hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 01:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into amammad-java-JWT

Browse Source
This commit is contained in:
Am
2024-07-28 13:03:23 +03:30
committed by GitHub
parent 6538a06f29 e1329dff72
commit 96c142bf0a
191 changed files with 91335 additions and 5118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
java/ql/automodel/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/java-automodel-queries
version: 1.0.4
version: 1.0.5-dev
groups:
- java
- automodel

4
java/ql/lib/change-notes/2024-06-14-reverse-dns-separate-threat-model-kind.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: majorAnalysis
---
* We previously considered reverse DNS resolutions (IP address -> domain name) as sources of untrusted data, since compromised/malicious DNS servers could potentially return malicious responses to arbitrary requests. We have now removed this source from the default set of untrusted sources and made a new threat model kind for them, called "reverse-dns". You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see [Analyzing your code with CodeQL queries](https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data>) and [Customizing your advanced setup for code scanning](https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models).

4
java/ql/lib/change-notes/2024-07-16-add-models-for-the-lastaflute-framework.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Adds models for request handlers using the `org.lastaflute.web` web framework.

4
java/ql/lib/change-notes/2024-07-24-url-fields-inherit-taint.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added flow through some methods of the class `java.net.URL` by ensuring that the fields of a URL are tainted.

3
java/ql/lib/ext/org.apache.commons.lang3.model.yml
View File

@@ -3,6 +3,9 @@ extensions:
pack: codeql/java-all
extensible: sinkModel
data:
# Note these sinks do not use the sink kind `regex-use[0]` because the regex injection query needs to select them separately from
# other `regex-use[0]` sinks in order to avoid FPs. As a result, these sinks are currently not used in the polynomial ReDoS query.
# TODO: refactor the `regex-use%` sink kind so that the polynomial ReDoS query can also use these sinks.
- ["org.apache.commons.lang3", "RegExUtils", False, "removeAll", "(String,String)", "", "Argument[1]", "regex-use", "manual"]
- ["org.apache.commons.lang3", "RegExUtils", False, "removeFirst", "(String,String)", "", "Argument[1]", "regex-use", "manual"]
- ["org.apache.commons.lang3", "RegExUtils", False, "removePattern", "(String,String)", "", "Argument[1]", "regex-use", "manual"]

6
java/ql/lib/ext/org.lastaflute.web.model.yml Normal file
View File

@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sourceModel
data:
- ["org.lastaflute.web", "Execute", False, "", "", "Annotated", "Parameter", "remote", "manual"]

9
java/ql/lib/ext/org.lastaflute.web.ruts.multipart.model.yml Normal file
View File

@@ -0,0 +1,9 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["org.lastaflute.web.ruts.multipart", "MultipartFormFile", True, "getContentType", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["org.lastaflute.web.ruts.multipart", "MultipartFormFile", True, "getFileData", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["org.lastaflute.web.ruts.multipart", "MultipartFormFile", True, "getFileName", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["org.lastaflute.web.ruts.multipart", "MultipartFormFile", True, "getInputStream", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]

2
java/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/java-all
version: 2.0.0
version: 2.0.1-dev
groups: java
dbscheme: config/semmlecode.dbscheme
extractor: java

33
java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
View File

@@ -119,21 +119,6 @@ private predicate variableStep(Expr tracked, VarAccess sink) {
)
}
private class ReverseDnsSource extends RemoteFlowSource {
ReverseDnsSource() {
// Try not to trigger on `localhost`.
exists(MethodCall m | m = this.asExpr() |
m.getMethod() instanceof ReverseDnsMethod and
not exists(MethodCall l |
(variableStep(l, m.getQualifier()) or l = m.getQualifier()) and
(l.getMethod().getName() = "getLocalHost" or l.getMethod().getName() = "getLoopbackAddress")
)
)
}
override string getSourceType() { result = "reverse DNS lookup" }
}
private class MessageBodyReaderParameterSource extends RemoteFlowSource {
MessageBodyReaderParameterSource() {
exists(MessageBodyReaderRead m |
@@ -388,6 +373,24 @@ class AndroidJavascriptInterfaceMethodParameter extends RemoteFlowSource {
}
}
/** A node with input that comes from a reverse DNS lookup. */
abstract class ReverseDnsUserInput extends UserInput {
override string getThreatModel() { result = "reverse-dns" }
}
private class ReverseDnsSource extends ReverseDnsUserInput {
ReverseDnsSource() {
// Try not to trigger on `localhost`.
exists(MethodCall m | m = this.asExpr() |
m.getMethod() instanceof ReverseDnsMethod and
not exists(MethodCall l |
(variableStep(l, m.getQualifier()) or l = m.getQualifier()) and
(l.getMethod().getName() = "getLocalHost" or l.getMethod().getName() = "getLoopbackAddress")
)
)
}
}
/**
* A data flow source node for an API, which should be considered
* supported for a modeling perspective.

1
java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll
View File

@@ -22,6 +22,7 @@ private module Frameworks {
private import semmle.code.java.frameworks.IoJsonWebToken
private import semmle.code.java.frameworks.jackson.JacksonSerializability
private import semmle.code.java.frameworks.InputStream
private import semmle.code.java.frameworks.Networking
private import semmle.code.java.frameworks.Properties
private import semmle.code.java.frameworks.Protobuf
private import semmle.code.java.frameworks.ThreadLocal

8
java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
View File

@@ -356,8 +356,12 @@ RefType getErasedRepr(Type t) {
t instanceof NullType and result instanceof TypeObject
}
class DataFlowType extends SrcRefType {
final private class SrcRefTypeFinal = SrcRefType;
class DataFlowType extends SrcRefTypeFinal {
DataFlowType() { this = getErasedRepr(_) }
string toString() { result = ppReprType(this) }
}
pragma[nomagic]
@@ -371,7 +375,7 @@ DataFlowType getNodeType(Node n) {
}
/** Gets a string representation of a type returned by `getErasedRepr`. */
string ppReprType(DataFlowType t) {
private string ppReprType(SrcRefType t) {
if t.(BoxedType).getPrimitiveType().getName() = "double"
then result = "Number"
else result = t.toString()

7
java/ql/lib/semmle/code/java/frameworks/Networking.qll
View File

@@ -3,6 +3,8 @@
*/
import semmle.code.java.Type
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.FlowSteps
/** The type `java.net.URLConnection`. */
class TypeUrlConnection extends RefType {
@@ -24,6 +26,11 @@ class TypeUrl extends RefType {
TypeUrl() { this.hasQualifiedName("java.net", "URL") }
}
/** Specifies that if a `URL` is tainted, then so are its synthetic fields. */
private class UrlFieldsInheritTaint extends DataFlow::SyntheticFieldContent, TaintInheritingContent {
UrlFieldsInheritTaint() { this.getField().matches("java.net.URL.%") }
}
/** The type `java.net.URLDecoder`. */
class TypeUrlDecoder extends RefType {
TypeUrlDecoder() { this.hasQualifiedName("java.net", "URLDecoder") }

14
java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll
View File

@@ -13,9 +13,17 @@ private class ExploitableStringLiteral extends StringLiteral {
/**
* Holds if `kind` is an external sink kind that is relevant for regex flow.
* `full` is true if sinks with this kind match against the full string of its input.
* `strArg` is the index of the argument to methods with this sink kind that contan the string to be matched against,
* where -1 is the qualifier; or -2 if no such argument exists.
* `full` is true if sinks with this kind match against the full string of its
* input.
* `strArg` is the index of the argument to methods with this sink kind that
* contain the string to be matched against, where -1 is the qualifier; or -2
* if no such argument exists.
*
* Note that `regex-use` is deliberately not a possible value for `kind` here,
* as it is used for regular expression injection sinks that need to be selected
* separately from existing `regex-use[0]` sinks.
* TODO: refactor the `regex-use%` sink kind so that the polynomial ReDoS query
* can also use the `regex-use` sinks.
*/
private predicate regexSinkKindInfo(string kind, boolean full, int strArg) {
sinkModel(_, _, _, _, _, _, _, kind, _, _) and

11
java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
View File

@@ -7,6 +7,9 @@ import semmle.code.java.security.SensitiveActions
import semmle.code.java.frameworks.android.Compose
private import semmle.code.java.security.Sanitizers
/** A data flow source node for sensitive logging sources. */
abstract class SensitiveLoggerSource extends DataFlow::Node { }
/** A variable that may hold sensitive information, judging by its name. */
class VariableWithSensitiveName extends Variable {
VariableWithSensitiveName() {
@@ -26,6 +29,10 @@ class CredentialExpr extends VarAccess {
}
}
private class CredentialExprSource extends SensitiveLoggerSource {
CredentialExprSource() { this.asExpr() instanceof CredentialExpr }
}
/** An instantiation of a (reflexive, transitive) subtype of `java.lang.reflect.Type`. */
private class TypeType extends RefType {
pragma[nomagic]
@@ -42,7 +49,7 @@ private class TypeType extends RefType {
deprecated class SensitiveLoggerConfiguration extends TaintTracking::Configuration {
SensitiveLoggerConfiguration() { this = "SensitiveLoggerConfiguration" }
override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CredentialExpr }
override predicate isSource(DataFlow::Node source) { source instanceof SensitiveLoggerSource }
override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "log-injection") }
@@ -59,7 +66,7 @@ deprecated class SensitiveLoggerConfiguration extends TaintTracking::Configurati
/** A data-flow configuration for identifying potentially-sensitive data flowing to a log output. */
module SensitiveLoggerConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CredentialExpr }
predicate isSource(DataFlow::Node source) { source instanceof SensitiveLoggerSource }
predicate isSink(DataFlow::Node sink) { sinkNode(sink, "log-injection") }

4
java/ql/src/change-notes/2024-07-23-java-sensitivelogging-source.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added the extensible abstract class `SensitiveLoggerSource`. Now this class can be extended to add more sources to the `java/sensitive-log` query or for customizations overrides.

2
java/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/java-queries
version: 1.1.1
version: 1.1.2-dev
groups:
- java
- queries

18
java/ql/test/TestUtilities/PrettyPrintModels.ql Normal file
View File

@@ -0,0 +1,18 @@
/**
* @kind test-postprocess
*/
import codeql.dataflow.test.ProvenancePathGraph
import semmle.code.java.dataflow.ExternalFlow
external predicate queryResults(string relation, int row, int column, string data);
external predicate queryRelations(string relation);
query predicate resultRelations(string relation) { queryRelations(relation) }
module Res = TranslateProvenanceResults<interpretModelForTest/2, queryResults/4>;
from string relation, int row, int column, string data
where Res::results(relation, row, column, data)
select relation, row, column, data

12
java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected
View File

@@ -19,18 +19,18 @@ edges
| SpringUrlRedirect.java:104:39:104:56 | redirectUrl : String | SpringUrlRedirect.java:106:37:106:47 | redirectUrl : String | provenance | |
| SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders | SpringUrlRedirect.java:108:68:108:78 | httpHeaders | provenance | |
| SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | SpringUrlRedirect.java:108:68:108:78 | httpHeaders | provenance | |
| SpringUrlRedirect.java:106:37:106:47 | redirectUrl : String | SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders | provenance | MaD:49240 |
| SpringUrlRedirect.java:106:37:106:47 | redirectUrl : String | SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | provenance | MaD:49481 |
| SpringUrlRedirect.java:106:37:106:47 | redirectUrl : String | SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders | provenance | MaD:49245 |
| SpringUrlRedirect.java:106:37:106:47 | redirectUrl : String | SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | provenance | MaD:49486 |
| SpringUrlRedirect.java:112:39:112:56 | redirectUrl : String | SpringUrlRedirect.java:114:37:114:47 | redirectUrl : String | provenance | |
| SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders | SpringUrlRedirect.java:116:37:116:47 | httpHeaders | provenance | |
| SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | SpringUrlRedirect.java:116:37:116:47 | httpHeaders | provenance | |
| SpringUrlRedirect.java:114:37:114:47 | redirectUrl : String | SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders | provenance | MaD:49240 |
| SpringUrlRedirect.java:114:37:114:47 | redirectUrl : String | SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | provenance | MaD:49481 |
| SpringUrlRedirect.java:114:37:114:47 | redirectUrl : String | SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders | provenance | MaD:49245 |
| SpringUrlRedirect.java:114:37:114:47 | redirectUrl : String | SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | provenance | MaD:49486 |
| SpringUrlRedirect.java:120:33:120:50 | redirectUrl : String | SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | provenance | |
| SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders | SpringUrlRedirect.java:124:49:124:59 | httpHeaders | provenance | |
| SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | SpringUrlRedirect.java:124:49:124:59 | httpHeaders | provenance | |
| SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders | provenance | MaD:49240 |
| SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | provenance | MaD:49481 |
| SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders | provenance | MaD:49245 |
| SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | provenance | MaD:49486 |
| SpringUrlRedirect.java:128:33:128:50 | redirectUrl : String | SpringUrlRedirect.java:130:44:130:54 | redirectUrl : String | provenance | |
| SpringUrlRedirect.java:130:9:130:19 | httpHeaders : HttpHeaders | SpringUrlRedirect.java:132:49:132:59 | httpHeaders | provenance | |
| SpringUrlRedirect.java:130:33:130:55 | create(...) : URI | SpringUrlRedirect.java:130:9:130:19 | httpHeaders : HttpHeaders | provenance | Config |

7
java/ql/test/library-tests/dataflow/taintsources/A.java
View File

@@ -43,7 +43,12 @@ public class A {
};
sink(new URL("test").openConnection().getInputStream()); // $hasRemoteValueFlow
sink(new Socket("test", 1234).getInputStream()); // $hasRemoteValueFlow
sink(InetAddress.getByName("test").getHostName()); // $hasRemoteValueFlow
sink(InetAddress.getByName("test").getHostName()); // $hasReverseDnsValueFlow
sink(InetAddress.getLocalHost().getHostName());
sink(InetAddress.getLoopbackAddress().getHostName());
sink(InetAddress.getByName("test").getCanonicalHostName()); // $hasReverseDnsValueFlow
sink(InetAddress.getLocalHost().getCanonicalHostName());
sink(InetAddress.getLoopbackAddress().getCanonicalHostName());
sink(System.in); // $hasLocalValueFlow
sink(new FileInputStream("test")); // $hasLocalValueFlow

8
java/ql/test/library-tests/dataflow/taintsources/local.ql
View File

@@ -2,16 +2,12 @@ import java
import semmle.code.java.dataflow.FlowSources
import TestUtilities.InlineExpectationsTest
class LocalSource extends DataFlow::Node instanceof UserInput {
LocalSource() { not this instanceof RemoteFlowSource }
}
predicate isTestSink(DataFlow::Node n) {
exists(MethodCall ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
}
module LocalValueConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node n) { n instanceof LocalSource }
predicate isSource(DataFlow::Node n) { n instanceof LocalUserInput }
predicate isSink(DataFlow::Node n) { isTestSink(n) }
}
@@ -19,7 +15,7 @@ module LocalValueConfig implements DataFlow::ConfigSig {
module LocalValueFlow = DataFlow::Global<LocalValueConfig>;
module LocalTaintConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node n) { n instanceof LocalSource }
predicate isSource(DataFlow::Node n) { n instanceof LocalUserInput }
predicate isSink(DataFlow::Node n) { isTestSink(n) }
}

2
java/ql/test/library-tests/dataflow/taintsources/reversedns.expected Normal file
View File

@@ -0,0 +1,2 @@
failures
testFailures

47
java/ql/test/library-tests/dataflow/taintsources/reversedns.ql Normal file
View File

@@ -0,0 +1,47 @@
import java
import semmle.code.java.dataflow.FlowSources
import TestUtilities.InlineExpectationsTest
predicate isTestSink(DataFlow::Node n) {
exists(MethodCall ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
}
module ReverseDnsValueConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node n) { n instanceof ReverseDnsUserInput }
predicate isSink(DataFlow::Node n) { isTestSink(n) }
}
module ReverseDnsValueFlow = DataFlow::Global<ReverseDnsValueConfig>;
module ReverseDnsTaintConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node n) { n instanceof ReverseDnsUserInput }
predicate isSink(DataFlow::Node n) { isTestSink(n) }
}
module ReverseDnsTaintFlow = TaintTracking::Global<ReverseDnsTaintConfig>;
module ReverseDnsFlowTest implements TestSig {
string getARelevantTag() { result = ["hasReverseDnsValueFlow", "hasReverseDnsTaintFlow"] }
predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasReverseDnsValueFlow" and
exists(DataFlow::Node sink | ReverseDnsValueFlow::flowTo(sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
or
tag = "hasReverseDnsTaintFlow" and
exists(DataFlow::Node src, DataFlow::Node sink |
ReverseDnsTaintFlow::flow(src, sink) and not ReverseDnsValueFlow::flow(src, sink)
|
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}
import MakeTest<ReverseDnsFlowTest>

16
java/ql/test/library-tests/frameworks/jdk/java.net/Test.java
View File

@@ -90,6 +90,14 @@ public class Test {
out = in.toURL();
sink(out); // $ hasTaintFlow
}
{
// manual test for `URI.toURL().getPath()`; checks that if a `URL` is tainted, then so are its synthetic fields
// java.net;URL;False;getPath;();;Argument[this].SyntheticField[java.net.URL.path];ReturnValue;taint;ai-manual
URL out = null;
URI in = (URI) source();
out = in.toURL();
sink(out.getPath()); // $ hasTaintFlow
}
{
// "java.net;URL;false;URL;(String);;Argument[0];Argument[this];taint;manual"
URL out = null;
@@ -97,6 +105,14 @@ public class Test {
out = new URL(in);
sink(out); // $ hasTaintFlow
}
{
// manual test for `URL(String).getPath()`; checks that if a `URL` is tainted, then so are its synthetic fields
// java.net;URL;False;getPath;();;Argument[this].SyntheticField[java.net.URL.path];ReturnValue;taint;ai-manual
URL out = null;
String in = (String) source();
out = new URL(in);
sink(out.getPath()); // $ hasTaintFlow
}
{
// "java.net;URL;false;URL;(URL,String);;Argument[0];Argument[this];taint;ai-generated"
URL out = null;

27
java/ql/test/library-tests/frameworks/lastaflute/Test.java Normal file
View File

@@ -0,0 +1,27 @@
import java.io.IOException;
import org.lastaflute.web.Execute;
import org.lastaflute.web.ruts.multipart.MultipartFormFile;
public class Test {
void sink(Object o) {
}
public class TestForm {
public MultipartFormFile file;
}
@Execute
public String index(TestForm form) throws IOException {
MultipartFormFile file = form.file;
sink(file.getFileData()); // $hasTaintFlow
sink(file.getInputStream()); // $hasTaintFlow
return "index.jsp";
}
}

1
java/ql/test/library-tests/frameworks/lastaflute/options Normal file
View File

@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/lastaflute

0
java/ql/test/library-tests/frameworks/lastaflute/test.expected Normal file
View File

11
java/ql/test/library-tests/frameworks/lastaflute/test.ql Normal file
View File

@@ -0,0 +1,11 @@
import java
import semmle.code.java.dataflow.FlowSources
import TestUtilities.InlineFlowTest
module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
predicate isSink(DataFlow::Node n) { DefaultFlowConfig::isSink(n) }
}
import TaintFlowTest<Config>

12
java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
View File

@@ -5,12 +5,14 @@ import java.io.FileReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.URL;
import java.nio.charset.Charset;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.servlet.http.HttpServletRequest;
import javax.xml.transform.stream.StreamResult;
import org.apache.commons.io.FileUtils;
import org.apache.tools.ant.AntClassLoader;
import org.apache.tools.ant.DirectoryScanner;
@@ -24,10 +26,10 @@ import org.springframework.util.FileCopyUtils;
public class Test {
private InetAddress address;
private HttpServletRequest request;
public Object source() {
return address.getHostName();
return request.getParameter("source");
}
void test() throws IOException {
@@ -166,8 +168,8 @@ public class Test {
new LargeText((File) source(), null, false, false); // $ hasTaintFlow
}
void doGet6(String root, InetAddress address) throws IOException {
String temp = address.getHostName();
void doGet6(String root, HttpServletRequest request) throws IOException {
String temp = request.getParameter("source");
// GOOD: Use `contains` and `startsWith` to check if the path is safe
if (!temp.contains("..") && temp.startsWith(root + "/")) {
File file = new File(temp);

28
java/ql/test/query-tests/security/CWE-078/ExecTainted.expected
View File

@@ -1,23 +1,33 @@
#select
| Test.java:7:44:7:69 | ... + ... | Test.java:57:27:57:39 | args : String[] | Test.java:7:25:7:70 | new ..[] { .. } | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value |
| Test.java:10:29:10:74 | new String[] | Test.java:57:27:57:39 | args : String[] | Test.java:10:29:10:74 | new String[] | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value |
| Test.java:18:29:18:31 | cmd | Test.java:57:27:57:39 | args : String[] | Test.java:18:29:18:31 | cmd | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value |
| Test.java:24:29:24:32 | cmd1 | Test.java:57:27:57:39 | args : String[] | Test.java:24:29:24:32 | cmd1 | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value |
| Test.java:29:44:29:64 | ... + ... | Test.java:57:27:57:39 | args : String[] | Test.java:29:25:29:65 | new ..[] { .. } | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value |
edges
| Test.java:6:35:6:44 | arg : String | Test.java:7:44:7:69 | ... + ... : String | provenance | |
| Test.java:6:35:6:44 | arg : String | Test.java:10:61:10:73 | ... + ... : String | provenance | |
| Test.java:6:35:6:44 | arg : String | Test.java:16:13:16:25 | ... + ... : String | provenance | |
| Test.java:6:35:6:44 | arg : String | Test.java:22:15:22:27 | ... + ... : String | provenance | |
| Test.java:7:25:7:70 | new ..[] { .. } : String[] [[]] : String | Test.java:7:25:7:70 | new ..[] { .. } | provenance | Sink:MaD:42682 |
| Test.java:7:25:7:70 | new ..[] { .. } : String[] [[]] : String | Test.java:7:25:7:70 | new ..[] { .. } | provenance | Sink:MaD:2 |
| Test.java:7:44:7:69 | ... + ... : String | Test.java:7:25:7:70 | new ..[] { .. } : String[] [[]] : String | provenance | |
| Test.java:10:29:10:74 | {...} : String[] [[]] : String | Test.java:10:29:10:74 | new String[] | provenance | Sink:MaD:42682 |
| Test.java:10:29:10:74 | {...} : String[] [[]] : String | Test.java:10:29:10:74 | new String[] | provenance | Sink:MaD:2 |
| Test.java:10:61:10:73 | ... + ... : String | Test.java:10:29:10:74 | {...} : String[] [[]] : String | provenance | |
| Test.java:16:5:16:7 | cmd [post update] : ArrayList [<element>] : String | Test.java:18:29:18:31 | cmd | provenance | Sink:MaD:42681 |
| Test.java:16:13:16:25 | ... + ... : String | Test.java:16:5:16:7 | cmd [post update] : ArrayList [<element>] : String | provenance | MaD:43744 |
| Test.java:22:5:22:8 | cmd1 [post update] : String[] [[]] : String | Test.java:24:29:24:32 | cmd1 | provenance | Sink:MaD:42682 |
| Test.java:16:5:16:7 | cmd [post update] : ArrayList [<element>] : String | Test.java:18:29:18:31 | cmd | provenance | Sink:MaD:1 |
| Test.java:16:13:16:25 | ... + ... : String | Test.java:16:5:16:7 | cmd [post update] : ArrayList [<element>] : String | provenance | MaD:3 |
| Test.java:22:5:22:8 | cmd1 [post update] : String[] [[]] : String | Test.java:24:29:24:32 | cmd1 | provenance | Sink:MaD:2 |
| Test.java:22:15:22:27 | ... + ... : String | Test.java:22:5:22:8 | cmd1 [post update] : String[] [[]] : String | provenance | |
| Test.java:28:38:28:47 | arg : String | Test.java:29:44:29:64 | ... + ... : String | provenance | |
| Test.java:29:25:29:65 | new ..[] { .. } : String[] [[]] : String | Test.java:29:25:29:65 | new ..[] { .. } | provenance | Sink:MaD:42682 |
| Test.java:29:25:29:65 | new ..[] { .. } : String[] [[]] : String | Test.java:29:25:29:65 | new ..[] { .. } | provenance | Sink:MaD:2 |
| Test.java:29:44:29:64 | ... + ... : String | Test.java:29:25:29:65 | new ..[] { .. } : String[] [[]] : String | provenance | |
| Test.java:57:27:57:39 | args : String[] | Test.java:60:20:60:22 | arg : String | provenance | |
| Test.java:57:27:57:39 | args : String[] | Test.java:61:23:61:25 | arg : String | provenance | |
| Test.java:60:20:60:22 | arg : String | Test.java:6:35:6:44 | arg : String | provenance | |
| Test.java:61:23:61:25 | arg : String | Test.java:28:38:28:47 | arg : String | provenance | |
models
| 1 | Sink: java.lang; ProcessBuilder; false; ProcessBuilder; (List); ; Argument[0]; command-injection; ai-manual |
| 2 | Sink: java.lang; ProcessBuilder; false; ProcessBuilder; (String[]); ; Argument[0]; command-injection; ai-manual |
| 3 | Summary: java.util; Collection; true; add; ; ; Argument[0]; Argument[this].Element; value; manual |
nodes
| Test.java:6:35:6:44 | arg : String | semmle.label | arg : String |
| Test.java:7:25:7:70 | new ..[] { .. } | semmle.label | new ..[] { .. } |
@@ -40,9 +50,3 @@ nodes
| Test.java:60:20:60:22 | arg : String | semmle.label | arg : String |
| Test.java:61:23:61:25 | arg : String | semmle.label | arg : String |
subpaths
#select
| Test.java:7:44:7:69 | ... + ... | Test.java:57:27:57:39 | args : String[] | Test.java:7:25:7:70 | new ..[] { .. } | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value |
| Test.java:10:29:10:74 | new String[] | Test.java:57:27:57:39 | args : String[] | Test.java:10:29:10:74 | new String[] | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value |
| Test.java:18:29:18:31 | cmd | Test.java:57:27:57:39 | args : String[] | Test.java:18:29:18:31 | cmd | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value |
| Test.java:24:29:24:32 | cmd1 | Test.java:57:27:57:39 | args : String[] | Test.java:24:29:24:32 | cmd1 | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value |
| Test.java:29:44:29:64 | ... + ... | Test.java:57:27:57:39 | args : String[] | Test.java:29:25:29:65 | new ..[] { .. } | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value |

3
java/ql/test/query-tests/security/CWE-078/ExecTainted.qlref
View File

@@ -1 +1,2 @@
Security/CWE/CWE-078/ExecTainted.ql
query: Security/CWE/CWE-078/ExecTainted.ql
postprocess: TestUtilities/PrettyPrintModels.ql

36
java/ql/test/query-tests/security/CWE-090/LdapInjection.expected
View File

@@ -90,50 +90,50 @@ edges
| LdapInjection.java:196:32:196:78 | uBadSearchRequestSetFilter : String | LdapInjection.java:199:17:199:42 | uBadSearchRequestSetFilter : String | provenance | |
| LdapInjection.java:199:5:199:5 | s : SearchRequest | LdapInjection.java:200:14:200:14 | s | provenance | Sink:MaD:1933 |
| LdapInjection.java:199:17:199:42 | uBadSearchRequestSetFilter : String | LdapInjection.java:199:5:199:5 | s : SearchRequest | provenance | Config |
| LdapInjection.java:229:30:229:54 | sBad : String | LdapInjection.java:230:36:230:55 | ... + ... | provenance | Sink:MaD:49370 |
| LdapInjection.java:229:57:229:83 | sBadDN : String | LdapInjection.java:230:14:230:33 | ... + ... | provenance | Sink:MaD:49370 |
| LdapInjection.java:234:30:234:54 | sBad : String | LdapInjection.java:235:88:235:107 | ... + ... | provenance | Sink:MaD:49360 |
| LdapInjection.java:229:30:229:54 | sBad : String | LdapInjection.java:230:36:230:55 | ... + ... | provenance | Sink:MaD:49375 |
| LdapInjection.java:229:57:229:83 | sBadDN : String | LdapInjection.java:230:14:230:33 | ... + ... | provenance | Sink:MaD:49375 |
| LdapInjection.java:234:30:234:54 | sBad : String | LdapInjection.java:235:88:235:107 | ... + ... | provenance | Sink:MaD:49365 |
| LdapInjection.java:234:57:234:92 | sBadDNLNBuilder : String | LdapInjection.java:235:48:235:76 | ... + ... : String | provenance | |
| LdapInjection.java:235:20:235:77 | newInstance(...) : LdapNameBuilder | LdapInjection.java:235:20:235:85 | build(...) | provenance | Config Sink:MaD:49360 |
| LdapInjection.java:235:20:235:77 | newInstance(...) : LdapNameBuilder | LdapInjection.java:235:20:235:85 | build(...) | provenance | Config Sink:MaD:49365 |
| LdapInjection.java:235:48:235:76 | ... + ... : String | LdapInjection.java:235:20:235:77 | newInstance(...) : LdapNameBuilder | provenance | Config |
| LdapInjection.java:239:30:239:54 | sBad : String | LdapInjection.java:240:100:240:119 | ... + ... | provenance | Sink:MaD:49372 |
| LdapInjection.java:239:30:239:54 | sBad : String | LdapInjection.java:240:100:240:119 | ... + ... | provenance | Sink:MaD:49377 |
| LdapInjection.java:239:57:239:95 | sBadDNLNBuilderAdd : String | LdapInjection.java:240:57:240:88 | ... + ... : String | provenance | |
| LdapInjection.java:240:23:240:89 | add(...) : LdapNameBuilder | LdapInjection.java:240:23:240:97 | build(...) | provenance | Config Sink:MaD:49357 |
| LdapInjection.java:240:23:240:89 | add(...) : LdapNameBuilder | LdapInjection.java:240:23:240:97 | build(...) | provenance | Config Sink:MaD:49372 |
| LdapInjection.java:240:23:240:89 | add(...) : LdapNameBuilder | LdapInjection.java:240:23:240:97 | build(...) | provenance | Config Sink:MaD:49362 |
| LdapInjection.java:240:23:240:89 | add(...) : LdapNameBuilder | LdapInjection.java:240:23:240:97 | build(...) | provenance | Config Sink:MaD:49377 |
| LdapInjection.java:240:57:240:88 | ... + ... : String | LdapInjection.java:240:23:240:89 | add(...) : LdapNameBuilder | provenance | Config |
| LdapInjection.java:244:30:244:63 | sBadLdapQuery : String | LdapInjection.java:245:47:245:75 | ... + ... : String | provenance | |
| LdapInjection.java:245:47:245:75 | ... + ... : String | LdapInjection.java:245:15:245:76 | filter(...) | provenance | Config Sink:MaD:49369 |
| LdapInjection.java:245:47:245:75 | ... + ... : String | LdapInjection.java:245:15:245:76 | filter(...) | provenance | Config Sink:MaD:49374 |
| LdapInjection.java:249:30:249:60 | sBadFilter : String | LdapInjection.java:250:86:250:111 | ... + ... : String | provenance | |
| LdapInjection.java:249:63:249:98 | sBadDNLdapUtils : String | LdapInjection.java:250:34:250:62 | ... + ... : String | provenance | |
| LdapInjection.java:250:34:250:62 | ... + ... : String | LdapInjection.java:250:12:250:63 | newLdapName(...) | provenance | Config Sink:MaD:49368 |
| LdapInjection.java:250:86:250:111 | ... + ... : String | LdapInjection.java:250:66:250:112 | new HardcodedFilter(...) | provenance | Config Sink:MaD:49368 |
| LdapInjection.java:250:34:250:62 | ... + ... : String | LdapInjection.java:250:12:250:63 | newLdapName(...) | provenance | Config Sink:MaD:49373 |
| LdapInjection.java:250:86:250:111 | ... + ... : String | LdapInjection.java:250:66:250:112 | new HardcodedFilter(...) | provenance | Config Sink:MaD:49373 |
| LdapInjection.java:254:30:254:63 | sBadLdapQuery : String | LdapInjection.java:255:56:255:84 | ... + ... : String | provenance | |
| LdapInjection.java:255:56:255:84 | ... + ... : String | LdapInjection.java:255:24:255:85 | filter(...) | provenance | Config Sink:MaD:49371 |
| LdapInjection.java:255:56:255:84 | ... + ... : String | LdapInjection.java:255:24:255:85 | filter(...) | provenance | Config Sink:MaD:49376 |
| LdapInjection.java:259:30:259:64 | sBadLdapQuery2 : String | LdapInjection.java:260:51:260:80 | ... + ... : String | provenance | |
| LdapInjection.java:260:19:260:81 | filter(...) : LdapQuery | LdapInjection.java:261:24:261:24 | q | provenance | Sink:MaD:49371 |
| LdapInjection.java:260:19:260:81 | filter(...) : LdapQuery | LdapInjection.java:261:24:261:24 | q | provenance | Sink:MaD:49376 |
| LdapInjection.java:260:51:260:80 | ... + ... : String | LdapInjection.java:260:19:260:81 | filter(...) : LdapQuery | provenance | Config |
| LdapInjection.java:265:30:265:73 | sBadLdapQueryWithFilter : String | LdapInjection.java:266:76:266:114 | ... + ... : String | provenance | |
| LdapInjection.java:266:56:266:115 | new HardcodedFilter(...) : HardcodedFilter | LdapInjection.java:266:24:266:116 | filter(...) | provenance | Config Sink:MaD:49371 |
| LdapInjection.java:266:56:266:115 | new HardcodedFilter(...) : HardcodedFilter | LdapInjection.java:266:24:266:116 | filter(...) | provenance | Config Sink:MaD:49376 |
| LdapInjection.java:266:76:266:114 | ... + ... : String | LdapInjection.java:266:56:266:115 | new HardcodedFilter(...) : HardcodedFilter | provenance | Config |
| LdapInjection.java:270:30:270:74 | sBadLdapQueryWithFilter2 : String | LdapInjection.java:271:68:271:107 | ... + ... : String | provenance | |
| LdapInjection.java:271:48:271:108 | new HardcodedFilter(...) : HardcodedFilter | LdapInjection.java:272:56:272:56 | f : HardcodedFilter | provenance | |
| LdapInjection.java:271:68:271:107 | ... + ... : String | LdapInjection.java:271:48:271:108 | new HardcodedFilter(...) : HardcodedFilter | provenance | Config |
| LdapInjection.java:272:56:272:56 | f : HardcodedFilter | LdapInjection.java:272:24:272:57 | filter(...) | provenance | Config Sink:MaD:49371 |
| LdapInjection.java:272:56:272:56 | f : HardcodedFilter | LdapInjection.java:272:24:272:57 | filter(...) | provenance | Config Sink:MaD:49376 |
| LdapInjection.java:276:31:276:68 | sBadLdapQueryBase : String | LdapInjection.java:277:42:277:58 | sBadLdapQueryBase : String | provenance | |
| LdapInjection.java:277:12:277:59 | base(...) : LdapQueryBuilder | LdapInjection.java:277:12:277:66 | base(...) | provenance | Config Sink:MaD:49368 |
| LdapInjection.java:277:12:277:59 | base(...) : LdapQueryBuilder | LdapInjection.java:277:12:277:66 | base(...) | provenance | Config Sink:MaD:49373 |
| LdapInjection.java:277:42:277:58 | sBadLdapQueryBase : String | LdapInjection.java:277:12:277:59 | base(...) : LdapQueryBuilder | provenance | Config |
| LdapInjection.java:281:31:281:71 | sBadLdapQueryComplex : String | LdapInjection.java:282:54:282:73 | sBadLdapQueryComplex : String | provenance | |
| LdapInjection.java:282:24:282:74 | base(...) : LdapQueryBuilder | LdapInjection.java:282:24:282:87 | where(...) : ConditionCriteria | provenance | Config |
| LdapInjection.java:282:24:282:87 | where(...) : ConditionCriteria | LdapInjection.java:282:24:282:98 | is(...) | provenance | Config Sink:MaD:49371 |
| LdapInjection.java:282:24:282:87 | where(...) : ConditionCriteria | LdapInjection.java:282:24:282:98 | is(...) | provenance | Config Sink:MaD:49376 |
| LdapInjection.java:282:54:282:73 | sBadLdapQueryComplex : String | LdapInjection.java:282:24:282:74 | base(...) : LdapQueryBuilder | provenance | Config |
| LdapInjection.java:286:31:286:69 | sBadFilterToString : String | LdapInjection.java:287:38:287:71 | ... + ... : String | provenance | |
| LdapInjection.java:287:18:287:72 | new HardcodedFilter(...) : HardcodedFilter | LdapInjection.java:287:18:287:83 | toString(...) | provenance | Config Sink:MaD:49370 |
| LdapInjection.java:287:18:287:72 | new HardcodedFilter(...) : HardcodedFilter | LdapInjection.java:287:18:287:83 | toString(...) | provenance | Config Sink:MaD:49375 |
| LdapInjection.java:287:38:287:71 | ... + ... : String | LdapInjection.java:287:18:287:72 | new HardcodedFilter(...) : HardcodedFilter | provenance | Config |
| LdapInjection.java:291:31:291:67 | sBadFilterEncode : String | LdapInjection.java:293:25:293:56 | ... + ... : String | provenance | |
| LdapInjection.java:293:5:293:57 | new HardcodedFilter(...) : HardcodedFilter | LdapInjection.java:293:66:293:66 | s : StringBuffer | provenance | Config |
| LdapInjection.java:293:25:293:56 | ... + ... : String | LdapInjection.java:293:5:293:57 | new HardcodedFilter(...) : HardcodedFilter | provenance | Config |
| LdapInjection.java:293:66:293:66 | s : StringBuffer | LdapInjection.java:294:18:294:18 | s : StringBuffer | provenance | |
| LdapInjection.java:294:18:294:18 | s : StringBuffer | LdapInjection.java:294:18:294:29 | toString(...) | provenance | MaD:42727 Sink:MaD:49370 |
| LdapInjection.java:294:18:294:18 | s : StringBuffer | LdapInjection.java:294:18:294:29 | toString(...) | provenance | MaD:42727 Sink:MaD:49375 |
| LdapInjection.java:314:30:314:54 | aBad : String | LdapInjection.java:316:36:316:55 | ... + ... | provenance | Sink:MaD:47462 |
| LdapInjection.java:314:57:314:83 | aBadDN : String | LdapInjection.java:316:14:316:33 | ... + ... | provenance | Sink:MaD:47462 |
| LdapInjection.java:320:30:320:54 | aBad : String | LdapInjection.java:322:65:322:84 | ... + ... | provenance | Sink:MaD:47462 |

14
java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrls.ql
View File

@@ -1,14 +0,0 @@
/**
* @kind path-problem
*/
import java
import semmle.code.java.security.HttpsUrlsQuery
import codeql.dataflow.test.ProvenancePathGraph
import semmle.code.java.dataflow.ExternalFlow
import ShowProvenance<interpretModelForTest/2, HttpStringToUrlOpenMethodFlow::PathNode, HttpStringToUrlOpenMethodFlow::PathGraph>
from HttpStringToUrlOpenMethodFlow::PathNode source, HttpStringToUrlOpenMethodFlow::PathNode sink
where HttpStringToUrlOpenMethodFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "URL may have been constructed with HTTP protocol, using $@.",
source.getNode(), "this HTTP URL"

2
java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrls.qlref Normal file
View File

@@ -0,0 +1,2 @@
query: Security/CWE/CWE-319/HttpsUrls.ql
postprocess: TestUtilities/PrettyPrintModels.ql

5
java/ql/test/stubs/lastaflute/org/lastaflute/web/Execute.java generated Normal file
View File

@@ -0,0 +1,5 @@
package org.lastaflute.web;
public @interface Execute {
}

14
java/ql/test/stubs/lastaflute/org/lastaflute/web/ruts/multipart/MultipartFormFile.java generated Normal file
View File

@@ -0,0 +1,14 @@
package org.lastaflute.web.ruts.multipart;
import java.io.InputStream;
import java.io.IOException;
public interface MultipartFormFile {
byte[] getFileData() throws IOException;
InputStream getInputStream() throws IOException;
String getFileName();
String getContentType();
}