hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into redsun82/codegen-new-parent-child

Browse Source
This commit is contained in:
Paolo Tranquilli
2025-06-26 09:30:41 +02:00
committed by GitHub
parent 1dcd60527c 4d2c67857f
commit 9a8ef3acf7
419 changed files with 29098 additions and 5367 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
Cargo.lock generated
View File

@@ -419,6 +419,7 @@ dependencies = [
"lazy_static",
"rayon",
"regex",
"serde_json",
"tracing",
"tracing-subscriber",
"tree-sitter",

6
config/add-overlay-annotations.py
View File

@@ -17,16 +17,16 @@
#!/usr/bin/python3
import sys
import os
import re
from difflib import context_diff
OVERLAY_PATTERN = re.compile(r'overlay\[[a-zA-Z?_-]+\]')
def has_overlay_annotations(lines):
'''
Check whether the given lines contain any overlay[...] annotations.
'''
overlays = ["local", "local?", "global", "caller", "caller?"]
annotations = [f"overlay[{t}]" for t in overlays]
return any(ann in line for ann in annotations for line in lines)
return any(OVERLAY_PATTERN.search(line) for line in lines)
def is_line_comment(line):

3
config/dbscheme-fragments.json
View File

@@ -11,6 +11,7 @@
"/*- Diagnostic messages -*/",
"/*- Diagnostic messages: severity -*/",
"/*- Source location prefix -*/",
"/*- Database metadata -*/",
"/*- Lines of code -*/",
"/*- Configuration files with key value pairs -*/",
"/*- YAML -*/",
@@ -31,4 +32,4 @@
"/*- Python dbscheme -*/",
"/*- Empty location -*/"
]
}
}

6
config/opcode-qldoc.py
View File

@@ -8,9 +8,9 @@ needs_an_re = re.compile(r'^(?!Unary)[AEIOU]') # Name requiring "an" instead of
start_qldoc_re = re.compile(r'^\s*/\*\*') # Start of a QLDoc comment
end_qldoc_re = re.compile(r'\*/\s*$') # End of a QLDoc comment
blank_qldoc_line_re = re.compile(r'^\s*\*\s*$') # A line in a QLDoc comment with only the '*'
instruction_class_re = re.compile(r'^class (?P<name>[A-aa-z0-9]+)Instruction\s') # Declaration of an `Instruction` class
opcode_base_class_re = re.compile(r'^abstract class (?P<name>[A-aa-z0-9]+)Opcode\s') # Declaration of an `Opcode` base class
opcode_class_re = re.compile(r'^ class (?P<name>[A-aa-z0-9]+)\s') # Declaration of an `Opcode` class
instruction_class_re = re.compile(r'^class (?P<name>[A-Za-z0-9]+)Instruction\s') # Declaration of an `Instruction` class
opcode_base_class_re = re.compile(r'^abstract class (?P<name>[A-Za-z0-9]+)Opcode\s') # Declaration of an `Opcode` base class
opcode_class_re = re.compile(r'^ class (?P<name>[A-Za-z0-9]+)\s') # Declaration of an `Opcode` class
script_dir = path.realpath(path.dirname(__file__))
instruction_path = path.realpath(path.join(script_dir, '../cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll'))

14
cpp/downgrades/7bc12b02a4363149f0727a4bce07952dbb9d98aa/builtintypes.ql Normal file
View File

@@ -0,0 +1,14 @@
class BuiltinType extends @builtintype {
string toString() { none() }
}
from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
where
builtintypes(type, name, kind, size, sign, alignment) and
if
type instanceof @complex_fp16 or
type instanceof @complex_std_bfloat16 or
type instanceof @complex_std_float16
then kind_new = 2
else kind_new = kind
select type, name, kind_new, size, sign, alignment

2509
cpp/downgrades/7bc12b02a4363149f0727a4bce07952dbb9d98aa/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2506
cpp/downgrades/7bc12b02a4363149f0727a4bce07952dbb9d98aa/semmlecode.cpp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

3
cpp/downgrades/7bc12b02a4363149f0727a4bce07952dbb9d98aa/upgrade.properties Normal file
View File

@@ -0,0 +1,3 @@
description: Introduce new complex 16-bit floating-point types
compatibility: backwards
builtintypes.rel: run builtintypes.qlo

4
cpp/ql/lib/change-notes/2025-06-24-float16.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added support for `__fp16 _Complex` and `__bf16 _Complex` types

9
cpp/ql/lib/semmle/code/cpp/Type.qll
View File

@@ -858,6 +858,15 @@ private predicate floatingPointTypeMapping(
or
// __mfp8
kind = 62 and base = 2 and domain = TRealDomain() and realKind = 62 and extended = false
or
// _Complex __fp16
kind = 64 and base = 2 and domain = TComplexDomain() and realKind = 54 and extended = false
or
// _Complex __bf16
kind = 65 and base = 2 and domain = TComplexDomain() and realKind = 55 and extended = false
or
// _Complex std::float16_t
kind = 66 and base = 2 and domain = TComplexDomain() and realKind = 56 and extended = false
}
/**

3
cpp/ql/lib/semmlecode.cpp.dbscheme
View File

@@ -693,6 +693,9 @@ case @builtintype.kind of
| 61 = @complex_std_float128 // _Complex _Float128
| 62 = @mfp8 // __mfp8
| 63 = @scalable_vector_count // __SVCount_t
| 64 = @complex_fp16 // _Complex __fp16
| 65 = @complex_std_bfloat16 // _Complex __bf16
| 66 = @complex_std_float16 // _Complex std::float16_t
;
builtintypes(

12
cpp/ql/lib/semmlecode.cpp.dbscheme.stats
View File

@@ -336,6 +336,18 @@
<k>@scalable_vector_count</k>
<v>124</v>
</e>
<e>
<k>@complex_fp16</k>
<v>124</v>
</e>
<e>
<k>@complex_std_bfloat16</k>
<v>124</v>
</e>
<e>
<k>@complex_std_float16</k>
<v>124</v>
</e>
<e>
<k>@pointer</k>
<v>455609</v>

2506
cpp/ql/lib/upgrades/e38346051783182ea75822e4adf8d4c6a949bc37/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2509
cpp/ql/lib/upgrades/e38346051783182ea75822e4adf8d4c6a949bc37/semmlecode.cpp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2
cpp/ql/lib/upgrades/e38346051783182ea75822e4adf8d4c6a949bc37/upgrade.properties Normal file
View File

@@ -0,0 +1,2 @@
description: Support more complex 16-bit floating-point types
compatibility: full

2
cpp/ql/test/library-tests/templates/instantiation_directive/functions.expected
View File

@@ -1,3 +1,5 @@
| file://:0:0:0:0 | operator= | file://:0:0:0:0 | __va_list_tag && |
| file://:0:0:0:0 | operator= | file://:0:0:0:0 | const __va_list_tag & |
| test.cpp:2:6:2:6 | foo | file://:0:0:0:0 | float |
| test.cpp:2:6:2:6 | foo | file://:0:0:0:0 | int |
| test.cpp:2:6:2:8 | foo | test.cpp:1:19:1:19 | T |

1
cpp/ql/test/library-tests/templates/isfromtemplateinstantiation/instantiations.expected
View File

@@ -10,3 +10,4 @@
| isfromtemplateinstantiation.cpp:134:29:134:33 | Outer<int> | ClassTemplateInstantiation | file://:0:0:0:0 | int |
| isfromtemplateinstantiation.cpp:135:31:135:35 | Inner<long> | ClassTemplateInstantiation | file://:0:0:0:0 | long |
| load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> | ClassTemplateInstantiation | load.cpp:3:7:3:24 | std_istream_mockup |
| load.cpp:22:10:22:10 | load | FunctionTemplateInstantiation | file://:0:0:0:0 | short |

96
cpp/ql/test/library-tests/templates/isfromtemplateinstantiation/isfromtemplateinstantiation.expected
View File

@@ -104,6 +104,15 @@
| isfromtemplateinstantiation.cpp:99:1:99:1 | return ... | isfromtemplateinstantiation.cpp:77:26:77:45 | AnotherTemplateClass<int> |
| isfromtemplateinstantiation.cpp:99:1:99:1 | return ... | isfromtemplateinstantiation.cpp:97:52:97:52 | AnotherTemplateClass<int>::myMethod2(MyClassEnum) |
| isfromtemplateinstantiation.cpp:110:3:110:3 | definition of var_template | isfromtemplateinstantiation.cpp:110:3:110:3 | var_template |
| isfromtemplateinstantiation.cpp:129:6:129:6 | AnotherTemplateClass<long *>::f() | isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<long *> |
| isfromtemplateinstantiation.cpp:129:6:129:6 | definition of f | isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<long *> |
| isfromtemplateinstantiation.cpp:129:6:129:6 | definition of f | isfromtemplateinstantiation.cpp:129:6:129:6 | AnotherTemplateClass<long *>::f() |
| isfromtemplateinstantiation.cpp:129:10:129:22 | { ... } | isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<long *> |
| isfromtemplateinstantiation.cpp:129:10:129:22 | { ... } | isfromtemplateinstantiation.cpp:129:6:129:6 | AnotherTemplateClass<long *>::f() |
| isfromtemplateinstantiation.cpp:129:12:129:20 | return ... | isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<long *> |
| isfromtemplateinstantiation.cpp:129:12:129:20 | return ... | isfromtemplateinstantiation.cpp:129:6:129:6 | AnotherTemplateClass<long *>::f() |
| isfromtemplateinstantiation.cpp:129:19:129:19 | 1 | isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<long *> |
| isfromtemplateinstantiation.cpp:129:19:129:19 | 1 | isfromtemplateinstantiation.cpp:129:6:129:6 | AnotherTemplateClass<long *>::f() |
| isfromtemplateinstantiation.cpp:135:31:135:35 | Inner<U> | isfromtemplateinstantiation.cpp:134:29:134:33 | Outer<int> |
| isfromtemplateinstantiation.cpp:135:31:135:35 | declaration of Inner<U> | isfromtemplateinstantiation.cpp:134:29:134:33 | Outer<int> |
| isfromtemplateinstantiation.cpp:136:7:136:7 | definition of x | isfromtemplateinstantiation.cpp:135:31:135:35 | Inner<long> |
@@ -112,7 +121,94 @@
| isfromtemplateinstantiation.cpp:137:7:137:7 | y | isfromtemplateinstantiation.cpp:135:31:135:35 | Inner<long> |
| load.cpp:15:14:15:15 | definition of is | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:15:14:15:15 | is | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:18:5:18:5 | definition of basic_text_iprimitive | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:18:5:18:5 | definition of basic_text_iprimitive | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
| load.cpp:18:36:18:42 | definition of isParam | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:18:36:18:42 | definition of isParam | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
| load.cpp:18:36:18:42 | std_istream_mockup & isParam | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:18:36:18:42 | std_istream_mockup & isParam | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
| load.cpp:19:11:19:21 | constructor init of field is | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:19:11:19:21 | constructor init of field is | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
| load.cpp:19:14:19:20 | (reference dereference) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:19:14:19:20 | (reference dereference) | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
| load.cpp:19:14:19:20 | (reference to) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:19:14:19:20 | (reference to) | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
| load.cpp:19:14:19:20 | isParam | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:19:14:19:20 | isParam | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
| load.cpp:19:23:19:24 | { ... } | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:19:23:19:24 | { ... } | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
| load.cpp:19:24:19:24 | return ... | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:19:24:19:24 | return ... | load.cpp:18:5:18:5 | basic_text_iprimitive<std_istream_mockup>::basic_text_iprimitive(std_istream_mockup &) |
| load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:22:10:22:10 | definition of load | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:22:10:22:10 | definition of load | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
| load.cpp:22:10:22:13 | basic_text_iprimitive<std_istream_mockup>::load<T>(T &) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:22:10:22:13 | declaration of load | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:22:19:22:19 | T & t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:22:19:22:19 | declaration of t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:22:19:22:19 | definition of t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:22:19:22:19 | definition of t | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
| load.cpp:22:19:22:19 | short & t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:22:19:22:19 | short & t | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
| load.cpp:23:5:25:5 | { ... } | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:23:5:25:5 | { ... } | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
| load.cpp:24:9:24:10 | (reference dereference) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:24:9:24:10 | (reference dereference) | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
| load.cpp:24:9:24:10 | is | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:24:9:24:10 | is | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
| load.cpp:24:9:24:10 | this | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:24:9:24:10 | this | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
| load.cpp:24:9:24:16 | ExprStmt | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:24:9:24:16 | ExprStmt | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
| load.cpp:24:12:24:12 | call to operator>> | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:24:12:24:12 | call to operator>> | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
| load.cpp:24:12:24:16 | (reference dereference) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:24:12:24:16 | (reference dereference) | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
| load.cpp:24:15:24:15 | (reference dereference) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:24:15:24:15 | (reference dereference) | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
| load.cpp:24:15:24:15 | (reference to) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:24:15:24:15 | (reference to) | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
| load.cpp:24:15:24:15 | t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:24:15:24:15 | t | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
| load.cpp:25:5:25:5 | return ... | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:25:5:25:5 | return ... | load.cpp:22:10:22:10 | basic_text_iprimitive<std_istream_mockup>::load<short>(short &) |
| load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:27:10:27:10 | definition of load | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:27:10:27:10 | definition of load | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
| load.cpp:27:22:27:22 | char & t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:27:22:27:22 | char & t | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
| load.cpp:27:22:27:22 | definition of t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:27:22:27:22 | definition of t | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
| load.cpp:28:5:32:5 | { ... } | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:28:5:32:5 | { ... } | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
| load.cpp:29:9:29:20 | declaration | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:29:9:29:20 | declaration | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
| load.cpp:29:19:29:19 | definition of i | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:29:19:29:19 | definition of i | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
| load.cpp:29:19:29:19 | i | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:29:19:29:19 | i | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
| load.cpp:30:9:30:12 | call to load | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:30:9:30:12 | call to load | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
| load.cpp:30:9:30:12 | this | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:30:9:30:12 | this | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
| load.cpp:30:9:30:16 | ExprStmt | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:30:9:30:16 | ExprStmt | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
| load.cpp:30:14:30:14 | (reference to) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:30:14:30:14 | (reference to) | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
| load.cpp:30:14:30:14 | i | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:30:14:30:14 | i | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
| load.cpp:31:9:31:9 | (reference dereference) | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:31:9:31:9 | (reference dereference) | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
| load.cpp:31:9:31:9 | t | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:31:9:31:9 | t | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
| load.cpp:31:9:31:13 | ... = ... | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:31:9:31:13 | ... = ... | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
| load.cpp:31:9:31:14 | ExprStmt | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:31:9:31:14 | ExprStmt | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
| load.cpp:31:13:31:13 | (char)... | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:31:13:31:13 | (char)... | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
| load.cpp:31:13:31:13 | i | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:31:13:31:13 | i | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |
| load.cpp:32:5:32:5 | return ... | load.cpp:13:7:13:27 | basic_text_iprimitive<std_istream_mockup> |
| load.cpp:32:5:32:5 | return ... | load.cpp:27:10:27:10 | basic_text_iprimitive<std_istream_mockup>::load(char &) |

70
cpp/ql/test/library-tests/templates/isfromtemplateinstantiation/isfromuninstantiatedtemplate.expected
View File

@@ -425,7 +425,16 @@ isFromUninstantiatedTemplate
| isfromtemplateinstantiation.cpp:123:6:123:6 | f | | | Declaration | |
| isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<T *> | | T | Declaration | |
| isfromtemplateinstantiation.cpp:128:7:128:30 | AnotherTemplateClass<long *> | I | | Declaration | |
| isfromtemplateinstantiation.cpp:129:6:129:6 | definition of f | | T | Definition | |
| isfromtemplateinstantiation.cpp:129:6:129:6 | definition of f | I | | Definition | |
| isfromtemplateinstantiation.cpp:129:6:129:6 | f | | T | Declaration | |
| isfromtemplateinstantiation.cpp:129:6:129:6 | f | I | | Declaration | |
| isfromtemplateinstantiation.cpp:129:10:129:22 | { ... } | | T | Stmt | |
| isfromtemplateinstantiation.cpp:129:10:129:22 | { ... } | I | | Stmt | |
| isfromtemplateinstantiation.cpp:129:12:129:20 | return ... | | T | Stmt | |
| isfromtemplateinstantiation.cpp:129:12:129:20 | return ... | I | | Stmt | |
| isfromtemplateinstantiation.cpp:129:19:129:19 | 1 | | T | Expr | |
| isfromtemplateinstantiation.cpp:129:19:129:19 | 1 | I | | Expr | |
| isfromtemplateinstantiation.cpp:134:29:134:33 | Outer<T> | | T | Declaration | |
| isfromtemplateinstantiation.cpp:134:29:134:33 | Outer<int> | I | | Declaration | |
| isfromtemplateinstantiation.cpp:135:31:135:35 | Inner<U> | | T | Declaration | |
@@ -461,21 +470,82 @@ isFromUninstantiatedTemplate
| load.cpp:15:14:15:15 | definition of is | I | | Definition | |
| load.cpp:15:14:15:15 | is | | T | Declaration | |
| load.cpp:15:14:15:15 | is | I | | Declaration | |
| load.cpp:18:5:18:5 | basic_text_iprimitive | I | | Declaration | |
| load.cpp:18:5:18:25 | basic_text_iprimitive | | T | Declaration | |
| load.cpp:18:36:18:42 | definition of isParam | | T | Definition | |
| load.cpp:18:36:18:42 | definition of isParam | I | | Definition | |
| load.cpp:18:36:18:42 | isParam | | T | Declaration | |
| load.cpp:18:36:18:42 | isParam | I | | Declaration | |
| load.cpp:19:11:19:21 | constructor init of field is | | T | Expr | |
| load.cpp:19:11:19:21 | constructor init of field is | I | | Expr | |
| load.cpp:19:14:19:20 | (reference dereference) | | T | Expr | |
| load.cpp:19:14:19:20 | (reference dereference) | I | | Expr | |
| load.cpp:19:14:19:20 | (reference to) | | T | Expr | |
| load.cpp:19:14:19:20 | (reference to) | I | | Expr | |
| load.cpp:19:14:19:20 | isParam | | T | Expr | Ref |
| load.cpp:19:14:19:20 | isParam | I | | Expr | Ref |
| load.cpp:19:23:19:24 | { ... } | | T | Stmt | |
| load.cpp:19:23:19:24 | { ... } | I | | Stmt | |
| load.cpp:19:24:19:24 | return ... | | T | Stmt | |
| load.cpp:19:24:19:24 | return ... | I | | Stmt | |
| load.cpp:22:10:22:10 | load | I | | Declaration | |
| load.cpp:22:10:22:13 | load | | T | Declaration | |
| load.cpp:22:10:22:13 | load | I | T | Declaration | |
| load.cpp:22:19:22:19 | definition of t | | T | Definition | |
| load.cpp:22:19:22:19 | definition of t | I | | Definition | |
| load.cpp:22:19:22:19 | t | | T | Declaration | |
| load.cpp:22:19:22:19 | t | I | | Declaration | |
| load.cpp:22:19:22:19 | t | I | T | Declaration | |
| load.cpp:23:5:25:5 | { ... } | | T | Stmt | |
| load.cpp:23:5:25:5 | { ... } | I | | Stmt | |
| load.cpp:24:9:24:10 | (reference dereference) | | T | Expr | |
| load.cpp:24:9:24:10 | (reference dereference) | I | | Expr | |
| load.cpp:24:9:24:10 | is | | T | Expr | Not ref |
| load.cpp:24:9:24:10 | is | I | | Expr | Not ref |
| load.cpp:24:9:24:10 | this | | T | Expr | |
| load.cpp:24:9:24:10 | this | I | | Expr | |
| load.cpp:24:9:24:16 | ExprStmt | | T | Stmt | |
| load.cpp:24:9:24:16 | ExprStmt | I | | Stmt | |
| load.cpp:24:15:24:15 | (reference dereference) | | T | Expr | |
| load.cpp:24:15:24:15 | (reference dereference) | I | | Expr | |
| load.cpp:24:15:24:15 | (reference to) | I | | Expr | |
| load.cpp:24:15:24:15 | t | | T | Expr | Not ref |
| load.cpp:24:15:24:15 | t | I | | Expr | Ref |
| load.cpp:25:5:25:5 | return ... | | T | Stmt | |
| load.cpp:25:5:25:5 | return ... | I | | Stmt | |
| load.cpp:27:10:27:10 | load | I | | Declaration | |
| load.cpp:27:10:27:13 | load | | T | Declaration | |
| load.cpp:27:22:27:22 | definition of t | | T | Definition | |
| load.cpp:27:22:27:22 | definition of t | I | | Definition | |
| load.cpp:27:22:27:22 | t | | T | Declaration | |
| load.cpp:27:22:27:22 | t | I | | Declaration | |
| load.cpp:28:5:32:5 | { ... } | | T | Stmt | |
| load.cpp:28:5:32:5 | { ... } | I | | Stmt | |
| load.cpp:29:9:29:20 | declaration | | T | Stmt | |
| load.cpp:29:9:29:20 | declaration | I | | Stmt | |
| load.cpp:29:19:29:19 | definition of i | | T | Definition | |
| load.cpp:29:19:29:19 | definition of i | I | | Definition | |
| load.cpp:29:19:29:19 | i | | T | Declaration | |
| load.cpp:29:19:29:19 | i | I | | Declaration | |
| load.cpp:30:9:30:12 | Unknown literal | | T | Expr | |
| load.cpp:30:9:30:12 | call to load | I | | Expr | |
| load.cpp:30:9:30:12 | this | I | | Expr | |
| load.cpp:30:9:30:16 | ExprStmt | | T | Stmt | |
| load.cpp:30:9:30:16 | ExprStmt | I | | Stmt | |
| load.cpp:30:14:30:14 | (reference to) | I | | Expr | |
| load.cpp:30:14:30:14 | i | | T | Expr | Not ref |
| load.cpp:30:14:30:14 | i | I | | Expr | Ref |
| load.cpp:31:9:31:9 | (reference dereference) | | T | Expr | |
| load.cpp:31:9:31:9 | (reference dereference) | I | | Expr | |
| load.cpp:31:9:31:9 | t | | T | Expr | Not ref |
| load.cpp:31:9:31:9 | t | I | | Expr | Not ref |
| load.cpp:31:9:31:13 | ... = ... | | T | Expr | |
| load.cpp:31:9:31:13 | ... = ... | I | | Expr | |
| load.cpp:31:9:31:14 | ExprStmt | | T | Stmt | |
| load.cpp:31:9:31:14 | ExprStmt | I | | Stmt | |
| load.cpp:31:13:31:13 | (char)... | | T | Expr | |
| load.cpp:31:13:31:13 | (char)... | I | | Expr | |
| load.cpp:31:13:31:13 | i | | T | Expr | Not ref |
| load.cpp:31:13:31:13 | i | I | | Expr | Not ref |
| load.cpp:32:5:32:5 | return ... | | T | Stmt | |
| load.cpp:32:5:32:5 | return ... | I | | Stmt | |

1
cpp/ql/test/library-tests/templates/switch/test.expected
View File

@@ -1 +1,2 @@
| test.cpp:13:3:20:3 | switch (...) ... | 3 |
| test.cpp:13:3:20:3 | switch (...) ... | 3 |

3
cpp/ql/test/library-tests/templates/type_instantiations/types.expected
View File

@@ -5,10 +5,13 @@
| file://:0:0:0:0 | _Complex _Float64 |
| file://:0:0:0:0 | _Complex _Float64x |
| file://:0:0:0:0 | _Complex _Float128 |
| file://:0:0:0:0 | _Complex __bf16 |
| file://:0:0:0:0 | _Complex __float128 |
| file://:0:0:0:0 | _Complex __fp16 |
| file://:0:0:0:0 | _Complex double |
| file://:0:0:0:0 | _Complex float |
| file://:0:0:0:0 | _Complex long double |
| file://:0:0:0:0 | _Complex std::float16_t |
| file://:0:0:0:0 | _Decimal32 |
| file://:0:0:0:0 | _Decimal64 |
| file://:0:0:0:0 | _Decimal128 |

3
cpp/ql/test/library-tests/type_sizes/type_sizes.expected
View File

@@ -25,10 +25,13 @@
| file://:0:0:0:0 | _Complex _Float64 | 16 |
| file://:0:0:0:0 | _Complex _Float64x | 32 |
| file://:0:0:0:0 | _Complex _Float128 | 32 |
| file://:0:0:0:0 | _Complex __bf16 | 4 |
| file://:0:0:0:0 | _Complex __float128 | 32 |
| file://:0:0:0:0 | _Complex __fp16 | 4 |
| file://:0:0:0:0 | _Complex double | 16 |
| file://:0:0:0:0 | _Complex float | 8 |
| file://:0:0:0:0 | _Complex long double | 32 |
| file://:0:0:0:0 | _Complex std::float16_t | 4 |
| file://:0:0:0:0 | _Decimal32 | 4 |
| file://:0:0:0:0 | _Decimal64 | 8 |
| file://:0:0:0:0 | _Decimal128 | 16 |

3
cpp/ql/test/library-tests/unspecified_type/types/unspecified_type.expected
View File

@@ -7,10 +7,13 @@
| file://:0:0:0:0 | _Complex _Float64 | _Complex _Float64 |
| file://:0:0:0:0 | _Complex _Float64x | _Complex _Float64x |
| file://:0:0:0:0 | _Complex _Float128 | _Complex _Float128 |
| file://:0:0:0:0 | _Complex __bf16 | _Complex __bf16 |
| file://:0:0:0:0 | _Complex __float128 | _Complex __float128 |
| file://:0:0:0:0 | _Complex __fp16 | _Complex __fp16 |
| file://:0:0:0:0 | _Complex double | _Complex double |
| file://:0:0:0:0 | _Complex float | _Complex float |
| file://:0:0:0:0 | _Complex long double | _Complex long double |
| file://:0:0:0:0 | _Complex std::float16_t | _Complex std::float16_t |
| file://:0:0:0:0 | _Decimal32 | _Decimal32 |
| file://:0:0:0:0 | _Decimal64 | _Decimal64 |
| file://:0:0:0:0 | _Decimal128 | _Decimal128 |

3
cpp/ql/test/library-tests/variables/variables/types.expected
View File

@@ -6,10 +6,13 @@
| _Complex _Float64 | BinaryFloatingPointType, ComplexNumberType | | | | |
| _Complex _Float64x | BinaryFloatingPointType, ComplexNumberType | | | | |
| _Complex _Float128 | BinaryFloatingPointType, ComplexNumberType | | | | |
| _Complex __bf16 | BinaryFloatingPointType, ComplexNumberType | | | | |
| _Complex __float128 | BinaryFloatingPointType, ComplexNumberType | | | | |
| _Complex __fp16 | BinaryFloatingPointType, ComplexNumberType | | | | |
| _Complex double | BinaryFloatingPointType, ComplexNumberType | | | | |
| _Complex float | BinaryFloatingPointType, ComplexNumberType | | | | |
| _Complex long double | BinaryFloatingPointType, ComplexNumberType | | | | |
| _Complex std::float16_t | BinaryFloatingPointType, ComplexNumberType | | | | |
| _Decimal32 | Decimal32Type | | | | |
| _Decimal64 | Decimal64Type | | | | |
| _Decimal128 | Decimal128Type | | | | |

4
go/ql/lib/change-notes/2025-06-03-fix-definedtype-getbasetype.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Previously, `DefinedType.getBaseType` gave the underlying type. It now gives the right hand side of the type declaration, as the documentation indicated that it should.

5
go/ql/lib/change-notes/2025-06-05-deprecate-DeclaredType-BuiltinType.md Normal file
View File

@@ -0,0 +1,5 @@
---
category: deprecated
---
* The class `BuiltinType` is now deprecated. Use the new replacement `BuiltinTypeEntity` instead.
* The class `DeclaredType` is now deprecated. Use the new replacement `DeclaredTypeEntity` instead.

30
go/ql/lib/semmle/go/Decls.qll
View File

@@ -381,10 +381,20 @@ class TypeSpec extends @typespec, Spec, TypeParamDeclParent {
string getName() { result = this.getNameExpr().getName() }
/**
* Gets the expression denoting the underlying type to which the newly declared type is bound.
* Gets the declared type of this specifier.
*
* Note that for alias types this will give the underlying type.
*/
Type getDeclaredType() { result = this.getNameExpr().getType() }
/**
* Gets the expression denoting the underlying type to which the declared type is bound.
*/
Expr getTypeExpr() { result = this.getChildExpr(1) }
/** Gets the underlying type to which the declared type is bound. */
Type getRhsType() { result = this.getTypeExpr().getType() }
override string toString() { result = "type declaration specifier" }
override string getAPrimaryQlClass() { result = "TypeSpec" }
@@ -461,6 +471,7 @@ class FieldBase extends @field, ExprParent {
* Examples:
*
* ```go
* io.Reader
* Name string `json:"name"`
* x, y int
* ```
@@ -469,8 +480,9 @@ class FieldBase extends @field, ExprParent {
*
* ```go
* struct {
* Name string `json:"name"`
* x, y int
* io.Reader // embedded field
* Name string `json:"name"` // field with tag
* x, y int // declares two fields with the same type
* }
* ```
*/
@@ -482,12 +494,24 @@ class FieldDecl extends FieldBase, Documentable, ExprParent {
/**
* Gets the expression representing the name of the `i`th field declared in this declaration
* (0-based).
*
* This is not defined for embedded fields.
*/
Expr getNameExpr(int i) {
i >= 0 and
result = this.getChildExpr(i + 1)
}
/**
* Gets the `i`th field declared in this declaration (0-based).
*
* This is not defined for embedded fields.
*/
Field getField(int i) { this.getNameExpr(i).(Ident).declares(result) }
/** Holds if this field declaration declares an embedded type. */
predicate isEmbedded() { not exists(this.getNameExpr(_)) }
/** Gets the tag expression of this field declaration, if any. */
Expr getTag() { result = this.getChildExpr(-1) }

50
go/ql/lib/semmle/go/Scopes.qll
View File

@@ -202,13 +202,19 @@ class TypeEntity extends Entity, @typeobject { }
class TypeParamParentEntity extends Entity, @typeparamparentobject { }
/** A named type which has a declaration. */
class DeclaredType extends TypeEntity, DeclaredEntity, TypeParamParentEntity, @decltypeobject {
class DeclaredTypeEntity extends TypeEntity, DeclaredEntity, TypeParamParentEntity, @decltypeobject {
/** Gets the declaration specifier declaring this type. */
TypeSpec getSpec() { result.getNameExpr() = this.getDeclaration() }
}
/** DEPRECATED: Use `DeclaredTypeEntity` instead. */
deprecated class DeclaredType = DeclaredTypeEntity;
/** A built-in type. */
class BuiltinType extends TypeEntity, BuiltinEntity, @builtintypeobject { }
class BuiltinTypeEntity extends TypeEntity, BuiltinEntity, @builtintypeobject { }
/** DEPRECATED: Use `BuiltinTypeEntity` instead. */
deprecated class BuiltinType = BuiltinTypeEntity;
/** A built-in or declared constant, variable, field, method or function. */
class ValueEntity extends Entity, @valueobject {
@@ -754,64 +760,64 @@ private predicate builtinFunction(
module Builtin {
// built-in types
/** Gets the built-in type `bool`. */
BuiltinType bool() { result.getName() = "bool" }
BuiltinTypeEntity bool() { result.getName() = "bool" }
/** Gets the built-in type `byte`. */
BuiltinType byte() { result.getName() = "byte" }
BuiltinTypeEntity byte() { result.getName() = "byte" }
/** Gets the built-in type `complex64`. */
BuiltinType complex64() { result.getName() = "complex64" }
BuiltinTypeEntity complex64() { result.getName() = "complex64" }
/** Gets the built-in type `complex128`. */
BuiltinType complex128() { result.getName() = "complex128" }
BuiltinTypeEntity complex128() { result.getName() = "complex128" }
/** Gets the built-in type `error`. */
BuiltinType error() { result.getName() = "error" }
BuiltinTypeEntity error() { result.getName() = "error" }
/** Gets the built-in type `float32`. */
BuiltinType float32() { result.getName() = "float32" }
BuiltinTypeEntity float32() { result.getName() = "float32" }
/** Gets the built-in type `float64`. */
BuiltinType float64() { result.getName() = "float64" }
BuiltinTypeEntity float64() { result.getName() = "float64" }
/** Gets the built-in type `int`. */
BuiltinType int_() { result.getName() = "int" }
BuiltinTypeEntity int_() { result.getName() = "int" }
/** Gets the built-in type `int8`. */
BuiltinType int8() { result.getName() = "int8" }
BuiltinTypeEntity int8() { result.getName() = "int8" }
/** Gets the built-in type `int16`. */
BuiltinType int16() { result.getName() = "int16" }
BuiltinTypeEntity int16() { result.getName() = "int16" }
/** Gets the built-in type `int32`. */
BuiltinType int32() { result.getName() = "int32" }
BuiltinTypeEntity int32() { result.getName() = "int32" }
/** Gets the built-in type `int64`. */
BuiltinType int64() { result.getName() = "int64" }
BuiltinTypeEntity int64() { result.getName() = "int64" }
/** Gets the built-in type `rune`. */
BuiltinType rune() { result.getName() = "rune" }
BuiltinTypeEntity rune() { result.getName() = "rune" }
/** Gets the built-in type `string`. */
BuiltinType string_() { result.getName() = "string" }
BuiltinTypeEntity string_() { result.getName() = "string" }
/** Gets the built-in type `uint`. */
BuiltinType uint() { result.getName() = "uint" }
BuiltinTypeEntity uint() { result.getName() = "uint" }
/** Gets the built-in type `uint8`. */
BuiltinType uint8() { result.getName() = "uint8" }
BuiltinTypeEntity uint8() { result.getName() = "uint8" }
/** Gets the built-in type `uint16`. */
BuiltinType uint16() { result.getName() = "uint16" }
BuiltinTypeEntity uint16() { result.getName() = "uint16" }
/** Gets the built-in type `uint32`. */
BuiltinType uint32() { result.getName() = "uint32" }
BuiltinTypeEntity uint32() { result.getName() = "uint32" }
/** Gets the built-in type `uint64`. */
BuiltinType uint64() { result.getName() = "uint64" }
BuiltinTypeEntity uint64() { result.getName() = "uint64" }
/** Gets the built-in type `uintptr`. */
BuiltinType uintptr() { result.getName() = "uintptr" }
BuiltinTypeEntity uintptr() { result.getName() = "uintptr" }
// built-in constants
/** Gets the built-in constant `true`. */

15
go/ql/lib/semmle/go/Types.qll
View File

@@ -1038,8 +1038,15 @@ deprecated class NamedType = DefinedType;
/** A defined type. */
class DefinedType extends @definedtype, CompositeType {
/** Gets the type which this type is defined to be. */
Type getBaseType() { underlying_type(this, result) }
/**
* Gets the type which this type is defined to be, if available.
*
* Note that this is only defined for types declared in the project being
* analyzed. It will not be defined for types declared in external packages.
*/
Type getBaseType() {
result = this.getEntity().(DeclaredTypeEntity).getSpec().getTypeExpr().getType()
}
override Method getMethod(string m) {
result = CompositeType.super.getMethod(m)
@@ -1049,7 +1056,7 @@ class DefinedType extends @definedtype, CompositeType {
or
// handle promoted methods
exists(StructType s, Type embedded |
s = this.getBaseType() and
s = this.getUnderlyingType() and
s.hasOwnField(_, _, embedded, true) and
// ensure `m` can be promoted
not s.hasOwnField(_, m, _, _) and
@@ -1063,7 +1070,7 @@ class DefinedType extends @definedtype, CompositeType {
)
}
override Type getUnderlyingType() { result = this.getBaseType().getUnderlyingType() }
override Type getUnderlyingType() { underlying_type(this, result) }
}
/**

4
go/ql/test/library-tests/semmle/go/Decl/TypeSpec.expected
View File

@@ -1,2 +1,2 @@
| main.go:3:6:3:15 | type declaration specifier | status | int | def |
| main.go:5:6:5:20 | type declaration specifier | intlist | []int | alias |
| main.go:3:6:3:15 | type declaration specifier | status | status | main.go:3:13:3:15 | int | int | def |
| main.go:5:6:5:20 | type declaration specifier | intlist | []int | main.go:5:16:5:20 | array type | []int | alias |

2
go/ql/test/library-tests/semmle/go/Decl/TypeSpec.ql
View File

@@ -2,4 +2,4 @@ import go
from TypeSpec ts, string kind
where if ts instanceof AliasSpec then kind = "alias" else kind = "def"
select ts, ts.getName(), ts.getTypeExpr().getType().pp(), kind
select ts, ts.getName(), ts.getDeclaredType().pp(), ts.getTypeExpr(), ts.getRhsType().pp(), kind

112
go/ql/test/library-tests/semmle/go/Types/DefinedType_getBaseType.expected Normal file
View File

@@ -0,0 +1,112 @@
| aliases.go:19:6:19:7 | S3 | struct { x int } |
| aliases.go:29:6:29:11 | MyType | struct { x MyTypeT } |
| cyclic.go:3:6:3:6 | s | struct { * s } |
| cyclic.go:7:6:7:6 | t | struct { * u; f int } |
| cyclic.go:12:6:12:6 | u | struct { t } |
| cyclic.go:16:6:16:6 | v | struct { s } |
| depth.go:5:6:5:6 | a | struct { b; c } |
| depth.go:10:6:10:6 | b | struct { f int } |
| depth.go:14:6:14:6 | c | struct { d } |
| depth.go:18:6:18:6 | d | struct { f string } |
| embedded.go:3:6:3:8 | Baz | struct { A string } |
| embedded.go:7:6:7:8 | Qux | struct { * Baz } |
| embedded.go:11:6:11:14 | EmbedsBaz | struct { Qux; Baz string } |
| generic.go:3:6:3:19 | GenericStruct1 | struct { valueField T; pointerField * T; arrayField [10]T; sliceField []T; mapField [string]T } |
| generic.go:11:6:11:27 | CircularGenericStruct1 | struct { pointerField * CircularGenericStruct1 } |
| generic.go:15:6:15:31 | UsesCircularGenericStruct1 | struct { root CircularGenericStruct1 } |
| generic.go:19:6:19:19 | GenericStruct2 | struct { structField GenericStruct1; mapField [S]T } |
| generic.go:24:6:24:20 | GenericStruct2b | struct { structField GenericStruct2 } |
| generic.go:28:6:28:27 | CircularGenericStruct2 | struct { pointerField * CircularGenericStruct2 } |
| generic.go:32:6:32:21 | GenericInterface | interface { GetT func() T } |
| generic.go:36:6:36:17 | GenericArray | [10]T |
| generic.go:37:6:37:19 | GenericPointer | * T |
| generic.go:38:6:38:17 | GenericSlice | []T |
| generic.go:39:6:39:16 | GenericMap1 | [string]V |
| generic.go:40:6:40:16 | GenericMap2 | [K]V |
| generic.go:41:6:41:19 | GenericChannel | chan<- T |
| generic.go:42:6:42:14 | MyMapType | [string]int |
| generic.go:43:6:43:19 | GenericDefined | MyMapType |
| generic.go:44:6:44:16 | MyFuncType1 | func(T) |
| generic.go:45:6:45:16 | MyFuncType2 | func(T1) T2 |
| generic.go:47:6:47:16 | MyInterface | interface { clone func() MyInterface; dummy1 func() [10]U; dummy11 func() GenericArray; dummy12 func() GenericPointer; dummy13 func() GenericSlice; dummy14 func() GenericMap1; dummy15 func() GenericMap2; dummy17 func() GenericChannel; dummy18 func() GenericDefined; dummy19 func() MyFuncType1; dummy2 func() * U; dummy20 func() MyFuncType2; dummy3 func() []U; dummy4 func() [U]U; dummy5 func() chan<- U; dummy6 func() MyMapType; dummy7 func() MyFuncType2 } |
| generic.go:67:6:67:22 | HasBlankTypeParam | struct { } |
| generic.go:68:6:68:23 | HasBlankTypeParams | struct { } |
| generic.go:84:6:84:21 | GenericSignature | func(T) T |
| interface.go:3:6:3:7 | i0 | comparable |
| interface.go:5:6:5:7 | i1 | interface { int } |
| interface.go:9:6:9:7 | i2 | interface { ~string } |
| interface.go:13:6:13:7 | i3 | interface { [5]int \| ~string } |
| interface.go:18:6:18:7 | i4 | interface { i1 \| i2 \| float32 } |
| interface.go:23:6:23:7 | i5 | interface { []uint8; int \| ~[]uint8 } |
| interface.go:28:6:28:7 | i6 | interface { ~[]int \| ~string; String func() string } |
| interface.go:34:6:34:7 | i7 | interface { [5]int \| ~string; ~string; String func() string } |
| interface.go:41:6:41:7 | i8 | interface { ~[]int \| ~string; String func() string; StringA func() string } |
| interface.go:47:6:47:7 | i9 | interface { ~[]int \| ~string; String func() string; StringB func() string } |
| interface.go:52:6:52:8 | i10 | interface { comparable } |
| interface.go:57:6:57:8 | i11 | interface { [5]uint8 \| string; int } |
| interface.go:63:6:63:8 | i12 | interface { comparable; []uint8 \| string } |
| interface.go:69:6:69:8 | i13 | interface { comparable; []uint8 \| string } |
| interface.go:75:6:75:8 | i14 | interface { []uint8 \| string; ~[]int \| ~string; String func() string; StringA func() string } |
| interface.go:81:6:81:8 | i15 | interface { []uint8 \| string; ~[]int \| ~string; String func() string; StringB func() string } |
| interface.go:87:6:87:8 | i16 | interface { } |
| interface.go:91:6:91:8 | i17 | interface { StringA func() string } |
| interface.go:95:6:95:8 | i18 | interface { comparable; StringA func() string } |
| interface.go:101:6:101:8 | i19 | interface { StringB func() string } |
| interface.go:105:6:105:8 | i20 | interface { comparable; StringB func() string } |
| interface.go:114:6:114:19 | testComparable | struct { } |
| interface.go:115:6:115:20 | testComparable0 | struct { } |
| interface.go:116:6:116:20 | testComparable1 | struct { } |
| interface.go:117:6:117:20 | testComparable2 | struct { } |
| interface.go:118:6:118:20 | testComparable3 | struct { } |
| interface.go:119:6:119:20 | testComparable4 | struct { } |
| interface.go:120:6:120:20 | testComparable5 | struct { } |
| interface.go:121:6:121:20 | testComparable6 | struct { } |
| interface.go:122:6:122:20 | testComparable7 | struct { } |
| interface.go:123:6:123:20 | testComparable8 | struct { } |
| interface.go:124:6:124:20 | testComparable9 | struct { } |
| interface.go:125:6:125:21 | testComparable10 | struct { } |
| interface.go:126:6:126:21 | testComparable11 | struct { } |
| interface.go:127:6:127:21 | testComparable12 | struct { } |
| interface.go:128:6:128:21 | testComparable13 | struct { } |
| interface.go:129:6:129:21 | testComparable14 | struct { } |
| interface.go:130:6:130:21 | testComparable15 | struct { } |
| interface.go:131:6:131:21 | testComparable16 | struct { } |
| interface.go:132:6:132:21 | testComparable17 | struct { } |
| interface.go:133:6:133:21 | testComparable18 | struct { } |
| interface.go:134:6:134:21 | testComparable19 | struct { } |
| interface.go:135:6:135:21 | testComparable20 | struct { } |
| interface.go:136:6:136:21 | testComparable21 | struct { } |
| interface.go:137:6:137:21 | testComparable22 | struct { } |
| interface.go:138:6:138:21 | testComparable23 | struct { } |
| main.go:17:6:17:20 | EmbedsNameClash | struct { NameClash } |
| pkg1/embedding.go:8:6:8:9 | base | struct { } |
| pkg1/embedding.go:19:6:19:13 | embedder | struct { base } |
| pkg1/embedding.go:22:6:22:16 | ptrembedder | struct { * base } |
| pkg1/embedding.go:25:6:25:14 | embedder2 | struct { embedder } |
| pkg1/embedding.go:28:6:28:14 | embedder3 | struct { embedder } |
| pkg1/embedding.go:35:6:35:14 | embedder4 | struct { base; f int } |
| pkg1/interfaces.go:3:6:3:6 | A | interface { m func() } |
| pkg1/interfaces.go:7:6:7:6 | B | interface { m func() ; n func() } |
| pkg1/interfaces.go:12:6:12:6 | C | interface { n func() ; o func() } |
| pkg1/interfaces.go:17:6:17:14 | AEmbedded | interface { m func() } |
| pkg1/interfaces.go:21:6:21:7 | AC | interface { m func() ; n func() ; o func() } |
| pkg1/interfaces.go:26:6:26:14 | AExtended | interface { m func() ; n func() } |
| pkg1/interfaces.go:31:6:31:7 | A2 | interface { m func() } |
| pkg1/interfaces.go:35:6:35:24 | MixedExportedAndNot | interface { Exported func() ; notExported func() } |
| pkg1/promotedStructs.go:4:6:4:6 | S | struct { SField string } |
| pkg1/promotedStructs.go:13:6:13:6 | P | struct { PField string } |
| pkg1/promotedStructs.go:22:6:22:12 | SEmbedS | struct { S } |
| pkg1/promotedStructs.go:25:6:25:12 | SEmbedP | struct { P } |
| pkg1/tst.go:5:6:5:6 | T | struct { f int; Foo; Bar } |
| pkg1/tst.go:11:6:11:7 | T2 | struct { Foo Foo; Bar } |
| pkg1/tst.go:16:6:16:7 | T3 | struct { * Foo; * Bar } |
| pkg1/tst.go:21:6:21:7 | T4 | struct { * Foo; Bar Bar } |
| pkg1/tst.go:26:6:26:8 | Foo | struct { val int; flag bool } |
| pkg1/tst.go:31:6:31:8 | Bar | struct { flag bool } |
| pkg1/tst.go:61:6:61:14 | NameClash | struct { NameClash } |
| pkg2/tst.go:3:6:3:6 | T | struct { g int } |
| pkg2/tst.go:7:6:7:6 | G | struct { g int } |
| pkg2/tst.go:11:6:11:24 | MixedExportedAndNot | interface { Exported func() ; notExported func() } |
| pkg2/tst.go:16:6:16:14 | NameClash | struct { NCField string } |
| struct_tags.go:3:6:3:7 | S1 | struct { field1 int `tag1a`; field2 int `tag2a` } |
| struct_tags.go:8:6:8:7 | S2 | struct { field1 int `tag1b`; field2 int `tag2b` } |

5
go/ql/test/library-tests/semmle/go/Types/DefinedType_getBaseType.ql Normal file
View File

@@ -0,0 +1,5 @@
import go
from DefinedType dt, Type tp
where tp = dt.getBaseType()
select dt, tp.pp()

70
go/ql/test/library-tests/semmle/go/Types/FieldDecl.expected Normal file
View File

@@ -0,0 +1,70 @@
fieldDeclWithNamedFields
| aliases.go:6:26:6:35 | field declaration | 0 | aliases.go:6:26:6:26 | x |
| aliases.go:6:26:6:35 | field declaration | 0 | aliases.go:8:26:8:26 | x |
| aliases.go:6:26:6:35 | field declaration | 0 | aliases.go:19:17:19:17 | x |
| aliases.go:8:26:8:35 | field declaration | 0 | aliases.go:6:26:6:26 | x |
| aliases.go:8:26:8:35 | field declaration | 0 | aliases.go:8:26:8:26 | x |
| aliases.go:8:26:8:35 | field declaration | 0 | aliases.go:19:17:19:17 | x |
| aliases.go:19:17:19:21 | field declaration | 0 | aliases.go:6:26:6:26 | x |
| aliases.go:19:17:19:21 | field declaration | 0 | aliases.go:8:26:8:26 | x |
| aliases.go:19:17:19:21 | field declaration | 0 | aliases.go:19:17:19:17 | x |
| aliases.go:29:34:29:42 | field declaration | 0 | aliases.go:29:34:29:34 | x |
| cyclic.go:9:2:9:6 | field declaration | 0 | cyclic.go:9:2:9:2 | f |
| depth.go:11:2:11:6 | field declaration | 0 | depth.go:11:2:11:2 | f |
| depth.go:19:2:19:9 | field declaration | 0 | depth.go:19:2:19:2 | f |
| embedded.go:4:2:4:9 | field declaration | 0 | embedded.go:4:2:4:2 | A |
| embedded.go:13:2:13:11 | field declaration | 0 | embedded.go:13:2:13:4 | Baz |
| generic.go:4:2:4:15 | field declaration | 0 | generic.go:4:2:4:11 | valueField |
| generic.go:5:2:5:16 | field declaration | 0 | generic.go:5:2:5:13 | pointerField |
| generic.go:6:2:6:19 | field declaration | 0 | generic.go:6:2:6:11 | arrayField |
| generic.go:7:2:7:17 | field declaration | 0 | generic.go:7:2:7:11 | sliceField |
| generic.go:8:2:8:26 | field declaration | 0 | generic.go:8:2:8:9 | mapField |
| generic.go:12:2:12:40 | field declaration | 0 | generic.go:12:2:12:13 | pointerField |
| generic.go:16:2:16:31 | field declaration | 0 | generic.go:16:2:16:5 | root |
| generic.go:20:2:20:30 | field declaration | 0 | generic.go:20:2:20:12 | structField |
| generic.go:21:2:21:20 | field declaration | 0 | generic.go:21:2:21:9 | mapField |
| generic.go:25:2:25:33 | field declaration | 0 | generic.go:25:2:25:12 | structField |
| generic.go:29:2:29:43 | field declaration | 0 | generic.go:29:2:29:13 | pointerField |
| pkg1/embedding.go:37:2:37:6 | field declaration | 0 | pkg1/embedding.go:37:2:37:2 | f |
| pkg1/promotedStructs.go:5:2:5:14 | field declaration | 0 | pkg1/promotedStructs.go:5:2:5:7 | SField |
| pkg1/promotedStructs.go:14:2:14:14 | field declaration | 0 | pkg1/promotedStructs.go:14:2:14:7 | PField |
| pkg1/tst.go:6:2:6:6 | field declaration | 0 | pkg1/tst.go:6:2:6:2 | f |
| pkg1/tst.go:12:2:12:8 | field declaration | 0 | pkg1/tst.go:12:2:12:4 | Foo |
| pkg1/tst.go:23:2:23:8 | field declaration | 0 | pkg1/tst.go:23:2:23:4 | Bar |
| pkg1/tst.go:27:2:27:9 | field declaration | 0 | pkg1/tst.go:27:2:27:4 | val |
| pkg1/tst.go:28:2:28:10 | field declaration | 0 | pkg1/tst.go:28:2:28:5 | flag |
| pkg1/tst.go:32:2:32:10 | field declaration | 0 | pkg1/tst.go:32:2:32:5 | flag |
| pkg2/tst.go:4:2:4:6 | field declaration | 0 | pkg2/tst.go:4:2:4:2 | g |
| pkg2/tst.go:4:2:4:6 | field declaration | 0 | pkg2/tst.go:8:2:8:2 | g |
| pkg2/tst.go:8:2:8:6 | field declaration | 0 | pkg2/tst.go:4:2:4:2 | g |
| pkg2/tst.go:8:2:8:6 | field declaration | 0 | pkg2/tst.go:8:2:8:2 | g |
| pkg2/tst.go:17:2:17:15 | field declaration | 0 | pkg2/tst.go:17:2:17:8 | NCField |
| struct_tags.go:4:2:4:19 | field declaration | 0 | struct_tags.go:4:2:4:7 | field1 |
| struct_tags.go:5:2:5:19 | field declaration | 0 | struct_tags.go:5:2:5:7 | field2 |
| struct_tags.go:9:2:9:19 | field declaration | 0 | struct_tags.go:9:2:9:7 | field1 |
| struct_tags.go:10:2:10:19 | field declaration | 0 | struct_tags.go:10:2:10:7 | field2 |
fieldDeclWithEmbeddedField
| cyclic.go:4:2:4:3 | field declaration | * s |
| cyclic.go:8:2:8:3 | field declaration | * u |
| cyclic.go:13:2:13:2 | field declaration | t |
| cyclic.go:17:2:17:2 | field declaration | s |
| depth.go:6:2:6:2 | field declaration | b |
| depth.go:7:2:7:2 | field declaration | c |
| depth.go:15:2:15:2 | field declaration | d |
| embedded.go:8:2:8:5 | field declaration | * Baz |
| embedded.go:12:2:12:4 | field declaration | Qux |
| main.go:18:2:18:15 | field declaration | NameClash |
| pkg1/embedding.go:19:23:19:26 | field declaration | base |
| pkg1/embedding.go:22:26:22:30 | field declaration | * base |
| pkg1/embedding.go:25:24:25:31 | field declaration | embedder |
| pkg1/embedding.go:28:24:28:31 | field declaration | embedder |
| pkg1/embedding.go:36:2:36:5 | field declaration | base |
| pkg1/promotedStructs.go:22:22:22:22 | field declaration | S |
| pkg1/promotedStructs.go:25:22:25:22 | field declaration | P |
| pkg1/tst.go:7:2:7:4 | field declaration | Foo |
| pkg1/tst.go:8:2:8:4 | field declaration | Bar |
| pkg1/tst.go:13:2:13:4 | field declaration | Bar |
| pkg1/tst.go:17:2:17:5 | field declaration | * Foo |
| pkg1/tst.go:18:2:18:5 | field declaration | * Bar |
| pkg1/tst.go:22:2:22:5 | field declaration | * Foo |
| pkg1/tst.go:62:2:62:15 | field declaration | NameClash |

7
go/ql/test/library-tests/semmle/go/Types/FieldDecl.ql Normal file
View File

@@ -0,0 +1,7 @@
import go
query predicate fieldDeclWithNamedFields(FieldDecl fd, int i, Field f) { fd.getField(i) = f }
query predicate fieldDeclWithEmbeddedField(FieldDecl fd, string tp) {
fd.isEmbedded() and tp = fd.getType().pp()
}

5
go/ql/test/library-tests/semmle/go/Types/MethodTypes.expected
View File

@@ -31,12 +31,12 @@
| interface.go:101:6:101:8 | i19 | StringB | func() string |
| interface.go:105:6:105:8 | i20 | StringB | func() string |
| main.go:17:6:17:20 | EmbedsNameClash | NCMethod | func() |
| pkg1/embedding.go:8:6:8:9 | base | f | func() int |
| pkg1/embedding.go:19:6:19:13 | embedder | f | func() int |
| pkg1/embedding.go:22:6:22:16 | ptrembedder | f | func() int |
| pkg1/embedding.go:22:6:22:16 | ptrembedder | g | func() int |
| pkg1/embedding.go:25:6:25:14 | embedder2 | f | func() int |
| pkg1/embedding.go:28:6:28:14 | embedder3 | f | func() int |
| pkg1/embedding.go:35:6:35:14 | embedder4 | f | func() int |
| pkg1/interfaces.go:3:6:3:6 | A | m | func() |
| pkg1/interfaces.go:7:6:7:6 | B | m | func() |
| pkg1/interfaces.go:7:6:7:6 | B | n | func() |
@@ -51,10 +51,13 @@
| pkg1/interfaces.go:31:6:31:7 | A2 | m | func() |
| pkg1/interfaces.go:35:6:35:24 | MixedExportedAndNot | Exported | func() |
| pkg1/interfaces.go:35:6:35:24 | MixedExportedAndNot | notExported | func() |
| pkg1/promotedStructs.go:4:6:4:6 | S | SMethod | func() interface { } |
| pkg1/promotedStructs.go:22:6:22:12 | SEmbedS | SMethod | func() interface { } |
| pkg1/tst.go:5:6:5:6 | T | half | func() Foo |
| pkg1/tst.go:16:6:16:7 | T3 | half | func() Foo |
| pkg1/tst.go:21:6:21:7 | T4 | half | func() Foo |
| pkg1/tst.go:26:6:26:8 | Foo | half | func() Foo |
| pkg1/tst.go:61:6:61:14 | NameClash | NCMethod | func() |
| pkg2/tst.go:11:6:11:24 | MixedExportedAndNot | Exported | func() |
| pkg2/tst.go:11:6:11:24 | MixedExportedAndNot | notExported | func() |
| pkg2/tst.go:16:6:16:14 | NameClash | NCMethod | func() |

4
go/ql/test/library-tests/semmle/go/Types/MethodTypes.ql
View File

@@ -1,7 +1,7 @@
import go
from DefinedType t, string m, Type tp
from Type t, string m, Type tp
where
exists(t.getEntity().getDeclaration()) and
t.getBaseType().hasMethod(m, tp)
t.hasMethod(m, tp)
select t, m, tp.pp()

2
java/kotlin-extractor/pick-kotlin-version.py
View File

@@ -26,7 +26,7 @@ if kotlinc is None:
res = subprocess.run([kotlinc, "-version"], text=True, stdout=subprocess.DEVNULL, stderr=subprocess.PIPE)
if res.returncode != 0:
raise Exception(f"kotlinc -version failed: {res.stderr}")
m = re.match(r'.* kotlinc-jvm ([0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z][a-zA-Z0-9]*)?) .*', res.stderr)
m = re.search(r' kotlinc-jvm ([0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z][a-zA-Z0-9]*)?) ', res.stderr)
if m is None:
raise Exception(f'Cannot detect version of kotlinc (got {res.stderr})')
version = m[1]

11
java/ql/lib/semmle/code/java/controlflow/BasicBlocks.qll
View File

@@ -85,6 +85,17 @@ class BasicBlock extends BbImpl::BasicBlock {
*/
predicate dominates(BasicBlock bb) { super.dominates(bb) }
/**
* Holds if this basic block strictly dominates basic block `bb`.
*
* That is, all paths reaching `bb` from the entry point basic block must
* go through this basic block and this basic block is different from `bb`.
*/
predicate strictlyDominates(BasicBlock bb) { super.strictlyDominates(bb) }
/** Gets an immediate successor of this basic block of a given type, if any. */
BasicBlock getASuccessor(Input::SuccessorType t) { result = super.getASuccessor(t) }
/**
* DEPRECATED: Use `getASuccessor` instead.
*

627
java/ql/lib/semmle/code/java/controlflow/Guards.qll
View File

@@ -5,9 +5,9 @@
import java
private import semmle.code.java.controlflow.Dominance
private import semmle.code.java.controlflow.internal.GuardsLogic
private import semmle.code.java.controlflow.internal.Preconditions
private import semmle.code.java.controlflow.internal.SwitchCases
private import codeql.controlflow.Guards as SharedGuards
/**
* A basic block that terminates in a condition, splitting the subsequent control flow.
@@ -137,68 +137,382 @@ private predicate isNonFallThroughPredecessor(SwitchCase sc, ControlFlowNode pre
)
}
/**
* A condition that can be evaluated to either true or false. This can either
* be an `Expr` of boolean type that isn't a boolean literal, or a case of a
* switch statement, or a method access that acts as a precondition check.
*
* Evaluating a switch case to true corresponds to taking that switch case, and
* evaluating it to false corresponds to taking some other branch.
*/
final class Guard extends ExprParent {
Guard() {
this.(Expr).getType() instanceof BooleanType and not this instanceof BooleanLiteral
or
this instanceof SwitchCase
or
conditionCheckArgument(this, _, _)
private module GuardsInput implements SharedGuards::InputSig<Location> {
private import java as J
private import semmle.code.java.dataflow.NullGuards as NullGuards
import SuccessorType
class ControlFlowNode = J::ControlFlowNode;
class BasicBlock = J::BasicBlock;
predicate dominatingEdge(BasicBlock bb1, BasicBlock bb2) { J::dominatingEdge(bb1, bb2) }
class AstNode = ExprParent;
class Expr = J::Expr;
private newtype TConstantValue =
TCharValue(string c) { any(CharacterLiteral lit).getValue() = c } or
TStringValue(string value) { any(CompileTimeConstantExpr c).getStringValue() = value } or
TEnumValue(EnumConstant c)
class ConstantValue extends TConstantValue {
string toString() {
this = TCharValue(result)
or
this = TStringValue(result)
or
exists(EnumConstant c | this = TEnumValue(c) and result = c.toString())
}
}
abstract class ConstantExpr extends Expr {
predicate isNull() { none() }
boolean asBooleanValue() { none() }
int asIntegerValue() { none() }
ConstantValue asConstantValue() { none() }
}
private class NullConstant extends ConstantExpr instanceof J::NullLiteral {
override predicate isNull() { any() }
}
private class BooleanConstant extends ConstantExpr instanceof J::BooleanLiteral {
override boolean asBooleanValue() { result = super.getBooleanValue() }
}
private class IntegerConstant extends ConstantExpr instanceof J::CompileTimeConstantExpr {
override int asIntegerValue() { result = super.getIntValue() }
}
private class CharConstant extends ConstantExpr instanceof J::CharacterLiteral {
override ConstantValue asConstantValue() { result = TCharValue(super.getValue()) }
}
private class StringConstant extends ConstantExpr instanceof J::CompileTimeConstantExpr {
override ConstantValue asConstantValue() { result = TStringValue(super.getStringValue()) }
}
private class EnumConstantExpr extends ConstantExpr instanceof J::VarAccess {
override ConstantValue asConstantValue() {
exists(EnumConstant c | this = c.getAnAccess() and result = TEnumValue(c))
}
}
class NonNullExpr extends Expr {
NonNullExpr() {
this = NullGuards::baseNotNullExpr()
or
exists(Field f |
this = f.getAnAccess() and
f.isFinal() and
f.getInitializer() = NullGuards::baseNotNullExpr()
)
}
}
class Case extends ExprParent instanceof J::SwitchCase {
Expr getSwitchExpr() { result = super.getSelectorExpr() }
predicate isDefaultCase() { this instanceof DefaultCase }
ConstantExpr asConstantCase() {
exists(ConstCase cc | this = cc |
cc.getValue() = result and
strictcount(cc.getValue(_)) = 1
)
}
private predicate hasPatternCaseMatchEdge(BasicBlock bb1, BasicBlock bb2, boolean isMatch) {
exists(ConditionNode patterncase |
this instanceof PatternCase and
patterncase = super.getControlFlowNode() and
bb1.getLastNode() = patterncase and
bb2.getFirstNode() = patterncase.getABranchSuccessor(isMatch)
)
}
predicate matchEdge(BasicBlock bb1, BasicBlock bb2) {
exists(ControlFlowNode pred |
// Pattern cases are handled as ConditionBlocks.
not this instanceof PatternCase and
bb2.getFirstNode() = super.getControlFlowNode() and
isNonFallThroughPredecessor(this, pred) and
bb1 = pred.getBasicBlock()
)
or
this.hasPatternCaseMatchEdge(bb1, bb2, true)
}
predicate nonMatchEdge(BasicBlock bb1, BasicBlock bb2) {
this.hasPatternCaseMatchEdge(bb1, bb2, false)
}
}
abstract private class BinExpr extends Expr {
Expr getAnOperand() {
result = this.(BinaryExpr).getAnOperand() or result = this.(AssignOp).getSource()
}
}
class AndExpr extends BinExpr {
AndExpr() {
this instanceof AndBitwiseExpr or
this instanceof AndLogicalExpr or
this instanceof AssignAndExpr
}
}
class OrExpr extends BinExpr {
OrExpr() {
this instanceof OrBitwiseExpr or
this instanceof OrLogicalExpr or
this instanceof AssignOrExpr
}
}
class NotExpr extends Expr instanceof J::LogNotExpr {
Expr getOperand() { result = this.(J::LogNotExpr).getExpr() }
}
class IdExpr extends Expr {
IdExpr() { this instanceof AssignExpr or this instanceof CastExpr }
Expr getEqualChildExpr() {
result = this.(AssignExpr).getSource()
or
result = this.(CastExpr).getExpr()
}
}
private predicate objectsEquals(Method equals) {
equals.hasQualifiedName("java.util", "Objects", "equals") and
equals.getNumberOfParameters() = 2
}
class EqualityTest extends Expr {
EqualityTest() {
this instanceof J::EqualityTest or
this.(MethodCall).getMethod() instanceof EqualsMethod or
objectsEquals(this.(MethodCall).getMethod())
}
Expr getAnOperand() {
result = this.(J::EqualityTest).getAnOperand()
or
result = this.(MethodCall).getAnArgument()
or
this.(MethodCall).getMethod() instanceof EqualsMethod and
result = this.(MethodCall).getQualifier()
}
boolean polarity() {
result = this.(J::EqualityTest).polarity()
or
result = true and not this instanceof J::EqualityTest
}
}
class ConditionalExpr extends Expr instanceof J::ConditionalExpr {
Expr getCondition() { result = super.getCondition() }
Expr getThen() { result = super.getTrueExpr() }
Expr getElse() { result = super.getFalseExpr() }
}
}
private module GuardsImpl = SharedGuards::Make<Location, GuardsInput>;
private module LogicInputCommon {
private import semmle.code.java.dataflow.NullGuards as NullGuards
predicate additionalNullCheck(
GuardsImpl::PreGuard guard, GuardValue val, GuardsInput::Expr e, boolean isNull
) {
guard.(InstanceOfExpr).getExpr() = e and val.asBooleanValue() = true and isNull = false
or
exists(MethodCall call |
call = guard and
call.getAnArgument() = e and
NullGuards::nullCheckMethod(call.getMethod(), val.asBooleanValue(), isNull)
)
}
}
private module LogicInput_v1 implements GuardsImpl::LogicInputSig {
private import semmle.code.java.dataflow.internal.BaseSSA
final private class FinalBaseSsaVariable = BaseSsaVariable;
class SsaDefinition extends FinalBaseSsaVariable {
GuardsInput::Expr getARead() { result = this.getAUse() }
}
class SsaWriteDefinition extends SsaDefinition instanceof BaseSsaUpdate {
GuardsInput::Expr getDefinition() {
super.getDefiningExpr().(VariableAssign).getSource() = result or
super.getDefiningExpr().(AssignOp) = result
}
}
class SsaPhiNode extends SsaDefinition instanceof BaseSsaPhiNode {
predicate hasInputFromBlock(SsaDefinition inp, BasicBlock bb) {
super.hasInputFromBlock(inp, bb)
}
}
predicate additionalNullCheck = LogicInputCommon::additionalNullCheck/4;
predicate additionalImpliesStep(
GuardsImpl::PreGuard g1, GuardValue v1, GuardsImpl::PreGuard g2, GuardValue v2
) {
exists(MethodCall check, int argIndex |
g1 = check and
v1.getDualValue().isThrowsException() and
conditionCheckArgument(check, argIndex, v2.asBooleanValue()) and
g2 = check.getArgument(argIndex)
)
}
}
private module LogicInput_v2 implements GuardsImpl::LogicInputSig {
private import semmle.code.java.dataflow.SSA as SSA
final private class FinalSsaVariable = SSA::SsaVariable;
class SsaDefinition extends FinalSsaVariable {
GuardsInput::Expr getARead() { result = this.getAUse() }
}
class SsaWriteDefinition extends SsaDefinition instanceof SSA::SsaExplicitUpdate {
GuardsInput::Expr getDefinition() {
super.getDefiningExpr().(VariableAssign).getSource() = result or
super.getDefiningExpr().(AssignOp) = result
}
}
class SsaPhiNode extends SsaDefinition instanceof SSA::SsaPhiNode {
predicate hasInputFromBlock(SsaDefinition inp, BasicBlock bb) {
super.hasInputFromBlock(inp, bb)
}
}
predicate additionalNullCheck = LogicInputCommon::additionalNullCheck/4;
predicate additionalImpliesStep(
GuardsImpl::PreGuard g1, GuardValue v1, GuardsImpl::PreGuard g2, GuardValue v2
) {
LogicInput_v1::additionalImpliesStep(g1, v1, g2, v2)
or
CustomGuard::additionalImpliesStep(g1, v1, g2, v2)
}
}
private module LogicInput_v3 implements GuardsImpl::LogicInputSig {
private import semmle.code.java.dataflow.IntegerGuards as IntegerGuards
import LogicInput_v2
predicate rangeGuard(GuardsImpl::PreGuard guard, GuardValue val, Expr e, int k, boolean upper) {
IntegerGuards::rangeGuard(guard, val.asBooleanValue(), e, k, upper)
}
predicate additionalNullCheck = LogicInputCommon::additionalNullCheck/4;
predicate additionalImpliesStep = LogicInput_v2::additionalImpliesStep/4;
}
private module CustomGuardInput implements Guards_v2::CustomGuardInputSig {
private import semmle.code.java.dataflow.SSA
private int parameterPosition() { result in [-1, any(Parameter p).getPosition()] }
/** A parameter position represented by an integer. */
class ParameterPosition extends int {
ParameterPosition() { this = parameterPosition() }
}
/** An argument position represented by an integer. */
class ArgumentPosition extends int {
ArgumentPosition() { this = parameterPosition() }
}
/** Holds if arguments at position `apos` match parameters at position `ppos`. */
pragma[inline]
predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
final private class FinalMethod = Method;
class BooleanMethod extends FinalMethod {
BooleanMethod() {
super.getReturnType().(PrimitiveType).hasName("boolean") and
not super.isOverridable()
}
LogicInput_v2::SsaDefinition getParameter(ParameterPosition ppos) {
exists(Parameter p |
super.getParameter(ppos) = p and
not p.isVarargs() and
result.(SsaImplicitInit).isParameterDefinition(p)
)
}
GuardsInput::Expr getAReturnExpr() {
exists(ReturnStmt ret |
this = ret.getEnclosingCallable() and
ret.getResult() = result
)
}
}
private predicate booleanMethodCall(MethodCall call, BooleanMethod m) {
call.getMethod().getSourceDeclaration() = m
}
class BooleanMethodCall extends GuardsInput::Expr instanceof MethodCall {
BooleanMethodCall() { booleanMethodCall(this, _) }
BooleanMethod getMethod() { booleanMethodCall(this, result) }
GuardsInput::Expr getArgument(ArgumentPosition apos) { result = super.getArgument(apos) }
}
}
class GuardValue = GuardsImpl::GuardValue;
private module CustomGuard = Guards_v2::CustomGuard<CustomGuardInput>;
/** INTERNAL: Don't use. */
module Guards_v1 = GuardsImpl::Logic<LogicInput_v1>;
/** INTERNAL: Don't use. */
module Guards_v2 = GuardsImpl::Logic<LogicInput_v2>;
/** INTERNAL: Don't use. */
module Guards_v3 = GuardsImpl::Logic<LogicInput_v3>;
/** INTERNAL: Don't use. */
predicate implies_v3(Guard g1, boolean b1, Guard g2, boolean b2) {
Guards_v3::boolImplies(g1, any(GuardValue v | v.asBooleanValue() = b1), g2,
any(GuardValue v | v.asBooleanValue() = b2))
}
/**
* A guard. This may be any expression whose value determines subsequent
* control flow. It may also be a switch case, which as a guard is considered
* to evaluate to either true or false depending on whether the case matches.
*/
final class Guard extends Guards_v3::Guard {
/** Gets the immediately enclosing callable whose body contains this guard. */
Callable getEnclosingCallable() {
result = this.(Expr).getEnclosingCallable() or
result = this.(SwitchCase).getEnclosingCallable()
}
/** Gets the statement containing this guard. */
Stmt getEnclosingStmt() {
result = this.(Expr).getEnclosingStmt() or
result = this.(SwitchCase).getSwitch() or
result = this.(SwitchCase).getSwitchExpr().getEnclosingStmt()
}
/**
* Gets the basic block containing this guard or the basic block that tests the
* applicability of this switch case -- for a pattern case this is the case statement
* itself; for a non-pattern case this is the most recent pattern case or the top of
* the switch block if there is none.
*/
BasicBlock getBasicBlock() {
// Not a switch case
result = this.(Expr).getBasicBlock()
or
// Return the closest pattern case statement before this one, including this one.
result = getClosestPrecedingPatternCase(this).getBasicBlock()
or
// Not a pattern case and no preceding pattern case -- return the top of the switch block.
not exists(getClosestPrecedingPatternCase(this)) and
result = this.(SwitchCase).getSelectorExpr().getBasicBlock()
}
/**
* Holds if this guard is an equality test between `e1` and `e2`. The test
* can be either `==`, `!=`, `.equals`, or a switch case. If the test is
* negated, that is `!=`, then `polarity` is false, otherwise `polarity` is
* true.
*/
predicate isEquality(Expr e1, Expr e2, boolean polarity) {
exists(Expr exp1, Expr exp2 | equalityGuard(this, exp1, exp2, polarity) |
e1 = exp1 and e2 = exp2
or
e2 = exp1 and e1 = exp2
)
}
/**
* Holds if this guard tests whether `testedExpr` has type `testedType`.
*
@@ -231,211 +545,14 @@ final class Guard extends ExprParent {
else restricted = false
)
}
/**
* Holds if the evaluation of this guard to `branch` corresponds to the edge
* from `bb1` to `bb2`.
*/
predicate hasBranchEdge(BasicBlock bb1, BasicBlock bb2, boolean branch) {
exists(ConditionBlock cb |
cb = bb1 and
cb.getCondition() = this and
bb2 = cb.getTestSuccessor(branch)
)
or
exists(SwitchCase sc, ControlFlowNode pred |
sc = this and
// Pattern cases are handled as ConditionBlocks above.
not sc instanceof PatternCase and
branch = true and
bb2.getFirstNode() = sc.getControlFlowNode() and
isNonFallThroughPredecessor(sc, pred) and
bb1 = pred.getBasicBlock()
)
or
preconditionBranchEdge(this, bb1, bb2, branch)
}
/**
* Holds if this guard evaluating to `branch` directly controls the block
* `controlled`. That is, the `true`- or `false`-successor of this guard (as
* given by `branch`) dominates `controlled`.
*/
predicate directlyControls(BasicBlock controlled, boolean branch) {
exists(ConditionBlock cb |
cb.getCondition() = this and
cb.controls(controlled, branch)
)
or
switchCaseControls(this, controlled) and branch = true
or
preconditionControls(this, controlled, branch)
}
/**
* Holds if this guard evaluating to `branch` controls the control-flow
* branch edge from `bb1` to `bb2`. That is, following the edge from
* `bb1` to `bb2` implies that this guard evaluated to `branch`.
*/
predicate controlsBranchEdge(BasicBlock bb1, BasicBlock bb2, boolean branch) {
guardControlsBranchEdge_v3(this, bb1, bb2, branch)
}
/**
* Holds if this guard evaluating to `branch` directly or indirectly controls
* the block `controlled`. That is, the evaluation of `controlled` is
* dominated by this guard evaluating to `branch`.
*/
predicate controls(BasicBlock controlled, boolean branch) {
guardControls_v3(this, controlled, branch)
}
}
private predicate switchCaseControls(SwitchCase sc, BasicBlock bb) {
exists(BasicBlock caseblock |
// Pattern cases are handled as condition blocks
not sc instanceof PatternCase and
caseblock.getFirstNode() = sc.getControlFlowNode() and
caseblock.dominates(bb) and
// Check we can't fall through from a previous block:
forall(ControlFlowNode pred | pred = sc.getControlFlowNode().getAPredecessor() |
isNonFallThroughPredecessor(sc, pred)
)
)
}
private predicate preconditionBranchEdge(
MethodCall ma, BasicBlock bb1, BasicBlock bb2, boolean branch
) {
conditionCheckArgument(ma, _, branch) and
bb1.getLastNode() = ma.getControlFlowNode() and
bb2.getFirstNode() = bb1.getLastNode().getANormalSuccessor()
}
private predicate preconditionControls(MethodCall ma, BasicBlock controlled, boolean branch) {
exists(BasicBlock check, BasicBlock succ |
preconditionBranchEdge(ma, check, succ, branch) and
dominatingEdge(check, succ) and
succ.dominates(controlled)
)
}
/**
* INTERNAL: Use `Guards.controls` instead.
* INTERNAL: Use `Guard.controls` instead.
*
* Holds if `guard.controls(controlled, branch)`, except this only relies on
* BaseSSA-based reasoning.
*/
predicate guardControls_v1(Guard guard, BasicBlock controlled, boolean branch) {
guard.directlyControls(controlled, branch)
or
exists(Guard g, boolean b |
guardControls_v1(g, controlled, b) and
implies_v1(g, b, guard, branch)
)
}
/**
* INTERNAL: Use `Guards.controls` instead.
*
* Holds if `guard.controls(controlled, branch)`, except this doesn't rely on
* RangeAnalysis.
*/
predicate guardControls_v2(Guard guard, BasicBlock controlled, boolean branch) {
guard.directlyControls(controlled, branch)
or
exists(Guard g, boolean b |
guardControls_v2(g, controlled, b) and
implies_v2(g, b, guard, branch)
)
}
pragma[nomagic]
private predicate guardControls_v3(Guard guard, BasicBlock controlled, boolean branch) {
guard.directlyControls(controlled, branch)
or
exists(Guard g, boolean b |
guardControls_v3(g, controlled, b) and
implies_v3(g, b, guard, branch)
)
}
pragma[nomagic]
private predicate guardControlsBranchEdge_v2(
Guard guard, BasicBlock bb1, BasicBlock bb2, boolean branch
) {
guard.hasBranchEdge(bb1, bb2, branch)
or
exists(Guard g, boolean b |
guardControlsBranchEdge_v2(g, bb1, bb2, b) and
implies_v2(g, b, guard, branch)
)
}
pragma[nomagic]
private predicate guardControlsBranchEdge_v3(
Guard guard, BasicBlock bb1, BasicBlock bb2, boolean branch
) {
guard.hasBranchEdge(bb1, bb2, branch)
or
exists(Guard g, boolean b |
guardControlsBranchEdge_v3(g, bb1, bb2, b) and
implies_v3(g, b, guard, branch)
)
}
/** INTERNAL: Use `Guard` instead. */
final class Guard_v2 extends Guard {
/**
* Holds if this guard evaluating to `branch` controls the control-flow
* branch edge from `bb1` to `bb2`. That is, following the edge from
* `bb1` to `bb2` implies that this guard evaluated to `branch`.
*/
predicate controlsBranchEdge(BasicBlock bb1, BasicBlock bb2, boolean branch) {
guardControlsBranchEdge_v2(this, bb1, bb2, branch)
}
/**
* Holds if this guard evaluating to `branch` directly or indirectly controls
* the block `controlled`. That is, the evaluation of `controlled` is
* dominated by this guard evaluating to `branch`.
*/
predicate controls(BasicBlock controlled, boolean branch) {
guardControls_v2(this, controlled, branch)
}
}
private predicate equalityGuard(Guard g, Expr e1, Expr e2, boolean polarity) {
exists(EqualityTest eqtest |
eqtest = g and
polarity = eqtest.polarity() and
eqtest.hasOperands(e1, e2)
)
or
exists(MethodCall ma |
ma = g and
ma.getMethod() instanceof EqualsMethod and
polarity = true and
ma.getAnArgument() = e1 and
ma.getQualifier() = e2
)
or
exists(MethodCall ma, Method equals |
ma = g and
ma.getMethod() = equals and
polarity = true and
equals.hasName("equals") and
equals.getNumberOfParameters() = 2 and
equals.getDeclaringType().hasQualifiedName("java.util", "Objects") and
ma.getArgument(0) = e1 and
ma.getArgument(1) = e2
)
or
exists(ConstCase cc |
cc = g and
polarity = true and
cc.getSelectorExpr() = e1 and
cc.getValue() = e2 and
strictcount(cc.getValue(_)) = 1
)
predicate guardControls_v1(Guards_v1::Guard guard, BasicBlock controlled, boolean branch) {
guard.controls(controlled, branch)
}

396
java/ql/lib/semmle/code/java/controlflow/internal/GuardsLogic.qll
View File

@@ -1,396 +0,0 @@
/**
* Provides predicates for working with the internal logic of the `Guards`
* library.
*/
import java
import semmle.code.java.controlflow.Guards
private import Preconditions
private import semmle.code.java.dataflow.SSA
private import semmle.code.java.dataflow.internal.BaseSSA
private import semmle.code.java.dataflow.NullGuards
private import semmle.code.java.dataflow.IntegerGuards
/**
* Holds if the assumption that `g1` has been evaluated to `b1` implies that
* `g2` has been evaluated to `b2`, that is, the evaluation of `g2` to `b2`
* dominates the evaluation of `g1` to `b1`.
*
* Restricted to BaseSSA-based reasoning.
*/
predicate implies_v1(Guard g1, boolean b1, Guard g2, boolean b2) {
g1.(AndBitwiseExpr).getAnOperand() = g2 and b1 = true and b2 = true
or
g1.(OrBitwiseExpr).getAnOperand() = g2 and b1 = false and b2 = false
or
g1.(AssignAndExpr).getSource() = g2 and b1 = true and b2 = true
or
g1.(AssignOrExpr).getSource() = g2 and b1 = false and b2 = false
or
g1.(AndLogicalExpr).getAnOperand() = g2 and b1 = true and b2 = true
or
g1.(OrLogicalExpr).getAnOperand() = g2 and b1 = false and b2 = false
or
g1.(LogNotExpr).getExpr() = g2 and
b1 = b2.booleanNot() and
b1 = [true, false]
or
exists(EqualityTest eqtest, boolean polarity, BooleanLiteral boollit |
eqtest = g1 and
eqtest.hasOperands(g2, boollit) and
eqtest.polarity() = polarity and
b1 = [true, false] and
b2 = b1.booleanXor(polarity).booleanXor(boollit.getBooleanValue())
)
or
exists(ConditionalExpr cond, boolean branch, BooleanLiteral boollit, boolean boolval |
cond.getBranchExpr(branch) = boollit and
cond = g1 and
boolval = boollit.getBooleanValue() and
b1 = boolval.booleanNot() and
(
g2 = cond.getCondition() and b2 = branch.booleanNot()
or
g2 = cond.getABranchExpr() and b2 = b1
)
)
or
g1.(DefaultCase).getSwitch().getAConstCase() = g2 and b1 = true and b2 = false
or
g1.(DefaultCase).getSwitchExpr().getAConstCase() = g2 and b1 = true and b2 = false
or
exists(MethodCall check, int argIndex | check = g1 |
conditionCheckArgument(check, argIndex, _) and
g2 = check.getArgument(argIndex) and
b1 = [true, false] and
b2 = b1
)
or
exists(BaseSsaUpdate vbool |
vbool.getDefiningExpr().(VariableAssign).getSource() = g2 or
vbool.getDefiningExpr().(AssignOp) = g2
|
vbool.getAUse() = g1 and
b1 = [true, false] and
b2 = b1
)
or
g1.(AssignExpr).getSource() = g2 and b2 = b1 and b1 = [true, false]
}
/**
* Holds if the assumption that `g1` has been evaluated to `b1` implies that
* `g2` has been evaluated to `b2`, that is, the evaluation of `g2` to `b2`
* dominates the evaluation of `g1` to `b1`.
*
* Allows full use of SSA but is restricted to pre-RangeAnalysis reasoning.
*/
predicate implies_v2(Guard g1, boolean b1, Guard g2, boolean b2) {
implies_v1(g1, b1, g2, b2)
or
exists(SsaExplicitUpdate vbool |
vbool.getDefiningExpr().(VariableAssign).getSource() = g2 or
vbool.getDefiningExpr().(AssignOp) = g2
|
vbool.getAUse() = g1 and
b1 = [true, false] and
b2 = b1
)
or
exists(SsaVariable v, AbstractValue k |
// If `v = g2 ? k : ...` or `v = g2 ? ... : k` then a guard
// proving `v != k` ensures that `g2` evaluates to `b2`.
conditionalAssignVal(v, g2, b2.booleanNot(), k) and
guardImpliesNotEqual1(g1, b1, v, k)
)
or
exists(SsaVariable v, Expr e, AbstractValue k |
// If `v = g2 ? k : ...` and all other assignments to `v` are different from
// `k` then a guard proving `v == k` ensures that `g2` evaluates to `b2`.
uniqueValue(v, e, k) and
guardImpliesEqual(g1, b1, v, k) and
g2.directlyControls(e.getBasicBlock(), b2) and
not g2.directlyControls(g1.getBasicBlock(), b2)
)
}
/**
* Holds if the assumption that `g1` has been evaluated to `b1` implies that
* `g2` has been evaluated to `b2`, that is, the evaluation of `g2` to `b2`
* dominates the evaluation of `g1` to `b1`.
*/
cached
predicate implies_v3(Guard g1, boolean b1, Guard g2, boolean b2) {
implies_v2(g1, b1, g2, b2)
or
exists(SsaVariable v, AbstractValue k |
// If `v = g2 ? k : ...` or `v = g2 ? ... : k` then a guard
// proving `v != k` ensures that `g2` evaluates to `b2`.
conditionalAssignVal(v, g2, b2.booleanNot(), k) and
guardImpliesNotEqual2(g1, b1, v, k)
)
or
exists(SsaVariable v |
conditionalAssign(v, g2, b2.booleanNot(), clearlyNotNullExpr()) and
guardImpliesEqual(g1, b1, v, TAbsValNull())
)
}
private newtype TAbstractValue =
TAbsValNull() or
TAbsValInt(int i) { exists(CompileTimeConstantExpr c | c.getIntValue() = i) } or
TAbsValChar(string c) { exists(CharacterLiteral lit | lit.getValue() = c) } or
TAbsValString(string s) { exists(StringLiteral lit | lit.getValue() = s) } or
TAbsValEnum(EnumConstant c)
/** The value of a constant expression. */
abstract private class AbstractValue extends TAbstractValue {
abstract string toString();
/** Gets an expression whose value is this abstract value. */
abstract Expr getExpr();
}
private class AbsValNull extends AbstractValue, TAbsValNull {
override string toString() { result = "null" }
override Expr getExpr() { result = alwaysNullExpr() }
}
private class AbsValInt extends AbstractValue, TAbsValInt {
int i;
AbsValInt() { this = TAbsValInt(i) }
override string toString() { result = i.toString() }
override Expr getExpr() { result.(CompileTimeConstantExpr).getIntValue() = i }
}
private class AbsValChar extends AbstractValue, TAbsValChar {
string c;
AbsValChar() { this = TAbsValChar(c) }
override string toString() { result = c }
override Expr getExpr() { result.(CharacterLiteral).getValue() = c }
}
private class AbsValString extends AbstractValue, TAbsValString {
string s;
AbsValString() { this = TAbsValString(s) }
override string toString() { result = s }
override Expr getExpr() { result.(CompileTimeConstantExpr).getStringValue() = s }
}
private class AbsValEnum extends AbstractValue, TAbsValEnum {
EnumConstant c;
AbsValEnum() { this = TAbsValEnum(c) }
override string toString() { result = c.toString() }
override Expr getExpr() { result = c.getAnAccess() }
}
/**
* Holds if `v` can have a value that is not representable as an `AbstractValue`.
*/
private predicate hasPossibleUnknownValue(SsaVariable v) {
exists(SsaVariable def | v.getAnUltimateDefinition() = def |
def instanceof SsaImplicitUpdate
or
def instanceof SsaImplicitInit
or
exists(VariableUpdate upd | upd = def.(SsaExplicitUpdate).getDefiningExpr() |
not exists(upd.(VariableAssign).getSource())
)
or
exists(VariableAssign a, Expr e |
a = def.(SsaExplicitUpdate).getDefiningExpr() and
e = possibleValue(a.getSource()) and
not exists(AbstractValue val | val.getExpr() = e)
)
)
}
/**
* Gets a sub-expression of `e` whose value can flow to `e` through
* `ConditionalExpr`s.
*/
private Expr possibleValue(Expr e) {
result = possibleValue(e.(ConditionalExpr).getABranchExpr())
or
result = e and not e instanceof ConditionalExpr
}
/**
* Gets an ultimate definition of `v` that is not itself a phi node. The
* boolean `fromBackEdge` indicates whether the flow from `result` to `v` goes
* through a back edge.
*/
SsaVariable getADefinition(SsaVariable v, boolean fromBackEdge) {
result = v and not v instanceof SsaPhiNode and fromBackEdge = false
or
exists(SsaVariable inp, BasicBlock bb, boolean fbe |
v.(SsaPhiNode).hasInputFromBlock(inp, bb) and
result = getADefinition(inp, fbe) and
(if v.getBasicBlock().dominates(bb) then fromBackEdge = true else fromBackEdge = fbe)
)
}
/**
* Holds if `e` equals `k` and may be assigned to `v`. The boolean
* `fromBackEdge` indicates whether the flow from `e` to `v` goes through a
* back edge.
*/
private predicate possibleValue(SsaVariable v, boolean fromBackEdge, Expr e, AbstractValue k) {
not hasPossibleUnknownValue(v) and
exists(SsaExplicitUpdate def |
def = getADefinition(v, fromBackEdge) and
e = possibleValue(def.getDefiningExpr().(VariableAssign).getSource()) and
k.getExpr() = e
)
}
/**
* Holds if `e` equals `k` and may be assigned to `v` without going through
* back edges, and all other possible ultimate definitions of `v` are different
* from `k`. The trivial case where `v` is an `SsaExplicitUpdate` with `e` as
* the only possible value is excluded.
*/
private predicate uniqueValue(SsaVariable v, Expr e, AbstractValue k) {
possibleValue(v, false, e, k) and
forex(Expr other, AbstractValue otherval | possibleValue(v, _, other, otherval) and other != e |
otherval != k
)
}
/**
* Holds if `v1` and `v2` have the same value in `bb`.
*/
private predicate equalVarsInBlock(BasicBlock bb, SsaVariable v1, SsaVariable v2) {
exists(Guard guard, boolean branch |
guard.isEquality(v1.getAUse(), v2.getAUse(), branch) and
guardControls_v1(guard, bb, branch)
)
}
/**
* Holds if `guard` evaluating to `branch` implies that `v` equals `k`.
*/
private predicate guardImpliesEqual(Guard guard, boolean branch, SsaVariable v, AbstractValue k) {
exists(SsaVariable v0 |
guard.isEquality(v0.getAUse(), k.getExpr(), branch) and
(v = v0 or equalVarsInBlock(guard.getBasicBlock(), v0, v))
)
}
private BasicBlock getAGuardBranchSuccessor(Guard g, boolean branch) {
result.getFirstNode() = g.(Expr).getControlFlowNode().(ConditionNode).getABranchSuccessor(branch)
or
result.getFirstNode() = g.(SwitchCase).getControlFlowNode() and branch = true
}
/**
* Holds if `guard` dominates `phi` and `guard` evaluating to `branch` controls the definition
* `upd = e` where `upd` is a possible input to `phi`.
*/
private predicate guardControlsPhiBranch(
SsaExplicitUpdate upd, SsaPhiNode phi, Guard guard, boolean branch, Expr e
) {
guard.directlyControls(upd.getBasicBlock(), branch) and
upd.getDefiningExpr().(VariableAssign).getSource() = e and
upd = phi.getAPhiInput() and
guard.getBasicBlock().strictlyDominates(phi.getBasicBlock())
}
/**
* Holds if `v` is conditionally assigned `e` under the condition that `guard` evaluates to `branch`.
*
* The evaluation of `guard` dominates the definition of `v` and `guard` evaluating to `branch`
* implies that `e` is assigned to `v`. In particular, this allows us to conclude that if `v` has
* a value different from `e` then `guard` must have evaluated to `branch.booleanNot()`.
*/
private predicate conditionalAssign(SsaVariable v, Guard guard, boolean branch, Expr e) {
exists(ConditionalExpr c |
v.(SsaExplicitUpdate).getDefiningExpr().(VariableAssign).getSource() = c and
guard = c.getCondition()
|
e = c.getBranchExpr(branch)
)
or
exists(SsaExplicitUpdate upd, SsaPhiNode phi |
phi = v and
guardControlsPhiBranch(upd, phi, guard, branch, e) and
not guard.directlyControls(phi.getBasicBlock(), branch) and
forall(SsaVariable other | other != upd and other = phi.getAPhiInput() |
guard.directlyControls(other.getBasicBlock(), branch.booleanNot())
or
other.getBasicBlock().dominates(guard.getBasicBlock()) and
not other.isLiveAtEndOfBlock(getAGuardBranchSuccessor(guard, branch))
)
)
}
/**
* Holds if `v` is conditionally assigned `val` under the condition that `guard` evaluates to `branch`.
*/
private predicate conditionalAssignVal(SsaVariable v, Guard guard, boolean branch, AbstractValue val) {
conditionalAssign(v, guard, branch, val.getExpr())
}
private predicate relevantEq(SsaVariable v, AbstractValue val) {
conditionalAssignVal(v, _, _, val)
or
exists(SsaVariable v0 |
conditionalAssignVal(v0, _, _, val) and
equalVarsInBlock(_, v0, v)
)
}
/**
* Holds if the evaluation of `guard` to `branch` implies that `v` does not have the value `val`.
*/
private predicate guardImpliesNotEqual1(
Guard guard, boolean branch, SsaVariable v, AbstractValue val
) {
exists(SsaVariable v0 |
relevantEq(v0, val) and
(
guard.isEquality(v0.getAUse(), val.getExpr(), branch.booleanNot())
or
exists(AbstractValue val2 |
guard.isEquality(v0.getAUse(), val2.getExpr(), branch) and
val != val2
)
or
guard.(InstanceOfExpr).getExpr() = sameValue(v0, _) and branch = true and val = TAbsValNull()
) and
(v = v0 or equalVarsInBlock(guard.getBasicBlock(), v0, v))
)
}
/**
* Holds if the evaluation of `guard` to `branch` implies that `v` does not have the value `val`.
*/
private predicate guardImpliesNotEqual2(
Guard guard, boolean branch, SsaVariable v, AbstractValue val
) {
exists(SsaVariable v0 |
relevantEq(v0, val) and
(
guard = directNullGuard(v0, branch, false) and val = TAbsValNull()
or
exists(int k |
guard = integerGuard(v0.getAUse(), branch, k, false) and
val = TAbsValInt(k)
)
) and
(v = v0 or equalVarsInBlock(guard.getBasicBlock(), v0, v))
)
}

2
java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll
View File

@@ -160,7 +160,7 @@ private class NumberTaintPreservingCallable extends TaintPreservingCallable {
int argument;
NumberTaintPreservingCallable() {
this.getDeclaringType().getAnAncestor().hasQualifiedName("java.lang", "Number") and
this.getDeclaringType().getASourceSupertype*().hasQualifiedName("java.lang", "Number") and
(
this instanceof Constructor and
argument = 0

121
java/ql/lib/semmle/code/java/dataflow/IntegerGuards.qll
View File

@@ -32,6 +32,58 @@ class IntComparableExpr extends Expr {
}
}
/**
* Holds if `comp` evaluating to `branch` ensures that `e1` is less than `e2`.
* When `strict` is true, `e1` is strictly less than `e2`, otherwise it is less
* than or equal to `e2`.
*/
private predicate comparison(ComparisonExpr comp, boolean branch, Expr e1, Expr e2, boolean strict) {
branch = true and
e1 = comp.getLesserOperand() and
e2 = comp.getGreaterOperand() and
(if comp.isStrict() then strict = true else strict = false)
or
branch = false and
e1 = comp.getGreaterOperand() and
e2 = comp.getLesserOperand() and
(if comp.isStrict() then strict = false else strict = true)
}
/**
* Holds if `guard` evaluating to `branch` ensures that:
* `e <= k` when `upper = true`
* `e >= k` when `upper = false`
*/
pragma[nomagic]
predicate rangeGuard(Expr guard, boolean branch, Expr e, int k, boolean upper) {
exists(EqualityTest eqtest, Expr c |
eqtest = guard and
eqtest.hasOperands(e, c) and
bounded(c, any(ZeroBound zb), k, upper, _) and
branch = eqtest.polarity()
)
or
exists(Expr c, int val, boolean strict, int d |
bounded(c, any(ZeroBound zb), val, upper, _) and
(
upper = true and
comparison(guard, branch, e, c, strict) and
d = -1
or
upper = false and
comparison(guard, branch, c, e, strict) and
d = 1
) and
(
strict = false and k = val
or
// e < c <= val ==> e <= c - 1 <= val - 1
// e > c >= val ==> e >= c + 1 >= val + 1
strict = true and k = val + d
)
)
}
/**
* An expression that directly tests whether a given expression is equal to `k` or not.
* The set of `k`s is restricted to those that are relevant for the expression or
@@ -53,75 +105,14 @@ Expr integerGuard(IntComparableExpr e, boolean branch, int k, boolean is_k) {
)
)
or
exists(EqualityTest eqtest, int val, Expr c, boolean upper |
exists(int val, boolean upper |
rangeGuard(result, branch, e, val, upper) and
k = e.relevantInt() and
eqtest = result and
eqtest.hasOperands(e, c) and
bounded(c, any(ZeroBound zb), val, upper, _) and
is_k = false and
(
upper = true and val < k
or
upper = false and val > k
) and
branch = eqtest.polarity()
)
or
exists(ComparisonExpr comp, Expr c, int val, boolean upper |
k = e.relevantInt() and
comp = result and
comp.hasOperands(e, c) and
bounded(c, any(ZeroBound zb), val, upper, _) and
is_k = false
|
// k <= val <= c < e, so e != k
comp.getLesserOperand() = c and
comp.isStrict() and
branch = true and
val >= k and
upper = false
upper = true and val < k // e <= val < k ==> e != k
or
comp.getLesserOperand() = c and
comp.isStrict() and
branch = false and
val < k and
upper = true
or
comp.getLesserOperand() = c and
not comp.isStrict() and
branch = true and
val > k and
upper = false
or
comp.getLesserOperand() = c and
not comp.isStrict() and
branch = false and
val <= k and
upper = true
or
comp.getGreaterOperand() = c and
comp.isStrict() and
branch = true and
val <= k and
upper = true
or
comp.getGreaterOperand() = c and
comp.isStrict() and
branch = false and
val > k and
upper = false
or
comp.getGreaterOperand() = c and
not comp.isStrict() and
branch = true and
val < k and
upper = true
or
comp.getGreaterOperand() = c and
not comp.isStrict() and
branch = false and
val >= k and
upper = false
upper = false and val > k // e >= val > k ==> e != k
)
}

177
java/ql/lib/semmle/code/java/dataflow/NullGuards.qll
View File

@@ -4,7 +4,7 @@
import java
import SSA
private import semmle.code.java.controlflow.internal.GuardsLogic
private import semmle.code.java.controlflow.Guards
private import semmle.code.java.frameworks.apache.Collections
private import IntegerGuards
@@ -41,34 +41,45 @@ EqualityTest varEqualityTestExpr(SsaVariable v1, SsaVariable v2, boolean isEqual
}
/** Gets an expression that is provably not `null`. */
Expr clearlyNotNullExpr(Expr reason) {
result instanceof ClassInstanceExpr and reason = result
Expr baseNotNullExpr() {
result instanceof ClassInstanceExpr
or
result instanceof ArrayCreationExpr and reason = result
result instanceof ArrayCreationExpr
or
result instanceof TypeLiteral and reason = result
result instanceof TypeLiteral
or
result instanceof ThisAccess and reason = result
result instanceof ThisAccess
or
result instanceof StringLiteral and reason = result
result instanceof StringLiteral
or
result instanceof AddExpr and result.getType() instanceof TypeString and reason = result
result instanceof AddExpr and result.getType() instanceof TypeString
or
exists(Field f |
result = f.getAnAccess() and
(f.hasName("TRUE") or f.hasName("FALSE")) and
f.getDeclaringType().hasQualifiedName("java.lang", "Boolean") and
reason = result
f.getDeclaringType().hasQualifiedName("java.lang", "Boolean")
)
or
result = any(EnumConstant c).getAnAccess()
or
result instanceof ImplicitNotNullExpr
or
result instanceof ImplicitCoercionToUnitExpr
or
result
.(MethodCall)
.getMethod()
.hasQualifiedName("com.google.common.base", "Strings", "nullToEmpty")
}
/** Gets an expression that is provably not `null`. */
Expr clearlyNotNullExpr(Expr reason) {
result = baseNotNullExpr() and reason = result
or
result.(CastExpr).getExpr() = clearlyNotNullExpr(reason)
or
result.(ImplicitCastExpr).getExpr() = clearlyNotNullExpr(reason)
or
result instanceof ImplicitNotNullExpr and reason = result
or
result instanceof ImplicitCoercionToUnitExpr and reason = result
or
result.(AssignExpr).getSource() = clearlyNotNullExpr(reason)
or
exists(ConditionalExpr c, Expr r1, Expr r2 |
@@ -83,14 +94,14 @@ Expr clearlyNotNullExpr(Expr reason) {
guard.controls(rval.getBasicBlock(), branch) and
reason = guard and
rval = v.getAUse() and
result = rval
result = rval and
not result = baseNotNullExpr()
)
or
exists(SsaVariable v | clearlyNotNull(v, reason) and result = v.getAUse())
or
exists(Method m | m = result.(MethodCall).getMethod() and reason = result |
m.getDeclaringType().hasQualifiedName("com.google.common.base", "Strings") and
m.hasName("nullToEmpty")
exists(SsaVariable v |
clearlyNotNull(v, reason) and
result = v.getAUse() and
not result = baseNotNullExpr()
)
}
@@ -173,50 +184,19 @@ predicate nullCheckMethod(Method m, boolean branch, boolean isnull) {
* is true, and non-null if `isnull` is false.
*/
Expr basicNullGuard(Expr e, boolean branch, boolean isnull) {
exists(EqualityTest eqtest, boolean polarity |
eqtest = result and
eqtest.hasOperands(e, any(NullLiteral n)) and
polarity = eqtest.polarity() and
(
branch = true and isnull = polarity
or
branch = false and isnull = polarity.booleanNot()
)
)
or
result.(InstanceOfExpr).getExpr() = e and branch = true and isnull = false
or
exists(MethodCall call |
call = result and
call.getAnArgument() = e and
nullCheckMethod(call.getMethod(), branch, isnull)
)
or
exists(EqualityTest eqtest |
eqtest = result and
eqtest.hasOperands(e, clearlyNotNullExpr()) and
isnull = false and
branch = eqtest.polarity()
)
or
result = enumConstEquality(e, branch, _) and isnull = false
Guards_v3::nullGuard(result, any(GuardValue v | v.asBooleanValue() = branch), e, isnull)
}
/**
* DEPRECATED: Use `basicNullGuard` instead.
*
* Gets an expression that directly tests whether a given expression, `e`, is null or not.
*
* If `result` evaluates to `branch`, then `e` is guaranteed to be null if `isnull`
* is true, and non-null if `isnull` is false.
*/
Expr basicOrCustomNullGuard(Expr e, boolean branch, boolean isnull) {
deprecated Expr basicOrCustomNullGuard(Expr e, boolean branch, boolean isnull) {
result = basicNullGuard(e, branch, isnull)
or
exists(MethodCall call, Method m, int ix |
call = result and
call.getArgument(ix) = e and
call.getMethod().getSourceDeclaration() = m and
m = customNullGuard(ix, branch, isnull)
)
}
/**
@@ -226,80 +206,61 @@ Expr basicOrCustomNullGuard(Expr e, boolean branch, boolean isnull) {
* is true, and non-null if `isnull` is false.
*/
Expr directNullGuard(SsaVariable v, boolean branch, boolean isnull) {
result = basicOrCustomNullGuard(sameValue(v, _), branch, isnull)
result = basicNullGuard(sameValue(v, _), branch, isnull)
}
/**
* DEPRECATED: Use `nullGuardControls`/`nullGuardControlsBranchEdge` instead.
*
* Gets a `Guard` that tests (possibly indirectly) whether a given SSA variable is null or not.
*
* If `result` evaluates to `branch`, then `v` is guaranteed to be null if `isnull`
* is true, and non-null if `isnull` is false.
*/
Guard nullGuard(SsaVariable v, boolean branch, boolean isnull) {
result = directNullGuard(v, branch, isnull) or
exists(boolean branch0 | implies_v3(result, branch, nullGuard(v, branch0, isnull), branch0))
deprecated Guard nullGuard(SsaVariable v, boolean branch, boolean isnull) {
result = directNullGuard(v, branch, isnull)
}
/**
* A return statement in a non-overridable method that on a return value of
* `retval` allows the conclusion that the parameter `p` either is null or
* non-null as specified by `isnull`.
* Holds if there exists a null check on `v`, such that taking the branch edge
* from `bb1` to `bb2` implies that `v` is guaranteed to be null if `isnull` is
* true, and non-null if `isnull` is false.
*/
private predicate validReturnInCustomNullGuard(
ReturnStmt ret, Parameter p, boolean retval, boolean isnull
) {
exists(Method m |
ret.getEnclosingCallable() = m and
p.getCallable() = m and
m.getReturnType().(PrimitiveType).hasName("boolean") and
not p.isVarargs() and
p.getType() instanceof RefType and
not m.isOverridable()
) and
exists(SsaImplicitInit ssa | ssa.isParameterDefinition(p) |
nullGuardedReturn(ret, ssa, isnull) and
(retval = true or retval = false)
or
exists(Expr res | res = ret.getResult() | res = nullGuard(ssa, retval, isnull))
predicate nullGuardControlsBranchEdge(SsaVariable v, boolean isnull, BasicBlock bb1, BasicBlock bb2) {
exists(GuardValue gv |
Guards_v3::ssaControlsBranchEdge(v, bb1, bb2, gv) and
gv.isNullness(isnull)
)
}
private predicate nullGuardedReturn(ReturnStmt ret, SsaImplicitInit ssa, boolean isnull) {
exists(boolean branch |
nullGuard(ssa, branch, isnull).directlyControls(ret.getBasicBlock(), branch)
)
}
pragma[nomagic]
private Method returnStmtGetEnclosingCallable(ReturnStmt ret) {
ret.getEnclosingCallable() = result
}
/**
* Gets a non-overridable method with a boolean return value that performs a null-check
* on the `index`th parameter. A return value equal to `retval` allows us to conclude
* that the argument either is null or non-null as specified by `isnull`.
* Holds if there exists a null check on `v` that controls `bb`, such that in
* `bb` `v` is guaranteed to be null if `isnull` is true, and non-null if
* `isnull` is false.
*/
private Method customNullGuard(int index, boolean retval, boolean isnull) {
exists(Parameter p |
p.getCallable() = result and
p.getPosition() = index and
forex(ReturnStmt ret |
returnStmtGetEnclosingCallable(ret) = result and
exists(Expr res | res = ret.getResult() |
not res.(BooleanLiteral).getBooleanValue() = retval.booleanNot()
)
|
validReturnInCustomNullGuard(ret, p, retval, isnull)
)
predicate nullGuardControls(SsaVariable v, boolean isnull, BasicBlock bb) {
exists(GuardValue gv |
Guards_v3::ssaControls(v, bb, gv) and
gv.isNullness(isnull)
)
}
/**
* `guard` is a guard expression that suggests that `v` might be null.
*
* This is equivalent to `guard = basicNullGuard(sameValue(v, _), _, true)`.
* Holds if `guard` is a guard expression that suggests that `e` might be null.
*/
predicate guardSuggestsExprMaybeNull(Expr guard, Expr e) {
guard.(EqualityTest).hasOperands(e, any(NullLiteral n))
or
exists(MethodCall call |
call = guard and
call.getAnArgument() = e and
nullCheckMethod(call.getMethod(), _, true)
)
}
/**
* Holds if `guard` is a guard expression that suggests that `v` might be null.
*/
predicate guardSuggestsVarMaybeNull(Expr guard, SsaVariable v) {
guard = basicNullGuard(sameValue(v, _), _, true)
guardSuggestsExprMaybeNull(guard, sameValue(v, _))
}

27
java/ql/lib/semmle/code/java/dataflow/Nullness.qll
View File

@@ -141,9 +141,9 @@ private ControlFlowNode varDereference(SsaVariable v, VarAccess va) {
private ControlFlowNode ensureNotNull(SsaVariable v) {
result = varDereference(v, _)
or
exists(AssertTrueMethod m | result.asCall() = m.getACheck(nullGuard(v, true, false)))
exists(AssertTrueMethod m | result.asCall() = m.getACheck(directNullGuard(v, true, false)))
or
exists(AssertFalseMethod m | result.asCall() = m.getACheck(nullGuard(v, false, false)))
exists(AssertFalseMethod m | result.asCall() = m.getACheck(directNullGuard(v, false, false)))
or
exists(AssertNotNullMethod m | result.asCall() = m.getACheck(v.getAUse()))
or
@@ -339,7 +339,7 @@ private predicate nullVarStep(
not assertFail(mid, _) and
bb = mid.getASuccessor() and
not impossibleEdge(mid, bb) and
not exists(boolean branch | nullGuard(midssa, branch, false).hasBranchEdge(mid, bb, branch)) and
not nullGuardControlsBranchEdge(midssa, false, mid, bb) and
not (leavingFinally(mid, bb, true) and midstoredcompletion = true) and
if bb.getFirstNode().asStmt() = any(TryStmt try | | try.getFinally())
then
@@ -476,6 +476,11 @@ private ConditionBlock ssaEnumConstEquality(SsaVariable v, boolean polarity, Enu
result.getCondition() = enumConstEquality(v.getAUse(), polarity, c)
}
private predicate conditionChecksNull(ConditionBlock cond, SsaVariable v, boolean branchIsNull) {
nullGuardControlsBranchEdge(v, true, cond, cond.getTestSuccessor(branchIsNull)) and
nullGuardControlsBranchEdge(v, false, cond, cond.getTestSuccessor(branchIsNull.booleanNot()))
}
/** A pair of correlated conditions for a given NPE candidate. */
private predicate correlatedConditions(
SsaSourceVariable npecand, ConditionBlock cond1, ConditionBlock cond2, boolean inverted
@@ -491,10 +496,8 @@ private predicate correlatedConditions(
)
or
exists(SsaVariable v, boolean branch1, boolean branch2 |
cond1.getCondition() = nullGuard(v, branch1, true) and
cond1.getCondition() = nullGuard(v, branch1.booleanNot(), false) and
cond2.getCondition() = nullGuard(v, branch2, true) and
cond2.getCondition() = nullGuard(v, branch2.booleanNot(), false) and
conditionChecksNull(cond1, v, branch1) and
conditionChecksNull(cond2, v, branch2) and
inverted = branch1.booleanXor(branch2)
)
or
@@ -620,7 +623,7 @@ private Expr trackingVarGuard(
SsaVariable trackssa, SsaSourceVariable trackvar, TrackVarKind kind, boolean branch, boolean isA
) {
exists(Expr init | trackingVar(_, trackssa, trackvar, kind, init) |
result = basicOrCustomNullGuard(trackvar.getAnAccess(), branch, isA) and
result = basicNullGuard(trackvar.getAnAccess(), branch, isA) and
kind = TrackVarKindNull()
or
result = trackvar.getAnAccess() and
@@ -831,15 +834,13 @@ predicate alwaysNullDeref(SsaSourceVariable v, VarAccess va) {
def.(SsaExplicitUpdate).getDefiningExpr().(VariableAssign).getSource() = alwaysNullExpr()
)
or
exists(boolean branch |
nullGuard(ssa, branch, true).directlyControls(bb, branch) and
not clearlyNotNull(ssa)
)
nullGuardControls(ssa, true, bb) and
not clearlyNotNull(ssa)
|
// Exclude fields as they might not have an accurate ssa representation.
not v.getVariable() instanceof Field and
firstVarDereferenceInBlock(bb, ssa, va) and
ssa.getSourceVariable() = v and
not exists(boolean branch | nullGuard(ssa, branch, false).directlyControls(bb, branch))
not nullGuardControls(ssa, false, bb)
)
}

5
java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll
View File

@@ -66,7 +66,6 @@
import java
private import SSA
private import RangeUtils
private import semmle.code.java.controlflow.internal.GuardsLogic
private import semmle.code.java.security.RandomDataSource
private import SignAnalysis
private import semmle.code.java.Reflection
@@ -79,7 +78,7 @@ module Sem implements Semantic<Location> {
private import java as J
private import SSA as SSA
private import RangeUtils as RU
private import semmle.code.java.controlflow.internal.GuardsLogic as GL
private import semmle.code.java.controlflow.Guards as G
class Expr = J::Expr;
@@ -219,7 +218,7 @@ module Sem implements Semantic<Location> {
int getBlockId1(BasicBlock bb) { idOf(bb, result) }
class Guard extends GL::Guard_v2 {
class Guard extends G::Guards_v2::Guard {
Expr asExpr() { result = this }
}

2
java/ql/lib/semmle/code/java/dataflow/RangeUtils.qll
View File

@@ -4,7 +4,7 @@
import java
private import SSA
private import semmle.code.java.controlflow.internal.GuardsLogic
private import semmle.code.java.controlflow.Guards
private import semmle.code.java.Constants
private import semmle.code.java.dataflow.RangeAnalysis
private import codeql.rangeanalysis.internal.RangeUtils

7
java/ql/lib/semmle/code/java/dataflow/internal/BaseSSA.qll
View File

@@ -372,5 +372,10 @@ class BaseSsaImplicitInit extends BaseSsaVariable instanceof Impl::WriteDefiniti
/** An SSA phi node. */
class BaseSsaPhiNode extends BaseSsaVariable instanceof Impl::PhiNode {
/** Gets an input to the phi node defining the SSA variable. */
BaseSsaVariable getAPhiInput() { phiHasInputFromBlock(this, result, _) }
BaseSsaVariable getAPhiInput() { this.hasInputFromBlock(result, _) }
/** Holds if `inp` is an input to the phi node along the edge originating in `bb`. */
predicate hasInputFromBlock(BaseSsaVariable inp, BasicBlock bb) {
phiHasInputFromBlock(this, inp, bb)
}
}

2
java/ql/lib/semmle/code/java/dataflow/internal/DataFlowNodes.qll
View File

@@ -60,8 +60,6 @@ module SsaFlow {
cached
private module Cached {
private import semmle.code.java.controlflow.internal.GuardsLogic as GuardsLogic
cached
newtype TNode =
TExprNode(Expr e) {

2
java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/ModulusAnalysisSpecific.qll
View File

@@ -14,7 +14,7 @@ module Private {
class Expr = J::Expr;
class Guard = G::Guard_v2;
class Guard = G::Guards_v2::Guard;
class ConstantIntegerExpr = RU::ConstantIntegerExpr;

2
java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll
View File

@@ -12,7 +12,7 @@ module Private {
class ConstantIntegerExpr = RU::ConstantIntegerExpr;
class Guard = G::Guard_v2;
class Guard = G::Guards_v2::Guard;
class SsaVariable = Ssa::SsaVariable;

2
java/ql/lib/semmle/code/java/frameworks/struts/StrutsActions.qll
View File

@@ -130,7 +130,7 @@ class Struts2PrepareMethod extends Method {
*/
class Struts2ActionSupportClass extends Class {
Struts2ActionSupportClass() {
this.getAStrictAncestor().hasQualifiedName("com.opensymphony.xwork2", "ActionSupport")
this.getASourceSupertype+().hasQualifiedName("com.opensymphony.xwork2", "ActionSupport")
}
/**

1
java/ql/lib/semmle/code/java/security/ArithmeticCommon.qll
View File

@@ -7,7 +7,6 @@ private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.RangeAnalysis
private import semmle.code.java.dataflow.RangeUtils
private import semmle.code.java.dataflow.SignAnalysis
private import semmle.code.java.controlflow.internal.GuardsLogic
/**
* Holds if the type of `exp` is narrower than or equal to `numType`,

4
java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
View File

@@ -323,6 +323,10 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
predicate isBarrier(DataFlow::Node node) { isUnsafeDeserializationSanitizer(node) }
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSinkLocation(DataFlow::Node sink) {
result = sink.(UnsafeDeserializationSink).getMethodCall().getLocation()
}
}
module UnsafeDeserializationFlow = TaintTracking::Global<UnsafeDeserializationConfig>;

12
java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
View File

@@ -47,18 +47,6 @@ module PolynomialRedosConfig implements DataFlow::ConfigSig {
node instanceof SimpleTypeSanitizer or
node.asExpr().(MethodCall).getMethod() instanceof LengthRestrictedMethod
}
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSinkLocation(DataFlow::Node sink) {
exists(SuperlinearBackTracking::PolynomialBackTrackingTerm regexp |
regexp.getRootTerm() = sink.(PolynomialRedosSink).getRegExp()
|
result = sink.getLocation()
or
result = regexp.getLocation()
)
}
}
module PolynomialRedosFlow = TaintTracking::Global<PolynomialRedosConfig>;

4
java/ql/src/Language Abuse/UselessNullCheck.ql
View File

@@ -18,10 +18,10 @@ import semmle.code.java.controlflow.Guards
from Expr guard, Expr e, Expr reason, string msg
where
guard = basicNullGuard(e, _, true) and
guardSuggestsExprMaybeNull(guard, e) and
e = clearlyNotNullExpr(reason) and
(
if reason instanceof Guard
if reason = directNullGuard(_, _, _)
then msg = "This check is useless. $@ cannot be null at this check, since it is guarded by $@."
else
if reason != e

4
java/ql/src/change-notes/2025-06-17-improved-guards.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Java analysis of guards has been switched to use the new and improved shared guards library. This improves precision of a number of queries, in particular `java/dereferenced-value-may-be-null`, which now has fewer false positives, and `java/useless-null-check` and `java/constant-comparison`, which gain additional true positives.

146
java/ql/test/library-tests/guards/Guards.java Normal file
View File

@@ -0,0 +1,146 @@
public class Guards {
static void chk() { }
static boolean g(Object lbl) { return lbl.hashCode() > 10; }
static void checkTrue(boolean b, String msg) {
if (!b) throw new Error(msg);
}
static void checkFalse(boolean b, String msg) {
checkTrue(!b, msg);
}
void t1(int[] a, String s) {
if (g("A")) {
chk(); // $ guarded=g(A):true
} else {
chk(); // $ guarded=g(A):false
}
boolean b = g(1) ? g(2) : true;
if (b != false) {
chk(); // $ guarded=...?...:...:true guarded='b != false:true' guarded=b:true
} else {
chk(); // $ guarded=...?...:...:false guarded='b != false:false' guarded=b:false guarded=g(1):true guarded=g(2):false
}
int sz = a != null ? a.length : 0;
for (int i = 0; i < sz; i++) {
chk(); // $ guarded='a != null:true' guarded='i < sz:true' guarded='sz:not 0' guarded='...?...:...:not 0' guarded='a.length:not 0' guarded='a:not null'
int e = a[i];
if (e > 2) break;
}
chk(); // nothing guards here
if (g(3))
s = "bar";
switch (s) {
case "bar":
chk(); // $ guarded='s:match "bar"' guarded='s:bar'
break;
case "foo":
chk(); // $ guarded='s:match "foo"' guarded='s:foo' guarded=g(3):false
break;
default:
chk(); // $ guarded='s:non-match "bar"' guarded='s:non-match "foo"' guarded='s:not bar' guarded='s:not foo' guarded='s:match default' guarded=g(3):false
break;
}
Object o = g(4) ? null : s;
if (o instanceof String) {
chk(); // $ guarded=...instanceof...:true guarded='o:not null' guarded='...?...:...:not null' guarded=g(4):false guarded='s:not null'
}
}
void t2() {
checkTrue(g(1), "A");
checkFalse(g(2), "B");
chk(); // $ guarded='checkTrue(...):no exception' guarded=g(1):true guarded='checkFalse(...):no exception' guarded=g(2):false
}
void t3() {
boolean b = g(1) && (g(2) || g(3));
if (b) {
chk(); // $ guarded=b:true guarded='g(...) && ... \|\| ...:true' guarded=g(1):true guarded='g(...) \|\| g(...):true'
} else {
chk(); // $ guarded=b:false guarded='g(...) && ... \|\| ...:false'
}
b = g(4) || !g(5);
if (b) {
chk(); // $ guarded=b:true guarded='g(...) \|\| !...:true'
} else {
chk(); // $ guarded=b:false guarded='g(...) \|\| !...:false' guarded=g(4):false guarded=!...:false guarded=g(5):true
}
}
enum Val {
E1,
E2,
E3
}
void t4() {
Val x = null; // unique value
if (g(1)) x = Val.E1; // unique value
if (g(2)) x = Val.E2;
if (g("Alt2")) x = Val.E2;
if (g(3)) x = Val.E3; // unique value
if (x == null)
chk(); // $ guarded='x == null:true' guarded='x:null' guarded=g(1):false guarded=g(2):false guarded=g(Alt2):false guarded=g(3):false
switch (x) {
case E1:
chk(); // $ guarded='x:match E1' guarded='x:E1' guarded=g(1):true guarded=g(2):false guarded=g(Alt2):false guarded=g(3):false
break;
case E2:
chk(); // $ guarded='x:match E2' guarded='x:E2' guarded=g(3):false
break;
case E3:
chk(); // $ guarded='x:match E3' guarded='x:E3' guarded=g(3):true
break;
}
Object o = g(4) ? new Object() : null;
if (o == null) {
chk(); // $ guarded='o == null:true' guarded='o:null' guarded='...?...:...:null' guarded=g(4):false
} else {
chk(); // $ guarded='o == null:false' guarded='o:not null' guarded='...?...:...:not null' guarded=g(4):true
}
}
void t5(String foo) {
String base = foo;
if (base == null) {
base = "/user";
}
if (base.equals("/"))
chk(); // $ guarded=equals(/):true guarded='base:/' guarded='base:not null' guarded='base == null:false' guarded='foo:/' guarded='foo:not null'
}
void t6() {
Object o = null;
if (g(1)) {
o = new Object();
if (g(2)) { }
}
if (o != null) {
chk(); // $ guarded='o != null:true' guarded='o:not null' guarded=g(1):true
} else {
chk(); // $ guarded='o != null:false' guarded='o:null' guarded=g(1):false
}
}
void t7(int[] a) {
boolean found = false;
for (int i = 0; i < a.length; i++) {
boolean answer = a[i] == 42;
if (answer) {
found = true;
}
if (found) {
chk(); // $ guarded=found:true guarded='i < a.length:true'
}
}
if (found) {
chk(); // $ guarded=found:true guarded='i < a.length:false'
}
}
}

91
java/ql/test/library-tests/guards/GuardsInline.expected Normal file
View File

@@ -0,0 +1,91 @@
| Guards.java:16:7:16:11 | chk(...) | g(A):true |
| Guards.java:18:7:18:11 | chk(...) | g(A):false |
| Guards.java:23:7:23:11 | chk(...) | 'b != false:true' |
| Guards.java:23:7:23:11 | chk(...) | ...?...:...:true |
| Guards.java:23:7:23:11 | chk(...) | b:true |
| Guards.java:25:7:25:11 | chk(...) | 'b != false:false' |
| Guards.java:25:7:25:11 | chk(...) | ...?...:...:false |
| Guards.java:25:7:25:11 | chk(...) | b:false |
| Guards.java:25:7:25:11 | chk(...) | g(1):true |
| Guards.java:25:7:25:11 | chk(...) | g(2):false |
| Guards.java:29:7:29:11 | chk(...) | '...?...:...:not 0' |
| Guards.java:29:7:29:11 | chk(...) | 'a != null:true' |
| Guards.java:29:7:29:11 | chk(...) | 'a.length:not 0' |
| Guards.java:29:7:29:11 | chk(...) | 'a:not null' |
| Guards.java:29:7:29:11 | chk(...) | 'i < sz:true' |
| Guards.java:29:7:29:11 | chk(...) | 'sz:not 0' |
| Guards.java:39:9:39:13 | chk(...) | 's:bar' |
| Guards.java:39:9:39:13 | chk(...) | 's:match "bar"' |
| Guards.java:42:9:42:13 | chk(...) | 's:foo' |
| Guards.java:42:9:42:13 | chk(...) | 's:match "foo"' |
| Guards.java:42:9:42:13 | chk(...) | g(3):false |
| Guards.java:45:9:45:13 | chk(...) | 's:match default' |
| Guards.java:45:9:45:13 | chk(...) | 's:non-match "bar"' |
| Guards.java:45:9:45:13 | chk(...) | 's:non-match "foo"' |
| Guards.java:45:9:45:13 | chk(...) | 's:not bar' |
| Guards.java:45:9:45:13 | chk(...) | 's:not foo' |
| Guards.java:45:9:45:13 | chk(...) | g(3):false |
| Guards.java:51:7:51:11 | chk(...) | '...?...:...:not null' |
| Guards.java:51:7:51:11 | chk(...) | 'o:not null' |
| Guards.java:51:7:51:11 | chk(...) | 's:not null' |
| Guards.java:51:7:51:11 | chk(...) | ...instanceof...:true |
| Guards.java:51:7:51:11 | chk(...) | g(4):false |
| Guards.java:58:5:58:9 | chk(...) | 'checkFalse(...):no exception' |
| Guards.java:58:5:58:9 | chk(...) | 'checkTrue(...):no exception' |
| Guards.java:58:5:58:9 | chk(...) | g(1):true |
| Guards.java:58:5:58:9 | chk(...) | g(2):false |
| Guards.java:64:7:64:11 | chk(...) | 'g(...) && ... \|\| ...:true' |
| Guards.java:64:7:64:11 | chk(...) | 'g(...) \|\| g(...):true' |
| Guards.java:64:7:64:11 | chk(...) | b:true |
| Guards.java:64:7:64:11 | chk(...) | g(1):true |
| Guards.java:66:7:66:11 | chk(...) | 'g(...) && ... \|\| ...:false' |
| Guards.java:66:7:66:11 | chk(...) | b:false |
| Guards.java:70:7:70:11 | chk(...) | 'g(...) \|\| !...:true' |
| Guards.java:70:7:70:11 | chk(...) | b:true |
| Guards.java:72:7:72:11 | chk(...) | !...:false |
| Guards.java:72:7:72:11 | chk(...) | 'g(...) \|\| !...:false' |
| Guards.java:72:7:72:11 | chk(...) | b:false |
| Guards.java:72:7:72:11 | chk(...) | g(4):false |
| Guards.java:72:7:72:11 | chk(...) | g(5):true |
| Guards.java:89:7:89:11 | chk(...) | 'x == null:true' |
| Guards.java:89:7:89:11 | chk(...) | 'x:null' |
| Guards.java:89:7:89:11 | chk(...) | g(1):false |
| Guards.java:89:7:89:11 | chk(...) | g(2):false |
| Guards.java:89:7:89:11 | chk(...) | g(3):false |
| Guards.java:89:7:89:11 | chk(...) | g(Alt2):false |
| Guards.java:92:9:92:13 | chk(...) | 'x:E1' |
| Guards.java:92:9:92:13 | chk(...) | 'x:match E1' |
| Guards.java:92:9:92:13 | chk(...) | g(1):true |
| Guards.java:92:9:92:13 | chk(...) | g(2):false |
| Guards.java:92:9:92:13 | chk(...) | g(3):false |
| Guards.java:92:9:92:13 | chk(...) | g(Alt2):false |
| Guards.java:95:9:95:13 | chk(...) | 'x:E2' |
| Guards.java:95:9:95:13 | chk(...) | 'x:match E2' |
| Guards.java:95:9:95:13 | chk(...) | g(3):false |
| Guards.java:98:9:98:13 | chk(...) | 'x:E3' |
| Guards.java:98:9:98:13 | chk(...) | 'x:match E3' |
| Guards.java:98:9:98:13 | chk(...) | g(3):true |
| Guards.java:103:7:103:11 | chk(...) | '...?...:...:null' |
| Guards.java:103:7:103:11 | chk(...) | 'o == null:true' |
| Guards.java:103:7:103:11 | chk(...) | 'o:null' |
| Guards.java:103:7:103:11 | chk(...) | g(4):false |
| Guards.java:105:7:105:11 | chk(...) | '...?...:...:not null' |
| Guards.java:105:7:105:11 | chk(...) | 'o == null:false' |
| Guards.java:105:7:105:11 | chk(...) | 'o:not null' |
| Guards.java:105:7:105:11 | chk(...) | g(4):true |
| Guards.java:115:7:115:11 | chk(...) | 'base == null:false' |
| Guards.java:115:7:115:11 | chk(...) | 'base:/' |
| Guards.java:115:7:115:11 | chk(...) | 'base:not null' |
| Guards.java:115:7:115:11 | chk(...) | 'foo:/' |
| Guards.java:115:7:115:11 | chk(...) | 'foo:not null' |
| Guards.java:115:7:115:11 | chk(...) | equals(/):true |
| Guards.java:125:7:125:11 | chk(...) | 'o != null:true' |
| Guards.java:125:7:125:11 | chk(...) | 'o:not null' |
| Guards.java:125:7:125:11 | chk(...) | g(1):true |
| Guards.java:127:7:127:11 | chk(...) | 'o != null:false' |
| Guards.java:127:7:127:11 | chk(...) | 'o:null' |
| Guards.java:127:7:127:11 | chk(...) | g(1):false |
| Guards.java:139:9:139:13 | chk(...) | 'i < a.length:true' |
| Guards.java:139:9:139:13 | chk(...) | found:true |
| Guards.java:143:7:143:11 | chk(...) | 'i < a.length:false' |
| Guards.java:143:7:143:11 | chk(...) | found:true |

51
java/ql/test/library-tests/guards/GuardsInline.ql Normal file
View File

@@ -0,0 +1,51 @@
import java
import semmle.code.java.controlflow.Guards
import codeql.util.Boolean
string ppGuard(Guard g, Boolean branch) {
exists(MethodCall mc, Literal s |
mc = g and
mc.getAnArgument() = s and
result = mc.getMethod().getName() + "(" + s.getValue() + ")" + ":" + branch
)
or
exists(BinaryExpr bin |
bin = g and
result = "'" + bin.getLeftOperand() + bin.getOp() + bin.getRightOperand() + ":" + branch + "'"
)
or
exists(SwitchCase cc, Expr s, string match, string value |
cc = g and
cc.getSelectorExpr() = s and
(
cc.(ConstCase).getValue().toString() = value
or
cc instanceof DefaultCase and value = "default"
) and
if branch = true then match = ":match " else match = ":non-match "
|
result = "'" + s.toString() + match + value + "'"
)
}
query predicate guarded(MethodCall mc, string guard) {
mc.getMethod().hasName("chk") and
exists(Guard g, BasicBlock bb, boolean branch |
g.controls(bb, branch) and
mc.getBasicBlock() = bb
|
guard = ppGuard(g, branch)
or
not exists(ppGuard(g, branch)) and
guard = g.toString() + ":" + branch
)
or
mc.getMethod().hasName("chk") and
exists(Guard g, BasicBlock bb, GuardValue val |
g.valueControls(bb, val) and
not exists(val.asBooleanValue()) and
mc.getBasicBlock() = bb
|
guard = "'" + g.toString() + ":" + val + "'"
)
}

2
java/ql/test/library-tests/guards/GuardsInline.qlref Normal file
View File

@@ -0,0 +1,2 @@
query: GuardsInline.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

28
java/ql/test/library-tests/guards/guardslogic.expected
View File

@@ -30,33 +30,33 @@
| Logic.java:29:16:29:19 | g(...) | false | Logic.java:30:30:31:5 | { ... } |
| Logic.java:29:16:29:19 | g(...) | true | Logic.java:29:23:29:26 | null |
| Logic.java:30:9:30:27 | ...instanceof... | true | Logic.java:30:30:31:5 | { ... } |
| Logic.java:35:5:35:29 | checkTrue(...) | true | Logic.java:36:5:36:28 | <Expr>; |
| Logic.java:35:5:35:29 | checkTrue(...) | true | Logic.java:37:5:37:15 | if (...) |
| Logic.java:35:5:35:29 | checkTrue(...) | true | Logic.java:37:17:39:5 | { ... } |
| Logic.java:35:5:35:29 | checkTrue(...) | true | Logic.java:40:5:40:18 | var ...; |
| Logic.java:35:5:35:29 | checkTrue(...) | no exception | Logic.java:36:5:36:28 | <Expr>; |
| Logic.java:35:5:35:29 | checkTrue(...) | no exception | Logic.java:37:5:37:15 | if (...) |
| Logic.java:35:5:35:29 | checkTrue(...) | no exception | Logic.java:37:17:39:5 | { ... } |
| Logic.java:35:5:35:29 | checkTrue(...) | no exception | Logic.java:40:5:40:18 | var ...; |
| Logic.java:35:15:35:19 | ... > ... | true | Logic.java:36:5:36:28 | <Expr>; |
| Logic.java:35:15:35:19 | ... > ... | true | Logic.java:37:5:37:15 | if (...) |
| Logic.java:35:15:35:19 | ... > ... | true | Logic.java:37:17:39:5 | { ... } |
| Logic.java:35:15:35:19 | ... > ... | true | Logic.java:40:5:40:18 | var ...; |
| Logic.java:36:5:36:27 | checkFalse(...) | false | Logic.java:37:5:37:15 | if (...) |
| Logic.java:36:5:36:27 | checkFalse(...) | false | Logic.java:37:17:39:5 | { ... } |
| Logic.java:36:5:36:27 | checkFalse(...) | false | Logic.java:40:5:40:18 | var ...; |
| Logic.java:36:5:36:27 | checkFalse(...) | no exception | Logic.java:37:5:37:15 | if (...) |
| Logic.java:36:5:36:27 | checkFalse(...) | no exception | Logic.java:37:17:39:5 | { ... } |
| Logic.java:36:5:36:27 | checkFalse(...) | no exception | Logic.java:40:5:40:18 | var ...; |
| Logic.java:36:16:36:21 | g(...) | false | Logic.java:37:5:37:15 | if (...) |
| Logic.java:36:16:36:21 | g(...) | false | Logic.java:37:17:39:5 | { ... } |
| Logic.java:36:16:36:21 | g(...) | false | Logic.java:40:5:40:18 | var ...; |
| Logic.java:37:9:37:14 | ... > ... | true | Logic.java:37:17:39:5 | { ... } |
| Logic.java:44:10:44:10 | b | false | Logic.java:44:33:44:35 | msg |
| Logic.java:52:5:52:29 | checkTrue(...) | true | Logic.java:53:5:53:28 | <Expr>; |
| Logic.java:52:5:52:29 | checkTrue(...) | true | Logic.java:54:5:54:15 | if (...) |
| Logic.java:52:5:52:29 | checkTrue(...) | true | Logic.java:54:17:56:5 | { ... } |
| Logic.java:52:5:52:29 | checkTrue(...) | true | Logic.java:57:5:57:18 | var ...; |
| Logic.java:52:5:52:29 | checkTrue(...) | no exception | Logic.java:53:5:53:28 | <Expr>; |
| Logic.java:52:5:52:29 | checkTrue(...) | no exception | Logic.java:54:5:54:15 | if (...) |
| Logic.java:52:5:52:29 | checkTrue(...) | no exception | Logic.java:54:17:56:5 | { ... } |
| Logic.java:52:5:52:29 | checkTrue(...) | no exception | Logic.java:57:5:57:18 | var ...; |
| Logic.java:52:24:52:28 | ... > ... | true | Logic.java:53:5:53:28 | <Expr>; |
| Logic.java:52:24:52:28 | ... > ... | true | Logic.java:54:5:54:15 | if (...) |
| Logic.java:52:24:52:28 | ... > ... | true | Logic.java:54:17:56:5 | { ... } |
| Logic.java:52:24:52:28 | ... > ... | true | Logic.java:57:5:57:18 | var ...; |
| Logic.java:53:5:53:27 | checkFalse(...) | false | Logic.java:54:5:54:15 | if (...) |
| Logic.java:53:5:53:27 | checkFalse(...) | false | Logic.java:54:17:56:5 | { ... } |
| Logic.java:53:5:53:27 | checkFalse(...) | false | Logic.java:57:5:57:18 | var ...; |
| Logic.java:53:5:53:27 | checkFalse(...) | no exception | Logic.java:54:5:54:15 | if (...) |
| Logic.java:53:5:53:27 | checkFalse(...) | no exception | Logic.java:54:17:56:5 | { ... } |
| Logic.java:53:5:53:27 | checkFalse(...) | no exception | Logic.java:57:5:57:18 | var ...; |
| Logic.java:53:21:53:26 | g(...) | false | Logic.java:54:5:54:15 | if (...) |
| Logic.java:53:21:53:26 | g(...) | false | Logic.java:54:17:56:5 | { ... } |
| Logic.java:53:21:53:26 | g(...) | false | Logic.java:57:5:57:18 | var ...; |

9
java/ql/test/library-tests/guards/guardslogic.ql
View File

@@ -1,8 +1,9 @@
import java
import semmle.code.java.controlflow.Guards
from Guard g, BasicBlock bb, boolean branch
from Guard g, BasicBlock bb, GuardValue gv
where
g.controls(bb, branch) and
g.getEnclosingCallable().getDeclaringType().hasName("Logic")
select g, branch, bb
g.valueControls(bb, gv) and
g.getEnclosingCallable().getDeclaringType().hasName("Logic") and
(exists(gv.asBooleanValue()) or gv.isThrowsException() or gv.getDualValue().isThrowsException())
select g, gv, bb

40
java/ql/test/library-tests/guards/guardspreconditions.expected
View File

@@ -1,20 +1,20 @@
| Preconditions.java:8:9:8:31 | assertTrue(...) | true | Preconditions.java:9:9:9:18 | <Expr>; |
| Preconditions.java:13:9:13:32 | assertTrue(...) | true | Preconditions.java:14:9:14:18 | <Expr>; |
| Preconditions.java:18:9:18:33 | assertFalse(...) | false | Preconditions.java:19:9:19:18 | <Expr>; |
| Preconditions.java:23:9:23:32 | assertFalse(...) | false | Preconditions.java:24:9:24:18 | <Expr>; |
| Preconditions.java:28:9:28:41 | assertTrue(...) | true | Preconditions.java:29:9:29:18 | <Expr>; |
| Preconditions.java:33:9:33:42 | assertTrue(...) | true | Preconditions.java:34:9:34:18 | <Expr>; |
| Preconditions.java:38:9:38:43 | assertFalse(...) | false | Preconditions.java:39:9:39:18 | <Expr>; |
| Preconditions.java:43:9:43:42 | assertFalse(...) | false | Preconditions.java:44:9:44:18 | <Expr>; |
| Preconditions.java:48:9:48:35 | assertTrue(...) | true | Preconditions.java:49:9:49:18 | <Expr>; |
| Preconditions.java:53:9:53:36 | assertTrue(...) | true | Preconditions.java:54:9:54:18 | <Expr>; |
| Preconditions.java:58:9:58:37 | assertFalse(...) | false | Preconditions.java:59:9:59:18 | <Expr>; |
| Preconditions.java:63:9:63:36 | assertFalse(...) | false | Preconditions.java:64:9:64:18 | <Expr>; |
| Preconditions.java:68:9:68:45 | assertTrue(...) | true | Preconditions.java:69:9:69:18 | <Expr>; |
| Preconditions.java:73:9:73:46 | assertTrue(...) | true | Preconditions.java:74:9:74:18 | <Expr>; |
| Preconditions.java:78:9:78:47 | assertFalse(...) | false | Preconditions.java:79:9:79:18 | <Expr>; |
| Preconditions.java:83:9:83:46 | assertFalse(...) | false | Preconditions.java:84:9:84:18 | <Expr>; |
| Preconditions.java:88:9:88:15 | t(...) | true | Preconditions.java:89:9:89:18 | <Expr>; |
| Preconditions.java:93:9:93:16 | t(...) | true | Preconditions.java:94:9:94:18 | <Expr>; |
| Preconditions.java:98:9:98:16 | f(...) | false | Preconditions.java:99:9:99:18 | <Expr>; |
| Preconditions.java:103:9:103:15 | f(...) | false | Preconditions.java:104:9:104:18 | <Expr>; |
| Preconditions.java:8:9:8:31 | assertTrue(...) | no exception | Preconditions.java:9:9:9:18 | <Expr>; |
| Preconditions.java:13:9:13:32 | assertTrue(...) | no exception | Preconditions.java:14:9:14:18 | <Expr>; |
| Preconditions.java:18:9:18:33 | assertFalse(...) | no exception | Preconditions.java:19:9:19:18 | <Expr>; |
| Preconditions.java:23:9:23:32 | assertFalse(...) | no exception | Preconditions.java:24:9:24:18 | <Expr>; |
| Preconditions.java:28:9:28:41 | assertTrue(...) | no exception | Preconditions.java:29:9:29:18 | <Expr>; |
| Preconditions.java:33:9:33:42 | assertTrue(...) | no exception | Preconditions.java:34:9:34:18 | <Expr>; |
| Preconditions.java:38:9:38:43 | assertFalse(...) | no exception | Preconditions.java:39:9:39:18 | <Expr>; |
| Preconditions.java:43:9:43:42 | assertFalse(...) | no exception | Preconditions.java:44:9:44:18 | <Expr>; |
| Preconditions.java:48:9:48:35 | assertTrue(...) | no exception | Preconditions.java:49:9:49:18 | <Expr>; |
| Preconditions.java:53:9:53:36 | assertTrue(...) | no exception | Preconditions.java:54:9:54:18 | <Expr>; |
| Preconditions.java:58:9:58:37 | assertFalse(...) | no exception | Preconditions.java:59:9:59:18 | <Expr>; |
| Preconditions.java:63:9:63:36 | assertFalse(...) | no exception | Preconditions.java:64:9:64:18 | <Expr>; |
| Preconditions.java:68:9:68:45 | assertTrue(...) | no exception | Preconditions.java:69:9:69:18 | <Expr>; |
| Preconditions.java:73:9:73:46 | assertTrue(...) | no exception | Preconditions.java:74:9:74:18 | <Expr>; |
| Preconditions.java:78:9:78:47 | assertFalse(...) | no exception | Preconditions.java:79:9:79:18 | <Expr>; |
| Preconditions.java:83:9:83:46 | assertFalse(...) | no exception | Preconditions.java:84:9:84:18 | <Expr>; |
| Preconditions.java:88:9:88:15 | t(...) | no exception | Preconditions.java:89:9:89:18 | <Expr>; |
| Preconditions.java:93:9:93:16 | t(...) | no exception | Preconditions.java:94:9:94:18 | <Expr>; |
| Preconditions.java:98:9:98:16 | f(...) | no exception | Preconditions.java:99:9:99:18 | <Expr>; |
| Preconditions.java:103:9:103:15 | f(...) | no exception | Preconditions.java:104:9:104:18 | <Expr>; |

9
java/ql/test/library-tests/guards/guardspreconditions.ql
View File

@@ -1,8 +1,9 @@
import java
import semmle.code.java.controlflow.Guards
from Guard g, BasicBlock bb, boolean branch
from Guard g, BasicBlock bb, GuardValue gv
where
g.controls(bb, branch) and
g.getEnclosingCallable().getDeclaringType().hasName("Preconditions")
select g, branch, bb
g.valueControls(bb, gv) and
g.getEnclosingCallable().getDeclaringType().hasName("Preconditions") and
(gv.isThrowsException() or gv.getDualValue().isThrowsException())
select g, gv, bb

8
java/ql/test/library-tests/guards12/guard.expected
View File

@@ -51,13 +51,5 @@ hasBranchEdge
| Test.java:12:7:12:17 | case ... | Test.java:9:13:9:13 | s | Test.java:12:12:12:14 | "d" | true | false | Test.java:13:7:13:16 | default |
| Test.java:12:7:12:17 | case ... | Test.java:9:13:9:13 | s | Test.java:12:12:12:14 | "d" | true | true | Test.java:12:7:12:17 | case ... |
| Test.java:17:26:17:33 | ... == ... | Test.java:17:26:17:28 | len | Test.java:17:33:17:33 | 4 | true | true | Test.java:17:38:17:40 | { ... } |
| Test.java:18:7:18:17 | case ... | Test.java:16:13:16:13 | s | Test.java:18:12:18:14 | "e" | true | false | Test.java:19:7:19:16 | default |
| Test.java:18:7:18:17 | case ... | Test.java:16:13:16:13 | s | Test.java:18:12:18:14 | "e" | true | true | Test.java:18:7:18:17 | case ... |
| Test.java:22:7:22:17 | case ... | Test.java:21:13:21:41 | ...?...:... | Test.java:22:12:22:14 | "f" | true | false | Test.java:25:7:25:16 | default |
| Test.java:22:7:22:17 | case ... | Test.java:21:13:21:41 | ...?...:... | Test.java:22:12:22:14 | "f" | true | true | Test.java:22:7:22:17 | case ... |
| Test.java:23:27:23:34 | ... == ... | Test.java:23:27:23:29 | len | Test.java:23:34:23:34 | 4 | true | true | Test.java:23:39:23:41 | { ... } |
| Test.java:24:7:24:17 | case ... | Test.java:21:13:21:41 | ...?...:... | Test.java:24:12:24:14 | "g" | true | false | Test.java:25:7:25:16 | default |
| Test.java:24:7:24:17 | case ... | Test.java:21:13:21:41 | ...?...:... | Test.java:24:12:24:14 | "g" | true | true | Test.java:24:7:24:17 | case ... |
| Test.java:28:7:28:15 | case ... | Test.java:27:13:27:13 | s | Test.java:28:12:28:14 | "h" | true | false | Test.java:33:7:33:14 | default |
| Test.java:28:7:28:15 | case ... | Test.java:27:13:27:13 | s | Test.java:28:12:28:14 | "h" | true | true | Test.java:28:7:28:15 | case ... |
| Test.java:30:7:30:15 | case ... | Test.java:27:13:27:13 | s | Test.java:30:12:30:14 | "i" | true | false | Test.java:33:7:33:14 | default |

4
java/ql/test/library-tests/guards12/guard.ql
View File

@@ -1,8 +1,8 @@
import java
import semmle.code.java.controlflow.Guards
query predicate hasBranchEdge(Guard g, BasicBlock bb1, BasicBlock bb2, boolean branch) {
g.hasBranchEdge(bb1, bb2, branch)
query predicate hasBranchEdge(Guard g, BasicBlock bb1, BasicBlock bb2, GuardValue branch) {
g.hasValueBranchEdge(bb1, bb2, branch)
}
from Guard g, BasicBlock bb, boolean branch, Expr e1, Expr e2, boolean pol

12
java/ql/test/query-tests/Nullness/C.java
View File

@@ -60,7 +60,7 @@ public class C {
arrLen = arr == null ? 0 : arr.length;
}
if (arrLen > 0) {
arr[0] = 0; // NPE - false positive
arr[0] = 0; // OK
}
}
@@ -244,4 +244,14 @@ public class C {
}
xs[0]++; // OK
}
public void ex18(boolean b, int[] xs, Object related) {
assert (!b && xs == null && related == null) ||
(b && xs != null && related != null) ||
(b && xs == null && related == null);
if (b) {
if (related == null) { return; }
xs[0] = 42; // FP - correlated conditions fails to recognize assert edges
}
}
}

4
java/ql/test/query-tests/Nullness/NullMaybe.expected
View File

@@ -24,7 +24,6 @@
| C.java:10:17:10:18 | a3 | Variable $@ may be null at this access because of $@ assignment. | C.java:8:5:8:21 | long[] a3 | a3 | C.java:8:12:8:20 | a3 | this |
| C.java:21:7:21:8 | s1 | Variable $@ may be null at this access because of $@ assignment. | C.java:14:5:14:30 | String s1 | s1 | C.java:17:7:17:24 | ...=... | this |
| C.java:51:7:51:11 | slice | Variable $@ may be null at this access because of $@ assignment. | C.java:43:5:43:30 | List<String> slice | slice | C.java:43:18:43:29 | slice | this |
| C.java:63:7:63:9 | arr | Variable $@ may be null at this access as suggested by $@ null guard. | C.java:57:35:57:43 | arr | arr | C.java:60:16:60:26 | ... == ... | this |
| C.java:100:7:100:10 | arr2 | Variable $@ may be null at this access because of $@ assignment. | C.java:95:5:95:22 | int[] arr2 | arr2 | C.java:95:11:95:21 | arr2 | this |
| C.java:110:25:110:27 | obj | Variable $@ may be null at this access because of $@ assignment. | C.java:106:5:106:30 | Object obj | obj | C.java:118:13:118:22 | ...=... | this |
| C.java:137:7:137:10 | obj2 | Variable $@ may be null at this access as suggested by $@ null guard. | C.java:131:5:131:23 | Object obj2 | obj2 | C.java:132:9:132:20 | ... != ... | this |
@@ -33,6 +32,9 @@
| C.java:207:9:207:11 | obj | Variable $@ may be null at this access because of $@ assignment. | C.java:201:5:201:22 | Object obj | obj | C.java:201:12:201:21 | obj | this |
| C.java:219:9:219:10 | o1 | Variable $@ may be null at this access as suggested by $@ null guard. | C.java:212:20:212:28 | o1 | o1 | C.java:213:9:213:18 | ... == ... | this |
| C.java:233:7:233:8 | xs | Variable $@ may be null at this access because of $@ assignment. | C.java:231:5:231:56 | int[] xs | xs | C.java:231:11:231:55 | xs | this |
| C.java:254:7:254:8 | xs | Variable $@ may be null at this access as suggested by $@ null guard. | C.java:248:31:248:38 | xs | xs | C.java:249:19:249:28 | ... == ... | this |
| C.java:254:7:254:8 | xs | Variable $@ may be null at this access as suggested by $@ null guard. | C.java:248:31:248:38 | xs | xs | C.java:250:18:250:27 | ... != ... | this |
| C.java:254:7:254:8 | xs | Variable $@ may be null at this access as suggested by $@ null guard. | C.java:248:31:248:38 | xs | xs | C.java:251:18:251:27 | ... == ... | this |
| F.java:11:5:11:7 | obj | Variable $@ may be null at this access as suggested by $@ null guard. | F.java:8:18:8:27 | obj | obj | F.java:9:9:9:19 | ... == ... | this |
| F.java:17:5:17:7 | obj | Variable $@ may be null at this access as suggested by $@ null guard. | F.java:14:18:14:27 | obj | obj | F.java:15:9:15:19 | ... == ... | this |
| G.java:20:12:20:12 | s | Variable $@ may be null at this access as suggested by $@ null guard. | G.java:3:27:3:34 | s | s | G.java:5:9:5:17 | ... == ... | this |

474
java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
View File

@@ -0,0 +1,474 @@
#select
| TaintedPath.java:16:71:16:78 | filename | TaintedPath.java:13:58:13:78 | getInputStream(...) : InputStream | TaintedPath.java:16:71:16:78 | filename | This path depends on a $@. | TaintedPath.java:13:58:13:78 | getInputStream(...) | user-provided value |
| Test.java:37:52:37:68 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:37:52:37:68 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:39:32:39:48 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:39:32:39:48 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:41:47:41:63 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:41:47:41:63 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:43:10:43:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:43:10:43:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:45:10:45:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:45:10:45:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:47:10:47:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:47:10:47:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:49:10:49:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:49:10:49:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:51:39:51:53 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:51:39:51:53 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:53:10:53:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:53:10:53:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:55:10:55:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:55:10:55:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:57:10:57:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:57:10:57:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:59:10:59:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:59:10:59:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:61:10:61:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:61:10:61:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:63:10:63:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:63:10:63:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:65:10:65:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:65:10:65:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:67:10:67:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:67:10:67:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:69:31:69:45 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:69:31:69:45 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:71:10:71:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:71:10:71:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:73:10:73:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:73:10:73:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:75:10:75:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:75:10:75:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:77:10:77:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:77:10:77:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:79:10:79:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:79:10:79:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:81:10:81:24 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:81:10:81:24 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:83:31:83:45 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:83:31:83:45 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:85:29:85:43 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:85:29:85:43 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:87:29:87:53 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:87:29:87:53 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:89:29:89:45 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:89:29:89:45 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:91:24:91:38 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:91:24:91:38 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:93:24:93:48 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:93:24:93:48 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:95:24:95:38 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:95:24:95:38 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:97:24:97:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:97:24:97:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:99:24:99:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:99:24:99:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:101:20:101:34 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:101:20:101:34 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:102:20:102:34 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:102:20:102:34 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:104:33:104:47 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:104:33:104:47 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:105:40:105:54 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:105:40:105:54 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:107:33:107:47 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:107:33:107:47 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:109:31:109:45 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:109:31:109:45 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:111:26:111:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:111:26:111:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:113:26:113:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:113:26:113:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:115:34:115:48 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:115:34:115:48 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:117:35:117:49 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:117:35:117:49 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:119:30:119:44 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:119:30:119:44 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:121:22:121:36 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:121:22:121:36 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:123:30:123:44 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:123:30:123:44 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:125:21:125:35 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:125:21:125:35 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:127:26:127:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:127:26:127:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:129:33:129:47 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:129:33:129:47 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:131:33:131:47 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:131:33:131:47 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:132:33:132:47 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:132:33:132:47 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:134:31:134:45 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:134:31:134:45 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:136:21:136:35 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:136:21:136:35 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:137:21:137:35 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:137:21:137:35 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:138:21:138:35 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:138:21:138:35 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:140:27:140:41 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:140:27:140:41 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:141:27:141:41 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:141:27:141:41 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:143:26:143:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:143:26:143:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:145:35:145:49 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:145:35:145:49 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:147:41:147:57 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:147:41:147:57 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:149:45:149:61 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:149:45:149:61 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:151:43:151:57 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:151:43:151:57 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:153:28:153:42 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:153:28:153:42 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:155:41:155:55 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:155:41:155:55 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:160:30:160:44 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:160:30:160:44 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:162:40:162:81 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:162:40:162:81 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:164:34:164:75 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:164:34:164:75 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:166:34:166:75 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:166:34:166:75 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:168:23:168:37 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:168:23:168:37 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:181:23:181:37 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:181:23:181:37 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:186:23:186:40 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:186:23:186:40 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:188:20:188:34 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:188:20:188:34 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:190:21:190:35 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:190:21:190:35 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:192:22:192:36 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:192:22:192:36 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:197:20:197:34 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:197:20:197:34 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:199:19:199:33 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:199:19:199:33 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
| Test.java:204:20:204:36 | (...)... | Test.java:32:16:32:45 | getParameter(...) : String | Test.java:204:20:204:36 | (...)... | This path depends on a $@. | Test.java:32:16:32:45 | getParameter(...) | user-provided value |
edges
| TaintedPath.java:13:17:13:89 | new BufferedReader(...) : BufferedReader | TaintedPath.java:14:27:14:40 | filenameReader : BufferedReader | provenance | |
| TaintedPath.java:13:36:13:88 | new InputStreamReader(...) : InputStreamReader | TaintedPath.java:13:17:13:89 | new BufferedReader(...) : BufferedReader | provenance | MaD:74 |
| TaintedPath.java:13:58:13:78 | getInputStream(...) : InputStream | TaintedPath.java:13:36:13:88 | new InputStreamReader(...) : InputStreamReader | provenance | Src:MaD:72 MaD:76 |
| TaintedPath.java:14:27:14:40 | filenameReader : BufferedReader | TaintedPath.java:14:27:14:51 | readLine(...) : String | provenance | MaD:75 |
| TaintedPath.java:14:27:14:51 | readLine(...) : String | TaintedPath.java:16:71:16:78 | filename | provenance | Sink:MaD:27 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:37:61:37:68 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:39:41:39:48 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:41:56:41:63 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:43:17:43:24 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:45:17:45:24 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:47:17:47:24 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:49:17:49:24 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:51:46:51:53 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:53:17:53:24 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:55:17:55:24 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:57:17:57:24 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:59:17:59:24 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:61:17:61:24 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:63:17:63:24 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:65:17:65:24 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:67:17:67:24 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:69:38:69:45 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:71:17:71:24 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:73:17:73:24 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:75:17:75:24 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:77:17:77:24 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:79:17:79:24 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:81:17:81:24 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:83:38:83:45 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:85:36:85:43 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:87:46:87:53 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:89:38:89:45 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:91:31:91:38 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:93:41:93:48 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:95:31:95:38 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:97:33:97:40 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:99:33:99:40 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:101:27:101:34 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:102:27:102:34 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:104:40:104:47 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:105:47:105:54 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:107:40:107:47 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:109:38:109:45 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:111:33:111:40 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:113:33:113:40 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:115:41:115:48 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:117:42:117:49 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:119:37:119:44 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:121:29:121:36 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:123:37:123:44 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:125:28:125:35 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:127:33:127:40 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:129:40:129:47 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:131:40:131:47 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:132:40:132:47 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:134:38:134:45 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:136:28:136:35 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:137:28:137:35 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:138:28:138:35 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:140:34:140:41 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:141:34:141:41 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:143:33:143:40 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:145:42:145:49 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:147:50:147:57 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:149:54:149:61 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:151:50:151:57 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:153:35:153:42 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:155:48:155:55 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:160:37:160:44 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:162:74:162:81 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:164:68:164:75 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:166:68:166:75 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:168:30:168:37 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:181:30:181:37 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:186:33:186:40 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:188:27:188:34 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:190:28:190:35 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:192:29:192:36 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:197:27:197:34 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:199:26:199:33 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:32:16:32:45 | getParameter(...) : String | Test.java:204:29:204:36 | source(...) : String | provenance | Src:MaD:73 |
| Test.java:37:61:37:68 | source(...) : String | Test.java:37:52:37:68 | (...)... | provenance | Sink:MaD:31 |
| Test.java:39:41:39:48 | source(...) : String | Test.java:39:32:39:48 | (...)... | provenance | Sink:MaD:29 |
| Test.java:41:56:41:63 | source(...) : String | Test.java:41:47:41:63 | (...)... | provenance | Sink:MaD:30 |
| Test.java:43:17:43:24 | source(...) : String | Test.java:43:10:43:24 | (...)... | provenance | Sink:MaD:1 |
| Test.java:45:17:45:24 | source(...) : String | Test.java:45:10:45:24 | (...)... | provenance | Sink:MaD:2 |
| Test.java:47:17:47:24 | source(...) : String | Test.java:47:10:47:24 | (...)... | provenance | Sink:MaD:3 |
| Test.java:49:17:49:24 | source(...) : String | Test.java:49:10:49:24 | (...)... | provenance | Sink:MaD:4 |
| Test.java:51:46:51:53 | source(...) : String | Test.java:51:39:51:53 | (...)... | provenance | Sink:MaD:5 |
| Test.java:53:17:53:24 | source(...) : String | Test.java:53:10:53:24 | (...)... | provenance | Sink:MaD:6 |
| Test.java:55:17:55:24 | source(...) : String | Test.java:55:10:55:24 | (...)... | provenance | Sink:MaD:7 |
| Test.java:57:17:57:24 | source(...) : String | Test.java:57:10:57:24 | (...)... | provenance | Sink:MaD:8 |
| Test.java:59:17:59:24 | source(...) : String | Test.java:59:10:59:24 | (...)... | provenance | Sink:MaD:9 |
| Test.java:61:17:61:24 | source(...) : String | Test.java:61:10:61:24 | (...)... | provenance | Sink:MaD:10 |
| Test.java:63:17:63:24 | source(...) : String | Test.java:63:10:63:24 | (...)... | provenance | Sink:MaD:11 |
| Test.java:65:17:65:24 | source(...) : String | Test.java:65:10:65:24 | (...)... | provenance | Sink:MaD:12 |
| Test.java:67:17:67:24 | source(...) : String | Test.java:67:10:67:24 | (...)... | provenance | Sink:MaD:13 |
| Test.java:69:38:69:45 | source(...) : String | Test.java:69:31:69:45 | (...)... | provenance | Sink:MaD:14 |
| Test.java:71:17:71:24 | source(...) : String | Test.java:71:10:71:24 | (...)... | provenance | Sink:MaD:15 |
| Test.java:73:17:73:24 | source(...) : String | Test.java:73:10:73:24 | (...)... | provenance | Sink:MaD:16 |
| Test.java:75:17:75:24 | source(...) : String | Test.java:75:10:75:24 | (...)... | provenance | Sink:MaD:17 |
| Test.java:77:17:77:24 | source(...) : String | Test.java:77:10:77:24 | (...)... | provenance | Sink:MaD:19 |
| Test.java:79:17:79:24 | source(...) : String | Test.java:79:10:79:24 | (...)... | provenance | Sink:MaD:18 |
| Test.java:81:17:81:24 | source(...) : String | Test.java:81:10:81:24 | (...)... | provenance | Sink:MaD:20 |
| Test.java:83:38:83:45 | source(...) : String | Test.java:83:31:83:45 | (...)... | provenance | Sink:MaD:14 |
| Test.java:85:36:85:43 | source(...) : String | Test.java:85:29:85:43 | (...)... | provenance | Sink:MaD:21 |
| Test.java:87:46:87:53 | source(...) : String | Test.java:87:29:87:53 | (...)... | provenance | Sink:MaD:22 |
| Test.java:89:38:89:45 | source(...) : String | Test.java:89:29:89:45 | (...)... | provenance | Sink:MaD:23 |
| Test.java:91:31:91:38 | source(...) : String | Test.java:91:24:91:38 | (...)... | provenance | Sink:MaD:24 |
| Test.java:93:41:93:48 | source(...) : String | Test.java:93:24:93:48 | (...)... | provenance | Sink:MaD:26 |
| Test.java:95:31:95:38 | source(...) : String | Test.java:95:24:95:38 | (...)... | provenance | Sink:MaD:25 |
| Test.java:97:33:97:40 | source(...) : String | Test.java:97:24:97:40 | (...)... | provenance | Sink:MaD:27 |
| Test.java:99:33:99:40 | source(...) : String | Test.java:99:24:99:40 | (...)... | provenance | Sink:MaD:28 |
| Test.java:101:27:101:34 | source(...) : String | Test.java:101:20:101:34 | (...)... | provenance | Sink:MaD:34 |
| Test.java:102:27:102:34 | source(...) : String | Test.java:102:20:102:34 | (...)... | provenance | Sink:MaD:33 |
| Test.java:104:40:104:47 | source(...) : String | Test.java:104:33:104:47 | (...)... | provenance | Sink:MaD:35 |
| Test.java:105:47:105:54 | source(...) : String | Test.java:105:40:105:54 | (...)... | provenance | Sink:MaD:32 |
| Test.java:107:40:107:47 | source(...) : String | Test.java:107:33:107:47 | (...)... | provenance | Sink:MaD:36 |
| Test.java:109:38:109:45 | source(...) : String | Test.java:109:31:109:45 | (...)... | provenance | Sink:MaD:37 |
| Test.java:111:33:111:40 | source(...) : String | Test.java:111:26:111:40 | (...)... | provenance | Sink:MaD:38 |
| Test.java:113:33:113:40 | source(...) : String | Test.java:113:26:113:40 | (...)... | provenance | Sink:MaD:39 |
| Test.java:115:41:115:48 | source(...) : String | Test.java:115:34:115:48 | (...)... | provenance | Sink:MaD:40 |
| Test.java:117:42:117:49 | source(...) : String | Test.java:117:35:117:49 | (...)... | provenance | Sink:MaD:41 |
| Test.java:119:37:119:44 | source(...) : String | Test.java:119:30:119:44 | (...)... | provenance | Sink:MaD:42 |
| Test.java:121:29:121:36 | source(...) : String | Test.java:121:22:121:36 | (...)... | provenance | Sink:MaD:43 |
| Test.java:123:37:123:44 | source(...) : String | Test.java:123:30:123:44 | (...)... | provenance | Sink:MaD:44 |
| Test.java:125:28:125:35 | source(...) : String | Test.java:125:21:125:35 | (...)... | provenance | Sink:MaD:45 |
| Test.java:127:33:127:40 | source(...) : String | Test.java:127:26:127:40 | (...)... | provenance | Sink:MaD:46 |
| Test.java:129:40:129:47 | source(...) : String | Test.java:129:33:129:47 | (...)... | provenance | Sink:MaD:47 |
| Test.java:131:40:131:47 | source(...) : String | Test.java:131:33:131:47 | (...)... | provenance | Sink:MaD:48 |
| Test.java:132:40:132:47 | source(...) : String | Test.java:132:33:132:47 | (...)... | provenance | Sink:MaD:48 |
| Test.java:134:38:134:45 | source(...) : String | Test.java:134:31:134:45 | (...)... | provenance | Sink:MaD:49 |
| Test.java:136:28:136:35 | source(...) : String | Test.java:136:21:136:35 | (...)... | provenance | Sink:MaD:50 |
| Test.java:137:28:137:35 | source(...) : String | Test.java:137:21:137:35 | (...)... | provenance | Sink:MaD:50 |
| Test.java:138:28:138:35 | source(...) : String | Test.java:138:21:138:35 | (...)... | provenance | Sink:MaD:50 |
| Test.java:140:34:140:41 | source(...) : String | Test.java:140:27:140:41 | (...)... | provenance | Sink:MaD:51 |
| Test.java:141:34:141:41 | source(...) : String | Test.java:141:27:141:41 | (...)... | provenance | Sink:MaD:51 |
| Test.java:143:33:143:40 | source(...) : String | Test.java:143:26:143:40 | (...)... | provenance | Sink:MaD:52 |
| Test.java:145:42:145:49 | source(...) : String | Test.java:145:35:145:49 | (...)... | provenance | Sink:MaD:53 |
| Test.java:147:50:147:57 | source(...) : String | Test.java:147:41:147:57 | (...)... | provenance | Sink:MaD:65 |
| Test.java:149:54:149:61 | source(...) : String | Test.java:149:45:149:61 | (...)... | provenance | Sink:MaD:66 |
| Test.java:151:50:151:57 | source(...) : String | Test.java:151:43:151:57 | (...)... | provenance | Sink:MaD:71 |
| Test.java:153:35:153:42 | source(...) : String | Test.java:153:28:153:42 | (...)... | provenance | Sink:MaD:69 |
| Test.java:155:48:155:55 | source(...) : String | Test.java:155:41:155:55 | (...)... | provenance | Sink:MaD:70 |
| Test.java:160:37:160:44 | source(...) : String | Test.java:160:30:160:44 | (...)... | provenance | Sink:MaD:63 |
| Test.java:162:74:162:81 | source(...) : String | Test.java:162:40:162:81 | (...)... | provenance | Sink:MaD:60 |
| Test.java:164:68:164:75 | source(...) : String | Test.java:164:34:164:75 | (...)... | provenance | Sink:MaD:62 |
| Test.java:166:68:166:75 | source(...) : String | Test.java:166:34:166:75 | (...)... | provenance | Sink:MaD:61 |
| Test.java:168:30:168:37 | source(...) : String | Test.java:168:23:168:37 | (...)... | provenance | Sink:MaD:67 |
| Test.java:181:30:181:37 | source(...) : String | Test.java:181:23:181:37 | (...)... | provenance | Sink:MaD:64 |
| Test.java:186:33:186:40 | source(...) : String | Test.java:186:23:186:40 | (...)... | provenance | Sink:MaD:54 |
| Test.java:188:27:188:34 | source(...) : String | Test.java:188:20:188:34 | (...)... | provenance | Sink:MaD:55 |
| Test.java:190:28:190:35 | source(...) : String | Test.java:190:21:190:35 | (...)... | provenance | Sink:MaD:56 |
| Test.java:192:29:192:36 | source(...) : String | Test.java:192:22:192:36 | (...)... | provenance | Sink:MaD:57 |
| Test.java:197:27:197:34 | source(...) : String | Test.java:197:20:197:34 | (...)... | provenance | Sink:MaD:58 |
| Test.java:199:26:199:33 | source(...) : String | Test.java:199:19:199:33 | (...)... | provenance | Sink:MaD:59 |
| Test.java:204:29:204:36 | source(...) : String | Test.java:204:20:204:36 | (...)... | provenance | Sink:MaD:68 |
models
| 1 | Sink: java.io; File; true; canExecute; (); ; Argument[this]; path-injection; manual |
| 2 | Sink: java.io; File; true; canRead; (); ; Argument[this]; path-injection; manual |
| 3 | Sink: java.io; File; true; canWrite; (); ; Argument[this]; path-injection; manual |
| 4 | Sink: java.io; File; true; createNewFile; (); ; Argument[this]; path-injection; ai-manual |
| 5 | Sink: java.io; File; true; createTempFile; (String,String,File); ; Argument[2]; path-injection; ai-manual |
| 6 | Sink: java.io; File; true; delete; (); ; Argument[this]; path-injection; manual |
| 7 | Sink: java.io; File; true; deleteOnExit; (); ; Argument[this]; path-injection; manual |
| 8 | Sink: java.io; File; true; exists; (); ; Argument[this]; path-injection; manual |
| 9 | Sink: java.io; File; true; isDirectory; (); ; Argument[this]; path-injection; manual |
| 10 | Sink: java.io; File; true; isFile; (); ; Argument[this]; path-injection; manual |
| 11 | Sink: java.io; File; true; isHidden; (); ; Argument[this]; path-injection; manual |
| 12 | Sink: java.io; File; true; mkdir; (); ; Argument[this]; path-injection; manual |
| 13 | Sink: java.io; File; true; mkdirs; (); ; Argument[this]; path-injection; manual |
| 14 | Sink: java.io; File; true; renameTo; (File); ; Argument[0]; path-injection; ai-manual |
| 15 | Sink: java.io; File; true; renameTo; (File); ; Argument[this]; path-injection; ai-manual |
| 16 | Sink: java.io; File; true; setExecutable; ; ; Argument[this]; path-injection; manual |
| 17 | Sink: java.io; File; true; setLastModified; ; ; Argument[this]; path-injection; manual |
| 18 | Sink: java.io; File; true; setReadOnly; ; ; Argument[this]; path-injection; manual |
| 19 | Sink: java.io; File; true; setReadable; ; ; Argument[this]; path-injection; manual |
| 20 | Sink: java.io; File; true; setWritable; ; ; Argument[this]; path-injection; manual |
| 21 | Sink: java.io; FileInputStream; true; FileInputStream; (File); ; Argument[0]; path-injection; ai-manual |
| 22 | Sink: java.io; FileInputStream; true; FileInputStream; (FileDescriptor); ; Argument[0]; path-injection; manual |
| 23 | Sink: java.io; FileInputStream; true; FileInputStream; (String); ; Argument[0]; path-injection; ai-manual |
| 24 | Sink: java.io; FileReader; true; FileReader; (File); ; Argument[0]; path-injection; ai-manual |
| 25 | Sink: java.io; FileReader; true; FileReader; (File,Charset); ; Argument[0]; path-injection; manual |
| 26 | Sink: java.io; FileReader; true; FileReader; (FileDescriptor); ; Argument[0]; path-injection; manual |
| 27 | Sink: java.io; FileReader; true; FileReader; (String); ; Argument[0]; path-injection; ai-manual |
| 28 | Sink: java.io; FileReader; true; FileReader; (String,Charset); ; Argument[0]; path-injection; manual |
| 29 | Sink: java.lang; Class; false; getResource; (String); ; Argument[0]; path-injection; ai-manual |
| 30 | Sink: java.lang; ClassLoader; true; getSystemResourceAsStream; (String); ; Argument[0]; path-injection; ai-manual |
| 31 | Sink: java.lang; Module; true; getResourceAsStream; (String); ; Argument[0]; path-injection; ai-manual |
| 32 | Sink: java.nio.file; Files; false; copy; (InputStream,Path,CopyOption[]); ; Argument[1]; path-injection; manual |
| 33 | Sink: java.nio.file; Files; false; copy; (Path,OutputStream); ; Argument[0]; path-injection; manual |
| 34 | Sink: java.nio.file; Files; false; copy; (Path,Path,CopyOption[]); ; Argument[0]; path-injection; manual |
| 35 | Sink: java.nio.file; Files; false; copy; (Path,Path,CopyOption[]); ; Argument[1]; path-injection; manual |
| 36 | Sink: java.nio.file; Files; false; createDirectories; ; ; Argument[0]; path-injection; manual |
| 37 | Sink: java.nio.file; Files; false; createDirectory; ; ; Argument[0]; path-injection; manual |
| 38 | Sink: java.nio.file; Files; false; createFile; ; ; Argument[0]; path-injection; manual |
| 39 | Sink: java.nio.file; Files; false; createLink; ; ; Argument[0]; path-injection; manual |
| 40 | Sink: java.nio.file; Files; false; createSymbolicLink; ; ; Argument[0]; path-injection; manual |
| 41 | Sink: java.nio.file; Files; false; createTempDirectory; (Path,String,FileAttribute[]); ; Argument[0]; path-injection; manual |
| 42 | Sink: java.nio.file; Files; false; createTempFile; (Path,String,String,FileAttribute[]); ; Argument[0]; path-injection; manual |
| 43 | Sink: java.nio.file; Files; false; delete; (Path); ; Argument[0]; path-injection; ai-manual |
| 44 | Sink: java.nio.file; Files; false; deleteIfExists; (Path); ; Argument[0]; path-injection; ai-manual |
| 45 | Sink: java.nio.file; Files; false; lines; (Path,Charset); ; Argument[0]; path-injection; ai-manual |
| 46 | Sink: java.nio.file; Files; false; move; ; ; Argument[1]; path-injection; manual |
| 47 | Sink: java.nio.file; Files; false; newBufferedReader; (Path,Charset); ; Argument[0]; path-injection; ai-manual |
| 48 | Sink: java.nio.file; Files; false; newBufferedWriter; ; ; Argument[0]; path-injection; manual |
| 49 | Sink: java.nio.file; Files; false; newOutputStream; ; ; Argument[0]; path-injection; manual |
| 50 | Sink: java.nio.file; Files; false; write; ; ; Argument[0]; path-injection; manual |
| 51 | Sink: java.nio.file; Files; false; writeString; ; ; Argument[0]; path-injection; manual |
| 52 | Sink: javax.xml.transform.stream; StreamResult; true; StreamResult; (File); ; Argument[0]; path-injection; ai-manual |
| 53 | Sink: org.apache.commons.io; FileUtils; true; openInputStream; (File); ; Argument[0]; path-injection; ai-manual |
| 54 | Sink: org.apache.tools.ant.taskdefs; Copy; true; addFileset; (FileSet); ; Argument[0]; path-injection; ai-manual |
| 55 | Sink: org.apache.tools.ant.taskdefs; Copy; true; setFile; (File); ; Argument[0]; path-injection; ai-manual |
| 56 | Sink: org.apache.tools.ant.taskdefs; Copy; true; setTodir; (File); ; Argument[0]; path-injection; ai-manual |
| 57 | Sink: org.apache.tools.ant.taskdefs; Copy; true; setTofile; (File); ; Argument[0]; path-injection; ai-manual |
| 58 | Sink: org.apache.tools.ant.taskdefs; Expand; true; setDest; (File); ; Argument[0]; path-injection; ai-manual |
| 59 | Sink: org.apache.tools.ant.taskdefs; Expand; true; setSrc; (File); ; Argument[0]; path-injection; ai-manual |
| 60 | Sink: org.apache.tools.ant; AntClassLoader; true; AntClassLoader; (ClassLoader,Project,Path,boolean); ; Argument[2]; path-injection; ai-manual |
| 61 | Sink: org.apache.tools.ant; AntClassLoader; true; AntClassLoader; (Project,Path); ; Argument[1]; path-injection; ai-manual |
| 62 | Sink: org.apache.tools.ant; AntClassLoader; true; AntClassLoader; (Project,Path,boolean); ; Argument[1]; path-injection; ai-manual |
| 63 | Sink: org.apache.tools.ant; AntClassLoader; true; addPathComponent; (File); ; Argument[0]; path-injection; ai-manual |
| 64 | Sink: org.apache.tools.ant; DirectoryScanner; true; setBasedir; (File); ; Argument[0]; path-injection; ai-manual |
| 65 | Sink: org.codehaus.cargo.container.installer; ZipURLInstaller; true; ZipURLInstaller; (URL,String,String); ; Argument[1]; path-injection; ai-manual |
| 66 | Sink: org.codehaus.cargo.container.installer; ZipURLInstaller; true; ZipURLInstaller; (URL,String,String); ; Argument[2]; path-injection; ai-manual |
| 67 | Sink: org.kohsuke.stapler.framework.io; LargeText; true; LargeText; (File,Charset,boolean,boolean); ; Argument[0]; path-injection; ai-manual |
| 68 | Sink: org.openjdk.jmh.runner.options; ChainedOptionsBuilder; true; result; (String); ; Argument[0]; path-injection; ai-manual |
| 69 | Sink: org.springframework.util; FileCopyUtils; false; copy; (File,File); ; Argument[0]; path-injection; manual |
| 70 | Sink: org.springframework.util; FileCopyUtils; false; copy; (File,File); ; Argument[1]; path-injection; manual |
| 71 | Sink: org.springframework.util; FileCopyUtils; false; copy; (byte[],File); ; Argument[1]; path-injection; manual |
| 72 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual |
| 73 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
| 74 | Summary: java.io; BufferedReader; false; BufferedReader; ; ; Argument[0]; Argument[this]; taint; manual |
| 75 | Summary: java.io; BufferedReader; true; readLine; ; ; Argument[this]; ReturnValue; taint; manual |
| 76 | Summary: java.io; InputStreamReader; false; InputStreamReader; ; ; Argument[0]; Argument[this]; taint; manual |
nodes
| TaintedPath.java:13:17:13:89 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
| TaintedPath.java:13:36:13:88 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
| TaintedPath.java:13:58:13:78 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| TaintedPath.java:14:27:14:40 | filenameReader : BufferedReader | semmle.label | filenameReader : BufferedReader |
| TaintedPath.java:14:27:14:51 | readLine(...) : String | semmle.label | readLine(...) : String |
| TaintedPath.java:16:71:16:78 | filename | semmle.label | filename |
| Test.java:32:16:32:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| Test.java:37:52:37:68 | (...)... | semmle.label | (...)... |
| Test.java:37:61:37:68 | source(...) : String | semmle.label | source(...) : String |
| Test.java:39:32:39:48 | (...)... | semmle.label | (...)... |
| Test.java:39:41:39:48 | source(...) : String | semmle.label | source(...) : String |
| Test.java:41:47:41:63 | (...)... | semmle.label | (...)... |
| Test.java:41:56:41:63 | source(...) : String | semmle.label | source(...) : String |
| Test.java:43:10:43:24 | (...)... | semmle.label | (...)... |
| Test.java:43:17:43:24 | source(...) : String | semmle.label | source(...) : String |
| Test.java:45:10:45:24 | (...)... | semmle.label | (...)... |
| Test.java:45:17:45:24 | source(...) : String | semmle.label | source(...) : String |
| Test.java:47:10:47:24 | (...)... | semmle.label | (...)... |
| Test.java:47:17:47:24 | source(...) : String | semmle.label | source(...) : String |
| Test.java:49:10:49:24 | (...)... | semmle.label | (...)... |
| Test.java:49:17:49:24 | source(...) : String | semmle.label | source(...) : String |
| Test.java:51:39:51:53 | (...)... | semmle.label | (...)... |
| Test.java:51:46:51:53 | source(...) : String | semmle.label | source(...) : String |
| Test.java:53:10:53:24 | (...)... | semmle.label | (...)... |
| Test.java:53:17:53:24 | source(...) : String | semmle.label | source(...) : String |
| Test.java:55:10:55:24 | (...)... | semmle.label | (...)... |
| Test.java:55:17:55:24 | source(...) : String | semmle.label | source(...) : String |
| Test.java:57:10:57:24 | (...)... | semmle.label | (...)... |
| Test.java:57:17:57:24 | source(...) : String | semmle.label | source(...) : String |
| Test.java:59:10:59:24 | (...)... | semmle.label | (...)... |
| Test.java:59:17:59:24 | source(...) : String | semmle.label | source(...) : String |
| Test.java:61:10:61:24 | (...)... | semmle.label | (...)... |
| Test.java:61:17:61:24 | source(...) : String | semmle.label | source(...) : String |
| Test.java:63:10:63:24 | (...)... | semmle.label | (...)... |
| Test.java:63:17:63:24 | source(...) : String | semmle.label | source(...) : String |
| Test.java:65:10:65:24 | (...)... | semmle.label | (...)... |
| Test.java:65:17:65:24 | source(...) : String | semmle.label | source(...) : String |
| Test.java:67:10:67:24 | (...)... | semmle.label | (...)... |
| Test.java:67:17:67:24 | source(...) : String | semmle.label | source(...) : String |
| Test.java:69:31:69:45 | (...)... | semmle.label | (...)... |
| Test.java:69:38:69:45 | source(...) : String | semmle.label | source(...) : String |
| Test.java:71:10:71:24 | (...)... | semmle.label | (...)... |
| Test.java:71:17:71:24 | source(...) : String | semmle.label | source(...) : String |
| Test.java:73:10:73:24 | (...)... | semmle.label | (...)... |
| Test.java:73:17:73:24 | source(...) : String | semmle.label | source(...) : String |
| Test.java:75:10:75:24 | (...)... | semmle.label | (...)... |
| Test.java:75:17:75:24 | source(...) : String | semmle.label | source(...) : String |
| Test.java:77:10:77:24 | (...)... | semmle.label | (...)... |
| Test.java:77:17:77:24 | source(...) : String | semmle.label | source(...) : String |
| Test.java:79:10:79:24 | (...)... | semmle.label | (...)... |
| Test.java:79:17:79:24 | source(...) : String | semmle.label | source(...) : String |
| Test.java:81:10:81:24 | (...)... | semmle.label | (...)... |
| Test.java:81:17:81:24 | source(...) : String | semmle.label | source(...) : String |
| Test.java:83:31:83:45 | (...)... | semmle.label | (...)... |
| Test.java:83:38:83:45 | source(...) : String | semmle.label | source(...) : String |
| Test.java:85:29:85:43 | (...)... | semmle.label | (...)... |
| Test.java:85:36:85:43 | source(...) : String | semmle.label | source(...) : String |
| Test.java:87:29:87:53 | (...)... | semmle.label | (...)... |
| Test.java:87:46:87:53 | source(...) : String | semmle.label | source(...) : String |
| Test.java:89:29:89:45 | (...)... | semmle.label | (...)... |
| Test.java:89:38:89:45 | source(...) : String | semmle.label | source(...) : String |
| Test.java:91:24:91:38 | (...)... | semmle.label | (...)... |
| Test.java:91:31:91:38 | source(...) : String | semmle.label | source(...) : String |
| Test.java:93:24:93:48 | (...)... | semmle.label | (...)... |
| Test.java:93:41:93:48 | source(...) : String | semmle.label | source(...) : String |
| Test.java:95:24:95:38 | (...)... | semmle.label | (...)... |
| Test.java:95:31:95:38 | source(...) : String | semmle.label | source(...) : String |
| Test.java:97:24:97:40 | (...)... | semmle.label | (...)... |
| Test.java:97:33:97:40 | source(...) : String | semmle.label | source(...) : String |
| Test.java:99:24:99:40 | (...)... | semmle.label | (...)... |
| Test.java:99:33:99:40 | source(...) : String | semmle.label | source(...) : String |
| Test.java:101:20:101:34 | (...)... | semmle.label | (...)... |
| Test.java:101:27:101:34 | source(...) : String | semmle.label | source(...) : String |
| Test.java:102:20:102:34 | (...)... | semmle.label | (...)... |
| Test.java:102:27:102:34 | source(...) : String | semmle.label | source(...) : String |
| Test.java:104:33:104:47 | (...)... | semmle.label | (...)... |
| Test.java:104:40:104:47 | source(...) : String | semmle.label | source(...) : String |
| Test.java:105:40:105:54 | (...)... | semmle.label | (...)... |
| Test.java:105:47:105:54 | source(...) : String | semmle.label | source(...) : String |
| Test.java:107:33:107:47 | (...)... | semmle.label | (...)... |
| Test.java:107:40:107:47 | source(...) : String | semmle.label | source(...) : String |
| Test.java:109:31:109:45 | (...)... | semmle.label | (...)... |
| Test.java:109:38:109:45 | source(...) : String | semmle.label | source(...) : String |
| Test.java:111:26:111:40 | (...)... | semmle.label | (...)... |
| Test.java:111:33:111:40 | source(...) : String | semmle.label | source(...) : String |
| Test.java:113:26:113:40 | (...)... | semmle.label | (...)... |
| Test.java:113:33:113:40 | source(...) : String | semmle.label | source(...) : String |
| Test.java:115:34:115:48 | (...)... | semmle.label | (...)... |
| Test.java:115:41:115:48 | source(...) : String | semmle.label | source(...) : String |
| Test.java:117:35:117:49 | (...)... | semmle.label | (...)... |
| Test.java:117:42:117:49 | source(...) : String | semmle.label | source(...) : String |
| Test.java:119:30:119:44 | (...)... | semmle.label | (...)... |
| Test.java:119:37:119:44 | source(...) : String | semmle.label | source(...) : String |
| Test.java:121:22:121:36 | (...)... | semmle.label | (...)... |
| Test.java:121:29:121:36 | source(...) : String | semmle.label | source(...) : String |
| Test.java:123:30:123:44 | (...)... | semmle.label | (...)... |
| Test.java:123:37:123:44 | source(...) : String | semmle.label | source(...) : String |
| Test.java:125:21:125:35 | (...)... | semmle.label | (...)... |
| Test.java:125:28:125:35 | source(...) : String | semmle.label | source(...) : String |
| Test.java:127:26:127:40 | (...)... | semmle.label | (...)... |
| Test.java:127:33:127:40 | source(...) : String | semmle.label | source(...) : String |
| Test.java:129:33:129:47 | (...)... | semmle.label | (...)... |
| Test.java:129:40:129:47 | source(...) : String | semmle.label | source(...) : String |
| Test.java:131:33:131:47 | (...)... | semmle.label | (...)... |
| Test.java:131:40:131:47 | source(...) : String | semmle.label | source(...) : String |
| Test.java:132:33:132:47 | (...)... | semmle.label | (...)... |
| Test.java:132:40:132:47 | source(...) : String | semmle.label | source(...) : String |
| Test.java:134:31:134:45 | (...)... | semmle.label | (...)... |
| Test.java:134:38:134:45 | source(...) : String | semmle.label | source(...) : String |
| Test.java:136:21:136:35 | (...)... | semmle.label | (...)... |
| Test.java:136:28:136:35 | source(...) : String | semmle.label | source(...) : String |
| Test.java:137:21:137:35 | (...)... | semmle.label | (...)... |
| Test.java:137:28:137:35 | source(...) : String | semmle.label | source(...) : String |
| Test.java:138:21:138:35 | (...)... | semmle.label | (...)... |
| Test.java:138:28:138:35 | source(...) : String | semmle.label | source(...) : String |
| Test.java:140:27:140:41 | (...)... | semmle.label | (...)... |
| Test.java:140:34:140:41 | source(...) : String | semmle.label | source(...) : String |
| Test.java:141:27:141:41 | (...)... | semmle.label | (...)... |
| Test.java:141:34:141:41 | source(...) : String | semmle.label | source(...) : String |
| Test.java:143:26:143:40 | (...)... | semmle.label | (...)... |
| Test.java:143:33:143:40 | source(...) : String | semmle.label | source(...) : String |
| Test.java:145:35:145:49 | (...)... | semmle.label | (...)... |
| Test.java:145:42:145:49 | source(...) : String | semmle.label | source(...) : String |
| Test.java:147:41:147:57 | (...)... | semmle.label | (...)... |
| Test.java:147:50:147:57 | source(...) : String | semmle.label | source(...) : String |
| Test.java:149:45:149:61 | (...)... | semmle.label | (...)... |
| Test.java:149:54:149:61 | source(...) : String | semmle.label | source(...) : String |
| Test.java:151:43:151:57 | (...)... | semmle.label | (...)... |
| Test.java:151:50:151:57 | source(...) : String | semmle.label | source(...) : String |
| Test.java:153:28:153:42 | (...)... | semmle.label | (...)... |
| Test.java:153:35:153:42 | source(...) : String | semmle.label | source(...) : String |
| Test.java:155:41:155:55 | (...)... | semmle.label | (...)... |
| Test.java:155:48:155:55 | source(...) : String | semmle.label | source(...) : String |
| Test.java:160:30:160:44 | (...)... | semmle.label | (...)... |
| Test.java:160:37:160:44 | source(...) : String | semmle.label | source(...) : String |
| Test.java:162:40:162:81 | (...)... | semmle.label | (...)... |
| Test.java:162:74:162:81 | source(...) : String | semmle.label | source(...) : String |
| Test.java:164:34:164:75 | (...)... | semmle.label | (...)... |
| Test.java:164:68:164:75 | source(...) : String | semmle.label | source(...) : String |
| Test.java:166:34:166:75 | (...)... | semmle.label | (...)... |
| Test.java:166:68:166:75 | source(...) : String | semmle.label | source(...) : String |
| Test.java:168:23:168:37 | (...)... | semmle.label | (...)... |
| Test.java:168:30:168:37 | source(...) : String | semmle.label | source(...) : String |
| Test.java:181:23:181:37 | (...)... | semmle.label | (...)... |
| Test.java:181:30:181:37 | source(...) : String | semmle.label | source(...) : String |
| Test.java:186:23:186:40 | (...)... | semmle.label | (...)... |
| Test.java:186:33:186:40 | source(...) : String | semmle.label | source(...) : String |
| Test.java:188:20:188:34 | (...)... | semmle.label | (...)... |
| Test.java:188:27:188:34 | source(...) : String | semmle.label | source(...) : String |
| Test.java:190:21:190:35 | (...)... | semmle.label | (...)... |
| Test.java:190:28:190:35 | source(...) : String | semmle.label | source(...) : String |
| Test.java:192:22:192:36 | (...)... | semmle.label | (...)... |
| Test.java:192:29:192:36 | source(...) : String | semmle.label | source(...) : String |
| Test.java:197:20:197:34 | (...)... | semmle.label | (...)... |
| Test.java:197:27:197:34 | source(...) : String | semmle.label | source(...) : String |
| Test.java:199:19:199:33 | (...)... | semmle.label | (...)... |
| Test.java:199:26:199:33 | source(...) : String | semmle.label | source(...) : String |
| Test.java:204:20:204:36 | (...)... | semmle.label | (...)... |
| Test.java:204:29:204:36 | source(...) : String | semmle.label | source(...) : String |
subpaths

4
java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java
View File

@@ -10,10 +10,10 @@ import java.nio.file.Paths;
public class TaintedPath {
public void sendUserFile(Socket sock, String user) throws IOException {
BufferedReader filenameReader =
new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8")); // $ Source
String filename = filenameReader.readLine();
// BAD: read from a file without checking its path
BufferedReader fileReader = new BufferedReader(new FileReader(filename)); // $ hasTaintFlow
BufferedReader fileReader = new BufferedReader(new FileReader(filename)); // $ Alert
String fileLine = fileReader.readLine();
while (fileLine != null) {
sock.getOutputStream().write(fileLine.getBytes());

4
java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.ql
View File

@@ -1,4 +0,0 @@
import java
import utils.test.InlineFlowTest
import semmle.code.java.security.TaintedPathQuery
import TaintFlowTest<TaintedPathConfig>

4
java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.qlref Normal file
View File

@@ -0,0 +1,4 @@
query: Security/CWE/CWE-022/TaintedPath.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql

156
java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
View File

@@ -29,143 +29,143 @@ public class Test {
private HttpServletRequest request;
public Object source() {
return request.getParameter("source");
return request.getParameter("source"); // $ Source
}
void test() throws IOException {
// "java.lang;Module;true;getResourceAsStream;(String);;Argument[0];read-file;ai-generated"
getClass().getModule().getResourceAsStream((String) source()); // $ hasTaintFlow
getClass().getModule().getResourceAsStream((String) source()); // $ Alert
// "java.lang;Class;false;getResource;(String);;Argument[0];read-file;ai-generated"
getClass().getResource((String) source()); // $ hasTaintFlow
getClass().getResource((String) source()); // $ Alert
// "java.lang;ClassLoader;true;getSystemResourceAsStream;(String);;Argument[0];read-file;ai-generated"
ClassLoader.getSystemResourceAsStream((String) source()); // $ hasTaintFlow
ClassLoader.getSystemResourceAsStream((String) source()); // $ Alert
// "java.io;File;True;canExecute;();;Argument[this];path-injection;manual"
((File) source()).canExecute(); // $ hasTaintFlow
((File) source()).canExecute(); // $ Alert
// "java.io;File;True;canRead;();;Argument[this];path-injection;manual"
((File) source()).canRead(); // $ hasTaintFlow
((File) source()).canRead(); // $ Alert
// "java.io;File;True;canWrite;();;Argument[this];path-injection;manual"
((File) source()).canWrite(); // $ hasTaintFlow
((File) source()).canWrite(); // $ Alert
// "java.io;File;True;createNewFile;();;Argument[this];path-injection;ai-manual"
((File) source()).createNewFile(); // $ hasTaintFlow
((File) source()).createNewFile(); // $ Alert
// "java.io;File;true;createTempFile;(String,String,File);;Argument[2];create-file;ai-generated"
File.createTempFile(";", ";", (File) source()); // $ hasTaintFlow
File.createTempFile(";", ";", (File) source()); // $ Alert
// "java.io;File;True;delete;();;Argument[this];path-injection;manual"
((File) source()).delete(); // $ hasTaintFlow
((File) source()).delete(); // $ Alert
// "java.io;File;True;deleteOnExit;();;Argument[this];path-injection;manual"
((File) source()).deleteOnExit(); // $ hasTaintFlow
((File) source()).deleteOnExit(); // $ Alert
// "java.io;File;True;exists;();;Argument[this];path-injection;manual"
((File) source()).exists(); // $ hasTaintFlow
((File) source()).exists(); // $ Alert
// "java.io:File;True;isDirectory;();;Argument[this];path-injection;manual"
((File) source()).isDirectory(); // $ hasTaintFlow
((File) source()).isDirectory(); // $ Alert
// "java.io:File;True;isFile;();;Argument[this];path-injection;manual"
((File) source()).isFile(); // $ hasTaintFlow
((File) source()).isFile(); // $ Alert
// "java.io:File;True;isHidden;();;Argument[this];path-injection;manual"
((File) source()).isHidden(); // $ hasTaintFlow
((File) source()).isHidden(); // $ Alert
// "java.io;File;True;mkdir;();;Argument[this];path-injection;manual"
((File) source()).mkdir(); // $ hasTaintFlow
((File) source()).mkdir(); // $ Alert
// "java.io;File;True;mkdirs;();;Argument[this];path-injection;manual"
((File) source()).mkdirs(); // $ hasTaintFlow
((File) source()).mkdirs(); // $ Alert
// "java.io;File;True;renameTo;(File);;Argument[0];path-injection;ai-manual"
new File("").renameTo((File) source()); // $ hasTaintFlow
new File("").renameTo((File) source()); // $ Alert
// "java.io;File;True;renameTo;(File);;Argument[this];path-injection;ai-manual"
((File) source()).renameTo(null); // $ hasTaintFlow
((File) source()).renameTo(null); // $ Alert
// "java.io;File;True;setExecutable;;;Argument[this];path-injection;manual"
((File) source()).setExecutable(true); // $ hasTaintFlow
((File) source()).setExecutable(true); // $ Alert
// "java.io;File;True;setLastModified;;;Argument[this];path-injection;manual"
((File) source()).setLastModified(0); // $ hasTaintFlow
((File) source()).setLastModified(0); // $ Alert
// "java.io;File;True;setReadable;;;Argument[this];path-injection;manual"
((File) source()).setReadable(true); // $ hasTaintFlow
((File) source()).setReadable(true); // $ Alert
// "java.io;File;True;setReadOnly;;;Argument[this];path-injection;manual"
((File) source()).setReadOnly(); // $ hasTaintFlow
((File) source()).setReadOnly(); // $ Alert
// "java.io;File;True;setWritable;;;Argument[this];path-injection;manual"
((File) source()).setWritable(true); // $ hasTaintFlow
((File) source()).setWritable(true); // $ Alert
// "java.io;File;true;renameTo;(File);;Argument[0];create-file;ai-generated"
new File("").renameTo((File) source()); // $ hasTaintFlow
new File("").renameTo((File) source()); // $ Alert
// "java.io;FileInputStream;true;FileInputStream;(File);;Argument[0];read-file;ai-generated"
new FileInputStream((File) source()); // $ hasTaintFlow
new FileInputStream((File) source()); // $ Alert
// "java.io;FileInputStream;true;FileInputStream;(FileDescriptor);;Argument[0];read-file;manual"
new FileInputStream((FileDescriptor) source()); // $ hasTaintFlow
// "java.io;FileInputStream;true;FileInputStream;(Strrirng);;Argument[0];read-file;manual"
new FileInputStream((String) source()); // $ hasTaintFlow
new FileInputStream((FileDescriptor) source()); // $ Alert
// "java.io;FileInputStream;true;FileInputStream;(String);;Argument[0];read-file;manual"
new FileInputStream((String) source()); // $ Alert
// "java.io;FileReader;true;FileReader;(File);;Argument[0];read-file;ai-generated"
new FileReader((File) source()); // $ hasTaintFlow
new FileReader((File) source()); // $ Alert
// "java.io;FileReader;true;FileReader;(FileDescriptor);;Argument[0];read-file;manual"
new FileReader((FileDescriptor) source()); // $ hasTaintFlow
new FileReader((FileDescriptor) source()); // $ Alert
// "java.io;FileReader;true;FileReader;(File,Charset);;Argument[0];read-file;manual"
new FileReader((File) source(), null); // $ hasTaintFlow
new FileReader((File) source(), null); // $ Alert
// "java.io;FileReader;true;FileReader;(String);;Argument[0];read-file;ai-generated"
new FileReader((String) source()); // $ hasTaintFlow
new FileReader((String) source()); // $ Alert
// "java.io;FileReader;true;FileReader;(String,Charset);;Argument[0];read-file;manual"
new FileReader((String) source(), null); // $ hasTaintFlow
new FileReader((String) source(), null); // $ Alert
// "java.nio.file;Files;false;copy;;;Argument[0];read-file;manual"
Files.copy((Path) source(), (Path) null); // $ hasTaintFlow
Files.copy((Path) source(), (OutputStream) null); // $ hasTaintFlow
Files.copy((Path) source(), (Path) null); // $ Alert
Files.copy((Path) source(), (OutputStream) null); // $ Alert
// "java.nio.file;Files;false;copy;;;Argument[1];create-file;manual"
Files.copy((Path) null, (Path) source()); // $ hasTaintFlow
Files.copy((InputStream) null, (Path) source()); // $ hasTaintFlow
Files.copy((Path) null, (Path) source()); // $ Alert
Files.copy((InputStream) null, (Path) source()); // $ Alert
// "java.nio.file;Files;false;createDirectories;;;Argument[0];create-file;manual"
Files.createDirectories((Path) source()); // $ hasTaintFlow
Files.createDirectories((Path) source()); // $ Alert
// "java.nio.file;Files;false;createDirectory;;;Argument[0];create-file;manual"
Files.createDirectory((Path) source()); // $ hasTaintFlow
Files.createDirectory((Path) source()); // $ Alert
// "java.nio.file;Files;false;createFile;;;Argument[0];create-file;manual"
Files.createFile((Path) source()); // $ hasTaintFlow
Files.createFile((Path) source()); // $ Alert
// "java.nio.file;Files;false;createLink;;;Argument[0];create-file;manual"
Files.createLink((Path) source(), null); // $ hasTaintFlow
Files.createLink((Path) source(), null); // $ Alert
// "java.nio.file;Files;false;createSymbolicLink;;;Argument[0];create-file;manual"
Files.createSymbolicLink((Path) source(), null); // $ hasTaintFlow
Files.createSymbolicLink((Path) source(), null); // $ Alert
// "java.nio.file;Files;false;createTempDirectory;(Path,String,FileAttribute[]);;Argument[0];create-file;manual"
Files.createTempDirectory((Path) source(), null); // $ hasTaintFlow
Files.createTempDirectory((Path) source(), null); // $ Alert
// "java.nio.file;Files;false;createTempFile;(Path,String,String,FileAttribute[]);;Argument[0];create-file;manual"
Files.createTempFile((Path) source(), null, null); // $ hasTaintFlow
Files.createTempFile((Path) source(), null, null); // $ Alert
// "java.nio.file;Files;false;delete;(Path);;Argument[0];delete-file;ai-generated"
Files.delete((Path) source()); // $ hasTaintFlow
Files.delete((Path) source()); // $ Alert
// "java.nio.file;Files;false;deleteIfExists;(Path);;Argument[0];delete-file;ai-generated"
Files.deleteIfExists((Path) source()); // $ hasTaintFlow
Files.deleteIfExists((Path) source()); // $ Alert
// "java.nio.file;Files;false;lines;(Path,Charset);;Argument[0];read-file;ai-generated"
Files.lines((Path) source(), null); // $ hasTaintFlow
Files.lines((Path) source(), null); // $ Alert
// "java.nio.file;Files;false;move;;;Argument[1];create-file;manual"
Files.move(null, (Path) source()); // $ hasTaintFlow
Files.move(null, (Path) source()); // $ Alert
// "java.nio.file;Files;false;newBufferedReader;(Path,Charset);;Argument[0];read-file;ai-generated"
Files.newBufferedReader((Path) source(), null); // $ hasTaintFlow
Files.newBufferedReader((Path) source(), null); // $ Alert
// "java.nio.file;Files;false;newBufferedWriter;;;Argument[0];create-file;manual"
Files.newBufferedWriter((Path) source()); // $ hasTaintFlow
Files.newBufferedWriter((Path) source(), (Charset) null); // $ hasTaintFlow
Files.newBufferedWriter((Path) source()); // $ Alert
Files.newBufferedWriter((Path) source(), (Charset) null); // $ Alert
// "java.nio.file;Files;false;newOutputStream;;;Argument[0];create-file;manual"
Files.newOutputStream((Path) source()); // $ hasTaintFlow
Files.newOutputStream((Path) source()); // $ Alert
// "java.nio.file;Files;false;write;;;Argument[0];create-file;manual"
Files.write((Path) source(), (byte[]) null); // $ hasTaintFlow
Files.write((Path) source(), (Iterable<CharSequence>) null); // $ hasTaintFlow
Files.write((Path) source(), (Iterable<CharSequence>) null, (Charset) null); // $ hasTaintFlow
Files.write((Path) source(), (byte[]) null); // $ Alert
Files.write((Path) source(), (Iterable<CharSequence>) null); // $ Alert
Files.write((Path) source(), (Iterable<CharSequence>) null, (Charset) null); // $ Alert
// "java.nio.file;Files;false;writeString;;;Argument[0];create-file;manual"
Files.writeString((Path) source(), (CharSequence) null); // $ hasTaintFlow
Files.writeString((Path) source(), (CharSequence) null, (Charset) null); // $ hasTaintFlow
Files.writeString((Path) source(), (CharSequence) null); // $ Alert
Files.writeString((Path) source(), (CharSequence) null, (Charset) null); // $ Alert
// "javax.xml.transform.stream;StreamResult";true;"StreamResult;(File);;Argument[0];create-file;ai-generated"
new StreamResult((File) source()); // $ hasTaintFlow
new StreamResult((File) source()); // $ Alert
// "org.apache.commons.io;FileUtils;true;openInputStream;(File);;Argument[0];read-file;ai-generated"
FileUtils.openInputStream((File) source()); // $ hasTaintFlow
FileUtils.openInputStream((File) source()); // $ Alert
// "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[1];create-file;ai-generated"
new ZipURLInstaller((URL) null, (String) source(), ""); // $ hasTaintFlow
new ZipURLInstaller((URL) null, (String) source(), ""); // $ Alert
// "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[2];create-file;ai-generated"
new ZipURLInstaller((URL) null, "", (String) source()); // $ hasTaintFlow
new ZipURLInstaller((URL) null, "", (String) source()); // $ Alert
// "org.springframework.util;FileCopyUtils;false;copy;(byte[],File);;Argument[1];create-file;manual"
FileCopyUtils.copy((byte[]) null, (File) source()); // $ hasTaintFlow
FileCopyUtils.copy((byte[]) null, (File) source()); // $ Alert
// "org.springframework.util;FileCopyUtils;false;copy;(File,File);;Argument[0];create-file;manual"
FileCopyUtils.copy((File) source(), null); // $ hasTaintFlow
FileCopyUtils.copy((File) source(), null); // $ Alert
// "org.springframework.util;FileCopyUtils;false;copy;(File,File);;Argument[1];create-file;manual"
FileCopyUtils.copy((File) null, (File) source()); // $ hasTaintFlow
FileCopyUtils.copy((File) null, (File) source()); // $ Alert
}
void test(AntClassLoader acl) {
// "org.apache.tools.ant;AntClassLoader;true;addPathComponent;(File);;Argument[0];read-file;ai-generated"
acl.addPathComponent((File) source()); // $ hasTaintFlow
acl.addPathComponent((File) source()); // $ Alert
// "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(ClassLoader,Project,Path,boolean);;Argument[2];read-file;ai-generated"
new AntClassLoader(null, null, (org.apache.tools.ant.types.Path) source(), false); // $ hasTaintFlow
new AntClassLoader(null, null, (org.apache.tools.ant.types.Path) source(), false); // $ Alert
// "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(Project,Path,boolean);;Argument[1];read-file;ai-generated"
new AntClassLoader(null, (org.apache.tools.ant.types.Path) source(), false); // $ hasTaintFlow
new AntClassLoader(null, (org.apache.tools.ant.types.Path) source(), false); // $ Alert
// "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(Project,Path);;Argument[1];read-file;ai-generated"
new AntClassLoader(null, (org.apache.tools.ant.types.Path) source()); // $ hasTaintFlow
new AntClassLoader(null, (org.apache.tools.ant.types.Path) source()); // $ Alert
// "org.kohsuke.stapler.framework.io;LargeText;true;LargeText;(File,Charset,boolean,boolean);;Argument[0];read-file;ai-generated"
new LargeText((File) source(), null, false, false); // $ hasTaintFlow
new LargeText((File) source(), null, false, false); // $ Alert
}
void doGet6(String root, HttpServletRequest request) throws IOException {
@@ -178,29 +178,29 @@ public class Test {
void test(DirectoryScanner ds) {
// "org.apache.tools.ant;DirectoryScanner;true;setBasedir;(File);;Argument[0];read-file;ai-generated"
ds.setBasedir((File) source()); // $ hasTaintFlow
ds.setBasedir((File) source()); // $ Alert
}
void test(Copy cp) {
// "org.apache.tools.ant.taskdefs;Copy;true;addFileset;(FileSet);;Argument[0];read-file;ai-generated"
cp.addFileset((FileSet) source()); // $ hasTaintFlow
cp.addFileset((FileSet) source()); // $ Alert
// "org.apache.tools.ant.taskdefs;Copy;true;setFile;(File);;Argument[0];read-file;ai-generated"
cp.setFile((File) source()); // $ hasTaintFlow
cp.setFile((File) source()); // $ Alert
// "org.apache.tools.ant.taskdefs;Copy;true;setTodir;(File);;Argument[0];create-file;ai-generated"
cp.setTodir((File) source()); // $ hasTaintFlow
cp.setTodir((File) source()); // $ Alert
// "org.apache.tools.ant.taskdefs;Copy;true;setTofile;(File);;Argument[0];create-file;ai-generated"
cp.setTofile((File) source()); // $ hasTaintFlow
cp.setTofile((File) source()); // $ Alert
}
void test(Expand ex) {
// "org.apache.tools.ant.taskdefs;Expand;true;setDest;(File);;Argument[0];create-file;ai-generated"
ex.setDest((File) source()); // $ hasTaintFlow
ex.setDest((File) source()); // $ Alert
// "org.apache.tools.ant.taskdefs;Expand;true;setSrc;(File);;Argument[0];read-file;ai-generated"
ex.setSrc((File) source()); // $ hasTaintFlow
ex.setSrc((File) source()); // $ Alert
}
void test(ChainedOptionsBuilder cob) {
// "org.openjdk.jmh.runner.options;ChainedOptionsBuilder;true;result;(String);;Argument[0];create-file;ai-generated"
cob.result((String) source()); // $ hasTaintFlow
cob.result((String) source()); // $ Alert
}
}

32
java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversal.expected
View File

@@ -1,16 +1,16 @@
| PartialPathTraversalTest.java:10:14:10:73 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:17:9:17:72 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:29:14:29:58 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:35:14:35:63 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:42:14:42:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:49:14:49:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:53:14:53:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:61:14:61:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:64:14:64:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:75:14:75:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:94:14:94:63 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:102:14:102:63 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:105:14:105:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:173:14:173:63 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:191:18:191:87 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:209:14:209:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:13:14:13:75 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:20:9:20:74 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:32:14:32:60 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:38:14:38:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:45:14:45:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:52:14:52:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:56:14:56:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:64:14:64:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:67:14:67:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:78:14:78:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:97:14:97:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:105:14:105:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:108:14:108:66 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:176:14:176:65 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:194:18:194:87 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |
| PartialPathTraversalTest.java:212:14:212:64 | startsWith(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal. |

135
java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.expected
View File

@@ -0,0 +1,135 @@
#select
| PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:32:14:32:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:32:14:32:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:38:14:38:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:38:14:38:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:45:14:45:26 | canonicalPath | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:45:14:45:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:52:14:52:26 | canonicalPath | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:52:14:52:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:56:14:56:27 | canonicalPath2 | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:56:14:56:27 | canonicalPath2 | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:64:14:64:26 | canonicalPath | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:64:14:64:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:67:14:67:27 | canonicalPath2 | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:67:14:67:27 | canonicalPath2 | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:97:14:97:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:97:14:97:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:105:14:105:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:105:14:105:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:108:14:108:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:108:14:108:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:176:14:176:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:176:14:176:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
edges
| PartialPathTraversalTest.java:13:14:13:18 | dir(...) : File | PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | provenance | MaD:6 |
| PartialPathTraversalTest.java:20:10:20:14 | dir(...) : File | PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | provenance | MaD:6 |
| PartialPathTraversalTest.java:32:14:32:18 | dir(...) : File | PartialPathTraversalTest.java:32:14:32:37 | getCanonicalPath(...) | provenance | MaD:6 |
| PartialPathTraversalTest.java:38:14:38:18 | dir(...) : File | PartialPathTraversalTest.java:38:14:38:37 | getCanonicalPath(...) | provenance | MaD:6 |
| PartialPathTraversalTest.java:44:32:44:36 | dir(...) : File | PartialPathTraversalTest.java:44:32:44:55 | getCanonicalPath(...) : String | provenance | MaD:6 |
| PartialPathTraversalTest.java:44:32:44:55 | getCanonicalPath(...) : String | PartialPathTraversalTest.java:45:14:45:26 | canonicalPath | provenance | |
| PartialPathTraversalTest.java:51:32:51:36 | dir(...) : File | PartialPathTraversalTest.java:51:32:51:55 | getCanonicalPath(...) : String | provenance | MaD:6 |
| PartialPathTraversalTest.java:51:32:51:55 | getCanonicalPath(...) : String | PartialPathTraversalTest.java:52:14:52:26 | canonicalPath | provenance | |
| PartialPathTraversalTest.java:55:33:55:37 | dir(...) : File | PartialPathTraversalTest.java:55:33:55:56 | getCanonicalPath(...) : String | provenance | MaD:6 |
| PartialPathTraversalTest.java:55:33:55:56 | getCanonicalPath(...) : String | PartialPathTraversalTest.java:56:14:56:27 | canonicalPath2 | provenance | |
| PartialPathTraversalTest.java:62:32:62:36 | dir(...) : File | PartialPathTraversalTest.java:62:32:62:55 | getCanonicalPath(...) : String | provenance | MaD:6 |
| PartialPathTraversalTest.java:62:32:62:55 | getCanonicalPath(...) : String | PartialPathTraversalTest.java:64:14:64:26 | canonicalPath | provenance | |
| PartialPathTraversalTest.java:63:33:63:37 | dir(...) : File | PartialPathTraversalTest.java:63:33:63:56 | getCanonicalPath(...) : String | provenance | MaD:6 |
| PartialPathTraversalTest.java:63:33:63:56 | getCanonicalPath(...) : String | PartialPathTraversalTest.java:67:14:67:27 | canonicalPath2 | provenance | |
| PartialPathTraversalTest.java:97:14:97:18 | dir(...) : File | PartialPathTraversalTest.java:97:14:97:37 | getCanonicalPath(...) | provenance | MaD:6 |
| PartialPathTraversalTest.java:105:14:105:18 | dir(...) : File | PartialPathTraversalTest.java:105:14:105:37 | getCanonicalPath(...) | provenance | MaD:6 |
| PartialPathTraversalTest.java:108:14:108:18 | dir(...) : File | PartialPathTraversalTest.java:108:14:108:37 | getCanonicalPath(...) | provenance | MaD:6 |
| PartialPathTraversalTest.java:176:14:176:18 | dir(...) : File | PartialPathTraversalTest.java:176:14:176:37 | getCanonicalPath(...) | provenance | MaD:6 |
| PartialPathTraversalTest.java:186:25:186:30 | path(...) : String[] | PartialPathTraversalTest.java:188:23:188:23 | p : String | provenance | |
| PartialPathTraversalTest.java:188:13:188:14 | sb [post update] : StringBuilder | PartialPathTraversalTest.java:191:27:191:28 | sb : StringBuilder | provenance | |
| PartialPathTraversalTest.java:188:23:188:23 | p : String | PartialPathTraversalTest.java:188:13:188:14 | sb [post update] : StringBuilder | provenance | MaD:8 |
| PartialPathTraversalTest.java:191:27:191:28 | sb : StringBuilder | PartialPathTraversalTest.java:191:27:191:39 | toString(...) : String | provenance | MaD:9 |
| PartialPathTraversalTest.java:191:27:191:39 | toString(...) : String | PartialPathTraversalTest.java:192:37:192:44 | filePath : String | provenance | |
| PartialPathTraversalTest.java:192:28:192:45 | new File(...) : File | PartialPathTraversalTest.java:194:18:194:28 | encodedFile : File | provenance | |
| PartialPathTraversalTest.java:192:37:192:44 | filePath : String | PartialPathTraversalTest.java:192:28:192:45 | new File(...) : File | provenance | MaD:4 |
| PartialPathTraversalTest.java:194:18:194:28 | encodedFile : File | PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | provenance | MaD:6 |
| PartialPathTraversalTest.java:211:46:211:50 | dir(...) : File | PartialPathTraversalTest.java:211:46:211:69 | getCanonicalPath(...) : String | provenance | MaD:6 |
| PartialPathTraversalTest.java:211:46:211:69 | getCanonicalPath(...) : String | PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | provenance | |
| PartialPathTraversalTest.java:252:45:252:117 | new BufferedReader(...) : BufferedReader | PartialPathTraversalTest.java:253:31:253:44 | filenameReader : BufferedReader | provenance | |
| PartialPathTraversalTest.java:252:64:252:116 | new InputStreamReader(...) : InputStreamReader | PartialPathTraversalTest.java:252:45:252:117 | new BufferedReader(...) : BufferedReader | provenance | MaD:2 |
| PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:252:64:252:116 | new InputStreamReader(...) : InputStreamReader | provenance | Src:MaD:1 MaD:7 |
| PartialPathTraversalTest.java:253:31:253:44 | filenameReader : BufferedReader | PartialPathTraversalTest.java:253:31:253:55 | readLine(...) : String | provenance | MaD:3 |
| PartialPathTraversalTest.java:253:31:253:55 | readLine(...) : String | PartialPathTraversalTest.java:254:29:254:36 | filename : String | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:13:14:13:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:20:10:20:14 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:32:14:32:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:38:14:38:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:44:32:44:36 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:51:32:51:36 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:55:33:55:37 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:62:32:62:36 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:63:33:63:37 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:97:14:97:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:105:14:105:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:108:14:108:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:176:14:176:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:211:46:211:50 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:261:16:261:20 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:29:254:36 | filename : String | PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | provenance | MaD:4 |
| PartialPathTraversalTest.java:261:16:261:20 | dir(...) : File | PartialPathTraversalTest.java:261:16:261:38 | getAbsolutePath(...) : String | provenance | MaD:5 |
| PartialPathTraversalTest.java:261:16:261:38 | getAbsolutePath(...) : String | PartialPathTraversalTest.java:261:16:261:60 | split(...) : String[] | provenance | MaD:10 |
| PartialPathTraversalTest.java:261:16:261:60 | split(...) : String[] | PartialPathTraversalTest.java:186:25:186:30 | path(...) : String[] | provenance | |
models
| 1 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual |
| 2 | Summary: java.io; BufferedReader; false; BufferedReader; ; ; Argument[0]; Argument[this]; taint; manual |
| 3 | Summary: java.io; BufferedReader; true; readLine; ; ; Argument[this]; ReturnValue; taint; manual |
| 4 | Summary: java.io; File; false; File; ; ; Argument[0]; Argument[this]; taint; manual |
| 5 | Summary: java.io; File; true; getAbsolutePath; ; ; Argument[this]; ReturnValue; taint; manual |
| 6 | Summary: java.io; File; true; getCanonicalPath; ; ; Argument[this]; ReturnValue; taint; manual |
| 7 | Summary: java.io; InputStreamReader; false; InputStreamReader; ; ; Argument[0]; Argument[this]; taint; manual |
| 8 | Summary: java.lang; AbstractStringBuilder; true; append; ; ; Argument[0]; Argument[this]; taint; manual |
| 9 | Summary: java.lang; CharSequence; true; toString; ; ; Argument[this]; ReturnValue; taint; manual |
| 10 | Summary: java.lang; String; false; split; ; ; Argument[this]; ReturnValue; taint; manual |
nodes
| PartialPathTraversalTest.java:13:14:13:18 | dir(...) : File | semmle.label | dir(...) : File |
| PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) |
| PartialPathTraversalTest.java:20:10:20:14 | dir(...) : File | semmle.label | dir(...) : File |
| PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) |
| PartialPathTraversalTest.java:32:14:32:18 | dir(...) : File | semmle.label | dir(...) : File |
| PartialPathTraversalTest.java:32:14:32:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) |
| PartialPathTraversalTest.java:38:14:38:18 | dir(...) : File | semmle.label | dir(...) : File |
| PartialPathTraversalTest.java:38:14:38:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) |
| PartialPathTraversalTest.java:44:32:44:36 | dir(...) : File | semmle.label | dir(...) : File |
| PartialPathTraversalTest.java:44:32:44:55 | getCanonicalPath(...) : String | semmle.label | getCanonicalPath(...) : String |
| PartialPathTraversalTest.java:45:14:45:26 | canonicalPath | semmle.label | canonicalPath |
| PartialPathTraversalTest.java:51:32:51:36 | dir(...) : File | semmle.label | dir(...) : File |
| PartialPathTraversalTest.java:51:32:51:55 | getCanonicalPath(...) : String | semmle.label | getCanonicalPath(...) : String |
| PartialPathTraversalTest.java:52:14:52:26 | canonicalPath | semmle.label | canonicalPath |
| PartialPathTraversalTest.java:55:33:55:37 | dir(...) : File | semmle.label | dir(...) : File |
| PartialPathTraversalTest.java:55:33:55:56 | getCanonicalPath(...) : String | semmle.label | getCanonicalPath(...) : String |
| PartialPathTraversalTest.java:56:14:56:27 | canonicalPath2 | semmle.label | canonicalPath2 |
| PartialPathTraversalTest.java:62:32:62:36 | dir(...) : File | semmle.label | dir(...) : File |
| PartialPathTraversalTest.java:62:32:62:55 | getCanonicalPath(...) : String | semmle.label | getCanonicalPath(...) : String |
| PartialPathTraversalTest.java:63:33:63:37 | dir(...) : File | semmle.label | dir(...) : File |
| PartialPathTraversalTest.java:63:33:63:56 | getCanonicalPath(...) : String | semmle.label | getCanonicalPath(...) : String |
| PartialPathTraversalTest.java:64:14:64:26 | canonicalPath | semmle.label | canonicalPath |
| PartialPathTraversalTest.java:67:14:67:27 | canonicalPath2 | semmle.label | canonicalPath2 |
| PartialPathTraversalTest.java:97:14:97:18 | dir(...) : File | semmle.label | dir(...) : File |
| PartialPathTraversalTest.java:97:14:97:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) |
| PartialPathTraversalTest.java:105:14:105:18 | dir(...) : File | semmle.label | dir(...) : File |
| PartialPathTraversalTest.java:105:14:105:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) |
| PartialPathTraversalTest.java:108:14:108:18 | dir(...) : File | semmle.label | dir(...) : File |
| PartialPathTraversalTest.java:108:14:108:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) |
| PartialPathTraversalTest.java:176:14:176:18 | dir(...) : File | semmle.label | dir(...) : File |
| PartialPathTraversalTest.java:176:14:176:37 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) |
| PartialPathTraversalTest.java:186:25:186:30 | path(...) : String[] | semmle.label | path(...) : String[] |
| PartialPathTraversalTest.java:188:13:188:14 | sb [post update] : StringBuilder | semmle.label | sb [post update] : StringBuilder |
| PartialPathTraversalTest.java:188:23:188:23 | p : String | semmle.label | p : String |
| PartialPathTraversalTest.java:191:27:191:28 | sb : StringBuilder | semmle.label | sb : StringBuilder |
| PartialPathTraversalTest.java:191:27:191:39 | toString(...) : String | semmle.label | toString(...) : String |
| PartialPathTraversalTest.java:192:28:192:45 | new File(...) : File | semmle.label | new File(...) : File |
| PartialPathTraversalTest.java:192:37:192:44 | filePath : String | semmle.label | filePath : String |
| PartialPathTraversalTest.java:194:18:194:28 | encodedFile : File | semmle.label | encodedFile : File |
| PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | semmle.label | getCanonicalPath(...) |
| PartialPathTraversalTest.java:211:46:211:50 | dir(...) : File | semmle.label | dir(...) : File |
| PartialPathTraversalTest.java:211:46:211:69 | getCanonicalPath(...) : String | semmle.label | getCanonicalPath(...) : String |
| PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | semmle.label | canonicalPath |
| PartialPathTraversalTest.java:252:45:252:117 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
| PartialPathTraversalTest.java:252:64:252:116 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
| PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| PartialPathTraversalTest.java:253:31:253:44 | filenameReader : BufferedReader | semmle.label | filenameReader : BufferedReader |
| PartialPathTraversalTest.java:253:31:253:55 | readLine(...) : String | semmle.label | readLine(...) : String |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | semmle.label | new File(...) : File |
| PartialPathTraversalTest.java:254:29:254:36 | filename : String | semmle.label | filename : String |
| PartialPathTraversalTest.java:261:16:261:20 | dir(...) : File | semmle.label | dir(...) : File |
| PartialPathTraversalTest.java:261:16:261:38 | getAbsolutePath(...) : String | semmle.label | getAbsolutePath(...) : String |
| PartialPathTraversalTest.java:261:16:261:60 | split(...) : String[] | semmle.label | split(...) : String[] |
subpaths

24
java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.ql
View File

@@ -1,24 +0,0 @@
import java
import utils.test.InlineExpectationsTest
import semmle.code.java.security.PartialPathTraversalQuery
class TestRemoteSource extends RemoteFlowSource {
TestRemoteSource() { this.asParameter().hasName(["dir", "path"]) }
override string getSourceType() { result = "TestSource" }
}
module Test implements TestSig {
string getARelevantTag() { result = "hasTaintFlow" }
predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasTaintFlow" and
exists(DataFlow::Node sink | PartialPathTraversalFromRemoteFlow::flowTo(sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}
import MakeTest<Test>

4
java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.qlref Normal file
View File

@@ -0,0 +1,4 @@
query: Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql

190
java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalTest.java
View File

@@ -1,68 +1,71 @@
import java.io.IOException;
import java.io.File;
import java.io.InputStream;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import static java.io.File.separatorChar;
import java.nio.file.Files;
import java.net.Socket;
public class PartialPathTraversalTest {
public void esapiExample(File dir, File parent) throws IOException {
if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) { // $hasTaintFlow
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
public void esapiExample(File parent) throws IOException {
if (!dir().getCanonicalPath().startsWith(parent.getCanonicalPath())) { // $ Alert
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
@SuppressWarnings("ResultOfMethodCallIgnored")
void foo1(File dir, File parent) throws IOException {
(dir.getCanonicalPath()).startsWith((parent.getCanonicalPath())); // $hasTaintFlow
void foo1(File parent) throws IOException {
(dir().getCanonicalPath()).startsWith((parent.getCanonicalPath())); // $ Alert
}
void foo2(File dir, File parent) throws IOException {
dir.getCanonicalPath();
void foo2(File parent) throws IOException {
dir().getCanonicalPath();
if ("potato".startsWith(parent.getCanonicalPath())) {
System.out.println("Hello!");
}
}
void foo3(File dir, File parent) throws IOException {
void foo3(File parent) throws IOException {
String parentPath = parent.getCanonicalPath();
if (!dir.getCanonicalPath().startsWith(parentPath)) { // $hasTaintFlow
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
if (!dir().getCanonicalPath().startsWith(parentPath)) { // $ Alert
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
void foo4(File dir) throws IOException {
if (!dir.getCanonicalPath().startsWith("/usr" + "/dir")) { // $hasTaintFlow
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
void foo4() throws IOException {
if (!dir().getCanonicalPath().startsWith("/usr" + "/dir")) { // $ Alert
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
void foo5(File dir, File parent) throws IOException {
String canonicalPath = dir.getCanonicalPath();
if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $hasTaintFlow
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
void foo5(File parent) throws IOException {
String canonicalPath = dir().getCanonicalPath();
if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
void foo6(File dir, File parent) throws IOException {
String canonicalPath = dir.getCanonicalPath();
if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $hasTaintFlow
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
void foo6(File parent) throws IOException {
String canonicalPath = dir().getCanonicalPath();
if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
String canonicalPath2 = dir.getCanonicalPath();
if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $hasTaintFlow
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
String canonicalPath2 = dir().getCanonicalPath();
if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
void foo7(File dir, File parent) throws IOException {
String canonicalPath = dir.getCanonicalPath();
String canonicalPath2 = dir.getCanonicalPath();
if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $hasTaintFlow
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
String canonicalPath = dir().getCanonicalPath();
String canonicalPath2 = dir().getCanonicalPath();
if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $hasTaintFlow
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
@@ -72,70 +75,70 @@ public class PartialPathTraversalTest {
void foo8(File parent) throws IOException {
String canonicalPath = getChild().getCanonicalPath();
if (!canonicalPath.startsWith(parent.getCanonicalPath())) {
if (!canonicalPath.startsWith(parent.getCanonicalPath())) {
throw new IOException("Invalid directory: " + getChild().getCanonicalPath());
}
}
void foo9(File dir, File parent) throws IOException {
if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath() + File.separator)) {
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
void foo9(File parent) throws IOException {
if (!dir().getCanonicalPath().startsWith(parent.getCanonicalPath() + File.separator)) {
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
void foo10(File dir, File parent) throws IOException {
if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath() + File.separatorChar)) {
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
void foo10(File parent) throws IOException {
if (!dir().getCanonicalPath().startsWith(parent.getCanonicalPath() + File.separatorChar)) {
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
void foo11(File dir, File parent) throws IOException {
void foo11(File parent) throws IOException {
String parentCanonical = parent.getCanonicalPath();
if (!dir.getCanonicalPath().startsWith(parentCanonical)) { // $hasTaintFlow
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
void foo12(File dir, File parent) throws IOException {
void foo12(File parent) throws IOException {
String parentCanonical = parent.getCanonicalPath();
String parentCanonical2 = parent.getCanonicalPath();
if (!dir.getCanonicalPath().startsWith(parentCanonical)) { // $hasTaintFlow
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
if (!dir.getCanonicalPath().startsWith(parentCanonical2)) { // $hasTaintFlow
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
if (!dir().getCanonicalPath().startsWith(parentCanonical2)) { // $ Alert
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
void foo13(File dir, File parent) throws IOException {
void foo13(File parent) throws IOException {
String parentCanonical = parent.getCanonicalPath() + File.separatorChar;
if (!dir.getCanonicalPath().startsWith(parentCanonical)) {
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
if (!dir().getCanonicalPath().startsWith(parentCanonical)) {
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
void foo14(File dir, File parent) throws IOException {
void foo14(File parent) throws IOException {
String parentCanonical = parent.getCanonicalPath() + separatorChar;
if (!dir.getCanonicalPath().startsWith(parentCanonical)) {
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
if (!dir().getCanonicalPath().startsWith(parentCanonical)) {
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
void foo15(File dir, File parent) throws IOException {
String parentCanonical = parent.getCanonicalPath() + File.separatorChar;
String parentCanonical2 = parent.getCanonicalPath() + File.separatorChar;
if (!dir.getCanonicalPath().startsWith(parentCanonical)) {
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
if (!dir().getCanonicalPath().startsWith(parentCanonical)) {
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
if (!dir.getCanonicalPath().startsWith(parentCanonical2)) {
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
if (!dir().getCanonicalPath().startsWith(parentCanonical2)) {
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
void foo16(File dir, File parent) throws IOException {
void foo16(File parent) throws IOException {
String parentCanonical = parent.getCanonicalPath() + File.separator;
if (!dir.getCanonicalPath().startsWith(parentCanonical)) {
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
if (!dir().getCanonicalPath().startsWith(parentCanonical)) {
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
@@ -145,7 +148,7 @@ public class PartialPathTraversalTest {
"UnusedAssignment",
"ResultOfMethodCallIgnored"
})
void foo17(File dir, File parent, boolean branch) throws IOException {
void foo17(File parent, boolean branch) throws IOException {
String parentCanonical = null;
"test ".startsWith("somethingElse");
if (branch) {
@@ -153,8 +156,8 @@ public class PartialPathTraversalTest {
} else {
parentCanonical = parent.getCanonicalPath() + File.separatorChar;
}
if (!dir.getCanonicalPath().startsWith(parentCanonical)) {
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
if (!dir().getCanonicalPath().startsWith(parentCanonical)) {
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
@@ -163,24 +166,24 @@ public class PartialPathTraversalTest {
if (branch) {
parentCanonical = parent.getCanonicalPath() + File.separatorChar;
}
if (!dir.getCanonicalPath().startsWith(parentCanonical)) {
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
if (!dir().getCanonicalPath().startsWith(parentCanonical)) {
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
void foo19(File dir, File parent) throws IOException {
void foo19(File parent) throws IOException {
String parentCanonical = parent.getCanonicalPath() + "/potato";
if (!dir.getCanonicalPath().startsWith(parentCanonical)) { // $hasTaintFlow
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
private File cacheDir;
InputStream foo20(String... path) {
InputStream foo20() {
StringBuilder sb = new StringBuilder();
sb.append(cacheDir.getAbsolutePath());
for (String p : path) {
for (String p : path()) {
sb.append(File.separatorChar);
sb.append(p);
}
@@ -188,7 +191,7 @@ public class PartialPathTraversalTest {
String filePath = sb.toString();
File encodedFile = new File(filePath);
try {
if (!encodedFile.getCanonicalPath().startsWith(cacheDir.getCanonicalPath())) { // $hasTaintFlow
if (!encodedFile.getCanonicalPath().startsWith(cacheDir.getCanonicalPath())) { // $ Alert
return null;
}
return Files.newInputStream(encodedFile.toPath());
@@ -197,37 +200,37 @@ public class PartialPathTraversalTest {
}
}
void foo21(File dir, File parent) throws IOException {
void foo21(File parent) throws IOException {
String parentCanonical = parent.getCanonicalPath();
if (!dir.getCanonicalPath().startsWith(parentCanonical + File.separator)) {
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
if (!dir().getCanonicalPath().startsWith(parentCanonical + File.separator)) {
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
void foo22(File dir, File dir2, File parent, boolean conditional) throws IOException {
String canonicalPath = conditional ? dir.getCanonicalPath() : dir2.getCanonicalPath();
if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $hasTaintFlow
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
void foo22(File dir2, File parent, boolean conditional) throws IOException {
String canonicalPath = conditional ? dir().getCanonicalPath() : dir2.getCanonicalPath();
if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
void foo23(File dir, File parent) throws IOException {
void foo23(File parent) throws IOException {
String parentCanonical = parent.getCanonicalPath();
if (!dir.getCanonicalPath().startsWith(parentCanonical + "/")) {
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
if (!dir().getCanonicalPath().startsWith(parentCanonical + "/")) {
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
void foo24(File dir, File parent) throws IOException {
void foo24(File parent) throws IOException {
String parentCanonical = parent.getCanonicalPath();
if (!dir.getCanonicalPath().startsWith(parentCanonical + '/')) {
throw new IOException("Invalid directory: " + dir.getCanonicalPath());
if (!dir().getCanonicalPath().startsWith(parentCanonical + '/')) {
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
public void doesNotFlagOptimalSafeVersion(File dir, File parent) throws IOException {
if (!dir.toPath().normalize().startsWith(parent.toPath())) { // Safe
throw new IOException("Path traversal attempt: " + dir.getCanonicalPath());
public void doesNotFlagOptimalSafeVersion(File parent) throws IOException {
if (!dir().toPath().normalize().startsWith(parent.toPath())) { // Safe
throw new IOException("Path traversal attempt: " + dir().getCanonicalPath());
}
}
@@ -242,4 +245,19 @@ public class PartialPathTraversalTest {
}
}
}
Socket sock;
File dir() {
try {
BufferedReader filenameReader = new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8")); // $ Source
String filename = filenameReader.readLine();
return new File(filename);
} catch (IOException e) {
throw new RuntimeException("Failed to read from socket", e);
}
}
String[] path() {
return dir().getAbsolutePath().split(File.separator);
}
}

308
java/ql/test/query-tests/security/CWE-074/JndiInjection/JndiInjectionTest.expected Normal file
View File

@@ -0,0 +1,308 @@
#select
| JndiInjectionTest.java:36:16:36:22 | nameStr | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:36:16:36:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
| JndiInjectionTest.java:37:20:37:26 | nameStr | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:37:20:37:26 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
| JndiInjectionTest.java:38:29:38:35 | nameStr | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:38:29:38:35 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
| JndiInjectionTest.java:39:16:39:22 | nameStr | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:39:16:39:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
| JndiInjectionTest.java:40:14:40:20 | nameStr | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:40:14:40:20 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
| JndiInjectionTest.java:41:22:41:28 | nameStr | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:41:22:41:28 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
| JndiInjectionTest.java:43:16:43:19 | name | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:43:16:43:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
| JndiInjectionTest.java:44:20:44:23 | name | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:44:20:44:23 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
| JndiInjectionTest.java:45:29:45:32 | name | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:45:29:45:32 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
| JndiInjectionTest.java:46:16:46:19 | name | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:46:16:46:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
| JndiInjectionTest.java:47:14:47:17 | name | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:47:14:47:17 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
| JndiInjectionTest.java:48:22:48:25 | name | JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:48:22:48:25 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:32:38:32:65 | nameStr | this user input |
| JndiInjectionTest.java:56:16:56:22 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:56:16:56:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
| JndiInjectionTest.java:57:20:57:26 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:57:20:57:26 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
| JndiInjectionTest.java:58:16:58:22 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:58:16:58:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
| JndiInjectionTest.java:59:14:59:20 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:59:14:59:20 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
| JndiInjectionTest.java:60:22:60:28 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:60:22:60:28 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
| JndiInjectionTest.java:62:16:62:19 | name | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:62:16:62:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
| JndiInjectionTest.java:63:20:63:23 | name | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:63:20:63:23 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
| JndiInjectionTest.java:64:16:64:19 | name | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:64:16:64:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
| JndiInjectionTest.java:65:14:65:17 | name | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:65:14:65:17 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
| JndiInjectionTest.java:66:22:66:25 | name | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:66:22:66:25 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
| JndiInjectionTest.java:70:16:70:22 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:70:16:70:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
| JndiInjectionTest.java:71:16:71:22 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:71:16:71:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
| JndiInjectionTest.java:74:16:74:22 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:74:16:74:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
| JndiInjectionTest.java:75:16:75:22 | nameStr | JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:75:16:75:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:52:34:52:61 | nameStr | this user input |
| JndiInjectionTest.java:87:16:87:22 | nameStr | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:87:16:87:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input |
| JndiInjectionTest.java:88:20:88:26 | nameStr | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:88:20:88:26 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input |
| JndiInjectionTest.java:89:16:89:22 | nameStr | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:89:16:89:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input |
| JndiInjectionTest.java:90:14:90:20 | nameStr | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:90:14:90:20 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input |
| JndiInjectionTest.java:91:22:91:28 | nameStr | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:91:22:91:28 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input |
| JndiInjectionTest.java:93:16:93:19 | name | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:93:16:93:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input |
| JndiInjectionTest.java:94:20:94:23 | name | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:94:20:94:23 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input |
| JndiInjectionTest.java:95:16:95:19 | name | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:95:16:95:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input |
| JndiInjectionTest.java:96:14:96:17 | name | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:96:14:96:17 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input |
| JndiInjectionTest.java:97:22:97:25 | name | JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:97:22:97:25 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:83:42:83:69 | nameStr | this user input |
| JndiInjectionTest.java:104:16:104:22 | nameStr | JndiInjectionTest.java:101:42:101:69 | nameStr : String | JndiInjectionTest.java:104:16:104:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:101:42:101:69 | nameStr | this user input |
| JndiInjectionTest.java:105:16:105:22 | nameStr | JndiInjectionTest.java:101:42:101:69 | nameStr : String | JndiInjectionTest.java:105:16:105:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:101:42:101:69 | nameStr | this user input |
| JndiInjectionTest.java:113:16:113:19 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:113:16:113:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:115:16:115:19 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:115:16:115:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:117:16:117:19 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:117:16:117:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:118:16:118:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:118:16:118:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:120:16:120:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:120:16:120:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:122:16:122:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:122:16:122:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:123:23:123:26 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:123:23:123:26 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:124:23:124:29 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:124:23:124:29 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:125:18:125:21 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:125:18:125:21 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:126:16:126:19 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:126:16:126:19 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:127:14:127:17 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:127:14:127:17 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:128:22:128:25 | name | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:128:22:128:25 | name | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:129:16:129:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:129:16:129:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:131:16:131:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:131:16:131:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:132:16:132:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:132:16:132:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:133:16:133:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:133:16:133:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:134:16:134:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:134:16:134:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:138:16:138:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:138:16:138:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:139:16:139:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:139:16:139:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:141:16:141:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:141:16:141:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:142:16:142:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:142:16:142:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:144:16:144:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:144:16:144:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:145:16:145:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:145:16:145:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:149:16:149:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:149:16:149:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:150:16:150:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:150:16:150:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:152:16:152:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:152:16:152:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:153:16:153:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:153:16:153:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:155:16:155:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:155:16:155:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:156:16:156:22 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:156:16:156:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:170:25:170:31 | nameStr | JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:170:25:170:31 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:109:42:109:69 | nameStr | this user input |
| JndiInjectionTest.java:177:16:177:22 | nameStr | JndiInjectionTest.java:174:41:174:68 | nameStr : String | JndiInjectionTest.java:177:16:177:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:174:41:174:68 | nameStr | this user input |
| JndiInjectionTest.java:178:16:178:22 | nameStr | JndiInjectionTest.java:174:41:174:68 | nameStr : String | JndiInjectionTest.java:178:16:178:22 | nameStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:174:41:174:68 | nameStr | this user input |
| JndiInjectionTest.java:183:33:183:57 | new JMXServiceURL(...) | JndiInjectionTest.java:182:37:182:63 | urlStr : String | JndiInjectionTest.java:183:33:183:57 | new JMXServiceURL(...) | JNDI lookup might include name from $@. | JndiInjectionTest.java:182:37:182:63 | urlStr | this user input |
| JndiInjectionTest.java:187:5:187:13 | connector | JndiInjectionTest.java:182:37:182:63 | urlStr : String | JndiInjectionTest.java:187:5:187:13 | connector | JNDI lookup might include name from $@. | JndiInjectionTest.java:182:37:182:63 | urlStr | this user input |
| JndiInjectionTest.java:194:35:194:40 | urlStr | JndiInjectionTest.java:191:27:191:53 | urlStr : String | JndiInjectionTest.java:194:35:194:40 | urlStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:191:27:191:53 | urlStr | this user input |
| JndiInjectionTest.java:202:41:202:46 | urlStr | JndiInjectionTest.java:199:27:199:53 | urlStr : String | JndiInjectionTest.java:202:41:202:46 | urlStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:199:27:199:53 | urlStr | this user input |
| JndiInjectionTest.java:211:37:211:42 | urlStr | JndiInjectionTest.java:207:52:207:78 | urlStr : String | JndiInjectionTest.java:211:37:211:42 | urlStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:207:52:207:78 | urlStr | this user input |
| JndiInjectionTest.java:221:51:221:56 | urlStr | JndiInjectionTest.java:216:52:216:78 | urlStr : String | JndiInjectionTest.java:221:51:221:56 | urlStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:216:52:216:78 | urlStr | this user input |
| JndiInjectionTest.java:231:51:231:56 | urlStr | JndiInjectionTest.java:226:52:226:78 | urlStr : String | JndiInjectionTest.java:231:51:231:56 | urlStr | JNDI lookup might include name from $@. | JndiInjectionTest.java:226:52:226:78 | urlStr | this user input |
edges
| JndiInjectionTest.java:32:38:32:65 | nameStr : String | JndiInjectionTest.java:33:35:33:41 | nameStr : String | provenance | |
| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:43:16:43:19 | name | provenance | Sink:MaD:6 |
| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:44:20:44:23 | name | provenance | Sink:MaD:7 |
| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:45:29:45:32 | name | provenance | Sink:MaD:9 |
| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:46:16:46:19 | name | provenance | Sink:MaD:8 |
| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:47:14:47:17 | name | provenance | Sink:MaD:4 |
| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:48:22:48:25 | name | provenance | Sink:MaD:5 |
| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | provenance | Config |
| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:36:16:36:22 | nameStr | provenance | Sink:MaD:6 |
| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:37:20:37:26 | nameStr | provenance | Sink:MaD:7 |
| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:38:29:38:35 | nameStr | provenance | Sink:MaD:9 |
| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:39:16:39:22 | nameStr | provenance | Sink:MaD:8 |
| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:40:14:40:20 | nameStr | provenance | Sink:MaD:4 |
| JndiInjectionTest.java:33:35:33:41 | nameStr : String | JndiInjectionTest.java:41:22:41:28 | nameStr | provenance | Sink:MaD:5 |
| JndiInjectionTest.java:52:34:52:61 | nameStr : String | JndiInjectionTest.java:53:34:53:40 | nameStr : String | provenance | |
| JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | JndiInjectionTest.java:62:16:62:19 | name | provenance | Sink:MaD:6 |
| JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | JndiInjectionTest.java:63:20:63:23 | name | provenance | Sink:MaD:7 |
| JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | JndiInjectionTest.java:64:16:64:19 | name | provenance | Sink:MaD:8 |
| JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | JndiInjectionTest.java:65:14:65:17 | name | provenance | Sink:MaD:4 |
| JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | JndiInjectionTest.java:66:22:66:25 | name | provenance | Sink:MaD:5 |
| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | provenance | Config |
| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:56:16:56:22 | nameStr | provenance | Sink:MaD:6 |
| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:57:20:57:26 | nameStr | provenance | Sink:MaD:7 |
| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:58:16:58:22 | nameStr | provenance | Sink:MaD:8 |
| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:59:14:59:20 | nameStr | provenance | Sink:MaD:4 |
| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:60:22:60:28 | nameStr | provenance | Sink:MaD:5 |
| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:70:16:70:22 | nameStr | provenance | Sink:MaD:3 |
| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:71:16:71:22 | nameStr | provenance | Sink:MaD:3 |
| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:74:16:74:22 | nameStr | provenance | Sink:MaD:3 |
| JndiInjectionTest.java:53:34:53:40 | nameStr : String | JndiInjectionTest.java:75:16:75:22 | nameStr | provenance | Sink:MaD:3 |
| JndiInjectionTest.java:83:42:83:69 | nameStr : String | JndiInjectionTest.java:84:35:84:41 | nameStr : String | provenance | |
| JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:93:16:93:19 | name | provenance | Sink:MaD:6 |
| JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:94:20:94:23 | name | provenance | Sink:MaD:7 |
| JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:95:16:95:19 | name | provenance | Sink:MaD:8 |
| JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:96:14:96:17 | name | provenance | Sink:MaD:4 |
| JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | JndiInjectionTest.java:97:22:97:25 | name | provenance | Sink:MaD:5 |
| JndiInjectionTest.java:84:35:84:41 | nameStr : String | JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | provenance | Config |
| JndiInjectionTest.java:84:35:84:41 | nameStr : String | JndiInjectionTest.java:87:16:87:22 | nameStr | provenance | Sink:MaD:6 |
| JndiInjectionTest.java:84:35:84:41 | nameStr : String | JndiInjectionTest.java:88:20:88:26 | nameStr | provenance | Sink:MaD:7 |
| JndiInjectionTest.java:84:35:84:41 | nameStr : String | JndiInjectionTest.java:89:16:89:22 | nameStr | provenance | Sink:MaD:8 |
| JndiInjectionTest.java:84:35:84:41 | nameStr : String | JndiInjectionTest.java:90:14:90:20 | nameStr | provenance | Sink:MaD:4 |
| JndiInjectionTest.java:84:35:84:41 | nameStr : String | JndiInjectionTest.java:91:22:91:28 | nameStr | provenance | Sink:MaD:5 |
| JndiInjectionTest.java:101:42:101:69 | nameStr : String | JndiInjectionTest.java:104:16:104:22 | nameStr | provenance | Sink:MaD:11 |
| JndiInjectionTest.java:101:42:101:69 | nameStr : String | JndiInjectionTest.java:105:16:105:22 | nameStr | provenance | Sink:MaD:11 |
| JndiInjectionTest.java:109:42:109:69 | nameStr : String | JndiInjectionTest.java:111:41:111:47 | nameStr : String | provenance | |
| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:113:16:113:19 | name | provenance | Sink:MaD:15 |
| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:115:16:115:19 | name | provenance | Sink:MaD:16 |
| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:117:16:117:19 | name | provenance | Sink:MaD:17 |
| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:123:23:123:26 | name | provenance | Sink:MaD:21 |
| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:125:18:125:21 | name | provenance | Sink:MaD:12 |
| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:126:16:126:19 | name | provenance | Sink:MaD:22 |
| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:127:14:127:17 | name | provenance | Sink:MaD:13 |
| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | JndiInjectionTest.java:128:22:128:25 | name | provenance | Sink:MaD:14 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:111:17:111:48 | add(...) : Name | provenance | Config |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:118:16:118:22 | nameStr | provenance | Sink:MaD:18 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:120:16:120:22 | nameStr | provenance | Sink:MaD:19 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:122:16:122:22 | nameStr | provenance | Sink:MaD:20 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:124:23:124:29 | nameStr | provenance | Sink:MaD:21 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:129:16:129:22 | nameStr | provenance | |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:131:16:131:22 | nameStr | provenance | Sink:MaD:27 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:132:16:132:22 | nameStr | provenance | Sink:MaD:25 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:132:16:132:22 | nameStr | provenance | Sink:MaD:27 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:133:16:133:22 | nameStr | provenance | Sink:MaD:24 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:133:16:133:22 | nameStr | provenance | Sink:MaD:27 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:134:16:134:22 | nameStr | provenance | Sink:MaD:23 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:134:16:134:22 | nameStr | provenance | Sink:MaD:27 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:138:16:138:22 | nameStr | provenance | Sink:MaD:27 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:139:16:139:22 | nameStr | provenance | Sink:MaD:27 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:141:16:141:22 | nameStr | provenance | Sink:MaD:27 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:142:16:142:22 | nameStr | provenance | Sink:MaD:27 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:144:16:144:22 | nameStr | provenance | Sink:MaD:27 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:145:16:145:22 | nameStr | provenance | Sink:MaD:27 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:149:16:149:22 | nameStr | provenance | Sink:MaD:27 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:150:16:150:22 | nameStr | provenance | Sink:MaD:27 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:152:16:152:22 | nameStr | provenance | Sink:MaD:27 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:153:16:153:22 | nameStr | provenance | Sink:MaD:27 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:155:16:155:22 | nameStr | provenance | Sink:MaD:27 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:156:16:156:22 | nameStr | provenance | Sink:MaD:27 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:170:25:170:31 | nameStr | provenance | Sink:MaD:26 |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | JndiInjectionTest.java:170:25:170:31 | nameStr | provenance | Sink:MaD:28 |
| JndiInjectionTest.java:174:41:174:68 | nameStr : String | JndiInjectionTest.java:177:16:177:22 | nameStr | provenance | Sink:MaD:10 |
| JndiInjectionTest.java:174:41:174:68 | nameStr : String | JndiInjectionTest.java:178:16:178:22 | nameStr | provenance | Sink:MaD:10 |
| JndiInjectionTest.java:182:37:182:63 | urlStr : String | JndiInjectionTest.java:183:51:183:56 | urlStr : String | provenance | |
| JndiInjectionTest.java:183:51:183:56 | urlStr : String | JndiInjectionTest.java:183:33:183:57 | new JMXServiceURL(...) | provenance | Config Sink:MaD:2 |
| JndiInjectionTest.java:183:51:183:56 | urlStr : String | JndiInjectionTest.java:185:43:185:48 | urlStr : String | provenance | |
| JndiInjectionTest.java:185:25:185:49 | new JMXServiceURL(...) : JMXServiceURL | JndiInjectionTest.java:186:66:186:68 | url : JMXServiceURL | provenance | |
| JndiInjectionTest.java:185:43:185:48 | urlStr : String | JndiInjectionTest.java:185:25:185:49 | new JMXServiceURL(...) : JMXServiceURL | provenance | Config |
| JndiInjectionTest.java:186:30:186:75 | newJMXConnector(...) : JMXConnector | JndiInjectionTest.java:187:5:187:13 | connector | provenance | Sink:MaD:1 |
| JndiInjectionTest.java:186:66:186:68 | url : JMXServiceURL | JndiInjectionTest.java:186:30:186:75 | newJMXConnector(...) : JMXConnector | provenance | Config |
| JndiInjectionTest.java:186:66:186:68 | url : JMXServiceURL | JndiInjectionTest.java:186:30:186:75 | newJMXConnector(...) : JMXConnector | provenance | MaD:29 |
| JndiInjectionTest.java:191:27:191:53 | urlStr : String | JndiInjectionTest.java:194:35:194:40 | urlStr | provenance | |
| JndiInjectionTest.java:199:27:199:53 | urlStr : String | JndiInjectionTest.java:202:41:202:46 | urlStr | provenance | |
| JndiInjectionTest.java:207:52:207:78 | urlStr : String | JndiInjectionTest.java:211:37:211:42 | urlStr | provenance | |
| JndiInjectionTest.java:216:52:216:78 | urlStr : String | JndiInjectionTest.java:221:51:221:56 | urlStr | provenance | |
| JndiInjectionTest.java:226:52:226:78 | urlStr : String | JndiInjectionTest.java:231:51:231:56 | urlStr | provenance | |
models
| 1 | Sink: javax.management.remote; JMXConnector; true; connect; ; ; Argument[this]; jndi-injection; manual |
| 2 | Sink: javax.management.remote; JMXConnectorFactory; false; connect; ; ; Argument[0]; jndi-injection; manual |
| 3 | Sink: javax.naming.directory; DirContext; true; search; ; ; Argument[0..1]; ldap-injection; manual |
| 4 | Sink: javax.naming; Context; true; list; ; ; Argument[0]; jndi-injection; manual |
| 5 | Sink: javax.naming; Context; true; listBindings; ; ; Argument[0]; jndi-injection; manual |
| 6 | Sink: javax.naming; Context; true; lookup; ; ; Argument[0]; jndi-injection; manual |
| 7 | Sink: javax.naming; Context; true; lookupLink; ; ; Argument[0]; jndi-injection; manual |
| 8 | Sink: javax.naming; Context; true; rename; ; ; Argument[0]; jndi-injection; manual |
| 9 | Sink: javax.naming; InitialContext; true; doLookup; ; ; Argument[0]; jndi-injection; manual |
| 10 | Sink: org.apache.shiro.jndi; JndiTemplate; false; lookup; ; ; Argument[0]; jndi-injection; manual |
| 11 | Sink: org.springframework.jndi; JndiTemplate; false; lookup; ; ; Argument[0]; jndi-injection; manual |
| 12 | Sink: org.springframework.ldap.core; LdapOperations; true; findByDn; ; ; Argument[0]; jndi-injection; manual |
| 13 | Sink: org.springframework.ldap.core; LdapOperations; true; list; ; ; Argument[0]; jndi-injection; manual |
| 14 | Sink: org.springframework.ldap.core; LdapOperations; true; listBindings; ; ; Argument[0]; jndi-injection; manual |
| 15 | Sink: org.springframework.ldap.core; LdapOperations; true; lookup; (Name); ; Argument[0]; jndi-injection; manual |
| 16 | Sink: org.springframework.ldap.core; LdapOperations; true; lookup; (Name,ContextMapper); ; Argument[0]; jndi-injection; manual |
| 17 | Sink: org.springframework.ldap.core; LdapOperations; true; lookup; (Name,String[],ContextMapper); ; Argument[0]; jndi-injection; manual |
| 18 | Sink: org.springframework.ldap.core; LdapOperations; true; lookup; (String); ; Argument[0]; jndi-injection; manual |
| 19 | Sink: org.springframework.ldap.core; LdapOperations; true; lookup; (String,ContextMapper); ; Argument[0]; jndi-injection; manual |
| 20 | Sink: org.springframework.ldap.core; LdapOperations; true; lookup; (String,String[],ContextMapper); ; Argument[0]; jndi-injection; manual |
| 21 | Sink: org.springframework.ldap.core; LdapOperations; true; lookupContext; ; ; Argument[0]; jndi-injection; manual |
| 22 | Sink: org.springframework.ldap.core; LdapOperations; true; rename; ; ; Argument[0]; jndi-injection; manual |
| 23 | Sink: org.springframework.ldap.core; LdapOperations; true; search; (String,String,ContextMapper); ; Argument[0]; jndi-injection; manual |
| 24 | Sink: org.springframework.ldap.core; LdapOperations; true; search; (String,String,int,ContextMapper); ; Argument[0]; jndi-injection; manual |
| 25 | Sink: org.springframework.ldap.core; LdapOperations; true; search; (String,String,int,String[],ContextMapper); ; Argument[0]; jndi-injection; manual |
| 26 | Sink: org.springframework.ldap.core; LdapOperations; true; searchForObject; (String,String,ContextMapper); ; Argument[0]; jndi-injection; manual |
| 27 | Sink: org.springframework.ldap.core; LdapTemplate; false; search; ; ; Argument[0..1]; ldap-injection; manual |
| 28 | Sink: org.springframework.ldap.core; LdapTemplate; false; searchForObject; ; ; Argument[0..1]; ldap-injection; manual |
| 29 | Summary: javax.management.remote; JMXConnectorFactory; true; newJMXConnector; (JMXServiceURL,Map); ; Argument[0]; ReturnValue; taint; df-generated |
nodes
| JndiInjectionTest.java:32:38:32:65 | nameStr : String | semmle.label | nameStr : String |
| JndiInjectionTest.java:33:17:33:42 | new CompositeName(...) : CompositeName | semmle.label | new CompositeName(...) : CompositeName |
| JndiInjectionTest.java:33:35:33:41 | nameStr : String | semmle.label | nameStr : String |
| JndiInjectionTest.java:36:16:36:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:37:20:37:26 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:38:29:38:35 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:39:16:39:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:40:14:40:20 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:41:22:41:28 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:43:16:43:19 | name | semmle.label | name |
| JndiInjectionTest.java:44:20:44:23 | name | semmle.label | name |
| JndiInjectionTest.java:45:29:45:32 | name | semmle.label | name |
| JndiInjectionTest.java:46:16:46:19 | name | semmle.label | name |
| JndiInjectionTest.java:47:14:47:17 | name | semmle.label | name |
| JndiInjectionTest.java:48:22:48:25 | name | semmle.label | name |
| JndiInjectionTest.java:52:34:52:61 | nameStr : String | semmle.label | nameStr : String |
| JndiInjectionTest.java:53:17:53:59 | new CompoundName(...) : CompoundName | semmle.label | new CompoundName(...) : CompoundName |
| JndiInjectionTest.java:53:34:53:40 | nameStr : String | semmle.label | nameStr : String |
| JndiInjectionTest.java:56:16:56:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:57:20:57:26 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:58:16:58:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:59:14:59:20 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:60:22:60:28 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:62:16:62:19 | name | semmle.label | name |
| JndiInjectionTest.java:63:20:63:23 | name | semmle.label | name |
| JndiInjectionTest.java:64:16:64:19 | name | semmle.label | name |
| JndiInjectionTest.java:65:14:65:17 | name | semmle.label | name |
| JndiInjectionTest.java:66:22:66:25 | name | semmle.label | name |
| JndiInjectionTest.java:70:16:70:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:71:16:71:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:74:16:74:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:75:16:75:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:83:42:83:69 | nameStr : String | semmle.label | nameStr : String |
| JndiInjectionTest.java:84:17:84:42 | new CompositeName(...) : CompositeName | semmle.label | new CompositeName(...) : CompositeName |
| JndiInjectionTest.java:84:35:84:41 | nameStr : String | semmle.label | nameStr : String |
| JndiInjectionTest.java:87:16:87:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:88:20:88:26 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:89:16:89:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:90:14:90:20 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:91:22:91:28 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:93:16:93:19 | name | semmle.label | name |
| JndiInjectionTest.java:94:20:94:23 | name | semmle.label | name |
| JndiInjectionTest.java:95:16:95:19 | name | semmle.label | name |
| JndiInjectionTest.java:96:14:96:17 | name | semmle.label | name |
| JndiInjectionTest.java:97:22:97:25 | name | semmle.label | name |
| JndiInjectionTest.java:101:42:101:69 | nameStr : String | semmle.label | nameStr : String |
| JndiInjectionTest.java:104:16:104:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:105:16:105:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:109:42:109:69 | nameStr : String | semmle.label | nameStr : String |
| JndiInjectionTest.java:111:17:111:48 | add(...) : Name | semmle.label | add(...) : Name |
| JndiInjectionTest.java:111:41:111:47 | nameStr : String | semmle.label | nameStr : String |
| JndiInjectionTest.java:113:16:113:19 | name | semmle.label | name |
| JndiInjectionTest.java:115:16:115:19 | name | semmle.label | name |
| JndiInjectionTest.java:117:16:117:19 | name | semmle.label | name |
| JndiInjectionTest.java:118:16:118:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:120:16:120:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:122:16:122:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:123:23:123:26 | name | semmle.label | name |
| JndiInjectionTest.java:124:23:124:29 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:125:18:125:21 | name | semmle.label | name |
| JndiInjectionTest.java:126:16:126:19 | name | semmle.label | name |
| JndiInjectionTest.java:127:14:127:17 | name | semmle.label | name |
| JndiInjectionTest.java:128:22:128:25 | name | semmle.label | name |
| JndiInjectionTest.java:129:16:129:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:131:16:131:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:132:16:132:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:133:16:133:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:134:16:134:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:138:16:138:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:139:16:139:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:141:16:141:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:142:16:142:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:144:16:144:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:145:16:145:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:149:16:149:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:150:16:150:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:152:16:152:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:153:16:153:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:155:16:155:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:156:16:156:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:170:25:170:31 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:174:41:174:68 | nameStr : String | semmle.label | nameStr : String |
| JndiInjectionTest.java:177:16:177:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:178:16:178:22 | nameStr | semmle.label | nameStr |
| JndiInjectionTest.java:182:37:182:63 | urlStr : String | semmle.label | urlStr : String |
| JndiInjectionTest.java:183:33:183:57 | new JMXServiceURL(...) | semmle.label | new JMXServiceURL(...) |
| JndiInjectionTest.java:183:51:183:56 | urlStr : String | semmle.label | urlStr : String |
| JndiInjectionTest.java:185:25:185:49 | new JMXServiceURL(...) : JMXServiceURL | semmle.label | new JMXServiceURL(...) : JMXServiceURL |
| JndiInjectionTest.java:185:43:185:48 | urlStr : String | semmle.label | urlStr : String |
| JndiInjectionTest.java:186:30:186:75 | newJMXConnector(...) : JMXConnector | semmle.label | newJMXConnector(...) : JMXConnector |
| JndiInjectionTest.java:186:66:186:68 | url : JMXServiceURL | semmle.label | url : JMXServiceURL |
| JndiInjectionTest.java:187:5:187:13 | connector | semmle.label | connector |
| JndiInjectionTest.java:191:27:191:53 | urlStr : String | semmle.label | urlStr : String |
| JndiInjectionTest.java:194:35:194:40 | urlStr | semmle.label | urlStr |
| JndiInjectionTest.java:199:27:199:53 | urlStr : String | semmle.label | urlStr : String |
| JndiInjectionTest.java:202:41:202:46 | urlStr | semmle.label | urlStr |
| JndiInjectionTest.java:207:52:207:78 | urlStr : String | semmle.label | urlStr : String |
| JndiInjectionTest.java:211:37:211:42 | urlStr | semmle.label | urlStr |
| JndiInjectionTest.java:216:52:216:78 | urlStr : String | semmle.label | urlStr : String |
| JndiInjectionTest.java:221:51:221:56 | urlStr | semmle.label | urlStr |
| JndiInjectionTest.java:226:52:226:78 | urlStr : String | semmle.label | urlStr : String |
| JndiInjectionTest.java:231:51:231:56 | urlStr | semmle.label | urlStr |
subpaths

178
java/ql/test/query-tests/security/CWE-074/JndiInjectionTest.java → java/ql/test/query-tests/security/CWE-074/JndiInjection/JndiInjectionTest.java
View File

@@ -29,50 +29,50 @@ import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class JndiInjectionTest {
@RequestMapping
public void testInitialContextBad1(@RequestParam String nameStr) throws NamingException {
public void testInitialContextBad1(@RequestParam String nameStr) throws NamingException { // $ Source
Name name = new CompositeName(nameStr);
InitialContext ctx = new InitialContext();
ctx.lookup(nameStr); // $hasJndiInjection
ctx.lookupLink(nameStr); // $hasJndiInjection
InitialContext.doLookup(nameStr); // $hasJndiInjection
ctx.rename(nameStr, ""); // $hasJndiInjection
ctx.list(nameStr); // $hasJndiInjection
ctx.listBindings(nameStr); // $hasJndiInjection
ctx.lookup(nameStr); // $ Alert
ctx.lookupLink(nameStr); // $ Alert
InitialContext.doLookup(nameStr); // $ Alert
ctx.rename(nameStr, ""); // $ Alert
ctx.list(nameStr); // $ Alert
ctx.listBindings(nameStr); // $ Alert
ctx.lookup(name); // $hasJndiInjection
ctx.lookupLink(name); // $hasJndiInjection
InitialContext.doLookup(name); // $hasJndiInjection
ctx.rename(name, null); // $hasJndiInjection
ctx.list(name); // $hasJndiInjection
ctx.listBindings(name); // $hasJndiInjection
ctx.lookup(name); // $ Alert
ctx.lookupLink(name); // $ Alert
InitialContext.doLookup(name); // $ Alert
ctx.rename(name, null); // $ Alert
ctx.list(name); // $ Alert
ctx.listBindings(name); // $ Alert
}
@RequestMapping
public void testDirContextBad1(@RequestParam String nameStr) throws NamingException {
public void testDirContextBad1(@RequestParam String nameStr) throws NamingException { // $ Source
Name name = new CompoundName(nameStr, new Properties());
DirContext ctx = new InitialDirContext();
ctx.lookup(nameStr); // $hasJndiInjection
ctx.lookupLink(nameStr); // $hasJndiInjection
ctx.rename(nameStr, ""); // $hasJndiInjection
ctx.list(nameStr); // $hasJndiInjection
ctx.listBindings(nameStr); // $hasJndiInjection
ctx.lookup(nameStr); // $ Alert
ctx.lookupLink(nameStr); // $ Alert
ctx.rename(nameStr, ""); // $ Alert
ctx.list(nameStr); // $ Alert
ctx.listBindings(nameStr); // $ Alert
ctx.lookup(name); // $hasJndiInjection
ctx.lookupLink(name); // $hasJndiInjection
ctx.rename(name, null); // $hasJndiInjection
ctx.list(name); // $hasJndiInjection
ctx.listBindings(name); // $hasJndiInjection
ctx.lookup(name); // $ Alert
ctx.lookupLink(name); // $ Alert
ctx.rename(name, null); // $ Alert
ctx.list(name); // $ Alert
ctx.listBindings(name); // $ Alert
SearchControls searchControls = new SearchControls();
searchControls.setReturningObjFlag(true);
ctx.search(nameStr, "", searchControls); // $hasJndiInjection
ctx.search(nameStr, "", new Object[] {}, searchControls); // $hasJndiInjection
ctx.search(nameStr, "", searchControls); // $ Alert
ctx.search(nameStr, "", new Object[] {}, searchControls); // $ Alert
SearchControls searchControls2 = new SearchControls(1, 0, 0, null, true, false);
ctx.search(nameStr, "", searchControls2); // $hasJndiInjection
ctx.search(nameStr, "", new Object[] {}, searchControls2); // $hasJndiInjection
ctx.search(nameStr, "", searchControls2); // $ Alert
ctx.search(nameStr, "", new Object[] {}, searchControls2); // $ Alert
SearchControls searchControls3 = new SearchControls(1, 0, 0, null, false, false);
ctx.search(nameStr, "", searchControls3); // Safe
@@ -80,80 +80,80 @@ public class JndiInjectionTest {
}
@RequestMapping
public void testInitialLdapContextBad1(@RequestParam String nameStr) throws NamingException {
public void testInitialLdapContextBad1(@RequestParam String nameStr) throws NamingException { // $ Source
Name name = new CompositeName(nameStr);
InitialLdapContext ctx = new InitialLdapContext();
ctx.lookup(nameStr); // $hasJndiInjection
ctx.lookupLink(nameStr); // $hasJndiInjection
ctx.rename(nameStr, ""); // $hasJndiInjection
ctx.list(nameStr); // $hasJndiInjection
ctx.listBindings(nameStr); // $hasJndiInjection
ctx.lookup(nameStr); // $ Alert
ctx.lookupLink(nameStr); // $ Alert
ctx.rename(nameStr, ""); // $ Alert
ctx.list(nameStr); // $ Alert
ctx.listBindings(nameStr); // $ Alert
ctx.lookup(name); // $hasJndiInjection
ctx.lookupLink(name); // $hasJndiInjection
ctx.rename(name, null); // $hasJndiInjection
ctx.list(name); // $hasJndiInjection
ctx.listBindings(name); // $hasJndiInjection
ctx.lookup(name); // $ Alert
ctx.lookupLink(name); // $ Alert
ctx.rename(name, null); // $ Alert
ctx.list(name); // $ Alert
ctx.listBindings(name); // $ Alert
}
@RequestMapping
public void testSpringJndiTemplateBad1(@RequestParam String nameStr) throws NamingException {
public void testSpringJndiTemplateBad1(@RequestParam String nameStr) throws NamingException { // $ Source
JndiTemplate ctx = new JndiTemplate();
ctx.lookup(nameStr); // $hasJndiInjection
ctx.lookup(nameStr, null); // $hasJndiInjection
ctx.lookup(nameStr); // $ Alert
ctx.lookup(nameStr, null); // $ Alert
}
@RequestMapping
public void testSpringLdapTemplateBad1(@RequestParam String nameStr) throws NamingException {
public void testSpringLdapTemplateBad1(@RequestParam String nameStr) throws NamingException { // $ Source
LdapTemplate ctx = new LdapTemplate();
Name name = new CompositeName().add(nameStr);
ctx.lookup(name); // $hasJndiInjection
ctx.lookup(name); // $ Alert
ctx.lookup(name, (AttributesMapper) null); // Safe
ctx.lookup(name, (ContextMapper) null); // $hasJndiInjection
ctx.lookup(name, (ContextMapper) null); // $ Alert
ctx.lookup(name, new String[] {}, (AttributesMapper) null); // Safe
ctx.lookup(name, new String[] {}, (ContextMapper) null); // $hasJndiInjection
ctx.lookup(nameStr); // $hasJndiInjection
ctx.lookup(name, new String[] {}, (ContextMapper) null); // $ Alert
ctx.lookup(nameStr); // $ Alert
ctx.lookup(nameStr, (AttributesMapper) null); // Safe
ctx.lookup(nameStr, (ContextMapper) null); // $hasJndiInjection
ctx.lookup(nameStr, (ContextMapper) null); // $ Alert
ctx.lookup(nameStr, new String[] {}, (AttributesMapper) null); // Safe
ctx.lookup(nameStr, new String[] {}, (ContextMapper) null); // $hasJndiInjection
ctx.lookupContext(name); // $hasJndiInjection
ctx.lookupContext(nameStr); // $hasJndiInjection
ctx.findByDn(name, null); // $hasJndiInjection
ctx.rename(name, null); // $hasJndiInjection
ctx.list(name); // $hasJndiInjection
ctx.listBindings(name); // $hasJndiInjection
ctx.unbind(nameStr, true); // $hasJndiInjection
ctx.lookup(nameStr, new String[] {}, (ContextMapper) null); // $ Alert
ctx.lookupContext(name); // $ Alert
ctx.lookupContext(nameStr); // $ Alert
ctx.findByDn(name, null); // $ Alert
ctx.rename(name, null); // $ Alert
ctx.list(name); // $ Alert
ctx.listBindings(name); // $ Alert
ctx.unbind(nameStr, true); // $ Alert
ctx.search(nameStr, "", 0, true, null); // $hasJndiInjection
ctx.search(nameStr, "", 0, new String[] {}, (ContextMapper<Object>) null); // $hasJndiInjection
ctx.search(nameStr, "", 0, (ContextMapper<Object>) null); // $hasJndiInjection
ctx.search(nameStr, "", (ContextMapper<Object>) null); // $hasJndiInjection
ctx.search(nameStr, "", 0, true, null); // $ Alert
ctx.search(nameStr, "", 0, new String[] {}, (ContextMapper<Object>) null); // $ Alert
ctx.search(nameStr, "", 0, (ContextMapper<Object>) null); // $ Alert
ctx.search(nameStr, "", (ContextMapper<Object>) null); // $ Alert
SearchControls searchControls = new SearchControls();
searchControls.setReturningObjFlag(true);
ctx.search(nameStr, "", searchControls, (AttributesMapper<Object>) null); // $hasJndiInjection
ctx.search(nameStr, "", searchControls, (AttributesMapper<Object>) null, // $hasJndiInjection
ctx.search(nameStr, "", searchControls, (AttributesMapper<Object>) null); // $ Alert
ctx.search(nameStr, "", searchControls, (AttributesMapper<Object>) null, // $ Alert
(DirContextProcessor) null);
ctx.search(nameStr, "", searchControls, (ContextMapper<Object>) null); // $hasJndiInjection
ctx.search(nameStr, "", searchControls, (ContextMapper<Object>) null, // $hasJndiInjection
ctx.search(nameStr, "", searchControls, (ContextMapper<Object>) null); // $ Alert
ctx.search(nameStr, "", searchControls, (ContextMapper<Object>) null, // $ Alert
(DirContextProcessor) null);
ctx.search(nameStr, "", searchControls, (NameClassPairCallbackHandler) null); // $hasJndiInjection
ctx.search(nameStr, "", searchControls, (NameClassPairCallbackHandler) null, // $hasJndiInjection
ctx.search(nameStr, "", searchControls, (NameClassPairCallbackHandler) null); // $ Alert
ctx.search(nameStr, "", searchControls, (NameClassPairCallbackHandler) null, // $ Alert
(DirContextProcessor) null);
SearchControls searchControls2 = new SearchControls(1, 0, 0, null, true, false);
ctx.search(nameStr, "", searchControls2, (AttributesMapper<Object>) null); // $hasJndiInjection
ctx.search(nameStr, "", searchControls2, (AttributesMapper<Object>) null, // $hasJndiInjection
ctx.search(nameStr, "", searchControls2, (AttributesMapper<Object>) null); // $ Alert
ctx.search(nameStr, "", searchControls2, (AttributesMapper<Object>) null, // $ Alert
(DirContextProcessor) null);
ctx.search(nameStr, "", searchControls2, (ContextMapper<Object>) null); // $hasJndiInjection
ctx.search(nameStr, "", searchControls2, (ContextMapper<Object>) null, // $hasJndiInjection
ctx.search(nameStr, "", searchControls2, (ContextMapper<Object>) null); // $ Alert
ctx.search(nameStr, "", searchControls2, (ContextMapper<Object>) null, // $ Alert
(DirContextProcessor) null);
ctx.search(nameStr, "", searchControls2, (NameClassPairCallbackHandler) null); // $hasJndiInjection
ctx.search(nameStr, "", searchControls2, (NameClassPairCallbackHandler) null, // $hasJndiInjection
ctx.search(nameStr, "", searchControls2, (NameClassPairCallbackHandler) null); // $ Alert
ctx.search(nameStr, "", searchControls2, (NameClassPairCallbackHandler) null, // $ Alert
(DirContextProcessor) null);
SearchControls searchControls3 = new SearchControls(1, 0, 0, null, false, false);
@@ -167,68 +167,68 @@ public class JndiInjectionTest {
ctx.search(nameStr, "", searchControls3, (NameClassPairCallbackHandler) null, // Safe
(DirContextProcessor) null);
ctx.searchForObject(nameStr, "", (ContextMapper<Object>) null); // $hasJndiInjection
ctx.searchForObject(nameStr, "", (ContextMapper<Object>) null); // $ Alert
}
@RequestMapping
public void testShiroJndiTemplateBad1(@RequestParam String nameStr) throws NamingException {
public void testShiroJndiTemplateBad1(@RequestParam String nameStr) throws NamingException { // $ Source
org.apache.shiro.jndi.JndiTemplate ctx = new org.apache.shiro.jndi.JndiTemplate();
ctx.lookup(nameStr); // $hasJndiInjection
ctx.lookup(nameStr, null); // $hasJndiInjection
ctx.lookup(nameStr); // $ Alert
ctx.lookup(nameStr, null); // $ Alert
}
@RequestMapping
public void testJMXServiceUrlBad1(@RequestParam String urlStr) throws IOException {
JMXConnectorFactory.connect(new JMXServiceURL(urlStr)); // $hasJndiInjection
public void testJMXServiceUrlBad1(@RequestParam String urlStr) throws IOException { // $ Source
JMXConnectorFactory.connect(new JMXServiceURL(urlStr)); // $ Alert
JMXServiceURL url = new JMXServiceURL(urlStr);
JMXConnector connector = JMXConnectorFactory.newJMXConnector(url, null);
connector.connect(); // $hasJndiInjection
connector.connect(); // $ Alert
}
@RequestMapping
public void testEnvBad1(@RequestParam String urlStr) throws NamingException {
public void testEnvBad1(@RequestParam String urlStr) throws NamingException { // $ Source
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
env.put(Context.PROVIDER_URL, urlStr); // $hasJndiInjection
env.put(Context.PROVIDER_URL, urlStr); // $ Alert
new InitialContext(env);
}
@RequestMapping
public void testEnvBad2(@RequestParam String urlStr) throws NamingException {
public void testEnvBad2(@RequestParam String urlStr) throws NamingException { // $ Source
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
env.put("java.naming.provider.url", urlStr); // $hasJndiInjection
env.put("java.naming.provider.url", urlStr); // $ Alert
new InitialDirContext(env);
}
@RequestMapping
public void testSpringJndiTemplatePropertiesBad1(@RequestParam String urlStr)
public void testSpringJndiTemplatePropertiesBad1(@RequestParam String urlStr) // $ Source
throws NamingException {
Properties props = new Properties();
props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
props.put(Context.PROVIDER_URL, urlStr); // $hasJndiInjection
props.put(Context.PROVIDER_URL, urlStr); // $ Alert
new JndiTemplate(props);
}
@RequestMapping
public void testSpringJndiTemplatePropertiesBad2(@RequestParam String urlStr)
public void testSpringJndiTemplatePropertiesBad2(@RequestParam String urlStr) // $ Source
throws NamingException {
Properties props = new Properties();
props.setProperty(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.rmi.registry.RegistryContextFactory");
props.setProperty("java.naming.provider.url", urlStr); // $hasJndiInjection
props.setProperty("java.naming.provider.url", urlStr); // $ Alert
new JndiTemplate(props);
}
@RequestMapping
public void testSpringJndiTemplatePropertiesBad3(@RequestParam String urlStr)
public void testSpringJndiTemplatePropertiesBad3(@RequestParam String urlStr) // $ Source
throws NamingException {
Properties props = new Properties();
props.setProperty(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.rmi.registry.RegistryContextFactory");
props.setProperty("java.naming.provider.url", urlStr); // $hasJndiInjection
props.setProperty("java.naming.provider.url", urlStr); // $ Alert
JndiTemplate template = new JndiTemplate();
template.setEnvironment(props);
}

4
java/ql/test/query-tests/security/CWE-074/JndiInjection/JndiInjectionTest.qlref Normal file
View File

@@ -0,0 +1,4 @@
query: Security/CWE/CWE-074/JndiInjection.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql

1
java/ql/test/query-tests/security/CWE-074/JndiInjection/options Normal file
View File

@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.8.x:${testdir}/../../../../stubs/shiro-core-1.5.2:${testdir}/../../../../stubs/spring-ldap-2.3.2:${testdir}/../../../../stubs/Saxon-HE-9.9.1-7:${testdir}/../../../../stubs/apache-commons-logging-1.2

0
java/ql/test/query-tests/security/CWE-074/JndiInjectionTest.expected
View File

18
java/ql/test/query-tests/security/CWE-074/JndiInjectionTest.ql
View File

@@ -1,18 +0,0 @@
import java
import semmle.code.java.security.JndiInjectionQuery
import utils.test.InlineExpectationsTest
module HasJndiInjectionTest implements TestSig {
string getARelevantTag() { result = "hasJndiInjection" }
predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasJndiInjection" and
exists(DataFlow::Node sink | JndiInjectionFlow::flowTo(sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}
import MakeTest<HasJndiInjectionTest>

245
java/ql/test/query-tests/security/CWE-074/XsltInjection/XsltInjectionTest.expected Normal file
View File

@@ -0,0 +1,245 @@
#select
| XsltInjectionTest.java:31:5:31:59 | newTransformer(...) | XsltInjectionTest.java:30:44:30:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:31:5:31:59 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:30:44:30:66 | getInputStream(...) | this user input |
| XsltInjectionTest.java:36:5:36:74 | newTransformer(...) | XsltInjectionTest.java:35:66:35:88 | getInputStream(...) : InputStream | XsltInjectionTest.java:36:5:36:74 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:35:66:35:88 | getInputStream(...) | this user input |
| XsltInjectionTest.java:43:5:43:59 | newTransformer(...) | XsltInjectionTest.java:40:45:40:70 | param : String | XsltInjectionTest.java:43:5:43:59 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:40:45:40:70 | param | this user input |
| XsltInjectionTest.java:48:5:48:74 | newTransformer(...) | XsltInjectionTest.java:47:54:47:76 | getInputStream(...) : InputStream | XsltInjectionTest.java:48:5:48:74 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:47:54:47:76 | getInputStream(...) | this user input |
| XsltInjectionTest.java:54:5:54:59 | newTransformer(...) | XsltInjectionTest.java:53:67:53:89 | getInputStream(...) : InputStream | XsltInjectionTest.java:54:5:54:59 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:53:67:53:89 | getInputStream(...) | this user input |
| XsltInjectionTest.java:60:5:60:59 | newTransformer(...) | XsltInjectionTest.java:59:75:59:97 | getInputStream(...) : InputStream | XsltInjectionTest.java:60:5:60:59 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:59:75:59:97 | getInputStream(...) | this user input |
| XsltInjectionTest.java:66:5:66:74 | newTransformer(...) | XsltInjectionTest.java:65:31:65:53 | getInputStream(...) : InputStream | XsltInjectionTest.java:66:5:66:74 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:65:31:65:53 | getInputStream(...) | this user input |
| XsltInjectionTest.java:72:5:72:59 | newTransformer(...) | XsltInjectionTest.java:71:73:71:95 | getInputStream(...) : InputStream | XsltInjectionTest.java:72:5:72:59 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:71:73:71:95 | getInputStream(...) | this user input |
| XsltInjectionTest.java:80:5:80:34 | newTransformer(...) | XsltInjectionTest.java:76:44:76:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:80:5:80:34 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:76:44:76:66 | getInputStream(...) | this user input |
| XsltInjectionTest.java:87:5:87:34 | newTransformer(...) | XsltInjectionTest.java:84:44:84:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:87:5:87:34 | newTransformer(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:84:44:84:66 | getInputStream(...) | this user input |
| XsltInjectionTest.java:94:5:94:35 | load(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:94:5:94:35 | load(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input |
| XsltInjectionTest.java:95:5:95:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:95:5:95:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input |
| XsltInjectionTest.java:96:5:96:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:96:5:96:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input |
| XsltInjectionTest.java:97:5:97:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:97:5:97:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input |
| XsltInjectionTest.java:98:5:98:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:98:5:98:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input |
| XsltInjectionTest.java:99:5:99:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:99:5:99:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input |
| XsltInjectionTest.java:100:5:100:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:100:5:100:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input |
| XsltInjectionTest.java:101:5:101:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:101:5:101:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input |
| XsltInjectionTest.java:102:5:102:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:102:5:102:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input |
| XsltInjectionTest.java:103:5:103:37 | load30(...) | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:103:5:103:37 | load30(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:91:44:91:66 | getInputStream(...) | this user input |
| XsltInjectionTest.java:112:5:112:46 | load(...) | XsltInjectionTest.java:107:36:107:61 | param : String | XsltInjectionTest.java:112:5:112:46 | load(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:107:36:107:61 | param | this user input |
| XsltInjectionTest.java:113:5:113:49 | load(...) | XsltInjectionTest.java:107:64:107:76 | socket : Socket | XsltInjectionTest.java:113:5:113:49 | load(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:107:64:107:76 | socket | this user input |
| XsltInjectionTest.java:113:5:113:49 | load(...) | XsltInjectionTest.java:109:44:109:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:113:5:113:49 | load(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:109:44:109:66 | getInputStream(...) | this user input |
| XsltInjectionTest.java:114:5:114:50 | load(...) | XsltInjectionTest.java:107:36:107:61 | param : String | XsltInjectionTest.java:114:5:114:50 | load(...) | XSLT transformation might include stylesheet from $@. | XsltInjectionTest.java:107:36:107:61 | param | this user input |
edges
| XsltInjectionTest.java:30:27:30:67 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:31:53:31:58 | source : StreamSource | provenance | |
| XsltInjectionTest.java:30:44:30:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:30:27:30:67 | new StreamSource(...) : StreamSource | provenance | Src:MaD:7 MaD:14 |
| XsltInjectionTest.java:31:53:31:58 | source : StreamSource | XsltInjectionTest.java:31:5:31:59 | newTransformer(...) | provenance | Config Sink:MaD:1 |
| XsltInjectionTest.java:35:27:35:90 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:36:51:36:56 | source : StreamSource | provenance | |
| XsltInjectionTest.java:35:44:35:89 | new InputStreamReader(...) : InputStreamReader | XsltInjectionTest.java:35:27:35:90 | new StreamSource(...) : StreamSource | provenance | MaD:14 |
| XsltInjectionTest.java:35:66:35:88 | getInputStream(...) : InputStream | XsltInjectionTest.java:35:44:35:89 | new InputStreamReader(...) : InputStreamReader | provenance | Src:MaD:7 MaD:8 |
| XsltInjectionTest.java:36:5:36:57 | newTemplates(...) : Templates | XsltInjectionTest.java:36:5:36:74 | newTransformer(...) | provenance | Config Sink:MaD:1 |
| XsltInjectionTest.java:36:5:36:57 | newTemplates(...) : Templates | XsltInjectionTest.java:36:5:36:74 | newTransformer(...) | provenance | MaD:15 Sink:MaD:1 |
| XsltInjectionTest.java:36:51:36:56 | source : StreamSource | XsltInjectionTest.java:36:5:36:57 | newTemplates(...) : Templates | provenance | Config |
| XsltInjectionTest.java:36:51:36:56 | source : StreamSource | XsltInjectionTest.java:36:5:36:57 | newTemplates(...) : Templates | provenance | MaD:16 |
| XsltInjectionTest.java:40:45:40:70 | param : String | XsltInjectionTest.java:42:61:42:64 | xslt : String | provenance | |
| XsltInjectionTest.java:42:27:42:66 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:43:53:43:58 | source : StreamSource | provenance | |
| XsltInjectionTest.java:42:44:42:65 | new StringReader(...) : StringReader | XsltInjectionTest.java:42:27:42:66 | new StreamSource(...) : StreamSource | provenance | MaD:14 |
| XsltInjectionTest.java:42:61:42:64 | xslt : String | XsltInjectionTest.java:42:44:42:65 | new StringReader(...) : StringReader | provenance | MaD:9 |
| XsltInjectionTest.java:43:53:43:58 | source : StreamSource | XsltInjectionTest.java:43:5:43:59 | newTransformer(...) | provenance | Config Sink:MaD:1 |
| XsltInjectionTest.java:47:24:47:78 | new SAXSource(...) : SAXSource | XsltInjectionTest.java:48:51:48:56 | source : SAXSource | provenance | |
| XsltInjectionTest.java:47:38:47:77 | new InputSource(...) : InputSource | XsltInjectionTest.java:47:24:47:78 | new SAXSource(...) : SAXSource | provenance | MaD:12 |
| XsltInjectionTest.java:47:54:47:76 | getInputStream(...) : InputStream | XsltInjectionTest.java:47:38:47:77 | new InputSource(...) : InputSource | provenance | Src:MaD:7 MaD:17 |
| XsltInjectionTest.java:48:5:48:57 | newTemplates(...) : Templates | XsltInjectionTest.java:48:5:48:74 | newTransformer(...) | provenance | Config Sink:MaD:1 |
| XsltInjectionTest.java:48:5:48:57 | newTemplates(...) : Templates | XsltInjectionTest.java:48:5:48:74 | newTransformer(...) | provenance | MaD:15 Sink:MaD:1 |
| XsltInjectionTest.java:48:51:48:56 | source : SAXSource | XsltInjectionTest.java:48:5:48:57 | newTemplates(...) : Templates | provenance | Config |
| XsltInjectionTest.java:48:51:48:56 | source : SAXSource | XsltInjectionTest.java:48:5:48:57 | newTemplates(...) : Templates | provenance | MaD:16 |
| XsltInjectionTest.java:53:9:53:92 | new SAXSource(...) : SAXSource | XsltInjectionTest.java:54:53:54:58 | source : SAXSource | provenance | |
| XsltInjectionTest.java:53:29:53:91 | new InputSource(...) : InputSource | XsltInjectionTest.java:53:9:53:92 | new SAXSource(...) : SAXSource | provenance | MaD:13 |
| XsltInjectionTest.java:53:45:53:90 | new InputStreamReader(...) : InputStreamReader | XsltInjectionTest.java:53:29:53:91 | new InputSource(...) : InputSource | provenance | MaD:17 |
| XsltInjectionTest.java:53:67:53:89 | getInputStream(...) : InputStream | XsltInjectionTest.java:53:45:53:90 | new InputStreamReader(...) : InputStreamReader | provenance | Src:MaD:7 MaD:8 |
| XsltInjectionTest.java:54:53:54:58 | source : SAXSource | XsltInjectionTest.java:54:5:54:59 | newTransformer(...) | provenance | Config Sink:MaD:1 |
| XsltInjectionTest.java:59:9:59:99 | new StAXSource(...) : StAXSource | XsltInjectionTest.java:60:53:60:58 | source : StAXSource | provenance | |
| XsltInjectionTest.java:59:24:59:98 | createXMLEventReader(...) : XMLEventReader | XsltInjectionTest.java:59:9:59:99 | new StAXSource(...) : StAXSource | provenance | Config |
| XsltInjectionTest.java:59:75:59:97 | getInputStream(...) : InputStream | XsltInjectionTest.java:59:24:59:98 | createXMLEventReader(...) : XMLEventReader | provenance | Src:MaD:7 Config |
| XsltInjectionTest.java:60:53:60:58 | source : StAXSource | XsltInjectionTest.java:60:5:60:59 | newTransformer(...) | provenance | Config Sink:MaD:1 |
| XsltInjectionTest.java:64:25:65:56 | new StAXSource(...) : StAXSource | XsltInjectionTest.java:66:51:66:56 | source : StAXSource | provenance | |
| XsltInjectionTest.java:64:40:65:55 | createXMLStreamReader(...) : XMLStreamReader | XsltInjectionTest.java:64:25:65:56 | new StAXSource(...) : StAXSource | provenance | Config |
| XsltInjectionTest.java:65:9:65:54 | new InputStreamReader(...) : InputStreamReader | XsltInjectionTest.java:64:40:65:55 | createXMLStreamReader(...) : XMLStreamReader | provenance | Config |
| XsltInjectionTest.java:65:31:65:53 | getInputStream(...) : InputStream | XsltInjectionTest.java:65:9:65:54 | new InputStreamReader(...) : InputStreamReader | provenance | Src:MaD:7 MaD:8 |
| XsltInjectionTest.java:66:5:66:57 | newTemplates(...) : Templates | XsltInjectionTest.java:66:5:66:74 | newTransformer(...) | provenance | Config Sink:MaD:1 |
| XsltInjectionTest.java:66:5:66:57 | newTemplates(...) : Templates | XsltInjectionTest.java:66:5:66:74 | newTransformer(...) | provenance | MaD:15 Sink:MaD:1 |
| XsltInjectionTest.java:66:51:66:56 | source : StAXSource | XsltInjectionTest.java:66:5:66:57 | newTemplates(...) : Templates | provenance | Config |
| XsltInjectionTest.java:66:51:66:56 | source : StAXSource | XsltInjectionTest.java:66:5:66:57 | newTemplates(...) : Templates | provenance | MaD:16 |
| XsltInjectionTest.java:70:24:71:97 | new DOMSource(...) : DOMSource | XsltInjectionTest.java:72:53:72:58 | source : DOMSource | provenance | |
| XsltInjectionTest.java:71:9:71:96 | parse(...) : Document | XsltInjectionTest.java:70:24:71:97 | new DOMSource(...) : DOMSource | provenance | Config |
| XsltInjectionTest.java:71:73:71:95 | getInputStream(...) : InputStream | XsltInjectionTest.java:71:9:71:96 | parse(...) : Document | provenance | Src:MaD:7 Config |
| XsltInjectionTest.java:72:53:72:58 | source : DOMSource | XsltInjectionTest.java:72:5:72:59 | newTransformer(...) | provenance | Config Sink:MaD:1 |
| XsltInjectionTest.java:76:27:76:67 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:80:28:80:33 | source : StreamSource | provenance | |
| XsltInjectionTest.java:76:44:76:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:76:27:76:67 | new StreamSource(...) : StreamSource | provenance | Src:MaD:7 MaD:14 |
| XsltInjectionTest.java:80:28:80:33 | source : StreamSource | XsltInjectionTest.java:80:5:80:34 | newTransformer(...) | provenance | Config Sink:MaD:1 |
| XsltInjectionTest.java:84:27:84:67 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:87:28:87:33 | source : StreamSource | provenance | |
| XsltInjectionTest.java:84:44:84:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:84:27:84:67 | new StreamSource(...) : StreamSource | provenance | Src:MaD:7 MaD:14 |
| XsltInjectionTest.java:87:28:87:33 | source : StreamSource | XsltInjectionTest.java:87:5:87:34 | newTransformer(...) | provenance | Config Sink:MaD:1 |
| XsltInjectionTest.java:91:27:91:67 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:94:22:94:27 | source : StreamSource | provenance | |
| XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:91:27:91:67 | new StreamSource(...) : StreamSource | provenance | Src:MaD:7 MaD:14 |
| XsltInjectionTest.java:94:5:94:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:94:5:94:35 | load(...) | provenance | Config Sink:MaD:6 |
| XsltInjectionTest.java:94:22:94:27 | source : StreamSource | XsltInjectionTest.java:94:5:94:28 | compile(...) : XsltExecutable | provenance | Config |
| XsltInjectionTest.java:94:22:94:27 | source : StreamSource | XsltInjectionTest.java:95:22:95:27 | source : StreamSource | provenance | |
| XsltInjectionTest.java:95:5:95:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:95:5:95:37 | load30(...) | provenance | Config Sink:MaD:5 |
| XsltInjectionTest.java:95:22:95:27 | source : StreamSource | XsltInjectionTest.java:95:5:95:28 | compile(...) : XsltExecutable | provenance | Config |
| XsltInjectionTest.java:95:22:95:27 | source : StreamSource | XsltInjectionTest.java:96:22:96:27 | source : StreamSource | provenance | |
| XsltInjectionTest.java:96:5:96:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:96:5:96:37 | load30(...) | provenance | Config Sink:MaD:2 |
| XsltInjectionTest.java:96:22:96:27 | source : StreamSource | XsltInjectionTest.java:96:5:96:28 | compile(...) : XsltExecutable | provenance | Config |
| XsltInjectionTest.java:96:22:96:27 | source : StreamSource | XsltInjectionTest.java:97:22:97:27 | source : StreamSource | provenance | |
| XsltInjectionTest.java:97:5:97:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:97:5:97:37 | load30(...) | provenance | Config Sink:MaD:2 |
| XsltInjectionTest.java:97:22:97:27 | source : StreamSource | XsltInjectionTest.java:97:5:97:28 | compile(...) : XsltExecutable | provenance | Config |
| XsltInjectionTest.java:97:22:97:27 | source : StreamSource | XsltInjectionTest.java:98:22:98:27 | source : StreamSource | provenance | |
| XsltInjectionTest.java:98:5:98:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:98:5:98:37 | load30(...) | provenance | Config Sink:MaD:2 |
| XsltInjectionTest.java:98:22:98:27 | source : StreamSource | XsltInjectionTest.java:98:5:98:28 | compile(...) : XsltExecutable | provenance | Config |
| XsltInjectionTest.java:98:22:98:27 | source : StreamSource | XsltInjectionTest.java:99:22:99:27 | source : StreamSource | provenance | |
| XsltInjectionTest.java:99:5:99:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:99:5:99:37 | load30(...) | provenance | Config Sink:MaD:2 |
| XsltInjectionTest.java:99:22:99:27 | source : StreamSource | XsltInjectionTest.java:99:5:99:28 | compile(...) : XsltExecutable | provenance | Config |
| XsltInjectionTest.java:99:22:99:27 | source : StreamSource | XsltInjectionTest.java:100:22:100:27 | source : StreamSource | provenance | |
| XsltInjectionTest.java:100:5:100:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:100:5:100:37 | load30(...) | provenance | Config Sink:MaD:3 |
| XsltInjectionTest.java:100:22:100:27 | source : StreamSource | XsltInjectionTest.java:100:5:100:28 | compile(...) : XsltExecutable | provenance | Config |
| XsltInjectionTest.java:100:22:100:27 | source : StreamSource | XsltInjectionTest.java:101:22:101:27 | source : StreamSource | provenance | |
| XsltInjectionTest.java:101:5:101:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:101:5:101:37 | load30(...) | provenance | Config Sink:MaD:3 |
| XsltInjectionTest.java:101:22:101:27 | source : StreamSource | XsltInjectionTest.java:101:5:101:28 | compile(...) : XsltExecutable | provenance | Config |
| XsltInjectionTest.java:101:22:101:27 | source : StreamSource | XsltInjectionTest.java:102:22:102:27 | source : StreamSource | provenance | |
| XsltInjectionTest.java:102:5:102:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:102:5:102:37 | load30(...) | provenance | Config Sink:MaD:4 |
| XsltInjectionTest.java:102:22:102:27 | source : StreamSource | XsltInjectionTest.java:102:5:102:28 | compile(...) : XsltExecutable | provenance | Config |
| XsltInjectionTest.java:102:22:102:27 | source : StreamSource | XsltInjectionTest.java:103:22:103:27 | source : StreamSource | provenance | |
| XsltInjectionTest.java:103:5:103:28 | compile(...) : XsltExecutable | XsltInjectionTest.java:103:5:103:37 | load30(...) | provenance | Config Sink:MaD:4 |
| XsltInjectionTest.java:103:22:103:27 | source : StreamSource | XsltInjectionTest.java:103:5:103:28 | compile(...) : XsltExecutable | provenance | Config |
| XsltInjectionTest.java:107:36:107:61 | param : String | XsltInjectionTest.java:108:23:108:27 | param : String | provenance | |
| XsltInjectionTest.java:107:64:107:76 | socket : Socket | XsltInjectionTest.java:109:44:109:49 | socket : Socket | provenance | |
| XsltInjectionTest.java:108:15:108:28 | new URI(...) : URI | XsltInjectionTest.java:112:36:112:38 | uri : URI | provenance | |
| XsltInjectionTest.java:108:23:108:27 | param : String | XsltInjectionTest.java:108:15:108:28 | new URI(...) : URI | provenance | MaD:11 |
| XsltInjectionTest.java:109:27:109:67 | new StreamSource(...) : StreamSource | XsltInjectionTest.java:113:29:113:34 | source : StreamSource | provenance | |
| XsltInjectionTest.java:109:44:109:49 | socket : Socket | XsltInjectionTest.java:109:44:109:66 | getInputStream(...) : InputStream | provenance | MaD:10 |
| XsltInjectionTest.java:109:44:109:66 | getInputStream(...) : InputStream | XsltInjectionTest.java:109:27:109:67 | new StreamSource(...) : StreamSource | provenance | Src:MaD:7 MaD:14 |
| XsltInjectionTest.java:112:5:112:39 | loadExecutablePackage(...) : XsltExecutable | XsltInjectionTest.java:112:5:112:46 | load(...) | provenance | Config Sink:MaD:6 |
| XsltInjectionTest.java:112:36:112:38 | uri : URI | XsltInjectionTest.java:112:5:112:39 | loadExecutablePackage(...) : XsltExecutable | provenance | Config |
| XsltInjectionTest.java:112:36:112:38 | uri : URI | XsltInjectionTest.java:114:33:114:35 | uri : URI | provenance | |
| XsltInjectionTest.java:113:5:113:35 | compilePackage(...) : XsltPackage | XsltInjectionTest.java:113:5:113:42 | link(...) : XsltExecutable | provenance | Config |
| XsltInjectionTest.java:113:5:113:42 | link(...) : XsltExecutable | XsltInjectionTest.java:113:5:113:49 | load(...) | provenance | Config Sink:MaD:6 |
| XsltInjectionTest.java:113:29:113:34 | source : StreamSource | XsltInjectionTest.java:113:5:113:35 | compilePackage(...) : XsltPackage | provenance | Config |
| XsltInjectionTest.java:114:5:114:36 | loadLibraryPackage(...) : XsltPackage | XsltInjectionTest.java:114:5:114:43 | link(...) : XsltExecutable | provenance | Config |
| XsltInjectionTest.java:114:5:114:43 | link(...) : XsltExecutable | XsltInjectionTest.java:114:5:114:50 | load(...) | provenance | Config Sink:MaD:6 |
| XsltInjectionTest.java:114:33:114:35 | uri : URI | XsltInjectionTest.java:114:5:114:36 | loadLibraryPackage(...) : XsltPackage | provenance | Config |
models
| 1 | Sink: javax.xml.transform; Transformer; false; transform; ; ; Argument[this]; xslt-injection; manual |
| 2 | Sink: net.sf.saxon.s9api; Xslt30Transformer; false; applyTemplates; ; ; Argument[this]; xslt-injection; manual |
| 3 | Sink: net.sf.saxon.s9api; Xslt30Transformer; false; callFunction; ; ; Argument[this]; xslt-injection; manual |
| 4 | Sink: net.sf.saxon.s9api; Xslt30Transformer; false; callTemplate; ; ; Argument[this]; xslt-injection; manual |
| 5 | Sink: net.sf.saxon.s9api; Xslt30Transformer; false; transform; ; ; Argument[this]; xslt-injection; manual |
| 6 | Sink: net.sf.saxon.s9api; XsltTransformer; false; transform; ; ; Argument[this]; xslt-injection; manual |
| 7 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual |
| 8 | Summary: java.io; InputStreamReader; false; InputStreamReader; ; ; Argument[0]; Argument[this]; taint; manual |
| 9 | Summary: java.io; StringReader; false; StringReader; ; ; Argument[0]; Argument[this]; taint; manual |
| 10 | Summary: java.net; Socket; true; getInputStream; (); ; Argument[this]; ReturnValue; taint; df-generated |
| 11 | Summary: java.net; URI; false; URI; (String); ; Argument[0]; Argument[this]; taint; manual |
| 12 | Summary: javax.xml.transform.sax; SAXSource; false; SAXSource; (InputSource); ; Argument[0]; Argument[this]; taint; manual |
| 13 | Summary: javax.xml.transform.sax; SAXSource; false; SAXSource; (XMLReader,InputSource); ; Argument[1]; Argument[this]; taint; manual |
| 14 | Summary: javax.xml.transform.stream; StreamSource; false; StreamSource; ; ; Argument[0]; Argument[this]; taint; manual |
| 15 | Summary: javax.xml.transform; Templates; true; newTransformer; (); ; Argument[this]; ReturnValue; taint; df-generated |
| 16 | Summary: javax.xml.transform; TransformerFactory; true; newTemplates; (Source); ; Argument[0]; ReturnValue; taint; df-generated |
| 17 | Summary: org.xml.sax; InputSource; false; InputSource; ; ; Argument[0]; Argument[this]; taint; manual |
nodes
| XsltInjectionTest.java:30:27:30:67 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
| XsltInjectionTest.java:30:44:30:66 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| XsltInjectionTest.java:31:5:31:59 | newTransformer(...) | semmle.label | newTransformer(...) |
| XsltInjectionTest.java:31:53:31:58 | source : StreamSource | semmle.label | source : StreamSource |
| XsltInjectionTest.java:35:27:35:90 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
| XsltInjectionTest.java:35:44:35:89 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
| XsltInjectionTest.java:35:66:35:88 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| XsltInjectionTest.java:36:5:36:57 | newTemplates(...) : Templates | semmle.label | newTemplates(...) : Templates |
| XsltInjectionTest.java:36:5:36:74 | newTransformer(...) | semmle.label | newTransformer(...) |
| XsltInjectionTest.java:36:51:36:56 | source : StreamSource | semmle.label | source : StreamSource |
| XsltInjectionTest.java:40:45:40:70 | param : String | semmle.label | param : String |
| XsltInjectionTest.java:42:27:42:66 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
| XsltInjectionTest.java:42:44:42:65 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
| XsltInjectionTest.java:42:61:42:64 | xslt : String | semmle.label | xslt : String |
| XsltInjectionTest.java:43:5:43:59 | newTransformer(...) | semmle.label | newTransformer(...) |
| XsltInjectionTest.java:43:53:43:58 | source : StreamSource | semmle.label | source : StreamSource |
| XsltInjectionTest.java:47:24:47:78 | new SAXSource(...) : SAXSource | semmle.label | new SAXSource(...) : SAXSource |
| XsltInjectionTest.java:47:38:47:77 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource |
| XsltInjectionTest.java:47:54:47:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| XsltInjectionTest.java:48:5:48:57 | newTemplates(...) : Templates | semmle.label | newTemplates(...) : Templates |
| XsltInjectionTest.java:48:5:48:74 | newTransformer(...) | semmle.label | newTransformer(...) |
| XsltInjectionTest.java:48:51:48:56 | source : SAXSource | semmle.label | source : SAXSource |
| XsltInjectionTest.java:53:9:53:92 | new SAXSource(...) : SAXSource | semmle.label | new SAXSource(...) : SAXSource |
| XsltInjectionTest.java:53:29:53:91 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource |
| XsltInjectionTest.java:53:45:53:90 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
| XsltInjectionTest.java:53:67:53:89 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| XsltInjectionTest.java:54:5:54:59 | newTransformer(...) | semmle.label | newTransformer(...) |
| XsltInjectionTest.java:54:53:54:58 | source : SAXSource | semmle.label | source : SAXSource |
| XsltInjectionTest.java:59:9:59:99 | new StAXSource(...) : StAXSource | semmle.label | new StAXSource(...) : StAXSource |
| XsltInjectionTest.java:59:24:59:98 | createXMLEventReader(...) : XMLEventReader | semmle.label | createXMLEventReader(...) : XMLEventReader |
| XsltInjectionTest.java:59:75:59:97 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| XsltInjectionTest.java:60:5:60:59 | newTransformer(...) | semmle.label | newTransformer(...) |
| XsltInjectionTest.java:60:53:60:58 | source : StAXSource | semmle.label | source : StAXSource |
| XsltInjectionTest.java:64:25:65:56 | new StAXSource(...) : StAXSource | semmle.label | new StAXSource(...) : StAXSource |
| XsltInjectionTest.java:64:40:65:55 | createXMLStreamReader(...) : XMLStreamReader | semmle.label | createXMLStreamReader(...) : XMLStreamReader |
| XsltInjectionTest.java:65:9:65:54 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
| XsltInjectionTest.java:65:31:65:53 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| XsltInjectionTest.java:66:5:66:57 | newTemplates(...) : Templates | semmle.label | newTemplates(...) : Templates |
| XsltInjectionTest.java:66:5:66:74 | newTransformer(...) | semmle.label | newTransformer(...) |
| XsltInjectionTest.java:66:51:66:56 | source : StAXSource | semmle.label | source : StAXSource |
| XsltInjectionTest.java:70:24:71:97 | new DOMSource(...) : DOMSource | semmle.label | new DOMSource(...) : DOMSource |
| XsltInjectionTest.java:71:9:71:96 | parse(...) : Document | semmle.label | parse(...) : Document |
| XsltInjectionTest.java:71:73:71:95 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| XsltInjectionTest.java:72:5:72:59 | newTransformer(...) | semmle.label | newTransformer(...) |
| XsltInjectionTest.java:72:53:72:58 | source : DOMSource | semmle.label | source : DOMSource |
| XsltInjectionTest.java:76:27:76:67 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
| XsltInjectionTest.java:76:44:76:66 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| XsltInjectionTest.java:80:5:80:34 | newTransformer(...) | semmle.label | newTransformer(...) |
| XsltInjectionTest.java:80:28:80:33 | source : StreamSource | semmle.label | source : StreamSource |
| XsltInjectionTest.java:84:27:84:67 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
| XsltInjectionTest.java:84:44:84:66 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| XsltInjectionTest.java:87:5:87:34 | newTransformer(...) | semmle.label | newTransformer(...) |
| XsltInjectionTest.java:87:28:87:33 | source : StreamSource | semmle.label | source : StreamSource |
| XsltInjectionTest.java:91:27:91:67 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
| XsltInjectionTest.java:91:44:91:66 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| XsltInjectionTest.java:94:5:94:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable |
| XsltInjectionTest.java:94:5:94:35 | load(...) | semmle.label | load(...) |
| XsltInjectionTest.java:94:22:94:27 | source : StreamSource | semmle.label | source : StreamSource |
| XsltInjectionTest.java:95:5:95:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable |
| XsltInjectionTest.java:95:5:95:37 | load30(...) | semmle.label | load30(...) |
| XsltInjectionTest.java:95:22:95:27 | source : StreamSource | semmle.label | source : StreamSource |
| XsltInjectionTest.java:96:5:96:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable |
| XsltInjectionTest.java:96:5:96:37 | load30(...) | semmle.label | load30(...) |
| XsltInjectionTest.java:96:22:96:27 | source : StreamSource | semmle.label | source : StreamSource |
| XsltInjectionTest.java:97:5:97:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable |
| XsltInjectionTest.java:97:5:97:37 | load30(...) | semmle.label | load30(...) |
| XsltInjectionTest.java:97:22:97:27 | source : StreamSource | semmle.label | source : StreamSource |
| XsltInjectionTest.java:98:5:98:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable |
| XsltInjectionTest.java:98:5:98:37 | load30(...) | semmle.label | load30(...) |
| XsltInjectionTest.java:98:22:98:27 | source : StreamSource | semmle.label | source : StreamSource |
| XsltInjectionTest.java:99:5:99:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable |
| XsltInjectionTest.java:99:5:99:37 | load30(...) | semmle.label | load30(...) |
| XsltInjectionTest.java:99:22:99:27 | source : StreamSource | semmle.label | source : StreamSource |
| XsltInjectionTest.java:100:5:100:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable |
| XsltInjectionTest.java:100:5:100:37 | load30(...) | semmle.label | load30(...) |
| XsltInjectionTest.java:100:22:100:27 | source : StreamSource | semmle.label | source : StreamSource |
| XsltInjectionTest.java:101:5:101:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable |
| XsltInjectionTest.java:101:5:101:37 | load30(...) | semmle.label | load30(...) |
| XsltInjectionTest.java:101:22:101:27 | source : StreamSource | semmle.label | source : StreamSource |
| XsltInjectionTest.java:102:5:102:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable |
| XsltInjectionTest.java:102:5:102:37 | load30(...) | semmle.label | load30(...) |
| XsltInjectionTest.java:102:22:102:27 | source : StreamSource | semmle.label | source : StreamSource |
| XsltInjectionTest.java:103:5:103:28 | compile(...) : XsltExecutable | semmle.label | compile(...) : XsltExecutable |
| XsltInjectionTest.java:103:5:103:37 | load30(...) | semmle.label | load30(...) |
| XsltInjectionTest.java:103:22:103:27 | source : StreamSource | semmle.label | source : StreamSource |
| XsltInjectionTest.java:107:36:107:61 | param : String | semmle.label | param : String |
| XsltInjectionTest.java:107:64:107:76 | socket : Socket | semmle.label | socket : Socket |
| XsltInjectionTest.java:108:15:108:28 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| XsltInjectionTest.java:108:23:108:27 | param : String | semmle.label | param : String |
| XsltInjectionTest.java:109:27:109:67 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
| XsltInjectionTest.java:109:44:109:49 | socket : Socket | semmle.label | socket : Socket |
| XsltInjectionTest.java:109:44:109:66 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| XsltInjectionTest.java:112:5:112:39 | loadExecutablePackage(...) : XsltExecutable | semmle.label | loadExecutablePackage(...) : XsltExecutable |
| XsltInjectionTest.java:112:5:112:46 | load(...) | semmle.label | load(...) |
| XsltInjectionTest.java:112:36:112:38 | uri : URI | semmle.label | uri : URI |
| XsltInjectionTest.java:113:5:113:35 | compilePackage(...) : XsltPackage | semmle.label | compilePackage(...) : XsltPackage |
| XsltInjectionTest.java:113:5:113:42 | link(...) : XsltExecutable | semmle.label | link(...) : XsltExecutable |
| XsltInjectionTest.java:113:5:113:49 | load(...) | semmle.label | load(...) |
| XsltInjectionTest.java:113:29:113:34 | source : StreamSource | semmle.label | source : StreamSource |
| XsltInjectionTest.java:114:5:114:36 | loadLibraryPackage(...) : XsltPackage | semmle.label | loadLibraryPackage(...) : XsltPackage |
| XsltInjectionTest.java:114:5:114:43 | link(...) : XsltExecutable | semmle.label | link(...) : XsltExecutable |
| XsltInjectionTest.java:114:5:114:50 | load(...) | semmle.label | load(...) |
| XsltInjectionTest.java:114:33:114:35 | uri : URI | semmle.label | uri : URI |
subpaths

72
java/ql/test/query-tests/security/CWE-074/XsltInjectionTest.java → java/ql/test/query-tests/security/CWE-074/XsltInjection/XsltInjectionTest.java
View File

@@ -27,91 +27,91 @@ import net.sf.saxon.s9api.XsltCompiler;
@Controller
public class XsltInjectionTest {
public void testStreamSourceInputStream(Socket socket) throws Exception {
StreamSource source = new StreamSource(socket.getInputStream());
TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $hasXsltInjection
StreamSource source = new StreamSource(socket.getInputStream()); // $ Source
TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $ Alert
}
public void testStreamSourceReader(Socket socket) throws Exception {
StreamSource source = new StreamSource(new InputStreamReader(socket.getInputStream()));
TransformerFactory.newInstance().newTemplates(source).newTransformer().transform(null, null); // $hasXsltInjection
StreamSource source = new StreamSource(new InputStreamReader(socket.getInputStream())); // $ Source
TransformerFactory.newInstance().newTemplates(source).newTransformer().transform(null, null); // $ Alert
}
@RequestMapping
public void testStreamSourceInjectedParam(@RequestParam String param) throws Exception {
public void testStreamSourceInjectedParam(@RequestParam String param) throws Exception { // $ Source
String xslt = "<xsl:stylesheet [...]" + param + "</xsl:stylesheet>";
StreamSource source = new StreamSource(new StringReader(xslt));
TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $hasXsltInjection
TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $ Alert
}
public void testSAXSourceInputStream(Socket socket) throws Exception {
SAXSource source = new SAXSource(new InputSource(socket.getInputStream()));
TransformerFactory.newInstance().newTemplates(source).newTransformer().transform(null, null); // $hasXsltInjection
SAXSource source = new SAXSource(new InputSource(socket.getInputStream())); // $ Source
TransformerFactory.newInstance().newTemplates(source).newTransformer().transform(null, null); // $ Alert
}
public void testSAXSourceReader(Socket socket) throws Exception {
SAXSource source =
new SAXSource(null, new InputSource(new InputStreamReader(socket.getInputStream())));
TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $hasXsltInjection
new SAXSource(null, new InputSource(new InputStreamReader(socket.getInputStream()))); // $ Source
TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $ Alert
}
public void testStAXSourceEventReader(Socket socket) throws Exception {
StAXSource source =
new StAXSource(XMLInputFactory.newInstance().createXMLEventReader(socket.getInputStream()));
TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $hasXsltInjection
new StAXSource(XMLInputFactory.newInstance().createXMLEventReader(socket.getInputStream())); // $ Source
TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $ Alert
}
public void testStAXSourceEventStream(Socket socket) throws Exception {
StAXSource source = new StAXSource(XMLInputFactory.newInstance().createXMLStreamReader(null,
new InputStreamReader(socket.getInputStream())));
TransformerFactory.newInstance().newTemplates(source).newTransformer().transform(null, null); // $hasXsltInjection
new InputStreamReader(socket.getInputStream()))); // $ Source
TransformerFactory.newInstance().newTemplates(source).newTransformer().transform(null, null); // $ Alert
}
public void testDOMSource(Socket socket) throws Exception {
DOMSource source = new DOMSource(
DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(socket.getInputStream()));
TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $hasXsltInjection
DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(socket.getInputStream())); // $ Source
TransformerFactory.newInstance().newTransformer(source).transform(null, null); // $ Alert
}
public void testDisabledXXE(Socket socket) throws Exception {
StreamSource source = new StreamSource(socket.getInputStream());
StreamSource source = new StreamSource(socket.getInputStream()); // $ Source
TransformerFactory factory = TransformerFactory.newInstance();
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
factory.newTransformer(source).transform(null, null); // $hasXsltInjection
factory.newTransformer(source).transform(null, null); // $ Alert
}
public void testFeatureSecureProcessingDisabled(Socket socket) throws Exception {
StreamSource source = new StreamSource(socket.getInputStream());
StreamSource source = new StreamSource(socket.getInputStream()); // $ Source
TransformerFactory factory = TransformerFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false);
factory.newTransformer(source).transform(null, null); // $hasXsltInjection
factory.newTransformer(source).transform(null, null); // $ Alert
}
public void testSaxon(Socket socket) throws Exception {
StreamSource source = new StreamSource(socket.getInputStream());
StreamSource source = new StreamSource(socket.getInputStream()); // $ Source
XsltCompiler compiler = new Processor(true).newXsltCompiler();
compiler.compile(source).load().transform(); // $hasXsltInjection
compiler.compile(source).load30().transform(null, null); // $hasXsltInjection
compiler.compile(source).load30().applyTemplates((Source) null); // $hasXsltInjection
compiler.compile(source).load30().applyTemplates((Source) null, null); // $hasXsltInjection
compiler.compile(source).load30().applyTemplates((XdmValue) null); // $hasXsltInjection
compiler.compile(source).load30().applyTemplates((XdmValue) null, null); // $hasXsltInjection
compiler.compile(source).load30().callFunction(null, null); // $hasXsltInjection
compiler.compile(source).load30().callFunction(null, null, null); // $hasXsltInjection
compiler.compile(source).load30().callTemplate(null); // $hasXsltInjection
compiler.compile(source).load30().callTemplate(null, null); // $hasXsltInjection
compiler.compile(source).load().transform(); // $ Alert
compiler.compile(source).load30().transform(null, null); // $ Alert
compiler.compile(source).load30().applyTemplates((Source) null); // $ Alert
compiler.compile(source).load30().applyTemplates((Source) null, null); // $ Alert
compiler.compile(source).load30().applyTemplates((XdmValue) null); // $ Alert
compiler.compile(source).load30().applyTemplates((XdmValue) null, null); // $ Alert
compiler.compile(source).load30().callFunction(null, null); // $ Alert
compiler.compile(source).load30().callFunction(null, null, null); // $ Alert
compiler.compile(source).load30().callTemplate(null); // $ Alert
compiler.compile(source).load30().callTemplate(null, null); // $ Alert
}
@RequestMapping
public void testSaxonXsltPackage(@RequestParam String param, Socket socket) throws Exception {
public void testSaxonXsltPackage(@RequestParam String param, Socket socket) throws Exception { // $ Source
URI uri = new URI(param);
StreamSource source = new StreamSource(socket.getInputStream());
StreamSource source = new StreamSource(socket.getInputStream()); // $ Source
XsltCompiler compiler = new Processor(true).newXsltCompiler();
compiler.loadExecutablePackage(uri).load().transform(); // $hasXsltInjection
compiler.compilePackage(source).link().load().transform(); // $hasXsltInjection
compiler.loadLibraryPackage(uri).link().load().transform(); // $hasXsltInjection
compiler.loadExecutablePackage(uri).load().transform(); // $ Alert
compiler.compilePackage(source).link().load().transform(); // $ Alert
compiler.loadLibraryPackage(uri).link().load().transform(); // $ Alert
}
public void testOkFeatureSecureProcessing(Socket socket) throws Exception {

4
java/ql/test/query-tests/security/CWE-074/XsltInjection/XsltInjectionTest.qlref Normal file
View File

@@ -0,0 +1,4 @@
query: Security/CWE/CWE-074/XsltInjection.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql

1
java/ql/test/query-tests/security/CWE-074/XsltInjection/options Normal file
View File

@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.8.x:${testdir}/../../../../stubs/shiro-core-1.5.2:${testdir}/../../../../stubs/spring-ldap-2.3.2:${testdir}/../../../../stubs/Saxon-HE-9.9.1-7:${testdir}/../../../../stubs/apache-commons-logging-1.2

0
java/ql/test/query-tests/security/CWE-074/XsltInjectionTest.expected
View File

20
java/ql/test/query-tests/security/CWE-074/XsltInjectionTest.ql
View File

@@ -1,20 +0,0 @@
import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.XsltInjectionQuery
import utils.test.InlineExpectationsTest
module HasXsltInjectionTest implements TestSig {
string getARelevantTag() { result = "hasXsltInjection" }
predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasXsltInjection" and
exists(DataFlow::Node sink | XsltInjectionFlow::flowTo(sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}
import MakeTest<HasXsltInjectionTest>

1
java/ql/test/query-tests/security/CWE-074/options
View File

@@ -1 +0,0 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/shiro-core-1.5.2:${testdir}/../../../stubs/spring-ldap-2.3.2:${testdir}/../../../stubs/Saxon-HE-9.9.1-7:${testdir}/../../../stubs/apache-commons-logging-1.2

74
java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java
View File

@@ -12,25 +12,25 @@ import java.util.Locale;
public class JaxXSS {
@GET
public static Response specificContentType(boolean safeContentType, boolean chainDirectly, boolean contentTypeFirst, String userControlled) {
public static Response specificContentType(boolean safeContentType, boolean chainDirectly, boolean contentTypeFirst, String userControlled) { // $ Source
Response.ResponseBuilder builder = Response.ok();
if(!safeContentType) {
if(chainDirectly) {
if(contentTypeFirst)
return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss
return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert
else
return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $ xss
return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $ Alert
}
else {
if(contentTypeFirst) {
Response.ResponseBuilder builder2 = builder.type(MediaType.TEXT_HTML);
return builder2.entity(userControlled).build(); // $ xss
return builder2.entity(userControlled).build(); // $ Alert
}
else {
Response.ResponseBuilder builder2 = builder.entity(userControlled);
return builder2.type(MediaType.TEXT_HTML).build(); // $ xss
return builder2.type(MediaType.TEXT_HTML).build(); // $ Alert
}
}
}
@@ -56,7 +56,7 @@ public class JaxXSS {
}
@GET
public static Response specificContentTypeSetterMethods(int route, boolean safeContentType, String userControlled) {
public static Response specificContentTypeSetterMethods(int route, boolean safeContentType, String userControlled) { // $ Source
// Test the remarkably many routes to setting a content-type in Jax-RS, besides the ResponseBuilder.entity method used above:
@@ -105,39 +105,39 @@ public class JaxXSS {
else {
if(route == 0) {
// via ok, as a string literal:
return Response.ok("text/html").entity(userControlled).build(); // $ xss
return Response.ok("text/html").entity(userControlled).build(); // $ Alert
}
else if(route == 1) {
// via ok, as a string constant:
return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss
return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert
}
else if(route == 2) {
// via ok, as a MediaType constant:
return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $ xss
return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $ Alert
}
else if(route == 3) {
// via ok, as a Variant, via constructor:
return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ xss
return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert
}
else if(route == 4) {
// via ok, as a Variant, via static method:
return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ xss
return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert
}
else if(route == 5) {
// via ok, as a Variant, via instance method:
return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ xss
return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert
}
else if(route == 6) {
// via builder variant, before entity:
return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ xss
return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert
}
else if(route == 7) {
// via builder variant, after entity:
return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $ xss
return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $ Alert
}
else if(route == 8) {
// provide entity via ok, then content-type via builder:
return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $ xss
return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $ Alert
}
}
@@ -161,28 +161,28 @@ public class JaxXSS {
}
@GET @Produces(MediaType.TEXT_HTML)
public static Response methodContentTypeUnsafe(String userControlled) {
return Response.ok(userControlled).build(); // $ xss
public static Response methodContentTypeUnsafe(String userControlled) { // $ Source
return Response.ok(userControlled).build(); // $ Alert
}
@POST @Produces(MediaType.TEXT_HTML)
public static Response methodContentTypeUnsafePost(String userControlled) {
return Response.ok(userControlled).build(); // $ xss
public static Response methodContentTypeUnsafePost(String userControlled) { // $ Source
return Response.ok(userControlled).build(); // $ Alert
}
@GET @Produces("text/html")
public static Response methodContentTypeUnsafeStringLiteral(String userControlled) {
return Response.ok(userControlled).build(); // $ xss
public static Response methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source
return Response.ok(userControlled).build(); // $ Alert
}
@GET @Produces({MediaType.TEXT_HTML, MediaType.APPLICATION_JSON})
public static Response methodContentTypeMaybeSafe(String userControlled) {
return Response.ok(userControlled).build(); // $ xss
public static Response methodContentTypeMaybeSafe(String userControlled) { // $ Source
return Response.ok(userControlled).build(); // $ Alert
}
@GET @Produces(MediaType.APPLICATION_JSON)
public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) {
return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss
public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source
return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert
}
@GET @Produces(MediaType.TEXT_HTML)
@@ -204,13 +204,13 @@ public class JaxXSS {
}
@GET @Produces({"text/html"})
public Response overridesWithUnsafe(String userControlled) {
return Response.ok(userControlled).build(); // $ xss
public Response overridesWithUnsafe(String userControlled) { // $ Source
return Response.ok(userControlled).build(); // $ Alert
}
@GET
public Response overridesWithUnsafe2(String userControlled) {
return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss
public Response overridesWithUnsafe2(String userControlled) { // $ Source
return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert
}
}
@@ -218,13 +218,13 @@ public class JaxXSS {
@Produces({"text/html"})
public static class ClassContentTypeUnsafe {
@GET
public Response test(String userControlled) {
return Response.ok(userControlled).build(); // $ xss
public Response test(String userControlled) { // $ Source
return Response.ok(userControlled).build(); // $ Alert
}
@GET
public String testDirectReturn(String userControlled) {
return userControlled; // $ xss
public String testDirectReturn(String userControlled) { // $ Source
return userControlled; // $ Alert
}
@GET @Produces({"application/json"})
@@ -239,13 +239,13 @@ public class JaxXSS {
}
@GET
public static Response entityWithNoMediaType(String userControlled) {
return Response.ok(userControlled).build(); // $ xss
public static Response entityWithNoMediaType(String userControlled) { // $ Source
return Response.ok(userControlled).build(); // $ Alert
}
@GET
public static String stringWithNoMediaType(String userControlled) {
return userControlled; // $ xss
public static String stringWithNoMediaType(String userControlled) { // $ Source
return userControlled; // $ Alert
}
}

20
java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java
View File

@@ -18,7 +18,7 @@ public class JsfXSS extends Renderer
{
super.encodeBegin(facesContext, component);
Map<String, String> requestParameters = facesContext.getExternalContext().getRequestParameterMap();
Map<String, String> requestParameters = facesContext.getExternalContext().getRequestParameterMap(); // $ Source
String windowId = requestParameters.get("window_id");
ResponseWriter writer = facesContext.getResponseWriter();
@@ -26,7 +26,7 @@ public class JsfXSS extends Renderer
writer.write("(function(){");
writer.write("dswh.init('" + windowId + "','"
+ "......" + "',"
+ -1 + ",{"); // $ xss
+ -1 + ",{"); // $ Alert
writer.write("});");
writer.write("})();");
writer.write("</script>");
@@ -57,13 +57,13 @@ public class JsfXSS extends Renderer
{
ExternalContext ec = facesContext.getExternalContext();
ResponseWriter writer = facesContext.getResponseWriter();
writer.write(ec.getRequestParameterMap().keySet().iterator().next()); // $ xss
writer.write(ec.getRequestParameterNames().next()); // $ xss
writer.write(ec.getRequestParameterValuesMap().get("someKey")[0]); // $ xss
writer.write(ec.getRequestParameterValuesMap().keySet().iterator().next()); // $ xss
writer.write(ec.getRequestPathInfo()); // $ xss
writer.write(((Cookie)ec.getRequestCookieMap().get("someKey")).getName()); // $ xss
writer.write(ec.getRequestHeaderMap().get("someKey")); // $ xss
writer.write(ec.getRequestHeaderValuesMap().get("someKey")[0]); // $ xss
writer.write(ec.getRequestParameterMap().keySet().iterator().next()); // $ Alert
writer.write(ec.getRequestParameterNames().next()); // $ Alert
writer.write(ec.getRequestParameterValuesMap().get("someKey")[0]); // $ Alert
writer.write(ec.getRequestParameterValuesMap().keySet().iterator().next()); // $ Alert
writer.write(ec.getRequestPathInfo()); // $ Alert
writer.write(((Cookie)ec.getRequestCookieMap().get("someKey")).getName()); // $ Alert
writer.write(ec.getRequestHeaderMap().get("someKey")); // $ Alert
writer.write(ec.getRequestHeaderValuesMap().get("someKey")[0]); // $ Alert
}
}

56
java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java
View File

@@ -13,17 +13,17 @@ import java.util.Optional;
public class SpringXSS {
@GetMapping
public static ResponseEntity<String> specificContentType(boolean safeContentType, boolean chainDirectly, String userControlled) {
public static ResponseEntity<String> specificContentType(boolean safeContentType, boolean chainDirectly, String userControlled) { // $ Source
ResponseEntity.BodyBuilder builder = ResponseEntity.ok();
if(!safeContentType) {
if(chainDirectly) {
return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss
return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert
}
else {
ResponseEntity.BodyBuilder builder2 = builder.contentType(MediaType.TEXT_HTML);
return builder2.body(userControlled); // $ xss
return builder2.body(userControlled); // $ Alert
}
}
else {
@@ -59,23 +59,23 @@ public class SpringXSS {
}
@GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
public static ResponseEntity<String> methodContentTypeUnsafe(String userControlled) {
return ResponseEntity.ok(userControlled); // $ xss
public static ResponseEntity<String> methodContentTypeUnsafe(String userControlled) { // $ Source
return ResponseEntity.ok(userControlled); // $ Alert
}
@GetMapping(value = "/xyz", produces = "text/html")
public static ResponseEntity<String> methodContentTypeUnsafeStringLiteral(String userControlled) {
return ResponseEntity.ok(userControlled); // $ xss
public static ResponseEntity<String> methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source
return ResponseEntity.ok(userControlled); // $ Alert
}
@GetMapping(value = "/xyz", produces = {MediaType.TEXT_HTML_VALUE, MediaType.APPLICATION_JSON_VALUE})
public static ResponseEntity<String> methodContentTypeMaybeSafe(String userControlled) {
return ResponseEntity.ok(userControlled); // $ xss
public static ResponseEntity<String> methodContentTypeMaybeSafe(String userControlled) { // $ Source
return ResponseEntity.ok(userControlled); // $ Alert
}
@GetMapping(value = "/xyz", produces = MediaType.APPLICATION_JSON_VALUE)
public static ResponseEntity<String> methodContentTypeSafeOverriddenWithUnsafe(String userControlled) {
return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss
public static ResponseEntity<String> methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source
return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert
}
@GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
@@ -84,17 +84,17 @@ public class SpringXSS {
}
@GetMapping(value = "/xyz", produces = {"text/html", "application/json"})
public static ResponseEntity<String> methodContentTypeMaybeSafeStringLiterals(String userControlled, int constructionMethod) {
public static ResponseEntity<String> methodContentTypeMaybeSafeStringLiterals(String userControlled, int constructionMethod) { // $ Source
// Also try out some alternative constructors for the ResponseEntity:
switch(constructionMethod) {
case 0:
return ResponseEntity.ok(userControlled); // $ xss
return ResponseEntity.ok(userControlled); // $ Alert
case 1:
return ResponseEntity.of(Optional.of(userControlled)); // $ xss
return ResponseEntity.of(Optional.of(userControlled)); // $ Alert
case 2:
return ResponseEntity.ok().body(userControlled); // $ xss
return ResponseEntity.ok().body(userControlled); // $ Alert
case 3:
return new ResponseEntity<String>(userControlled, HttpStatus.OK); // $ xss
return new ResponseEntity<String>(userControlled, HttpStatus.OK); // $ Alert
default:
return null;
}
@@ -114,13 +114,13 @@ public class SpringXSS {
}
@GetMapping(value = "/xyz", produces = {"text/html"})
public ResponseEntity<String> overridesWithUnsafe(String userControlled) {
return ResponseEntity.ok(userControlled); // $ xss
public ResponseEntity<String> overridesWithUnsafe(String userControlled) { // $ Source
return ResponseEntity.ok(userControlled); // $ Alert
}
@GetMapping(value = "/abc")
public ResponseEntity<String> overridesWithUnsafe2(String userControlled) {
return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss
public ResponseEntity<String> overridesWithUnsafe2(String userControlled) { // $ Source
return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert
}
}
@@ -128,13 +128,13 @@ public class SpringXSS {
@RequestMapping(produces = {"text/html"})
private static class ClassContentTypeUnsafe {
@GetMapping(value = "/abc")
public ResponseEntity<String> test(String userControlled) {
return ResponseEntity.ok(userControlled); // $ xss
public ResponseEntity<String> test(String userControlled) { // $ Source
return ResponseEntity.ok(userControlled); // $ Alert
}
@GetMapping(value = "/abc")
public String testDirectReturn(String userControlled) {
return userControlled; // $ xss
public String testDirectReturn(String userControlled) { // $ Source
return userControlled; // $ Alert
}
@GetMapping(value = "/xyz", produces = {"application/json"})
@@ -149,13 +149,13 @@ public class SpringXSS {
}
@GetMapping(value = "/abc")
public static ResponseEntity<String> entityWithNoMediaType(String userControlled) {
return ResponseEntity.ok(userControlled); // $ xss
public static ResponseEntity<String> entityWithNoMediaType(String userControlled) { // $ Source
return ResponseEntity.ok(userControlled); // $ Alert
}
@GetMapping(value = "/abc")
public static String stringWithNoMediaType(String userControlled) {
return userControlled; // $ xss
public static String stringWithNoMediaType(String userControlled) { // $ Source
return userControlled; // $ Alert
}
@GetMapping(value = "/abc")

336
java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.expected
View File

@@ -0,0 +1,336 @@
#select
| JaxXSS.java:22:59:22:72 | userControlled | JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:22:59:22:72 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:15:120:15:140 | userControlled | user-provided value |
| JaxXSS.java:24:33:24:46 | userControlled | JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:24:33:24:46 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:15:120:15:140 | userControlled | user-provided value |
| JaxXSS.java:29:34:29:47 | userControlled | JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:29:34:29:47 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:15:120:15:140 | userControlled | user-provided value |
| JaxXSS.java:33:18:33:59 | build(...) | JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:33:18:33:59 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:15:120:15:140 | userControlled | user-provided value |
| JaxXSS.java:108:16:108:70 | build(...) | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:108:16:108:70 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value |
| JaxXSS.java:112:16:112:78 | build(...) | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:112:16:112:78 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value |
| JaxXSS.java:116:16:116:83 | build(...) | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:116:16:116:83 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value |
| JaxXSS.java:120:98:120:111 | userControlled | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:120:98:120:111 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value |
| JaxXSS.java:124:89:124:102 | userControlled | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:124:89:124:102 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value |
| JaxXSS.java:128:110:128:123 | userControlled | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:128:110:128:123 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value |
| JaxXSS.java:132:108:132:121 | userControlled | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:132:108:132:121 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value |
| JaxXSS.java:136:37:136:50 | userControlled | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:136:37:136:50 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value |
| JaxXSS.java:140:16:140:81 | build(...) | JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:140:16:140:81 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:59:95:59:115 | userControlled | user-provided value |
| JaxXSS.java:165:12:165:46 | build(...) | JaxXSS.java:164:50:164:70 | userControlled : String | JaxXSS.java:165:12:165:46 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:164:50:164:70 | userControlled | user-provided value |
| JaxXSS.java:170:12:170:46 | build(...) | JaxXSS.java:169:54:169:74 | userControlled : String | JaxXSS.java:170:12:170:46 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:169:54:169:74 | userControlled | user-provided value |
| JaxXSS.java:175:12:175:46 | build(...) | JaxXSS.java:174:63:174:83 | userControlled : String | JaxXSS.java:175:12:175:46 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:174:63:174:83 | userControlled | user-provided value |
| JaxXSS.java:180:12:180:46 | build(...) | JaxXSS.java:179:53:179:73 | userControlled : String | JaxXSS.java:180:12:180:46 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:179:53:179:73 | userControlled | user-provided value |
| JaxXSS.java:185:59:185:72 | userControlled | JaxXSS.java:184:68:184:88 | userControlled : String | JaxXSS.java:185:59:185:72 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:184:68:184:88 | userControlled | user-provided value |
| JaxXSS.java:208:14:208:48 | build(...) | JaxXSS.java:207:41:207:61 | userControlled : String | JaxXSS.java:208:14:208:48 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:207:41:207:61 | userControlled | user-provided value |
| JaxXSS.java:213:61:213:74 | userControlled | JaxXSS.java:212:42:212:62 | userControlled : String | JaxXSS.java:213:61:213:74 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:212:42:212:62 | userControlled | user-provided value |
| JaxXSS.java:222:14:222:48 | build(...) | JaxXSS.java:221:26:221:46 | userControlled : String | JaxXSS.java:222:14:222:48 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:221:26:221:46 | userControlled | user-provided value |
| JaxXSS.java:227:14:227:27 | userControlled | JaxXSS.java:226:36:226:56 | userControlled : String | JaxXSS.java:227:14:227:27 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:226:36:226:56 | userControlled | user-provided value |
| JaxXSS.java:243:12:243:46 | build(...) | JaxXSS.java:242:48:242:68 | userControlled : String | JaxXSS.java:243:12:243:46 | build(...) | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:242:48:242:68 | userControlled | user-provided value |
| JaxXSS.java:248:12:248:25 | userControlled | JaxXSS.java:247:46:247:66 | userControlled : String | JaxXSS.java:248:12:248:25 | userControlled | Cross-site scripting vulnerability due to a $@. | JaxXSS.java:247:46:247:66 | userControlled | user-provided value |
| JsfXSS.java:27:22:29:27 | ... + ... | JsfXSS.java:21:50:21:107 | getRequestParameterMap(...) : Map | JsfXSS.java:27:22:29:27 | ... + ... | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:21:50:21:107 | getRequestParameterMap(...) | user-provided value |
| JsfXSS.java:60:22:60:75 | next(...) | JsfXSS.java:60:22:60:48 | getRequestParameterMap(...) : Map | JsfXSS.java:60:22:60:75 | next(...) | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:60:22:60:48 | getRequestParameterMap(...) | user-provided value |
| JsfXSS.java:61:22:61:57 | next(...) | JsfXSS.java:61:22:61:50 | getRequestParameterNames(...) : Iterator | JsfXSS.java:61:22:61:57 | next(...) | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:61:22:61:50 | getRequestParameterNames(...) | user-provided value |
| JsfXSS.java:62:22:62:72 | ...[...] | JsfXSS.java:62:22:62:54 | getRequestParameterValuesMap(...) : Map | JsfXSS.java:62:22:62:72 | ...[...] | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:62:22:62:54 | getRequestParameterValuesMap(...) | user-provided value |
| JsfXSS.java:63:22:63:81 | next(...) | JsfXSS.java:63:22:63:54 | getRequestParameterValuesMap(...) : Map | JsfXSS.java:63:22:63:81 | next(...) | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:63:22:63:54 | getRequestParameterValuesMap(...) | user-provided value |
| JsfXSS.java:64:22:64:44 | getRequestPathInfo(...) | JsfXSS.java:64:22:64:44 | getRequestPathInfo(...) | JsfXSS.java:64:22:64:44 | getRequestPathInfo(...) | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:64:22:64:44 | getRequestPathInfo(...) | user-provided value |
| JsfXSS.java:65:22:65:80 | getName(...) | JsfXSS.java:65:22:65:80 | getName(...) | JsfXSS.java:65:22:65:80 | getName(...) | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:65:22:65:80 | getName(...) | user-provided value |
| JsfXSS.java:66:22:66:60 | get(...) | JsfXSS.java:66:22:66:45 | getRequestHeaderMap(...) : Map | JsfXSS.java:66:22:66:60 | get(...) | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:66:22:66:45 | getRequestHeaderMap(...) | user-provided value |
| JsfXSS.java:67:22:67:69 | ...[...] | JsfXSS.java:67:22:67:51 | getRequestHeaderValuesMap(...) : Map | JsfXSS.java:67:22:67:69 | ...[...] | Cross-site scripting vulnerability due to a $@. | JsfXSS.java:67:22:67:51 | getRequestHeaderValuesMap(...) | user-provided value |
| SpringXSS.java:22:62:22:75 | userControlled | SpringXSS.java:16:108:16:128 | userControlled : String | SpringXSS.java:22:62:22:75 | userControlled | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:16:108:16:128 | userControlled | user-provided value |
| SpringXSS.java:26:30:26:43 | userControlled | SpringXSS.java:16:108:16:128 | userControlled : String | SpringXSS.java:26:30:26:43 | userControlled | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:16:108:16:128 | userControlled | user-provided value |
| SpringXSS.java:63:12:63:44 | ok(...) | SpringXSS.java:62:64:62:84 | userControlled : String | SpringXSS.java:63:12:63:44 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:62:64:62:84 | userControlled | user-provided value |
| SpringXSS.java:68:12:68:44 | ok(...) | SpringXSS.java:67:77:67:97 | userControlled : String | SpringXSS.java:68:12:68:44 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:67:77:67:97 | userControlled | user-provided value |
| SpringXSS.java:73:12:73:44 | ok(...) | SpringXSS.java:72:67:72:87 | userControlled : String | SpringXSS.java:73:12:73:44 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:72:67:72:87 | userControlled | user-provided value |
| SpringXSS.java:78:70:78:83 | userControlled | SpringXSS.java:77:82:77:102 | userControlled : String | SpringXSS.java:78:70:78:83 | userControlled | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:77:82:77:102 | userControlled | user-provided value |
| SpringXSS.java:91:14:91:46 | ok(...) | SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:91:14:91:46 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:87:81:87:101 | userControlled | user-provided value |
| SpringXSS.java:93:14:93:59 | of(...) | SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:93:14:93:59 | of(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:87:81:87:101 | userControlled | user-provided value |
| SpringXSS.java:95:14:95:53 | body(...) | SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:95:14:95:53 | body(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:87:81:87:101 | userControlled | user-provided value |
| SpringXSS.java:97:14:97:70 | new ResponseEntity<String>(...) | SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:97:14:97:70 | new ResponseEntity<String>(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:87:81:87:101 | userControlled | user-provided value |
| SpringXSS.java:118:14:118:46 | ok(...) | SpringXSS.java:117:55:117:75 | userControlled : String | SpringXSS.java:118:14:118:46 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:117:55:117:75 | userControlled | user-provided value |
| SpringXSS.java:123:72:123:85 | userControlled | SpringXSS.java:122:56:122:76 | userControlled : String | SpringXSS.java:123:72:123:85 | userControlled | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:122:56:122:76 | userControlled | user-provided value |
| SpringXSS.java:132:14:132:46 | ok(...) | SpringXSS.java:131:40:131:60 | userControlled : String | SpringXSS.java:132:14:132:46 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:131:40:131:60 | userControlled | user-provided value |
| SpringXSS.java:137:14:137:27 | userControlled | SpringXSS.java:136:36:136:56 | userControlled : String | SpringXSS.java:137:14:137:27 | userControlled | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:136:36:136:56 | userControlled | user-provided value |
| SpringXSS.java:153:12:153:44 | ok(...) | SpringXSS.java:152:62:152:82 | userControlled : String | SpringXSS.java:153:12:153:44 | ok(...) | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:152:62:152:82 | userControlled | user-provided value |
| SpringXSS.java:158:12:158:25 | userControlled | SpringXSS.java:157:46:157:66 | userControlled : String | SpringXSS.java:158:12:158:25 | userControlled | Cross-site scripting vulnerability due to a $@. | SpringXSS.java:157:46:157:66 | userControlled | user-provided value |
| XSS.java:19:12:19:77 | ... + ... | XSS.java:19:28:19:55 | getParameter(...) : String | XSS.java:19:12:19:77 | ... + ... | Cross-site scripting vulnerability due to a $@. | XSS.java:19:28:19:55 | getParameter(...) | user-provided value |
| XSS.java:34:30:34:87 | ... + ... | XSS.java:34:67:34:87 | getPathInfo(...) : String | XSS.java:34:30:34:87 | ... + ... | Cross-site scripting vulnerability due to a $@. | XSS.java:34:67:34:87 | getPathInfo(...) | user-provided value |
| XSS.java:37:36:37:67 | getBytes(...) | XSS.java:37:36:37:56 | getPathInfo(...) : String | XSS.java:37:36:37:67 | getBytes(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:37:36:37:56 | getPathInfo(...) | user-provided value |
| XSS.java:83:33:83:53 | getPathInfo(...) | XSS.java:83:33:83:53 | getPathInfo(...) | XSS.java:83:33:83:53 | getPathInfo(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:83:33:83:53 | getPathInfo(...) | user-provided value |
| XSS.java:88:33:88:53 | getPathInfo(...) | XSS.java:88:33:88:53 | getPathInfo(...) | XSS.java:88:33:88:53 | getPathInfo(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:88:33:88:53 | getPathInfo(...) | user-provided value |
| XSS.java:93:33:93:53 | getPathInfo(...) | XSS.java:93:33:93:53 | getPathInfo(...) | XSS.java:93:33:93:53 | getPathInfo(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:93:33:93:53 | getPathInfo(...) | user-provided value |
| XSS.java:100:39:100:70 | getBytes(...) | XSS.java:100:39:100:59 | getPathInfo(...) : String | XSS.java:100:39:100:70 | getBytes(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:100:39:100:59 | getPathInfo(...) | user-provided value |
| XSS.java:105:39:105:70 | getBytes(...) | XSS.java:105:39:105:59 | getPathInfo(...) : String | XSS.java:105:39:105:70 | getBytes(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:105:39:105:59 | getPathInfo(...) | user-provided value |
| XSS.java:110:39:110:70 | getBytes(...) | XSS.java:110:39:110:59 | getPathInfo(...) : String | XSS.java:110:39:110:70 | getBytes(...) | Cross-site scripting vulnerability due to a $@. | XSS.java:110:39:110:59 | getPathInfo(...) | user-provided value |
edges
| JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:22:59:22:72 | userControlled | provenance | |
| JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:24:33:24:46 | userControlled | provenance | |
| JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:29:34:29:47 | userControlled | provenance | |
| JaxXSS.java:15:120:15:140 | userControlled : String | JaxXSS.java:32:62:32:75 | userControlled : String | provenance | |
| JaxXSS.java:32:47:32:76 | entity(...) : ResponseBuilder | JaxXSS.java:33:18:33:25 | builder2 : ResponseBuilder | provenance | |
| JaxXSS.java:32:62:32:75 | userControlled : String | JaxXSS.java:32:47:32:76 | entity(...) : ResponseBuilder | provenance | MaD:17+MaD:18 |
| JaxXSS.java:33:18:33:25 | builder2 : ResponseBuilder | JaxXSS.java:33:18:33:51 | type(...) : ResponseBuilder | provenance | MaD:19 |
| JaxXSS.java:33:18:33:51 | type(...) : ResponseBuilder | JaxXSS.java:33:18:33:59 | build(...) | provenance | MaD:16 |
| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:108:48:108:61 | userControlled : String | provenance | |
| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:112:56:112:69 | userControlled : String | provenance | |
| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:116:61:116:74 | userControlled : String | provenance | |
| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:120:98:120:111 | userControlled | provenance | |
| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:124:89:124:102 | userControlled | provenance | |
| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:128:110:128:123 | userControlled | provenance | |
| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:132:108:132:121 | userControlled | provenance | |
| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:136:37:136:50 | userControlled | provenance | |
| JaxXSS.java:59:95:59:115 | userControlled : String | JaxXSS.java:140:28:140:41 | userControlled : String | provenance | |
| JaxXSS.java:108:16:108:62 | entity(...) : ResponseBuilder | JaxXSS.java:108:16:108:70 | build(...) | provenance | MaD:16 |
| JaxXSS.java:108:48:108:61 | userControlled : String | JaxXSS.java:108:16:108:62 | entity(...) : ResponseBuilder | provenance | MaD:17+MaD:18 |
| JaxXSS.java:112:16:112:70 | entity(...) : ResponseBuilder | JaxXSS.java:112:16:112:78 | build(...) | provenance | MaD:16 |
| JaxXSS.java:112:56:112:69 | userControlled : String | JaxXSS.java:112:16:112:70 | entity(...) : ResponseBuilder | provenance | MaD:17+MaD:18 |
| JaxXSS.java:116:16:116:75 | entity(...) : ResponseBuilder | JaxXSS.java:116:16:116:83 | build(...) | provenance | MaD:16 |
| JaxXSS.java:116:61:116:74 | userControlled : String | JaxXSS.java:116:16:116:75 | entity(...) : ResponseBuilder | provenance | MaD:17+MaD:18 |
| JaxXSS.java:140:16:140:42 | ok(...) : ResponseBuilder | JaxXSS.java:140:16:140:73 | type(...) : ResponseBuilder | provenance | MaD:19 |
| JaxXSS.java:140:16:140:73 | type(...) : ResponseBuilder | JaxXSS.java:140:16:140:81 | build(...) | provenance | MaD:16 |
| JaxXSS.java:140:28:140:41 | userControlled : String | JaxXSS.java:140:16:140:42 | ok(...) : ResponseBuilder | provenance | MaD:20 |
| JaxXSS.java:164:50:164:70 | userControlled : String | JaxXSS.java:165:24:165:37 | userControlled : String | provenance | |
| JaxXSS.java:165:12:165:38 | ok(...) : ResponseBuilder | JaxXSS.java:165:12:165:46 | build(...) | provenance | MaD:16 |
| JaxXSS.java:165:24:165:37 | userControlled : String | JaxXSS.java:165:12:165:38 | ok(...) : ResponseBuilder | provenance | MaD:20 |
| JaxXSS.java:169:54:169:74 | userControlled : String | JaxXSS.java:170:24:170:37 | userControlled : String | provenance | |
| JaxXSS.java:170:12:170:38 | ok(...) : ResponseBuilder | JaxXSS.java:170:12:170:46 | build(...) | provenance | MaD:16 |
| JaxXSS.java:170:24:170:37 | userControlled : String | JaxXSS.java:170:12:170:38 | ok(...) : ResponseBuilder | provenance | MaD:20 |
| JaxXSS.java:174:63:174:83 | userControlled : String | JaxXSS.java:175:24:175:37 | userControlled : String | provenance | |
| JaxXSS.java:175:12:175:38 | ok(...) : ResponseBuilder | JaxXSS.java:175:12:175:46 | build(...) | provenance | MaD:16 |
| JaxXSS.java:175:24:175:37 | userControlled : String | JaxXSS.java:175:12:175:38 | ok(...) : ResponseBuilder | provenance | MaD:20 |
| JaxXSS.java:179:53:179:73 | userControlled : String | JaxXSS.java:180:24:180:37 | userControlled : String | provenance | |
| JaxXSS.java:180:12:180:38 | ok(...) : ResponseBuilder | JaxXSS.java:180:12:180:46 | build(...) | provenance | MaD:16 |
| JaxXSS.java:180:24:180:37 | userControlled : String | JaxXSS.java:180:12:180:38 | ok(...) : ResponseBuilder | provenance | MaD:20 |
| JaxXSS.java:184:68:184:88 | userControlled : String | JaxXSS.java:185:59:185:72 | userControlled | provenance | |
| JaxXSS.java:207:41:207:61 | userControlled : String | JaxXSS.java:208:26:208:39 | userControlled : String | provenance | |
| JaxXSS.java:208:14:208:40 | ok(...) : ResponseBuilder | JaxXSS.java:208:14:208:48 | build(...) | provenance | MaD:16 |
| JaxXSS.java:208:26:208:39 | userControlled : String | JaxXSS.java:208:14:208:40 | ok(...) : ResponseBuilder | provenance | MaD:20 |
| JaxXSS.java:212:42:212:62 | userControlled : String | JaxXSS.java:213:61:213:74 | userControlled | provenance | |
| JaxXSS.java:221:26:221:46 | userControlled : String | JaxXSS.java:222:26:222:39 | userControlled : String | provenance | |
| JaxXSS.java:222:14:222:40 | ok(...) : ResponseBuilder | JaxXSS.java:222:14:222:48 | build(...) | provenance | MaD:16 |
| JaxXSS.java:222:26:222:39 | userControlled : String | JaxXSS.java:222:14:222:40 | ok(...) : ResponseBuilder | provenance | MaD:20 |
| JaxXSS.java:226:36:226:56 | userControlled : String | JaxXSS.java:227:14:227:27 | userControlled | provenance | |
| JaxXSS.java:242:48:242:68 | userControlled : String | JaxXSS.java:243:24:243:37 | userControlled : String | provenance | |
| JaxXSS.java:243:12:243:38 | ok(...) : ResponseBuilder | JaxXSS.java:243:12:243:46 | build(...) | provenance | MaD:16 |
| JaxXSS.java:243:24:243:37 | userControlled : String | JaxXSS.java:243:12:243:38 | ok(...) : ResponseBuilder | provenance | MaD:20 |
| JaxXSS.java:247:46:247:66 | userControlled : String | JaxXSS.java:248:12:248:25 | userControlled | provenance | |
| JsfXSS.java:21:50:21:107 | getRequestParameterMap(...) : Map | JsfXSS.java:22:27:22:43 | requestParameters : Map | provenance | Src:MaD:5 |
| JsfXSS.java:22:27:22:43 | requestParameters : Map | JsfXSS.java:22:27:22:60 | get(...) : String | provenance | MaD:13 |
| JsfXSS.java:22:27:22:60 | get(...) : String | JsfXSS.java:27:22:29:27 | ... + ... | provenance | Sink:MaD:2 |
| JsfXSS.java:60:22:60:48 | getRequestParameterMap(...) : Map | JsfXSS.java:60:22:60:57 | keySet(...) : Set [<element>] : Object | provenance | Src:MaD:5 MaD:14 |
| JsfXSS.java:60:22:60:57 | keySet(...) : Set [<element>] : Object | JsfXSS.java:60:22:60:68 | iterator(...) : Iterator [<element>] : Object | provenance | MaD:10 |
| JsfXSS.java:60:22:60:68 | iterator(...) : Iterator [<element>] : Object | JsfXSS.java:60:22:60:75 | next(...) | provenance | MaD:12 Sink:MaD:2 |
| JsfXSS.java:61:22:61:50 | getRequestParameterNames(...) : Iterator | JsfXSS.java:61:22:61:57 | next(...) | provenance | Src:MaD:6 MaD:12 Sink:MaD:2 |
| JsfXSS.java:62:22:62:54 | getRequestParameterValuesMap(...) : Map | JsfXSS.java:62:22:62:69 | get(...) : String[] | provenance | Src:MaD:7 MaD:13 |
| JsfXSS.java:62:22:62:69 | get(...) : String[] | JsfXSS.java:62:22:62:72 | ...[...] | provenance | Sink:MaD:2 |
| JsfXSS.java:63:22:63:54 | getRequestParameterValuesMap(...) : Map | JsfXSS.java:63:22:63:63 | keySet(...) : Set [<element>] : Object | provenance | Src:MaD:7 MaD:14 |
| JsfXSS.java:63:22:63:63 | keySet(...) : Set [<element>] : Object | JsfXSS.java:63:22:63:74 | iterator(...) : Iterator [<element>] : Object | provenance | MaD:10 |
| JsfXSS.java:63:22:63:74 | iterator(...) : Iterator [<element>] : Object | JsfXSS.java:63:22:63:81 | next(...) | provenance | MaD:12 Sink:MaD:2 |
| JsfXSS.java:66:22:66:45 | getRequestHeaderMap(...) : Map | JsfXSS.java:66:22:66:60 | get(...) | provenance | Src:MaD:3 MaD:13 Sink:MaD:2 |
| JsfXSS.java:67:22:67:51 | getRequestHeaderValuesMap(...) : Map | JsfXSS.java:67:22:67:66 | get(...) : String[] | provenance | Src:MaD:4 MaD:13 |
| JsfXSS.java:67:22:67:66 | get(...) : String[] | JsfXSS.java:67:22:67:69 | ...[...] | provenance | Sink:MaD:2 |
| SpringXSS.java:16:108:16:128 | userControlled : String | SpringXSS.java:22:62:22:75 | userControlled | provenance | |
| SpringXSS.java:16:108:16:128 | userControlled : String | SpringXSS.java:26:30:26:43 | userControlled | provenance | |
| SpringXSS.java:62:64:62:84 | userControlled : String | SpringXSS.java:63:12:63:44 | ok(...) | provenance | SpringResponseEntity |
| SpringXSS.java:62:64:62:84 | userControlled : String | SpringXSS.java:63:30:63:43 | userControlled : String | provenance | |
| SpringXSS.java:63:30:63:43 | userControlled : String | SpringXSS.java:63:12:63:44 | ok(...) | provenance | MaD:24 |
| SpringXSS.java:67:77:67:97 | userControlled : String | SpringXSS.java:68:12:68:44 | ok(...) | provenance | SpringResponseEntity |
| SpringXSS.java:67:77:67:97 | userControlled : String | SpringXSS.java:68:30:68:43 | userControlled : String | provenance | |
| SpringXSS.java:68:30:68:43 | userControlled : String | SpringXSS.java:68:12:68:44 | ok(...) | provenance | MaD:24 |
| SpringXSS.java:72:67:72:87 | userControlled : String | SpringXSS.java:73:12:73:44 | ok(...) | provenance | SpringResponseEntity |
| SpringXSS.java:72:67:72:87 | userControlled : String | SpringXSS.java:73:30:73:43 | userControlled : String | provenance | |
| SpringXSS.java:73:30:73:43 | userControlled : String | SpringXSS.java:73:12:73:44 | ok(...) | provenance | MaD:24 |
| SpringXSS.java:77:82:77:102 | userControlled : String | SpringXSS.java:78:70:78:83 | userControlled | provenance | |
| SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:91:14:91:46 | ok(...) | provenance | SpringResponseEntity |
| SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:91:32:91:45 | userControlled : String | provenance | |
| SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:93:44:93:57 | userControlled : String | provenance | |
| SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:95:14:95:53 | body(...) | provenance | SpringResponseEntityBodyBuilder |
| SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:95:39:95:52 | userControlled : String | provenance | |
| SpringXSS.java:87:81:87:101 | userControlled : String | SpringXSS.java:97:41:97:54 | userControlled : String | provenance | |
| SpringXSS.java:91:32:91:45 | userControlled : String | SpringXSS.java:91:14:91:46 | ok(...) | provenance | MaD:24 |
| SpringXSS.java:93:32:93:58 | of(...) : Optional [<element>] : String | SpringXSS.java:93:14:93:59 | of(...) | provenance | MaD:23 |
| SpringXSS.java:93:44:93:57 | userControlled : String | SpringXSS.java:93:32:93:58 | of(...) : Optional [<element>] : String | provenance | MaD:15 |
| SpringXSS.java:95:39:95:52 | userControlled : String | SpringXSS.java:95:14:95:53 | body(...) | provenance | MaD:21 |
| SpringXSS.java:97:41:97:54 | userControlled : String | SpringXSS.java:97:14:97:70 | new ResponseEntity<String>(...) | provenance | MaD:22 |
| SpringXSS.java:117:55:117:75 | userControlled : String | SpringXSS.java:118:14:118:46 | ok(...) | provenance | SpringResponseEntity |
| SpringXSS.java:117:55:117:75 | userControlled : String | SpringXSS.java:118:32:118:45 | userControlled : String | provenance | |
| SpringXSS.java:118:32:118:45 | userControlled : String | SpringXSS.java:118:14:118:46 | ok(...) | provenance | MaD:24 |
| SpringXSS.java:122:56:122:76 | userControlled : String | SpringXSS.java:123:72:123:85 | userControlled | provenance | |
| SpringXSS.java:131:40:131:60 | userControlled : String | SpringXSS.java:132:14:132:46 | ok(...) | provenance | SpringResponseEntity |
| SpringXSS.java:131:40:131:60 | userControlled : String | SpringXSS.java:132:32:132:45 | userControlled : String | provenance | |
| SpringXSS.java:132:32:132:45 | userControlled : String | SpringXSS.java:132:14:132:46 | ok(...) | provenance | MaD:24 |
| SpringXSS.java:136:36:136:56 | userControlled : String | SpringXSS.java:137:14:137:27 | userControlled | provenance | |
| SpringXSS.java:152:62:152:82 | userControlled : String | SpringXSS.java:153:12:153:44 | ok(...) | provenance | SpringResponseEntity |
| SpringXSS.java:152:62:152:82 | userControlled : String | SpringXSS.java:153:30:153:43 | userControlled : String | provenance | |
| SpringXSS.java:153:30:153:43 | userControlled : String | SpringXSS.java:153:12:153:44 | ok(...) | provenance | MaD:24 |
| SpringXSS.java:157:46:157:66 | userControlled : String | SpringXSS.java:158:12:158:25 | userControlled | provenance | |
| XSS.java:19:28:19:55 | getParameter(...) : String | XSS.java:19:12:19:77 | ... + ... | provenance | Src:MaD:9 Sink:MaD:1 |
| XSS.java:34:67:34:87 | getPathInfo(...) : String | XSS.java:34:30:34:87 | ... + ... | provenance | Src:MaD:8 Sink:MaD:1 |
| XSS.java:37:36:37:56 | getPathInfo(...) : String | XSS.java:37:36:37:67 | getBytes(...) | provenance | Src:MaD:8 MaD:11 |
| XSS.java:100:39:100:59 | getPathInfo(...) : String | XSS.java:100:39:100:70 | getBytes(...) | provenance | Src:MaD:8 MaD:11 |
| XSS.java:105:39:105:59 | getPathInfo(...) : String | XSS.java:105:39:105:70 | getBytes(...) | provenance | Src:MaD:8 MaD:11 |
| XSS.java:110:39:110:59 | getPathInfo(...) : String | XSS.java:110:39:110:70 | getBytes(...) | provenance | Src:MaD:8 MaD:11 |
models
| 1 | Sink: java.io; PrintWriter; false; print; ; ; Argument[0]; file-content-store; manual |
| 2 | Sink: java.io; Writer; true; write; ; ; Argument[0]; file-content-store; manual |
| 3 | Source: javax.faces.context; ExternalContext; true; getRequestHeaderMap; (); ; ReturnValue; remote; manual |
| 4 | Source: javax.faces.context; ExternalContext; true; getRequestHeaderValuesMap; (); ; ReturnValue; remote; manual |
| 5 | Source: javax.faces.context; ExternalContext; true; getRequestParameterMap; (); ; ReturnValue; remote; manual |
| 6 | Source: javax.faces.context; ExternalContext; true; getRequestParameterNames; (); ; ReturnValue; remote; manual |
| 7 | Source: javax.faces.context; ExternalContext; true; getRequestParameterValuesMap; (); ; ReturnValue; remote; manual |
| 8 | Source: javax.servlet.http; HttpServletRequest; false; getPathInfo; (); ; ReturnValue; remote; manual |
| 9 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
| 10 | Summary: java.lang; Iterable; true; iterator; (); ; Argument[this].Element; ReturnValue.Element; value; manual |
| 11 | Summary: java.lang; String; false; getBytes; ; ; Argument[this]; ReturnValue; taint; manual |
| 12 | Summary: java.util; Iterator; true; next; ; ; Argument[this].Element; ReturnValue; value; manual |
| 13 | Summary: java.util; Map; true; get; ; ; Argument[this].MapValue; ReturnValue; value; manual |
| 14 | Summary: java.util; Map; true; keySet; (); ; Argument[this].MapKey; ReturnValue.Element; value; manual |
| 15 | Summary: java.util; Optional; false; of; ; ; Argument[0]; ReturnValue.Element; value; manual |
| 16 | Summary: javax.ws.rs.core; Response$ResponseBuilder; true; build; ; ; Argument[this]; ReturnValue; taint; manual |
| 17 | Summary: javax.ws.rs.core; Response$ResponseBuilder; true; entity; ; ; Argument[0]; Argument[this]; taint; manual |
| 18 | Summary: javax.ws.rs.core; Response$ResponseBuilder; true; entity; ; ; Argument[this]; ReturnValue; value; manual |
| 19 | Summary: javax.ws.rs.core; Response$ResponseBuilder; true; type; ; ; Argument[this]; ReturnValue; value; manual |
| 20 | Summary: javax.ws.rs.core; Response; false; ok; ; ; Argument[0]; ReturnValue; taint; manual |
| 21 | Summary: org.springframework.http; ResponseEntity$BodyBuilder; true; body; (Object); ; Argument[0]; ReturnValue; taint; manual |
| 22 | Summary: org.springframework.http; ResponseEntity; true; ResponseEntity; (Object,HttpStatus); ; Argument[0]; Argument[this]; taint; manual |
| 23 | Summary: org.springframework.http; ResponseEntity; true; of; (Optional); ; Argument[0].Element; ReturnValue; taint; manual |
| 24 | Summary: org.springframework.http; ResponseEntity; true; ok; (Object); ; Argument[0]; ReturnValue; taint; manual |
nodes
| JaxXSS.java:15:120:15:140 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:22:59:22:72 | userControlled | semmle.label | userControlled |
| JaxXSS.java:24:33:24:46 | userControlled | semmle.label | userControlled |
| JaxXSS.java:29:34:29:47 | userControlled | semmle.label | userControlled |
| JaxXSS.java:32:47:32:76 | entity(...) : ResponseBuilder | semmle.label | entity(...) : ResponseBuilder |
| JaxXSS.java:32:62:32:75 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:33:18:33:25 | builder2 : ResponseBuilder | semmle.label | builder2 : ResponseBuilder |
| JaxXSS.java:33:18:33:51 | type(...) : ResponseBuilder | semmle.label | type(...) : ResponseBuilder |
| JaxXSS.java:33:18:33:59 | build(...) | semmle.label | build(...) |
| JaxXSS.java:59:95:59:115 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:108:16:108:62 | entity(...) : ResponseBuilder | semmle.label | entity(...) : ResponseBuilder |
| JaxXSS.java:108:16:108:70 | build(...) | semmle.label | build(...) |
| JaxXSS.java:108:48:108:61 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:112:16:112:70 | entity(...) : ResponseBuilder | semmle.label | entity(...) : ResponseBuilder |
| JaxXSS.java:112:16:112:78 | build(...) | semmle.label | build(...) |
| JaxXSS.java:112:56:112:69 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:116:16:116:75 | entity(...) : ResponseBuilder | semmle.label | entity(...) : ResponseBuilder |
| JaxXSS.java:116:16:116:83 | build(...) | semmle.label | build(...) |
| JaxXSS.java:116:61:116:74 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:120:98:120:111 | userControlled | semmle.label | userControlled |
| JaxXSS.java:124:89:124:102 | userControlled | semmle.label | userControlled |
| JaxXSS.java:128:110:128:123 | userControlled | semmle.label | userControlled |
| JaxXSS.java:132:108:132:121 | userControlled | semmle.label | userControlled |
| JaxXSS.java:136:37:136:50 | userControlled | semmle.label | userControlled |
| JaxXSS.java:140:16:140:42 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder |
| JaxXSS.java:140:16:140:73 | type(...) : ResponseBuilder | semmle.label | type(...) : ResponseBuilder |
| JaxXSS.java:140:16:140:81 | build(...) | semmle.label | build(...) |
| JaxXSS.java:140:28:140:41 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:164:50:164:70 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:165:12:165:38 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder |
| JaxXSS.java:165:12:165:46 | build(...) | semmle.label | build(...) |
| JaxXSS.java:165:24:165:37 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:169:54:169:74 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:170:12:170:38 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder |
| JaxXSS.java:170:12:170:46 | build(...) | semmle.label | build(...) |
| JaxXSS.java:170:24:170:37 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:174:63:174:83 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:175:12:175:38 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder |
| JaxXSS.java:175:12:175:46 | build(...) | semmle.label | build(...) |
| JaxXSS.java:175:24:175:37 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:179:53:179:73 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:180:12:180:38 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder |
| JaxXSS.java:180:12:180:46 | build(...) | semmle.label | build(...) |
| JaxXSS.java:180:24:180:37 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:184:68:184:88 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:185:59:185:72 | userControlled | semmle.label | userControlled |
| JaxXSS.java:207:41:207:61 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:208:14:208:40 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder |
| JaxXSS.java:208:14:208:48 | build(...) | semmle.label | build(...) |
| JaxXSS.java:208:26:208:39 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:212:42:212:62 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:213:61:213:74 | userControlled | semmle.label | userControlled |
| JaxXSS.java:221:26:221:46 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:222:14:222:40 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder |
| JaxXSS.java:222:14:222:48 | build(...) | semmle.label | build(...) |
| JaxXSS.java:222:26:222:39 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:226:36:226:56 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:227:14:227:27 | userControlled | semmle.label | userControlled |
| JaxXSS.java:242:48:242:68 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:243:12:243:38 | ok(...) : ResponseBuilder | semmle.label | ok(...) : ResponseBuilder |
| JaxXSS.java:243:12:243:46 | build(...) | semmle.label | build(...) |
| JaxXSS.java:243:24:243:37 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:247:46:247:66 | userControlled : String | semmle.label | userControlled : String |
| JaxXSS.java:248:12:248:25 | userControlled | semmle.label | userControlled |
| JsfXSS.java:21:50:21:107 | getRequestParameterMap(...) : Map | semmle.label | getRequestParameterMap(...) : Map |
| JsfXSS.java:22:27:22:43 | requestParameters : Map | semmle.label | requestParameters : Map |
| JsfXSS.java:22:27:22:60 | get(...) : String | semmle.label | get(...) : String |
| JsfXSS.java:27:22:29:27 | ... + ... | semmle.label | ... + ... |
| JsfXSS.java:60:22:60:48 | getRequestParameterMap(...) : Map | semmle.label | getRequestParameterMap(...) : Map |
| JsfXSS.java:60:22:60:57 | keySet(...) : Set [<element>] : Object | semmle.label | keySet(...) : Set [<element>] : Object |
| JsfXSS.java:60:22:60:68 | iterator(...) : Iterator [<element>] : Object | semmle.label | iterator(...) : Iterator [<element>] : Object |
| JsfXSS.java:60:22:60:75 | next(...) | semmle.label | next(...) |
| JsfXSS.java:61:22:61:50 | getRequestParameterNames(...) : Iterator | semmle.label | getRequestParameterNames(...) : Iterator |
| JsfXSS.java:61:22:61:57 | next(...) | semmle.label | next(...) |
| JsfXSS.java:62:22:62:54 | getRequestParameterValuesMap(...) : Map | semmle.label | getRequestParameterValuesMap(...) : Map |
| JsfXSS.java:62:22:62:69 | get(...) : String[] | semmle.label | get(...) : String[] |
| JsfXSS.java:62:22:62:72 | ...[...] | semmle.label | ...[...] |
| JsfXSS.java:63:22:63:54 | getRequestParameterValuesMap(...) : Map | semmle.label | getRequestParameterValuesMap(...) : Map |
| JsfXSS.java:63:22:63:63 | keySet(...) : Set [<element>] : Object | semmle.label | keySet(...) : Set [<element>] : Object |
| JsfXSS.java:63:22:63:74 | iterator(...) : Iterator [<element>] : Object | semmle.label | iterator(...) : Iterator [<element>] : Object |
| JsfXSS.java:63:22:63:81 | next(...) | semmle.label | next(...) |
| JsfXSS.java:64:22:64:44 | getRequestPathInfo(...) | semmle.label | getRequestPathInfo(...) |
| JsfXSS.java:65:22:65:80 | getName(...) | semmle.label | getName(...) |
| JsfXSS.java:66:22:66:45 | getRequestHeaderMap(...) : Map | semmle.label | getRequestHeaderMap(...) : Map |
| JsfXSS.java:66:22:66:60 | get(...) | semmle.label | get(...) |
| JsfXSS.java:67:22:67:51 | getRequestHeaderValuesMap(...) : Map | semmle.label | getRequestHeaderValuesMap(...) : Map |
| JsfXSS.java:67:22:67:66 | get(...) : String[] | semmle.label | get(...) : String[] |
| JsfXSS.java:67:22:67:69 | ...[...] | semmle.label | ...[...] |
| SpringXSS.java:16:108:16:128 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:22:62:22:75 | userControlled | semmle.label | userControlled |
| SpringXSS.java:26:30:26:43 | userControlled | semmle.label | userControlled |
| SpringXSS.java:62:64:62:84 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:63:12:63:44 | ok(...) | semmle.label | ok(...) |
| SpringXSS.java:63:30:63:43 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:67:77:67:97 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:68:12:68:44 | ok(...) | semmle.label | ok(...) |
| SpringXSS.java:68:30:68:43 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:72:67:72:87 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:73:12:73:44 | ok(...) | semmle.label | ok(...) |
| SpringXSS.java:73:30:73:43 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:77:82:77:102 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:78:70:78:83 | userControlled | semmle.label | userControlled |
| SpringXSS.java:87:81:87:101 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:91:14:91:46 | ok(...) | semmle.label | ok(...) |
| SpringXSS.java:91:32:91:45 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:93:14:93:59 | of(...) | semmle.label | of(...) |
| SpringXSS.java:93:32:93:58 | of(...) : Optional [<element>] : String | semmle.label | of(...) : Optional [<element>] : String |
| SpringXSS.java:93:44:93:57 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:95:14:95:53 | body(...) | semmle.label | body(...) |
| SpringXSS.java:95:39:95:52 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:97:14:97:70 | new ResponseEntity<String>(...) | semmle.label | new ResponseEntity<String>(...) |
| SpringXSS.java:97:41:97:54 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:117:55:117:75 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:118:14:118:46 | ok(...) | semmle.label | ok(...) |
| SpringXSS.java:118:32:118:45 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:122:56:122:76 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:123:72:123:85 | userControlled | semmle.label | userControlled |
| SpringXSS.java:131:40:131:60 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:132:14:132:46 | ok(...) | semmle.label | ok(...) |
| SpringXSS.java:132:32:132:45 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:136:36:136:56 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:137:14:137:27 | userControlled | semmle.label | userControlled |
| SpringXSS.java:152:62:152:82 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:153:12:153:44 | ok(...) | semmle.label | ok(...) |
| SpringXSS.java:153:30:153:43 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:157:46:157:66 | userControlled : String | semmle.label | userControlled : String |
| SpringXSS.java:158:12:158:25 | userControlled | semmle.label | userControlled |
| XSS.java:19:12:19:77 | ... + ... | semmle.label | ... + ... |
| XSS.java:19:28:19:55 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| XSS.java:34:30:34:87 | ... + ... | semmle.label | ... + ... |
| XSS.java:34:67:34:87 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
| XSS.java:37:36:37:56 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
| XSS.java:37:36:37:67 | getBytes(...) | semmle.label | getBytes(...) |
| XSS.java:83:33:83:53 | getPathInfo(...) | semmle.label | getPathInfo(...) |
| XSS.java:88:33:88:53 | getPathInfo(...) | semmle.label | getPathInfo(...) |
| XSS.java:93:33:93:53 | getPathInfo(...) | semmle.label | getPathInfo(...) |
| XSS.java:100:39:100:59 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
| XSS.java:100:39:100:70 | getBytes(...) | semmle.label | getBytes(...) |
| XSS.java:105:39:105:59 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
| XSS.java:105:39:105:70 | getBytes(...) | semmle.label | getBytes(...) |
| XSS.java:110:39:110:59 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
| XSS.java:110:39:110:70 | getBytes(...) | semmle.label | getBytes(...) |
subpaths

18
java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java
View File

@@ -16,7 +16,7 @@ public class XSS extends HttpServlet {
throws ServletException, IOException {
// BAD: a request parameter is written directly to the Servlet response stream
response.getWriter()
.print("The page \"" + request.getParameter("page") + "\" was not found."); // $ xss
.print("The page \"" + request.getParameter("page") + "\" was not found."); // $ Alert
// GOOD: servlet API encodes the error message HTML for the HTML context
response.sendError(HttpServletResponse.SC_NOT_FOUND,
@@ -31,10 +31,10 @@ public class XSS extends HttpServlet {
"The page \"" + capitalizeName(request.getParameter("page")) + "\" was not found.");
// BAD: outputting the path of the resource
response.getWriter().print("The path section of the URL was " + request.getPathInfo()); // $ xss
response.getWriter().print("The path section of the URL was " + request.getPathInfo()); // $ Alert
// BAD: typical XSS, this time written to an OutputStream instead of a Writer
response.getOutputStream().write(request.getPathInfo().getBytes()); // $ xss
response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert
// GOOD: sanitizer
response.getOutputStream().write(hudson.Util.escape(request.getPathInfo()).getBytes()); // safe
@@ -80,34 +80,34 @@ public class XSS extends HttpServlet {
if(setContentMethod == 0) {
// BAD: set content-type to something that is not safe
response.setContentType("text/html");
response.getWriter().print(request.getPathInfo()); // $ xss
response.getWriter().print(request.getPathInfo()); // $ Alert
}
else if(setContentMethod == 1) {
// BAD: set content-type to something that is not safe
response.setHeader("Content-Type", "text/html");
response.getWriter().print(request.getPathInfo()); // $ xss
response.getWriter().print(request.getPathInfo()); // $ Alert
}
else {
// BAD: set content-type to something that is not safe
response.addHeader("Content-Type", "text/html");
response.getWriter().print(request.getPathInfo()); // $ xss
response.getWriter().print(request.getPathInfo()); // $ Alert
}
}
else {
if(setContentMethod == 0) {
// BAD: set content-type to something that is not safe
response.setContentType("text/html");
response.getOutputStream().write(request.getPathInfo().getBytes()); // $ xss
response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert
}
else if(setContentMethod == 1) {
// BAD: set content-type to something that is not safe
response.setHeader("Content-Type", "text/html");
response.getOutputStream().write(request.getPathInfo().getBytes()); // $ xss
response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert
}
else {
// BAD: set content-type to something that is not safe
response.addHeader("Content-Type", "text/html");
response.getOutputStream().write(request.getPathInfo().getBytes()); // $ xss
response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert
}
}
}

18
java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.ql
View File

@@ -1,18 +0,0 @@
import java
import semmle.code.java.security.XssQuery
import utils.test.InlineExpectationsTest
module XssTest implements TestSig {
string getARelevantTag() { result = "xss" }
predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "xss" and
exists(DataFlow::Node sink | XssFlow::flowTo(sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}
import MakeTest<XssTest>

4
java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.qlref Normal file
View File

@@ -0,0 +1,4 @@
query: Security/CWE/CWE-079/XSS.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql

25
java/ql/test/query-tests/security/CWE-094/GroovyClassLoaderTest.java → java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyClassLoaderTest.java
View File

@@ -14,42 +14,41 @@ public class GroovyClassLoaderTest extends HttpServlet {
throws ServletException, IOException {
// "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource);;Argument[0];groovy;manual",
{
String script = request.getParameter("script");
String script = request.getParameter("script"); // $ Source
final GroovyClassLoader classLoader = new GroovyClassLoader();
GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
classLoader.parseClass(gcs); // $hasGroovyInjection
classLoader.parseClass(gcs); // $ Alert
}
// "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource,boolean);;Argument[0];groovy;manual",
{
String script = request.getParameter("script");
String script = request.getParameter("script"); // $ Source
final GroovyClassLoader classLoader = new GroovyClassLoader();
GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
classLoader.parseClass(gcs, true); // $hasGroovyInjection
classLoader.parseClass(gcs, true); // $ Alert
}
// "groovy.lang;GroovyClassLoader;false;parseClass;(InputStream,String);;Argument[0];groovy;manual",
{
String script = request.getParameter("script");
String script = request.getParameter("script"); // $ Source
final GroovyClassLoader classLoader = new GroovyClassLoader();
classLoader.parseClass(new ByteArrayInputStream(script.getBytes()), "test"); // $hasGroovyInjection
classLoader.parseClass(new ByteArrayInputStream(script.getBytes()), "test"); // $ Alert
}
// "groovy.lang;GroovyClassLoader;false;parseClass;(Reader,String);;Argument[0];groovy;manual",
{
String script = request.getParameter("script");
String script = request.getParameter("script"); // $ Source
final GroovyClassLoader classLoader = new GroovyClassLoader();
classLoader.parseClass(new StringReader(script), "test"); // $hasGroovyInjection
classLoader.parseClass(new StringReader(script), "test"); // $ Alert
}
// "groovy.lang;GroovyClassLoader;false;parseClass;(String);;Argument[0];groovy;manual",
{
String script = request.getParameter("script");
String script = request.getParameter("script"); // $ Source
final GroovyClassLoader classLoader = new GroovyClassLoader();
classLoader.parseClass(script); // $hasGroovyInjection
classLoader.parseClass(script); // $ Alert
}
// "groovy.lang;GroovyClassLoader;false;parseClass;(String,String);;Argument[0];groovy;manual",
{
String script = request.getParameter("script");
String script = request.getParameter("script"); // $ Source
final GroovyClassLoader classLoader = new GroovyClassLoader();
classLoader.parseClass(script, "test"); // $hasGroovyInjection
classLoader.parseClass(script, "test"); // $ Alert
}
}
}

Some files were not shown because too many files have changed in this diff Show More