Merge pull request #12446 from github/java/update-mad-decls-after-triage-2023-03-08T14-51-59
Java: Update MaD Declarations after Triage
This commit is contained in:
@@ -14,7 +14,22 @@ edges
|
||||
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:12:99:33 | new URI(...) |
|
||||
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:100:12:100:45 | new URI(...) |
|
||||
| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:101:12:101:54 | new URI(...) |
|
||||
| Test.java:105:14:105:34 | getHostName(...) : String | Test.java:107:46:107:46 | t |
|
||||
| mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:17:61:17:72 | source(...) : String |
|
||||
| mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:19:41:19:52 | source(...) : String |
|
||||
| mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:25:38:25:49 | source(...) : String |
|
||||
| mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:27:36:27:47 | source(...) : String |
|
||||
| mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:29:31:29:42 | source(...) : String |
|
||||
| mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:31:33:31:44 | source(...) : String |
|
||||
| mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:33:50:33:61 | source(...) : String |
|
||||
| mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:35:54:35:65 | source(...) : String |
|
||||
| mad/Test.java:17:61:17:72 | source(...) : String | mad/Test.java:17:52:17:72 | (...)... |
|
||||
| mad/Test.java:19:41:19:52 | source(...) : String | mad/Test.java:19:32:19:52 | (...)... |
|
||||
| mad/Test.java:25:38:25:49 | source(...) : String | mad/Test.java:25:31:25:49 | (...)... |
|
||||
| mad/Test.java:27:36:27:47 | source(...) : String | mad/Test.java:27:29:27:47 | (...)... |
|
||||
| mad/Test.java:29:31:29:42 | source(...) : String | mad/Test.java:29:24:29:42 | (...)... |
|
||||
| mad/Test.java:31:33:31:44 | source(...) : String | mad/Test.java:31:24:31:44 | (...)... |
|
||||
| mad/Test.java:33:50:33:61 | source(...) : String | mad/Test.java:33:41:33:61 | (...)... |
|
||||
| mad/Test.java:35:54:35:65 | source(...) : String | mad/Test.java:35:45:35:65 | (...)... |
|
||||
nodes
|
||||
| Test.java:19:18:19:38 | getHostName(...) : String | semmle.label | getHostName(...) : String |
|
||||
| Test.java:24:20:24:23 | temp | semmle.label | temp |
|
||||
@@ -35,8 +50,23 @@ nodes
|
||||
| Test.java:99:12:99:33 | new URI(...) | semmle.label | new URI(...) |
|
||||
| Test.java:100:12:100:45 | new URI(...) | semmle.label | new URI(...) |
|
||||
| Test.java:101:12:101:54 | new URI(...) | semmle.label | new URI(...) |
|
||||
| Test.java:105:14:105:34 | getHostName(...) : String | semmle.label | getHostName(...) : String |
|
||||
| Test.java:107:46:107:46 | t | semmle.label | t |
|
||||
| mad/Test.java:12:16:12:36 | getHostName(...) : String | semmle.label | getHostName(...) : String |
|
||||
| mad/Test.java:17:52:17:72 | (...)... | semmle.label | (...)... |
|
||||
| mad/Test.java:17:61:17:72 | source(...) : String | semmle.label | source(...) : String |
|
||||
| mad/Test.java:19:32:19:52 | (...)... | semmle.label | (...)... |
|
||||
| mad/Test.java:19:41:19:52 | source(...) : String | semmle.label | source(...) : String |
|
||||
| mad/Test.java:25:31:25:49 | (...)... | semmle.label | (...)... |
|
||||
| mad/Test.java:25:38:25:49 | source(...) : String | semmle.label | source(...) : String |
|
||||
| mad/Test.java:27:29:27:47 | (...)... | semmle.label | (...)... |
|
||||
| mad/Test.java:27:36:27:47 | source(...) : String | semmle.label | source(...) : String |
|
||||
| mad/Test.java:29:24:29:42 | (...)... | semmle.label | (...)... |
|
||||
| mad/Test.java:29:31:29:42 | source(...) : String | semmle.label | source(...) : String |
|
||||
| mad/Test.java:31:24:31:44 | (...)... | semmle.label | (...)... |
|
||||
| mad/Test.java:31:33:31:44 | source(...) : String | semmle.label | source(...) : String |
|
||||
| mad/Test.java:33:41:33:61 | (...)... | semmle.label | (...)... |
|
||||
| mad/Test.java:33:50:33:61 | source(...) : String | semmle.label | source(...) : String |
|
||||
| mad/Test.java:35:45:35:65 | (...)... | semmle.label | (...)... |
|
||||
| mad/Test.java:35:54:35:65 | source(...) : String | semmle.label | source(...) : String |
|
||||
subpaths
|
||||
#select
|
||||
| Test.java:24:11:24:24 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp | This path depends on a $@. | Test.java:19:18:19:38 | getHostName(...) | user-provided value |
|
||||
@@ -50,4 +80,11 @@ subpaths
|
||||
| Test.java:99:3:99:34 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:12:99:33 | new URI(...) | This path depends on a $@. | Test.java:95:14:95:34 | getHostName(...) | user-provided value |
|
||||
| Test.java:100:3:100:46 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:100:12:100:45 | new URI(...) | This path depends on a $@. | Test.java:95:14:95:34 | getHostName(...) | user-provided value |
|
||||
| Test.java:101:3:101:55 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:101:12:101:54 | new URI(...) | This path depends on a $@. | Test.java:95:14:95:34 | getHostName(...) | user-provided value |
|
||||
| Test.java:107:46:107:46 | t | Test.java:105:14:105:34 | getHostName(...) : String | Test.java:107:46:107:46 | t | This path depends on a $@. | Test.java:105:14:105:34 | getHostName(...) | user-provided value |
|
||||
| mad/Test.java:17:52:17:72 | (...)... | mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:17:52:17:72 | (...)... | This path depends on a $@. | mad/Test.java:12:16:12:36 | getHostName(...) | user-provided value |
|
||||
| mad/Test.java:19:32:19:52 | (...)... | mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:19:32:19:52 | (...)... | This path depends on a $@. | mad/Test.java:12:16:12:36 | getHostName(...) | user-provided value |
|
||||
| mad/Test.java:25:31:25:49 | (...)... | mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:25:31:25:49 | (...)... | This path depends on a $@. | mad/Test.java:12:16:12:36 | getHostName(...) | user-provided value |
|
||||
| mad/Test.java:27:29:27:47 | (...)... | mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:27:29:27:47 | (...)... | This path depends on a $@. | mad/Test.java:12:16:12:36 | getHostName(...) | user-provided value |
|
||||
| mad/Test.java:29:24:29:42 | (...)... | mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:29:24:29:42 | (...)... | This path depends on a $@. | mad/Test.java:12:16:12:36 | getHostName(...) | user-provided value |
|
||||
| mad/Test.java:31:9:31:45 | new FileReader(...) | mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:31:24:31:44 | (...)... | This path depends on a $@. | mad/Test.java:12:16:12:36 | getHostName(...) | user-provided value |
|
||||
| mad/Test.java:33:41:33:61 | (...)... | mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:33:41:33:61 | (...)... | This path depends on a $@. | mad/Test.java:12:16:12:36 | getHostName(...) | user-provided value |
|
||||
| mad/Test.java:35:45:35:65 | (...)... | mad/Test.java:12:16:12:36 | getHostName(...) : String | mad/Test.java:35:45:35:65 | (...)... | This path depends on a $@. | mad/Test.java:12:16:12:36 | getHostName(...) | user-provided value |
|
||||
|
||||
@@ -101,9 +101,4 @@ class Test {
|
||||
new File(new URI(null, null, null, 0, t, null, null));
|
||||
}
|
||||
|
||||
void doGet6(InetAddress address) throws IOException {
|
||||
String t = address.getHostName();
|
||||
// BAD: accessing local resource with user input
|
||||
getClass().getModule().getResourceAsStream(t);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,37 @@
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileReader;
|
||||
import java.io.IOException;
|
||||
import java.net.InetAddress;
|
||||
import java.net.URL;
|
||||
import org.codehaus.cargo.container.installer.ZipURLInstaller;
|
||||
|
||||
public class Test {
|
||||
|
||||
public Object source(InetAddress address) {
|
||||
return address.getHostName();
|
||||
}
|
||||
|
||||
void test(InetAddress address) throws IOException {
|
||||
// "java.lang;Module;true;getResourceAsStream;(String);;Argument[0];read-file;ai-generated"
|
||||
getClass().getModule().getResourceAsStream((String) source(null));
|
||||
// "java.lang;Class;false;getResource;(String);;Argument[0];read-file;ai-generated"
|
||||
getClass().getResource((String) source(null));
|
||||
// "java.lang;ClassLoader;true;getSystemResourceAsStream;(String);;Argument[0];read-file;ai-generated"
|
||||
ClassLoader.getSystemResource((String) source(null));
|
||||
// "java.io;File;true;createTempFile;(String,String,File);;Argument[2];create-file;ai-generated"
|
||||
File.createTempFile(";", (String) source(null));
|
||||
// "java.io;File;true;renameTo;(File);;Argument[0];create-file;ai-generated"
|
||||
new File("").renameTo((File) source(null));
|
||||
// "java.io;FileInputStream;true;FileInputStream;(File);;Argument[0];read-file;ai-generated"
|
||||
new FileInputStream((File) source(null));
|
||||
// "java.io;FileReader;true;FileReader;(File);;Argument[0];read-file;ai-generated"
|
||||
new FileReader((File) source(null));
|
||||
// "java.io;FileReader;true;FileReader;(String);;Argument[0];read-file;ai-generated"
|
||||
new FileReader((String) source(null));
|
||||
// "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[1];create-file;ai-generated"
|
||||
new ZipURLInstaller((URL) null, (String) source(null), "");
|
||||
// "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[2];create-file;ai-generated"
|
||||
new ZipURLInstaller((URL) null, "", (String) source(null));
|
||||
}
|
||||
}
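Review bot: Two of the MaD rows this file claims to exercise are not reached by the calls written beneath them. The comment above `ClassLoader.getSystemResource((String) source(null));` quotes the row for `getSystemResourceAsStream`, and the comment above `File.createTempFile(";", (String) source(null));` quotes the `(String,String,File)` row with `Argument[2]` as the sink while the call uses the two-String overload with taint in argument 1; consistent with that, the updated expected output in this PR lists paths for mad/Test.java lines 17, 19, 25, 27, 29, 31, 33 and 35 but none for lines 21 or 23. If the intent is to cover the rows as written, change the calls to `ClassLoader.getSystemResourceAsStream((String) source(null));` and `File.createTempFile("", "", (File) source(null));` and regenerate the expected file; otherwise the two comments should quote the rows that are actually being tested. Because this class has no inline `// $` expectations and results are checked only against the .expected file, a row that never fires is accepted silently instead of failing the test.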
|
||||
@@ -1 +1 @@
|
||||
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/apache-commons-io-2.6
|
||||
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/apache-commons-io-2.6:${testdir}/../../../../../stubs/cargo
|
||||
|
||||
@@ -1,29 +0,0 @@
|
||||
import org.apache.hadoop.hive.metastore.api.ColumnStatistics;
|
||||
import org.apache.hadoop.hive.metastore.api.DefaultConstraintsRequest;
|
||||
import org.apache.hadoop.hive.metastore.ObjectStore;
|
||||
import org.apache.hive.hcatalog.templeton.ColumnDesc;
|
||||
import org.apache.hive.hcatalog.templeton.HcatDelegator;
|
||||
import java.util.List;
|
||||
|
||||
public class Hive {
|
||||
|
||||
public static Object source() {
|
||||
return null;
|
||||
}
|
||||
|
||||
public void test(ObjectStore objStore, HcatDelegator hcatDel) throws Exception {
|
||||
{
|
||||
String taint = (String) source();
|
||||
new DefaultConstraintsRequest("", taint, ""); // $ sqlInjection
|
||||
}
|
||||
{
|
||||
ColumnStatistics taint = (ColumnStatistics) source();
|
||||
//objStore.updatePartitionColumnStatistics(taint, (List<String>) null, (String) null, 0L); // $ sqlInjection
|
||||
objStore.updatePartitionColumnStatistics(taint, (List<String>) null); // $ sqlInjection
|
||||
}
|
||||
{
|
||||
ColumnDesc taint = (ColumnDesc) source();
|
||||
hcatDel.addOneColumn(null, null, null, taint); // $ sqlInjection
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -57,6 +57,7 @@
|
||||
| good | 4 | Test.java:126:20:126:88 | "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=? ORDER BY PRICE" |
|
||||
| good | 5 | Test.java:127:62:127:67 | query2 |
|
||||
| good | 6 | Test.java:128:24:128:24 | 1 |
|
||||
| source | 1 | mad/Test.java:11:16:11:19 | null |
|
||||
| tableNames | 4 | Test.java:187:32:187:56 | "SELECT ITEM,PRICE FROM " |
|
||||
| tableNames | 5 | Test.java:188:8:188:55 | " WHERE ITEM_CATEGORY='Biscuits' ORDER BY PRICE" |
|
||||
| tableNames | 10 | Test.java:193:33:193:57 | "SELECT ITEM,PRICE FROM " |
|
||||
@@ -97,6 +98,18 @@
|
||||
| tainted | 58 | Test.java:87:8:87:15 | category |
|
||||
| tainted | 58 | Test.java:87:19:87:36 | "' ORDER BY PRICE" |
|
||||
| tainted | 59 | Test.java:88:47:88:52 | query1 |
|
||||
| test | 3 | mad/Test.java:17:24:17:25 | "" |
|
||||
| test | 3 | mad/Test.java:17:28:17:29 | "" |
|
||||
| test | 3 | mad/Test.java:17:39:17:40 | "" |
|
||||
| test | 4 | mad/Test.java:26:43:26:44 | "" |
|
||||
| test | 4 | mad/Test.java:26:54:26:55 | "" |
|
||||
| test | 5 | mad/Test.java:19:28:19:29 | "" |
|
||||
| test | 5 | mad/Test.java:19:32:19:33 | "" |
|
||||
| test | 13 | mad/Test.java:35:13:35:80 | updatePartitionColumnStatistics(...) |
|
||||
| test | 13 | mad/Test.java:35:76:35:79 | null |
|
||||
| test | 18 | mad/Test.java:40:34:40:37 | null |
|
||||
| test | 18 | mad/Test.java:40:40:40:43 | null |
|
||||
| test | 18 | mad/Test.java:40:46:40:49 | null |
|
||||
| unescaped | 4 | Test.java:96:28:96:81 | "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" |
|
||||
| unescaped | 5 | Test.java:97:23:97:40 | "' ORDER BY PRICE" |
|
||||
| unescaped | 11 | Test.java:103:19:103:72 | "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" |
|
||||
|
||||
@@ -0,0 +1,43 @@
|
||||
import java.sql.DatabaseMetaData;
|
||||
import java.util.List;
|
||||
import org.apache.hadoop.hive.metastore.api.ColumnStatistics;
|
||||
import org.apache.hadoop.hive.metastore.api.DefaultConstraintsRequest;
|
||||
import org.apache.hadoop.hive.metastore.ObjectStore;
|
||||
import org.apache.hive.hcatalog.templeton.HcatDelegator;
|
||||
import org.apache.hive.hcatalog.templeton.ColumnDesc;
|
||||
|
||||
public class Test {
|
||||
public static Object source() {
|
||||
return null;
|
||||
}
|
||||
|
||||
public void test(DatabaseMetaData dmd) throws Exception {
|
||||
String taint = (String) source();
|
||||
// java.sql;DatabaseMetaData;true;getColumns;(String,String,String,String);;Argument[2];sql;ai-generated
|
||||
dmd.getColumns("", "", taint, ""); // $ sqlInjection
|
||||
// java.sql;DatabaseMetaData;true;getPrimaryKeys;(String,String,String);;Argument[2];sql;ai-generated
|
||||
dmd.getPrimaryKeys("", "", taint); // $ sqlInjection
|
||||
}
|
||||
|
||||
public void test(ObjectStore objStore, HcatDelegator hcatDel) throws Exception {
|
||||
{
|
||||
String taint = (String) source();
|
||||
// "org.apache.hadoop.hive.metastore.api;DefaultConstraintsRequest;true;DefaultConstraintsRequest;(String,String,String);;Argument[1];sql;ai-generated"
|
||||
new DefaultConstraintsRequest("", taint, ""); // $ sqlInjection
|
||||
}
|
||||
{
|
||||
ColumnStatistics taint = (ColumnStatistics) source();
|
||||
// "org.apache.hadoop.hive.metastore;ObjectStore;true;updatePartitionColumnStatistics;(ColumnStatistics,List,String,long);;Argument[0];sql;ai-generated"
|
||||
// @formatter:off
|
||||
// objStore.updatePartitionColumnStatistics(taint, (List<String>) null, (String) null, 0L); // $ sqlInjection
|
||||
// @formatter:on
|
||||
// "org.apache.hadoop.hive.metastore;ObjectStore;true;updatePartitionColumnStatistics;(ColumnStatistics,List);;Argument[0];sql;ai-generated"
|
||||
objStore.updatePartitionColumnStatistics(taint, (List<String>) null); // $ sqlInjection
|
||||
}
|
||||
{
|
||||
ColumnDesc taint = (ColumnDesc) source();
|
||||
// "org.apache.hive.hcatalog.templeton;HcatDelegator;true;addOneColumn;(String,String,String,ColumnDesc);;Argument[3];sql;ai-generated"
|
||||
hcatDel.addOneColumn(null, null, null, taint); // $ sqlInjection
|
||||
}
|
||||
}
|
||||
}
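Review bot: The 4-argument `updatePartitionColumnStatistics(ColumnStatistics,List,String,long)` row quoted above `// objStore.updatePartitionColumnStatistics(taint, (List<String>) null, (String) null, 0L);` has no live test, since its only call is commented out (presumably because the Hive stub does not declare that overload, worth confirming), and the `// @formatter:off` / `// @formatter:on` pair guards nothing but a comment. Either add the overload to the stub and uncomment the call with its `// $ sqlInjection` expectation, or drop the dead call and its row so the file does not suggest coverage it lacks. Separately, the two `java.sql.DatabaseMetaData` rows above `dmd.getColumns(...)` and `dmd.getPrimaryKeys(...)` are the only ones in this change written without surrounding quotes; quoting them like the other rows keeps the MaD strings searchable in one form.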
|
||||
@@ -20,7 +20,7 @@ public class JdbcUrlSSRF extends HttpServlet {
|
||||
|
||||
String jdbcUrl = request.getParameter("jdbcUrl");
|
||||
Driver driver = new org.postgresql.Driver();
|
||||
DataSourceBuilder dsBuilder = new DataSourceBuilder();
|
||||
DataSourceBuilder dsBuilder = DataSourceBuilder.create();
|
||||
|
||||
try {
|
||||
driver.connect(jdbcUrl, null); // $ SSRF
|
||||
|
||||
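--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-918/mad/Test.java
@@ -0,0 +1,22 @@
+import java.net.URL;
+import javax.servlet.http.HttpServletRequest;
+import javafx.scene.web.WebEngine;
+import org.codehaus.cargo.container.installer.ZipURLInstaller;
+
+public class Test {
+
+public static Object source(HttpServletRequest request) {
+return request.getParameter(null);
+}
+
+public void test(WebEngine webEngine) {
+// "javafx.scene.web;WebEngine;false;load;(String);;Argument[0];open-url;ai-generated"
+webEngine.load((String) source(null)); // $ SSRF
+}
+
+public void test() {
+// "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[0];open-url:ai-generated"
+new ZipURLInstaller((URL) source(null), "", ""); // $ SSRF
+}
+
+}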
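Review bot: The MaD row quoted above `new ZipURLInstaller((URL) source(null), "", ""); // $ SSRF` is mistyped: `open-url:ai-generated` uses a colon where every other row in this change separates the kind and provenance columns with `;`, so the comment does not match the declaration it is meant to document. It should read `// "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[0];open-url;ai-generated"`. These comments are what ties each `// $ SSRF` expectation back to its model row, so a copy that differs from the real entry is easy to misread during the next triage.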
@@ -1,2 +1,2 @@
|
||||
//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/
|
||||
//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web
|
||||
|
||||
|
||||