exists(ExplicitlySafeXmlReader sr | sr.flowsTo(this.getQualifier())) or
exists(CreatedSafeXmlReader cr | cr.flowsTo(this.getQualifier()))
}
}
/** A `ParserConfig` specific to the `XMLReader`. */
class XMLReaderConfig extends ParserConfig {
XMLReaderConfig() {
/** DEPRECATED: Alias for XmlReaderParse */
deprecated class XMLReaderParse = XmlReaderParse;
/** A `ParserConfig` specific to the `XmlReader`. */
class XmlReaderConfig extends ParserConfig {
XmlReaderConfig() {
exists(Method m |
m = this.getMethod() and
m.getDeclaringType() instanceof XMLReader and
m.getDeclaringType() instanceof XmlReader and
m.hasName("setFeature")
)
}
}
private class ExplicitlySafeXMLReaderFlowConfig extends DataFlow3::Configuration {
ExplicitlySafeXMLReaderFlowConfig() { this = "XmlParsers::ExplicitlySafeXMLReaderFlowConfig" }
/** DEPRECATED: Alias for XmlReaderConfig */
deprecated class XMLReaderConfig = XmlReaderConfig;
private class ExplicitlySafeXmlReaderFlowConfig extends DataFlow3::Configuration {
ExplicitlySafeXmlReaderFlowConfig() { this = "XmlParsers::ExplicitlySafeXMLReaderFlowConfig" }
override predicate isSource(DataFlow::Node src) {
src.asExpr() instanceof ExplicitlySafeXMLReader
src.asExpr() instanceof ExplicitlySafeXmlReader
}
override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof SafeXMLReaderFlowSink }
override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof SafeXmlReaderFlowSink }
override int fieldFlowBranchLimit() { result = 0 }
}
class SafeXMLReaderFlowSink extends Expr {
SafeXMLReaderFlowSink() {
this = any(XMLReaderParse p).getQualifier() or
this = any(ConstructedSAXSource s).getArgument(0) or
this = any(SAXSourceSetReader s).getArgument(0)
class SafeXmlReaderFlowSink extends Expr {
SafeXmlReaderFlowSink() {
this = any(XmlReaderParse p).getQualifier() or
this = any(ConstructedSaxSource s).getArgument(0) or
this = any(SaxSourceSetReader s).getArgument(0)
}
}
/** An `XMLReader` that is explicitly configured to be safe. */
class ExplicitlySafeXMLReader extends VarAccess {
ExplicitlySafeXMLReader() {
/** DEPRECATED: Alias for SafeXmlReaderFlowSink */
deprecated class SafeXMLReaderFlowSink = SafeXmlReaderFlowSink;
/** An `XmlReader` that is explicitly configured to be safe. */
class ExplicitlySafeXmlReader extends VarAccess {
ExplicitlySafeXmlReader() {
exists(Variable v | v = this.getVariable() |
exists(XMLReaderConfig config | config.getQualifier() = v.getAnAccess() |
exists(XmlReaderConfig config | config.getQualifier() = v.getAnAccess() |
config
.disables(any(ConstantStringExpr s |
s.getStringValue() = "http://xml.org/sax/features/external-general-entities"
))
) and
exists(XMLReaderConfig config | config.getQualifier() = v.getAnAccess() |
exists(XmlReaderConfig config | config.getQualifier() = v.getAnAccess() |
config
.disables(any(ConstantStringExpr s |
s.getStringValue() = "http://xml.org/sax/features/external-parameter-entities"
))
) and
exists(XMLReaderConfig config | config.getQualifier() = v.getAnAccess() |
exists(XmlReaderConfig config | config.getQualifier() = v.getAnAccess() |
config
.disables(any(ConstantStringExpr s |
s.getStringValue() =
@@ -704,7 +758,7 @@ class ExplicitlySafeXMLReader extends VarAccess {
))
)
or
exists(XMLReaderConfig config | config.getQualifier() = v.getAnAccess() |
exists(XmlReaderConfig config | config.getQualifier() = v.getAnAccess() |
config
.enables(any(ConstantStringExpr s |
s.getStringValue() = "http://apache.org/xml/features/disallow-doctype-decl"
@@ -713,35 +767,38 @@ class ExplicitlySafeXMLReader extends VarAccess {
)
}
predicate flowsTo(SafeXMLReaderFlowSink sink) {
any(ExplicitlySafeXMLReaderFlowConfig conf)
predicate flowsTo(SafeXmlReaderFlowSink sink) {
any(ExplicitlySafeXmlReaderFlowConfig conf)
.hasFlow(DataFlow::exprNode(this), DataFlow::exprNode(sink))
}
}
private class CreatedSafeXMLReaderFlowConfig extends DataFlow3::Configuration {
CreatedSafeXMLReaderFlowConfig() { this = "XmlParsers::CreatedSafeXMLReaderFlowConfig" }
/** DEPRECATED: Alias for ExplicitlySafeXmlReader */
deprecated class ExplicitlySafeXMLReader = ExplicitlySafeXmlReader;
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof CreatedSafeXMLReader }
private class CreatedSafeXmlReaderFlowConfig extends DataFlow3::Configuration {
CreatedSafeXmlReaderFlowConfig() { this = "XmlParsers::CreatedSafeXMLReaderFlowConfig" }
override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof SafeXMLReaderFlowSink }
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof CreatedSafeXmlReader }
override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof SafeXmlReaderFlowSink }
override int fieldFlowBranchLimit() { result = 0 }
}
/** An `XMLReader` that is obtained from a safe source. */
class CreatedSafeXMLReader extends Call {
CreatedSafeXMLReader() {
/** An `XmlReader` that is obtained from a safe source. */
class CreatedSafeXmlReader extends Call {
CreatedSafeXmlReader() {
//Obtained from SAXParser
exists(SafeSAXParserFlowConfig safeParser |
this.(MethodAccess).getMethod().getDeclaringType() instanceof SAXParser and
exists(SafeSaxParserFlowConfig safeParser |
this.(MethodAccess).getMethod().getDeclaringType() instanceof SaxParser and
this.(MethodAccess).getMethod().hasName("getXMLReader") and
safeParser.hasFlowToExpr(this.getQualifier())
)
or
//Obtained from SAXReader
exists(SafeSAXReaderFlowConfig safeReader |
this.(MethodAccess).getMethod().getDeclaringType() instanceof SAXReader and
exists(SafeSaxReaderFlowConfig safeReader |
this.(MethodAccess).getMethod().getDeclaringType() instanceof SaxReader and
this.(MethodAccess).getMethod().hasName("getXMLReader") and
safeReader.hasFlowToExpr(this.getQualifier())
)
@@ -753,28 +810,34 @@ class CreatedSafeXMLReader extends Call {
)
}
predicate flowsTo(SafeXMLReaderFlowSink sink) {
any(CreatedSafeXMLReaderFlowConfig conf)
predicate flowsTo(SafeXmlReaderFlowSink sink) {
any(CreatedSafeXmlReaderFlowConfig conf)
.hasFlow(DataFlow::exprNode(this), DataFlow::exprNode(sink))
}
}
/** DEPRECATED: Alias for CreatedSafeXmlReader */
deprecated class CreatedSafeXMLReader = CreatedSafeXmlReader;
/*
* SAXSource in
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller
*/
/** The class `javax.xml.transform.sax.SAXSource` */
class SAXSource extends RefType {
SAXSource() { this.hasQualifiedName("javax.xml.transform.sax", "SAXSource") }
/** The class `javax.xml.transform.sax.SaxSource` */
class SaxSource extends RefType {
SaxSource() { this.hasQualifiedName("javax.xml.transform.sax", "SAXSource") }
}
/** A call to the constructor of `SAXSource` with `XMLReader` and `InputSource`. */
class ConstructedSAXSource extends ClassInstanceExpr {
ConstructedSAXSource() {
this.getConstructedType() instanceof SAXSource and
/** DEPRECATED: Alias for SaxSource */
deprecated class SAXSource = SaxSource;
/** A call to the constructor of `SaxSource` with `XmlReader` and `InputSource`. */
class ConstructedSaxSource extends ClassInstanceExpr {
ConstructedSaxSource() {
this.getConstructedType() instanceof SaxSource and
this.getNumArgument() = 2 and
this.getArgument(0).getType() instanceof XMLReader
this.getArgument(0).getType() instanceof XmlReader
}
/**
@@ -782,40 +845,49 @@ class ConstructedSAXSource extends ClassInstanceExpr {
*/
Expr getSink() { result = this.getArgument(1) }
/** Holds if the resulting `SAXSource` is safe. */
/** Holds if the resulting `SaxSource` is safe. */
predicate isSafe() {
exists(CreatedSafeXMLReader safeReader | safeReader.flowsTo(this.getArgument(0))) or
exists(ExplicitlySafeXMLReader safeReader | safeReader.flowsTo(this.getArgument(0)))
exists(CreatedSafeXmlReader safeReader | safeReader.flowsTo(this.getArgument(0))) or
exists(ExplicitlySafeXmlReader safeReader | safeReader.flowsTo(this.getArgument(0)))
}
}
/** A call to the `SAXSource.setXMLReader` method. */
class SAXSourceSetReader extends MethodAccess {
SAXSourceSetReader() {
/** DEPRECATED: Alias for ConstructedSaxSource */
deprecated class ConstructedSAXSource = ConstructedSaxSource;
/** A call to the `SaxSource.setXMLReader` method. */
class SaxSourceSetReader extends MethodAccess {
SaxSourceSetReader() {
exists(Method m |
m = this.getMethod() and
m.getDeclaringType() instanceof SAXSource and
m.getDeclaringType() instanceof SaxSource and
m.hasName("setXMLReader")
)
}
}
/** A `SAXSource` that is safe to use. */
class SafeSAXSource extends Expr {
SafeSAXSource() {
/** DEPRECATED: Alias for SaxSourceSetReader */
deprecated class SAXSourceSetReader = SaxSourceSetReader;
/** A `SaxSource` that is safe to use. */
class SafeSaxSource extends Expr {
SafeSaxSource() {
exists(Variable v | v = this.(VarAccess).getVariable() |
exists(SAXSourceSetReader s | s.getQualifier() = v.getAnAccess() |
exists(SaxSourceSetReader s | s.getQualifier() = v.getAnAccess() |
(
exists(CreatedSafeXMLReader safeReader | safeReader.flowsTo(s.getArgument(0))) or
exists(ExplicitlySafeXMLReader safeReader | safeReader.flowsTo(s.getArgument(0)))
exists(CreatedSafeXmlReader safeReader | safeReader.flowsTo(s.getArgument(0))) or
exists(ExplicitlySafeXmlReader safeReader | safeReader.flowsTo(s.getArgument(0)))
)
)
)
or
this.(ConstructedSAXSource).isSafe()
this.(ConstructedSaxSource).isSafe()
}
}
/** DEPRECATED: Alias for SafeSaxSource */
deprecated class SafeSAXSource = SafeSaxSource;
/* Transformer: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory */
/** An access to a method use for configuring a transformer or schema. */
abstract class TransformerConfig extends MethodAccess {
@@ -992,8 +1064,8 @@ class SafeTransformer extends MethodAccess {
*/
/** A call to `SAXTransformerFactory.newFilter`. */
class SAXTransformerFactoryNewXMLFilter extends XmlParserCall {
SAXTransformerFactoryNewXMLFilter() {
class SaxTransformerFactoryNewXmlFilter extends XmlParserCall {
SaxTransformerFactoryNewXmlFilter() {
exists(Method m |
this.getMethod() = m and
m.getDeclaringType().hasQualifiedName("javax.xml.transform.sax", "SAXTransformerFactory") and
@@ -1008,6 +1080,9 @@ class SAXTransformerFactoryNewXMLFilter extends XmlParserCall {
}
}
/** DEPRECATED: Alias for SaxTransformerFactoryNewXmlFilter */
deprecated class SAXTransformerFactoryNewXMLFilter = SaxTransformerFactoryNewXmlFilter;
/* Schema: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory */
/** The class `javax.xml.validation.SchemaFactory`. */
class SchemaFactory extends RefType {
@@ -1116,8 +1191,8 @@ class XPathEvaluate extends XmlParserCall {
// Sink methods in simplexml http://simple.sourceforge.net/home.php
/** A call to `read` or `validate` in `Persister`. */
class SimpleXMLPersisterCall extends XmlParserCall {
SimpleXMLPersisterCall() {
class SimpleXmlPersisterCall extends XmlParserCall {
SimpleXmlPersisterCall() {
exists(Method m |
this.getMethod() = m and
(m.hasName("validate") or m.hasName("read")) and
@@ -1130,9 +1205,12 @@ class SimpleXMLPersisterCall extends XmlParserCall {
override predicate isSafe() { none() }
}
/** DEPRECATED: Alias for SimpleXmlPersisterCall */
deprecated class SimpleXMLPersisterCall = SimpleXmlPersisterCall;
/** A call to `provide` in `Provider`. */
class SimpleXMLProviderCall extends XmlParserCall {
SimpleXMLProviderCall() {
class SimpleXmlProviderCall extends XmlParserCall {
SimpleXmlProviderCall() {
exists(Method m |
this.getMethod() = m and
m.hasName("provide") and
@@ -1148,9 +1226,12 @@ class SimpleXMLProviderCall extends XmlParserCall {
override predicate isSafe() { none() }
}
/** DEPRECATED: Alias for SimpleXmlProviderCall */
deprecated class SimpleXMLProviderCall = SimpleXmlProviderCall;
/** A call to `read` in `NodeBuilder`. */
class SimpleXMLNodeBuilderCall extends XmlParserCall {
SimpleXMLNodeBuilderCall() {
class SimpleXmlNodeBuilderCall extends XmlParserCall {
SimpleXmlNodeBuilderCall() {
exists(Method m |
this.getMethod() = m and
m.hasName("read") and
@@ -1163,9 +1244,12 @@ class SimpleXMLNodeBuilderCall extends XmlParserCall {
override predicate isSafe() { none() }
}
/** DEPRECATED: Alias for SimpleXmlNodeBuilderCall */
deprecated class SimpleXMLNodeBuilderCall = SimpleXmlNodeBuilderCall;
/** A call to the `format` method of the `Formatter`. */
class SimpleXMLFormatterCall extends XmlParserCall {
SimpleXMLFormatterCall() {
class SimpleXmlFormatterCall extends XmlParserCall {
SimpleXmlFormatterCall() {
exists(Method m |
this.getMethod() = m and
m.hasName("format") and
@@ -1178,6 +1262,9 @@ class SimpleXMLFormatterCall extends XmlParserCall {
override predicate isSafe() { none() }
}
/** DEPRECATED: Alias for SimpleXmlFormatterCall */
deprecated class SimpleXMLFormatterCall = SimpleXmlFormatterCall;
/** A configuration for secure processing. */
Expr configSecureProcessing() {
result.(ConstantStringExpr).getStringValue() =


@@ -112,7 +112,7 @@ private predicate documentBuilderStep(DataFlow::Node n1, DataFlow::Node n2) {
* `new DOMSource(tainted)`.
*/
private predicate domSourceStep(DataFlow::Node n1, DataFlow::Node n2) {
exists(ConstructorCall cc | cc.getConstructedType() instanceof TypeDOMSource |
exists(ConstructorCall cc | cc.getConstructedType() instanceof TypeDomSource |
n1.asExpr() = cc.getAnArgument() and
n2.asExpr() = cc
)
@@ -179,8 +179,8 @@ private class TypeStAXSource extends Class {
}
/** The class `javax.xml.transform.dom.DOMSource`. */
private class TypeDOMSource extends Class {
TypeDOMSource() { this.hasQualifiedName("javax.xml.transform.dom", "DOMSource") }
private class TypeDomSource extends Class {
TypeDomSource() { this.hasQualifiedName("javax.xml.transform.dom", "DOMSource") }
}
/** The interface `javax.xml.transform.Templates`. */


@@ -3,13 +3,16 @@ import java
/**
* Holds if any `web.xml` files are included in this snapshot.
*/
predicate isWebXMLIncluded() { exists(WebXMLFile webXML) }
predicate isWebXmlIncluded() { exists(WebXmlFile webXml) }
/** DEPRECATED: Alias for isWebXmlIncluded */
deprecated predicate isWebXMLIncluded = isWebXmlIncluded/0;
/**
* A deployment descriptor file, typically called `web.xml`.
*/
class WebXMLFile extends XMLFile {
WebXMLFile() {
class WebXmlFile extends XMLFile {
WebXmlFile() {
count(XMLElement e | e = this.getAChild()) = 1 and
this.getAChild().getName() = "web-app"
}
@@ -28,11 +31,14 @@ class WebXMLFile extends XMLFile {
}
}
/** DEPRECATED: Alias for WebXmlFile */
deprecated class WebXMLFile = WebXmlFile;
/**
* An XML element in a `WebXMLFile`.
*/
class WebXMLElement extends XMLElement {
WebXMLElement() { this.getFile() instanceof WebXMLFile }
class WebXmlElement extends XMLElement {
WebXmlElement() { this.getFile() instanceof WebXmlFile }
/**
* Gets the value for this element, with leading and trailing whitespace trimmed.
@@ -40,10 +46,13 @@ class WebXMLElement extends XMLElement {
string getValue() { result = this.allCharactersString().trim() }
}
/** DEPRECATED: Alias for WebXmlElement */
deprecated class WebXMLElement = WebXmlElement;
/**
* A `<context-param>` element in a `web.xml` file.
*/
class WebContextParameter extends WebXMLElement {
class WebContextParameter extends WebXmlElement {
WebContextParameter() { this.getName() = "context-param" }
/**
@@ -60,28 +69,28 @@ class WebContextParameter extends WebXMLElement {
/**
* A `<param-name>` element in a `web.xml` file.
*/
class WebContextParamName extends WebXMLElement {
class WebContextParamName extends WebXmlElement {
WebContextParamName() { this.getName() = "param-name" }
}
/**
* A `<param-value>` element in a `web.xml` file.
*/
class WebContextParamValue extends WebXMLElement {
class WebContextParamValue extends WebXmlElement {
WebContextParamValue() { this.getName() = "param-value" }
}
/**
* A `<filter>` element in a `web.xml` file.
*/
class WebFilter extends WebXMLElement {
class WebFilter extends WebXmlElement {
WebFilter() { this.getName() = "filter" }
}
/**
* A `<filter-class>` element in a `web.xml` file, nested under a `<filter>` element.
*/
class WebFilterClass extends WebXMLElement {
class WebFilterClass extends WebXmlElement {
WebFilterClass() {
this.getName() = "filter-class" and
this.getParent() instanceof WebFilter
@@ -93,14 +102,14 @@ class WebFilterClass extends WebXMLElement {
/**
* A `<servlet>` element in a `web.xml` file.
*/
class WebServlet extends WebXMLElement {
class WebServlet extends WebXmlElement {
WebServlet() { this.getName() = "servlet" }
}
/**
* A `<servlet-class>` element in a `web.xml` file, nested under a `<servlet>` element.
*/
class WebServletClass extends WebXMLElement {
class WebServletClass extends WebXmlElement {
WebServletClass() {
this.getName() = "servlet-class" and
this.getParent() instanceof WebServlet
@@ -112,14 +121,14 @@ class WebServletClass extends WebXMLElement {
/**
* A `<listener>` element in a `web.xml` file.
*/
class WebListener extends WebXMLElement {
class WebListener extends WebXmlElement {
WebListener() { this.getName() = "listener" }
}
/**
* A `<listener-class>` element in a `web.xml` file, nested under a `<listener>` element.
*/
class WebListenerClass extends WebXMLElement {
class WebListenerClass extends WebXmlElement {
WebListenerClass() {
this.getName() = "listener-class" and
this.getParent() instanceof WebListener
@@ -134,7 +143,7 @@ class WebListenerClass extends WebXMLElement {
/**
* An `<error-page>` element in a `web.xml` file.
*/
class WebErrorPage extends WebXMLElement {
class WebErrorPage extends WebXmlElement {
WebErrorPage() { this.getName() = "error-page" }
/**
@@ -151,7 +160,7 @@ class WebErrorPage extends WebXMLElement {
/**
* An `<exception-type>` element in a `web.xml` file, nested under an `<error-page>` element.
*/
class WebErrorPageType extends WebXMLElement {
class WebErrorPageType extends WebXmlElement {
WebErrorPageType() {
this.getName() = "exception-type" and
this.getParent() instanceof WebErrorPage
@@ -161,7 +170,7 @@ class WebErrorPageType extends WebXMLElement {
/**
* A `<location>` element in a `web.xml` file, nested under an `<error-page>` element.
*/
class WebErrorPageLocation extends WebXMLElement {
class WebErrorPageLocation extends WebXmlElement {
WebErrorPageLocation() {
this.getName() = "location" and
this.getParent() instanceof WebErrorPage
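Review bot: The doc comment "An XML element in a `WebXMLFile`." above the renamed `WebXmlElement` class still refers to the old class name, so the primary documentation now points readers at the deprecated alias rather than at `WebXmlFile`; suggest `* An XML element in a `WebXmlFile`.`. The same stale reference survives in the Struts section ("An XML element in a `StrutsXMLFile`.") and several times in the MyBatis mapper section ("in a `MyBatisMapperXMLFile`", "in a `MyBatisMapperXMLElement`"), where the same one-word update applies. Only comment text is affected; the aliases keep old code compiling, so this is a documentation follow-up rather than a functional issue.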


@@ -4,11 +4,11 @@
import semmle.files.FileSystem
private class TXMLLocatable =
private class TXmlLocatable =
@xmldtd or @xmlelement or @xmlattribute or @xmlnamespace or @xmlcomment or @xmlcharacters;
/** An XML element that has a location. */
class XMLLocatable extends @xmllocatable, TXMLLocatable {
class XMLLocatable extends @xmllocatable, TXmlLocatable {
/** Gets the source location for this element. */
Location getLocation() { xmllocations(this, result) }


@@ -100,7 +100,7 @@ class SpringPureClass extends Class {
// Setter method by autowiring, either in the XML or by annotation
c = this.getAMethod().(SpringBeanAutowiredCallable)
or
c = this.getAMethod().(SpringBeanXMLAutowiredSetterMethod)
c = this.getAMethod().(SpringBeanXmlAutowiredSetterMethod)
)
}
}
@@ -189,7 +189,7 @@ class LiveSpringBean extends SpringBean {
)
or
// Injected by autowired specified in XML
exists(SpringBeanXMLAutowiredSetterMethod setterMethod |
exists(SpringBeanXmlAutowiredSetterMethod setterMethod |
// The config method must be on a live bean
setterMethod.getDeclaringType().(SpringBeanRefType).getSpringBean() instanceof
LiveSpringBean


@@ -51,7 +51,7 @@ class SpringPropertyUseShortcut extends SpringProperty {
}
}
from SpringXMLElement springElement, string msg
from SpringXmlElement springElement, string msg
where
exists(SpringConstructorArgUseShortcut cons | cons = springElement and msg = cons.getMessage())
or


@@ -74,8 +74,8 @@ where
) and
// None of the ssa variables in `cond` are updated inside the loop.
forex(SsaVariable ssa, RValue use | ssa.getAUse() = use and use.getParent*() = cond |
not ssa.getCFGNode().getEnclosingStmt().getEnclosingStmt*() = loop or
ssa.getCFGNode().(Expr).getParent*() = loop.(ForStmt).getAnInit()
not ssa.getCfgNode().getEnclosingStmt().getEnclosingStmt*() = loop or
ssa.getCfgNode().(Expr).getParent*() = loop.(ForStmt).getAnInit()
) and
// And `cond` does not use method calls, field reads, or array reads.
not exists(MethodAccess ma | ma.getParent*() = cond) and


@@ -12,7 +12,7 @@ import java
import semmle.code.java.security.ExternalAPIs
import semmle.code.java.dataflow.DataFlow
from ExternalAPIUsedWithUntrustedData externalAPI
select externalAPI, count(externalAPI.getUntrustedDataNode()) as numberOfUses,
externalAPI.getNumberOfUntrustedSources() as numberOfUntrustedSources order by
from ExternalApiUsedWithUntrustedData externalApi
select externalApi, count(externalApi.getUntrustedDataNode()) as numberOfUses,
externalApi.getNumberOfUntrustedSources() as numberOfUntrustedSources order by
numberOfUntrustedSources desc


@@ -15,8 +15,8 @@ import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.security.ExternalAPIs
import DataFlow::PathGraph
from UntrustedDataToExternalAPIConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
from UntrustedDataToExternalApiConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink, source, sink,
"Call to " + sink.getNode().(ExternalAPIDataNode).getMethodDescription() +
"Call to " + sink.getNode().(ExternalApiDataNode).getMethodDescription() +
" with untrusted data from $@.", source, source.toString()


@@ -16,8 +16,8 @@ import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.XSS
import DataFlow::PathGraph
class XSSConfig extends TaintTracking::Configuration {
XSSConfig() { this = "XSSConfig" }
class XssConfig extends TaintTracking::Configuration {
XssConfig() { this = "XSSConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -32,7 +32,7 @@ class XSSConfig extends TaintTracking::Configuration {
}
}
from DataFlow::PathNode source, DataFlow::PathNode sink, XSSConfig conf
from DataFlow::PathNode source, DataFlow::PathNode sink, XssConfig conf
where conf.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
source.getNode(), "user-provided value"


@@ -16,15 +16,15 @@ import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.XSS
import DataFlow::PathGraph
class XSSLocalConfig extends TaintTracking::Configuration {
XSSLocalConfig() { this = "XSSLocalConfig" }
class XssLocalConfig extends TaintTracking::Configuration {
XssLocalConfig() { this = "XSSLocalConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
}
from DataFlow::PathNode source, DataFlow::PathNode sink, XSSLocalConfig conf
from DataFlow::PathNode source, DataFlow::PathNode sink, XssLocalConfig conf
where conf.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
source.getNode(), "user-provided value"


@@ -14,8 +14,8 @@ import java
import semmle.code.java.dataflow.TypeFlow
import semmle.code.java.security.Encryption
class URLConnection extends RefType {
URLConnection() {
class UrlConnection extends RefType {
UrlConnection() {
this.getAnAncestor().hasQualifiedName("java.net", "URLConnection") and
not this.hasName("JarURLConnection")
}
@@ -29,7 +29,7 @@ from MethodAccess m, Class c, string type
where
m.getQualifier().getType() = c and
(
c instanceof URLConnection and type = "connection"
c instanceof UrlConnection and type = "connection"
or
c instanceof Socket and type = "socket"
) and


@@ -19,10 +19,10 @@ import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking2
import DataFlow::PathGraph
class SafeSAXSourceFlowConfig extends TaintTracking2::Configuration {
SafeSAXSourceFlowConfig() { this = "XmlParsers::SafeSAXSourceFlowConfig" }
class SafeSaxSourceFlowConfig extends TaintTracking2::Configuration {
SafeSaxSourceFlowConfig() { this = "XmlParsers::SafeSAXSourceFlowConfig" }
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSAXSource }
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxSource }
override predicate isSink(DataFlow::Node sink) {
sink.asExpr() = any(XmlParserCall parse).getSink()
@@ -33,7 +33,7 @@ class SafeSAXSourceFlowConfig extends TaintTracking2::Configuration {
class UnsafeXxeSink extends DataFlow::ExprNode {
UnsafeXxeSink() {
not exists(SafeSAXSourceFlowConfig safeSource | safeSource.hasFlowTo(this)) and
not exists(SafeSaxSourceFlowConfig safeSource | safeSource.hasFlowTo(this)) and
exists(XmlParserCall parse |
parse.getSink() = this.getExpr() and
not parse.isSafe()


@@ -12,8 +12,8 @@ private import semmle.code.java.dataflow.TaintTracking
/**
* An external API from either the Java Standard Library or a 3rd party library.
*/
class ExternalAPI extends Callable {
ExternalAPI() { not this.fromSource() }
class ExternalApi extends Callable {
ExternalApi() { not this.fromSource() }
/** Holds if this API is not worth supporting */
predicate isUninteresting() { this.isTestLibrary() or this.isParameterlessConstructor() }
@@ -80,6 +80,9 @@ class ExternalAPI extends Callable {
predicate isSupported() { this.hasSummary() or this.isSource() or this.isSink() }
}
/** DEPRECATED: Alias for ExternalApi */
deprecated class ExternalAPI = ExternalApi;
private class TestLibrary extends RefType {
TestLibrary() {
this.getPackage()


@@ -12,7 +12,7 @@ import ExternalAPI
from int usages, string jarname
where
usages =
strictcount(Call c, ExternalAPI a |
strictcount(Call c, ExternalApi a |
c.getCallee().getSourceDeclaration() = a and
not c.getFile() instanceof GeneratedFile and
a.jarContainer() = jarname and


@@ -10,7 +10,7 @@ import java
import ExternalAPI
import semmle.code.java.GeneratedFiles
from ExternalAPI api, int usages
from ExternalApi api, int usages
where
not api.isUninteresting() and
api.isSink() and


@@ -10,7 +10,7 @@ import java
import ExternalAPI
import semmle.code.java.GeneratedFiles
from ExternalAPI api, int usages
from ExternalApi api, int usages
where
not api.isUninteresting() and
api.isSource() and


@@ -10,7 +10,7 @@ import java
import ExternalAPI
import semmle.code.java.GeneratedFiles
from ExternalAPI api, int usages
from ExternalApi api, int usages
where
not api.isUninteresting() and
api.hasSummary() and


@@ -10,7 +10,7 @@ import java
import ExternalAPI
import semmle.code.java.GeneratedFiles
from ExternalAPI api, int usages
from ExternalApi api, int usages
where
not api.isUninteresting() and
not api.isSupported() and


@@ -44,8 +44,8 @@ predicate overwritten(SsaExplicitUpdate ssa) {
not deadLocal(overwrite) and
not overwrite.getDefiningExpr() instanceof LocalVariableDeclExpr and
exists(BasicBlock bb1, BasicBlock bb2, int i, int j |
bb1.getNode(i) = ssa.getCFGNode() and
bb2.getNode(j) = overwrite.getCFGNode()
bb1.getNode(i) = ssa.getCfgNode() and
bb2.getNode(j) = overwrite.getCfgNode()
|
bb1.getABBSuccessor+() = bb2
or


@@ -16,8 +16,8 @@ import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.ExternalFlow
import DataFlow::PathGraph
class URLConstructor extends ClassInstanceExpr {
URLConstructor() { this.getConstructor().getDeclaringType() instanceof TypeUrl }
class UrlConstructor extends ClassInstanceExpr {
UrlConstructor() { this.getConstructor().getDeclaringType() instanceof TypeUrl }
Expr stringArg() {
// Query only in URL's that were constructed by calling the single parameter string constructor.
@@ -27,28 +27,28 @@ class URLConstructor extends ClassInstanceExpr {
}
}
class URLOpenStreamMethod extends Method {
URLOpenStreamMethod() {
class UrlOpenStreamMethod extends Method {
UrlOpenStreamMethod() {
this.getDeclaringType() instanceof TypeUrl and
this.getName() = "openStream"
}
}
class RemoteURLToOpenStreamFlowConfig extends TaintTracking::Configuration {
RemoteURLToOpenStreamFlowConfig() { this = "OpenStream::RemoteURLToOpenStreamFlowConfig" }
class RemoteUrlToOpenStreamFlowConfig extends TaintTracking::Configuration {
RemoteUrlToOpenStreamFlowConfig() { this = "OpenStream::RemoteURLToOpenStreamFlowConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) {
exists(MethodAccess m |
sink.asExpr() = m.getQualifier() and m.getMethod() instanceof URLOpenStreamMethod
sink.asExpr() = m.getQualifier() and m.getMethod() instanceof UrlOpenStreamMethod
)
or
sinkNode(sink, "url-open-stream")
}
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(URLConstructor u |
exists(UrlConstructor u |
node1.asExpr() = u.stringArg() and
node2.asExpr() = u
)
@@ -58,6 +58,6 @@ class RemoteURLToOpenStreamFlowConfig extends TaintTracking::Configuration {
from DataFlow::PathNode source, DataFlow::PathNode sink, MethodAccess call
where
sink.getNode().asExpr() = call.getQualifier() and
any(RemoteURLToOpenStreamFlowConfig c).hasFlowPath(source, sink)
any(RemoteUrlToOpenStreamFlowConfig c).hasFlowPath(source, sink)
select call, source, sink,
"URL on which openStream is called may have been constructed from remote source"


@@ -45,7 +45,7 @@ class ListType extends RefType {
}
/** Holds if the specified `method` uses MyBatis Mapper XMLElement `mmxx`. */
predicate myBatisMapperXMLElementFromMethod(Method method, MyBatisMapperXMLElement mmxx) {
predicate myBatisMapperXmlElementFromMethod(Method method, MyBatisMapperXmlElement mmxx) {
exists(MyBatisMapperSqlOperation mbmxe | mbmxe.getMapperMethod() = method |
mbmxe.getAChild*() = mmxx
or
@@ -56,6 +56,9 @@ predicate myBatisMapperXMLElementFromMethod(Method method, MyBatisMapperXMLEleme
)
}
/** DEPRECATED: Alias for myBatisMapperXmlElementFromMethod */
deprecated predicate myBatisMapperXMLElementFromMethod = myBatisMapperXmlElementFromMethod/2;
/** Holds if the specified `method` has Ibatis Sql operation annotation `isoa`. */
predicate myBatisSqlOperationAnnotationFromMethod(Method method, IbatisSqlOperationAnnotation isoa) {
exists(MyBatisSqlOperationAnnotationMethod msoam |


@@ -45,11 +45,11 @@ private class MyBatisMapperXmlSqlInjectionConfiguration extends TaintTracking::C
from
MyBatisMapperXmlSqlInjectionConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink,
MyBatisMapperXMLElement mmxe, MethodAccess ma, string unsafeExpression
MyBatisMapperXmlElement mmxe, MethodAccess ma, string unsafeExpression
where
cfg.hasFlowPath(source, sink) and
ma.getAnArgument() = sink.getNode().asExpr() and
myBatisMapperXMLElementFromMethod(ma.getMethod(), mmxe) and
myBatisMapperXmlElementFromMethod(ma.getMethod(), mmxe) and
unsafeExpression = getAMybatisXmlSetValue(mmxe) and
(
isMybatisXmlOrAnnotationSqlInjection(sink.getNode(), ma, unsafeExpression)


@@ -17,10 +17,10 @@ private class HttpOnlyConfig extends WebContextParameter {
string getParamValueElementValue() { result = this.getParamValue().getValue() }
predicate isHTTPOnlySet() { this.getParamValueElementValue().toLowerCase() = "false" }
predicate isHttpOnlySet() { this.getParamValueElementValue().toLowerCase() = "false" }
}
from HttpOnlyConfig config
where config.isHTTPOnlySet()
where config.isHttpOnlySet()
select config,
"httpOnly should be enabled in tomcat config file to help mitigate cross-site scripting (XSS) attacks"


@@ -27,7 +27,7 @@ private class DefaultTomcatServlet extends WebServletClass {
/**
* The `<init-param>` element in a `web.xml` file, nested under a `<servlet>` element controlling directory listing.
*/
class DirectoryListingInitParam extends WebXMLElement {
class DirectoryListingInitParam extends WebXmlElement {
DirectoryListingInitParam() {
this.getName() = "init-param" and
this.getAChild("param-name").getTextValue() = "listings" and


@@ -23,7 +23,7 @@ class UnsafeUrlForwardFlowConfig extends TaintTracking::Configuration {
not exists(MethodAccess ma, Method m | ma.getMethod() = m |
(
m instanceof HttpServletRequestGetRequestURIMethod or
m instanceof HttpServletRequestGetRequestURLMethod or
m instanceof HttpServletRequestGetRequestUrlMethod or
m instanceof HttpServletRequestGetPathMethod
) and
ma = source.asExpr()


@@ -204,17 +204,20 @@ private class SafeDigesterFlowConfig extends DataFlow4::Configuration {
override int fieldFlowBranchLimit() { result = 0 }
}
/** The class `java.beans.XMLDecoder`. */
class XMLDecoder extends RefType {
XMLDecoder() { this.hasQualifiedName("java.beans", "XMLDecoder") }
/** The class `java.beans.XmlDecoder`. */
class XmlDecoder extends RefType {
XmlDecoder() { this.hasQualifiedName("java.beans", "XMLDecoder") }
}
/** A call to `XMLDecoder.readObject`. */
class XMLDecoderReadObject extends XmlParserCall {
XMLDecoderReadObject() {
/** DEPRECATED: Alias for XmlDecoder */
deprecated class XMLDecoder = XmlDecoder;
/** A call to `XmlDecoder.readObject`. */
class XmlDecoderReadObject extends XmlParserCall {
XmlDecoderReadObject() {
exists(Method m |
this.getMethod() = m and
m.getDeclaringType() instanceof XMLDecoder and
m.getDeclaringType() instanceof XmlDecoder and
m.hasName("readObject")
)
}
@@ -224,6 +227,9 @@ class XMLDecoderReadObject extends XmlParserCall {
override predicate isSafe() { none() }
}
/** DEPRECATED: Alias for XmlDecoderReadObject */
deprecated class XMLDecoderReadObject = XmlDecoderReadObject;
private predicate constantStringExpr(Expr e, string val) {
e.(CompileTimeConstantExpr).getStringValue() = val
or
@@ -235,8 +241,8 @@ private predicate constantStringExpr(Expr e, string val) {
}
/** A call to `SAXTransformerFactory.newTransformerHandler`. */
class SAXTransformerFactoryNewTransformerHandler extends XmlParserCall {
SAXTransformerFactoryNewTransformerHandler() {
class SaxTransformerFactoryNewTransformerHandler extends XmlParserCall {
SaxTransformerFactoryNewTransformerHandler() {
exists(Method m |
this.getMethod() = m and
m.getDeclaringType().hasQualifiedName("javax.xml.transform.sax", "SAXTransformerFactory") and
@@ -251,6 +257,10 @@ class SAXTransformerFactoryNewTransformerHandler extends XmlParserCall {
}
}
/** DEPRECATED: Alias for SaxTransformerFactoryNewTransformerHandler */
deprecated class SAXTransformerFactoryNewTransformerHandler =
SaxTransformerFactoryNewTransformerHandler;
/** An expression that always has the same string value. */
private class ConstantStringExpr extends Expr {
string value;
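Review bot: The doc comment on the renamed `XmlDecoder` class now reads "The class `java.beans.XmlDecoder`", but the Java type it models is still `java.beans.XMLDecoder` — the unchanged `hasQualifiedName("java.beans", "XMLDecoder")` string on the next line shows the rename should have applied to the QL class name only, not to the reference to the library class. The `XmlDecoderReadObject` comment has the same problem: "A call to `XmlDecoder.readObject`" names a Java method that does not exist under that spelling. Suggest restoring the original wording in both places, `/** The class java.beans.XMLDecoder. */` and `/** A call to XMLDecoder.readObject. */` (with the backticks as before), so the docs keep pointing at the real JDK API that this XXE/deserialization sink models.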


@@ -102,7 +102,7 @@ private class BlockListBarrierGuard extends PathTraversalBarrierGuard instanceof
* A guard that considers a string safe because it is checked for URL encoding sequences,
* having previously been checked against a block-list of forbidden values.
*/
private class URLEncodingBarrierGuard extends PathTraversalBarrierGuard instanceof UrlEncodingGuard {
private class UrlEncodingBarrierGuard extends PathTraversalBarrierGuard instanceof UrlEncodingGuard {
override predicate checks(Expr e, boolean branch) {
e = super.getCheckedExpr() and
branch = false and


@@ -3,18 +3,21 @@ import java
/**
* A deployment descriptor file, typically called `struts.xml`.
*/
class StrutsXMLFile extends XMLFile {
StrutsXMLFile() {
class StrutsXmlFile extends XMLFile {
StrutsXmlFile() {
count(XMLElement e | e = this.getAChild()) = 1 and
this.getAChild().getName() = "struts"
}
}
/** DEPRECATED: Alias for StrutsXmlFile */
deprecated class StrutsXMLFile = StrutsXmlFile;
/**
* An XML element in a `StrutsXMLFile`.
*/
class StrutsXMLElement extends XMLElement {
StrutsXMLElement() { this.getFile() instanceof StrutsXMLFile }
class StrutsXmlElement extends XMLElement {
StrutsXmlElement() { this.getFile() instanceof StrutsXmlFile }
/**
* Gets the value for this element, with leading and trailing whitespace trimmed.
@@ -22,10 +25,13 @@ class StrutsXMLElement extends XMLElement {
string getValue() { result = this.allCharactersString().trim() }
}
/** DEPRECATED: Alias for StrutsXmlElement */
deprecated class StrutsXMLElement = StrutsXmlElement;
/**
* A `<constant>` element in a `StrutsXMLFile`.
*/
class ConstantParameter extends StrutsXMLElement {
class ConstantParameter extends StrutsXmlElement {
ConstantParameter() { this.getName() = "constant" }
/**


@@ -22,6 +22,6 @@ where
or
multipleToString(ssa) and problem = "SSA variable with multiple 'toString()' results for "
) and
n = ssa.getCFGNode() and
n = ssa.getCfgNode() and
v = ssa.getSourceVariable().getVariable()
select n, problem + v


@@ -7,18 +7,21 @@ import java
/**
* MyBatis Mapper XML file.
*/
class MyBatisMapperXMLFile extends XMLFile {
MyBatisMapperXMLFile() {
class MyBatisMapperXmlFile extends XMLFile {
MyBatisMapperXmlFile() {
count(XMLElement e | e = this.getAChild()) = 1 and
this.getAChild().getName() = "mapper"
}
}
/** DEPRECATED: Alias for MyBatisMapperXmlFile */
deprecated class MyBatisMapperXMLFile = MyBatisMapperXmlFile;
/**
* An XML element in a `MyBatisMapperXMLFile`.
*/
class MyBatisMapperXMLElement extends XMLElement {
MyBatisMapperXMLElement() { this.getFile() instanceof MyBatisMapperXMLFile }
class MyBatisMapperXmlElement extends XMLElement {
MyBatisMapperXmlElement() { this.getFile() instanceof MyBatisMapperXmlFile }
/**
* Gets the value for this element, with leading and trailing whitespace trimmed.
@@ -33,10 +36,13 @@ class MyBatisMapperXMLElement extends XMLElement {
}
}
/** DEPRECATED: Alias for MyBatisMapperXmlElement */
deprecated class MyBatisMapperXMLElement = MyBatisMapperXmlElement;
/**
* An MyBatis Mapper sql operation element.
*/
abstract class MyBatisMapperSqlOperation extends MyBatisMapperXMLElement {
abstract class MyBatisMapperSqlOperation extends MyBatisMapperXmlElement {
/**
* Gets the value of the `id` attribute of MyBatis Mapper sql operation element.
*/
@@ -52,7 +58,7 @@ abstract class MyBatisMapperSqlOperation extends MyBatisMapperXMLElement {
*/
Method getMapperMethod() {
result.getName() = this.getId() and
result.getDeclaringType() = this.getParent().(MyBatisMapperXMLElement).getNamespaceRefType()
result.getDeclaringType() = this.getParent().(MyBatisMapperXmlElement).getNamespaceRefType()
}
}
@@ -87,7 +93,7 @@ class MyBatisMapperSelect extends MyBatisMapperSqlOperation {
/**
* A `<sql>` element in a `MyBatisMapperXMLElement`.
*/
class MyBatisMapperSql extends MyBatisMapperXMLElement {
class MyBatisMapperSql extends MyBatisMapperXmlElement {
MyBatisMapperSql() { this.getName() = "sql" }
/**
@@ -99,7 +105,7 @@ class MyBatisMapperSql extends MyBatisMapperXMLElement {
/**
* A `<include>` element in a `MyBatisMapperXMLElement`.
*/
class MyBatisMapperInclude extends MyBatisMapperXMLElement {
class MyBatisMapperInclude extends MyBatisMapperXmlElement {
MyBatisMapperInclude() { this.getName() = "include" }
/**
@@ -111,6 +117,6 @@ class MyBatisMapperInclude extends MyBatisMapperXMLElement {
/**
* A `<foreach>` element in a `MyBatisMapperXMLElement`.
*/
class MyBatisMapperForeach extends MyBatisMapperXMLElement {
class MyBatisMapperForeach extends MyBatisMapperXmlElement {
MyBatisMapperForeach() { this.getName() = "foreach" }
}


@@ -43,7 +43,7 @@ string asInputArgument(DataFlow::Node source) {
result = "Argument[-1]"
}
string captureSink(TargetAPI api) {
string captureSink(TargetApi api) {
exists(DataFlow::Node src, DataFlow::Node sink, PropagateToSinkConfiguration config, string kind |
config.hasFlow(src, sink) and
sinkNode(sink, kind) and
@@ -53,6 +53,6 @@ string captureSink(TargetAPI api) {
)
}
from TargetAPI api, string sink
from TargetApi api, string sink
where sink = captureSink(api)
select sink order by sink


@@ -22,7 +22,7 @@ class FromSourceConfiguration extends TaintTracking::Configuration {
override predicate isSource(DataFlow::Node source) { sourceNode(source, _) }
override predicate isSink(DataFlow::Node sink) {
exists(TargetAPI c |
exists(TargetApi c |
sink instanceof ReturnNodeExt and
sink.getEnclosingCallable() = c and
c.isPublic() and
@@ -39,7 +39,7 @@ class FromSourceConfiguration extends TaintTracking::Configuration {
}
}
string captureSource(TargetAPI api) {
string captureSource(TargetApi api) {
exists(DataFlow::Node source, DataFlow::Node sink, FromSourceConfiguration config, string kind |
config.hasFlow(source, sink) and
sourceNode(source, kind) and
@@ -48,6 +48,6 @@ string captureSource(TargetAPI api) {
)
}
from TargetAPI api, string sink
from TargetApi api, string sink
where sink = captureSource(api)
select sink order by sink


@@ -12,7 +12,7 @@ import semmle.code.java.dataflow.internal.DataFlowPrivate
import semmle.code.java.dataflow.InstanceAccess
import ModelGeneratorUtils
string captureFlow(TargetAPI api) {
string captureFlow(TargetApi api) {
result = captureQualifierFlow(api) or
result = captureThroughFlow(api)
}
@@ -29,7 +29,7 @@ string captureFlow(TargetAPI api) {
* }
* ```
*/
string captureQualifierFlow(TargetAPI api) {
string captureQualifierFlow(TargetApi api) {
exists(ReturnStmt rtn |
rtn.getEnclosingCallable() = api and
rtn.getResult().(ThisAccess).isOwnInstanceAccess()
@@ -50,7 +50,7 @@ class ThroughFlowConfig extends TaintTracking::Configuration {
override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
source instanceof DataFlow::ParameterNode and
source.getEnclosingCallable() instanceof TargetAPI and
source.getEnclosingCallable() instanceof TargetApi and
state instanceof TaintRead
}
@@ -145,7 +145,7 @@ class ThroughFlowConfig extends TaintTracking::Configuration {
* Captured Model:
* `p;Foo;true;addToList;;Argument[0];Argument[1];taint`
*/
string captureThroughFlow(TargetAPI api) {
string captureThroughFlow(TargetApi api) {
exists(
ThroughFlowConfig config, DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt, string input,
string output
@@ -159,6 +159,6 @@ string captureThroughFlow(TargetAPI api) {
)
}
from TargetAPI api, string flow
from TargetApi api, string flow
where flow = captureFlow(api)
select flow order by flow


@@ -11,8 +11,8 @@ Method superImpl(Method m) {
not m instanceof ToStringMethod
}
class TargetAPI extends Callable {
TargetAPI() {
class TargetApi extends Callable {
TargetApi() {
this.isPublic() and
this.fromSource() and
(
@@ -23,6 +23,9 @@ class TargetAPI extends Callable {
}
}
/** DEPRECATED: Alias for TargetApi */
deprecated class TargetAPI = TargetApi;
private string isExtensible(RefType ref) {
if ref.isFinal() then result = "false" else result = "true"
}
@@ -59,17 +62,17 @@ private predicate isJdkInternal(CompilationUnit cu) {
}
bindingset[input, output]
string asTaintModel(TargetAPI api, string input, string output) {
string asTaintModel(TargetApi api, string input, string output) {
result = asSummaryModel(api, input, output, "taint")
}
bindingset[input, output]
string asValueModel(TargetAPI api, string input, string output) {
string asValueModel(TargetApi api, string input, string output) {
result = asSummaryModel(api, input, output, "value")
}
bindingset[input, output, kind]
string asSummaryModel(TargetAPI api, string input, string output, string kind) {
string asSummaryModel(TargetApi api, string input, string output, string kind) {
result =
asPartialModel(api) + input + ";" //
+ output + ";" //
@@ -77,19 +80,19 @@ string asSummaryModel(TargetAPI api, string input, string output, string kind) {
}
bindingset[input, kind]
string asSinkModel(TargetAPI api, string input, string kind) {
string asSinkModel(TargetApi api, string input, string kind) {
result = asPartialModel(api) + input + ";" + kind
}
bindingset[output, kind]
string asSourceModel(TargetAPI api, string output, string kind) {
string asSourceModel(TargetApi api, string output, string kind) {
result = asPartialModel(api) + output + ";" + kind
}
/**
* Computes the first 6 columns for CSV rows.
*/
private string asPartialModel(TargetAPI api) {
private string asPartialModel(TargetApi api) {
result =
typeAsSummaryModel(api) + ";" //
+ isExtensible(bestTypeForModel(api)) + ";" //
@@ -102,9 +105,9 @@ private string asPartialModel(TargetAPI api) {
* Returns the appropriate type name for the model. Either the type
* declaring the method or the supertype introducing the method.
*/
private string typeAsSummaryModel(TargetAPI api) { result = typeAsModel(bestTypeForModel(api)) }
private string typeAsSummaryModel(TargetApi api) { result = typeAsModel(bestTypeForModel(api)) }
private RefType bestTypeForModel(TargetAPI api) {
private RefType bestTypeForModel(TargetApi api) {
if exists(superImpl(api))
then superImpl(api).fromSource() and result = superImpl(api).getDeclaringType()
else result = api.getDeclaringType()


@@ -9,4 +9,4 @@ where
or
not exists(ssa.toString()) and s = "error"
)
select v, ssa.getCFGNode(), s
select v, ssa.getCfgNode(), s


@@ -3,4 +3,4 @@ import semmle.code.java.dataflow.SSA
from SsaPhiNode ssa, SsaSourceVariable v, SsaVariable phiInput
where ssa.getAPhiInput() = phiInput and ssa.getSourceVariable() = v
select v, ssa.getCFGNode(), phiInput.getCFGNode()
select v, ssa.getCfgNode(), phiInput.getCfgNode()


@@ -3,4 +3,4 @@ import semmle.code.java.dataflow.SSA
from SsaVariable ssa, SsaSourceVariable v, Expr use
where use = ssa.getAUse() and ssa.getSourceVariable() = v
select v, ssa.getCFGNode(), ssa.toString(), use
select v, ssa.getCfgNode(), ssa.toString(), use


@@ -3,8 +3,8 @@ import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.XSS
import TestUtilities.InlineExpectationsTest
class XSSConfig extends TaintTracking::Configuration {
XSSConfig() { this = "XSSConfig" }
class XssConfig extends TaintTracking::Configuration {
XssConfig() { this = "XSSConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -24,7 +24,7 @@ class XssTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "xss" and
exists(DataFlow::Node src, DataFlow::Node sink, XSSConfig conf | conf.hasFlow(src, sink) |
exists(DataFlow::Node src, DataFlow::Node sink, XssConfig conf | conf.hasFlow(src, sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""