hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 10:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Minor updates

Browse Source
This commit is contained in:
luchua-bc
2020-10-28 20:23:22 +00:00
parent 99c79f4aa3
commit 908d659906
5 changed files with 241 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
java/ql/src/experimental/Security/CWE/CWE-532/SensitiveInfoLog.ql
View File

@@ -9,21 +9,21 @@
import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.security.SensitiveActions
import DataFlow
import PathGraph
/**
* Gets a regular expression for matching names of variables that indicate the value being held is a credential
* Gets a regular expression for matching names of variables that indicate the value being held may contain sensitive information
*/
private string getACredentialRegex() {
result = "(?i).*challenge|pass(wd|word|code|phrase)(?!.*question).*" or
result = "(?i)(.*username|.*secret|url).*"
result = "(?i)(.*uri|url).*"
}
/** Variable keeps sensitive information judging by its name * */
class CredentialExpr extends Expr {
CredentialExpr() {
exists(Variable v | this = v.getAnAccess() | v.getName().regexpMatch(getACredentialRegex()))
exists(Variable v | this = v.getAnAccess() | v.getName().regexpMatch([getCommonSensitiveInfoRegex(), getACredentialRegex()]))
}
}

8
java/ql/src/experimental/Security/CWE/CWE-927/SensitiveBroadcast.ql
View File

@@ -12,6 +12,7 @@ import semmle.code.java.dataflow.DataFlow3
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.frameworks.android.Intent
import semmle.code.java.security.SensitiveActions
import DataFlow::PathGraph
/**
* Gets regular expression for matching names of Android variables that indicate the value being held contains sensitive information.
@@ -23,7 +24,10 @@ private string getAndroidSensitiveInfoRegex() { result = "(?i).*(email|phone|tic
*/
class PutIntentExtraMethodAccess extends MethodAccess {
PutIntentExtraMethodAccess() {
getMethod().getName().regexpMatch("put\\w*Extra(s?)") and
(
getMethod().getName().matches("put%Extra") or
getMethod().hasName("putExtras")
) and
getMethod().getDeclaringType() instanceof TypeIntent
}
}
@@ -138,7 +142,7 @@ class SensitiveBroadcastConfig extends TaintTracking::Configuration {
override predicate isSink(DataFlow::Node sink) { isSensitiveBroadcastSink(sink) }
/**
* Holds if there is an additional flow step from `PutIntentExtraMethodAccess` or `PutBundleExtraMethodAccess` to a broadcast intent.
* Holds if there is an additional flow step from `PutIntentExtraMethodAccess` or `PutBundleExtraMethodAccess` that taints the `Intent` or its extras `Bundle`.
*/
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(PutIntentExtraMethodAccess pia |

58
java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.expected
View File

@@ -1,12 +1,46 @@
| SensitiveBroadcast.java:13:31:13:36 | intent | SensitiveBroadcast.java:11:34:11:38 | token : String | SensitiveBroadcast.java:13:31:13:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:11:34:11:38 | token | sensitive information |
| SensitiveBroadcast.java:13:31:13:36 | intent | SensitiveBroadcast.java:12:41:12:52 | refreshToken : String | SensitiveBroadcast.java:13:31:13:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:12:41:12:52 | refreshToken | sensitive information |
| SensitiveBroadcast.java:25:31:25:36 | intent | SensitiveBroadcast.java:23:33:23:40 | userName : String | SensitiveBroadcast.java:25:31:25:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:23:33:23:40 | userName | sensitive information |
| SensitiveBroadcast.java:25:31:25:36 | intent | SensitiveBroadcast.java:24:32:24:39 | password : String | SensitiveBroadcast.java:25:31:25:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:24:32:24:39 | password | sensitive information |
| SensitiveBroadcast.java:37:31:37:36 | intent | SensitiveBroadcast.java:35:41:35:45 | email : String | SensitiveBroadcast.java:37:31:37:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:35:41:35:45 | email | sensitive information |
| SensitiveBroadcast.java:49:31:49:36 | intent | SensitiveBroadcast.java:47:33:47:40 | username : String | SensitiveBroadcast.java:49:31:49:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:47:33:47:40 | username | sensitive information |
| SensitiveBroadcast.java:49:31:49:36 | intent | SensitiveBroadcast.java:48:32:48:39 | password : String | SensitiveBroadcast.java:49:31:49:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:48:32:48:39 | password | sensitive information |
| SensitiveBroadcast.java:95:54:95:59 | intent | SensitiveBroadcast.java:94:35:94:40 | ticket : String | SensitiveBroadcast.java:95:54:95:59 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:94:35:94:40 | ticket | sensitive information |
| SensitiveBroadcast.java:108:54:108:59 | intent | SensitiveBroadcast.java:105:33:105:40 | username : String | SensitiveBroadcast.java:108:54:108:59 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:105:33:105:40 | username | sensitive information |
| SensitiveBroadcast.java:108:54:108:59 | intent | SensitiveBroadcast.java:106:32:106:39 | password : String | SensitiveBroadcast.java:108:54:108:59 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:106:32:106:39 | password | sensitive information |
| SensitiveBroadcast.java:139:54:139:59 | intent | SensitiveBroadcast.java:134:40:134:47 | username : String | SensitiveBroadcast.java:139:54:139:59 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:134:40:134:47 | username | sensitive information |
| SensitiveBroadcast.java:139:54:139:59 | intent | SensitiveBroadcast.java:135:39:135:46 | password : String | SensitiveBroadcast.java:139:54:139:59 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:135:39:135:46 | password | sensitive information |
edges
| SensitiveBroadcast.java:12:34:12:38 | token : String | SensitiveBroadcast.java:14:31:14:36 | intent |
| SensitiveBroadcast.java:13:41:13:52 | refreshToken : String | SensitiveBroadcast.java:14:31:14:36 | intent |
| SensitiveBroadcast.java:24:33:24:40 | userName : String | SensitiveBroadcast.java:26:31:26:36 | intent |
| SensitiveBroadcast.java:25:32:25:39 | password : String | SensitiveBroadcast.java:26:31:26:36 | intent |
| SensitiveBroadcast.java:36:35:36:39 | email : String | SensitiveBroadcast.java:38:31:38:36 | intent |
| SensitiveBroadcast.java:49:22:49:29 | username : String | SensitiveBroadcast.java:52:31:52:36 | intent |
| SensitiveBroadcast.java:50:22:50:29 | password : String | SensitiveBroadcast.java:52:31:52:36 | intent |
| SensitiveBroadcast.java:97:35:97:40 | ticket : String | SensitiveBroadcast.java:98:54:98:59 | intent |
| SensitiveBroadcast.java:108:33:108:40 | username : String | SensitiveBroadcast.java:111:54:111:59 | intent |
| SensitiveBroadcast.java:109:32:109:39 | password : String | SensitiveBroadcast.java:111:54:111:59 | intent |
| SensitiveBroadcast.java:135:34:135:41 | username : String | SensitiveBroadcast.java:140:54:140:59 | intent |
| SensitiveBroadcast.java:136:33:136:40 | password : String | SensitiveBroadcast.java:140:54:140:59 | intent |
nodes
| SensitiveBroadcast.java:12:34:12:38 | token : String | semmle.label | token : String |
| SensitiveBroadcast.java:13:41:13:52 | refreshToken : String | semmle.label | refreshToken : String |
| SensitiveBroadcast.java:14:31:14:36 | intent | semmle.label | intent |
| SensitiveBroadcast.java:24:33:24:40 | userName : String | semmle.label | userName : String |
| SensitiveBroadcast.java:25:32:25:39 | password : String | semmle.label | password : String |
| SensitiveBroadcast.java:26:31:26:36 | intent | semmle.label | intent |
| SensitiveBroadcast.java:36:35:36:39 | email : String | semmle.label | email : String |
| SensitiveBroadcast.java:38:31:38:36 | intent | semmle.label | intent |
| SensitiveBroadcast.java:49:22:49:29 | username : String | semmle.label | username : String |
| SensitiveBroadcast.java:50:22:50:29 | password : String | semmle.label | password : String |
| SensitiveBroadcast.java:52:31:52:36 | intent | semmle.label | intent |
| SensitiveBroadcast.java:97:35:97:40 | ticket : String | semmle.label | ticket : String |
| SensitiveBroadcast.java:98:54:98:59 | intent | semmle.label | intent |
| SensitiveBroadcast.java:108:33:108:40 | username : String | semmle.label | username : String |
| SensitiveBroadcast.java:109:32:109:39 | password : String | semmle.label | password : String |
| SensitiveBroadcast.java:111:54:111:59 | intent | semmle.label | intent |
| SensitiveBroadcast.java:135:34:135:41 | username : String | semmle.label | username : String |
| SensitiveBroadcast.java:136:33:136:40 | password : String | semmle.label | password : String |
| SensitiveBroadcast.java:140:54:140:59 | intent | semmle.label | intent |
#select
| SensitiveBroadcast.java:14:31:14:36 | intent | SensitiveBroadcast.java:12:34:12:38 | token : String | SensitiveBroadcast.java:14:31:14:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:12:34:12:38 | token | sensitive information |
| SensitiveBroadcast.java:14:31:14:36 | intent | SensitiveBroadcast.java:13:41:13:52 | refreshToken : String | SensitiveBroadcast.java:14:31:14:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:13:41:13:52 | refreshToken | sensitive information |
| SensitiveBroadcast.java:26:31:26:36 | intent | SensitiveBroadcast.java:24:33:24:40 | userName : String | SensitiveBroadcast.java:26:31:26:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:24:33:24:40 | userName | sensitive information |
| SensitiveBroadcast.java:26:31:26:36 | intent | SensitiveBroadcast.java:25:32:25:39 | password : String | SensitiveBroadcast.java:26:31:26:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:25:32:25:39 | password | sensitive information |
| SensitiveBroadcast.java:38:31:38:36 | intent | SensitiveBroadcast.java:36:35:36:39 | email : String | SensitiveBroadcast.java:38:31:38:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:36:35:36:39 | email | sensitive information |
| SensitiveBroadcast.java:52:31:52:36 | intent | SensitiveBroadcast.java:49:22:49:29 | username : String | SensitiveBroadcast.java:52:31:52:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:49:22:49:29 | username | sensitive information |
| SensitiveBroadcast.java:52:31:52:36 | intent | SensitiveBroadcast.java:50:22:50:29 | password : String | SensitiveBroadcast.java:52:31:52:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:50:22:50:29 | password | sensitive information |
| SensitiveBroadcast.java:98:54:98:59 | intent | SensitiveBroadcast.java:97:35:97:40 | ticket : String | SensitiveBroadcast.java:98:54:98:59 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:97:35:97:40 | ticket | sensitive information |
| SensitiveBroadcast.java:111:54:111:59 | intent | SensitiveBroadcast.java:108:33:108:40 | username : String | SensitiveBroadcast.java:111:54:111:59 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:108:33:108:40 | username | sensitive information |
| SensitiveBroadcast.java:111:54:111:59 | intent | SensitiveBroadcast.java:109:32:109:39 | password : String | SensitiveBroadcast.java:111:54:111:59 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:109:32:109:39 | password | sensitive information |
| SensitiveBroadcast.java:140:54:140:59 | intent | SensitiveBroadcast.java:135:34:135:41 | username : String | SensitiveBroadcast.java:140:54:140:59 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:135:34:135:41 | username | sensitive information |
| SensitiveBroadcast.java:140:54:140:59 | intent | SensitiveBroadcast.java:136:33:136:40 | password : String | SensitiveBroadcast.java:140:54:140:59 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:136:33:136:40 | password | sensitive information |

42
java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.java
View File

@@ -1,6 +1,7 @@
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import java.util.ArrayList;
class SensitiveBroadcast {
@@ -32,7 +33,7 @@ class SensitiveBroadcast {
Intent intent = new Intent();
intent.setAction("com.example.custom_action");
Bundle bundle = new Bundle();
bundle.putCharSequence("email", email);
bundle.putString("email", email);
intent.putExtras(bundle);
context.sendBroadcast(intent);
}
@@ -44,8 +45,10 @@ class SensitiveBroadcast {
Intent intent = new Intent();
intent.setAction("com.example.custom_action");
intent.putExtra("name", username);
intent.putExtra("pwd", password);
ArrayList<String> userinfo = new ArrayList<String>();
userinfo.add(username);
userinfo.add(password);
intent.putStringArrayListExtra("userinfo", userinfo);
context.sendBroadcast(intent, null);
}
@@ -115,15 +118,13 @@ class SensitiveBroadcast {
Intent intent = new Intent();
intent.setAction("com.example.custom_action");
Bundle bundle = new Bundle();
bundle.putCharSequence("name", username);
bundle.putCharSequence("pwd", password);
intent.putExtras(bundle);
intent.putExtra("name", username);
intent.putExtra("pwd", password);
String[] perms = new String[]{"com.example.custom_action", "com.example.custom_action2"};
context.sendBroadcastWithMultiplePermissions(intent, perms);
}
// BAD - Tests broadcast of sensitive user information with multiple permissions using empty array initialization through two variables.
// BAD - Tests broadcast of sensitive user information with multiple permissions using empty array initialization through two variables and `intent.putExtras(bundle)`.
public void sendBroadcast11(Context context) {
String username = "test123";
String password = "abc12345";
@@ -131,19 +132,38 @@ class SensitiveBroadcast {
Intent intent = new Intent();
intent.setAction("com.example.custom_action");
Bundle bundle = new Bundle();
bundle.putCharSequence("name", username);
bundle.putCharSequence("pwd", password);
bundle.putString("name", username);
bundle.putString("pwd", password);
intent.putExtras(bundle);
String[] perms = new String[0];
String[] perms2 = perms;
context.sendBroadcastWithMultiplePermissions(intent, perms2);
}
// GOOD - Tests broadcast of sensitive user information with ordered broadcast.
/**
* BAD - Tests broadcast of sensitive user information with multiple permissions using empty array initialization through two variables and `intent.getExtras().putString()`.
* Note this case of `getExtras().putString(...)` is not yet detected thus is beyond what the query is capable of.
*/
public void sendBroadcast12(Context context) {
String username = "test123";
String password = "abc12345";
Intent intent = new Intent();
intent.setAction("com.example.custom_action");
Bundle bundle = new Bundle();
intent.putExtras(bundle);
intent.getExtras().putString("name", username);
intent.getExtras().putString("pwd", password);
String[] perms = new String[0];
String[] perms2 = perms;
context.sendBroadcastWithMultiplePermissions(intent, perms2);
}
// GOOD - Tests broadcast of sensitive user information with ordered broadcast.
public void sendBroadcast13(Context context) {
String username = "test123";
String password = "abc12345";
Intent intent = new Intent();
intent.setAction("com.example.custom_action");
intent.putExtra("name", username);

154
java/ql/test/stubs/google-android-9.0.0/android/os/BaseBundle.java
View File

@@ -129,6 +129,160 @@ public class BaseBundle {
return false;
}
/**
* Returns true if the given key is contained in the mapping
* of this Bundle.
*
* @param key a String key
* @return true if the key is part of the mapping, false otherwise
*/
public boolean containsKey(String key) {
return false;
}
/**
* Returns the entry with the given key as an object.
*
* @param key a String key
* @return an Object, or null
*/
public Object get(String key) {
return null;
}
/**
* Removes any entry with the given key from the mapping of this Bundle.
*
* @param key a String key
*/
public void remove(String key) {
}
/** {@hide} */
public void putObject(String key, Object value) {
}
/**
* Inserts a Boolean value into the mapping of this Bundle, replacing
* any existing value for the given key. Either key or value may be null.
*
* @param key a String, or null
* @param value a boolean
*/
public void putBoolean(String key, boolean value) {
}
/**
* Inserts a byte value into the mapping of this Bundle, replacing
* any existing value for the given key.
*
* @param key a String, or null
* @param value a byte
*/
void putByte(String key, byte value) {
}
/**
* Inserts a char value into the mapping of this Bundle, replacing
* any existing value for the given key.
*
* @param key a String, or null
* @param value a char
*/
void putChar(String key, char value) {
}
/**
* Inserts a short value into the mapping of this Bundle, replacing
* any existing value for the given key.
*
* @param key a String, or null
* @param value a short
*/
void putShort(String key, short value) {
}
/**
* Inserts an int value into the mapping of this Bundle, replacing
* any existing value for the given key.
*
* @param key a String, or null
* @param value an int
*/
public void putInt(String key, int value) {
}
/**
* Inserts a long value into the mapping of this Bundle, replacing
* any existing value for the given key.
*
* @param key a String, or null
* @param value a long
*/
public void putLong(String key, long value) {
}
/**
* Inserts a float value into the mapping of this Bundle, replacing
* any existing value for the given key.
*
* @param key a String, or null
* @param value a float
*/
void putFloat(String key, float value) {
}
/**
* Inserts a double value into the mapping of this Bundle, replacing
* any existing value for the given key.
*
* @param key a String, or null
* @param value a double
*/
public void putDouble(String key, double value) {
}
/**
* Inserts a String value into the mapping of this Bundle, replacing
* any existing value for the given key. Either key or value may be null.
*
* @param key a String, or null
* @param value a String, or null
*/
public void putString(String key, String value) {
}
/**
* Inserts a CharSequence value into the mapping of this Bundle, replacing
* any existing value for the given key. Either key or value may be null.
*
* @param key a String, or null
* @param value a CharSequence, or null
*/
void putCharSequence(String key, CharSequence value) {
}
/**
* Inserts an ArrayList<Integer> value into the mapping of this Bundle, replacing
* any existing value for the given key. Either key or value may be null.
*
* @param key a String, or null
* @param value an ArrayList<Integer> object, or null
*/
void putIntegerArrayList(String key, ArrayList<Integer> value) {
}
/**
* Inserts an ArrayList<String> value into the mapping of this Bundle, replacing
* any existing value for the given key. Either key or value may be null.
*
* @param key a String, or null
* @param value an ArrayList<String> object, or null
*/
void putStringArrayList(String key, ArrayList<String> value) {
}
/**
* Inserts an ArrayList<CharSequence> value into the mapping of this Bundle,
* replacing any existing value for the given key. Either key or value may be