Merge branch 'main' into starcke/automodel-pack

2026-04-28 02:05:14 +02:00 · 2023-08-08 15:02:33 +02:00
parent 0d78eeb871 7da6da1c93
commit 8d34ab6d18
252 changed files with 13920 additions and 2899 deletions
--- a/java/ql/test/experimental/query-tests/security/CWE-078/CommandInjectionRuntimeExecLocal.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-078/CommandInjectionRuntimeExecLocal.expected
@@ -0,0 +1,41 @@
+edges
+| RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:22:67:22:72 | script : String |
+| RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:25:66:25:71 | script : String |
+| RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:31:36:31:41 | script : String |
+| RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:38:52:38:57 | script : String |
+| RuntimeExecTest.java:22:43:22:73 | {...} : String[] [[]] : String | RuntimeExecTest.java:22:43:22:73 | new String[] |
+| RuntimeExecTest.java:22:67:22:72 | script : String | RuntimeExecTest.java:22:43:22:73 | {...} : String[] [[]] : String |
+| RuntimeExecTest.java:25:42:25:72 | {...} : String[] [[]] : String | RuntimeExecTest.java:26:43:26:55 | commandArray1 |
+| RuntimeExecTest.java:25:66:25:71 | script : String | RuntimeExecTest.java:25:42:25:72 | {...} : String[] [[]] : String |
+| RuntimeExecTest.java:31:17:31:29 | commandArray2 [post update] : String[] [[]] : String | RuntimeExecTest.java:32:43:32:55 | commandArray2 |
+| RuntimeExecTest.java:31:36:31:41 | script : String | RuntimeExecTest.java:31:17:31:29 | commandArray2 [post update] : String[] [[]] : String |
+| RuntimeExecTest.java:36:21:39:21 | concat(...) : Stream [<element>] : String | RuntimeExecTest.java:36:21:39:44 | toArray(...) : String[] [[]] : String |
+| RuntimeExecTest.java:36:21:39:44 | toArray(...) : String[] [[]] : String | RuntimeExecTest.java:36:21:39:44 | toArray(...) |
+| RuntimeExecTest.java:38:25:38:59 | stream(...) : Stream [<element>] : String | RuntimeExecTest.java:36:21:39:21 | concat(...) : Stream [<element>] : String |
+| RuntimeExecTest.java:38:39:38:58 | new String[] : String[] [[]] : String | RuntimeExecTest.java:38:25:38:59 | stream(...) : Stream [<element>] : String |
+| RuntimeExecTest.java:38:39:38:58 | {...} : String[] [[]] : String | RuntimeExecTest.java:38:39:38:58 | new String[] : String[] [[]] : String |
+| RuntimeExecTest.java:38:52:38:57 | script : String | RuntimeExecTest.java:38:39:38:58 | {...} : String[] [[]] : String |
+nodes
+| RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | semmle.label | getenv(...) : String |
+| RuntimeExecTest.java:22:43:22:73 | new String[] | semmle.label | new String[] |
+| RuntimeExecTest.java:22:43:22:73 | {...} : String[] [[]] : String | semmle.label | {...} : String[] [[]] : String |
+| RuntimeExecTest.java:22:67:22:72 | script : String | semmle.label | script : String |
+| RuntimeExecTest.java:25:42:25:72 | {...} : String[] [[]] : String | semmle.label | {...} : String[] [[]] : String |
+| RuntimeExecTest.java:25:66:25:71 | script : String | semmle.label | script : String |
+| RuntimeExecTest.java:26:43:26:55 | commandArray1 | semmle.label | commandArray1 |
+| RuntimeExecTest.java:31:17:31:29 | commandArray2 [post update] : String[] [[]] : String | semmle.label | commandArray2 [post update] : String[] [[]] : String |
+| RuntimeExecTest.java:31:36:31:41 | script : String | semmle.label | script : String |
+| RuntimeExecTest.java:32:43:32:55 | commandArray2 | semmle.label | commandArray2 |
+| RuntimeExecTest.java:36:21:39:21 | concat(...) : Stream [<element>] : String | semmle.label | concat(...) : Stream [<element>] : String |
+| RuntimeExecTest.java:36:21:39:44 | toArray(...) | semmle.label | toArray(...) |
+| RuntimeExecTest.java:36:21:39:44 | toArray(...) : String[] [[]] : String | semmle.label | toArray(...) : String[] [[]] : String |
+| RuntimeExecTest.java:38:25:38:59 | stream(...) : Stream [<element>] : String | semmle.label | stream(...) : Stream [<element>] : String |
+| RuntimeExecTest.java:38:39:38:58 | new String[] : String[] [[]] : String | semmle.label | new String[] : String[] [[]] : String |
+| RuntimeExecTest.java:38:39:38:58 | {...} : String[] [[]] : String | semmle.label | {...} : String[] [[]] : String |
+| RuntimeExecTest.java:38:52:38:57 | script : String | semmle.label | script : String |
+subpaths
+#select
+| RuntimeExecTest.java:22:43:22:73 | new String[] | RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:22:43:22:73 | new String[] | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | RuntimeExecTest.java:22:56:22:64 | "/bin/sh" | "/bin/sh" | RuntimeExecTest.java:17:25:17:51 | getenv(...) | getenv(...) : String |
+| RuntimeExecTest.java:26:43:26:55 | commandArray1 | RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:26:43:26:55 | commandArray1 | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | RuntimeExecTest.java:25:55:25:63 | "/bin/sh" | "/bin/sh" | RuntimeExecTest.java:17:25:17:51 | getenv(...) | getenv(...) : String |
+| RuntimeExecTest.java:32:43:32:55 | commandArray2 | RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:32:43:32:55 | commandArray2 | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | RuntimeExecTest.java:30:36:30:44 | "/bin/sh" | "/bin/sh" | RuntimeExecTest.java:17:25:17:51 | getenv(...) | getenv(...) : String |
+| RuntimeExecTest.java:36:21:39:44 | toArray(...) | RuntimeExecTest.java:17:25:17:51 | getenv(...) : String | RuntimeExecTest.java:36:21:39:44 | toArray(...) | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | RuntimeExecTest.java:37:52:37:60 | "/bin/sh" | "/bin/sh" | RuntimeExecTest.java:17:25:17:51 | getenv(...) | getenv(...) : String |
--- a/java/ql/test/experimental/query-tests/security/CWE-078/CommandInjectionRuntimeExecLocal.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-078/CommandInjectionRuntimeExecLocal.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql
--- a/java/ql/test/experimental/query-tests/security/CWE-078/RuntimeExecTest.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-078/RuntimeExecTest.java
@@ -0,0 +1,47 @@
+/* Tests for command injection query
+ * 
+ * This is suitable for testing static analysis tools, as long as they treat local input as an attack surface (which can be prone to false positives)
+ * 
+ * (C) Copyright GitHub, 2023
+ * 
+ */
+
+import java.util.stream.Stream;
+import java.io.IOException;
+import java.util.Arrays;
+
+public class RuntimeExecTest {
+    public static void test() {
+        System.out.println("Command injection test");
+
+        String script = System.getenv("SCRIPTNAME");
+
+        if (script != null) {
+            try {
+                // 1. array literal in the args
+                Runtime.getRuntime().exec(new String[]{"/bin/sh", script});
+
+                // 2. array literal with dataflow
+                String[] commandArray1 = new String[]{"/bin/sh", script};
+                Runtime.getRuntime().exec(commandArray1);
+
+                // 3. array assignment after it is created
+                String[] commandArray2 = new String[4];
+                commandArray2[0] = "/bin/sh";
+                commandArray2[1] = script;
+                Runtime.getRuntime().exec(commandArray2);
+
+                // 4. Stream concatenation
+                Runtime.getRuntime().exec(
+                    Stream.concat(
+                        Arrays.stream(new String[]{"/bin/sh"}),
+                        Arrays.stream(new String[]{script})
+                    ).toArray(String[]::new)
+                );
+
+            } catch (Exception e) {
+                System.err.println("ERROR: " + e.getMessage());
+            }
+        }
+    }
+}
--- a/java/ql/test/library-tests/dataflow/threat-models/Empty.java
+++ b/java/ql/test/library-tests/dataflow/threat-models/Empty.java
@@ -0,0 +1 @@
+class Empty { }
--- a/java/ql/test/library-tests/dataflow/threat-models/threat-models1.expected
+++ b/java/ql/test/library-tests/dataflow/threat-models/threat-models1.expected
@@ -0,0 +1,5 @@
+| default |
+| remote |
+| request |
+| response |
+| uri-path |
--- a/java/ql/test/library-tests/dataflow/threat-models/threat-models1.ql
+++ b/java/ql/test/library-tests/dataflow/threat-models/threat-models1.ql
@@ -0,0 +1,5 @@
+import semmle.code.java.dataflow.ExternalFlowConfiguration as ExternalFlowConfiguration
+
+query predicate supportedThreatModels(string kind) {
+  ExternalFlowConfiguration::sourceModelKindConfig(kind)
+}
--- a/java/ql/test/library-tests/dataflow/threat-models/threat-models2.expected
+++ b/java/ql/test/library-tests/dataflow/threat-models/threat-models2.expected
@@ -0,0 +1,10 @@
+| cli |
+| database |
+| default |
+| environment |
+| file |
+| local |
+| remote |
+| request |
+| response |
+| uri-path |
--- a/java/ql/test/library-tests/dataflow/threat-models/threat-models2.ext.yml
+++ b/java/ql/test/library-tests/dataflow/threat-models/threat-models2.ext.yml
@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: supportedThreatModels
+    data:
+      - ["local"] # Add the "local" group threat model.
--- a/java/ql/test/library-tests/dataflow/threat-models/threat-models2.ql
+++ b/java/ql/test/library-tests/dataflow/threat-models/threat-models2.ql
@@ -0,0 +1,5 @@
+import semmle.code.java.dataflow.ExternalFlowConfiguration as ExternalFlowConfiguration
+
+query predicate supportedThreatModels(string kind) {
+  ExternalFlowConfiguration::sourceModelKindConfig(kind)
+}
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql`