mirror of
https://github.com/github/codeql.git
synced 2026-03-04 14:46:48 +01:00
Merge pull request #16362 from michaelnebel/java/removelocalqueries
Java: Remove local query variants.
This commit is contained in:
Michael Nebel
@@ -1,5 +0,0 @@
|
||||
<!DOCTYPE qhelp PUBLIC
|
||||
"-//Semmle//qhelp//EN"
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
<include src="TaintedPath.qhelp" /></qhelp>
|
||||
@@ -1,24 +0,0 @@
|
||||
/**
|
||||
* @name Local-user-controlled data in path expression
|
||||
* @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
|
||||
* @kind path-problem
|
||||
* @problem.severity recommendation
|
||||
* @security-severity 7.5
|
||||
* @precision medium
|
||||
* @id java/path-injection-local
|
||||
* @tags security
|
||||
* external/cwe/cwe-022
|
||||
* external/cwe/cwe-023
|
||||
* external/cwe/cwe-036
|
||||
* external/cwe/cwe-073
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.PathCreation
|
||||
import semmle.code.java.security.TaintedPathQuery
|
||||
import TaintedPathLocalFlow::PathGraph
|
||||
|
||||
from TaintedPathLocalFlow::PathNode source, TaintedPathLocalFlow::PathNode sink
|
||||
where TaintedPathLocalFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
@@ -14,11 +14,10 @@
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.CommandLineQuery
|
||||
import RemoteUserInputToArgumentToExecFlow::PathGraph
|
||||
import InputToArgumentToExecFlow::PathGraph
|
||||
|
||||
from
|
||||
RemoteUserInputToArgumentToExecFlow::PathNode source,
|
||||
RemoteUserInputToArgumentToExecFlow::PathNode sink, Expr execArg
|
||||
InputToArgumentToExecFlow::PathNode source, InputToArgumentToExecFlow::PathNode sink, Expr execArg
|
||||
where execIsTainted(source, sink, execArg)
|
||||
select execArg, source, sink, "This command line depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -1,5 +0,0 @@
|
||||
<!DOCTYPE qhelp PUBLIC
|
||||
"-//Semmle//qhelp//EN"
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
<include src="ExecTainted.qhelp" /></qhelp>
|
||||
@@ -1,27 +0,0 @@
|
||||
/**
|
||||
* @name Local-user-controlled command line
|
||||
* @description Using externally controlled strings in a command line is vulnerable to malicious
|
||||
* changes in the strings.
|
||||
* @kind path-problem
|
||||
* @problem.severity recommendation
|
||||
* @security-severity 9.8
|
||||
* @precision medium
|
||||
* @id java/command-line-injection-local
|
||||
* @tags security
|
||||
* external/cwe/cwe-078
|
||||
* external/cwe/cwe-088
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.CommandLineQuery
|
||||
import semmle.code.java.security.ExternalProcess
|
||||
import LocalUserInputToArgumentToExecFlow::PathGraph
|
||||
|
||||
from
|
||||
LocalUserInputToArgumentToExecFlow::PathNode source,
|
||||
LocalUserInputToArgumentToExecFlow::PathNode sink, Expr e
|
||||
where
|
||||
LocalUserInputToArgumentToExecFlow::flowPath(source, sink) and
|
||||
argumentToExec(e, sink.getNode())
|
||||
select e, source, sink, "This command line depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
@@ -1,5 +0,0 @@
|
||||
<!DOCTYPE qhelp PUBLIC
|
||||
"-//Semmle//qhelp//EN"
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
<include src="XSS.qhelp" /></qhelp>
|
||||
@@ -1,21 +0,0 @@
|
||||
/**
|
||||
* @name Cross-site scripting from local source
|
||||
* @description Writing user input directly to a web page
|
||||
* allows for a cross-site scripting vulnerability.
|
||||
* @kind path-problem
|
||||
* @problem.severity recommendation
|
||||
* @security-severity 6.1
|
||||
* @precision medium
|
||||
* @id java/xss-local
|
||||
* @tags security
|
||||
* external/cwe/cwe-079
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.XssLocalQuery
|
||||
import XssLocalFlow::PathGraph
|
||||
|
||||
from XssLocalFlow::PathNode source, XssLocalFlow::PathNode sink
|
||||
where XssLocalFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
@@ -1,5 +0,0 @@
|
||||
<!DOCTYPE qhelp PUBLIC
|
||||
"-//Semmle//qhelp//EN"
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
<include src="SqlTainted.qhelp" /></qhelp>
|
||||
@@ -1,24 +0,0 @@
|
||||
/**
|
||||
* @name Query built from local-user-controlled sources
|
||||
* @description Building a SQL or Java Persistence query from user-controlled sources is vulnerable to insertion of
|
||||
* malicious code by the user.
|
||||
* @kind path-problem
|
||||
* @problem.severity recommendation
|
||||
* @security-severity 8.8
|
||||
* @precision medium
|
||||
* @id java/sql-injection-local
|
||||
* @tags security
|
||||
* external/cwe/cwe-089
|
||||
* external/cwe/cwe-564
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.SqlTaintedLocalQuery
|
||||
import LocalUserInputToQueryInjectionFlow::PathGraph
|
||||
|
||||
from
|
||||
LocalUserInputToQueryInjectionFlow::PathNode source,
|
||||
LocalUserInputToQueryInjectionFlow::PathNode sink
|
||||
where LocalUserInputToQueryInjectionFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
@@ -1,5 +0,0 @@
|
||||
<!DOCTYPE qhelp PUBLIC
|
||||
"-//Semmle//qhelp//EN"
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
<include src="ResponseSplitting.qhelp" /></qhelp>
|
||||
@@ -1,22 +0,0 @@
|
||||
/**
|
||||
* @name HTTP response splitting from local source
|
||||
* @description Writing user input directly to an HTTP header
|
||||
* makes code vulnerable to attack by header splitting.
|
||||
* @kind path-problem
|
||||
* @problem.severity recommendation
|
||||
* @security-severity 6.1
|
||||
* @precision medium
|
||||
* @id java/http-response-splitting-local
|
||||
* @tags security
|
||||
* external/cwe/cwe-113
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.ResponseSplittingLocalQuery
|
||||
import ResponseSplittingLocalFlow::PathGraph
|
||||
|
||||
from ResponseSplittingLocalFlow::PathNode source, ResponseSplittingLocalFlow::PathNode sink
|
||||
where ResponseSplittingLocalFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"This header depends on a $@, which may cause a response-splitting vulnerability.",
|
||||
source.getNode(), "user-provided value"
|
||||
@@ -1,5 +0,0 @@
|
||||
<!DOCTYPE qhelp PUBLIC
|
||||
"-//Semmle//qhelp//EN"
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
<include src="ImproperValidationOfArrayConstruction.qhelp" /></qhelp>
|
||||
@@ -1,29 +0,0 @@
|
||||
/**
|
||||
* @name Improper validation of local user-provided size used for array construction
|
||||
* @description Using unvalidated local input as the argument to
|
||||
* a construction of an array can lead to index out of bound exceptions.
|
||||
* @kind path-problem
|
||||
* @problem.severity recommendation
|
||||
* @security-severity 8.8
|
||||
* @precision medium
|
||||
* @id java/improper-validation-of-array-construction-local
|
||||
* @tags security
|
||||
* external/cwe/cwe-129
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.internal.ArraySizing
|
||||
import semmle.code.java.security.ImproperValidationOfArrayConstructionLocalQuery
|
||||
import ImproperValidationOfArrayConstructionLocalFlow::PathGraph
|
||||
|
||||
from
|
||||
ImproperValidationOfArrayConstructionLocalFlow::PathNode source,
|
||||
ImproperValidationOfArrayConstructionLocalFlow::PathNode sink, Expr sizeExpr,
|
||||
ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess
|
||||
where
|
||||
arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sizeExpr, arrayCreation) and
|
||||
sizeExpr = sink.getNode().asExpr() and
|
||||
ImproperValidationOfArrayConstructionLocalFlow::flowPath(source, sink)
|
||||
select arrayAccess.getIndexExpr(), source, sink,
|
||||
"This accesses the $@, but the array is initialized using a $@ which may be zero.", arrayCreation,
|
||||
"array", source.getNode(), "user-provided value"
|
||||
@@ -1,5 +0,0 @@
|
||||
<!DOCTYPE qhelp PUBLIC
|
||||
"-//Semmle//qhelp//EN"
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
<include src="ImproperValidationOfArrayIndex.qhelp" /></qhelp>
|
||||
@@ -1,27 +0,0 @@
|
||||
/**
|
||||
* @name Improper validation of local user-provided array index
|
||||
* @description Using local user input as an index to an array, without
|
||||
* proper validation, can lead to index out of bound exceptions.
|
||||
* @kind path-problem
|
||||
* @problem.severity recommendation
|
||||
* @security-severity 8.8
|
||||
* @precision medium
|
||||
* @id java/improper-validation-of-array-index-local
|
||||
* @tags security
|
||||
* external/cwe/cwe-129
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.internal.ArraySizing
|
||||
import semmle.code.java.security.ImproperValidationOfArrayIndexLocalQuery
|
||||
import ImproperValidationOfArrayIndexLocalFlow::PathGraph
|
||||
|
||||
from
|
||||
ImproperValidationOfArrayIndexLocalFlow::PathNode source,
|
||||
ImproperValidationOfArrayIndexLocalFlow::PathNode sink, CheckableArrayAccess arrayAccess
|
||||
where
|
||||
arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and
|
||||
ImproperValidationOfArrayIndexLocalFlow::flowPath(source, sink)
|
||||
select arrayAccess.getIndexExpr(), source, sink,
|
||||
"This index depends on a $@ which can cause an ArrayIndexOutOfBoundsException.", source.getNode(),
|
||||
"user-provided value"
|
||||
@@ -1,5 +0,0 @@
|
||||
<!DOCTYPE qhelp PUBLIC
|
||||
"-//Semmle//qhelp//EN"
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
<include src="ExternallyControlledFormatString.qhelp" /></qhelp>
|
||||
@@ -1,25 +0,0 @@
|
||||
/**
|
||||
* @name Use of externally-controlled format string from local source
|
||||
* @description Using external input in format strings can lead to exceptions or information leaks.
|
||||
* @kind path-problem
|
||||
* @problem.severity recommendation
|
||||
* @security-severity 9.3
|
||||
* @precision medium
|
||||
* @id java/tainted-format-string-local
|
||||
* @tags security
|
||||
* external/cwe/cwe-134
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.StringFormat
|
||||
import semmle.code.java.security.ExternallyControlledFormatStringLocalQuery
|
||||
import ExternallyControlledFormatStringLocalFlow::PathGraph
|
||||
|
||||
from
|
||||
ExternallyControlledFormatStringLocalFlow::PathNode source,
|
||||
ExternallyControlledFormatStringLocalFlow::PathNode sink, StringFormat formatCall
|
||||
where
|
||||
ExternallyControlledFormatStringLocalFlow::flowPath(source, sink) and
|
||||
sink.getNode().asExpr() = formatCall.getFormatArgument()
|
||||
select formatCall.getFormatArgument(), source, sink, "Format string depends on a $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
@@ -18,18 +18,18 @@ import semmle.code.java.security.ArithmeticCommon
|
||||
import semmle.code.java.security.ArithmeticTaintedQuery
|
||||
|
||||
module Flow =
|
||||
DataFlow::MergePathGraph<RemoteUserInputOverflow::PathNode, RemoteUserInputUnderflow::PathNode,
|
||||
RemoteUserInputOverflow::PathGraph, RemoteUserInputUnderflow::PathGraph>;
|
||||
DataFlow::MergePathGraph<ArithmeticOverflow::PathNode, ArithmeticUnderflow::PathNode,
|
||||
ArithmeticOverflow::PathGraph, ArithmeticUnderflow::PathGraph>;
|
||||
|
||||
import Flow::PathGraph
|
||||
|
||||
from Flow::PathNode source, Flow::PathNode sink, ArithExpr exp, string effect
|
||||
where
|
||||
RemoteUserInputOverflow::flowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
ArithmeticOverflow::flowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
overflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "overflow"
|
||||
or
|
||||
RemoteUserInputUnderflow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
|
||||
ArithmeticUnderflow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
|
||||
underflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "underflow"
|
||||
select exp, source, sink,
|
||||
|
||||
@@ -1,5 +0,0 @@
|
||||
<!DOCTYPE qhelp PUBLIC
|
||||
"-//Semmle//qhelp//EN"
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
<include src="ArithmeticTainted.qhelp" /></qhelp>
|
||||
@@ -1,38 +0,0 @@
|
||||
/**
|
||||
* @name Local-user-controlled data in arithmetic expression
|
||||
* @description Arithmetic operations on user-controlled data that is not validated can cause
|
||||
* overflows.
|
||||
* @kind path-problem
|
||||
* @problem.severity recommendation
|
||||
* @security-severity 8.6
|
||||
* @precision medium
|
||||
* @id java/tainted-arithmetic-local
|
||||
* @tags security
|
||||
* external/cwe/cwe-190
|
||||
* external/cwe/cwe-191
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
import semmle.code.java.security.ArithmeticCommon
|
||||
import semmle.code.java.security.ArithmeticTaintedLocalQuery
|
||||
|
||||
module Flow =
|
||||
DataFlow::MergePathGraph<ArithmeticTaintedLocalOverflowFlow::PathNode,
|
||||
ArithmeticTaintedLocalUnderflowFlow::PathNode, ArithmeticTaintedLocalOverflowFlow::PathGraph,
|
||||
ArithmeticTaintedLocalUnderflowFlow::PathGraph>;
|
||||
|
||||
import Flow::PathGraph
|
||||
|
||||
from Flow::PathNode source, Flow::PathNode sink, ArithExpr exp, string effect
|
||||
where
|
||||
ArithmeticTaintedLocalOverflowFlow::flowPath(source.asPathNode1(), sink.asPathNode1()) and
|
||||
overflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "overflow"
|
||||
or
|
||||
ArithmeticTaintedLocalUnderflowFlow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
|
||||
underflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "underflow"
|
||||
select exp, source, sink,
|
||||
"This arithmetic expression depends on a $@, potentially causing an " + effect + ".",
|
||||
source.getNode(), "user-provided value"
|
||||
@@ -1,5 +0,0 @@
|
||||
<!DOCTYPE qhelp PUBLIC
|
||||
"-//Semmle//qhelp//EN"
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
<include src="UrlRedirect.qhelp" /></qhelp>
|
||||
@@ -1,21 +0,0 @@
|
||||
/**
|
||||
* @name URL redirection from local source
|
||||
* @description URL redirection based on unvalidated user-input
|
||||
* may cause redirection to malicious web sites.
|
||||
* @kind path-problem
|
||||
* @problem.severity recommendation
|
||||
* @security-severity 6.1
|
||||
* @precision medium
|
||||
* @id java/unvalidated-url-redirection-local
|
||||
* @tags security
|
||||
* external/cwe/cwe-601
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.UrlRedirectLocalQuery
|
||||
import UrlRedirectLocalFlow::PathGraph
|
||||
|
||||
from UrlRedirectLocalFlow::PathNode source, UrlRedirectLocalFlow::PathNode sink
|
||||
where UrlRedirectLocalFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Untrusted URL redirection depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
@@ -1,5 +0,0 @@
|
||||
<!DOCTYPE qhelp PUBLIC
|
||||
"-//Semmle//qhelp//EN"
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
<include src="XXE.qhelp" /></qhelp>
|
||||
@@ -1,25 +0,0 @@
|
||||
/**
|
||||
* @name Resolving XML external entity in user-controlled data from local source
|
||||
* @description Parsing user-controlled XML documents and allowing expansion of external entity
|
||||
* references may lead to disclosure of confidential data or denial of service.
|
||||
* @kind path-problem
|
||||
* @problem.severity recommendation
|
||||
* @security-severity 9.1
|
||||
* @precision medium
|
||||
* @id java/xxe-local
|
||||
* @tags security
|
||||
* external/cwe/cwe-611
|
||||
* external/cwe/cwe-776
|
||||
* external/cwe/cwe-827
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
import semmle.code.java.security.XxeLocalQuery
|
||||
import XxeLocalFlow::PathGraph
|
||||
|
||||
from XxeLocalFlow::PathNode source, XxeLocalFlow::PathNode sink
|
||||
where XxeLocalFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"XML parsing depends on a $@ without guarding against external entity expansion.",
|
||||
source.getNode(), "user-provided value"
|
||||
@@ -1,5 +0,0 @@
|
||||
<!DOCTYPE qhelp PUBLIC
|
||||
"-//Semmle//qhelp//EN"
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
<include src="NumericCastTainted.qhelp" /></qhelp>
|
||||
@@ -1,29 +0,0 @@
|
||||
/**
|
||||
* @name Local-user-controlled data in numeric cast
|
||||
* @description Casting user-controlled numeric data to a narrower type without validation
|
||||
* can cause unexpected truncation.
|
||||
* @kind path-problem
|
||||
* @problem.severity recommendation
|
||||
* @security-severity 9.0
|
||||
* @precision medium
|
||||
* @id java/tainted-numeric-cast-local
|
||||
* @tags security
|
||||
* external/cwe/cwe-197
|
||||
* external/cwe/cwe-681
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.NumericCastTaintedQuery
|
||||
import NumericCastLocalFlow::PathGraph
|
||||
|
||||
from
|
||||
NumericCastLocalFlow::PathNode source, NumericCastLocalFlow::PathNode sink,
|
||||
NumericNarrowingCastExpr exp, VarAccess tainted
|
||||
where
|
||||
exp.getExpr() = tainted and
|
||||
sink.getNode().asExpr() = tainted and
|
||||
NumericCastLocalFlow::flowPath(source, sink) and
|
||||
not exists(RightShiftOp e | e.getShiftedVariable() = tainted.getVariable())
|
||||
select exp, source, sink,
|
||||
"This cast to a narrower type depends on a $@, potentially causing truncation.", source.getNode(),
|
||||
"user-provided value"
|
||||
Reference in New Issue
Block a user