Merge branch 'github:main' into amammad-python-WebAppsConstatntSecretKeys

2026-01-31 15:22:57 +01:00 · 2023-06-30 22:36:45 +10:00
parent a988ccb7d5 634c838b45
commit 6f34c3225b
171 changed files with 4581 additions and 631 deletions
--- a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
@@ -14,11 +14,14 @@

 import java
 import semmle.code.java.security.CommandLineQuery
+import semmle.code.java.security.ExternalProcess
 import LocalUserInputToArgumentToExecFlow::PathGraph

 from
  LocalUserInputToArgumentToExecFlow::PathNode source,
-  LocalUserInputToArgumentToExecFlow::PathNode sink
-where LocalUserInputToArgumentToExecFlow::flowPath(source, sink)
-select sink.getNode().asExpr(), source, sink, "This command line depends on a $@.",
-  source.getNode(), "user-provided value"
+  LocalUserInputToArgumentToExecFlow::PathNode sink, Expr e
+where
+  LocalUserInputToArgumentToExecFlow::flowPath(source, sink) and
+  argumentToExec(e, sink.getNode())
+select e, source, sink, "This command line depends on a $@.", source.getNode(),
+  "user-provided value"
--- a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
@@ -14,6 +14,7 @@

 import java
 import semmle.code.java.security.CommandLineQuery
+import semmle.code.java.security.ExternalProcess

 /**
 * Strings that are known to be sane by some simple local analysis. Such strings
--- a/java/ql/src/Telemetry/ExternalApi.qll
+++ b/java/ql/src/Telemetry/ExternalApi.qll
@@ -27,8 +27,9 @@ class ExternalApi extends Callable {
   */
  string getApiName() {
    result =
-      this.getDeclaringType().getPackage() + "." + this.getDeclaringType().getSourceDeclaration() +
-        "#" + this.getName() + paramsString(this)
+      this.getDeclaringType().getPackage() + "." +
+        this.getDeclaringType().getSourceDeclaration().nestedName() + "#" + this.getName() +
+        paramsString(this)
  }

  private string getJarName() {
--- a/java/ql/src/change-notes/2023-06-23-apache-commons-lang.md
+++ b/java/ql/src/change-notes/2023-06-23-apache-commons-lang.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* New models have been added for `org.apache.commons.lang`.
--- a/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
@@ -15,7 +15,11 @@
 import java
 import semmle.code.java.security.CommandLineQuery
 import RemoteUserInputToArgumentToExecFlow::PathGraph
-import JSchOSInjection
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class ActivateModels extends ActiveExperimentalModels {
+  ActivateModels() { this = "jsch-os-injection" }
+}

 // This is a clone of query `java/command-line-injection` that also includes experimental sinks.
 from
--- a/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjection.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjection.qll
@@ -1,20 +0,0 @@
-/**
- * Provides classes for JSch OS command injection detection
- */
-
-import java
-
-/** The class `com.jcraft.jsch.ChannelExec`. */
-private class JSchChannelExec extends RefType {
-  JSchChannelExec() { this.hasQualifiedName("com.jcraft.jsch", "ChannelExec") }
-}
-
-/** A method to set an OS Command for the execution. */
-private class ChannelExecSetCommandMethod extends Method, ExecCallable {
-  ChannelExecSetCommandMethod() {
-    this.hasName("setCommand") and
-    this.getDeclaringType() instanceof JSchChannelExec
-  }
-
-  override int getAnExecutedArgument() { result = 0 }
-}