mirror of
https://github.com/github/codeql.git
synced 2026-04-29 10:45:15 +02:00
Merge branch 'main' into java/UnsafeDeserialization
2
java/change-notes/2021-03-10-guava-base.md
Normal file
@@ -0,0 +1,2 @@
|
||||
lgtm,codescanning
|
||||
* Increased coverage of the Guava framework by modelling additional classes in the `com.google.common.base` package. This may result in more results for security queries on projects where the Guava framework is used.
|
||||
2
java/change-notes/2021-03-11-commons-strbuilder.md
Normal file
@@ -0,0 +1,2 @@
|
||||
lgtm,codescanning
|
||||
* Added support for the Apache Commons Lang and Commons Text StrBuilder class, and its successor TextStringBuilder.
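Review bot: `StrBuilder` and `TextStringBuilder` should be in backticks like the identifiers in the neighbouring change notes, and the note should say which packages are covered (the coverage csv in this commit lists `org.apache.commons.lang3` and `org.apache.commons.text`) so readers know which artifacts are modelled.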
|
||||
2
java/change-notes/2021-03-18-commons-tostring-builder.md
Normal file
@@ -0,0 +1,2 @@
|
||||
lgtm,codescanning
|
||||
* Added models for Apache Commons Lang's `ToStringBuilder` class. This may lead to more results from any data-flow query where ToStringBuilder operations fall between the relevant untrusted source and vulnerable sink.
|
||||
2
java/change-notes/2021-04-14-membertype.md
Normal file
@@ -0,0 +1,2 @@
|
||||
lgtm,codescanning
|
||||
* A CodeQL class `MemberType` is introduced to describe nested classes. Its `getQualifiedName` method returns `$`-delimited nested type names (for example, `mypackage.Outer$Middle$Inner`), where previously the same type would be named differently depending on whether it was addressed as a `NestedType` or a `Member`.
|
||||
2
java/change-notes/2021-04-26-xpath-injection-query.md
Normal file
@@ -0,0 +1,2 @@
|
||||
lgtm,codescanning
|
||||
* The query "XPath injection" (`java/xml/xpath-injection`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @SpaceWhite](https://github.com/github/codeql/pull/2800)
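Review bot: the last sentence is missing its full stop after the link; keep the three-sentence shape of the other promotion notes ("... has been promoted ... Its results will now appear by default. This query was originally ... ."), and consider naming the CWE the query maps to so the note lines up with the `cwe-sink.csv` labels added in this commit.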
|
||||
2
java/change-notes/2021-05-03-guava-first-non-null.md
Normal file
@@ -0,0 +1,2 @@
|
||||
lgtm,codescanning
|
||||
* Increase coverage of the Guava framework by adding support for `com.google.common.base.MoreObjects#firstNonNull`.
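Review bot: tense is inconsistent with the sibling notes; "Increased coverage ..." (as in the `com.google.common.base` note above) rather than "Increase coverage ...".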
|
||||
@@ -0,0 +1,2 @@
|
||||
lgtm,codescanning
|
||||
* Increase coverage of dataflow through Jackson JSON deserialized objects.
|
||||
2
java/change-notes/2021-05-04-jexl-injection-query.md
Normal file
@@ -0,0 +1,2 @@
|
||||
lgtm,codescanning
|
||||
* The query "Expression language injection (JEXL)" (`java/jexl-expression-injection`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @artem-smotrakov](https://github.com/github/codeql/pull/4965)
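Review bot: the final sentence lacks a full stop after the pull-request link, same as the XPath promotion note; please end both consistently.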
|
||||
3
java/change-notes/2021-05-05-kryo-improvements.md
Normal file
@@ -0,0 +1,3 @@
|
||||
lgtm,codescanning
|
||||
* Add support for version 5 of the Kryo serialization/deserialization framework.
|
||||
* Add support for detecting safe uses of Kryo utilizing `KryoPool.Builder`. [#4992](https://github.com/github/codeql/issues/4992)
|
||||
2
java/change-notes/2021-05-12-xxe-fp-fix.md
Normal file
@@ -0,0 +1,2 @@
|
||||
lgtm,codescanning
|
||||
* The query "Resolving XML external entity in user-controlled data" (`java/xxe`) has been improved to report fewer false positives when a Builder / Factory (e.g. an `XMLInputFactory`) is configured safely by using a boxed boolean as second argument to one or more of its configuration methods.
|
||||
@@ -0,0 +1,2 @@
|
||||
lgtm,codescanning
|
||||
* The "Potential input resource leak" (`java/input-resource-leak`) and "Potential output resource leak" (`java/output-resource-leak`) queries no longer confuse `java.io` classes such as `Reader` with others that happen to share the same base name. Additionally the number of false positives has been reduced by recognizing `CharArrayReader` and `CharArrayWriter` as types that don't need to be closed.
|
||||
@@ -0,0 +1,3 @@
|
||||
lgtm,codescanning
|
||||
* Invocations of methods from `org.springframework.security.web.savedrequest.SavedRequest`
|
||||
have been added as sources of tainted data for all security queries.
|
||||
@@ -0,0 +1,2 @@
|
||||
lgtm,codescanning
|
||||
* The query "Cross-site scripting" (`java/xss`) has been improved to report fewer false positives by removing the `javax.servlet.http.HttpServletResponse.sendError` sink since Servlet API implementations generally already escape the error message, preventing script injection.
|
||||
5
java/change-notes/2021-06-01-collection-flow.md
Normal file
@@ -0,0 +1,5 @@
|
||||
lgtm,codescanning
|
||||
* Data flow now tracks steps through collections and arrays more precisely.
|
||||
That means that collection and array read steps are now matched up with
|
||||
preceding store steps. This results in increased precision for all flow-based
|
||||
queries, in particular most of the security queries.
|
||||
2
java/change-notes/2021-06-01-statement-toString.md
Normal file
@@ -0,0 +1,2 @@
|
||||
lgtm,codescanning
|
||||
* The CodeQL predicate `toString()` has been overridden for subclasses of `Stmt` to be more descriptive.
|
||||
2
java/change-notes/2021-06-11-tainted-key-read-steps.md
Normal file
@@ -0,0 +1,2 @@
|
||||
lgtm,codescanning
|
||||
* Data flow now propagates taint from tainted Maps to read steps of their keys (e.g. `tainted.keySet()`).
|
||||
8
java/documentation/library-coverage/cwe-sink.csv
Normal file
@@ -0,0 +1,8 @@
|
||||
CWE,Sink identifier,Label
|
||||
CWE‑089,sql,SQL injection
|
||||
CWE‑022,create-file,Path injection
|
||||
CWE‑036,url-open-stream,Path traversal
|
||||
CWE‑094,bean-validation,Code injection
|
||||
CWE‑319,open-url,Cleartext transmission
|
||||
CWE‑079,xss,Cross-site scripting
|
||||
CWE‑090,ldap,LDAP injection
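Review bot: the identifiers in the `CWE` column are written with a non-ASCII (non-breaking) hyphen rather than `-`, and the same character reappears in the rst table in this commit; if that is deliberate so the ids do not wrap in the rendered table, document it next to the generator, because anyone grepping the csv for `CWE-089` or joining it against the standard `CWE-nnn` spelling will miss every row.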
|
||||
|
42
java/documentation/library-coverage/flow-model-coverage.csv
Normal file
@@ -0,0 +1,42 @@
|
||||
package,sink,source,summary,sink:bean-validation,sink:create-file,sink:header-splitting,sink:information-leak,sink:ldap,sink:open-url,sink:set-hostname-verifier,sink:url-open-stream,sink:xpath,sink:xss,source:remote,summary:taint,summary:value
|
||||
android.util,,16,,,,,,,,,,,,16,,
|
||||
android.webkit,3,2,,,,,,,,,,,3,2,,
|
||||
com.esotericsoftware.kryo.io,,,1,,,,,,,,,,,,1,
|
||||
com.esotericsoftware.kryo5.io,,,1,,,,,,,,,,,,1,
|
||||
com.fasterxml.jackson.databind,,,2,,,,,,,,,,,,2,
|
||||
com.google.common.base,,,28,,,,,,,,,,,,22,6
|
||||
com.google.common.io,6,,69,,,,,,,,6,,,,68,1
|
||||
com.unboundid.ldap.sdk,17,,,,,,,17,,,,,,,,
|
||||
java.beans,,,1,,,,,,,,,,,,1,
|
||||
java.io,3,,20,,3,,,,,,,,,,20,
|
||||
java.lang,,,1,,,,,,,,,,,,1,
|
||||
java.net,2,3,4,,,,,,2,,,,,3,4,
|
||||
java.nio,10,,2,,10,,,,,,,,,,2,
|
||||
java.util,,,13,,,,,,,,,,,,13,
|
||||
javax.naming.directory,1,,,,,,,1,,,,,,,,
|
||||
javax.net.ssl,2,,,,,,,,,2,,,,,,
|
||||
javax.servlet,4,21,2,,,3,1,,,,,,,21,2,
|
||||
javax.validation,1,1,,1,,,,,,,,,,1,,
|
||||
javax.ws.rs.core,1,,,,,1,,,,,,,,,,
|
||||
javax.xml.transform.sax,,,4,,,,,,,,,,,,4,
|
||||
javax.xml.transform.stream,,,2,,,,,,,,,,,,2,
|
||||
javax.xml.xpath,3,,,,,,,,,,,3,,,,
|
||||
org.apache.commons.codec,,,2,,,,,,,,,,,,2,
|
||||
org.apache.commons.io,,,22,,,,,,,,,,,,22,
|
||||
org.apache.commons.lang3,,,313,,,,,,,,,,,,299,14
|
||||
org.apache.commons.text,,,203,,,,,,,,,,,,203,
|
||||
org.apache.directory.ldap.client.api,1,,,,,,,1,,,,,,,,
|
||||
org.apache.hc.core5.function,,,1,,,,,,,,,,,,1,
|
||||
org.apache.hc.core5.http,1,2,39,,,,,,,,,,1,2,39,
|
||||
org.apache.hc.core5.net,,,2,,,,,,,,,,,,2,
|
||||
org.apache.hc.core5.util,,,22,,,,,,,,,,,,18,4
|
||||
org.apache.http,2,3,66,,,,,,,,,,2,3,59,7
|
||||
org.dom4j,20,,,,,,,,,,,20,,,,
|
||||
org.springframework.ldap.core,14,,,,,,,14,,,,,,,,
|
||||
org.springframework.security.web.savedrequest,,6,,,,,,,,,,,,6,,
|
||||
org.springframework.web.client,,3,,,,,,,,,,,,3,,
|
||||
org.springframework.web.context.request,,8,,,,,,,,,,,,8,,
|
||||
org.springframework.web.multipart,,12,,,,,,,,,,,,12,,
|
||||
org.xml.sax,,,1,,,,,,,,,,,,1,
|
||||
org.xmlpull.v1,,3,,,,,,,,,,,,3,,
|
||||
play.mvc,,4,,,,,,,,,,,,4,,
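Review bot: this file is clearly machine-generated (the rst beside it aggregates the same numbers) but nothing in it or its documentation says so, so the first hand edit will silently desynchronise the two; add a pointer to the generating script in the accompanying docs. The internal totals do check out as far as they can be read from the rows, e.g. `com.google.common.io` has 69 summaries split 68 taint + 1 value and `org.apache.commons.lang3` 313 = 299 + 14, and `javax.servlet` has 4 sinks = 3 header-splitting + 1 information-leak.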
|
||||
|
19
java/documentation/library-coverage/flow-model-coverage.rst
Normal file
@@ -0,0 +1,19 @@
|
||||
Java framework & library support
|
||||
================================
|
||||
|
||||
.. csv-table::
|
||||
:header-rows: 1
|
||||
:class: fullWidthTable
|
||||
:widths: auto
|
||||
|
||||
Framework / library,Package,Remote flow sources,Taint & value steps,Sinks (total),`CWE‑022` :sub:`Path injection`,`CWE‑036` :sub:`Path traversal`,`CWE‑079` :sub:`Cross-site scripting`,`CWE‑089` :sub:`SQL injection`,`CWE‑090` :sub:`LDAP injection`,`CWE‑094` :sub:`Code injection`,`CWE‑319` :sub:`Cleartext transmission`
|
||||
Android,``android.*``,18,,3,,,3,,,,
|
||||
Apache,``org.apache.*``,5,648,4,,,3,,1,,
|
||||
`Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,22,,,,,,,,
|
||||
Google,``com.google.common.*``,,97,6,,6,,,,,
|
||||
Java Standard Library,``java.*``,3,41,15,13,,,,,,2
|
||||
Java extensions,``javax.*``,22,8,12,,,,,1,1,
|
||||
`Spring <https://spring.io/>`_,``org.springframework.*``,29,,14,,,,,14,,
|
||||
Others,"``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.databind``, ``com.unboundid.ldap.sdk``, ``org.dom4j``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``",7,5,37,,,,,17,,
|
||||
Totals,,84,821,91,13,6,6,,33,1,2
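Review bot: the `Totals` row is consistent with the rows above (sources 18+5+3+22+29+7 = 84, steps 648+22+97+41+8+5 = 821, sinks 3+4+6+15+12+14+37 = 91), but only because the `Apache` row has `org.apache.commons.io` subtracted out, since that package gets its own row; a short sentence under the heading saying that a framework listed by a sub-prefix is not counted again under its parent prefix would stop readers from trying to reconcile `org.apache.*` with the per-package csv.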
|
||||
|
||||
8
java/documentation/library-coverage/frameworks.csv
Normal file
@@ -0,0 +1,8 @@
|
||||
Framework name,URL,Package prefix
|
||||
Java Standard Library,,java.*
|
||||
Google,,com.google.common.*
|
||||
Apache,,org.apache.*
|
||||
Apache Commons IO,https://commons.apache.org/proper/commons-io/,org.apache.commons.io
|
||||
Android,,android.*
|
||||
Spring,https://spring.io/,org.springframework.*
|
||||
Java extensions,,javax.*
|
||||
|
84
java/ql/src/Diagnostics/DiagnosticsReporting.qll
Normal file
@@ -0,0 +1,84 @@
|
||||
/**
|
||||
* Provides classes and predicates for reporting extractor diagnostics to end users.
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
/** Gets the SARIF severity level that indicates an error. */
|
||||
private int getErrorSeverity() { result = 2 }
|
||||
|
||||
/** Gets the SARIF severity level that indicates a warning. */
|
||||
private int getWarnSeverity() { result = 1 }
|
||||
|
||||
private predicate knownWarnings(@diagnostic d, string msg, int sev) {
|
||||
exists(string filename |
|
||||
diagnostics(d, 2, _, "Skipping Lombok-ed source file: " + filename, _, _) and
|
||||
msg = "Use of Lombok detected. Skipping file: " + filename and
|
||||
sev = getWarnSeverity()
|
||||
)
|
||||
}
|
||||
|
||||
private predicate knownErrors(@diagnostic d, string msg, int sev) {
|
||||
exists(string numErr, Location l |
|
||||
diagnostics(d, 6, _, numErr, _, l) and
|
||||
msg = "Frontend errors in file: " + l.getFile().getAbsolutePath() + " (" + numErr + ")" and
|
||||
sev = getErrorSeverity()
|
||||
)
|
||||
or
|
||||
exists(string filename, Location l |
|
||||
diagnostics(d, 7, _, "Exception compiling file " + filename, _, l) and
|
||||
msg = "Extraction incomplete in file: " + filename and
|
||||
sev = getErrorSeverity()
|
||||
)
|
||||
or
|
||||
exists(string errMsg, Location l |
|
||||
diagnostics(d, 8, _, errMsg, _, l) and
|
||||
msg = "Severe error: " + errMsg and
|
||||
sev = getErrorSeverity()
|
||||
)
|
||||
}
|
||||
|
||||
private predicate unknownErrors(@diagnostic d, string msg, int sev) {
|
||||
not knownErrors(d, _, _) and
|
||||
exists(Location l, File f, int diagSev |
|
||||
diagnostics(d, diagSev, _, _, _, l) and l.getFile() = f and diagSev > 3
|
||||
|
|
||||
exists(f.getRelativePath()) and
|
||||
msg = "Unknown errors in file: " + f.getAbsolutePath() + " (" + diagSev + ")" and
|
||||
sev = getErrorSeverity()
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if an extraction error or warning occurred that should be reported to end users,
|
||||
* with the message `msg` and SARIF severity `sev`.
|
||||
*/
|
||||
predicate reportableDiagnostics(@diagnostic d, string msg, int sev) {
|
||||
reportableWarnings(d, msg, sev) or reportableErrors(d, msg, sev)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if an extraction error occurred that should be reported to end users,
|
||||
* with the message `msg` and SARIF severity `sev`.
|
||||
*/
|
||||
predicate reportableErrors(@diagnostic d, string msg, int sev) {
|
||||
knownErrors(d, msg, sev) or unknownErrors(d, msg, sev)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if an extraction warning occurred that should be reported to end users,
|
||||
* with the message `msg` and SARIF severity `sev`.
|
||||
*/
|
||||
predicate reportableWarnings(@diagnostic d, string msg, int sev) { knownWarnings(d, msg, sev) }
|
||||
|
||||
/**
|
||||
* Holds if compilation unit `f` is a source file that has
|
||||
* no relevant extraction diagnostics associated with it.
|
||||
*/
|
||||
predicate successfullyExtracted(CompilationUnit f) {
|
||||
not exists(@diagnostic d, Location l |
|
||||
reportableDiagnostics(d, _, _) and diagnostics(d, _, _, _, _, l) and l.getFile() = f
|
||||
) and
|
||||
exists(f.getRelativePath()) and
|
||||
f.fromSource()
|
||||
}
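Review bot: the extractor diagnostic kinds are bare literals with no explanation (`2` in `knownWarnings`, `6`, `7` and `8` in `knownErrors`, and the `diagSev > 3` cut-off in `unknownErrors`), while the SARIF levels on the other side get named predicates (`getErrorSeverity()`, `getWarnSeverity()`); give the extractor kinds the same treatment, or at least one comment per branch saying which extractor event each number is. Also worth stating in the QLDoc: `unknownErrors` only matches diagnostics that carry a location in a file with a relative path, so an error without a location never reaches `ExtractionErrors.ql`, and `knownWarnings` ignores the location (`_`) yet a located Lombok warning still removes its file from `successfullyExtracted` via `reportableDiagnostics`; both are plausible but should be written down as intended.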
|
||||
13
java/ql/src/Diagnostics/ExtractionErrors.ql
Normal file
@@ -0,0 +1,13 @@
|
||||
/**
|
||||
* @name Extraction errors
|
||||
* @description A list of extraction errors for files in the source code directory.
|
||||
* @kind diagnostic
|
||||
* @id java/diagnostics/extraction-errors
|
||||
*/
|
||||
|
||||
import java
|
||||
import DiagnosticsReporting
|
||||
|
||||
from string msg, int sev
|
||||
where reportableErrors(_, msg, sev)
|
||||
select msg, sev
|
||||
13
java/ql/src/Diagnostics/ExtractionWarnings.ql
Normal file
@@ -0,0 +1,13 @@
|
||||
/**
|
||||
* @name Extraction warnings
|
||||
* @description A list of extraction warnings for files in the source code directory.
|
||||
* @kind diagnostic
|
||||
* @id java/diagnostics/extraction-warnings
|
||||
*/
|
||||
|
||||
import java
|
||||
import DiagnosticsReporting
|
||||
|
||||
from string msg, int sev
|
||||
where reportableWarnings(_, msg, sev)
|
||||
select msg, sev
|
||||
14
java/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
Normal file
@@ -0,0 +1,14 @@
|
||||
/**
|
||||
* @name Successfully extracted files
|
||||
* @description A list of all files in the source code directory that
|
||||
* were extracted without encountering an error in the file.
|
||||
* @kind diagnostic
|
||||
* @id java/diagnostics/successfully-extracted-files
|
||||
*/
|
||||
|
||||
import java
|
||||
import DiagnosticsReporting
|
||||
|
||||
from CompilationUnit f
|
||||
where successfullyExtracted(f)
|
||||
select f, ""
|
||||
@@ -7,6 +7,7 @@
|
||||
* Such operations could interfere with the EJB container's operation.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 4.9
|
||||
* @precision low
|
||||
* @id java/ejb/container-interference
|
||||
* @tags reliability
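Review bot: `@security-severity 4.9` is being added to a query whose `@tags` line reads only `reliability`; as far as I know Code Scanning only consumes `@security-severity` for queries carrying the `security` tag, so either add that tag (the `java/ejb/reflection` and `java/ejb/security-configuration-access` hunks below at least carry `external/cwe/cwe-573`) or confirm the score is intentionally inert here. The same question applies to the other EJB hunks in this commit with `@tags reliability`.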
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
* for enterprise components.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 4.9
|
||||
* @precision low
|
||||
* @id java/ejb/file-io
|
||||
* @tags reliability
|
||||
|
||||
@@ -4,6 +4,7 @@
|
||||
* Such use could compromise security and system stability.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 4.9
|
||||
* @precision low
|
||||
* @id java/ejb/native-code
|
||||
* @tags reliability
|
||||
|
||||
@@ -4,6 +4,7 @@
|
||||
* as this could compromise security.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 4.9
|
||||
* @precision low
|
||||
* @id java/ejb/reflection
|
||||
* @tags external/cwe/cwe-573
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
* This functionality is reserved for the EJB container for security reasons.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 4.9
|
||||
* @precision low
|
||||
* @id java/ejb/security-configuration-access
|
||||
* @tags external/cwe/cwe-573
|
||||
|
||||
@@ -4,6 +4,7 @@
|
||||
* the Java serialization protocol, since their use could compromise security.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 4.9
|
||||
* @precision low
|
||||
* @id java/ejb/substitution-in-serialization
|
||||
* @tags external/cwe/cwe-573
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
* compromise security or interfere with the EJB container's operation.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 4.9
|
||||
* @precision low
|
||||
* @id java/ejb/socket-or-stream-handler-factory
|
||||
* @tags reliability
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
* numeric errors such as overflows.
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 5.9
|
||||
* @precision very-high
|
||||
* @id java/implicit-cast-in-compound-assignment
|
||||
* @tags reliability
|
||||
|
||||
@@ -4,6 +4,7 @@
|
||||
* guarantee an evenly distributed sequence of random numbers.
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 5.9
|
||||
* @precision medium
|
||||
* @id java/random-used-once
|
||||
* @tags reliability
|
||||
|
||||
@@ -41,7 +41,7 @@ initialized. This results in the program outputting "hello my friend".</p>
|
||||
|
||||
<li>
|
||||
IBM developerWorks:
|
||||
<a href="http://www.ibm.com/developerworks/java/library/j-jtp0618/index.html#4">Don't start threads from within constructors</a>.
|
||||
<a href="https://web.archive.org/web/20200417101823/http://www.ibm.com/developerworks/java/library/j-jtp0618/index.html#4">Don't start threads from within constructors</a>.
|
||||
</li>
|
||||
|
||||
|
||||
|
||||
@@ -4,6 +4,7 @@
|
||||
* may cause a deadlock.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 6.9
|
||||
* @precision medium
|
||||
* @id java/unreleased-lock
|
||||
* @tags reliability
|
||||
|
||||
@@ -94,7 +94,7 @@ D. Flanagan, <em>Java Foundation Classes in a Nutshell</em>, p.28. O'Reilly, 199
|
||||
</li>
|
||||
<li>
|
||||
Java Developer's Journal:
|
||||
<a href="http://www2.sys-con.com/itsg/virtualcd/java/archives/0605/ford/index.html">Building Thread-Safe GUIs with Swing</a>.
|
||||
<a href="http://www.comscigate.com/JDJ/archives/0605/ford/index.html">Building Thread-Safe GUIs with Swing</a>.
|
||||
</li>
|
||||
<li>
|
||||
The Java Tutorials:
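Review bot: unlike the other link fixes in this commit, which replace dead URLs with `web.archive.org` snapshots, this hunk points the Java Developer's Journal article at `comscigate.com`, a third-party host with no stated relationship to the publisher; prefer an archive.org capture (of the original `sys-con.com` page, or failing that of the comscigate copy) so the reference can neither go stale nor change content.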
|
||||
|
||||
@@ -41,7 +41,7 @@ J. Bloch and N. Gafter, <em>Java Puzzlers: Traps, Pitfalls, and Corner Cases</em
|
||||
Addison-Wesley, 2005.
|
||||
</li>
|
||||
<li>
|
||||
NetBeans IDE: <a href="http://wiki.netbeans.org/Java_Hints">Java Hints</a>
|
||||
NetBeans IDE: <a href="https://web.archive.org/web/20210117160808/http://wiki.netbeans.org/Java_Hints">Java Hints</a>
|
||||
</li>
|
||||
<li>
|
||||
PMD: <a href="https://pmd.github.io/latest/pmd_rules_java_errorprone.html#stringbufferinstantiationwithchar">Rule StringBufferInstantiationWithChar</a>
|
||||
|
||||
@@ -14,7 +14,7 @@ but not closed may cause a resource leak.
|
||||
|
||||
<p>Ensure that the resource is always closed to avoid a resource leak. Note that, because of exceptions,
|
||||
it is safest to close a resource in a <code>finally</code> block. (However, this is unnecessary for
|
||||
subclasses of <code>StringReader</code> and <code>ByteArrayInputStream</code>.)
|
||||
subclasses of <code>CharArrayReader</code>, <code>StringReader</code> and <code>ByteArrayInputStream</code>.)
|
||||
</p>
|
||||
|
||||
<p>For Java 7 or later, the recommended way to close resources that implement <code>java.lang.AutoCloseable</code>
|
||||
@@ -51,7 +51,7 @@ In this case, the inner expression needs to be assigned to a local variable and
|
||||
|
||||
|
||||
<li>
|
||||
IBM developerWorks: <a href="https://www.ibm.com/developerworks/java/library/j-jtp03216/index.html">Java theory and practice: Good housekeeping practices</a>.
|
||||
IBM developerWorks: <a href="https://web.archive.org/web/20201109041839/http://www.ibm.com/developerworks/java/library/j-jtp03216/index.html">Java theory and practice: Good housekeeping practices</a>.
|
||||
</li>
|
||||
<li>
|
||||
The Java Tutorials: <a href="https://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html">The try-with-resources Statement</a>.
|
||||
|
||||
@@ -17,16 +17,16 @@ import CloseType
|
||||
|
||||
predicate readerType(RefType t) {
|
||||
exists(RefType sup | sup = t.getASupertype*() |
|
||||
sup.hasName("Reader") or
|
||||
sup.hasName("InputStream") or
|
||||
sup.hasQualifiedName("java.io", ["Reader", "InputStream"]) or
|
||||
sup.hasQualifiedName("java.util.zip", "ZipFile")
|
||||
)
|
||||
}
|
||||
|
||||
predicate safeReaderType(RefType t) {
|
||||
exists(RefType sup | sup = t.getASupertype*() |
|
||||
sup.hasName("StringReader") or
|
||||
sup.hasName("ByteArrayInputStream") or
|
||||
sup.hasQualifiedName("java.io", ["CharArrayReader", "StringReader", "ByteArrayInputStream"])
|
||||
or
|
||||
// Note: It is unclear which specific class this is supposed to match
|
||||
sup.hasName("StringInputStream")
|
||||
)
|
||||
}
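Review bot: the branch under `// Note: It is unclear which specific class this is supposed to match` still uses the unqualified `sup.hasName("StringInputStream")`, which is exactly the same-base-name confusion this hunk removes for `Reader`, `InputStream`, `StringReader` and `ByteArrayInputStream` (the change note says the query no longer confuses `java.io` classes with others sharing the base name); either qualify it with the package it is meant to match or drop it, rather than leaving one unqualified match in a predicate that otherwise uses `hasQualifiedName`.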
|
||||
|
||||
@@ -40,7 +40,7 @@ by the code that created it or by a server shutdown procedure, as appropriate.</
|
||||
|
||||
|
||||
<li>
|
||||
IBM developerWorks: <a href="https://www.ibm.com/developerworks/java/library/j-jtp03216/index.html">Java theory and practice: Good housekeeping practices</a>.
|
||||
IBM developerWorks: <a href="https://web.archive.org/web/20201109041839/http://www.ibm.com/developerworks/java/library/j-jtp03216/index.html">Java theory and practice: Good housekeeping practices</a>.
|
||||
</li>
|
||||
<li>
|
||||
The Java Tutorials: <a href="https://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html">The try-with-resources Statement</a>.
|
||||
|
||||
@@ -14,7 +14,7 @@ but not properly closed later may cause a resource leak.
|
||||
|
||||
<p>Ensure that the resource is always closed to avoid a resource leak. Note that, because of exceptions,
|
||||
it is safest to close a resource properly in a <code>finally</code> block. (However, this is unnecessary for
|
||||
subclasses of <code>StringWriter</code> and <code>ByteArrayOutputStream</code>.)</p>
|
||||
subclasses of <code>CharArrayWriter</code>, <code>StringWriter</code> and <code>ByteArrayOutputStream</code>.)</p>
|
||||
|
||||
<p>For Java 7 or later, the recommended way to close resources that implement <code>java.lang.AutoCloseable</code>
|
||||
is to declare them within a <code>try-with-resources</code> statement, so that they are closed implicitly.</p>
|
||||
@@ -50,7 +50,7 @@ In this case, the inner expression needs to be assigned to a local variable and
|
||||
|
||||
|
||||
<li>
|
||||
IBM developerWorks: <a href="https://www.ibm.com/developerworks/java/library/j-jtp03216/index.html">Java theory and practice: Good housekeeping practices</a>.
|
||||
IBM developerWorks: <a href="https://web.archive.org/web/20201109041839/http://www.ibm.com/developerworks/java/library/j-jtp03216/index.html">Java theory and practice: Good housekeeping practices</a>.
|
||||
</li>
|
||||
<li>
|
||||
The Java Tutorials: <a href="https://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html">The try-with-resources Statement</a>.
|
||||
|
||||
@@ -17,15 +17,13 @@ import CloseType
|
||||
|
||||
predicate writerType(RefType t) {
|
||||
exists(RefType sup | sup = t.getASupertype*() |
|
||||
sup.hasName("Writer") or
|
||||
sup.hasName("OutputStream")
|
||||
sup.hasQualifiedName("java.io", ["Writer", "OutputStream"])
|
||||
)
|
||||
}
|
||||
|
||||
predicate safeWriterType(RefType t) {
|
||||
exists(RefType sup | sup = t.getASupertype*() |
|
||||
sup.hasName("StringWriter") or
|
||||
sup.hasName("ByteArrayOutputStream")
|
||||
sup.hasQualifiedName("java.io", ["CharArrayWriter", "StringWriter", "ByteArrayOutputStream"])
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
@@ -51,7 +51,7 @@ so the general technique is quite widely applicable.
|
||||
|
||||
|
||||
<li>
|
||||
IBM developerWorks: <a href="http://www.ibm.com/developerworks/library/j-eaed6/">Evolutionary architecture and emergent design: Emergent design through metrics</a>.
|
||||
IBM developerWorks: <a href="https://web.archive.org/web/20190919085934/https://www.ibm.com/developerworks/library/j-eaed6/">Evolutionary architecture and emergent design: Emergent design through metrics</a>.
|
||||
</li>
|
||||
<li>
|
||||
R. Martin, <em>Agile Software Development: Principles, Patterns and Practices</em>. Pearson, 2011.
|
||||
|
||||
@@ -81,7 +81,7 @@ so the general technique is quite widely applicable.
|
||||
|
||||
|
||||
<li>
|
||||
A. Glover. <a href="http://7thgen.info/wiki/Code_Quality_For_Software_Architects">Code quality for software architects</a>. Published online, 2006.
|
||||
A. Glover. <a href="https://web.archive.org/web/20190919093358/http://7thgen.info/wiki/Code_Quality_For_Software_Architects">Code quality for software architects</a>. Published online, 2006.
|
||||
</li>
|
||||
<li>
|
||||
R. Martin. <em>Agile Software Development: Principles, Patterns and Practices</em>. Pearson, 2011.
|
||||
|
||||
14
java/ql/src/Metrics/Summaries/LinesOfCode.ql
Normal file
@@ -0,0 +1,14 @@
|
||||
/**
|
||||
* @id java/summary/lines-of-code
|
||||
* @name Total lines of code in the database
|
||||
* @description The total number of lines of code across all files. This is a useful metric of the size of a database.
|
||||
* For all files that were seen during the build, this query counts the lines of code, excluding whitespace
|
||||
* or comments.
|
||||
* @kind metric
|
||||
* @tags summary
|
||||
* lines-of-code
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
select sum(CompilationUnit f | f.fromSource() | f.getNumberOfLinesOfCode())
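Review bot: the `@description` promises a count over "all files that were seen during the build", but the `select` filters with `f.fromSource()`, so only compilation units from the source directory are summed and library or generated files are excluded; align the description with the predicate (or drop the filter if the wider number is what the summary metric is meant to show).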
|
||||
@@ -100,8 +100,7 @@ predicate potentiallyStatic(InnerClass c) {
|
||||
m = a.getEnclosingCallable() and
|
||||
m.getDeclaringType() = c
|
||||
) and
|
||||
not c instanceof AnonymousClass and
|
||||
not c instanceof LocalClass and
|
||||
c instanceof MemberType and
|
||||
forall(
|
||||
InnerClass other // If nested and non-static, ...
|
||||
|
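Review bot: replacing `not c instanceof AnonymousClass and not c instanceof LocalClass` with `c instanceof MemberType` only preserves behaviour if `MemberType` covers exactly the nested classes that are neither anonymous nor local; the `MemberType` change note in this commit says it describes nested classes, so this looks right, but a one-line comment here ("member classes only, i.e. not anonymous or local") would keep the intent visible to readers who do not know the new class.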
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
* @kind path-problem
|
||||
* @precision low
|
||||
* @problem.severity error
|
||||
* @security-severity 5.9
|
||||
* @tags security external/cwe/cwe-20
|
||||
*/
|
||||
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
* @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @security-severity 6.4
|
||||
* @precision high
|
||||
* @id java/path-injection
|
||||
* @tags security
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
* @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
|
||||
* @kind path-problem
|
||||
* @problem.severity recommendation
|
||||
* @security-severity 6.4
|
||||
* @precision medium
|
||||
* @id java/path-injection-local
|
||||
* @tags security
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
* @kind path-problem
|
||||
* @id java/zipslip
|
||||
* @problem.severity error
|
||||
* @security-severity 6.4
|
||||
* @precision high
|
||||
* @tags security
|
||||
* external/cwe/cwe-022
|
||||
@@ -17,6 +18,7 @@ import semmle.code.java.dataflow.SSA
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import DataFlow
|
||||
import PathGraph
|
||||
private import semmle.code.java.dataflow.ExternalFlow
|
||||
|
||||
/**
|
||||
* A method that returns the name of an archive entry.
|
||||
@@ -33,34 +35,6 @@ class ArchiveEntryNameMethod extends Method {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* An expression that will be treated as the destination of a write.
|
||||
*/
|
||||
class WrittenFileName extends Expr {
|
||||
WrittenFileName() {
|
||||
// Constructors that write to their first argument.
|
||||
exists(ConstructorCall ctr | this = ctr.getArgument(0) |
|
||||
exists(Class c | ctr.getConstructor() = c.getAConstructor() |
|
||||
c.hasQualifiedName("java.io", "FileOutputStream") or
|
||||
c.hasQualifiedName("java.io", "RandomAccessFile") or
|
||||
c.hasQualifiedName("java.io", "FileWriter")
|
||||
)
|
||||
)
|
||||
or
|
||||
// Methods that write to their n'th argument
|
||||
exists(MethodAccess call, int n | this = call.getArgument(n) |
|
||||
call.getMethod().getDeclaringType().hasQualifiedName("java.nio.file", "Files") and
|
||||
(
|
||||
call.getMethod().getName().regexpMatch("new.*Reader|newOutputStream|create.*") and n = 0
|
||||
or
|
||||
call.getMethod().hasName("copy") and n = 1
|
||||
or
|
||||
call.getMethod().hasName("move") and n = 1
|
||||
)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `n1` to `n2` is a dataflow step that converts between `String`,
|
||||
* `File`, and `Path`.
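Review bot: deleting `WrittenFileName` drops explicit sink positions that should be confirmed to exist in the `create-file` model replacing it: argument 0 of the `FileOutputStream`, `RandomAccessFile` and `FileWriter` constructors, argument 1 of `Files.copy` and `Files.move`, and argument 0 of `Files.newOutputStream` and `Files.create*`. The coverage csv in this commit shows 3 `create-file` sinks in `java.io` and 10 in `java.nio`, which matches the three constructors but leaves the `Files` methods to be checked. Note also that the removed regex `new.*Reader|newOutputStream|create.*` matched `newBufferedReader`, a read, so losing that match is a precision gain worth a line in a change note.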
|
||||
@@ -151,7 +125,7 @@ class ZipSlipConfiguration extends TaintTracking::Configuration {
|
||||
source.asExpr().(MethodAccess).getMethod() instanceof ArchiveEntryNameMethod
|
||||
}
|
||||
|
||||
override predicate isSink(Node sink) { sink.asExpr() instanceof WrittenFileName }
|
||||
override predicate isSink(Node sink) { sink instanceof FileCreationSink }
|
||||
|
||||
override predicate isAdditionalTaintStep(Node n1, Node n2) {
|
||||
filePathStep(n1, n2) or fileTaintStep(n1, n2)
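Review bot: `FileCreationSink` is used in `isSink` here but declared further down, after the configuration and next to the `from`/`select`; QL allows the forward reference, but keeping the class beside `ArchiveEntryNameMethod` near the top, where the other source/sink helper lives, would read better and keep a private helper out of the query tail.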
|
||||
@@ -173,6 +147,13 @@ class ZipSlipConfiguration extends TaintTracking::Configuration {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A sink that represents a file creation, such as a file write, copy or move operation.
|
||||
*/
|
||||
private class FileCreationSink extends DataFlow::Node {
|
||||
FileCreationSink() { sinkNode(this, "create-file") }
|
||||
}
|
||||
|
||||
from PathNode source, PathNode sink
|
||||
where any(ZipSlipConfiguration c).hasFlowPath(source, sink)
|
||||
select source.getNode(), source, sink,
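Review bot: the QLDoc on `FileCreationSink` should say that its members come from the external flow models (`sinkNode(this, "create-file")`, hence the `private import semmle.code.java.dataflow.ExternalFlow` added above) rather than from code in this query, and that `create-file` is the same sink kind `cwe-sink.csv` in this commit maps to `CWE-022`; that tells the next person who needs a new write sink to add a model row instead of reintroducing a hand-written class here.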
|
||||
|
||||
@@ -4,6 +4,7 @@
|
||||
* malicious changes in the PATH environment variable.
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 5.9
|
||||
* @precision medium
|
||||
* @id java/relative-path-command
|
||||
* @tags security
|
||||
|
||||
@@ -4,6 +4,7 @@
|
||||
* changes in the strings.
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @security-severity 5.9
|
||||
* @precision high
|
||||
* @id java/command-line-injection
|
||||
* @tags security
|
||||
|
||||
@@ -4,6 +4,7 @@
|
||||
* changes in the strings.
|
||||
* @kind path-problem
|
||||
* @problem.severity recommendation
|
||||
* @security-severity 5.9
|
||||
* @precision medium
|
||||
* @id java/command-line-injection-local
|
||||
* @tags security
|
||||
|
||||
@@ -4,6 +4,7 @@
* insertion of special characters in the strings.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @precision high
* @id java/concatenated-command-line
* @tags security

@@ -4,6 +4,7 @@
* allows for a cross-site scripting vulnerability.
* @kind path-problem
* @problem.severity error
* @security-severity 2.9
* @precision high
* @id java/xss
* @tags security

@@ -4,6 +4,7 @@
* allows for a cross-site scripting vulnerability.
* @kind path-problem
* @problem.severity recommendation
* @security-severity 2.9
* @precision medium
* @id java/xss-local
* @tags security

@@ -4,6 +4,7 @@
* malicious code by the user.
* @kind path-problem
* @problem.severity error
* @security-severity 6.4
* @precision high
* @id java/sql-injection
* @tags security

@@ -4,6 +4,7 @@
* malicious code by the user.
* @kind path-problem
* @problem.severity recommendation
* @security-severity 6.4
* @precision medium
* @id java/sql-injection-local
* @tags security

@@ -4,6 +4,7 @@
* characters is vulnerable to insertion of malicious code.
* @kind problem
* @problem.severity error
* @security-severity 6.4
* @precision high
* @id java/concatenated-sql-query
* @tags security

@@ -4,6 +4,7 @@
* malicious LDAP code by the user.
* @kind path-problem
* @problem.severity error
* @security-severity 5.9
* @precision high
* @id java/ldap-injection
* @tags security

@@ -3,6 +3,7 @@
* @description User-controlled data may be evaluated as a Java EL expression, leading to arbitrary code execution.
* @kind path-problem
* @problem.severity error
* @security-severity 10.0
* @precision high
* @id java/insecure-bean-validation
* @tags security
@@ -13,6 +14,7 @@ import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import DataFlow::PathGraph
private import semmle.code.java.dataflow.ExternalFlow

/**
* A message interpolator Type that perform Expression Language (EL) evaluations
@@ -50,19 +52,6 @@ class SetMessageInterpolatorCall extends MethodAccess {
predicate isSafe() { not this.getAnArgument().getType() instanceof ELMessageInterpolatorType }
}

/**
* A method named `buildConstraintViolationWithTemplate` declared on a subtype
* of `javax.validation.ConstraintValidatorContext`.
*/
class BuildConstraintViolationWithTemplateMethod extends Method {
BuildConstraintViolationWithTemplateMethod() {
this.getDeclaringType()
.getASupertype*()
.hasQualifiedName("javax.validation", "ConstraintValidatorContext") and
this.hasName("buildConstraintViolationWithTemplate")
}
}

/**
* Taint tracking BeanValidationConfiguration describing the flow of data from user input
* to the argument of a method that builds constraint error messages.
@@ -72,12 +61,15 @@ class BeanValidationConfig extends TaintTracking::Configuration {

override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

override predicate isSink(DataFlow::Node sink) {
exists(MethodAccess ma |
ma.getMethod() instanceof BuildConstraintViolationWithTemplateMethod and
sink.asExpr() = ma.getArgument(0)
)
}
override predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
}

/**
* A bean validation sink, such as method `buildConstraintViolationWithTemplate`
* declared on a subtype of `javax.validation.ConstraintValidatorContext`.
*/
private class BeanValidationSink extends DataFlow::Node {
BeanValidationSink() { sinkNode(this, "bean-validation") }
}

from BeanValidationConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink

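Review bot: the `isSink` that is removed here pinned the sink to `ma.getArgument(0)` of a `buildConstraintViolationWithTemplate` call on `javax.validation.ConstraintValidatorContext` or any subtype (via `getASupertype*()` in the deleted `BuildConstraintViolationWithTemplateMethod`). `BeanValidationSink` is now whatever the `bean-validation` sink kind says, so confirm that the model row encodes the same argument position and that subtype dispatch is still matched; otherwise this refactor changes results rather than just moving the definition.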
38
java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
Normal file
@@ -0,0 +1,38 @@
/**
* @name Expression language injection (JEXL)
* @description Evaluation of a user-controlled JEXL expression
* may lead to arbitrary code execution.
* @kind path-problem
* @problem.severity error
* @security-severity 10.0
* @precision high
* @id java/jexl-expression-injection
* @tags security
* external/cwe/cwe-094
*/

import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.JexlInjection
import DataFlow::PathGraph

/**
* A taint-tracking configuration for unsafe user input
* that is used to construct and evaluate a JEXL expression.
* It supports both JEXL 2 and 3.
*/
class JexlInjectionConfig extends TaintTracking::Configuration {
JexlInjectionConfig() { this = "JexlInjectionConfig" }

override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }

override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
any(JexlInjectionAdditionalTaintStep c).step(node1, node2)
}
}

from DataFlow::PathNode source, DataFlow::PathNode sink, JexlInjectionConfig conf
where conf.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "JEXL injection from $@.", source.getNode(), "this user input"
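Review bot: the class comment claims "It supports both JEXL 2 and 3", but nothing in this file encodes that; the version coverage is a property of `JexlEvaluationSink` and `JexlInjectionAdditionalTaintStep` in `semmle.code.java.security.JexlInjection`. Either move that sentence to the library's documentation or surface it in `@description`, which is what users actually see. Also, the other injection queries touched by this diff ship a `-local` variant with local-input sources next to the `RemoteFlowSource` one; if the JEXL sink model is precise enough, a `java/jexl-expression-injection-local` companion would be consistent with them.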
@@ -3,6 +3,7 @@
* @description Using a deprecated artifact repository may eventually give attackers access for a supply chain attack.
* @kind problem
* @problem.severity error
* @security-severity 6.5
* @precision very-high
* @id java/maven/dependency-upon-bintray
* @tags security

@@ -5,6 +5,7 @@
* an HTTP header.
* @kind problem
* @problem.severity error
* @security-severity 3.6
* @precision high
* @id java/netty-http-response-splitting
* @tags security

@@ -4,6 +4,7 @@
* makes code vulnerable to attack by header splitting.
* @kind path-problem
* @problem.severity error
* @security-severity 3.6
* @precision high
* @id java/http-response-splitting
* @tags security

@@ -4,6 +4,7 @@
* makes code vulnerable to attack by header splitting.
* @kind path-problem
* @problem.severity recommendation
* @security-severity 3.6
* @precision medium
* @id java/http-response-splitting-local
* @tags security

@@ -3,6 +3,7 @@
* @description Using unvalidated external input as the argument to a construction of an array can lead to index out of bound exceptions.
* @kind path-problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id java/improper-validation-of-array-construction
* @tags security

@@ -4,6 +4,7 @@
* a construction of an array can lead to index out of bound exceptions.
* @kind path-problem
* @problem.severity recommendation
* @security-severity 5.9
* @precision medium
* @id java/improper-validation-of-array-construction-code-specified
* @tags security

@@ -4,6 +4,7 @@
* a construction of an array can lead to index out of bound exceptions.
* @kind path-problem
* @problem.severity recommendation
* @security-severity 5.9
* @precision medium
* @id java/improper-validation-of-array-construction-local
* @tags security

@@ -3,6 +3,7 @@
* @description Using external input as an index to an array, without proper validation, can lead to index out of bound exceptions.
* @kind path-problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id java/improper-validation-of-array-index
* @tags security

@@ -4,6 +4,7 @@
* proper validation, can lead to index out of bound exceptions.
* @kind path-problem
* @problem.severity recommendation
* @security-severity 5.9
* @precision medium
* @id java/improper-validation-of-array-index-code-specified
* @tags security

@@ -4,6 +4,7 @@
* proper validation, can lead to index out of bound exceptions.
* @kind path-problem
* @problem.severity recommendation
* @security-severity 5.9
* @precision medium
* @id java/improper-validation-of-array-index-local
* @tags security

@@ -3,6 +3,7 @@
* @description Using external input in format strings can lead to exceptions or information leaks.
* @kind path-problem
* @problem.severity error
* @security-severity 6.9
* @precision high
* @id java/tainted-format-string
* @tags security

@@ -3,6 +3,7 @@
* @description Using external input in format strings can lead to exceptions or information leaks.
* @kind path-problem
* @problem.severity recommendation
* @security-severity 6.9
* @precision medium
* @id java/tainted-format-string-local
* @tags security

@@ -4,6 +4,7 @@
* overflows.
* @kind path-problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id java/tainted-arithmetic
* @tags security

@@ -4,6 +4,7 @@
* overflows.
* @kind path-problem
* @problem.severity recommendation
* @security-severity 5.9
* @precision medium
* @id java/tainted-arithmetic-local
* @tags security

@@ -4,6 +4,7 @@
* overflows.
* @kind path-problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id java/uncontrolled-arithmetic
* @tags security

@@ -4,6 +4,7 @@
* is then used in an arithmetic expression, this may result in an overflow.
* @kind path-problem
* @problem.severity recommendation
* @security-severity 5.9
* @precision medium
* @id java/extreme-value-arithmetic
* @tags security

@@ -4,6 +4,7 @@
* to behave unexpectedly.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id java/comparison-with-wider-type
* @tags reliability

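Review bot: `java/comparison-with-wider-type` receives `@security-severity 5.9`, but the only tag line visible in this hunk is `@tags reliability`; `@security-severity` is only meaningful for queries tagged `security`. Confirm that the tag lines below the hunk include `security`, or leave this query out of the metadata change.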
@@ -5,6 +5,7 @@
* that are useful to an attacker for developing a subsequent exploit.
* @kind problem
* @problem.severity error
* @security-severity 3.6
* @precision high
* @id java/stack-trace-exposure
* @tags security
@@ -15,7 +16,7 @@
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.security.XSS
import semmle.code.java.security.InformationLeak

/**
* One of the `printStackTrace()` overloads on `Throwable`.
@@ -79,19 +80,18 @@ predicate stackTraceExpr(Expr exception, MethodAccess stackTraceString) {
printStackCall.getAnArgument() = printWriter and
printStackCall.getQualifier() = exception and
stackTraceString.getQualifier() = stringWriterVar.getAnAccess() and
stackTraceString.getMethod().getName() = "toString" and
stackTraceString.getMethod().getNumberOfParameters() = 0
stackTraceString.getMethod() instanceof ToStringMethod
)
}

class StackTraceStringToXssSinkFlowConfig extends TaintTracking::Configuration {
StackTraceStringToXssSinkFlowConfig() {
this = "StackTraceExposure::StackTraceStringToXssSinkFlowConfig"
class StackTraceStringToHttpResponseSinkFlowConfig extends TaintTracking::Configuration {
StackTraceStringToHttpResponseSinkFlowConfig() {
this = "StackTraceExposure::StackTraceStringToHttpResponseSinkFlowConfig"
}

override predicate isSource(DataFlow::Node src) { stackTraceExpr(_, src.asExpr()) }

override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
override predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }
}

/**
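Review bot: `stackTraceString.getMethod() instanceof ToStringMethod` replaces the pair `getName() = "toString"` and `getNumberOfParameters() = 0`; that is only equivalent if `ToStringMethod` is defined as the zero-parameter `toString()`, so check its definition before relying on it here. Separately, the configuration is renamed to `StackTraceStringToHttpResponseSinkFlowConfig`, but its sink is now `InformationLeakSink`, which is not specific to HTTP responses; a name such as `StackTraceStringToInformationLeakSinkFlowConfig` would describe what it does.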
@@ -106,8 +106,8 @@ predicate printsStackExternally(MethodAccess call, Expr stackTrace) {
/**
* A stringified stack trace flows to an external sink.
*/
predicate stringifiedStackFlowsExternally(XssSink externalExpr, Expr stackTrace) {
exists(MethodAccess stackTraceString, StackTraceStringToXssSinkFlowConfig conf |
predicate stringifiedStackFlowsExternally(DataFlow::Node externalExpr, Expr stackTrace) {
exists(MethodAccess stackTraceString, StackTraceStringToHttpResponseSinkFlowConfig conf |
stackTraceExpr(stackTrace, stackTraceString) and
conf.hasFlow(DataFlow::exprNode(stackTraceString), externalExpr)
)
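Review bot: `stringifiedStackFlowsExternally` now takes `DataFlow::Node externalExpr` where it took `XssSink` before. Since `conf.hasFlow(...)` already restricts the result to `InformationLeakSink`, declaring the parameter as `InformationLeakSink` costs nothing and preserves the type information callers previously got from `XssSink`; the same applies to `getMessageFlowsExternally` in the next hunk.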
@@ -124,21 +124,21 @@ class GetMessageFlowSource extends MethodAccess {
}
}

class GetMessageFlowSourceToXssSinkFlowConfig extends TaintTracking::Configuration {
GetMessageFlowSourceToXssSinkFlowConfig() {
this = "StackTraceExposure::GetMessageFlowSourceToXssSinkFlowConfig"
class GetMessageFlowSourceToHttpResponseSinkFlowConfig extends TaintTracking::Configuration {
GetMessageFlowSourceToHttpResponseSinkFlowConfig() {
this = "StackTraceExposure::GetMessageFlowSourceToHttpResponseSinkFlowConfig"
}

override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof GetMessageFlowSource }

override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
override predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }
}

/**
* A call to `getMessage()` that then flows to a servlet response.
*/
predicate getMessageFlowsExternally(XssSink externalExpr, GetMessageFlowSource getMessage) {
any(GetMessageFlowSourceToXssSinkFlowConfig conf)
predicate getMessageFlowsExternally(DataFlow::Node externalExpr, GetMessageFlowSource getMessage) {
any(GetMessageFlowSourceToHttpResponseSinkFlowConfig conf)
.hasFlow(DataFlow::exprNode(getMessage), externalExpr)
}

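Review bot: the doc comment on `getMessageFlowsExternally` still says the call "flows to a servlet response", but the sink is now `InformationLeakSink`, which covers more than servlet responses. Update that comment, and the "flows to an external sink" line on `stringifiedStackFlowsExternally` in the previous hunk, to name the sink class so the prose matches the predicate.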
@@ -3,6 +3,7 @@
* @description Marking a certificate as valid for a host without checking the certificate hostname allows an attacker to perform a machine-in-the-middle attack.
* @kind path-problem
* @problem.severity error
* @security-severity 4.9
* @precision high
* @id java/unsafe-hostname-verification
* @tags security
@@ -15,6 +16,7 @@ import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.Encryption
import DataFlow::PathGraph
private import semmle.code.java.dataflow.ExternalFlow

/**
* Holds if `m` always returns `true` ignoring any exceptional flow.
@@ -49,14 +51,7 @@ class TrustAllHostnameVerifierConfiguration extends DataFlow::Configuration {
source.asExpr().(ClassInstanceExpr).getConstructedType() instanceof TrustAllHostnameVerifier
}

override predicate isSink(DataFlow::Node sink) {
exists(MethodAccess ma, Method m |
(m instanceof SetDefaultHostnameVerifierMethod or m instanceof SetHostnameVerifierMethod) and
ma.getMethod() = m
|
ma.getArgument(0) = sink.asExpr()
)
}
override predicate isSink(DataFlow::Node sink) { sink instanceof HostnameVerifierSink }

override predicate isBarrier(DataFlow::Node barrier) {
// ignore nodes that are in functions that intentionally disable hostname verification
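Review bot: the `isSink` removed here matched `getArgument(0)` of calls to either `SetDefaultHostnameVerifierMethod` or `SetHostnameVerifierMethod`. `HostnameVerifierSink` depends on the `set-hostname-verifier` model instead, so check that the model has rows for both methods; if only one of them is modelled, the query silently loses half the sinks the old predicate produced, and the existing tests may not cover both.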
@@ -84,6 +79,13 @@ class TrustAllHostnameVerifierConfiguration extends DataFlow::Configuration {
}
}

/**
* A sink that sets the `HostnameVerifier` on `HttpsURLConnection`.
*/
private class HostnameVerifierSink extends DataFlow::Node {
HostnameVerifierSink() { sinkNode(this, "set-hostname-verifier") }
}

bindingset[result]
private string getAFlagName() {
result

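Review bot: the comment "A sink that sets the `HostnameVerifier` on `HttpsURLConnection`" describes the sink more narrowly than the predicate it replaces, which covered both `SetDefaultHostnameVerifierMethod` and `SetHostnameVerifierMethod` (previous hunk). Mention both setters in the comment, or, if the `set-hostname-verifier` kind deliberately covers only the instance setter, say so explicitly so the narrowing is visible to reviewers.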
@@ -3,6 +3,7 @@
* @description Storing sensitive information in cleartext can expose it to an attacker.
* @kind problem
* @problem.severity recommendation
* @security-severity 5.9
* @precision medium
* @id java/cleartext-storage-in-class
* @tags security

@@ -3,6 +3,7 @@
* @description Storing sensitive information in cleartext can expose it to an attacker.
* @kind problem
* @problem.severity error
* @security-severity 2.9
* @precision high
* @id java/cleartext-storage-in-cookie
* @tags security

@@ -3,6 +3,7 @@
* @description Storing sensitive information in cleartext can expose it to an attacker.
* @kind problem
* @problem.severity warning
* @security-severity 6.4
* @precision medium
* @id java/cleartext-storage-in-properties
* @tags security

@@ -3,6 +3,7 @@
* @description Non-HTTPS connections can be intercepted by third parties.
* @kind path-problem
* @problem.severity recommendation
* @security-severity 5.2
* @precision medium
* @id java/non-https-url
* @tags security
@@ -13,9 +14,10 @@ import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.frameworks.Networking
import DataFlow::PathGraph
private import semmle.code.java.dataflow.ExternalFlow

class HTTPString extends StringLiteral {
HTTPString() {
class HttpString extends StringLiteral {
HttpString() {
// Avoid matching "https" here.
exists(string s | this.getRepresentedString() = s |
(
@@ -30,26 +32,12 @@ class HTTPString extends StringLiteral {
}
}

class URLOpenMethod extends Method {
URLOpenMethod() {
this.getDeclaringType().getQualifiedName() = "java.net.URL" and
(
this.getName() = "openConnection" or
this.getName() = "openStream"
)
}
}
class HttpStringToUrlOpenMethodFlowConfig extends TaintTracking::Configuration {
HttpStringToUrlOpenMethodFlowConfig() { this = "HttpsUrls::HttpStringToUrlOpenMethodFlowConfig" }

class HTTPStringToURLOpenMethodFlowConfig extends TaintTracking::Configuration {
HTTPStringToURLOpenMethodFlowConfig() { this = "HttpsUrls::HTTPStringToURLOpenMethodFlowConfig" }
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof HttpString }

override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof HTTPString }

override predicate isSink(DataFlow::Node sink) {
exists(MethodAccess m |
sink.asExpr() = m.getQualifier() and m.getMethod() instanceof URLOpenMethod
)
}
override predicate isSink(DataFlow::Node sink) { sink instanceof UrlOpenSink }

override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(UrlConstructorCall u |
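Review bot: the deleted `URLOpenMethod` matched both `openConnection` and `openStream` on `java.net.URL`, and the deleted `isSink` put the sink on the call's qualifier. `UrlOpenSink` is now defined by the `open-url` sink kind alone, so confirm the model has rows for both methods with the qualifier as the sink position; the `UrlOpenSink` doc comment in the next hunk names only `openConnection()`, which suggests `openStream` may have been overlooked. The `HTTPString`/`HTTPStringToURLOpenMethodFlowConfig` renames are confined to this `.ql` file and are fine.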
@@ -63,10 +51,17 @@ class HTTPStringToURLOpenMethodFlowConfig extends TaintTracking::Configuration {
}
}

from DataFlow::PathNode source, DataFlow::PathNode sink, MethodAccess m, HTTPString s
/**
* A sink that represents a URL opening method call, such as a call to `java.net.URL.openConnection()`.
*/
private class UrlOpenSink extends DataFlow::Node {
UrlOpenSink() { sinkNode(this, "open-url") }
}

from DataFlow::PathNode source, DataFlow::PathNode sink, MethodAccess m, HttpString s
where
source.getNode().asExpr() = s and
sink.getNode().asExpr() = m.getQualifier() and
any(HTTPStringToURLOpenMethodFlowConfig c).hasFlowPath(source, sink)
any(HttpStringToUrlOpenMethodFlowConfig c).hasFlowPath(source, sink)
select m, source, sink, "URL may have been constructed with HTTP protocol, using $@.", s,
"this source"

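Review bot: `MethodAccess m` in the `from` clause is bound only by `sink.getNode().asExpr() = m.getQualifier()`, and the old `URLOpenMethod` constraint on `m.getMethod()` is gone, so `m` is now any call whose qualifier is the sink expression. That is the same binding as before only if the `open-url` model marks the qualifier (not an argument) as the sink; add a test that exercises `openStream` as well as `openConnection` so the reported `m` is checked for both.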
@@ -3,6 +3,7 @@
* @description Non-SSL connections can be intercepted by third parties.
* @kind problem
* @problem.severity recommendation
* @security-severity 5.2
* @precision medium
* @id java/non-ssl-connection
* @tags security

@@ -4,6 +4,7 @@
* third parties.
* @kind problem
* @problem.severity recommendation
* @security-severity 5.2
* @precision medium
* @id java/non-ssl-socket-factory
* @tags security

@@ -3,6 +3,7 @@
* @description Using broken or weak cryptographic algorithms can allow an attacker to compromise security.
* @kind path-problem
* @problem.severity warning
* @security-severity 5.2
* @precision high
* @id java/weak-cryptographic-algorithm
* @tags security

@@ -3,6 +3,7 @@
* @description Using broken or weak cryptographic algorithms can allow an attacker to compromise security.
* @kind path-problem
* @problem.severity warning
* @security-severity 5.2
* @precision medium
* @id java/potentially-weak-cryptographic-algorithm
* @tags security
@@ -33,9 +34,8 @@ class InsecureAlgoLiteral extends ShortStringLiteral {
}

predicate objectToString(MethodAccess ma) {
exists(Method m |
exists(ToStringMethod m |
m = ma.getMethod() and
m.hasName("toString") and
m.getDeclaringType() instanceof TypeObject and
variableTrack(ma.getQualifier()).getType().getErasure() instanceof TypeObject
)

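Review bot: switching to `exists(ToStringMethod m | ...)` drops `m.getDeclaringType() instanceof TypeObject` together with `m.hasName("toString")`, but `ToStringMethod` only covers the name. `objectToString` therefore now also holds for calls whose static target is a `toString` override on a subtype, as long as the tracked qualifier's erased type is `Object`. If that widening is intended, record it in the change note; otherwise keep the `TypeObject` conjunct on the declaring type.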
@@ -3,9 +3,11 @@
* @description Using a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @precision high
* @id java/predictable-seed
* @tags security
* external/cwe/cwe-335
*/

import java

@@ -3,6 +3,7 @@
* @description Using a vulnerable version of JHipster to generate random numbers makes it easier for attackers to take over accounts.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @precision very-high
* @id java/jhipster-prng
* @tags security

@@ -4,6 +4,7 @@
* a Cross-Site Request Forgery (CSRF) attack.
* @kind problem
* @problem.severity error
* @security-severity 6.4
* @precision high
* @id java/spring-disabled-csrf-protection
* @tags security

@@ -4,6 +4,7 @@
* if the state may be changed between the check and use.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id java/toctou-race-condition
* @tags security

@@ -3,6 +3,7 @@
* @description Opening a socket after authenticating via a different channel may allow an attacker to connect to the port first.
* @kind problem
* @problem.severity warning
* @security-severity 10.0
* @precision medium
* @id java/socket-auth-race-condition
* @tags security

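Review bot: `java/socket-auth-race-condition` is assigned `@security-severity 10.0` while keeping `@problem.severity warning` and `@precision medium`; a maximal score on a medium-precision warning will sort above high-precision `error` queries in this same diff such as `java/sql-injection` (6.4) in severity-ordered alert views. Record the CVSS vector that justifies 10.0, or align it with the other race-condition query, `java/toctou-race-condition` (5.9).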
@@ -69,7 +69,7 @@ Or How I Learned to Start Worrying and Hate Java Object Deserialization</a>.
</li>
<li>
Alvaro Muñoz & Christian Schneider, RSAConference 2016:
<a href="https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf">Serial Killer: Silently Pwning Your Java Endpoints</a>.
<a href="https://speakerdeck.com/pwntester/serial-killer-silently-pwning-your-java-endpoints">Serial Killer: Silently Pwning Your Java Endpoints</a>.
</li>
<li>
SnakeYaml documentation on deserialization:

@@ -4,6 +4,7 @@
* execute arbitrary code.
* @kind path-problem
* @problem.severity error
* @security-severity 5.9
* @precision high
* @id java/unsafe-deserialization
* @tags security

Some files were not shown because too many files have changed in this diff.