mirror of
https://github.com/github/codeql.git
synced 2025-12-16 16:53:25 +01:00
Autoformat.
This commit is contained in:
Anders Schack-Mulligen
@@ -291,8 +291,7 @@ predicate arrayInitializerChild(AggregateLiteral parent, Expr e) {
|
||||
|
||||
// i.e. not a constant folded expression
|
||||
predicate literallyLiteral(Literal lit) {
|
||||
lit
|
||||
.getValueText()
|
||||
lit.getValueText()
|
||||
.regexpMatch(".*\".*|\\s*+[-+]?+\\s*+(0[xob][0-9a-fA-F]|[0-9])[0-9a-fA-F,._]*+([eE][-+]?+[0-9,._]*+)?+\\s*+[a-zA-Z]*+\\s*+")
|
||||
}
|
||||
|
||||
|
||||
@@ -189,8 +189,7 @@ class InitializationFunction extends Function {
|
||||
// Field wise assignment to the parameter
|
||||
any(Assignment e).getLValue() = getAFieldAccess(this.getParameter(i)) or
|
||||
i =
|
||||
this
|
||||
.(MemberFunction)
|
||||
this.(MemberFunction)
|
||||
.getAnOverridingFunction+()
|
||||
.(InitializationFunction)
|
||||
.initializedParameter() or
|
||||
@@ -475,12 +474,9 @@ class ConditionalInitializationCall extends FunctionCall {
|
||||
fa.getASuccessor+() = result
|
||||
) and
|
||||
result =
|
||||
this
|
||||
.getArgument(getTarget(this)
|
||||
.(ConditionalInitializationFunction)
|
||||
.conditionallyInitializedParameter(_))
|
||||
.(AddressOfExpr)
|
||||
.getOperand()
|
||||
this.getArgument(getTarget(this)
|
||||
.(ConditionalInitializationFunction)
|
||||
.conditionallyInitializedParameter(_)).(AddressOfExpr).getOperand()
|
||||
}
|
||||
|
||||
Variable getStatusVariable() {
|
||||
|
||||
@@ -31,8 +31,7 @@ predicate canonicalName1(Declaration d, string canonical) {
|
||||
|
||||
predicate canonicalName2(Declaration d, string canonical) {
|
||||
canonical =
|
||||
d
|
||||
.getName()
|
||||
d.getName()
|
||||
.replaceAll("_", "")
|
||||
.replaceAll("0", "O")
|
||||
.replaceAll("D", "O")
|
||||
|
||||
@@ -35,8 +35,7 @@ private predicate autogeneratedComment(string comment) {
|
||||
.regexpMatch("(?si).*(" +
|
||||
// replace `generated` with a regexp that also catches things like
|
||||
// `auto-generated`.
|
||||
cond
|
||||
.replaceAll("generated", "(auto[\\w-]*[\\s/\\*\\r\\n]*)?generated")
|
||||
cond.replaceAll("generated", "(auto[\\w-]*[\\s/\\*\\r\\n]*)?generated")
|
||||
// replace `!` with a regexp for end-of-sentence / separator characters.
|
||||
.replaceAll("!", "[\\.\\?\\!\\-\\;\\,]")
|
||||
// replace ` ` with a regexp for one or more whitespace characters
|
||||
|
||||
@@ -236,9 +236,8 @@ class Class extends UserType {
|
||||
or
|
||||
exists(ClassDerivation cd | cd.getBaseClass() = base |
|
||||
result =
|
||||
this
|
||||
.accessOfBaseMemberMulti(cd.getDerivedClass(),
|
||||
fieldInBase.accessInDirectDerived(cd.getASpecifier().(AccessSpecifier)))
|
||||
this.accessOfBaseMemberMulti(cd.getDerivedClass(),
|
||||
fieldInBase.accessInDirectDerived(cd.getASpecifier().(AccessSpecifier)))
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
@@ -478,9 +478,8 @@ class AccessHolder extends Declaration, TAccessHolder {
|
||||
*/
|
||||
pragma[inline]
|
||||
predicate canAccessMember(Declaration member, Class derived) {
|
||||
this
|
||||
.couldAccessMember(member.getDeclaringType(), member.getASpecifier().(AccessSpecifier),
|
||||
derived)
|
||||
this.couldAccessMember(member.getDeclaringType(), member.getASpecifier().(AccessSpecifier),
|
||||
derived)
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -34,8 +34,7 @@ private predicate shouldPrintFunction(Function func) {
|
||||
bindingset[s]
|
||||
private string escapeString(string s) {
|
||||
result =
|
||||
s
|
||||
.replaceAll("\\", "\\\\")
|
||||
s.replaceAll("\\", "\\\\")
|
||||
.replaceAll("\n", "\\n")
|
||||
.replaceAll("\r", "\\r")
|
||||
.replaceAll("\t", "\\t")
|
||||
|
||||
@@ -1089,8 +1089,7 @@ class FormatLiteral extends Literal {
|
||||
then result = this.getFormat().substring(0, this.getConvSpecOffset(0))
|
||||
else
|
||||
result =
|
||||
this
|
||||
.getFormat()
|
||||
this.getFormat()
|
||||
.substring(this.getConvSpecOffset(n - 1) + this.getConvSpec(n - 1).length(),
|
||||
this.getConvSpecOffset(n))
|
||||
}
|
||||
@@ -1106,8 +1105,7 @@ class FormatLiteral extends Literal {
|
||||
if n > 0
|
||||
then
|
||||
result =
|
||||
this
|
||||
.getFormat()
|
||||
this.getFormat()
|
||||
.substring(this.getConvSpecOffset(n - 1) + this.getConvSpec(n - 1).length(),
|
||||
this.getFormat().length())
|
||||
else result = this.getFormat()
|
||||
|
||||
@@ -847,8 +847,7 @@ class NewOrNewArrayExpr extends Expr, @any_new_expr {
|
||||
*/
|
||||
Expr getPlacementPointer() {
|
||||
result =
|
||||
this
|
||||
.getAllocatorCall()
|
||||
this.getAllocatorCall()
|
||||
.getArgument(this.getAllocator().(OperatorNewAllocationFunction).getPlacementArgument())
|
||||
}
|
||||
}
|
||||
|
||||
@@ -160,8 +160,7 @@ predicate ifndefDirective(PreprocessorDirective ppd, string macro) {
|
||||
ppd instanceof PreprocessorIf and
|
||||
exists(string head | head = ppd.getHead() |
|
||||
macro =
|
||||
head
|
||||
.replaceAll("(", " ")
|
||||
head.replaceAll("(", " ")
|
||||
.replaceAll(")", "")
|
||||
.replaceAll("\t", " ")
|
||||
.regexpCapture("[ ]*![ ]*defined[ ]+([^ ]*)[ ]*", 1)
|
||||
|
||||
@@ -652,8 +652,7 @@ module TaintedWithPath {
|
||||
override predicate hasLocationInfo(
|
||||
string filepath, int startline, int startcolumn, int endline, int endcolumn
|
||||
) {
|
||||
this
|
||||
.inner()
|
||||
this.inner()
|
||||
.getLocation()
|
||||
.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
|
||||
}
|
||||
|
||||
@@ -528,9 +528,9 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff
|
||||
tag instanceof OnlyInstructionTag and
|
||||
operandTag instanceof BufferSizeOperandTag and
|
||||
result =
|
||||
getTranslatedExpr(call
|
||||
.getArgument(call.getTarget().(SideEffectFunction).getParameterSizeIndex(index))
|
||||
.getFullyConverted()).getResult()
|
||||
getTranslatedExpr(call.getArgument(call.getTarget()
|
||||
.(SideEffectFunction)
|
||||
.getParameterSizeIndex(index)).getFullyConverted()).getResult()
|
||||
}
|
||||
|
||||
override CppType getInstructionMemoryOperandType(InstructionTag tag, TypedOperandTag operandTag) {
|
||||
|
||||
@@ -58,8 +58,7 @@ private class IteratorByTraits extends Iterator {
|
||||
private FunctionInput getIteratorArgumentInput(Operator op, int index) {
|
||||
exists(Type t |
|
||||
t =
|
||||
op
|
||||
.getACallToThisFunction()
|
||||
op.getACallToThisFunction()
|
||||
.getArgument(index)
|
||||
.getExplicitlyConverted()
|
||||
.getType()
|
||||
@@ -307,11 +306,10 @@ private class IteratorAssignmentMemberOperator extends MemberFunction, TaintFunc
|
||||
*/
|
||||
private class BeginOrEndFunction extends MemberFunction, TaintFunction, GetIteratorFunction {
|
||||
BeginOrEndFunction() {
|
||||
this
|
||||
.hasName([
|
||||
"begin", "cbegin", "rbegin", "crbegin", "end", "cend", "rend", "crend", "before_begin",
|
||||
"cbefore_begin"
|
||||
]) and
|
||||
this.hasName([
|
||||
"begin", "cbegin", "rbegin", "crbegin", "end", "cend", "rend", "crend", "before_begin",
|
||||
"cbefore_begin"
|
||||
]) and
|
||||
this.getType().getUnspecifiedType() instanceof Iterator
|
||||
}
|
||||
|
||||
|
||||
@@ -179,9 +179,8 @@ private class StdMapErase extends TaintFunction {
|
||||
*/
|
||||
private class StdMapEqualRange extends TaintFunction {
|
||||
StdMapEqualRange() {
|
||||
this
|
||||
.hasQualifiedName("std", ["map", "unordered_map"],
|
||||
["lower_bound", "upper_bound", "equal_range"])
|
||||
this.hasQualifiedName("std", ["map", "unordered_map"],
|
||||
["lower_bound", "upper_bound", "equal_range"])
|
||||
}
|
||||
|
||||
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
|
||||
|
||||
@@ -132,9 +132,8 @@ private class StdSetErase extends TaintFunction {
|
||||
*/
|
||||
private class StdSetEqualRange extends TaintFunction {
|
||||
StdSetEqualRange() {
|
||||
this
|
||||
.hasQualifiedName("std", ["set", "unordered_set"],
|
||||
["lower_bound", "upper_bound", "equal_range"])
|
||||
this.hasQualifiedName("std", ["set", "unordered_set"],
|
||||
["lower_bound", "upper_bound", "equal_range"])
|
||||
}
|
||||
|
||||
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
|
||||
|
||||
@@ -5,8 +5,7 @@ from Compilation c, int i, string s
|
||||
where
|
||||
i > 0 and
|
||||
s =
|
||||
c
|
||||
.getArgument(i)
|
||||
c.getArgument(i)
|
||||
.replaceAll("\\", "/")
|
||||
.regexpReplaceAll(".*(/qltest/predefined_macros)", "<tools>$1")
|
||||
select c.getAFileCompiled().toString(), i, s
|
||||
|
||||
@@ -15,8 +15,7 @@ from MethodCall call, Method add
|
||||
where
|
||||
call.getTarget() = add.getAnUltimateImplementor*() and
|
||||
add.hasName("Add") and
|
||||
add
|
||||
.getDeclaringType()
|
||||
add.getDeclaringType()
|
||||
.getUnboundDeclaration()
|
||||
.hasQualifiedName("System.Collections.Generic.ICollection<>") and
|
||||
call.getAnArgument() instanceof NullLiteral
|
||||
|
||||
@@ -59,8 +59,7 @@ class CollectionMember extends DataMember {
|
||||
// A write of a field or property can be a method call to certain methods...
|
||||
exists(MethodCall call | call = result |
|
||||
call.getQualifier() = this.getAnAccess() and
|
||||
call
|
||||
.getTarget()
|
||||
call.getTarget()
|
||||
.getName()
|
||||
.regexpMatch("Add.*|Append|Clear.*|Delete|" +
|
||||
"(Try)?Dequeue|Enqueue|Insert.*|(Try)?Pop|Push|(Try?)Remove.*|Replace.*|SafeDelete|Set.*|")
|
||||
|
||||
@@ -13,8 +13,7 @@ class ThreadStartingCallable extends Callable {
|
||||
this.(Method).getQualifiedName() = "System.Threading.Tasks.Task.Run" or
|
||||
this.(Constructor).getDeclaringType().getQualifiedName() = "System.Threading.Thread" or
|
||||
this.(Method).getQualifiedName() = "System.Threading.Thread.Start" or
|
||||
this
|
||||
.(Constructor)
|
||||
this.(Constructor)
|
||||
.getDeclaringType()
|
||||
.getQualifiedName()
|
||||
.matches("System.Threading.Tasks.Task<%>")
|
||||
|
||||
@@ -51,12 +51,10 @@ predicate isDateFromJapaneseCalendarCreation(ObjectCreation cr) {
|
||||
cr.getType().hasQualifiedName("System.DateTimeOffset")
|
||||
) and
|
||||
(
|
||||
cr
|
||||
.getArgumentForName("calendar")
|
||||
cr.getArgumentForName("calendar")
|
||||
.getType()
|
||||
.hasQualifiedName("System.Globalization.JapaneseCalendar") or
|
||||
cr
|
||||
.getArgumentForName("calendar")
|
||||
cr.getArgumentForName("calendar")
|
||||
.getType()
|
||||
.hasQualifiedName("System.Globalization.JapaneseLunisolarCalendar")
|
||||
) and
|
||||
|
||||
@@ -16,8 +16,7 @@ import semmle.code.asp.WebConfig
|
||||
from SystemWebXMLElement web, XMLAttribute maxReqLength
|
||||
where
|
||||
maxReqLength =
|
||||
web
|
||||
.getAChild(any(string s | s.toLowerCase() = "httpruntime"))
|
||||
web.getAChild(any(string s | s.toLowerCase() = "httpruntime"))
|
||||
.getAttribute(any(string s | s.toLowerCase() = "maxrequestlength")) and
|
||||
maxReqLength.getValue().toInt() > 4096
|
||||
select maxReqLength, "Large 'maxRequestLength' value (" + maxReqLength.getValue() + " KB)."
|
||||
|
||||
@@ -34,8 +34,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
exists(MethodCall mc |
|
||||
mc.getTarget().hasName("Escape") and
|
||||
mc
|
||||
.getTarget()
|
||||
mc.getTarget()
|
||||
.getDeclaringType()
|
||||
.getABaseType*()
|
||||
.hasQualifiedName("System.Security.SecurityElement")
|
||||
|
||||
@@ -29,8 +29,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodCall mc, string name, int arg |
|
||||
mc.getTarget().getName().matches(name) and
|
||||
mc
|
||||
.getTarget()
|
||||
mc.getTarget()
|
||||
.getDeclaringType()
|
||||
.getABaseType*()
|
||||
.hasQualifiedName("System.Reflection.Assembly") and
|
||||
|
||||
@@ -18,8 +18,7 @@ class AddCertToRootStoreConfig extends DataFlow::Configuration {
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
exists(ObjectCreation oc | oc = source.asExpr() |
|
||||
oc
|
||||
.getType()
|
||||
oc.getType()
|
||||
.(RefType)
|
||||
.hasQualifiedName("System.Security.Cryptography.X509Certificates.X509Store") and
|
||||
oc.getArgument(0).(Access).getTarget().hasName("Root")
|
||||
@@ -29,11 +28,9 @@ class AddCertToRootStoreConfig extends DataFlow::Configuration {
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodCall mc |
|
||||
(
|
||||
mc
|
||||
.getTarget()
|
||||
mc.getTarget()
|
||||
.hasQualifiedName("System.Security.Cryptography.X509Certificates.X509Store", "Add") or
|
||||
mc
|
||||
.getTarget()
|
||||
mc.getTarget()
|
||||
.hasQualifiedName("System.Security.Cryptography.X509Certificates.X509Store", "AddRange")
|
||||
) and
|
||||
sink.asExpr() = mc.getQualifier()
|
||||
|
||||
@@ -18,8 +18,7 @@ where
|
||||
exists(Assignment a, PropertyAccess pa |
|
||||
a.getLValue() = pa and
|
||||
pa.getTarget().hasName("EnableHeaderChecking") and
|
||||
pa
|
||||
.getTarget()
|
||||
pa.getTarget()
|
||||
.getDeclaringType()
|
||||
.hasQualifiedName("System.Web.Configuration", "HttpRuntimeSection") and
|
||||
a.getRValue().getValue() = "false" and
|
||||
|
||||
@@ -15,8 +15,7 @@ import csharp
|
||||
from MethodCall mc, BoolLiteral b
|
||||
where
|
||||
mc.getTarget().hasName("Encrypt") and
|
||||
mc
|
||||
.getTarget()
|
||||
mc.getTarget()
|
||||
.getDeclaringType()
|
||||
.hasQualifiedName("System.Security.Cryptography", "RSACryptoServiceProvider") and
|
||||
mc.getArgument(1) = b and
|
||||
|
||||
@@ -15,8 +15,7 @@ predicate incorrectUseOfRC2(Assignment e, string msg) {
|
||||
exists(PropertyAccess pa |
|
||||
pa.getParent() = e and
|
||||
pa.getTarget().hasName("EffectiveKeySize") and
|
||||
pa
|
||||
.getTarget()
|
||||
pa.getTarget()
|
||||
.getDeclaringType()
|
||||
.hasQualifiedName("System.Security.Cryptography", "RC2CryptoServiceProvider")
|
||||
) and
|
||||
@@ -25,8 +24,7 @@ predicate incorrectUseOfRC2(Assignment e, string msg) {
|
||||
}
|
||||
|
||||
predicate incorrectUseOfDSA(ObjectCreation e, string msg) {
|
||||
e
|
||||
.getTarget()
|
||||
e.getTarget()
|
||||
.getDeclaringType()
|
||||
.hasQualifiedName("System.Security.Cryptography", "DSACryptoServiceProvider") and
|
||||
exists(Expr i | e.getArgument(0) = i and i.getValue().toInt() < 2048) and
|
||||
@@ -34,8 +32,7 @@ predicate incorrectUseOfDSA(ObjectCreation e, string msg) {
|
||||
}
|
||||
|
||||
predicate incorrectUseOfRSA(ObjectCreation e, string msg) {
|
||||
e
|
||||
.getTarget()
|
||||
e.getTarget()
|
||||
.getDeclaringType()
|
||||
.hasQualifiedName("System.Security.Cryptography", "RSACryptoServiceProvider") and
|
||||
exists(Expr i | e.getArgument(0) = i and i.getValue().toInt() < 2048) and
|
||||
|
||||
@@ -18,8 +18,7 @@ predicate incorrectUseOfDES(ObjectCreation e, string msg) {
|
||||
}
|
||||
|
||||
predicate incorrectUseOfTripleDES(ObjectCreation e, string msg) {
|
||||
e
|
||||
.getType()
|
||||
e.getType()
|
||||
.(Class)
|
||||
.hasQualifiedName("System.Security.Cryptography", "TripleDESCryptoServiceProvider") and
|
||||
msg =
|
||||
|
||||
@@ -30,8 +30,7 @@ class Attributable extends @attributable {
|
||||
predicate hasLocationInfo(
|
||||
string filepath, int startline, int startcolumn, int endline, int endcolumn
|
||||
) {
|
||||
this
|
||||
.(Element)
|
||||
this.(Element)
|
||||
.getLocation()
|
||||
.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
|
||||
}
|
||||
|
||||
@@ -86,8 +86,7 @@ class CollectionType extends RefType {
|
||||
exists(RefType base | base = this.getABaseType*() |
|
||||
base.hasQualifiedName(collectionNamespaceName(), collectionTypeName())
|
||||
or
|
||||
base
|
||||
.(ConstructedType)
|
||||
base.(ConstructedType)
|
||||
.getUnboundGeneric()
|
||||
.hasQualifiedName(genericCollectionNamespaceName(), genericCollectionTypeName())
|
||||
)
|
||||
|
||||
@@ -61,9 +61,8 @@ class GenericGeneratedCodeComment extends GeneratedCodeComment {
|
||||
entity = "file|class|interface|art[ei]fact|module|script" and
|
||||
was = "was|is|has been" and
|
||||
automatically = "automatically |mechanically |auto[- ]?" and
|
||||
line
|
||||
.regexpMatch("(?i).*\\bThis (" + entity + ") (" + was + ") (" + automatically +
|
||||
")?generated\\b.*")
|
||||
line.regexpMatch("(?i).*\\bThis (" + entity + ") (" + was + ") (" + automatically +
|
||||
")?generated\\b.*")
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -481,8 +481,7 @@ class CollectionExpr extends Expr {
|
||||
result =
|
||||
any(PropertyRead pr |
|
||||
this = pr.getQualifier() and
|
||||
pr
|
||||
.getTarget()
|
||||
pr.getTarget()
|
||||
.overridesOrImplementsOrEquals(any(Property p |
|
||||
p.getUnboundDeclaration() =
|
||||
any(SystemCollectionsGenericICollectionInterface x).getCountProperty()
|
||||
|
||||
@@ -859,8 +859,7 @@ module Expressions {
|
||||
c =
|
||||
any(NestedCompletion nc |
|
||||
nc.getInnerCompletion() = cc and
|
||||
nc
|
||||
.getOuterCompletion()
|
||||
nc.getOuterCompletion()
|
||||
.(ThrowCompletion)
|
||||
.getExceptionClass()
|
||||
.hasQualifiedName("System.InvalidOperationException")
|
||||
|
||||
@@ -414,9 +414,8 @@ private class FrameworkDataFlowAdaptor extends SummarizedCallable {
|
||||
SummaryInput input, ContentList inputContents, SummaryOutput output, ContentList outputContents,
|
||||
boolean preservesValue
|
||||
) {
|
||||
ltdf
|
||||
.callableFlow(toCallableFlowSource(input), toAccessPath(inputContents),
|
||||
toCallableFlowSink(output), toAccessPath(outputContents), this, preservesValue)
|
||||
ltdf.callableFlow(toCallableFlowSource(input), toAccessPath(inputContents),
|
||||
toCallableFlowSink(output), toAccessPath(outputContents), this, preservesValue)
|
||||
}
|
||||
|
||||
private AccessPath getAnAccessPath() {
|
||||
|
||||
@@ -168,8 +168,7 @@ private module DispatchImpl {
|
||||
)
|
||||
or
|
||||
result =
|
||||
call
|
||||
.(NonDelegateDataFlowCall)
|
||||
call.(NonDelegateDataFlowCall)
|
||||
.getDispatchCall()
|
||||
.getADynamicTargetInCallContext(ctx.(NonDelegateDataFlowCall).getDispatchCall())
|
||||
.getUnboundDeclaration()
|
||||
|
||||
@@ -760,9 +760,8 @@ private module Cached {
|
||||
c instanceof ElementContent
|
||||
or
|
||||
exists(ForeachStmt fs, Ssa::ExplicitDefinition def |
|
||||
x
|
||||
.hasDefPath(fs.getIterableExpr(), node1.getControlFlowNode(), def.getADefinition(),
|
||||
def.getControlFlowNode()) and
|
||||
x.hasDefPath(fs.getIterableExpr(), node1.getControlFlowNode(), def.getADefinition(),
|
||||
def.getControlFlowNode()) and
|
||||
node2.(SsaDefinitionNode).getDefinition() = def and
|
||||
c instanceof ElementContent
|
||||
)
|
||||
@@ -1268,8 +1267,7 @@ private module ArgumentNodes {
|
||||
|
||||
override DotNet::Type getTypeImpl() {
|
||||
result =
|
||||
c
|
||||
.getParameter(delegateIndex)
|
||||
c.getParameter(delegateIndex)
|
||||
.getType()
|
||||
.(SystemLinqExpressions::DelegateExtType)
|
||||
.getDelegateType()
|
||||
@@ -1583,8 +1581,7 @@ private module OutNodes {
|
||||
|
||||
override DotNet::Type getTypeImpl() {
|
||||
result =
|
||||
c
|
||||
.getParameter(pos)
|
||||
c.getParameter(pos)
|
||||
.getType()
|
||||
.(SystemLinqExpressions::DelegateExtType)
|
||||
.getDelegateType()
|
||||
|
||||
@@ -18,8 +18,7 @@ module DataAnnotations {
|
||||
/** The `NotMappedAttribute` attribute. */
|
||||
class NotMappedAttribute extends Attribute {
|
||||
NotMappedAttribute() {
|
||||
this
|
||||
.getType()
|
||||
this.getType()
|
||||
.hasQualifiedName("System.ComponentModel.DataAnnotations.Schema.NotMappedAttribute")
|
||||
}
|
||||
}
|
||||
|
||||
@@ -76,8 +76,7 @@ module NHibernate {
|
||||
SqlParameter() {
|
||||
this.getType() instanceof StringType and
|
||||
(this.getName() = "sql" or this.getName() = "sqlString" or this.getName() = "query") and
|
||||
this
|
||||
.getCallable()
|
||||
this.getCallable()
|
||||
.getDeclaringType()
|
||||
.getDeclaringNamespace()
|
||||
.getParent*()
|
||||
|
||||
@@ -69,8 +69,7 @@ class MySqlHelperMethodCallSqlExpr extends SqlExpr, MethodCall {
|
||||
/** A `Microsoft.ApplicationBlocks.Data.SqlHelper` method. */
|
||||
class MicrosoftSqlHelperMethodCallSqlExpr extends SqlExpr, MethodCall {
|
||||
MicrosoftSqlHelperMethodCallSqlExpr() {
|
||||
this
|
||||
.getQualifier()
|
||||
this.getQualifier()
|
||||
.getType()
|
||||
.(Class)
|
||||
.hasQualifiedName("Microsoft.ApplicationBlocks.Data", "SqlHelper")
|
||||
|
||||
@@ -97,8 +97,7 @@ module SystemDataEntityInfrastructure {
|
||||
/** A class that extends or is constructed from `System.Entity.Data.Infrastructure.DbRawSqlQuery`. */
|
||||
class DbRawSqlQuery extends Class {
|
||||
DbRawSqlQuery() {
|
||||
this
|
||||
.getABaseType*()
|
||||
this.getABaseType*()
|
||||
.getUnboundDeclaration()
|
||||
.(csharp::UnboundGenericClass)
|
||||
.getNameWithoutBrackets() = "DbRawSqlQuery"
|
||||
|
||||
@@ -70,9 +70,8 @@ module HardcodedSymmetricEncryptionKey {
|
||||
CreateSymmetricKeySink() {
|
||||
exists(MethodCall mc, Method m |
|
||||
mc.getTarget() = m and
|
||||
m
|
||||
.hasQualifiedName("Windows.Security.Cryptography.Core.SymmetricKeyAlgorithmProvider",
|
||||
"CreateSymmetricKey") and
|
||||
m.hasQualifiedName("Windows.Security.Cryptography.Core.SymmetricKeyAlgorithmProvider",
|
||||
"CreateSymmetricKey") and
|
||||
this.asExpr() = mc.getArgumentForName("keyMaterial")
|
||||
)
|
||||
}
|
||||
|
||||
@@ -56,8 +56,7 @@ module ReDoS {
|
||||
s.getValue().regexpMatch(".*\\([^()*+\\]]+\\]?(\\*|\\+)\\.?\\)(\\*|\\+).*")
|
||||
or
|
||||
// Example: (([a-z])?([a-z]+.))+
|
||||
s
|
||||
.getValue()
|
||||
s.getValue()
|
||||
.regexpMatch(".*\\((\\([^()]+\\)\\?)?\\([^()*+\\]]+\\]?(\\*|\\+)\\.?\\)\\)(\\*|\\+).*")
|
||||
or
|
||||
// Example: (([a-z])+.)+
|
||||
|
||||
@@ -191,8 +191,7 @@ class AspNetCoreQueryRemoteFlowSource extends AspNetCoreRemoteFlowSource, DataFl
|
||||
)
|
||||
or
|
||||
exists(Call c |
|
||||
c
|
||||
.getTarget()
|
||||
c.getTarget()
|
||||
.getDeclaringType()
|
||||
.hasQualifiedName("Microsoft.AspNetCore.Http", "IQueryCollection") and
|
||||
c.getTarget().getName() = "TryGetValue" and
|
||||
|
||||
@@ -11,21 +11,17 @@ abstract class UnsafeDeserializer extends Callable { }
|
||||
/** An unsafe deserializer method in the `System.*` namespace. */
|
||||
class SystemDeserializer extends UnsafeDeserializer {
|
||||
SystemDeserializer() {
|
||||
this
|
||||
.hasQualifiedName("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
|
||||
"Deserialize")
|
||||
this.hasQualifiedName("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
|
||||
"Deserialize")
|
||||
or
|
||||
this
|
||||
.hasQualifiedName("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
|
||||
"UnsafeDeserialize")
|
||||
this.hasQualifiedName("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
|
||||
"UnsafeDeserialize")
|
||||
or
|
||||
this
|
||||
.hasQualifiedName("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
|
||||
"UnsafeDeserializeMethodResponse")
|
||||
this.hasQualifiedName("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
|
||||
"UnsafeDeserializeMethodResponse")
|
||||
or
|
||||
this
|
||||
.hasQualifiedName("System.Runtime.Deserialization.Formatters.Soap.SoapFormatter",
|
||||
"Deserialize")
|
||||
this.hasQualifiedName("System.Runtime.Deserialization.Formatters.Soap.SoapFormatter",
|
||||
"Deserialize")
|
||||
or
|
||||
this.hasQualifiedName("System.Web.UI.ObjectStateFormatter", "Deserialize")
|
||||
or
|
||||
|
||||
@@ -25,8 +25,7 @@ class EmptyIterableIterator extends IterableIterator {
|
||||
exists(Method m |
|
||||
m.getDeclaringType().getSourceDeclaration() = this and
|
||||
m.getName() = "hasNext" and
|
||||
m
|
||||
.getBody()
|
||||
m.getBody()
|
||||
.(SingletonBlock)
|
||||
.getStmt()
|
||||
.(ReturnStmt)
|
||||
|
||||
@@ -25,8 +25,7 @@ predicate iteratorWrapper(Iterable it, Field f, boolean wrap) {
|
||||
f.getAnAssignedValue().getEnclosingCallable() instanceof InitializerMethod
|
||||
) and
|
||||
// ... whose type is a sub-type of `java.util.Iterator` and ...
|
||||
f
|
||||
.getType()
|
||||
f.getType()
|
||||
.(RefType)
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
|
||||
@@ -23,8 +23,7 @@ where
|
||||
// completely to distinguish grammatical punctuation after which a space is
|
||||
// needed, and intra-identifier punctuation in, for example, a fully
|
||||
// qualified java class name.
|
||||
s
|
||||
.getLiteral()
|
||||
s.getLiteral()
|
||||
.regexpCapture(".* (([-A-Za-z/'\\.:,]*[a-zA-Z]|[0-9]+)[\\.:,;!?']*)\"[^\"]*\\+[^\"]*\"[a-zA-Z].*",
|
||||
1) = word and
|
||||
not word.regexpMatch(".*[,\\.:].*[a-zA-Z].*[^a-zA-Z]")
|
||||
|
||||
@@ -19,8 +19,7 @@ import DataFlow::PathGraph
|
||||
*/
|
||||
class ELMessageInterpolatorType extends RefType {
|
||||
ELMessageInterpolatorType() {
|
||||
this
|
||||
.getASourceSupertype*()
|
||||
this.getASourceSupertype*()
|
||||
.hasQualifiedName("org.hibernate.validator.messageinterpolation",
|
||||
["ResourceBundleMessageInterpolator", "ValueFormatterMessageInterpolator"])
|
||||
}
|
||||
@@ -38,9 +37,8 @@ class SetMessageInterpolatorCall extends MethodAccess {
|
||||
t.hasQualifiedName("javax.validation", ["Configuration", "ValidatorContext"]) and
|
||||
m.getName() = "messageInterpolator"
|
||||
or
|
||||
t
|
||||
.hasQualifiedName("org.springframework.validation.beanvalidation",
|
||||
["CustomValidatorBean", "LocalValidatorFactoryBean"]) and
|
||||
t.hasQualifiedName("org.springframework.validation.beanvalidation",
|
||||
["CustomValidatorBean", "LocalValidatorFactoryBean"]) and
|
||||
m.getName() = "setMessageInterpolator"
|
||||
)
|
||||
)
|
||||
@@ -58,8 +56,7 @@ class SetMessageInterpolatorCall extends MethodAccess {
|
||||
*/
|
||||
class BuildConstraintViolationWithTemplateMethod extends Method {
|
||||
BuildConstraintViolationWithTemplateMethod() {
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.hasQualifiedName("javax.validation", "ConstraintValidatorContext") and
|
||||
this.hasName("buildConstraintViolationWithTemplate")
|
||||
|
||||
@@ -15,8 +15,7 @@ import java
|
||||
from MethodAccess call
|
||||
where
|
||||
call.getMethod().hasName("disable") and
|
||||
call
|
||||
.getReceiverType()
|
||||
call.getReceiverType()
|
||||
.hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
|
||||
"CsrfConfigurer<HttpSecurity>")
|
||||
select call, "CSRF vulnerability due to protection being disabled."
|
||||
|
||||
@@ -36,8 +36,7 @@ private predicate looksLikeCode(JavadocText line) {
|
||||
*/
|
||||
private string trimmedCommentText(JavadocText line) {
|
||||
result =
|
||||
line
|
||||
.getText()
|
||||
line.getText()
|
||||
.trim()
|
||||
.regexpReplaceAll("\\s*//.*$", "")
|
||||
.regexpReplaceAll("\\{@[^}]+\\}", "")
|
||||
|
||||
@@ -174,11 +174,10 @@ private class RequestEntityUriArg extends RequestForgerySink {
|
||||
private class SpringRestTemplateUrlMethods extends Method {
|
||||
SpringRestTemplateUrlMethods() {
|
||||
this.getDeclaringType() instanceof SpringRestTemplate and
|
||||
this
|
||||
.hasName([
|
||||
"doExecute", "postForEntity", "postForLocation", "postForObject", "put", "exchange",
|
||||
"execute", "getForEntity", "getForObject", "patchForObject"
|
||||
])
|
||||
this.hasName([
|
||||
"doExecute", "postForEntity", "postForLocation", "postForObject", "put", "exchange",
|
||||
"execute", "getForEntity", "getForObject", "patchForObject"
|
||||
])
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -3,9 +3,8 @@ import java
|
||||
/** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */
|
||||
class TypeHttpSecurity extends Class {
|
||||
TypeHttpSecurity() {
|
||||
this
|
||||
.hasQualifiedName("org.springframework.security.config.annotation.web.builders",
|
||||
"HttpSecurity")
|
||||
this.hasQualifiedName("org.springframework.security.config.annotation.web.builders",
|
||||
"HttpSecurity")
|
||||
}
|
||||
}
|
||||
|
||||
@@ -15,9 +14,8 @@ class TypeHttpSecurity extends Class {
|
||||
*/
|
||||
class TypeAuthorizedUrl extends Class {
|
||||
TypeAuthorizedUrl() {
|
||||
this
|
||||
.hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
|
||||
"ExpressionUrlAuthorizationConfigurer<HttpSecurity>$AuthorizedUrl<>")
|
||||
this.hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
|
||||
"ExpressionUrlAuthorizationConfigurer<HttpSecurity>$AuthorizedUrl<>")
|
||||
}
|
||||
}
|
||||
|
||||
@@ -26,9 +24,8 @@ class TypeAuthorizedUrl extends Class {
|
||||
*/
|
||||
class TypeAbstractRequestMatcherRegistry extends Class {
|
||||
TypeAbstractRequestMatcherRegistry() {
|
||||
this
|
||||
.hasQualifiedName("org.springframework.security.config.annotation.web",
|
||||
"AbstractRequestMatcherRegistry<AuthorizedUrl<>>")
|
||||
this.hasQualifiedName("org.springframework.security.config.annotation.web",
|
||||
"AbstractRequestMatcherRegistry<AuthorizedUrl<>>")
|
||||
}
|
||||
}
|
||||
|
||||
@@ -37,9 +34,8 @@ class TypeAbstractRequestMatcherRegistry extends Class {
|
||||
*/
|
||||
class TypeEndpointRequest extends Class {
|
||||
TypeEndpointRequest() {
|
||||
this
|
||||
.hasQualifiedName("org.springframework.boot.actuate.autoconfigure.security.servlet",
|
||||
"EndpointRequest")
|
||||
this.hasQualifiedName("org.springframework.boot.actuate.autoconfigure.security.servlet",
|
||||
"EndpointRequest")
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -52,8 +52,7 @@ class HostVerificationMethodAccess extends MethodAccess {
|
||||
(
|
||||
this.getArgument(0).(StringLiteral).getRepresentedString().charAt(0) != "." //string constant comparison e.g. uri.getHost().endsWith("example.com")
|
||||
or
|
||||
this
|
||||
.getArgument(0)
|
||||
this.getArgument(0)
|
||||
.(AddExpr)
|
||||
.getLeftOperand()
|
||||
.(VarAccess)
|
||||
@@ -63,8 +62,7 @@ class HostVerificationMethodAccess extends MethodAccess {
|
||||
.getRepresentedString()
|
||||
.charAt(0) != "." //var1+var2, check var1 starts with "." e.g. String domainName = "example"; Uri.parse(url).getHost().endsWith(domainName+".com")
|
||||
or
|
||||
this
|
||||
.getArgument(0)
|
||||
this.getArgument(0)
|
||||
.(AddExpr)
|
||||
.getLeftOperand()
|
||||
.(StringLiteral)
|
||||
@@ -80,8 +78,7 @@ class HostVerificationMethodAccess extends MethodAccess {
|
||||
f.getDeclaringType() instanceof AndroidRString
|
||||
) //Check resource properties in /res/values/strings.xml in Android mobile applications using res.getString(R.string.key)
|
||||
or
|
||||
this
|
||||
.getArgument(0)
|
||||
this.getArgument(0)
|
||||
.(VarAccess)
|
||||
.getVariable()
|
||||
.getAnAssignedValue()
|
||||
|
||||
@@ -49,11 +49,9 @@ library class MarkerCommentGeneratedFile extends GeneratedFile {
|
||||
exists(JavadocElement t | t.getFile() = this |
|
||||
exists(string msg | msg = t.getText() |
|
||||
msg.regexpMatch("(?i).*\\bGenerated By\\b.*\\bDo not edit\\b.*") or
|
||||
msg
|
||||
.regexpMatch("(?i).*\\bThis (file|class|interface|art[ei]fact) (was|is|(has been)) (?:auto[ -]?)?gener(e?)ated.*") or
|
||||
msg.regexpMatch("(?i).*\\bThis (file|class|interface|art[ei]fact) (was|is|(has been)) (?:auto[ -]?)?gener(e?)ated.*") or
|
||||
msg.regexpMatch("(?i).*\\bAny modifications to this file will be lost\\b.*") or
|
||||
msg
|
||||
.regexpMatch("(?i).*\\bThis (file|class|interface|art[ei]fact) (was|is) (?:mechanically|automatically) generated\\b.*") or
|
||||
msg.regexpMatch("(?i).*\\bThis (file|class|interface|art[ei]fact) (was|is) (?:mechanically|automatically) generated\\b.*") or
|
||||
msg.regexpMatch("(?i).*\\bThe following code was (?:auto[ -]?)?generated (?:by|from)\\b.*") or
|
||||
msg.regexpMatch("(?i).*\\bAutogenerated by Thrift.*") or
|
||||
msg.regexpMatch("(?i).*\\bGenerated By.*JavaCC.*") or
|
||||
|
||||
@@ -188,8 +188,7 @@ class FormattingCall extends Call {
|
||||
exists(Expr arg | arg = this.getArgument(1 + this.getFormatStringIndex()) |
|
||||
result = arg.(ArrayCreationExpr).getFirstDimensionSize() or
|
||||
result =
|
||||
arg
|
||||
.(VarAccess)
|
||||
arg.(VarAccess)
|
||||
.getVariable()
|
||||
.getAnAssignedValue()
|
||||
.(ArrayCreationExpr)
|
||||
|
||||
@@ -112,8 +112,7 @@ private class SpringMultipartRequestSource extends RemoteFlowSource {
|
||||
exists(MethodAccess ma, Method m |
|
||||
ma = this.asExpr() and
|
||||
m = ma.getMethod() and
|
||||
m
|
||||
.getDeclaringType()
|
||||
m.getDeclaringType()
|
||||
.getASourceSupertype*()
|
||||
.hasQualifiedName("org.springframework.web.multipart", "MultipartRequest") and
|
||||
m.getName().matches("get%")
|
||||
@@ -128,8 +127,7 @@ private class SpringMultipartFileSource extends RemoteFlowSource {
|
||||
exists(MethodAccess ma, Method m |
|
||||
ma = this.asExpr() and
|
||||
m = ma.getMethod() and
|
||||
m
|
||||
.getDeclaringType()
|
||||
m.getDeclaringType()
|
||||
.getASourceSupertype*()
|
||||
.hasQualifiedName("org.springframework.web.multipart", "MultipartFile") and
|
||||
m.getName().matches("get%")
|
||||
@@ -189,8 +187,7 @@ private class BeanValidationSource extends RemoteFlowSource {
|
||||
exists(Method m, Parameter v |
|
||||
this.asParameter() = v and
|
||||
m.getParameter(0) = v and
|
||||
m
|
||||
.getDeclaringType()
|
||||
m.getDeclaringType()
|
||||
.getASourceSupertype+()
|
||||
.hasQualifiedName("javax.validation", "ConstraintValidator") and
|
||||
m.hasName("isValid") and
|
||||
@@ -237,8 +234,7 @@ class EnvInput extends LocalUserInput {
|
||||
exists(Field f | this.asExpr() = f.getAnAccess() | f instanceof SystemIn)
|
||||
or
|
||||
// Access to files.
|
||||
this
|
||||
.asExpr()
|
||||
this.asExpr()
|
||||
.(ConstructorCall)
|
||||
.getConstructedType()
|
||||
.hasQualifiedName("java.io", "FileInputStream")
|
||||
|
||||
@@ -55,13 +55,11 @@ abstract class TaintPreservingCallable extends Callable {
|
||||
private class StringTaintPreservingMethod extends TaintPreservingCallable {
|
||||
StringTaintPreservingMethod() {
|
||||
this.getDeclaringType() instanceof TypeString and
|
||||
this
|
||||
.hasName([
|
||||
"concat", "copyValueOf", "endsWith", "format", "formatted", "getBytes", "indent",
|
||||
"intern", "join", "repeat", "split", "strip", "stripIndent", "stripLeading",
|
||||
"stripTrailing", "substring", "toCharArray", "toLowerCase", "toString", "toUpperCase",
|
||||
"trim"
|
||||
])
|
||||
this.hasName([
|
||||
"concat", "copyValueOf", "endsWith", "format", "formatted", "getBytes", "indent", "intern",
|
||||
"join", "repeat", "split", "strip", "stripIndent", "stripLeading", "stripTrailing",
|
||||
"substring", "toCharArray", "toLowerCase", "toString", "toUpperCase", "trim"
|
||||
])
|
||||
}
|
||||
|
||||
override predicate returnsTaintFrom(int arg) {
|
||||
|
||||
@@ -110,8 +110,7 @@ private predicate taintPreservingQualifierToMethod(Method m) {
|
||||
m.hasName(["asIterator", "nextElement"])
|
||||
or
|
||||
// java.util.Map
|
||||
m
|
||||
.(MapMethod)
|
||||
m.(MapMethod)
|
||||
.hasName([
|
||||
"computeIfAbsent", "entrySet", "get", "getOrDefault", "put", "putIfAbsent", "remove",
|
||||
"replace", "values"
|
||||
@@ -138,8 +137,7 @@ private predicate taintPreservingQualifierToMethod(Method m) {
|
||||
m.(CollectionMethod).hasName("remove") and m.getNumberOfParameters() = 0
|
||||
or
|
||||
// java.util.Deque
|
||||
m
|
||||
.(CollectionMethod)
|
||||
m.(CollectionMethod)
|
||||
.hasName([
|
||||
"getFirst", "getLast", "peekFirst", "peekLast", "pollFirst", "pollLast", "removeFirst",
|
||||
"removeLast"
|
||||
@@ -159,8 +157,7 @@ private predicate taintPreservingQualifierToMethod(Method m) {
|
||||
// java.util.NavigableSet
|
||||
// covered by Deque: pollFirst(), pollLast()
|
||||
// covered by SortedSet: headSet(E, boolean), subSet(E, boolean, E, boolean) and tailSet(E, boolean)
|
||||
m
|
||||
.(CollectionMethod)
|
||||
m.(CollectionMethod)
|
||||
.hasName(["ceiling", "descendingIterator", "descendingSet", "floor", "higher", "lower"])
|
||||
or
|
||||
// java.util.SortedMap
|
||||
@@ -168,16 +165,14 @@ private predicate taintPreservingQualifierToMethod(Method m) {
|
||||
or
|
||||
// java.util.NavigableMap
|
||||
// covered by SortedMap: headMap(K, boolean), subMap(K, boolean, K, boolean), tailMap(K, boolean)
|
||||
m
|
||||
.(MapMethod)
|
||||
m.(MapMethod)
|
||||
.hasName([
|
||||
"ceilingEntry", "descendingMap", "firstEntry", "floorEntry", "higherEntry", "lastEntry",
|
||||
"lowerEntry", "pollFirstEntry", "pollLastEntry"
|
||||
])
|
||||
or
|
||||
// java.util.Dictionary
|
||||
m
|
||||
.getDeclaringType()
|
||||
m.getDeclaringType()
|
||||
.getSourceDeclaration()
|
||||
.getASourceSupertype*()
|
||||
.hasQualifiedName("java.util", "Dictionary") and
|
||||
|
||||
@@ -421,8 +421,7 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {
|
||||
exists(MethodAccess ma, Method m |
|
||||
ma = node2.asExpr() and
|
||||
m = ma.getMethod() and
|
||||
m
|
||||
.getDeclaringType()
|
||||
m.getDeclaringType()
|
||||
.getSourceDeclaration()
|
||||
.getASourceSupertype*()
|
||||
.hasQualifiedName("java.util", "Stack") and
|
||||
|
||||
@@ -684,8 +684,7 @@ private class FormatterCallable extends TaintPreservingCallable {
|
||||
(
|
||||
this.hasName(["format", "out", "toString"])
|
||||
or
|
||||
this
|
||||
.(Constructor)
|
||||
this.(Constructor)
|
||||
.getParameterType(0)
|
||||
.(RefType)
|
||||
.getASourceSupertype*()
|
||||
|
||||
@@ -25,8 +25,7 @@ class ApacheHttpEntityGetContent extends Method {
|
||||
*/
|
||||
class ApacheHttpRequest extends RefType {
|
||||
ApacheHttpRequest() {
|
||||
this
|
||||
.getASourceSupertype*()
|
||||
this.getASourceSupertype*()
|
||||
.hasQualifiedName("org.apache.http.client.methods", "HttpRequestBase") or
|
||||
this.getASourceSupertype*().hasQualifiedName("org.apache.http.message", "BasicHttpRequest")
|
||||
}
|
||||
|
||||
@@ -36,8 +36,7 @@ class XStreamEnableWhiteListing extends MethodAccess {
|
||||
exists(Field f |
|
||||
this.getAnArgument() = f.getAnAccess() and
|
||||
f.hasName("NONE") and
|
||||
f
|
||||
.getDeclaringType()
|
||||
f.getDeclaringType()
|
||||
.hasQualifiedName("com.thoughtworks.xstream.security", "NoTypePermission")
|
||||
)
|
||||
)
|
||||
|
||||
@@ -263,10 +263,9 @@ private class QueryBuilderAppendMethod extends TaintPreservingCallable {
|
||||
// appendWhere(CharSequence inWhere)
|
||||
// appendWhereStandalone(CharSequence inWhere)
|
||||
// static appendColumns(StringBuilder s, String[] columns)
|
||||
this
|
||||
.hasName([
|
||||
"setProjectionMap", "setTables", "appendWhere", "appendWhereStandalone", "appendColumns"
|
||||
])
|
||||
this.hasName([
|
||||
"setProjectionMap", "setTables", "appendWhere", "appendWhereStandalone", "appendColumns"
|
||||
])
|
||||
}
|
||||
|
||||
override predicate transfersTaint(int src, int sink) {
|
||||
|
||||
@@ -22,8 +22,7 @@ private predicate ocniComment(OCNIComment ocni, Method m) {
|
||||
m.isNative() and
|
||||
// ... and the comment has to be contained in `m`.
|
||||
ocni.getFile() = m.getFile() and
|
||||
ocni.getLocation().getStartLine() in [m.getLocation().getStartLine() .. m
|
||||
.getLocation()
|
||||
ocni.getLocation().getStartLine() in [m.getLocation().getStartLine() .. m.getLocation()
|
||||
.getEndLine()]
|
||||
}
|
||||
|
||||
|
||||
@@ -283,8 +283,7 @@ class SystemExitMethod extends Method {
|
||||
this.hasName("exit") and
|
||||
this.getNumberOfParameters() = 1 and
|
||||
this.getParameter(0).getType().(PrimitiveType).hasName("int") and
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.lang", "System")
|
||||
@@ -300,8 +299,7 @@ class RuntimeExitOrHaltMethod extends Method {
|
||||
(this.hasName("exit") or this.hasName("halt")) and
|
||||
this.getNumberOfParameters() = 1 and
|
||||
this.getParameter(0).getType().(PrimitiveType).hasName("int") and
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.lang", "Runtime")
|
||||
@@ -317,8 +315,7 @@ class RuntimeAddOrRemoveShutdownHookMethod extends Method {
|
||||
(this.hasName("addShutdownHook") or this.hasName("removeShutdownHook")) and
|
||||
this.getNumberOfParameters() = 1 and
|
||||
this.getParameter(0).getType().(RefType).hasQualifiedName("java.lang", "Thread") and
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.lang", "Runtime")
|
||||
@@ -334,8 +331,7 @@ class SystemSetPrintStreamMethod extends Method {
|
||||
(this.hasName("setErr") or this.hasName("setOut")) and
|
||||
this.getNumberOfParameters() = 1 and
|
||||
this.getParameter(0).getType().(RefType).hasQualifiedName("java.io", "PrintStream") and
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.lang", "System")
|
||||
@@ -351,8 +347,7 @@ class SystemSetInputStreamMethod extends Method {
|
||||
this.hasName("setIn") and
|
||||
this.getNumberOfParameters() = 1 and
|
||||
this.getParameter(0).getType().(RefType).hasQualifiedName("java.io", "InputStream") and
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.lang", "System")
|
||||
@@ -367,8 +362,7 @@ class SystemGetSecurityManagerMethod extends Method {
|
||||
SystemGetSecurityManagerMethod() {
|
||||
this.hasName("getSecurityManager") and
|
||||
this.hasNoParameters() and
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.lang", "System")
|
||||
@@ -384,8 +378,7 @@ class SystemSetSecurityManagerMethod extends Method {
|
||||
this.hasName("setSecurityManager") and
|
||||
this.getNumberOfParameters() = 1 and
|
||||
this.getParameter(0).getType().(RefType).hasQualifiedName("java.lang", "SecurityManager") and
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.lang", "System")
|
||||
@@ -400,8 +393,7 @@ class SystemInheritedChannelMethod extends Method {
|
||||
SystemInheritedChannelMethod() {
|
||||
this.hasName("inheritedChannel") and
|
||||
this.hasNoParameters() and
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.lang", "System")
|
||||
@@ -429,8 +421,7 @@ class EnableReplaceObjectMethod extends Method {
|
||||
this.hasName("enableReplaceObject") and
|
||||
this.getNumberOfParameters() = 1 and
|
||||
this.getParameter(0).getType().(PrimitiveType).hasName("boolean") and
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.io", "ObjectOutputStream")
|
||||
@@ -446,8 +437,7 @@ class ReplaceObjectMethod extends Method {
|
||||
this.hasName("replaceObject") and
|
||||
this.getNumberOfParameters() = 1 and
|
||||
this.getParameter(0).getType() instanceof TypeObject and
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.io", "ObjectOutputStream")
|
||||
@@ -463,8 +453,7 @@ class EnableResolveObjectMethod extends Method {
|
||||
this.hasName("enableResolveObject") and
|
||||
this.getNumberOfParameters() = 1 and
|
||||
this.getParameter(0).getType().(PrimitiveType).hasName("boolean") and
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.io", "ObjectInputStream")
|
||||
@@ -480,8 +469,7 @@ class ResolveObjectMethod extends Method {
|
||||
this.hasName("resolveObject") and
|
||||
this.getNumberOfParameters() = 1 and
|
||||
this.getParameter(0).getType() instanceof TypeObject and
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.io", "ObjectInputStream")
|
||||
@@ -497,8 +485,7 @@ class ResolveClassMethod extends Method {
|
||||
this.hasName("resolveClass") and
|
||||
this.getNumberOfParameters() = 1 and
|
||||
this.getParameter(0).getType().(RefType).hasQualifiedName("java.io", "ObjectStreamClass") and
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.io", "ObjectInputStream")
|
||||
@@ -513,15 +500,13 @@ class ResolveProxyClassMethod extends Method {
|
||||
ResolveProxyClassMethod() {
|
||||
this.hasName("resolveProxyClass") and
|
||||
this.getNumberOfParameters() = 1 and
|
||||
this
|
||||
.getParameter(0)
|
||||
this.getParameter(0)
|
||||
.getType()
|
||||
.(Array)
|
||||
.getComponentType()
|
||||
.(RefType)
|
||||
.hasQualifiedName("java.lang", "String") and
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.io", "ObjectInputStream")
|
||||
@@ -545,14 +530,12 @@ class SetSocketFactoryMethod extends Method {
|
||||
SetSocketFactoryMethod() {
|
||||
this.hasName("setSocketFactory") and
|
||||
this.getNumberOfParameters() = 1 and
|
||||
this
|
||||
.getParameter(0)
|
||||
this.getParameter(0)
|
||||
.getType()
|
||||
.(RefType)
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.net", "SocketImplFactory") and
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.net", "ServerSocket")
|
||||
@@ -567,14 +550,12 @@ class SetSocketImplFactoryMethod extends Method {
|
||||
SetSocketImplFactoryMethod() {
|
||||
this.hasName("setSocketImplFactory") and
|
||||
this.getNumberOfParameters() = 1 and
|
||||
this
|
||||
.getParameter(0)
|
||||
this.getParameter(0)
|
||||
.getType()
|
||||
.(RefType)
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.net", "SocketImplFactory") and
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.net", "Socket")
|
||||
@@ -589,14 +570,12 @@ class SetUrlStreamHandlerFactoryMethod extends Method {
|
||||
SetUrlStreamHandlerFactoryMethod() {
|
||||
this.hasName("setURLStreamHandlerFactory") and
|
||||
this.getNumberOfParameters() = 1 and
|
||||
this
|
||||
.getParameter(0)
|
||||
this.getParameter(0)
|
||||
.getType()
|
||||
.(RefType)
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.net", "URLStreamHandlerFactory") and
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.net", "URL")
|
||||
@@ -621,13 +600,11 @@ class SystemOrRuntimeLoadLibraryMethod extends Method {
|
||||
this.getNumberOfParameters() = 1 and
|
||||
this.getParameter(0).getType().(RefType).hasQualifiedName("java.lang", "String") and
|
||||
(
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.lang", "System") or
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.lang", "Runtime")
|
||||
@@ -642,8 +619,7 @@ class SystemOrRuntimeLoadLibraryMethod extends Method {
|
||||
class RuntimeExecMethod extends Method {
|
||||
RuntimeExecMethod() {
|
||||
this.hasName("exec") and
|
||||
this
|
||||
.getDeclaringType()
|
||||
this.getDeclaringType()
|
||||
.getASupertype*()
|
||||
.getSourceDeclaration()
|
||||
.hasQualifiedName("java.lang", "Runtime")
|
||||
|
||||
@@ -208,12 +208,10 @@ class SpringRequestMappingParameter extends Parameter {
|
||||
// HttpEntity is like @RequestBody, but with a wrapper including the headers
|
||||
// TODO model unwrapping aspects
|
||||
getType().(RefType).getASourceSupertype*() instanceof SpringHttpEntity or
|
||||
this
|
||||
.getAnAnnotation()
|
||||
this.getAnAnnotation()
|
||||
.getType()
|
||||
.hasQualifiedName("org.springframework.web.bind.annotation", "RequestAttribute") or
|
||||
this
|
||||
.getAnAnnotation()
|
||||
this.getAnAnnotation()
|
||||
.getType()
|
||||
.hasQualifiedName("org.springframework.web.bind.annotation", "SessionAttribute")
|
||||
}
|
||||
|
||||
@@ -9,8 +9,7 @@ private predicate fileRead(VarAccess fileAccess, Expr fileReadingExpr) {
|
||||
cie = fileReadingExpr and
|
||||
cie.getArgument(0) = fileAccess
|
||||
|
|
||||
cie
|
||||
.getConstructedType()
|
||||
cie.getConstructedType()
|
||||
.hasQualifiedName("java.io", ["RandomAccessFile", "FileReader", "FileInputStream"])
|
||||
)
|
||||
or
|
||||
|
||||
@@ -56,8 +56,7 @@ predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
|
||||
sink = ma.getQualifier() and
|
||||
not exists(DataFlow::ExprNode node |
|
||||
node.getExpr() = sink and
|
||||
node
|
||||
.getTypeBound()
|
||||
node.getTypeBound()
|
||||
.(RefType)
|
||||
.hasQualifiedName("org.apache.commons.io.serialization", "ValidatingObjectInputStream")
|
||||
)
|
||||
|
||||
@@ -20,8 +20,7 @@ class AntTarget extends XMLElement {
|
||||
string getDependsString() {
|
||||
result =
|
||||
"," +
|
||||
this
|
||||
.getAttributeValue("depends")
|
||||
this.getAttributeValue("depends")
|
||||
.replaceAll(" ", "")
|
||||
.replaceAll("\r", "")
|
||||
.replaceAll("\n", "")
|
||||
|
||||
@@ -50,8 +50,7 @@ from EqOrSwitch et, TypeofExpr typeof, ConstantString str
|
||||
where
|
||||
typeof = et.getAnOperand().getUnderlyingValue() and
|
||||
str = et.getAnOperand().getUnderlyingValue() and
|
||||
not str
|
||||
.getStringValue()
|
||||
not str.getStringValue()
|
||||
.regexpMatch("undefined|boolean|number|string|object|function|symbol|unknown|date|bigint")
|
||||
select typeof,
|
||||
"The result of this 'typeof' expression is compared to '$@', but the two can never be equal.",
|
||||
|
||||
@@ -59,8 +59,7 @@ predicate matchesBeginningOfString(RegExpTerm term) {
|
||||
* `i` is bound to the index of the last child in the top-level domain part.
|
||||
*/
|
||||
predicate hasTopLevelDomainEnding(RegExpSequence seq, int i) {
|
||||
seq
|
||||
.getChild(i)
|
||||
seq.getChild(i)
|
||||
.(RegExpConstant)
|
||||
.getValue()
|
||||
.regexpMatch("(?i)" + RegExpPatterns::commonTLD() + "(:\\d+)?([/?#].*)?") and
|
||||
|
||||
@@ -34,8 +34,7 @@ predicate isDangerous(RegExpTerm t) {
|
||||
exists(RegExpSequence seq | seq = t |
|
||||
t.getChild(0).getConstantValue() = "<" and
|
||||
// the `cript|scrip` case has been observed in the wild, not sure what the goal of that pattern is...
|
||||
t
|
||||
.getChild(0)
|
||||
t.getChild(0)
|
||||
.getSuccessor+()
|
||||
.getAMatchedString()
|
||||
.regexpMatch("(?i)iframe|script|cript|scrip|style")
|
||||
|
||||
@@ -80,8 +80,7 @@ private DataFlow::Node goodRandom(DataFlow::TypeTracker t, DataFlow::SourceNode
|
||||
// reading a number from a Buffer.
|
||||
exists(DataFlow::MethodCallNode call | result = call |
|
||||
call.getReceiver() = goodRandom(t2, source) and
|
||||
call
|
||||
.getMethodName()
|
||||
call.getMethodName()
|
||||
.regexpMatch("read(BigInt|BigUInt|Double|Float|Int|UInt)(8|16|32|64)?(BE|LE)?")
|
||||
)
|
||||
)
|
||||
|
||||
@@ -65,8 +65,7 @@ module LdapInjection {
|
||||
sanitize = "(?:escape|saniti[sz]e|validate|filter)" and
|
||||
input = "[Ii]nput?"
|
||||
|
|
||||
this
|
||||
.getCalleeName()
|
||||
this.getCalleeName()
|
||||
.regexpMatch("(?i)(" + sanitize + input + ")" + "|(" + input + sanitize + ")")
|
||||
)
|
||||
}
|
||||
|
||||
@@ -38,8 +38,7 @@ private predicate codeGeneratorMarkerComment(Comment c, string tool) {
|
||||
toolPattern =
|
||||
"js_of_ocaml|CoffeeScript|LiveScript|dart2js|ANTLR|PEG\\.js|Opal|JSX|jison(?:-lex)?|(?:Microsoft \\(R\\) AutoRest Code Generator)|purs" and
|
||||
tool =
|
||||
c
|
||||
.getText()
|
||||
c.getText()
|
||||
.regexpCapture("(?s)[\\s*]*(?:parser |Code )?[gG]eneratedy? (?:from .*)?by (" +
|
||||
toolPattern + ")\\b.*", 1)
|
||||
)
|
||||
@@ -55,9 +54,8 @@ private class GenericGeneratedCodeMarkerComment extends GeneratedCodeMarkerComme
|
||||
entity = "code|file|class|interface|art[ei]fact|module|script" and
|
||||
was = "was|is|has been" and
|
||||
automatically = "automatically |mechanically |auto[- ]?" and
|
||||
line
|
||||
.regexpMatch("(?i).*\\b(This|The following) (" + entity + ") (" + was + ") (" +
|
||||
automatically + ")?gener(e?)ated\\b.*")
|
||||
line.regexpMatch("(?i).*\\b(This|The following) (" + entity + ") (" + was + ") (" +
|
||||
automatically + ")?gener(e?)ated\\b.*")
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -68,8 +68,7 @@ abstract class Module extends TopLevel {
|
||||
or
|
||||
// a re-export using spread-operator. E.g. `const foo = require("./foo"); module.exports = {bar: bar, ...foo};`
|
||||
exists(ObjectExpr obj | obj = this.(NodeModule).getAModuleExportsNode().asExpr() |
|
||||
obj
|
||||
.getAProperty()
|
||||
obj.getAProperty()
|
||||
.(SpreadProperty)
|
||||
.getInit()
|
||||
.(SpreadElement)
|
||||
|
||||
@@ -83,8 +83,7 @@ class NodeModule extends Module {
|
||||
// a re-export using spread-operator. E.g. `const foo = require("./foo"); module.exports = {bar: bar, ...foo};`
|
||||
exists(ObjectExpr obj | obj = getAModuleExportsNode().asExpr() |
|
||||
result =
|
||||
obj
|
||||
.getAProperty()
|
||||
obj.getAProperty()
|
||||
.(SpreadProperty)
|
||||
.getInit()
|
||||
.(SpreadElement)
|
||||
|
||||
@@ -602,8 +602,7 @@ class SsaVariableCapture extends SsaImplicitDefinition, TCapture {
|
||||
string filepath, int startline, int startcolumn, int endline, int endcolumn
|
||||
) {
|
||||
exists(ReachableBasicBlock bb, int i | definesAt(bb, i, _) |
|
||||
bb
|
||||
.getNode(i)
|
||||
bb.getNode(i)
|
||||
.getLocation()
|
||||
.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
|
||||
)
|
||||
|
||||
@@ -336,8 +336,7 @@ module DataFlow {
|
||||
override predicate hasLocationInfo(
|
||||
string filepath, int startline, int startcolumn, int endline, int endcolumn
|
||||
) {
|
||||
prop
|
||||
.(Locatable)
|
||||
prop.(Locatable)
|
||||
.getLocation()
|
||||
.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
|
||||
}
|
||||
|
||||
@@ -846,8 +846,7 @@ private class ApplicationInsightsInstance extends FrameworkLibraryInstance {
|
||||
|
||||
ApplicationInsightsInstance() {
|
||||
version =
|
||||
this
|
||||
.(TopLevel)
|
||||
this.(TopLevel)
|
||||
.getFile()
|
||||
.getAbsolutePath()
|
||||
.regexpCapture(any(ApplicationInsights t).getAURLRegex(), 1)
|
||||
@@ -891,8 +890,7 @@ private class TwitterTextClassic extends FrameworkLibraryWithURLRegex {
|
||||
*/
|
||||
private class TwitterTextClassicInstance extends FrameworkLibraryInstance {
|
||||
TwitterTextClassicInstance() {
|
||||
this
|
||||
.(TopLevel)
|
||||
this.(TopLevel)
|
||||
.getFile()
|
||||
.getAbsolutePath()
|
||||
.regexpMatch(any(TwitterTextClassic t).getAURLRegex())
|
||||
|
||||
@@ -153,8 +153,7 @@ private class TemplateFieldNgSourceProvider extends NgSourceProvider {
|
||||
TemplateFieldNgSourceProvider() {
|
||||
this = directive.getMember("template").asExpr() and
|
||||
source =
|
||||
this
|
||||
.(ConstantString)
|
||||
this.(ConstantString)
|
||||
.getStringValue()
|
||||
.regexpFind(getInterpolatedExpressionPattern(), _, offset)
|
||||
}
|
||||
|
||||
@@ -217,8 +217,7 @@ predicate isMultiLicenseBundle(TopLevel tl) {
|
||||
// case: ordinary block comments lines that start with a license
|
||||
count(BlockComment head |
|
||||
head.getTopLevel() = tl and
|
||||
head
|
||||
.getLine(_)
|
||||
head.getLine(_)
|
||||
.regexpMatch("(?i)[\\s*]*(@license\\b.*|The [a-z0-9-]+ License (\\([a-z0-9-]+\\))?\\s*)")
|
||||
) > 1
|
||||
}
|
||||
|
||||
@@ -792,8 +792,7 @@ module ClientRequest {
|
||||
this = cmd and
|
||||
(
|
||||
cmd.getACommandArgument().getStringValue() = "curl" or
|
||||
cmd
|
||||
.getACommandArgument()
|
||||
cmd.getACommandArgument()
|
||||
.(StringOps::ConcatenationRoot)
|
||||
.getConstantStringParts()
|
||||
.regexpMatch("curl .*")
|
||||
|
||||
@@ -114,8 +114,7 @@ module Fastify {
|
||||
if methodName = "route"
|
||||
then
|
||||
result =
|
||||
this
|
||||
.flow()
|
||||
this.flow()
|
||||
.(DataFlow::MethodCallNode)
|
||||
.getOptionArgument(0,
|
||||
[
|
||||
|
||||
@@ -298,9 +298,8 @@ module Koa {
|
||||
|
||||
ResponseSendArgument() {
|
||||
exists(DataFlow::PropWrite pwn |
|
||||
pwn
|
||||
.writes(DataFlow::valueNode(rh.getAResponseOrContextExpr()), "body",
|
||||
DataFlow::valueNode(this))
|
||||
pwn.writes(DataFlow::valueNode(rh.getAResponseOrContextExpr()), "body",
|
||||
DataFlow::valueNode(this))
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
@@ -72,8 +72,7 @@ private predicate neverReturnsJQuery(string name) {
|
||||
decl.getBaseName() = "jQuery" and
|
||||
decl.getName() = name
|
||||
|
|
||||
not decl
|
||||
.getDocumentation()
|
||||
not decl.getDocumentation()
|
||||
.getATagByTitle("return")
|
||||
.getType()
|
||||
.getAnUnderlyingType()
|
||||
@@ -364,11 +363,10 @@ private module JQueryClientRequest {
|
||||
*/
|
||||
private DataFlow::SourceNode getAResponseNodeFromAnXHRObject(DataFlow::SourceNode obj) {
|
||||
result =
|
||||
obj
|
||||
.getAPropertyRead(any(string s |
|
||||
s = "responseText" or
|
||||
s = "responseXML"
|
||||
))
|
||||
obj.getAPropertyRead(any(string s |
|
||||
s = "responseText" or
|
||||
s = "responseXML"
|
||||
))
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -63,8 +63,7 @@ module CleartextLogging {
|
||||
)
|
||||
or
|
||||
// avoid i18n strings
|
||||
this
|
||||
.(DataFlow::PropRead)
|
||||
this.(DataFlow::PropRead)
|
||||
.getBase()
|
||||
.asExpr()
|
||||
.(VarRef)
|
||||
|
||||
@@ -63,8 +63,7 @@ module Shared {
|
||||
class QuoteGuard extends SanitizerGuard, StringOps::Includes {
|
||||
QuoteGuard() {
|
||||
this.getSubstring().mayHaveStringValue("\"") and
|
||||
this
|
||||
.getBaseString()
|
||||
this.getBaseString()
|
||||
.getALocalSource()
|
||||
.flowsTo(any(IncompleteHTML::HtmlAttributeConcatenation attributeConcat))
|
||||
}
|
||||
|
||||
@@ -69,8 +69,7 @@ module XssThroughDom {
|
||||
) and
|
||||
// looks like a $("<p>" + ... ) source, which is benign for this query.
|
||||
not exists(DataFlow::Node prefix |
|
||||
DomBasedXss::isPrefixOfJQueryHtmlString(this
|
||||
.getReceiver()
|
||||
DomBasedXss::isPrefixOfJQueryHtmlString(this.getReceiver()
|
||||
.(DataFlow::CallNode)
|
||||
.getAnArgument(), prefix)
|
||||
|
|
||||
|
||||
@@ -17,9 +17,8 @@ private string commonTopLevelDomainRegex() { result = "com|org|edu|gov|uk|net|io
|
||||
|
||||
predicate looksLikeUrl(StrConst s) {
|
||||
exists(string text | text = s.getText() |
|
||||
text
|
||||
.regexpMatch("(?i)([a-z]*:?//)?\\.?([a-z0-9-]+\\.)+(" + commonTopLevelDomainRegex() +
|
||||
")(:[0-9]+)?/?")
|
||||
text.regexpMatch("(?i)([a-z]*:?//)?\\.?([a-z0-9-]+\\.)+(" + commonTopLevelDomainRegex() +
|
||||
")(:[0-9]+)?/?")
|
||||
or
|
||||
// target is a HTTP URL to a domain on any TLD
|
||||
text.regexpMatch("(?i)https?://([a-z0-9-]+\\.)+([a-z]+)(:[0-9]+)?/?")
|
||||
|
||||
@@ -184,8 +184,7 @@ predicate ssa_consistency(string clsname, string problem, string what) {
|
||||
/* Minimality of phi nodes */
|
||||
exists(SsaVariable var |
|
||||
strictcount(var.getAPhiInput()) = 1 and
|
||||
var
|
||||
.getAPhiInput()
|
||||
var.getAPhiInput()
|
||||
.getDefinition()
|
||||
.getBasicBlock()
|
||||
.strictlyDominates(var.getDefinition().getBasicBlock())
|
||||
|
||||
@@ -607,8 +607,7 @@ class TaintTrackingImplementation extends string {
|
||||
TaintTrackingNode src, DataFlow::Node node, TaintTrackingContext context, AttributePath path,
|
||||
TaintKind kind, string edgeLabel
|
||||
) {
|
||||
this
|
||||
.(EssaTaintTracking)
|
||||
this.(EssaTaintTracking)
|
||||
.taintedDefinition(src, node.asVariable().getDefinition(), context, path, kind) and
|
||||
edgeLabel = ""
|
||||
}
|
||||
|
||||
@@ -95,8 +95,7 @@ private predicate dont_modify(File f) {
|
||||
private predicate auto_generated(File f) {
|
||||
exists(Comment c |
|
||||
c.getLocation().getFile() = f and
|
||||
c
|
||||
.getText()
|
||||
c.getText()
|
||||
.regexpMatch("(?is)# *this +(code|file) +is +(auto(matically)?[ -]?generated|created automatically).*")
|
||||
)
|
||||
}
|
||||
|
||||
@@ -84,8 +84,7 @@ class Value extends TObject {
|
||||
predicate hasLocationInfo(
|
||||
string filepath, int startline, int startcolumn, int endline, int endcolumn
|
||||
) {
|
||||
this
|
||||
.(ObjectInternal)
|
||||
this.(ObjectInternal)
|
||||
.getOrigin()
|
||||
.getLocation()
|
||||
.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
|
||||
|
||||
@@ -75,8 +75,7 @@ class Object extends @py_object {
|
||||
string filepath, int startline, int startcolumn, int endline, int endcolumn
|
||||
) {
|
||||
this.hasOrigin() and
|
||||
this
|
||||
.getOrigin()
|
||||
this.getOrigin()
|
||||
.getLocation()
|
||||
.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
|
||||
or
|
||||
|
||||
Reference in New Issue
Block a user