hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 09:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2685 from esbena/java/sharpen-maven-non-ssl

Browse Source 
java: sharpen java/maven/non-https-url to allow localhost URLs
This commit is contained in:
Anders Schack-Mulligen
2020-01-24 13:19:26 +01:00
committed by GitHub
parent ee0648bb57 8deefd60a7
commit 98d527c44c
4 changed files with 27 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
View File

@@ -25,8 +25,7 @@ private class DeclaredRepository extends PomElement {
string getUrl() { result = getAChild("url").(PomElement).getValue() }
predicate isInsecureRepositoryUsage() {
getUrl().matches("http://%") or
getUrl().matches("ftp://%")
getUrl().regexpMatch("(?i)^(http|ftp)://(?!localhost[:/]).*")
}
}

5
java/ql/test/query-tests/security/CWE-829/semmle/tests/InsecureDependencyResolution.expected
View File

@@ -1,4 +1,5 @@
| insecure-pom.xml:19:9:24:22 | repository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://insecure-repository.example |
| insecure-pom.xml:25:9:30:30 | snapshotRepository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://insecure-repository.example |
| insecure-pom.xml:33:9:38:22 | repository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://insecure-repository.example |
| insecure-pom.xml:41:9:46:28 | pluginRepository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://insecure-repository.example |
| insecure-pom.xml:31:9:36:30 | snapshotRepository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://localhost.example |
| insecure-pom.xml:39:9:44:22 | repository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://insecure-repository.example |
| insecure-pom.xml:47:9:52:28 | pluginRepository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://insecure-repository.example |

6
java/ql/test/query-tests/security/CWE-829/semmle/tests/insecure-pom.xml
View File

@@ -28,6 +28,12 @@
<!-- BAD! Use HTTPS -->
<url>http://insecure-repository.example</url>
</snapshotRepository>
<snapshotRepository>
<id>insecure-snapshots</id>
<name>Insecure Repository Snapshots</name>
<!-- BAD! Use HTTPS -->
<url>http://localhost.example</url>
</snapshotRepository>
</distributionManagement>
<repositories>
<repository>

17
java/ql/test/query-tests/security/CWE-829/semmle/tests/secure-pom.xml
View File

@@ -28,6 +28,18 @@
<!-- GOOD! Use HTTPS -->
<url>https://insecure-repository.example</url>
</snapshotRepository>
<snapshotRepository>
<id>insecure-snapshots</id>
<name>Secure Repository Snapshots</name>
<!-- GOOD! Use HTTP, but for localhost -->
<url>http://localhost/snaphots</url>
</snapshotRepository>
<snapshotRepository>
<id>insecure-snapshots</id>
<name>Secure Repository Snapshots</name>
<!-- GOOD! Use HTTP, but for localhost -->
<url>http://localhost:82</url>
</snapshotRepository>
</distributionManagement>
<repositories>
<repository>
@@ -36,6 +48,11 @@
<!-- GOOD! Use HTTPS -->
<url>https://insecure-repository.example</url>
</repository>
<repository>
<id>test</id>
<!-- GOOD! Use HTTP, but for localhost -->
<url>http://localhost:${deploy.webserver.port}/repo</url>
</repository>
</repositories>
<pluginRepositories>
<pluginRepository>