Merge branch 'main' into atorralba/promote-jndi-injection

Tony Torralba
2021-06-16 15:34:37 +02:00
committed by GitHub
1047 changed files with 28727 additions and 9038 deletions


@@ -1,120 +0,0 @@
import org.apache.commons.jexl2.*;
import java.io.StringWriter;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.function.Consumer;
public class Jexl2Injection {
private static void runJexlExpression(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
Expression e = jexl.createExpression(jexlExpr);
JexlContext jc = new MapContext();
e.evaluate(jc);
}
private static void runJexlExpressionWithJexlInfo(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
Expression e = jexl.createExpression(
jexlExpr, new DebugInfo("unknown", 0, 0));
JexlContext jc = new MapContext();
e.evaluate(jc);
}
private static void runJexlScript(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
Script script = jexl.createScript(jexlExpr);
JexlContext jc = new MapContext();
script.execute(jc);
}
private static void runJexlScriptViaCallable(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
Script script = jexl.createScript(jexlExpr);
JexlContext jc = new MapContext();
try {
script.callable(jc).call();
} catch (Exception e) {
throw new RuntimeException(e);
}
}
private static void runJexlExpressionViaGetProperty(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
jexl.getProperty(new Object(), jexlExpr);
}
private static void runJexlExpressionViaSetProperty(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
jexl.setProperty(new Object(), jexlExpr, new Object());
}
private static void runJexlExpressionViaUnifiedJEXLParseAndEvaluate(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
unifiedJEXL.parse(jexlExpr).evaluate(new MapContext());
}
private static void runJexlExpressionViaUnifiedJEXLParseAndPrepare(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
unifiedJEXL.parse(jexlExpr).prepare(new MapContext());
}
private static void runJexlExpressionViaUnifiedJEXLTemplateEvaluate(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
unifiedJEXL.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter());
}
private static void testWithSocket(Consumer<String> action) throws Exception {
try (ServerSocket serverSocket = new ServerSocket(0)) {
try (Socket socket = serverSocket.accept()) {
byte[] bytes = new byte[1024];
int n = socket.getInputStream().read(bytes);
String jexlExpr = new String(bytes, 0, n);
action.accept(jexlExpr);
}
}
}
// below are tests for the query
public static void testWithJexlExpressionEvaluate() throws Exception {
testWithSocket(Jexl2Injection::runJexlExpression);
}
public static void testWithJexlExpressionEvaluateWithInfo() throws Exception {
testWithSocket(Jexl2Injection::runJexlExpressionWithJexlInfo);
}
public static void testWithJexlScriptExecute() throws Exception {
testWithSocket(Jexl2Injection::runJexlScript);
}
public static void testWithJexlScriptCallable() throws Exception {
testWithSocket(Jexl2Injection::runJexlScriptViaCallable);
}
public static void testWithJexlEngineGetProperty() throws Exception {
testWithSocket(Jexl2Injection::runJexlExpressionViaGetProperty);
}
public static void testWithJexlEngineSetProperty() throws Exception {
testWithSocket(Jexl2Injection::runJexlExpressionViaSetProperty);
}
public static void testWithUnifiedJEXLParseAndEvaluate() throws Exception {
testWithSocket(Jexl2Injection::runJexlExpressionViaUnifiedJEXLParseAndEvaluate);
}
public static void testWithUnifiedJEXLParseAndPrepare() throws Exception {
testWithSocket(Jexl2Injection::runJexlExpressionViaUnifiedJEXLParseAndPrepare);
}
public static void testWithUnifiedJEXLTemplateEvaluate() throws Exception {
testWithSocket(Jexl2Injection::runJexlExpressionViaUnifiedJEXLTemplateEvaluate);
}
}


@@ -1,196 +0,0 @@
import java.io.StringWriter;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.function.Consumer;
import org.apache.commons.jexl3.*;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
@Controller
public class Jexl3Injection {
private static void runJexlExpression(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JexlExpression e = jexl.createExpression(jexlExpr);
JexlContext jc = new MapContext();
e.evaluate(jc);
}
private static void runJexlExpressionWithJexlInfo(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JexlExpression e = jexl.createExpression(new JexlInfo("unknown", 0, 0), jexlExpr);
JexlContext jc = new MapContext();
e.evaluate(jc);
}
private static void runJexlScript(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JexlScript script = jexl.createScript(jexlExpr);
JexlContext jc = new MapContext();
script.execute(jc);
}
private static void runJexlScriptViaCallable(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JexlScript script = jexl.createScript(jexlExpr);
JexlContext jc = new MapContext();
try {
script.callable(jc).call();
} catch (Exception e) {
throw new RuntimeException(e);
}
}
private static void runJexlExpressionViaGetProperty(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
jexl.getProperty(new Object(), jexlExpr);
}
private static void runJexlExpressionViaSetProperty(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
jexl.setProperty(new Object(), jexlExpr, new Object());
}
private static void runJexlExpressionViaJxltEngineExpressionEvaluate(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JxltEngine jxlt = jexl.createJxltEngine();
jxlt.createExpression(jexlExpr).evaluate(new MapContext());
}
private static void runJexlExpressionViaJxltEngineExpressionPrepare(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JxltEngine jxlt = jexl.createJxltEngine();
jxlt.createExpression(jexlExpr).prepare(new MapContext());
}
private static void runJexlExpressionViaJxltEngineTemplateEvaluate(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JxltEngine jxlt = jexl.createJxltEngine();
jxlt.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter());
}
private static void runJexlExpressionViaCallable(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JexlExpression e = jexl.createExpression(jexlExpr);
JexlContext jc = new MapContext();
try {
e.callable(jc).call();
} catch (Exception ex) {
throw new RuntimeException(ex);
}
}
private static void testWithSocket(Consumer<String> action) throws Exception {
try (ServerSocket serverSocket = new ServerSocket(0)) {
try (Socket socket = serverSocket.accept()) {
byte[] bytes = new byte[1024];
int n = socket.getInputStream().read(bytes);
String jexlExpr = new String(bytes, 0, n);
action.accept(jexlExpr);
}
}
}
// below are tests for the query
public static void testWithJexlExpressionEvaluate() throws Exception {
testWithSocket(Jexl3Injection::runJexlExpression);
}
public static void testWithJexlExpressionEvaluateWithInfo() throws Exception {
testWithSocket(Jexl3Injection::runJexlExpressionWithJexlInfo);
}
public static void testWithJexlScriptExecute() throws Exception {
testWithSocket(Jexl3Injection::runJexlScript);
}
public static void testWithJexlScriptCallable() throws Exception {
testWithSocket(Jexl3Injection::runJexlScriptViaCallable);
}
public static void testWithJexlEngineGetProperty() throws Exception {
testWithSocket(Jexl3Injection::runJexlExpressionViaGetProperty);
}
public static void testWithJexlEngineSetProperty() throws Exception {
testWithSocket(Jexl3Injection::runJexlExpressionViaSetProperty);
}
public static void testWithJxltEngineExpressionEvaluate() throws Exception {
testWithSocket(Jexl3Injection::runJexlExpressionViaJxltEngineExpressionEvaluate);
}
public static void testWithJxltEngineExpressionPrepare() throws Exception {
testWithSocket(Jexl3Injection::runJexlExpressionViaJxltEngineExpressionPrepare);
}
public static void testWithJxltEngineTemplateEvaluate() throws Exception {
testWithSocket(Jexl3Injection::runJexlExpressionViaJxltEngineTemplateEvaluate);
}
public static void testWithJexlExpressionCallable() throws Exception {
testWithSocket(Jexl3Injection::runJexlExpressionViaCallable);
}
@PostMapping("/request")
public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromPathVariable(
@PathVariable String expr) {
runJexlExpression(expr);
return ResponseEntity.ok(HttpStatus.OK);
}
@PostMapping("/request")
public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBody(
@RequestBody Data data) {
String expr = data.getExpr();
runJexlExpression(expr);
return ResponseEntity.ok(HttpStatus.OK);
}
@PostMapping("/request")
public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBodyWithNestedObjects(
@RequestBody CustomRequest customRequest) {
String expr = customRequest.getData().getExpr();
runJexlExpression(expr);
return ResponseEntity.ok(HttpStatus.OK);
}
public static class CustomRequest {
private Data data;
CustomRequest(Data data) {
this.data = data;
}
public Data getData() {
return data;
}
}
public static class Data {
private String expr;
Data(String expr) {
this.expr = expr;
}
public String getExpr() {
return expr;
}
}
}


@@ -1,199 +0,0 @@
edges
| Jexl2Injection.java:10:43:10:57 | jexlExpr : String | Jexl2Injection.java:14:9:14:9 | e |
| Jexl2Injection.java:17:55:17:69 | jexlExpr : String | Jexl2Injection.java:22:9:22:9 | e |
| Jexl2Injection.java:25:39:25:53 | jexlExpr : String | Jexl2Injection.java:29:9:29:14 | script |
| Jexl2Injection.java:32:50:32:64 | jexlExpr : String | Jexl2Injection.java:38:13:38:18 | script |
| Jexl2Injection.java:44:57:44:71 | jexlExpr : String | Jexl2Injection.java:46:40:46:47 | jexlExpr |
| Jexl2Injection.java:49:57:49:71 | jexlExpr : String | Jexl2Injection.java:51:40:51:47 | jexlExpr |
| Jexl2Injection.java:54:73:54:87 | jexlExpr : String | Jexl2Injection.java:57:9:57:35 | parse(...) |
| Jexl2Injection.java:60:72:60:86 | jexlExpr : String | Jexl2Injection.java:63:9:63:35 | parse(...) |
| Jexl2Injection.java:66:73:66:87 | jexlExpr : String | Jexl2Injection.java:69:9:69:44 | createTemplate(...) |
| Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:76:54:76:58 | bytes [post update] : byte[] |
| Jexl2Injection.java:76:54:76:58 | bytes [post update] : byte[] | Jexl2Injection.java:78:31:78:38 | jexlExpr : String |
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:86:24:86:56 | jexlExpr : String |
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:90:24:90:68 | jexlExpr : String |
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:94:24:94:52 | jexlExpr : String |
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:98:24:98:63 | jexlExpr : String |
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:102:24:102:70 | jexlExpr : String |
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:106:24:106:70 | jexlExpr : String |
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:110:24:110:86 | jexlExpr : String |
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:114:24:114:85 | jexlExpr : String |
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:118:24:118:86 | jexlExpr : String |
| Jexl2Injection.java:86:24:86:56 | jexlExpr : String | Jexl2Injection.java:10:43:10:57 | jexlExpr : String |
| Jexl2Injection.java:86:24:86:56 | jexlExpr : String | Jexl2Injection.java:86:24:86:56 | jexlExpr : String |
| Jexl2Injection.java:90:24:90:68 | jexlExpr : String | Jexl2Injection.java:17:55:17:69 | jexlExpr : String |
| Jexl2Injection.java:90:24:90:68 | jexlExpr : String | Jexl2Injection.java:90:24:90:68 | jexlExpr : String |
| Jexl2Injection.java:94:24:94:52 | jexlExpr : String | Jexl2Injection.java:25:39:25:53 | jexlExpr : String |
| Jexl2Injection.java:94:24:94:52 | jexlExpr : String | Jexl2Injection.java:94:24:94:52 | jexlExpr : String |
| Jexl2Injection.java:98:24:98:63 | jexlExpr : String | Jexl2Injection.java:32:50:32:64 | jexlExpr : String |
| Jexl2Injection.java:98:24:98:63 | jexlExpr : String | Jexl2Injection.java:98:24:98:63 | jexlExpr : String |
| Jexl2Injection.java:102:24:102:70 | jexlExpr : String | Jexl2Injection.java:44:57:44:71 | jexlExpr : String |
| Jexl2Injection.java:102:24:102:70 | jexlExpr : String | Jexl2Injection.java:102:24:102:70 | jexlExpr : String |
| Jexl2Injection.java:106:24:106:70 | jexlExpr : String | Jexl2Injection.java:49:57:49:71 | jexlExpr : String |
| Jexl2Injection.java:106:24:106:70 | jexlExpr : String | Jexl2Injection.java:106:24:106:70 | jexlExpr : String |
| Jexl2Injection.java:110:24:110:86 | jexlExpr : String | Jexl2Injection.java:54:73:54:87 | jexlExpr : String |
| Jexl2Injection.java:110:24:110:86 | jexlExpr : String | Jexl2Injection.java:110:24:110:86 | jexlExpr : String |
| Jexl2Injection.java:114:24:114:85 | jexlExpr : String | Jexl2Injection.java:60:72:60:86 | jexlExpr : String |
| Jexl2Injection.java:114:24:114:85 | jexlExpr : String | Jexl2Injection.java:114:24:114:85 | jexlExpr : String |
| Jexl2Injection.java:118:24:118:86 | jexlExpr : String | Jexl2Injection.java:66:73:66:87 | jexlExpr : String |
| Jexl2Injection.java:118:24:118:86 | jexlExpr : String | Jexl2Injection.java:118:24:118:86 | jexlExpr : String |
| Jexl3Injection.java:17:43:17:57 | jexlExpr : String | Jexl3Injection.java:21:9:21:9 | e |
| Jexl3Injection.java:24:55:24:69 | jexlExpr : String | Jexl3Injection.java:28:9:28:9 | e |
| Jexl3Injection.java:31:39:31:53 | jexlExpr : String | Jexl3Injection.java:35:9:35:14 | script |
| Jexl3Injection.java:38:50:38:64 | jexlExpr : String | Jexl3Injection.java:44:13:44:18 | script |
| Jexl3Injection.java:50:57:50:71 | jexlExpr : String | Jexl3Injection.java:52:40:52:47 | jexlExpr |
| Jexl3Injection.java:55:57:55:71 | jexlExpr : String | Jexl3Injection.java:57:40:57:47 | jexlExpr |
| Jexl3Injection.java:60:74:60:88 | jexlExpr : String | Jexl3Injection.java:63:9:63:39 | createExpression(...) |
| Jexl3Injection.java:66:73:66:87 | jexlExpr : String | Jexl3Injection.java:69:9:69:39 | createExpression(...) |
| Jexl3Injection.java:72:72:72:86 | jexlExpr : String | Jexl3Injection.java:75:9:75:37 | createTemplate(...) |
| Jexl3Injection.java:78:54:78:68 | jexlExpr : String | Jexl3Injection.java:84:13:84:13 | e |
| Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:94:54:94:58 | bytes [post update] : byte[] |
| Jexl3Injection.java:94:54:94:58 | bytes [post update] : byte[] | Jexl3Injection.java:96:31:96:38 | jexlExpr : String |
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:104:24:104:56 | jexlExpr : String |
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:108:24:108:68 | jexlExpr : String |
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:112:24:112:52 | jexlExpr : String |
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:116:24:116:63 | jexlExpr : String |
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:120:24:120:70 | jexlExpr : String |
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:124:24:124:70 | jexlExpr : String |
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:128:24:128:87 | jexlExpr : String |
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:132:24:132:86 | jexlExpr : String |
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:136:24:136:85 | jexlExpr : String |
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:140:24:140:67 | jexlExpr : String |
| Jexl3Injection.java:104:24:104:56 | jexlExpr : String | Jexl3Injection.java:17:43:17:57 | jexlExpr : String |
| Jexl3Injection.java:104:24:104:56 | jexlExpr : String | Jexl3Injection.java:104:24:104:56 | jexlExpr : String |
| Jexl3Injection.java:108:24:108:68 | jexlExpr : String | Jexl3Injection.java:24:55:24:69 | jexlExpr : String |
| Jexl3Injection.java:108:24:108:68 | jexlExpr : String | Jexl3Injection.java:108:24:108:68 | jexlExpr : String |
| Jexl3Injection.java:112:24:112:52 | jexlExpr : String | Jexl3Injection.java:31:39:31:53 | jexlExpr : String |
| Jexl3Injection.java:112:24:112:52 | jexlExpr : String | Jexl3Injection.java:112:24:112:52 | jexlExpr : String |
| Jexl3Injection.java:116:24:116:63 | jexlExpr : String | Jexl3Injection.java:38:50:38:64 | jexlExpr : String |
| Jexl3Injection.java:116:24:116:63 | jexlExpr : String | Jexl3Injection.java:116:24:116:63 | jexlExpr : String |
| Jexl3Injection.java:120:24:120:70 | jexlExpr : String | Jexl3Injection.java:50:57:50:71 | jexlExpr : String |
| Jexl3Injection.java:120:24:120:70 | jexlExpr : String | Jexl3Injection.java:120:24:120:70 | jexlExpr : String |
| Jexl3Injection.java:124:24:124:70 | jexlExpr : String | Jexl3Injection.java:55:57:55:71 | jexlExpr : String |
| Jexl3Injection.java:124:24:124:70 | jexlExpr : String | Jexl3Injection.java:124:24:124:70 | jexlExpr : String |
| Jexl3Injection.java:128:24:128:87 | jexlExpr : String | Jexl3Injection.java:60:74:60:88 | jexlExpr : String |
| Jexl3Injection.java:128:24:128:87 | jexlExpr : String | Jexl3Injection.java:128:24:128:87 | jexlExpr : String |
| Jexl3Injection.java:132:24:132:86 | jexlExpr : String | Jexl3Injection.java:66:73:66:87 | jexlExpr : String |
| Jexl3Injection.java:132:24:132:86 | jexlExpr : String | Jexl3Injection.java:132:24:132:86 | jexlExpr : String |
| Jexl3Injection.java:136:24:136:85 | jexlExpr : String | Jexl3Injection.java:72:72:72:86 | jexlExpr : String |
| Jexl3Injection.java:136:24:136:85 | jexlExpr : String | Jexl3Injection.java:136:24:136:85 | jexlExpr : String |
| Jexl3Injection.java:140:24:140:67 | jexlExpr : String | Jexl3Injection.java:78:54:78:68 | jexlExpr : String |
| Jexl3Injection.java:140:24:140:67 | jexlExpr : String | Jexl3Injection.java:140:24:140:67 | jexlExpr : String |
| Jexl3Injection.java:145:13:145:37 | expr : String | Jexl3Injection.java:147:27:147:30 | expr : String |
| Jexl3Injection.java:147:27:147:30 | expr : String | Jexl3Injection.java:17:43:17:57 | jexlExpr : String |
| Jexl3Injection.java:153:13:153:34 | data : Data | Jexl3Injection.java:156:27:156:30 | expr : String |
| Jexl3Injection.java:156:27:156:30 | expr : String | Jexl3Injection.java:17:43:17:57 | jexlExpr : String |
| Jexl3Injection.java:163:13:163:52 | customRequest : CustomRequest | Jexl3Injection.java:166:27:166:30 | expr : String |
| Jexl3Injection.java:166:27:166:30 | expr : String | Jexl3Injection.java:17:43:17:57 | jexlExpr : String |
nodes
| Jexl2Injection.java:10:43:10:57 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:14:9:14:9 | e | semmle.label | e |
| Jexl2Injection.java:17:55:17:69 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:22:9:22:9 | e | semmle.label | e |
| Jexl2Injection.java:25:39:25:53 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:29:9:29:14 | script | semmle.label | script |
| Jexl2Injection.java:32:50:32:64 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:38:13:38:18 | script | semmle.label | script |
| Jexl2Injection.java:44:57:44:71 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:46:40:46:47 | jexlExpr | semmle.label | jexlExpr |
| Jexl2Injection.java:49:57:49:71 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:51:40:51:47 | jexlExpr | semmle.label | jexlExpr |
| Jexl2Injection.java:54:73:54:87 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:57:9:57:35 | parse(...) | semmle.label | parse(...) |
| Jexl2Injection.java:60:72:60:86 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:63:9:63:35 | parse(...) | semmle.label | parse(...) |
| Jexl2Injection.java:66:73:66:87 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:69:9:69:44 | createTemplate(...) | semmle.label | createTemplate(...) |
| Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| Jexl2Injection.java:76:54:76:58 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:86:24:86:56 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:86:24:86:56 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:90:24:90:68 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:90:24:90:68 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:94:24:94:52 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:94:24:94:52 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:98:24:98:63 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:98:24:98:63 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:102:24:102:70 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:102:24:102:70 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:106:24:106:70 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:106:24:106:70 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:110:24:110:86 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:110:24:110:86 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:114:24:114:85 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:114:24:114:85 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:118:24:118:86 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl2Injection.java:118:24:118:86 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:17:43:17:57 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:21:9:21:9 | e | semmle.label | e |
| Jexl3Injection.java:24:55:24:69 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:28:9:28:9 | e | semmle.label | e |
| Jexl3Injection.java:31:39:31:53 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:35:9:35:14 | script | semmle.label | script |
| Jexl3Injection.java:38:50:38:64 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:44:13:44:18 | script | semmle.label | script |
| Jexl3Injection.java:50:57:50:71 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:52:40:52:47 | jexlExpr | semmle.label | jexlExpr |
| Jexl3Injection.java:55:57:55:71 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:57:40:57:47 | jexlExpr | semmle.label | jexlExpr |
| Jexl3Injection.java:60:74:60:88 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:63:9:63:39 | createExpression(...) | semmle.label | createExpression(...) |
| Jexl3Injection.java:66:73:66:87 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:69:9:69:39 | createExpression(...) | semmle.label | createExpression(...) |
| Jexl3Injection.java:72:72:72:86 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:75:9:75:37 | createTemplate(...) | semmle.label | createTemplate(...) |
| Jexl3Injection.java:78:54:78:68 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:84:13:84:13 | e | semmle.label | e |
| Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| Jexl3Injection.java:94:54:94:58 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:104:24:104:56 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:104:24:104:56 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:108:24:108:68 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:108:24:108:68 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:112:24:112:52 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:112:24:112:52 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:116:24:116:63 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:116:24:116:63 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:120:24:120:70 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:120:24:120:70 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:124:24:124:70 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:124:24:124:70 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:128:24:128:87 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:128:24:128:87 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:132:24:132:86 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:132:24:132:86 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:136:24:136:85 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:136:24:136:85 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:140:24:140:67 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:140:24:140:67 | jexlExpr : String | semmle.label | jexlExpr : String |
| Jexl3Injection.java:145:13:145:37 | expr : String | semmle.label | expr : String |
| Jexl3Injection.java:147:27:147:30 | expr : String | semmle.label | expr : String |
| Jexl3Injection.java:153:13:153:34 | data : Data | semmle.label | data : Data |
| Jexl3Injection.java:156:27:156:30 | expr : String | semmle.label | expr : String |
| Jexl3Injection.java:163:13:163:52 | customRequest : CustomRequest | semmle.label | customRequest : CustomRequest |
| Jexl3Injection.java:166:27:166:30 | expr : String | semmle.label | expr : String |
#select
| Jexl2Injection.java:14:9:14:9 | e | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:14:9:14:9 | e | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
| Jexl2Injection.java:22:9:22:9 | e | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:22:9:22:9 | e | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
| Jexl2Injection.java:29:9:29:14 | script | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:29:9:29:14 | script | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
| Jexl2Injection.java:38:13:38:18 | script | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:38:13:38:18 | script | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
| Jexl2Injection.java:46:40:46:47 | jexlExpr | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:46:40:46:47 | jexlExpr | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
| Jexl2Injection.java:51:40:51:47 | jexlExpr | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:51:40:51:47 | jexlExpr | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
| Jexl2Injection.java:57:9:57:35 | parse(...) | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:57:9:57:35 | parse(...) | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
| Jexl2Injection.java:63:9:63:35 | parse(...) | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:63:9:63:35 | parse(...) | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
| Jexl2Injection.java:69:9:69:44 | createTemplate(...) | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:69:9:69:44 | createTemplate(...) | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:21:9:21:9 | e | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:145:13:145:37 | expr : String | Jexl3Injection.java:21:9:21:9 | e | JEXL injection from $@. | Jexl3Injection.java:145:13:145:37 | expr | this user input |
| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:153:13:153:34 | data : Data | Jexl3Injection.java:21:9:21:9 | e | JEXL injection from $@. | Jexl3Injection.java:153:13:153:34 | data | this user input |
| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:163:13:163:52 | customRequest : CustomRequest | Jexl3Injection.java:21:9:21:9 | e | JEXL injection from $@. | Jexl3Injection.java:163:13:163:52 | customRequest | this user input |
| Jexl3Injection.java:28:9:28:9 | e | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:28:9:28:9 | e | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
| Jexl3Injection.java:35:9:35:14 | script | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:35:9:35:14 | script | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
| Jexl3Injection.java:44:13:44:18 | script | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:44:13:44:18 | script | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
| Jexl3Injection.java:52:40:52:47 | jexlExpr | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:52:40:52:47 | jexlExpr | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
| Jexl3Injection.java:57:40:57:47 | jexlExpr | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:57:40:57:47 | jexlExpr | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
| Jexl3Injection.java:63:9:63:39 | createExpression(...) | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:63:9:63:39 | createExpression(...) | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
| Jexl3Injection.java:69:9:69:39 | createExpression(...) | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:69:9:69:39 | createExpression(...) | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
| Jexl3Injection.java:75:9:75:37 | createTemplate(...) | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:75:9:75:37 | createTemplate(...) | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
| Jexl3Injection.java:84:13:84:13 | e | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:84:13:84:13 | e | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |


@@ -1 +0,0 @@
experimental/Security/CWE/CWE-094/JexlInjection.ql


@@ -1,47 +0,0 @@
import org.apache.commons.jexl2.*;
import org.apache.commons.jexl2.introspection.*;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.function.Consumer;
public class SandboxedJexl2 {
private static void runJexlExpressionWithSandbox(String jexlExpr) {
Sandbox sandbox = new Sandbox();
sandbox.white(SandboxedJexl2.class.getCanonicalName());
Uberspect uberspect = new SandboxUberspectImpl(null, sandbox);
JexlEngine jexl = new JexlEngine(uberspect, null, null, null);
Expression e = jexl.createExpression(jexlExpr);
JexlContext jc = new MapContext();
e.evaluate(jc);
}
private static void runJexlExpressionViaSandboxedUnifiedJexl(String jexlExpr) {
Sandbox sandbox = new Sandbox();
sandbox.white(SandboxedJexl2.class.getCanonicalName());
Uberspect uberspect = new SandboxUberspectImpl(null, sandbox);
JexlEngine jexl = new JexlEngine(uberspect, null, null, null);
UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
unifiedJEXL.parse(jexlExpr).evaluate(new MapContext());
}
private static void simpleServer(Consumer<String> action) throws Exception {
try (ServerSocket serverSocket = new ServerSocket(0)) {
try (Socket socket = serverSocket.accept()) {
byte[] bytes = new byte[1024];
int n = socket.getInputStream().read(bytes);
String jexlExpr = new String(bytes, 0, n);
action.accept(jexlExpr);
}
}
}
public static void saferJexlExpressionEvaluate() throws Exception {
simpleServer(SandboxedJexl2::runJexlExpressionWithSandbox);
}
public static void saferJexlExpressionEvaluateViaUnifiedJexl() throws Exception {
simpleServer(SandboxedJexl2::runJexlExpressionViaSandboxedUnifiedJexl);
}
}


@@ -1,76 +0,0 @@
import java.net.ServerSocket;
import java.net.Socket;
import java.security.AccessControlException;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.function.Consumer;
import org.apache.commons.jexl3.*;
import org.apache.commons.jexl3.introspection.*;
public class SandboxedJexl3 {
private static void runJexlExpressionWithSandbox(String jexlExpr) {
JexlSandbox sandbox = new JexlSandbox(false);
sandbox.white(SandboxedJexl3.class.getCanonicalName());
JexlEngine jexl = new JexlBuilder().sandbox(sandbox).create();
JexlExpression e = jexl.createExpression(jexlExpr);
JexlContext jc = new MapContext();
e.evaluate(jc);
}
private static void runJexlExpressionWithUberspectSandbox(String jexlExpr) {
JexlUberspect sandbox = new JexlUberspectSandbox();
JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();
JexlExpression e = jexl.createExpression(jexlExpr);
JexlContext jc = new MapContext();
e.evaluate(jc);
}
private static JexlBuilder STATIC_JEXL_BUILDER;
static {
JexlSandbox sandbox = new JexlSandbox(false);
sandbox.white(SandboxedJexl3.class.getCanonicalName());
STATIC_JEXL_BUILDER = new JexlBuilder().sandbox(sandbox);
}
private static void runJexlExpressionViaJxltEngineWithSandbox(String jexlExpr) {
JexlEngine jexl = STATIC_JEXL_BUILDER.create();
JxltEngine jxlt = jexl.createJxltEngine();
jxlt.createExpression(jexlExpr).evaluate(new MapContext());
}
private static class JexlUberspectSandbox implements JexlUberspect {
}
private static void withSocket(Consumer<String> action) throws Exception {
try (ServerSocket serverSocket = new ServerSocket(0)) {
try (Socket socket = serverSocket.accept()) {
byte[] bytes = new byte[1024];
int n = socket.getInputStream().read(bytes);
String jexlExpr = new String(bytes, 0, n);
action.accept(jexlExpr);
}
}
}
// below are examples of safer Jexl usage
// with JexlSandbox
public static void saferJexlExpressionInSandbox() throws Exception {
withSocket(SandboxedJexl3::runJexlExpressionWithSandbox);
}
// with a custom sandbox implemented with JexlUberspect
public static void saferJexlExpressionInUberspectSandbox() throws Exception {
withSocket(SandboxedJexl3::runJexlExpressionWithUberspectSandbox);
}
// with JexlSandbox and JxltEngine
public static void saferJxltExpressionInSandbox() throws Exception {
withSocket(SandboxedJexl3::runJexlExpressionViaJxltEngineWithSandbox);
}
}


@@ -1,2 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2:${testdir}/../../../../experimental/stubs/rhino-1.7.13
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2:${testdir}/../../../../experimental/stubs/rhino-1.7.13


@@ -1,7 +1,9 @@
edges
| ClientSuppliedIpUsedInSecurityCheck.java:16:21:16:33 | getClientIP(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:17:37:17:38 | ip |
| ClientSuppliedIpUsedInSecurityCheck.java:24:21:24:33 | getClientIP(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:25:33:25:34 | ip |
| ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:34 | split(...) : String[] |
| ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:37 | ...[...] : String |
| ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:34 | split(...) : String[] | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:37 | ...[...] : String |
| ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:37 | ...[...] : String | ClientSuppliedIpUsedInSecurityCheck.java:16:21:16:33 | getClientIP(...) : String |
| ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:37 | ...[...] : String | ClientSuppliedIpUsedInSecurityCheck.java:24:21:24:33 | getClientIP(...) : String |
nodes
@@ -10,6 +12,7 @@ nodes
| ClientSuppliedIpUsedInSecurityCheck.java:24:21:24:33 | getClientIP(...) : String | semmle.label | getClientIP(...) : String |
| ClientSuppliedIpUsedInSecurityCheck.java:25:33:25:34 | ip | semmle.label | ip |
| ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | semmle.label | getHeader(...) : String |
| ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:34 | split(...) : String[] | semmle.label | split(...) : String[] |
| ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:37 | ...[...] : String | semmle.label | ...[...] : String |
#select
| ClientSuppliedIpUsedInSecurityCheck.java:17:37:17:38 | ip | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:17:37:17:38 | ip | IP address spoofing might include code from $@. | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) | this user input |


@@ -0,0 +1,15 @@
edges
| UnsafeDeserializationRmi.java:17:68:17:95 | new UnsafeRemoteObjectImpl(...) : UnsafeRemoteObjectImpl | UnsafeDeserializationRmi.java:17:35:17:96 | exportObject(...) |
nodes
| UnsafeDeserializationRmi.java:15:33:15:60 | new UnsafeRemoteObjectImpl(...) | semmle.label | new UnsafeRemoteObjectImpl(...) |
| UnsafeDeserializationRmi.java:16:35:16:62 | new UnsafeRemoteObjectImpl(...) | semmle.label | new UnsafeRemoteObjectImpl(...) |
| UnsafeDeserializationRmi.java:17:35:17:96 | exportObject(...) | semmle.label | exportObject(...) |
| UnsafeDeserializationRmi.java:17:68:17:95 | new UnsafeRemoteObjectImpl(...) : UnsafeRemoteObjectImpl | semmle.label | new UnsafeRemoteObjectImpl(...) : UnsafeRemoteObjectImpl |
| UnsafeDeserializationRmi.java:29:31:29:58 | new UnsafeRemoteObjectImpl(...) | semmle.label | new UnsafeRemoteObjectImpl(...) |
| UnsafeDeserializationRmi.java:30:33:30:60 | new UnsafeRemoteObjectImpl(...) | semmle.label | new UnsafeRemoteObjectImpl(...) |
#select
| UnsafeDeserializationRmi.java:15:33:15:60 | new UnsafeRemoteObjectImpl(...) | UnsafeDeserializationRmi.java:15:33:15:60 | new UnsafeRemoteObjectImpl(...) | UnsafeDeserializationRmi.java:15:33:15:60 | new UnsafeRemoteObjectImpl(...) | Unsafe deserialization in a remote object. |
| UnsafeDeserializationRmi.java:16:35:16:62 | new UnsafeRemoteObjectImpl(...) | UnsafeDeserializationRmi.java:16:35:16:62 | new UnsafeRemoteObjectImpl(...) | UnsafeDeserializationRmi.java:16:35:16:62 | new UnsafeRemoteObjectImpl(...) | Unsafe deserialization in a remote object. |
| UnsafeDeserializationRmi.java:17:35:17:96 | exportObject(...) | UnsafeDeserializationRmi.java:17:68:17:95 | new UnsafeRemoteObjectImpl(...) : UnsafeRemoteObjectImpl | UnsafeDeserializationRmi.java:17:35:17:96 | exportObject(...) | Unsafe deserialization in a remote object. |
| UnsafeDeserializationRmi.java:29:31:29:58 | new UnsafeRemoteObjectImpl(...) | UnsafeDeserializationRmi.java:29:31:29:58 | new UnsafeRemoteObjectImpl(...) | UnsafeDeserializationRmi.java:29:31:29:58 | new UnsafeRemoteObjectImpl(...) | Unsafe deserialization in a remote object. |
| UnsafeDeserializationRmi.java:30:33:30:60 | new UnsafeRemoteObjectImpl(...) | UnsafeDeserializationRmi.java:30:33:30:60 | new UnsafeRemoteObjectImpl(...) | UnsafeDeserializationRmi.java:30:33:30:60 | new UnsafeRemoteObjectImpl(...) | Unsafe deserialization in a remote object. |


@@ -0,0 +1,73 @@
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.rmi.Naming;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
public class UnsafeDeserializationRmi {
// BAD (bind a remote object that has a vulnerable method)
public static void testRegistryBindWithObjectParameter() throws Exception {
Registry registry = LocateRegistry.createRegistry(1099);
registry.bind("unsafe", new UnsafeRemoteObjectImpl());
registry.rebind("unsafe", new UnsafeRemoteObjectImpl());
registry.rebind("unsafe", UnicastRemoteObject.exportObject(new UnsafeRemoteObjectImpl()));
}
// GOOD (bind a remote object that has methods that takes safe parameters)
public static void testRegistryBindWithIntParameter() throws Exception {
Registry registry = LocateRegistry.createRegistry(1099);
registry.bind("safe", new SafeRemoteObjectImpl());
registry.rebind("safe", new SafeRemoteObjectImpl());
}
// BAD (bind a remote object that has a vulnerable method)
public static void testNamingBindWithObjectParameter() throws Exception {
Naming.bind("unsafe", new UnsafeRemoteObjectImpl());
Naming.rebind("unsafe", new UnsafeRemoteObjectImpl());
}
// GOOD (bind a remote object that has methods that takes safe parameters)
public static void testNamingBindWithIntParameter() throws Exception {
Naming.bind("safe", new SafeRemoteObjectImpl());
Naming.rebind("safe", new SafeRemoteObjectImpl());
}
// GOOD (bind a remote object with a deserialization filter)
public static void testRegistryBindWithDeserializationFilter() throws Exception {
Registry registry = LocateRegistry.createRegistry(1099);
ObjectInputFilter filter = info -> {
if (info.serialClass().getCanonicalName().startsWith("com.safe.package.")) {
return ObjectInputFilter.Status.ALLOWED;
}
return ObjectInputFilter.Status.REJECTED;
};
registry.rebind("safe", UnicastRemoteObject.exportObject(new UnsafeRemoteObjectImpl(), 12345, filter));
}
}
interface UnsafeRemoteObject extends Remote {
void take(Object obj) throws RemoteException;
}
class UnsafeRemoteObjectImpl implements UnsafeRemoteObject {
public void take(Object obj) throws RemoteException {}
}
interface SafeRemoteObject extends Remote {
void take(int n) throws RemoteException;
void take(double n) throws RemoteException;
void take(String s) throws RemoteException;
void take(ObjectInputStream ois) throws RemoteException;
}
class SafeRemoteObjectImpl implements SafeRemoteObject {
public void take(int n) throws RemoteException {}
public void take(double n) throws RemoteException {}
public void take(String s) throws RemoteException {}
public void take(ObjectInputStream ois) throws RemoteException {}
public void safeMethod(Object object) {} // this method is not declared in SafeRemoteObject
}
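Review bot: The filter lambda in `testRegistryBindWithDeserializationFilter` calls `info.serialClass().getCanonicalName().startsWith(...)` with no null handling, although `ObjectInputFilter.FilterInfo.serialClass()` is documented as possibly null and `Class.getCanonicalName()` returns null for anonymous and local classes. As far as I know the stream treats a runtime exception from the filter as a rejection, so this likely fails closed, but the method is labelled GOOD and reads as a pattern to copy, so the guard should be explicit: `Class<?> cls = info.serialClass();` followed by `if (cls == null) return ObjectInputFilter.Status.UNDECIDED;`, with a null canonical name falling through to `REJECTED`. A short comment stating that the `com.safe.package.` prefix is a placeholder allow-list and that everything outside it is rejected would also document the intent of the example.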


@@ -0,0 +1 @@
experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql


@@ -1,52 +1,88 @@
edges
| InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:15:41:15:47 | ldapUrl : String |
| InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:20:49:20:59 | environment |
| InsecureLdapAuth.java:15:3:15:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:20:49:20:59 | environment |
| InsecureLdapAuth.java:15:41:15:47 | ldapUrl : String | InsecureLdapAuth.java:15:3:15:13 | environment [post update] : Hashtable |
| InsecureLdapAuth.java:17:3:17:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:20:49:20:59 | environment |
| InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:29:41:29:47 | ldapUrl : String |
| InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:34:49:34:59 | environment |
| InsecureLdapAuth.java:29:3:29:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:34:49:34:59 | environment |
| InsecureLdapAuth.java:29:41:29:47 | ldapUrl : String | InsecureLdapAuth.java:29:3:29:13 | environment [post update] : Hashtable |
| InsecureLdapAuth.java:31:3:31:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:34:49:34:59 | environment |
| InsecureLdapAuth.java:45:3:45:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:48:49:48:59 | environment |
| InsecureLdapAuth.java:53:20:53:50 | "ldap://ad.your-server.com:636" : String | InsecureLdapAuth.java:57:41:57:47 | ldapUrl : String |
| InsecureLdapAuth.java:53:20:53:50 | "ldap://ad.your-server.com:636" : String | InsecureLdapAuth.java:63:49:63:59 | environment |
| InsecureLdapAuth.java:57:3:57:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:63:49:63:59 | environment |
| InsecureLdapAuth.java:57:41:57:47 | ldapUrl : String | InsecureLdapAuth.java:57:3:57:13 | environment [post update] : Hashtable |
| InsecureLdapAuth.java:59:3:59:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:63:49:63:59 | environment |
| InsecureLdapAuth.java:62:3:62:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:63:49:63:59 | environment |
| InsecureLdapAuth.java:68:20:68:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:72:41:72:47 | ldapUrl : String |
| InsecureLdapAuth.java:68:20:68:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:77:49:77:59 | environment |
| InsecureLdapAuth.java:72:3:72:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:77:49:77:59 | environment |
| InsecureLdapAuth.java:72:41:72:47 | ldapUrl : String | InsecureLdapAuth.java:72:3:72:13 | environment [post update] : Hashtable |
| InsecureLdapAuth.java:88:3:88:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:91:49:91:59 | environment |
| InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:41:100:47 | ldapUrl : String |
| InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:105:59:105:69 | environment |
| InsecureLdapAuth.java:100:3:100:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:105:59:105:69 | environment |
| InsecureLdapAuth.java:100:41:100:47 | ldapUrl : String | InsecureLdapAuth.java:100:3:100:13 | environment [post update] : Hashtable |
| InsecureLdapAuth.java:102:3:102:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:105:59:105:69 | environment |
| InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:115:47:115:53 | ldapUrl : String |
| InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:120:49:120:59 | environment |
| InsecureLdapAuth.java:115:3:115:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:120:49:120:59 | environment |
| InsecureLdapAuth.java:115:47:115:53 | ldapUrl : String | InsecureLdapAuth.java:115:3:115:13 | environment [post update] : Hashtable |
| InsecureLdapAuth.java:117:3:117:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:120:49:120:59 | environment |
| InsecureLdapAuth.java:124:3:124:5 | env [post update] : Hashtable | InsecureLdapAuth.java:137:10:137:20 | environment [post update] : Hashtable |
| InsecureLdapAuth.java:128:3:128:5 | env [post update] : Hashtable | InsecureLdapAuth.java:141:16:141:26 | environment [post update] : Hashtable |
| InsecureLdapAuth.java:128:3:128:5 | env [post update] : Hashtable | InsecureLdapAuth.java:152:16:152:26 | environment [post update] : Hashtable |
| InsecureLdapAuth.java:135:20:135:39 | ... + ... : String | InsecureLdapAuth.java:140:41:140:47 | ldapUrl : String |
| InsecureLdapAuth.java:135:20:135:39 | ... + ... : String | InsecureLdapAuth.java:142:50:142:60 | environment |
| InsecureLdapAuth.java:137:10:137:20 | environment [post update] : Hashtable | InsecureLdapAuth.java:142:50:142:60 | environment |
| InsecureLdapAuth.java:140:3:140:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:142:50:142:60 | environment |
| InsecureLdapAuth.java:140:41:140:47 | ldapUrl : String | InsecureLdapAuth.java:140:3:140:13 | environment [post update] : Hashtable |
| InsecureLdapAuth.java:141:16:141:26 | environment [post update] : Hashtable | InsecureLdapAuth.java:142:50:142:60 | environment |
| InsecureLdapAuth.java:147:20:147:39 | ... + ... : String | InsecureLdapAuth.java:151:41:151:47 | ldapUrl : String |
| InsecureLdapAuth.java:147:20:147:39 | ... + ... : String | InsecureLdapAuth.java:153:50:153:60 | environment |
| InsecureLdapAuth.java:151:3:151:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:153:50:153:60 | environment |
| InsecureLdapAuth.java:151:41:151:47 | ldapUrl : String | InsecureLdapAuth.java:151:3:151:13 | environment [post update] : Hashtable |
| InsecureLdapAuth.java:152:16:152:26 | environment [post update] : Hashtable | InsecureLdapAuth.java:153:50:153:60 | environment |
nodes
| InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
| InsecureLdapAuth.java:15:3:15:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:15:41:15:47 | ldapUrl : String | semmle.label | ldapUrl : String |
| InsecureLdapAuth.java:17:3:17:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:20:49:20:59 | environment | semmle.label | environment |
| InsecureLdapAuth.java:20:49:20:59 | environment | semmle.label | environment |
| InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | semmle.label | ... + ... : String |
| InsecureLdapAuth.java:29:3:29:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:29:41:29:47 | ldapUrl : String | semmle.label | ldapUrl : String |
| InsecureLdapAuth.java:31:3:31:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:34:49:34:59 | environment | semmle.label | environment |
| InsecureLdapAuth.java:34:49:34:59 | environment | semmle.label | environment |
| InsecureLdapAuth.java:45:3:45:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:48:49:48:59 | environment | semmle.label | environment |
| InsecureLdapAuth.java:53:20:53:50 | "ldap://ad.your-server.com:636" : String | semmle.label | "ldap://ad.your-server.com:636" : String |
| InsecureLdapAuth.java:57:3:57:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:57:41:57:47 | ldapUrl : String | semmle.label | ldapUrl : String |
| InsecureLdapAuth.java:59:3:59:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:62:3:62:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:63:49:63:59 | environment | semmle.label | environment |
| InsecureLdapAuth.java:63:49:63:59 | environment | semmle.label | environment |
| InsecureLdapAuth.java:63:49:63:59 | environment | semmle.label | environment |
| InsecureLdapAuth.java:68:20:68:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
| InsecureLdapAuth.java:72:3:72:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:72:41:72:47 | ldapUrl : String | semmle.label | ldapUrl : String |
| InsecureLdapAuth.java:77:49:77:59 | environment | semmle.label | environment |
| InsecureLdapAuth.java:88:3:88:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:91:49:91:59 | environment | semmle.label | environment |
| InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
| InsecureLdapAuth.java:100:3:100:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:100:41:100:47 | ldapUrl : String | semmle.label | ldapUrl : String |
| InsecureLdapAuth.java:102:3:102:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:105:59:105:69 | environment | semmle.label | environment |
| InsecureLdapAuth.java:105:59:105:69 | environment | semmle.label | environment |
| InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
| InsecureLdapAuth.java:115:3:115:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:115:47:115:53 | ldapUrl : String | semmle.label | ldapUrl : String |
| InsecureLdapAuth.java:117:3:117:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:120:49:120:59 | environment | semmle.label | environment |
| InsecureLdapAuth.java:120:49:120:59 | environment | semmle.label | environment |
@@ -54,11 +90,15 @@ nodes
| InsecureLdapAuth.java:128:3:128:5 | env [post update] : Hashtable | semmle.label | env [post update] : Hashtable |
| InsecureLdapAuth.java:135:20:135:39 | ... + ... : String | semmle.label | ... + ... : String |
| InsecureLdapAuth.java:137:10:137:20 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:140:3:140:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:140:41:140:47 | ldapUrl : String | semmle.label | ldapUrl : String |
| InsecureLdapAuth.java:141:16:141:26 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:142:50:142:60 | environment | semmle.label | environment |
| InsecureLdapAuth.java:142:50:142:60 | environment | semmle.label | environment |
| InsecureLdapAuth.java:142:50:142:60 | environment | semmle.label | environment |
| InsecureLdapAuth.java:147:20:147:39 | ... + ... : String | semmle.label | ... + ... : String |
| InsecureLdapAuth.java:151:3:151:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:151:41:151:47 | ldapUrl : String | semmle.label | ldapUrl : String |
| InsecureLdapAuth.java:152:16:152:26 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
| InsecureLdapAuth.java:153:50:153:60 | environment | semmle.label | environment |
| InsecureLdapAuth.java:153:50:153:60 | environment | semmle.label | environment |


@@ -1,7 +1,9 @@
edges
| SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object |
| SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:14:30:14:32 | map : Map |
| SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | SensitiveGetQuery2.java:15:29:15:36 | password |
| SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | SensitiveGetQuery2.java:15:29:15:36 | password : Object |
| SensitiveGetQuery2.java:14:30:14:32 | map : Map | SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object |
| SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object | SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object |
| SensitiveGetQuery2.java:15:29:15:36 | password : Object | SensitiveGetQuery2.java:18:40:18:54 | password : Object |
| SensitiveGetQuery2.java:18:40:18:54 | password : Object | SensitiveGetQuery2.java:19:61:19:68 | password |
| SensitiveGetQuery3.java:12:21:12:60 | getRequestParameter(...) : String | SensitiveGetQuery3.java:13:57:13:64 | password |
@@ -15,6 +17,8 @@ edges
nodes
| SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | semmle.label | getParameterMap(...) : Map |
| SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | semmle.label | (...)... : Object |
| SensitiveGetQuery2.java:14:30:14:32 | map : Map | semmle.label | map : Map |
| SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object | semmle.label | get(...) : Object |
| SensitiveGetQuery2.java:15:29:15:36 | password | semmle.label | password |
| SensitiveGetQuery2.java:15:29:15:36 | password : Object | semmle.label | password : Object |
| SensitiveGetQuery2.java:18:40:18:54 | password : Object | semmle.label | password : Object |


@@ -0,0 +1,67 @@
edges
| RegexInjection.java:13:22:13:52 | getParameter(...) : String | RegexInjection.java:16:26:16:47 | ... + ... |
| RegexInjection.java:20:22:20:52 | getParameter(...) : String | RegexInjection.java:23:24:23:30 | pattern |
| RegexInjection.java:27:22:27:52 | getParameter(...) : String | RegexInjection.java:30:31:30:37 | pattern |
| RegexInjection.java:34:22:34:52 | getParameter(...) : String | RegexInjection.java:37:29:37:35 | pattern |
| RegexInjection.java:41:22:41:52 | getParameter(...) : String | RegexInjection.java:44:34:44:40 | pattern |
| RegexInjection.java:51:22:51:52 | getParameter(...) : String | RegexInjection.java:54:28:54:34 | pattern |
| RegexInjection.java:58:22:58:52 | getParameter(...) : String | RegexInjection.java:61:28:61:34 | pattern |
| RegexInjection.java:65:22:65:52 | getParameter(...) : String | RegexInjection.java:68:36:68:42 | pattern : String |
| RegexInjection.java:68:32:68:43 | foo(...) : String | RegexInjection.java:68:26:68:52 | ... + ... |
| RegexInjection.java:68:36:68:42 | pattern : String | RegexInjection.java:68:32:68:43 | foo(...) : String |
| RegexInjection.java:84:22:84:52 | getParameter(...) : String | RegexInjection.java:90:26:90:47 | ... + ... |
| RegexInjection.java:100:22:100:52 | getParameter(...) : String | RegexInjection.java:103:40:103:46 | pattern |
| RegexInjection.java:107:22:107:52 | getParameter(...) : String | RegexInjection.java:110:42:110:48 | pattern |
| RegexInjection.java:114:22:114:52 | getParameter(...) : String | RegexInjection.java:117:44:117:50 | pattern |
| RegexInjection.java:121:22:121:52 | getParameter(...) : String | RegexInjection.java:124:41:124:47 | pattern |
| RegexInjection.java:128:22:128:52 | getParameter(...) : String | RegexInjection.java:131:43:131:49 | pattern |
| RegexInjection.java:143:22:143:52 | getParameter(...) : String | RegexInjection.java:146:45:146:51 | pattern |
nodes
| RegexInjection.java:13:22:13:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:16:26:16:47 | ... + ... | semmle.label | ... + ... |
| RegexInjection.java:20:22:20:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:23:24:23:30 | pattern | semmle.label | pattern |
| RegexInjection.java:27:22:27:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:30:31:30:37 | pattern | semmle.label | pattern |
| RegexInjection.java:34:22:34:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:37:29:37:35 | pattern | semmle.label | pattern |
| RegexInjection.java:41:22:41:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:44:34:44:40 | pattern | semmle.label | pattern |
| RegexInjection.java:51:22:51:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:54:28:54:34 | pattern | semmle.label | pattern |
| RegexInjection.java:58:22:58:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:61:28:61:34 | pattern | semmle.label | pattern |
| RegexInjection.java:65:22:65:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:68:26:68:52 | ... + ... | semmle.label | ... + ... |
| RegexInjection.java:68:32:68:43 | foo(...) : String | semmle.label | foo(...) : String |
| RegexInjection.java:68:36:68:42 | pattern : String | semmle.label | pattern : String |
| RegexInjection.java:84:22:84:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:90:26:90:47 | ... + ... | semmle.label | ... + ... |
| RegexInjection.java:100:22:100:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:103:40:103:46 | pattern | semmle.label | pattern |
| RegexInjection.java:107:22:107:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:110:42:110:48 | pattern | semmle.label | pattern |
| RegexInjection.java:114:22:114:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:117:44:117:50 | pattern | semmle.label | pattern |
| RegexInjection.java:121:22:121:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:124:41:124:47 | pattern | semmle.label | pattern |
| RegexInjection.java:128:22:128:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:131:43:131:49 | pattern | semmle.label | pattern |
| RegexInjection.java:143:22:143:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:146:45:146:51 | pattern | semmle.label | pattern |
#select
| RegexInjection.java:16:26:16:47 | ... + ... | RegexInjection.java:13:22:13:52 | getParameter(...) : String | RegexInjection.java:16:26:16:47 | ... + ... | $@ is user controlled. | RegexInjection.java:13:22:13:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:23:24:23:30 | pattern | RegexInjection.java:20:22:20:52 | getParameter(...) : String | RegexInjection.java:23:24:23:30 | pattern | $@ is user controlled. | RegexInjection.java:20:22:20:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:30:31:30:37 | pattern | RegexInjection.java:27:22:27:52 | getParameter(...) : String | RegexInjection.java:30:31:30:37 | pattern | $@ is user controlled. | RegexInjection.java:27:22:27:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:37:29:37:35 | pattern | RegexInjection.java:34:22:34:52 | getParameter(...) : String | RegexInjection.java:37:29:37:35 | pattern | $@ is user controlled. | RegexInjection.java:34:22:34:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:44:34:44:40 | pattern | RegexInjection.java:41:22:41:52 | getParameter(...) : String | RegexInjection.java:44:34:44:40 | pattern | $@ is user controlled. | RegexInjection.java:41:22:41:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:54:28:54:34 | pattern | RegexInjection.java:51:22:51:52 | getParameter(...) : String | RegexInjection.java:54:28:54:34 | pattern | $@ is user controlled. | RegexInjection.java:51:22:51:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:61:28:61:34 | pattern | RegexInjection.java:58:22:58:52 | getParameter(...) : String | RegexInjection.java:61:28:61:34 | pattern | $@ is user controlled. | RegexInjection.java:58:22:58:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:68:26:68:52 | ... + ... | RegexInjection.java:65:22:65:52 | getParameter(...) : String | RegexInjection.java:68:26:68:52 | ... + ... | $@ is user controlled. | RegexInjection.java:65:22:65:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:90:26:90:47 | ... + ... | RegexInjection.java:84:22:84:52 | getParameter(...) : String | RegexInjection.java:90:26:90:47 | ... + ... | $@ is user controlled. | RegexInjection.java:84:22:84:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:103:40:103:46 | pattern | RegexInjection.java:100:22:100:52 | getParameter(...) : String | RegexInjection.java:103:40:103:46 | pattern | $@ is user controlled. | RegexInjection.java:100:22:100:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:110:42:110:48 | pattern | RegexInjection.java:107:22:107:52 | getParameter(...) : String | RegexInjection.java:110:42:110:48 | pattern | $@ is user controlled. | RegexInjection.java:107:22:107:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:117:44:117:50 | pattern | RegexInjection.java:114:22:114:52 | getParameter(...) : String | RegexInjection.java:117:44:117:50 | pattern | $@ is user controlled. | RegexInjection.java:114:22:114:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:124:41:124:47 | pattern | RegexInjection.java:121:22:121:52 | getParameter(...) : String | RegexInjection.java:124:41:124:47 | pattern | $@ is user controlled. | RegexInjection.java:121:22:121:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:131:43:131:49 | pattern | RegexInjection.java:128:22:128:52 | getParameter(...) : String | RegexInjection.java:131:43:131:49 | pattern | $@ is user controlled. | RegexInjection.java:128:22:128:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:146:45:146:51 | pattern | RegexInjection.java:143:22:143:52 | getParameter(...) : String | RegexInjection.java:146:45:146:51 | pattern | $@ is user controlled. | RegexInjection.java:143:22:143:52 | getParameter(...) | This regular expression pattern |


@@ -0,0 +1,148 @@
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.ServletException;
import org.apache.commons.lang3.RegExUtils;
public class RegexInjection extends HttpServlet {
public boolean string1(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
return input.matches("^" + pattern + "=.*$"); // BAD
}
public boolean string2(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
return input.split(pattern).length > 0; // BAD
}
public boolean string3(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
return input.replaceFirst(pattern, "").length() > 0; // BAD
}
public boolean string4(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
return input.replaceAll(pattern, "").length() > 0; // BAD
}
public boolean pattern1(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
Pattern pt = Pattern.compile(pattern);
Matcher matcher = pt.matcher(input);
return matcher.find(); // BAD
}
public boolean pattern2(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
return Pattern.compile(pattern).matcher(input).matches(); // BAD
}
public boolean pattern3(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
return Pattern.matches(pattern, input); // BAD
}
public boolean pattern4(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
return input.matches("^" + foo(pattern) + "=.*$"); // BAD
}
String foo(String str) {
return str;
}
public boolean pattern5(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
// GOOD: User input is sanitized before constructing the regex
return input.matches("^" + escapeSpecialRegexChars(pattern) + "=.*$");
}
public boolean pattern6(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
escapeSpecialRegexChars(pattern);
// BAD: the pattern is not really sanitized
return input.matches("^" + pattern + "=.*$");
}
Pattern SPECIAL_REGEX_CHARS = Pattern.compile("[{}()\\[\\]><-=!.+*?^$\\\\|]");
String escapeSpecialRegexChars(String str) {
return SPECIAL_REGEX_CHARS.matcher(str).replaceAll("\\\\$0");
}
public boolean apache1(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
return RegExUtils.removeAll(input, pattern).length() > 0; // BAD
}
public boolean apache2(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
return RegExUtils.removeFirst(input, pattern).length() > 0; // BAD
}
public boolean apache3(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
return RegExUtils.removePattern(input, pattern).length() > 0; // BAD
}
public boolean apache4(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
return RegExUtils.replaceAll(input, pattern, "").length() > 0; // BAD
}
public boolean apache5(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
return RegExUtils.replaceFirst(input, pattern, "").length() > 0; // BAD
}
public boolean apache6(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
Pattern pt = (Pattern)(Object) pattern;
return RegExUtils.replaceFirst(input, pt, "").length() > 0; // GOOD, Pattern compile is the sink instead
}
public boolean apache7(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
return RegExUtils.replacePattern(input, pattern, "").length() > 0; // BAD
}
}
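Review bot: In `SPECIAL_REGEX_CHARS` the character class contains `<-=`, which Java reads as a range from `<` to `=`, so the class matches `<` and `=` but never a literal `-`. Because `[` and `]` are escaped, a stray hyphen cannot form a range in the final pattern and the GOOD case in `pattern5` still holds, but the fixture reads as a model sanitizer and should say what it means: `Pattern SPECIAL_REGEX_CHARS = Pattern.compile("[{}()\\[\\]><=!.+*?^$\\\\|-]");`. If the query recognises the sanitizer by this exact regex string (not visible from this section), keep the string and add a comment explaining the range instead. A further GOOD case using `Pattern.quote(pattern)` would be worth adding, since that is the standard-library way to neutralise user input before it is placed in a regex.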


@@ -0,0 +1 @@
experimental/Security/CWE/CWE-730/RegexInjection.ql


@@ -0,0 +1 @@
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-lang3-3.7


@@ -3,7 +3,8 @@ edges
| SensitiveBroadcast.java:13:41:13:52 | refreshToken : String | SensitiveBroadcast.java:14:31:14:36 | intent |
| SensitiveBroadcast.java:25:32:25:39 | password : String | SensitiveBroadcast.java:26:31:26:36 | intent |
| SensitiveBroadcast.java:36:35:36:39 | email : String | SensitiveBroadcast.java:38:31:38:36 | intent |
| SensitiveBroadcast.java:50:22:50:29 | password : String | SensitiveBroadcast.java:52:31:52:36 | intent |
| SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] : ArrayList | SensitiveBroadcast.java:52:31:52:36 | intent |
| SensitiveBroadcast.java:50:22:50:29 | password : String | SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] : ArrayList |
| SensitiveBroadcast.java:97:35:97:40 | ticket : String | SensitiveBroadcast.java:98:54:98:59 | intent |
| SensitiveBroadcast.java:109:32:109:39 | passcode : String | SensitiveBroadcast.java:111:54:111:59 | intent |
| SensitiveBroadcast.java:136:33:136:38 | passwd : String | SensitiveBroadcast.java:140:54:140:59 | intent |
@@ -15,6 +16,7 @@ nodes
| SensitiveBroadcast.java:26:31:26:36 | intent | semmle.label | intent |
| SensitiveBroadcast.java:36:35:36:39 | email : String | semmle.label | email : String |
| SensitiveBroadcast.java:38:31:38:36 | intent | semmle.label | intent |
| SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] : ArrayList | semmle.label | userinfo [post update] : ArrayList |
| SensitiveBroadcast.java:50:22:50:29 | password : String | semmle.label | password : String |
| SensitiveBroadcast.java:52:31:52:36 | intent | semmle.label | intent |
| SensitiveBroadcast.java:97:35:97:40 | ticket : String | semmle.label | ticket : String |