Merge branch 'main' into fix/path-injection-torealpath

This commit is contained in:
Owen Mansel-Chan
2026-04-23 10:40:47 +01:00
committed by GitHub
684 changed files with 144504 additions and 101321 deletions


@@ -1,3 +1,18 @@
## 9.0.4
### Minor Analysis Improvements
* The queries "Resolving XML external entity in user-controlled data" (`java/xxe`) and "Resolving XML external entity in user-controlled data from local source" (`java/xxe-local`) now recognize sinks in the Woodstox StAX library when `com.ctc.wstx.stax.WstxInputFactory` or `org.codehaus.stax2.XMLInputFactory2` are used directly.
## 9.0.3
### Minor Analysis Improvements
* The `java/tainted-arithmetic` query no longer flags arithmetic expressions that are used directly as an operand of a comparison in `if`-condition bounds-checking patterns. For example, `if (off + len > array.length)` is now recognized as a bounds check rather than a potentially vulnerable computation, reducing false positives.
* The `java/potentially-weak-cryptographic-algorithm` query no longer flags Elliptic Curve algorithms (`EC`, `ECDSA`, `ECDH`, `EdDSA`, `Ed25519`, `Ed448`, `XDH`, `X25519`, `X448`), HMAC-based algorithms (`HMACSHA1`, `HMACSHA256`, `HMACSHA384`, `HMACSHA512`), or PBKDF2 key derivation as potentially insecure. These are modern, secure algorithms recommended by NIST and other standards bodies. This will reduce the number of false positives for this query.
* The first argument of the method `getInstance` of `java.security.Signature` is now modeled as a sink for `java/potentially-weak-cryptographic-algorithm`, `java/weak-cryptographic-algorithm` and `java/rsa-without-oaep`. This will increase the number of alerts for these queries.
* Kotlin versions up to 2.3.20 are now supported.
## 9.0.2
No user-facing changes.


@@ -0,0 +1,4 @@
---
category: feature
---
* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for Java and Kotlin](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-java-and-kotlin/).


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Kotlin versions up to 2.3.20 are now supported.


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The `java/tainted-arithmetic` query no longer flags arithmetic expressions that are used directly as an operand of a comparison in `if`-condition bounds-checking patterns. For example, `if (off + len > array.length)` is now recognized as a bounds check rather than a potentially vulnerable computation, reducing false positives.


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The `java/sensitive-log` query now excludes additional common variable naming patterns that do not hold sensitive data, reducing false positives. This includes pagination/iteration tokens (`nextToken`, `pageToken`, `continuationToken`), token metadata (`tokenType`, `tokenEndpoint`, `tokenCount`), and secret metadata (`secretName`, `secretId`, `secretVersion`).


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The `java/partial-path-traversal` and `java/partial-path-traversal-from-remote` queries now correctly recognize file separator appends using `+=`.


@@ -1,5 +1,8 @@
---
category: minorAnalysis
---
## 9.0.3
### Minor Analysis Improvements
* The `java/tainted-arithmetic` query no longer flags arithmetic expressions that are used directly as an operand of a comparison in `if`-condition bounds-checking patterns. For example, `if (off + len > array.length)` is now recognized as a bounds check rather than a potentially vulnerable computation, reducing false positives.
* The `java/potentially-weak-cryptographic-algorithm` query no longer flags Elliptic Curve algorithms (`EC`, `ECDSA`, `ECDH`, `EdDSA`, `Ed25519`, `Ed448`, `XDH`, `X25519`, `X448`), HMAC-based algorithms (`HMACSHA1`, `HMACSHA256`, `HMACSHA384`, `HMACSHA512`), or PBKDF2 key derivation as potentially insecure. These are modern, secure algorithms recommended by NIST and other standards bodies. This will reduce the number of false positives for this query.
* The first argument of the method `getInstance` of `java.security.Signature` is now modeled as a sink for `java/potentially-weak-cryptographic-algorithm`, `java/weak-cryptographic-algorithm` and `java/rsa-without-oaep`. This will increase the number of alerts for these queries.
* Kotlin versions up to 2.3.20 are now supported.


@@ -0,0 +1,5 @@
## 9.0.4
### Minor Analysis Improvements
* The queries "Resolving XML external entity in user-controlled data" (`java/xxe`) and "Resolving XML external entity in user-controlled data from local source" (`java/xxe-local`) now recognize sinks in the Woodstox StAX library when `com.ctc.wstx.stax.WstxInputFactory` or `org.codehaus.stax2.XMLInputFactory2` are used directly.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 9.0.2
lastReleaseVersion: 9.0.4


@@ -1,5 +1,5 @@
name: codeql/java-all
version: 9.0.3-dev
version: 9.0.5-dev
groups: java
dbscheme: config/semmlecode.dbscheme
extractor: java


@@ -91,9 +91,13 @@ private module Ast implements AstSig<Location> {
class ContinueStmt = J::ContinueStmt;
class GotoStmt extends Stmt {
GotoStmt() { none() }
}
class ReturnStmt = J::ReturnStmt;
class ThrowStmt = J::ThrowStmt;
class Throw = J::ThrowStmt;
final private class FinalTryStmt = J::TryStmt;
@@ -181,11 +185,37 @@ private module Ast implements AstSig<Location> {
class LogicalNotExpr = LogNotExpr;
class Assignment = J::Assignment;
class AssignExpr = J::AssignExpr;
class CompoundAssignment = J::AssignOp;
class AssignLogicalAndExpr extends CompoundAssignment {
AssignLogicalAndExpr() { none() }
}
class AssignLogicalOrExpr extends CompoundAssignment {
AssignLogicalOrExpr() { none() }
}
class AssignNullCoalescingExpr extends CompoundAssignment {
AssignNullCoalescingExpr() { none() }
}
final private class FinalBooleanLiteral = J::BooleanLiteral;
class BooleanLiteral extends FinalBooleanLiteral {
boolean getValue() { result = this.getBooleanValue() }
}
final private class FinalInstanceOfExpr = J::InstanceOfExpr;
class PatternMatchExpr extends FinalInstanceOfExpr {
PatternMatchExpr() { this.isPattern() }
AstNode getPattern() { result = super.getPattern() }
}
}
private module Exceptions {
@@ -522,14 +552,8 @@ private module Input implements InputSig1, InputSig2 {
private string assertThrowNodeTag() { result = "[assert-throw]" }
private string instanceofTrueNodeTag() { result = "[instanceof-true]" }
predicate additionalNode(Ast::AstNode n, string tag, NormalSuccessor t) {
n instanceof AssertStmt and tag = assertThrowNodeTag() and t instanceof DirectSuccessor
or
n.(InstanceOfExpr).isPattern() and
tag = instanceofTrueNodeTag() and
t.(BooleanSuccessor).getValue() = true
}
/**
@@ -571,34 +595,6 @@ private module Input implements InputSig1, InputSig2 {
/** Holds if there is a local non-abrupt step from `n1` to `n2`. */
predicate step(PreControlFlowNode n1, PreControlFlowNode n2) {
exists(InstanceOfExpr ioe |
// common
n1.isBefore(ioe) and
n2.isBefore(ioe.getExpr())
or
n1.isAfter(ioe.getExpr()) and
n2.isIn(ioe)
or
// std postorder:
not ioe.isPattern() and
n1.isIn(ioe) and
n2.isAfter(ioe)
or
// pattern case:
ioe.isPattern() and
n1.isIn(ioe) and
n2.isAfterValue(ioe, any(BooleanSuccessor s | s.getValue() = false))
or
n1.isIn(ioe) and
n2.isAdditional(ioe, instanceofTrueNodeTag())
or
n1.isAdditional(ioe, instanceofTrueNodeTag()) and
n2.isBefore(ioe.getPattern())
or
n1.isAfter(ioe.getPattern()) and
n2.isAfterValue(ioe, any(BooleanSuccessor s | s.getValue() = true))
)
or
exists(AssertStmt assertstmt |
n1.isBefore(assertstmt) and
n2.isBefore(assertstmt.getExpr())
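Review bot: The `none()` stub classes added to the `Ast` module (`GotoStmt`, `AssignLogicalAndExpr`, `AssignLogicalOrExpr`, `AssignNullCoalescingExpr`) carry no QLDoc, so a reader cannot tell whether they are empty because Java lacks the construct or because the extractor does not model it yet; a one-liner on each, e.g. `/** Java has no goto statement; this class is empty and exists only to satisfy AstSig. */`, settles that. `PatternMatchExpr` is likewise undocumented although it appears to be the hook that replaces the hand-written `InstanceOfExpr` cases dropped from `step` and the `instanceofTrueNodeTag` node dropped from `additionalNode`; a short QLDoc noting that pattern `instanceof` flow (pattern bound only on the true edge) is now handled by the shared implementation would make that dependency explicit. The aliases `ThrowStmt` and `Throw` now both map to `J::ThrowStmt`; if `AstSig` requires only one of them, the other is dead. The body of `step` continues outside the hunk.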


@@ -4,13 +4,17 @@
* Provides classes and predicates for dealing with flow models specified
* in data extensions and CSV format.
*
* The CSV specification has the following columns:
* The extensible relations have the following columns:
* - Sources:
* `package; type; subtypes; name; signature; ext; output; kind; provenance`
* - Sinks:
* `package; type; subtypes; name; signature; ext; input; kind; provenance`
* - Summaries:
* `package; type; subtypes; name; signature; ext; input; output; kind; provenance`
* - Barriers:
* `package; type; subtypes; name; signature; ext; output; kind; provenance`
* - BarrierGuards:
* `package; type; subtypes; name; signature; ext; input; acceptingValue; kind; provenance`
* - Neutrals:
* `package; type; name; signature; kind; provenance`
* A neutral is used to indicate that a callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink).
@@ -69,14 +73,17 @@
* in the given range. The range is inclusive at both ends.
* - "ReturnValue": Selects the return value of a call to the selected element.
* - "Element": Selects the collection elements of the selected element.
* 8. The `kind` column is a tag that can be referenced from QL to determine to
* 8. The `acceptingValue` column of barrier guard models specifies the condition
* under which the guard blocks flow. It can be one of "true" or "false". In
* the future "no-exception", "not-zero", "null", "not-null" may be supported.
* 9. The `kind` column is a tag that can be referenced from QL to determine to
* which classes the interpreted elements should be added. For example, for
* sources "remote" indicates a default remote flow source, and for summaries
* "taint" indicates a default additional taint step and "value" indicates a
* globally applicable value-preserving step. For neutrals the kind can be `summary`,
* `source` or `sink` to indicate that the neutral is neutral with respect to
* flow (no summary), source (is not a source) or sink (is not a sink).
* 9. The `provenance` column is a tag to indicate the origin and verification of a model.
* 10. The `provenance` column is a tag to indicate the origin and verification of a model.
* The format is {origin}-{verification} or just "manual" where the origin describes
* the origin of the model and verification describes how the model has been verified.
* Some examples are:
@@ -358,11 +365,11 @@ module ModelValidation {
result = "Unrecognized provenance description \"" + provenance + "\" in " + pred + " model."
)
or
exists(string acceptingvalue |
barrierGuardModel(_, _, _, _, _, _, _, acceptingvalue, _, _, _) and
invalidAcceptingValue(acceptingvalue) and
exists(string acceptingValue |
barrierGuardModel(_, _, _, _, _, _, _, acceptingValue, _, _, _) and
invalidAcceptingValue(acceptingValue) and
result =
"Unrecognized accepting value description \"" + acceptingvalue +
"Unrecognized accepting value description \"" + acceptingValue +
"\" in barrier guard model."
)
}
@@ -583,13 +590,13 @@ private module Cached {
private predicate barrierGuardChecks(Guard g, Expr e, GuardValue gv, TKindModelPair kmp) {
exists(
SourceSinkInterpretationInput::InterpretNode n, AcceptingValue acceptingvalue, string kind,
SourceSinkInterpretationInput::InterpretNode n, AcceptingValue acceptingValue, string kind,
string model
|
isBarrierGuardNode(n, acceptingvalue, kind, model) and
isBarrierGuardNode(n, acceptingValue, kind, model) and
n.asNode().asExpr() = e and
kmp = TMkPair(kind, model) and
gv = convertAcceptingValue(acceptingvalue)
gv = convertAcceptingValue(acceptingValue)
|
g.(Call).getAnArgument() = e or g.(MethodCall).getQualifier() = e
)
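Review bot: The new description of the `acceptingValue` column (item 8 in the QLDoc hunk) says it "specifies the condition under which the guard blocks flow", which leaves open whether "true" means the guard call must evaluate to true for the input to be treated as sanitized or as unsafe; `barrierGuardChecks` below appears to resolve it via `convertAcceptingValue` into the `GuardValue` on which `e` counts as checked, so the doc should say so directly, e.g. `* 8. The `acceptingValue` column of barrier guard models gives the value ("true" or "false") the guard must evaluate to for the checked input to be treated as sanitized, i.e. for flow through it to be blocked.` The sentence listing "no-exception", "not-zero", "null", "not-null" as possibly supported in future describes behaviour that does not exist yet and is better left out of the column reference, or explicitly marked as rejected by `invalidAcceptingValue`. The `acceptingvalue` → `acceptingValue` rename in the remaining hunks and in the two following files is consistent.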


@@ -35,7 +35,7 @@ extensible predicate barrierModel(
*/
extensible predicate barrierGuardModel(
string package, string type, boolean subtypes, string name, string signature, string ext,
string input, string acceptingvalue, string kind, string provenance, QlBuiltins::ExtensionId madId
string input, string acceptingValue, string kind, string provenance, QlBuiltins::ExtensionId madId
);
/**


@@ -282,7 +282,7 @@ module SourceSinkInterpretationInput implements
}
predicate barrierGuardElement(
Element e, string input, Public::AcceptingValue acceptingvalue, string kind,
Element e, string input, Public::AcceptingValue acceptingValue, string kind,
Public::Provenance provenance, string model
) {
exists(
@@ -290,7 +290,7 @@ module SourceSinkInterpretationInput implements
SourceOrSinkElement baseBarrier, string originalInput
|
barrierGuardModel(namespace, type, subtypes, name, signature, ext, originalInput,
acceptingvalue, kind, provenance, model) and
acceptingValue, kind, provenance, model) and
baseBarrier = interpretElement(namespace, type, subtypes, name, signature, ext, _) and
(
e = baseBarrier and input = originalInput


@@ -40,8 +40,11 @@ private class CharacterLiteralFileSeparatorExpr extends FileSeparatorExpr, Chara
CharacterLiteralFileSeparatorExpr() { this.getValue() = "/" or this.getValue() = "\\" }
}
private class FileSeparatorAppend extends AddExpr {
FileSeparatorAppend() { this.getRightOperand() instanceof FileSeparatorExpr }
private class FileSeparatorAppend extends BinaryExpr {
FileSeparatorAppend() {
this.(AddExpr).getRightOperand() instanceof FileSeparatorExpr or
this.(AssignAddExpr).getRightOperand() instanceof FileSeparatorExpr
}
}
private predicate isSafe(Expr expr) {
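Review bot: `FileSeparatorAppend` now has two disjuncts but still no QLDoc saying what it matches; add `/** An expression that appends a file separator to a path, either p + sep or p += sep. */` above the class. Changing the supertype from `AddExpr` to `BinaryExpr` relies on `AssignAddExpr` being a `BinaryExpr` in this library version so that the second cast is non-empty; if it were not, the `+=` case would either fail to compile or silently match nothing, so the test for this query (whose qlref is switched to inline expectations in this same commit) should contain a `+=` append with an explicit expectation. `isSafe`, which presumably consumes this class, begins at the end of the hunk and continues outside it.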


@@ -40,14 +40,26 @@ string getCommonSensitiveInfoRegex() {
/**
* Gets a regular expression for matching common names of variables that
* indicate the value being held does not contains sensitive information,
* indicate the value being held does not contain sensitive information,
* but is a false positive for `getCommonSensitiveInfoRegex`.
*
* - "tokenizer" is often used for java.util.StringTokenizer.
* - "tokenImage" appears in parser code generated by JavaCC.
* - Pagination/iteration tokens: "nextToken" (AWS SDK), "pageToken" (GCP), etc.
* - Token metadata: "tokenType" (OAuth), "tokenEndpoint" (OIDC), "tokenCount", etc.
* - Secret metadata: "secretName" (K8s/AWS), "secretId" (Azure), "secretVersion", etc.
*/
string getCommonSensitiveInfoFPRegex() {
result = "(?i).*(null|tokenizer).*" or result = "tokenImage"
result =
[
"(?i).*(null|tokenizer).*", "tokenImage",
// Pagination/iteration tokens (e.g., AWS SDK pagination cursors, parser tokens)
"(?i).*(next|previous|current|page|continuation|cursor)tokens?.*",
// Token metadata/infrastructure (token followed by a non-value descriptor)
"(?i).*tokens?(type|kind|count|index|position|length|offset|endpoint|url|uri|bucket|rate|delimiter|separator|format|number|name|id|prefix|suffix|pattern|class|style).*",
// Secret metadata (secret followed by a non-value descriptor)
"(?i).*secrets?(name|id|version|ref|arn|path|type|label|description|manager|client|provider|store|factory|properties).*"
]
}
/** An expression that might contain sensitive data. */
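Review bot: The pagination group `(?i).*(next|previous|current|page|continuation|cursor)tokens?.*` also suppresses `currentToken`, which in authentication code is a common name for the live credential (the token currently in use) rather than a lexer cursor; for a query whose alerts are security findings that is a false-negative risk, and `current` is the one member of the group that does not by itself imply iteration. Dropping `current` from the alternation, or adding a test asserting that logging a `currentToken` holding an access token is still reported, would pin the intended scope. The metadata group `(?i).*tokens?(type|kind|...|name|id|...).*` deserves the same check for `tokenName` and `tokenId`, which are usually identifiers rather than values but are not guaranteed to be. The callers of `getCommonSensitiveInfoFPRegex` are outside the hunk.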


@@ -179,12 +179,29 @@ class XmlInputFactory extends RefType {
XmlInputFactory() { this.hasQualifiedName(javaxOrJakarta() + ".xml.stream", "XMLInputFactory") }
}
/** A call to `XMLInputFactory.createXMLStreamReader`. */
/**
* The class `com.ctc.wstx.stax.WstxInputFactory` or its abstract supertype
* `org.codehaus.stax2.XMLInputFactory2` from the Woodstox StAX library.
*/
class WstxInputFactory extends RefType {
WstxInputFactory() {
this.hasQualifiedName("com.ctc.wstx.stax", "WstxInputFactory") or
this.hasQualifiedName("org.codehaus.stax2", "XMLInputFactory2")
}
}
/**
* A call to `XMLInputFactory.createXMLStreamReader` or the equivalent method on the
* Woodstox `WstxInputFactory`.
*/
class XmlInputFactoryStreamReader extends XmlParserCall {
XmlInputFactoryStreamReader() {
exists(Method m |
this.getMethod() = m and
m.getDeclaringType() instanceof XmlInputFactory and
(
m.getDeclaringType() instanceof XmlInputFactory or
m.getDeclaringType() instanceof WstxInputFactory
) and
m.hasName("createXMLStreamReader")
)
}
@@ -212,7 +229,10 @@ class XmlInputFactoryEventReader extends XmlParserCall {
XmlInputFactoryEventReader() {
exists(Method m |
this.getMethod() = m and
m.getDeclaringType() instanceof XmlInputFactory and
(
m.getDeclaringType() instanceof XmlInputFactory or
m.getDeclaringType() instanceof WstxInputFactory
) and
m.hasName("createXMLEventReader")
)
}
@@ -235,7 +255,10 @@ class XmlInputFactoryConfig extends ParserConfig {
XmlInputFactoryConfig() {
exists(Method m |
m = this.getMethod() and
m.getDeclaringType() instanceof XmlInputFactory and
(
m.getDeclaringType() instanceof XmlInputFactory or
m.getDeclaringType() instanceof WstxInputFactory
) and
m.hasName("setProperty")
)
}
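Review bot: `XmlInputFactoryConfig` now accepts `setProperty` calls on `WstxInputFactory`, but Woodstox also lets callers disable DTD and external-entity processing programmatically through the `ReaderConfig` returned by the factory's `getConfig()` (e.g. `doSupportDTDs(false)`), if I recall the library correctly; code hardened that way would not be recognised as a config call by this class and would remain an alert. Either model that path as well or record it as a known limitation in the QLDoc of `XmlInputFactoryConfig`, which sits outside the hunk. The QLDoc of `XmlInputFactoryEventReader` is also outside its hunk; if it still names only `XMLInputFactory`, update it the way `XmlInputFactoryStreamReader`'s was. The predicate that decides which property values count as safe is not visible here, so the extent of the remaining gap is inferred.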


@@ -1,3 +1,14 @@
## 1.11.1
No user-facing changes.
## 1.11.0
### Query Metadata Changes
* The `@security-severity` metadata of `java/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
* The `@security-severity` metadata of `java/android/webview-addjavascriptinterface`, `java/android/websettings-javascript-enabled` and `java/xss` has been increased from 6.1 (medium) to 7.8 (high).
## 1.10.11
No user-facing changes.


@@ -1,5 +1,6 @@
---
category: queryMetadata
---
## 1.11.0
### Query Metadata Changes
* The `@security-severity` metadata of `java/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
* The `@security-severity` metadata of `java/android/webview-addjavascriptinterface`, `java/android/websettings-javascript-enabled` and `java/xss` has been increased from 6.1 (medium) to 7.8 (high).


@@ -0,0 +1,3 @@
## 1.11.1
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.10.11
lastReleaseVersion: 1.11.1


@@ -1,5 +1,5 @@
name: codeql/java-queries
version: 1.10.12-dev
version: 1.11.2-dev
groups:
- java
- queries


@@ -196,6 +196,8 @@ methodWithDuplicate
| List | listIterator | int |
| List | of | E |
| List | of | E[] |
| List | ofLazy | IntFunction<? extends E> |
| List | ofLazy | int |
| List | remove | Object |
| List | remove | int |
| List | removeAll | Collection<?> |
@@ -222,6 +224,8 @@ methodWithDuplicate
| List<E> | listIterator | int |
| List<E> | of | E |
| List<E> | of | E[] |
| List<E> | ofLazy | IntFunction<? extends E> |
| List<E> | ofLazy | int |
| List<E> | remove | Object |
| List<E> | remove | int |
| List<E> | removeAll | Collection<?> |
@@ -248,6 +252,8 @@ methodWithDuplicate
| List<String> | listIterator | int |
| List<String> | of | E |
| List<String> | of | E[] |
| List<String> | ofLazy | IntFunction<? extends E> |
| List<String> | ofLazy | int |
| List<String> | remove | Object |
| List<String> | remove | int |
| List<String> | removeAll | Collection<?> |
@@ -280,6 +286,8 @@ methodWithDuplicate
| Map | of | K |
| Map | of | V |
| Map | ofEntries | Entry<? extends K,? extends V>[] |
| Map | ofLazy | Function<? super K,? extends V> |
| Map | ofLazy | Set<? extends K> |
| Map | put | K |
| Map | put | V |
| Map | putAll | Map<? extends K,? extends V> |
@@ -310,6 +318,8 @@ methodWithDuplicate
| Map<Identity,Object> | of | K |
| Map<Identity,Object> | of | V |
| Map<Identity,Object> | ofEntries | Entry<? extends K,? extends V>[] |
| Map<Identity,Object> | ofLazy | Function<? super K,? extends V> |
| Map<Identity,Object> | ofLazy | Set<? extends K> |
| Map<Identity,Object> | put | Identity |
| Map<Identity,Object> | put | Object |
| Map<Identity,Object> | putAll | Map<? extends Identity,? extends Object> |
@@ -341,6 +351,8 @@ methodWithDuplicate
| Map<K,V> | of | K |
| Map<K,V> | of | V |
| Map<K,V> | ofEntries | Entry<? extends K,? extends V>[] |
| Map<K,V> | ofLazy | Function<? super K,? extends V> |
| Map<K,V> | ofLazy | Set<? extends K> |
| Map<K,V> | put | K |
| Map<K,V> | put | V |
| Map<K,V> | putAll | Map<? extends K,? extends V> |
@@ -370,6 +382,8 @@ methodWithDuplicate
| Map<Object,Object> | of | K |
| Map<Object,Object> | of | V |
| Map<Object,Object> | ofEntries | Entry<? extends K,? extends V>[] |
| Map<Object,Object> | ofLazy | Function<? super K,? extends V> |
| Map<Object,Object> | ofLazy | Set<? extends K> |
| Map<Object,Object> | put | Object |
| Map<Object,Object> | putAll | Map<? extends Object,? extends Object> |
| Map<Object,Object> | putIfAbsent | Object |
@@ -397,6 +411,8 @@ methodWithDuplicate
| Map<String,String> | of | K |
| Map<String,String> | of | V |
| Map<String,String> | ofEntries | Entry<? extends K,? extends V>[] |
| Map<String,String> | ofLazy | Function<? super K,? extends V> |
| Map<String,String> | ofLazy | Set<? extends K> |
| Map<String,String> | put | String |
| Map<String,String> | putAll | Map<? extends String,? extends String> |
| Map<String,String> | putIfAbsent | String |


@@ -191,6 +191,8 @@ methodWithDuplicate
| List | listIterator | int |
| List | of | E |
| List | of | E[] |
| List | ofLazy | IntFunction<? extends E> |
| List | ofLazy | int |
| List | remove | Object |
| List | remove | int |
| List | removeAll | Collection<?> |
@@ -216,6 +218,8 @@ methodWithDuplicate
| List<E> | listIterator | int |
| List<E> | of | E |
| List<E> | of | E[] |
| List<E> | ofLazy | IntFunction<? extends E> |
| List<E> | ofLazy | int |
| List<E> | remove | Object |
| List<E> | remove | int |
| List<E> | removeAll | Collection<?> |
@@ -242,6 +246,8 @@ methodWithDuplicate
| List<String> | listIterator | int |
| List<String> | of | E |
| List<String> | of | E[] |
| List<String> | ofLazy | IntFunction<? extends E> |
| List<String> | ofLazy | int |
| List<String> | remove | Object |
| List<String> | remove | int |
| List<String> | removeAll | Collection<?> |
@@ -274,6 +280,8 @@ methodWithDuplicate
| Map | of | K |
| Map | of | V |
| Map | ofEntries | Entry<? extends K,? extends V>[] |
| Map | ofLazy | Function<? super K,? extends V> |
| Map | ofLazy | Set<? extends K> |
| Map | put | K |
| Map | put | V |
| Map | putAll | Map<? extends K,? extends V> |
@@ -303,6 +311,8 @@ methodWithDuplicate
| Map<Identity,Object> | of | K |
| Map<Identity,Object> | of | V |
| Map<Identity,Object> | ofEntries | Entry<? extends K,? extends V>[] |
| Map<Identity,Object> | ofLazy | Function<? super K,? extends V> |
| Map<Identity,Object> | ofLazy | Set<? extends K> |
| Map<Identity,Object> | put | Identity |
| Map<Identity,Object> | put | Object |
| Map<Identity,Object> | putAll | Map<? extends Identity,? extends Object> |
@@ -333,6 +343,8 @@ methodWithDuplicate
| Map<K,V> | of | K |
| Map<K,V> | of | V |
| Map<K,V> | ofEntries | Entry<? extends K,? extends V>[] |
| Map<K,V> | ofLazy | Function<? super K,? extends V> |
| Map<K,V> | ofLazy | Set<? extends K> |
| Map<K,V> | put | K |
| Map<K,V> | put | V |
| Map<K,V> | putAll | Map<? extends K,? extends V> |
@@ -361,6 +373,8 @@ methodWithDuplicate
| Map<Object,Object> | of | K |
| Map<Object,Object> | of | V |
| Map<Object,Object> | ofEntries | Entry<? extends K,? extends V>[] |
| Map<Object,Object> | ofLazy | Function<? super K,? extends V> |
| Map<Object,Object> | ofLazy | Set<? extends K> |
| Map<Object,Object> | put | Object |
| Map<Object,Object> | putAll | Map<? extends Object,? extends Object> |
| Map<Object,Object> | putIfAbsent | Object |
@@ -388,6 +402,8 @@ methodWithDuplicate
| Map<String,String> | of | K |
| Map<String,String> | of | V |
| Map<String,String> | ofEntries | Entry<? extends K,? extends V>[] |
| Map<String,String> | ofLazy | Function<? super K,? extends V> |
| Map<String,String> | ofLazy | Set<? extends K> |
| Map<String,String> | put | String |
| Map<String,String> | putAll | Map<? extends String,? extends String> |
| Map<String,String> | putIfAbsent | String |


@@ -266,6 +266,7 @@ compGenerated
| file://<external>/AccessFlag$Location.class:0:0:0:0 | getEntries | Default property accessor |
| file://<external>/AccessFlag.class:0:0:0:0 | getEntries | Default property accessor |
| file://<external>/AccessMode.class:0:0:0:0 | getEntries | Default property accessor |
| file://<external>/ByteOrder.class:0:0:0:0 | getEntries | Default property accessor |
| file://<external>/CharProgression.class:0:0:0:0 | forEach | Forwarder for a Kotlin class inheriting an interface default method |
| file://<external>/CharProgression.class:0:0:0:0 | spliterator | Forwarder for a Kotlin class inheriting an interface default method |
| file://<external>/CharRange.class:0:0:0:0 | forEach | Forwarder for a Kotlin class inheriting an interface default method |


@@ -1 +1 @@
| Test.java:0:0:0:0 | Test | Test.java:1:1:1:1 | Test | Compact source file 'Test' contains implicit class 'Test' |
| Test.java:0:0:0:0 | Test | Test.java:1:1:29:1 | Test | Compact source file 'Test' contains implicit class 'Test' |


@@ -1,2 +1,2 @@
| Test.java:1:1:1:1 | Test | implicit |
| Test.java:1:1:29:1 | Test | implicit |
| Test.java:25:7:25:16 | NotCompact | not implicit |


@@ -1,5 +1,5 @@
| Test.java:1:1:1:1 | <clinit> | in compact source |
| Test.java:1:1:1:1 | <obinit> | in compact source |
| Test.java:1:1:29:1 | <clinit> | in compact source |
| Test.java:1:1:29:1 | <obinit> | in compact source |
| Test.java:5:6:5:9 | main | in compact source |
| Test.java:11:6:11:16 | processData | in compact source |
| Test.java:16:14:16:31 | updatePrivateField | in compact source |


@@ -1 +1 @@
//semmle-extractor-options: --javac-args --release 25 --enable-preview
//semmle-extractor-options: --javac-args --release 25


@@ -1 +1 @@
//semmle-extractor-options: --javac-args --enable-preview --release 25
//semmle-extractor-options: --javac-args --release 25


@@ -1 +1 @@
//semmle-extractor-options: --javac-args -source 25 -target 25 --enable-preview
//semmle-extractor-options: --javac-args -source 25 -target 25


@@ -13,6 +13,5 @@ public class Test {
}
// Diagnostic Matches: Erroneous node in tree: (ERROR)
// Diagnostic Matches: In file Test.java:8:15 no end location for JCMethodInvocation : yield(x)
// Diagnostic Matches: 1 errors during annotation processing
// Diagnostic Matches: Unknown or erroneous type for expression of kind ErrorExpr


@@ -1 +1 @@
//semmle-extractor-options: --javac-args --release 25 --enable-preview
//semmle-extractor-options: --javac-args --release 25


@@ -1 +1 @@
//semmle-extractor-options: --javac-args --release 25 --enable-preview
//semmle-extractor-options: --javac-args --release 25


@@ -1 +1,4 @@
Security/CWE/CWE-023/PartialPathTraversal.ql
query: Security/CWE/CWE-023/PartialPathTraversal.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql


@@ -1,19 +1,19 @@
#select
| PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:32:14:32:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:32:14:32:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:38:14:38:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:38:14:38:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:45:14:45:26 | canonicalPath | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:45:14:45:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:52:14:52:26 | canonicalPath | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:52:14:52:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:56:14:56:27 | canonicalPath2 | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:56:14:56:27 | canonicalPath2 | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:64:14:64:26 | canonicalPath | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:64:14:64:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:67:14:67:27 | canonicalPath2 | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:67:14:67:27 | canonicalPath2 | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:97:14:97:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:97:14:97:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:105:14:105:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:105:14:105:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:108:14:108:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:108:14:108:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:176:14:176:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:176:14:176:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:32:14:32:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:32:14:32:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:38:14:38:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:38:14:38:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:45:14:45:26 | canonicalPath | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:45:14:45:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:52:14:52:26 | canonicalPath | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:52:14:52:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:56:14:56:27 | canonicalPath2 | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:56:14:56:27 | canonicalPath2 | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:64:14:64:26 | canonicalPath | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:64:14:64:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:67:14:67:27 | canonicalPath2 | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:67:14:67:27 | canonicalPath2 | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:97:14:97:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:97:14:97:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:105:14:105:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:105:14:105:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:108:14:108:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:108:14:108:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:176:14:176:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:176:14:176:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
| PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
edges
| PartialPathTraversalTest.java:13:14:13:18 | dir(...) : File | PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | provenance | MaD:6 |
| PartialPathTraversalTest.java:20:10:20:14 | dir(...) : File | PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | provenance | MaD:6 |
@@ -43,30 +43,30 @@ edges
| PartialPathTraversalTest.java:194:18:194:28 | encodedFile : File | PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | provenance | MaD:6 |
| PartialPathTraversalTest.java:211:46:211:50 | dir(...) : File | PartialPathTraversalTest.java:211:46:211:69 | getCanonicalPath(...) : String | provenance | MaD:6 |
| PartialPathTraversalTest.java:211:46:211:69 | getCanonicalPath(...) : String | PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | provenance | |
| PartialPathTraversalTest.java:252:45:252:117 | new BufferedReader(...) : BufferedReader | PartialPathTraversalTest.java:253:31:253:44 | filenameReader : BufferedReader | provenance | |
| PartialPathTraversalTest.java:252:64:252:116 | new InputStreamReader(...) : InputStreamReader | PartialPathTraversalTest.java:252:45:252:117 | new BufferedReader(...) : BufferedReader | provenance | MaD:2 |
| PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:252:64:252:116 | new InputStreamReader(...) : InputStreamReader | provenance | Src:MaD:1 MaD:7 |
| PartialPathTraversalTest.java:253:31:253:44 | filenameReader : BufferedReader | PartialPathTraversalTest.java:253:31:253:55 | readLine(...) : String | provenance | MaD:3 |
| PartialPathTraversalTest.java:253:31:253:55 | readLine(...) : String | PartialPathTraversalTest.java:254:29:254:36 | filename : String | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:13:14:13:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:20:10:20:14 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:32:14:32:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:38:14:38:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:44:32:44:36 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:51:32:51:36 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:55:33:55:37 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:62:32:62:36 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:63:33:63:37 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:97:14:97:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:105:14:105:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:108:14:108:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:176:14:176:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:211:46:211:50 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:261:16:261:20 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:254:29:254:36 | filename : String | PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | provenance | MaD:4 |
| PartialPathTraversalTest.java:261:16:261:20 | dir(...) : File | PartialPathTraversalTest.java:261:16:261:38 | getAbsolutePath(...) : String | provenance | MaD:5 |
| PartialPathTraversalTest.java:261:16:261:38 | getAbsolutePath(...) : String | PartialPathTraversalTest.java:261:16:261:60 | split(...) : String[] | provenance | MaD:10 |
| PartialPathTraversalTest.java:261:16:261:60 | split(...) : String[] | PartialPathTraversalTest.java:186:25:186:30 | path(...) : String[] | provenance | |
| PartialPathTraversalTest.java:260:45:260:117 | new BufferedReader(...) : BufferedReader | PartialPathTraversalTest.java:261:31:261:44 | filenameReader : BufferedReader | provenance | |
| PartialPathTraversalTest.java:260:64:260:116 | new InputStreamReader(...) : InputStreamReader | PartialPathTraversalTest.java:260:45:260:117 | new BufferedReader(...) : BufferedReader | provenance | MaD:2 |
| PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:260:64:260:116 | new InputStreamReader(...) : InputStreamReader | provenance | Src:MaD:1 MaD:7 |
| PartialPathTraversalTest.java:261:31:261:44 | filenameReader : BufferedReader | PartialPathTraversalTest.java:261:31:261:55 | readLine(...) : String | provenance | MaD:3 |
| PartialPathTraversalTest.java:261:31:261:55 | readLine(...) : String | PartialPathTraversalTest.java:262:29:262:36 | filename : String | provenance | |
| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:13:14:13:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:20:10:20:14 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:32:14:32:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:38:14:38:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:44:32:44:36 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:51:32:51:36 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:55:33:55:37 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:62:32:62:36 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:63:33:63:37 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:97:14:97:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:105:14:105:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:108:14:108:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:176:14:176:18 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:211:46:211:50 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:269:16:269:20 | dir(...) : File | provenance | |
| PartialPathTraversalTest.java:262:29:262:36 | filename : String | PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | provenance | MaD:4 |
| PartialPathTraversalTest.java:269:16:269:20 | dir(...) : File | PartialPathTraversalTest.java:269:16:269:38 | getAbsolutePath(...) : String | provenance | MaD:5 |
| PartialPathTraversalTest.java:269:16:269:38 | getAbsolutePath(...) : String | PartialPathTraversalTest.java:269:16:269:60 | split(...) : String[] | provenance | MaD:10 |
| PartialPathTraversalTest.java:269:16:269:60 | split(...) : String[] | PartialPathTraversalTest.java:186:25:186:30 | path(...) : String[] | provenance | |
models
| 1 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual |
| 2 | Summary: java.io; BufferedReader; false; BufferedReader; ; ; Argument[0]; Argument[this]; taint; manual |
@@ -122,14 +122,14 @@ nodes
| PartialPathTraversalTest.java:211:46:211:50 | dir(...) : File | semmle.label | dir(...) : File |
| PartialPathTraversalTest.java:211:46:211:69 | getCanonicalPath(...) : String | semmle.label | getCanonicalPath(...) : String |
| PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | semmle.label | canonicalPath |
| PartialPathTraversalTest.java:252:45:252:117 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
| PartialPathTraversalTest.java:252:64:252:116 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
| PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| PartialPathTraversalTest.java:253:31:253:44 | filenameReader : BufferedReader | semmle.label | filenameReader : BufferedReader |
| PartialPathTraversalTest.java:253:31:253:55 | readLine(...) : String | semmle.label | readLine(...) : String |
| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | semmle.label | new File(...) : File |
| PartialPathTraversalTest.java:254:29:254:36 | filename : String | semmle.label | filename : String |
| PartialPathTraversalTest.java:261:16:261:20 | dir(...) : File | semmle.label | dir(...) : File |
| PartialPathTraversalTest.java:261:16:261:38 | getAbsolutePath(...) : String | semmle.label | getAbsolutePath(...) : String |
| PartialPathTraversalTest.java:261:16:261:60 | split(...) : String[] | semmle.label | split(...) : String[] |
| PartialPathTraversalTest.java:260:45:260:117 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
| PartialPathTraversalTest.java:260:64:260:116 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
| PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| PartialPathTraversalTest.java:261:31:261:44 | filenameReader : BufferedReader | semmle.label | filenameReader : BufferedReader |
| PartialPathTraversalTest.java:261:31:261:55 | readLine(...) : String | semmle.label | readLine(...) : String |
| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | semmle.label | new File(...) : File |
| PartialPathTraversalTest.java:262:29:262:36 | filename : String | semmle.label | filename : String |
| PartialPathTraversalTest.java:269:16:269:20 | dir(...) : File | semmle.label | dir(...) : File |
| PartialPathTraversalTest.java:269:16:269:38 | getAbsolutePath(...) : String | semmle.label | getAbsolutePath(...) : String |
| PartialPathTraversalTest.java:269:16:269:60 | split(...) : String[] | semmle.label | split(...) : String[] |
subpaths


@@ -10,14 +10,14 @@ import java.net.Socket;
public class PartialPathTraversalTest {
public void esapiExample(File parent) throws IOException {
if (!dir().getCanonicalPath().startsWith(parent.getCanonicalPath())) { // $ Alert
if (!dir().getCanonicalPath().startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
@SuppressWarnings("ResultOfMethodCallIgnored")
void foo1(File parent) throws IOException {
(dir().getCanonicalPath()).startsWith((parent.getCanonicalPath())); // $ Alert
(dir().getCanonicalPath()).startsWith((parent.getCanonicalPath())); // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
}
void foo2(File parent) throws IOException {
@@ -29,31 +29,31 @@ public class PartialPathTraversalTest {
void foo3(File parent) throws IOException {
String parentPath = parent.getCanonicalPath();
if (!dir().getCanonicalPath().startsWith(parentPath)) { // $ Alert
if (!dir().getCanonicalPath().startsWith(parentPath)) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
void foo4() throws IOException {
if (!dir().getCanonicalPath().startsWith("/usr" + "/dir")) { // $ Alert
if (!dir().getCanonicalPath().startsWith("/usr" + "/dir")) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
void foo5(File parent) throws IOException {
String canonicalPath = dir().getCanonicalPath();
if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert
if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
void foo6(File parent) throws IOException {
String canonicalPath = dir().getCanonicalPath();
if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert
if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
String canonicalPath2 = dir().getCanonicalPath();
if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert
if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
@@ -61,10 +61,10 @@ public class PartialPathTraversalTest {
void foo7(File dir, File parent) throws IOException {
String canonicalPath = dir().getCanonicalPath();
String canonicalPath2 = dir().getCanonicalPath();
if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert
if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert
if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
@@ -75,7 +75,7 @@ public class PartialPathTraversalTest {
void foo8(File parent) throws IOException {
String canonicalPath = getChild().getCanonicalPath();
if (!canonicalPath.startsWith(parent.getCanonicalPath())) {
if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal]
throw new IOException("Invalid directory: " + getChild().getCanonicalPath());
}
}
@@ -94,7 +94,7 @@ public class PartialPathTraversalTest {
void foo11(File parent) throws IOException {
String parentCanonical = parent.getCanonicalPath();
if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert
if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
@@ -102,10 +102,10 @@ public class PartialPathTraversalTest {
void foo12(File parent) throws IOException {
String parentCanonical = parent.getCanonicalPath();
String parentCanonical2 = parent.getCanonicalPath();
if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert
if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
if (!dir().getCanonicalPath().startsWith(parentCanonical2)) { // $ Alert
if (!dir().getCanonicalPath().startsWith(parentCanonical2)) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
@@ -173,7 +173,7 @@ public class PartialPathTraversalTest {
void foo19(File parent) throws IOException {
String parentCanonical = parent.getCanonicalPath() + "/potato";
if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert
if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
@@ -191,7 +191,7 @@ public class PartialPathTraversalTest {
String filePath = sb.toString();
File encodedFile = new File(filePath);
try {
if (!encodedFile.getCanonicalPath().startsWith(cacheDir.getCanonicalPath())) { // $ Alert
if (!encodedFile.getCanonicalPath().startsWith(cacheDir.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
return null;
}
return Files.newInputStream(encodedFile.toPath());
@@ -209,7 +209,7 @@ public class PartialPathTraversalTest {
void foo22(File dir2, File parent, boolean conditional) throws IOException {
String canonicalPath = conditional ? dir().getCanonicalPath() : dir2.getCanonicalPath();
if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert
if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
@@ -228,6 +228,14 @@ public class PartialPathTraversalTest {
}
}
void foo25(File parent) throws IOException {
String path = parent.getCanonicalPath();
path += File.separator;
if (!dir().getCanonicalPath().startsWith(path)) {
throw new IOException("Invalid directory: " + dir().getCanonicalPath());
}
}
public void doesNotFlagOptimalSafeVersion(File parent) throws IOException {
if (!dir().toPath().normalize().startsWith(parent.toPath())) { // Safe
throw new IOException("Path traversal attempt: " + dir().getCanonicalPath());
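Review bot: The new `foo25` case carries no inline marker on its `startsWith(path)` line, whereas the neighbouring `doesNotFlagOptimalSafeVersion` marks its check with `// Safe`; under the inline-expectations test an unannotated line is indistinguishable from a forgotten `$ Alert`, so the intent is only recoverable from the absence of a row in the `.expected` file. I would annotate it as `if (!dir().getCanonicalPath().startsWith(path)) { // Safe: trailing File.separator stops a sibling directory whose name merely extends parent from passing the prefix check`. The same comment also records why the query is expected to stay quiet here if the guard is later refactored. The enclosing class continues outside the hunk.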


@@ -3,6 +3,14 @@
| Test.java:12:22:12:52 | ... + ... | Test.java:12:44:12:52 | authToken : String | Test.java:12:22:12:52 | ... + ... | This $@ is written to a log file. | Test.java:12:44:12:52 | authToken | potentially sensitive information |
| Test.java:21:22:21:75 | ... + ... | Test.java:21:44:21:52 | authToken : String | Test.java:21:22:21:75 | ... + ... | This $@ is written to a log file. | Test.java:21:44:21:52 | authToken | potentially sensitive information |
| Test.java:22:22:22:75 | ... + ... | Test.java:22:44:22:52 | authToken : String | Test.java:22:22:22:75 | ... + ... | This $@ is written to a log file. | Test.java:22:44:22:52 | authToken | potentially sensitive information |
| Test.java:66:21:66:43 | ... + ... | Test.java:66:33:66:43 | accessToken : String | Test.java:66:21:66:43 | ... + ... | This $@ is written to a log file. | Test.java:66:33:66:43 | accessToken | potentially sensitive information |
| Test.java:67:21:67:45 | ... + ... | Test.java:67:34:67:45 | clientSecret : String | Test.java:67:21:67:45 | ... + ... | This $@ is written to a log file. | Test.java:67:34:67:45 | clientSecret | potentially sensitive information |
| Test.java:68:21:68:42 | ... + ... | Test.java:68:34:68:42 | apiSecret : String | Test.java:68:21:68:42 | ... + ... | This $@ is written to a log file. | Test.java:68:34:68:42 | apiSecret | potentially sensitive information |
| Test.java:69:21:69:44 | ... + ... | Test.java:69:33:69:44 | sessionToken : String | Test.java:69:21:69:44 | ... + ... | This $@ is written to a log file. | Test.java:69:33:69:44 | sessionToken | potentially sensitive information |
| Test.java:70:21:70:43 | ... + ... | Test.java:70:33:70:43 | bearerToken : String | Test.java:70:21:70:43 | ... + ... | This $@ is written to a log file. | Test.java:70:33:70:43 | bearerToken | potentially sensitive information |
| Test.java:71:21:71:39 | ... + ... | Test.java:71:31:71:39 | secretKey : String | Test.java:71:21:71:39 | ... + ... | This $@ is written to a log file. | Test.java:71:31:71:39 | secretKey | potentially sensitive information |
| Test.java:72:21:72:44 | ... + ... | Test.java:72:33:72:44 | refreshToken : String | Test.java:72:21:72:44 | ... + ... | This $@ is written to a log file. | Test.java:72:33:72:44 | refreshToken | potentially sensitive information |
| Test.java:73:21:73:43 | ... + ... | Test.java:73:33:73:43 | secretValue : String | Test.java:73:21:73:43 | ... + ... | This $@ is written to a log file. | Test.java:73:33:73:43 | secretValue | potentially sensitive information |
edges
| Test.java:11:46:11:53 | password : String | Test.java:11:21:11:53 | ... + ... | provenance | Sink:MaD:2 |
| Test.java:12:44:12:52 | authToken : String | Test.java:12:22:12:52 | ... + ... | provenance | Sink:MaD:1 |
@@ -10,6 +18,14 @@ edges
| Test.java:21:44:21:67 | substring(...) : String | Test.java:21:22:21:75 | ... + ... | provenance | Sink:MaD:1 |
| Test.java:22:44:22:52 | authToken : String | Test.java:22:44:22:67 | substring(...) : String | provenance | MaD:3 |
| Test.java:22:44:22:67 | substring(...) : String | Test.java:22:22:22:75 | ... + ... | provenance | Sink:MaD:1 |
| Test.java:66:33:66:43 | accessToken : String | Test.java:66:21:66:43 | ... + ... | provenance | Sink:MaD:2 |
| Test.java:67:34:67:45 | clientSecret : String | Test.java:67:21:67:45 | ... + ... | provenance | Sink:MaD:2 |
| Test.java:68:34:68:42 | apiSecret : String | Test.java:68:21:68:42 | ... + ... | provenance | Sink:MaD:2 |
| Test.java:69:33:69:44 | sessionToken : String | Test.java:69:21:69:44 | ... + ... | provenance | Sink:MaD:2 |
| Test.java:70:33:70:43 | bearerToken : String | Test.java:70:21:70:43 | ... + ... | provenance | Sink:MaD:2 |
| Test.java:71:31:71:39 | secretKey : String | Test.java:71:21:71:39 | ... + ... | provenance | Sink:MaD:2 |
| Test.java:72:33:72:44 | refreshToken : String | Test.java:72:21:72:44 | ... + ... | provenance | Sink:MaD:2 |
| Test.java:73:33:73:43 | secretValue : String | Test.java:73:21:73:43 | ... + ... | provenance | Sink:MaD:2 |
models
| 1 | Sink: org.apache.logging.log4j; Logger; true; error; (String); ; Argument[0]; log-injection; manual |
| 2 | Sink: org.apache.logging.log4j; Logger; true; info; (String); ; Argument[0]; log-injection; manual |
@@ -25,4 +41,20 @@ nodes
| Test.java:22:22:22:75 | ... + ... | semmle.label | ... + ... |
| Test.java:22:44:22:52 | authToken : String | semmle.label | authToken : String |
| Test.java:22:44:22:67 | substring(...) : String | semmle.label | substring(...) : String |
| Test.java:66:21:66:43 | ... + ... | semmle.label | ... + ... |
| Test.java:66:33:66:43 | accessToken : String | semmle.label | accessToken : String |
| Test.java:67:21:67:45 | ... + ... | semmle.label | ... + ... |
| Test.java:67:34:67:45 | clientSecret : String | semmle.label | clientSecret : String |
| Test.java:68:21:68:42 | ... + ... | semmle.label | ... + ... |
| Test.java:68:34:68:42 | apiSecret : String | semmle.label | apiSecret : String |
| Test.java:69:21:69:44 | ... + ... | semmle.label | ... + ... |
| Test.java:69:33:69:44 | sessionToken : String | semmle.label | sessionToken : String |
| Test.java:70:21:70:43 | ... + ... | semmle.label | ... + ... |
| Test.java:70:33:70:43 | bearerToken : String | semmle.label | bearerToken : String |
| Test.java:71:21:71:39 | ... + ... | semmle.label | ... + ... |
| Test.java:71:31:71:39 | secretKey : String | semmle.label | secretKey : String |
| Test.java:72:21:72:44 | ... + ... | semmle.label | ... + ... |
| Test.java:72:33:72:44 | refreshToken : String | semmle.label | refreshToken : String |
| Test.java:73:21:73:43 | ... + ... | semmle.label | ... + ... |
| Test.java:73:33:73:43 | secretValue : String | semmle.label | secretValue : String |
subpaths


@@ -21,4 +21,55 @@ class Test {
logger.error("Auth failed for: " + authToken.substring(1,5) + "..."); // $ Alert
logger.error("Auth failed for: " + authToken.substring(0,8) + "..."); // $ Alert
}
// Tests for false positive exclusions: variables with "token" or "secret" in the name
// that do not hold sensitive data.
void testFalsePositiveExclusions(
String nextToken, String pageToken, String continuationToken, String cursorToken,
String tokenType, String tokenEndpoint, String tokenCount, String tokenUrl,
String tokenIndex, String tokenLength, String tokenName, String tokenId,
String secretName, String secretId, String secretVersion, String secretArn,
String secretPath, String secretType,
String secretManager, String secretProperties
) {
Logger logger = null;
// Pagination/iteration tokens (e.g., AWS SDK, GCP, Azure pagination cursors)
logger.info("cursor: " + nextToken); // Safe
logger.info("cursor: " + pageToken); // Safe
logger.info("cursor: " + continuationToken); // Safe
logger.info("cursor: " + cursorToken); // Safe
// Token metadata (e.g., OAuth token type, OIDC discovery endpoint)
logger.info("type: " + tokenType); // Safe
logger.info("endpoint: " + tokenEndpoint); // Safe
logger.info("count: " + tokenCount); // Safe
logger.info("url: " + tokenUrl); // Safe
logger.info("index: " + tokenIndex); // Safe
logger.info("length: " + tokenLength); // Safe
logger.info("name: " + tokenName); // Safe
logger.info("id: " + tokenId); // Safe
// Secret metadata (e.g., K8s secret name, AWS Secrets Manager identifiers)
logger.info("name: " + secretName); // Safe
logger.info("id: " + secretId); // Safe
logger.info("version: " + secretVersion); // Safe
logger.info("arn: " + secretArn); // Safe
logger.info("path: " + secretPath); // Safe
logger.info("type: " + secretType); // Safe
logger.info("manager: " + secretManager); // Safe
logger.info("properties: " + secretProperties); // Safe
}
// These should still be flagged as sensitive
void testTruePositives(String accessToken, String clientSecret, String apiSecret,
String sessionToken, String bearerToken, String secretKey,
String refreshToken, String secretValue) {
Logger logger = null;
logger.info("token: " + accessToken); // $ Alert
logger.info("secret: " + clientSecret); // $ Alert
logger.info("secret: " + apiSecret); // $ Alert
logger.info("token: " + sessionToken); // $ Alert
logger.info("token: " + bearerToken); // $ Alert
logger.info("key: " + secretKey); // $ Alert
logger.info("token: " + refreshToken); // $ Alert
logger.info("value: " + secretValue); // $ Alert
}
}
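Review bot: The exclusion list asserts `tokenId` and `secretId` as Safe (`logger.info("id: " + tokenId)`, `logger.info("id: " + secretId)`), but whether an "id" is metadata or the credential itself is API-specific, so these are the most fragile entries and deserve a comment stating the assumption, e.g. `// tokenId/secretId are taken to identify a credential, not to be the credential itself`. There is also no case combining an excluded suffix with a sensitive stem (for example an `accessTokenId` parameter), which would pin down how the query resolves a conflict between the two name rules. The enclosing class `Test` starts outside this hunk.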


@@ -0,0 +1,44 @@
import java.net.Socket;
import javax.xml.stream.XMLInputFactory;
import com.ctc.wstx.stax.WstxInputFactory;
public class WstxInputFactoryTests {
public void unconfiguredFactory(Socket sock) throws Exception {
WstxInputFactory factory = new WstxInputFactory();
factory.createXMLStreamReader(sock.getInputStream()); // $ Alert
factory.createXMLEventReader(sock.getInputStream()); // $ Alert
}
public void safeFactory(Socket sock) throws Exception {
WstxInputFactory factory = new WstxInputFactory();
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
factory.createXMLStreamReader(sock.getInputStream()); // safe
factory.createXMLEventReader(sock.getInputStream()); // safe
}
public void safeFactoryStringProperties(Socket sock) throws Exception {
WstxInputFactory factory = new WstxInputFactory();
factory.setProperty("javax.xml.stream.supportDTD", false);
factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
factory.createXMLStreamReader(sock.getInputStream()); // safe
factory.createXMLEventReader(sock.getInputStream()); // safe
}
public void misConfiguredFactory(Socket sock) throws Exception {
WstxInputFactory factory = new WstxInputFactory();
factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
factory.createXMLStreamReader(sock.getInputStream()); // $ Alert
factory.createXMLEventReader(sock.getInputStream()); // $ Alert
}
public void misConfiguredFactory2(Socket sock) throws Exception {
WstxInputFactory factory = new WstxInputFactory();
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
factory.createXMLStreamReader(sock.getInputStream()); // $ Alert
factory.createXMLEventReader(sock.getInputStream()); // $ Alert
}
}
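Review bot: The `// $ Alert` expectations in misConfiguredFactory2, where only `XMLInputFactory.SUPPORT_DTD` is set to false, encode that disabling DTD processing alone is not accepted as a barrier; since disabling DTDs is commonly documented as the primary StAX mitigation, a comment explaining the intent would keep the expectation from reading as an oversight, e.g. `// SUPPORT_DTD=false alone is not recognised as safe here; both properties must be disabled`. Every factory in this file is declared as WstxInputFactory, so there is no case where the variable is typed as the abstract superclass org.codehaus.stax2.XMLInputFactory2 that the stubs introduce, which presumably is meant to be recognised too. None of the tests exercise the Reader, Source or (String systemId, InputStream) overloads of createXMLStreamReader and createXMLEventReader that the WstxInputFactory stub declares.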


@@ -89,6 +89,12 @@
| TransformerTests.java:141:21:141:73 | new SAXSource(...) | TransformerTests.java:141:51:141:71 | getInputStream(...) : InputStream | TransformerTests.java:141:21:141:73 | new SAXSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:141:51:141:71 | getInputStream(...) | user-provided value |
| UnmarshallerTests.java:29:18:29:38 | getInputStream(...) | UnmarshallerTests.java:29:18:29:38 | getInputStream(...) | UnmarshallerTests.java:29:18:29:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | UnmarshallerTests.java:29:18:29:38 | getInputStream(...) | user-provided value |
| ValidatorTests.java:22:28:22:33 | source | ValidatorTests.java:17:49:17:72 | getInputStream(...) : ServletInputStream | ValidatorTests.java:22:28:22:33 | source | XML parsing depends on a $@ without guarding against external entity expansion. | ValidatorTests.java:17:49:17:72 | getInputStream(...) | user-provided value |
| WstxInputFactoryTests.java:11:35:11:55 | getInputStream(...) | WstxInputFactoryTests.java:11:35:11:55 | getInputStream(...) | WstxInputFactoryTests.java:11:35:11:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | WstxInputFactoryTests.java:11:35:11:55 | getInputStream(...) | user-provided value |
| WstxInputFactoryTests.java:12:34:12:54 | getInputStream(...) | WstxInputFactoryTests.java:12:34:12:54 | getInputStream(...) | WstxInputFactoryTests.java:12:34:12:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | WstxInputFactoryTests.java:12:34:12:54 | getInputStream(...) | user-provided value |
| WstxInputFactoryTests.java:34:35:34:55 | getInputStream(...) | WstxInputFactoryTests.java:34:35:34:55 | getInputStream(...) | WstxInputFactoryTests.java:34:35:34:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | WstxInputFactoryTests.java:34:35:34:55 | getInputStream(...) | user-provided value |
| WstxInputFactoryTests.java:35:34:35:54 | getInputStream(...) | WstxInputFactoryTests.java:35:34:35:54 | getInputStream(...) | WstxInputFactoryTests.java:35:34:35:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | WstxInputFactoryTests.java:35:34:35:54 | getInputStream(...) | user-provided value |
| WstxInputFactoryTests.java:41:35:41:55 | getInputStream(...) | WstxInputFactoryTests.java:41:35:41:55 | getInputStream(...) | WstxInputFactoryTests.java:41:35:41:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | WstxInputFactoryTests.java:41:35:41:55 | getInputStream(...) | user-provided value |
| WstxInputFactoryTests.java:42:34:42:54 | getInputStream(...) | WstxInputFactoryTests.java:42:34:42:54 | getInputStream(...) | WstxInputFactoryTests.java:42:34:42:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | WstxInputFactoryTests.java:42:34:42:54 | getInputStream(...) | user-provided value |
| XMLDecoderTests.java:18:9:18:18 | xmlDecoder | XMLDecoderTests.java:16:49:16:72 | getInputStream(...) : ServletInputStream | XMLDecoderTests.java:18:9:18:18 | xmlDecoder | XML parsing depends on a $@ without guarding against external entity expansion. | XMLDecoderTests.java:16:49:16:72 | getInputStream(...) | user-provided value |
| XMLReaderTests.java:16:18:16:55 | new InputSource(...) | XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:16:34:16:54 | getInputStream(...) | user-provided value |
| XMLReaderTests.java:56:18:56:55 | new InputSource(...) | XMLReaderTests.java:56:34:56:54 | getInputStream(...) : InputStream | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:56:34:56:54 | getInputStream(...) | user-provided value |
@@ -390,6 +396,12 @@ nodes
| ValidatorTests.java:21:31:21:66 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
| ValidatorTests.java:21:48:21:65 | servletInputStream : ServletInputStream | semmle.label | servletInputStream : ServletInputStream |
| ValidatorTests.java:22:28:22:33 | source | semmle.label | source |
| WstxInputFactoryTests.java:11:35:11:55 | getInputStream(...) | semmle.label | getInputStream(...) |
| WstxInputFactoryTests.java:12:34:12:54 | getInputStream(...) | semmle.label | getInputStream(...) |
| WstxInputFactoryTests.java:34:35:34:55 | getInputStream(...) | semmle.label | getInputStream(...) |
| WstxInputFactoryTests.java:35:34:35:54 | getInputStream(...) | semmle.label | getInputStream(...) |
| WstxInputFactoryTests.java:41:35:41:55 | getInputStream(...) | semmle.label | getInputStream(...) |
| WstxInputFactoryTests.java:42:34:42:54 | getInputStream(...) | semmle.label | getInputStream(...) |
| XMLDecoderTests.java:16:49:16:72 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
| XMLDecoderTests.java:17:33:17:66 | new XMLDecoder(...) : XMLDecoder | semmle.label | new XMLDecoder(...) : XMLDecoder |
| XMLDecoderTests.java:17:48:17:65 | servletInputStream : ServletInputStream | semmle.label | servletInputStream : ServletInputStream |


@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/apache-commons-digester3-3.2:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/rundeck-api-java-client-13.2:${testdir}/../../../stubs/springframework-5.8.x/:${testdir}/../../../stubs/mdht-1.2.0/
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/apache-commons-digester3-3.2:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/rundeck-api-java-client-13.2:${testdir}/../../../stubs/springframework-5.8.x/:${testdir}/../../../stubs/mdht-1.2.0/:${testdir}/../../../stubs/woodstox-core-6.4.0


@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args --release 25


@@ -0,0 +1,49 @@
// Generated automatically from com.ctc.wstx.stax.WstxInputFactory for testing purposes
package com.ctc.wstx.stax;
import java.io.InputStream;
import java.io.Reader;
import javax.xml.stream.EventFilter;
import javax.xml.stream.StreamFilter;
import javax.xml.stream.XMLEventReader;
import javax.xml.stream.XMLReporter;
import javax.xml.stream.XMLResolver;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.util.XMLEventAllocator;
import javax.xml.transform.Source;
import org.codehaus.stax2.XMLInputFactory2;
public class WstxInputFactory extends XMLInputFactory2 {
public WstxInputFactory() {}
public XMLStreamReader createXMLStreamReader(InputStream in) throws XMLStreamException { return null; }
public XMLStreamReader createXMLStreamReader(InputStream in, String enc) throws XMLStreamException { return null; }
public XMLStreamReader createXMLStreamReader(Reader r) throws XMLStreamException { return null; }
public XMLStreamReader createXMLStreamReader(Source src) throws XMLStreamException { return null; }
public XMLStreamReader createXMLStreamReader(String systemId, InputStream in) throws XMLStreamException { return null; }
public XMLStreamReader createXMLStreamReader(String systemId, Reader r) throws XMLStreamException { return null; }
public XMLEventReader createXMLEventReader(InputStream in) throws XMLStreamException { return null; }
public XMLEventReader createXMLEventReader(InputStream in, String enc) throws XMLStreamException { return null; }
public XMLEventReader createXMLEventReader(Reader r) throws XMLStreamException { return null; }
public XMLEventReader createXMLEventReader(Source src) throws XMLStreamException { return null; }
public XMLEventReader createXMLEventReader(String systemId, InputStream in) throws XMLStreamException { return null; }
public XMLEventReader createXMLEventReader(String systemId, Reader r) throws XMLStreamException { return null; }
public XMLEventReader createXMLEventReader(XMLStreamReader sr) throws XMLStreamException { return null; }
public XMLStreamReader createFilteredReader(XMLStreamReader reader, StreamFilter filter) { return null; }
public XMLEventReader createFilteredReader(XMLEventReader reader, EventFilter filter) { return null; }
public void setProperty(String name, Object value) {}
public Object getProperty(String name) { return null; }
public boolean isPropertySupported(String name) { return false; }
public XMLResolver getXMLResolver() { return null; }
public void setXMLResolver(XMLResolver r) {}
public XMLReporter getXMLReporter() { return null; }
public void setXMLReporter(XMLReporter r) {}
public XMLEventAllocator getEventAllocator() { return null; }
public void setEventAllocator(XMLEventAllocator a) {}
}


@@ -0,0 +1,9 @@
// Generated automatically from org.codehaus.stax2.XMLInputFactory2 for testing purposes
package org.codehaus.stax2;
import javax.xml.stream.XMLInputFactory;
public abstract class XMLInputFactory2 extends XMLInputFactory {
protected XMLInputFactory2() {}
}