mirror of
https://github.com/github/codeql.git
synced 2026-04-25 16:55:19 +02:00
Merge branch 'main' into java/update-mad-decls-after-triage-2023-06-08T08-51-47
This commit is contained in:
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Path creation sinks modeled in `PathCreation.qll` have been added to the models-as-data sink kind `path-injection`.
|
||||
7
java/ql/lib/change-notes/2023-06-01-new-models.md
Normal file
7
java/ql/lib/change-notes/2023-06-01-new-models.md
Normal file
@@ -0,0 +1,7 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added models for the following packages:
|
||||
|
||||
* java.lang
|
||||
* java.nio.file
|
||||
6
java/ql/lib/change-notes/2023-06-02-delete-deps.md
Normal file
6
java/ql/lib/change-notes/2023-06-02-delete-deps.md
Normal file
@@ -0,0 +1,6 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Deleted the deprecated `getRHS` predicate from the `LValue` class, use `getRhs` instead.
|
||||
* Deleted the deprecated `getCFGNode` predicate from the `SsaVariable` class, use `getCfgNode` instead.
|
||||
* Deleted many deprecated predicates and classes with uppercase `XML`, `JSON`, `URL`, `API`, etc. in their names. Use the PascalCased versions instead.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added flow through the block arguments of `kotlin.io.use` and `kotlin.with`.
|
||||
15
java/ql/lib/change-notes/2023-06-06-new-models.md
Normal file
15
java/ql/lib/change-notes/2023-06-06-new-models.md
Normal file
@@ -0,0 +1,15 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added models for the following packages:
|
||||
|
||||
* com.alibaba.druid.sql
|
||||
* com.fasterxml.jackson.databind
|
||||
* com.jcraft.jsch
|
||||
* io.netty.handler.ssl
|
||||
* okhttp3
|
||||
* org.antlr.runtime
|
||||
* org.fusesource.leveldbjni
|
||||
* org.influxdb
|
||||
* org.springframework.core.io
|
||||
* org.yaml.snakeyaml
|
||||
6
java/ql/lib/ext/com.alibaba.druid.sql.model.yml
Normal file
6
java/ql/lib/ext/com.alibaba.druid.sql.model.yml
Normal file
@@ -0,0 +1,6 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/java-all
|
||||
extensible: summaryModel
|
||||
data:
|
||||
- ["com.alibaba.druid.sql", "SQLUtils", False, "toMySqlString", "(SQLObject)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
|
||||
@@ -9,3 +9,9 @@ extensions:
|
||||
- ["com.fasterxml.jackson.databind", "ObjectMapper", True, "valueToTree", "", "", "Argument[0].MapValue", "ReturnValue", "taint", "manual"]
|
||||
- ["com.fasterxml.jackson.databind", "ObjectMapper", True, "valueToTree", "", "", "Argument[0].MapValue.Element", "ReturnValue", "taint", "manual"]
|
||||
- ["com.fasterxml.jackson.databind", "ObjectReader", False, "createParser", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
|
||||
- addsTo:
|
||||
pack: codeql/java-all
|
||||
extensible: sinkModel
|
||||
data:
|
||||
- ["com.fasterxml.jackson.databind", "ObjectMapper", True, "readValue", "(File,Class)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["com.fasterxml.jackson.databind", "ObjectMapper", True, "writeValue", "(File,Object)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
|
||||
@@ -26,7 +26,12 @@ extensions:
|
||||
- ["com.google.gson", "JsonElement", True, "getAsJsonPrimitive", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
|
||||
- ["com.google.gson", "JsonElement", True, "getAsString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
|
||||
- ["com.google.gson", "JsonElement", True, "toString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
|
||||
- ["com.google.gson", "JsonArray", True, "add", "", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
|
||||
- ["com.google.gson", "JsonArray", True, "add", "(Boolean)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"]
|
||||
- ["com.google.gson", "JsonArray", True, "add", "(Character)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"]
|
||||
- ["com.google.gson", "JsonArray", True, "add", "(JsonElement)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
|
||||
- ["com.google.gson", "JsonArray", True, "add", "(Number)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"]
|
||||
- ["com.google.gson", "JsonArray", True, "add", "(String)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"]
|
||||
- ["com.google.gson", "JsonArray", True, "addAll", "(JsonArray)", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]
|
||||
- ["com.google.gson", "JsonArray", True, "asList", "", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
|
||||
- ["com.google.gson", "JsonArray", True, "get", "", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
|
||||
- ["com.google.gson", "JsonArray", True, "set", "", "", "Argument[1]", "Argument[this].Element", "value", "manual"]
|
||||
|
||||
11
java/ql/lib/ext/com.jcraft.jsch.model.yml
Normal file
11
java/ql/lib/ext/com.jcraft.jsch.model.yml
Normal file
@@ -0,0 +1,11 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/java-all
|
||||
extensible: sinkModel
|
||||
data:
|
||||
- ["com.jcraft.jsch", "JSch", True, "getSession", "(String,String,int)", "", "Argument[1]", "request-forgery", "ai-manual"]
|
||||
- addsTo:
|
||||
pack: codeql/java-all
|
||||
extensible: summaryModel
|
||||
data:
|
||||
- ["com.jcraft.jsch", "ChannelSftp", True, "realpath", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
|
||||
@@ -5,3 +5,5 @@ extensions:
|
||||
data:
|
||||
- ["io.netty.handler.ssl", "OpenSslServerContext", False, "OpenSslServerContext", "(File,File)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["io.netty.handler.ssl", "SslContextBuilder", False, "forServer", "(File,File)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["io.netty.handler.ssl", "SslContextBuilder", False, "trustManager", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["io.netty.handler.ssl", "SslContextBuilder", False, "trustManager", "(InputStream)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
|
||||
@@ -3,6 +3,10 @@ extensions:
|
||||
pack: codeql/java-all
|
||||
extensible: sinkModel
|
||||
data:
|
||||
- ["java.io", "File", False, "File", "(File,String)", "", "Argument[1]", "path-injection", "manual"] # old PathCreation
|
||||
- ["java.io", "File", False, "File", "(String)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
|
||||
- ["java.io", "File", False, "File", "(String,String)", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation
|
||||
- ["java.io", "File", False, "File", "(URI)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
|
||||
- ["java.io", "File", True, "createNewFile", "()", "", "Argument[undefined]", "path-injection", "ai-manual"]
|
||||
- ["java.io", "File", True, "createTempFile", "(String,String,File)", "", "Argument[2]", "path-injection", "ai-manual"]
|
||||
- ["java.io", "File", True, "renameTo", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
@@ -12,6 +16,7 @@ extensions:
|
||||
- ["java.io", "FileOutputStream", False, "write", "", "", "Argument[0]", "file-content-store", "manual"]
|
||||
- ["java.io", "FileReader", True, "FileReader", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["java.io", "FileReader", True, "FileReader", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["java.io", "FileReader", True, "FileReader", "(String,Charset)", "", "Argument[0]", "path-injection", "manual"]
|
||||
- ["java.io", "FileSystem", True, "createDirectory", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["java.io", "FileWriter", False, "FileWriter", "", "", "Argument[0]", "path-injection", "manual"]
|
||||
- ["java.io", "PrintStream", False, "PrintStream", "(File)", "", "Argument[0]", "path-injection", "manual"]
|
||||
|
||||
@@ -8,6 +8,9 @@ extensions:
|
||||
- ["java.lang", "ClassLoader", True, "getSystemResource", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["java.lang", "ClassLoader", True, "getSystemResourceAsStream", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["java.lang", "Module", True, "getResourceAsStream", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
# These are potential vulnerabilities, but not for command-injection. No query for this kind of vulnerability currently exists.
|
||||
# - ["java.lang", "Runtime", False, "load", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
|
||||
# - ["java.lang", "Runtime", False, "loadLibrary", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
|
||||
# These are modeled in plain CodeQL. TODO: migrate them.
|
||||
# - ["java.lang", "ProcessBuilder", False, "command", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"]
|
||||
# - ["java.lang", "ProcessBuilder", False, "directory", "(File)", "", "Argument[0]", "command-injection", "ai-manual"]
|
||||
|
||||
@@ -18,6 +18,7 @@ extensions:
|
||||
- ["java.nio.file", "Files", False, "delete", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["java.nio.file", "Files", False, "deleteIfExists", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["java.nio.file", "Files", False, "deleteIfExists", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["java.nio.file", "Files", False, "getFileStore", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"] # the FileStore class is unlikely to be used for later sanitization
|
||||
- ["java.nio.file", "Files", False, "lines", "(Path,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["java.nio.file", "Files", False, "lines", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["java.nio.file", "Files", False, "move", "", "", "Argument[1]", "path-injection", "manual"]
|
||||
@@ -26,6 +27,7 @@ extensions:
|
||||
- ["java.nio.file", "Files", False, "newBufferedWriter", "", "", "Argument[0]", "path-injection", "manual"]
|
||||
- ["java.nio.file", "Files", False, "newInputStream", "(Path,OpenOption[])", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["java.nio.file", "Files", False, "newOutputStream", "", "", "Argument[0]", "path-injection", "manual"]
|
||||
- ["java.nio.file", "Files", False, "probeContentType", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"] # accesses the file based on user input, but only reads its content type from it
|
||||
- ["java.nio.file", "Files", False, "readAllBytes", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["java.nio.file", "Files", False, "readAllLines", "(Path,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["java.nio.file", "Files", False, "readAllLines", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
@@ -40,14 +42,25 @@ extensions:
|
||||
- ["java.nio.file", "Files", True, "delete", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["java.nio.file", "Files", True, "newInputStream", "(Path,OpenOption[])", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["java.nio.file", "Files", True, "newOutputStream", "(Path,OpenOption[])", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["java.nio.file", "FileSystem", False, "getPath", "", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation
|
||||
- ["java.nio.file", "FileSystems", False, "newFileSystem", "(URI,Map)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["java.nio.file", "FileSystems", False, "newFileSystem", "(URI,Map)", "", "Argument[0]", "request-forgery", "ai-manual"]
|
||||
- ["java.nio.file", "Path", False, "of", "(String,String[])", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation
|
||||
- ["java.nio.file", "Path", False, "of", "(URI)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
|
||||
- ["java.nio.file", "Path", False, "resolve", "(String)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
|
||||
- ["java.nio.file", "Path", False, "resolveSibling", "(String)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
|
||||
- ["java.nio.file", "Paths", False, "get", "(String,String[])", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation
|
||||
- ["java.nio.file", "Paths", False, "get", "(URI)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
|
||||
- ["java.nio.file", "SecureDirectoryStream", True, "deleteDirectory", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["java.nio.file", "SecureDirectoryStream", True, "deleteFile", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- addsTo:
|
||||
pack: codeql/java-all
|
||||
extensible: summaryModel
|
||||
data:
|
||||
- ["java.nio.file", "Files", False, "find", "(Path,int,BiPredicate,FileVisitOption[])", "", "Argument[0]", "ReturnValue.Element", "taint", "ai-manual"]
|
||||
- ["java.nio.file", "Files", False, "find", "(Path,int,BiPredicate,FileVisitOption[])", "", "Argument[2]", "ReturnValue.Element", "taint", "ai-manual"]
|
||||
- ["java.nio.file", "Files", False, "list", "(Path)", "", "Argument[0]", "ReturnValue.Element", "taint", "ai-manual"]
|
||||
- ["java.nio.file", "Files", False, "readSymbolicLink", "(Path)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"] # this can be used to enumerate a file system
|
||||
- ["java.nio.file", "Files", True, "newBufferedReader", "(Path,Charset)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
|
||||
- ["java.nio.file", "Files", True, "newBufferedReader", "(Path)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
|
||||
- ["java.nio.file", "Files", True, "newByteChannel", "(Path,OpenOption[])", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
|
||||
|
||||
@@ -11,6 +11,8 @@ extensions:
|
||||
pack: codeql/java-all
|
||||
extensible: summaryModel
|
||||
data:
|
||||
- ["kotlin.io", "CloseableKt", False, "use", "", "", "Argument[0]", "Argument[1].Parameter[0]", "value", "manual"]
|
||||
- ["kotlin.io", "CloseableKt", False, "use", "", "", "Argument[1].ReturnValue", "ReturnValue", "value", "manual"]
|
||||
- ["kotlin.io", "FilesKt", False, "normalize", "(File)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
|
||||
- ["kotlin.io", "FilesKt", False, "relativeTo", "(File,File)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
|
||||
- ["kotlin.io", "FilesKt", False, "relativeTo", "(File,File)", "", "Argument[1]", "ReturnValue", "taint", "ai-manual"]
|
||||
|
||||
7
java/ql/lib/ext/kotlin.model.yml
Normal file
7
java/ql/lib/ext/kotlin.model.yml
Normal file
@@ -0,0 +1,7 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/java-all
|
||||
extensible: summaryModel
|
||||
data:
|
||||
- ["kotlin", "StandardKt", False, "with", "", "", "Argument[0]", "Argument[1].Parameter[0]", "value", "manual"]
|
||||
- ["kotlin", "StandardKt", False, "with", "", "", "Argument[1].ReturnValue", "ReturnValue", "value", "manual"]
|
||||
@@ -59,5 +59,6 @@ extensions:
|
||||
- ["okhttp3", "HttpUrl$Builder", False, "setQueryParameter", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
|
||||
- ["okhttp3", "HttpUrl$Builder", False, "setQueryParameter", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
|
||||
- ["okhttp3", "HttpUrl$Builder", False, "username", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
|
||||
- ["okhttp3", "Request$Builder", False, "get", "()", "", "Argument[undefined]", "ReturnValue", "taint", "ai-manual"] # this creates a GET request
|
||||
- ["okhttp3", "Request$Builder", False, "url", "(String)", "", "Argument[undefined]", "ReturnValue", "taint", "ai-manual"]
|
||||
- ["okhttp3", "Request$Builder", False, "get", "()", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"] # this creates a GET request
|
||||
- ["okhttp3", "Request$Builder", False, "url", "(String)", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
|
||||
- ["okhttp3", "Request$Builder", True, "build", "()", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
|
||||
|
||||
6
java/ql/lib/ext/org.antlr.runtime.model.yml
Normal file
6
java/ql/lib/ext/org.antlr.runtime.model.yml
Normal file
@@ -0,0 +1,6 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/java-all
|
||||
extensible: sinkModel
|
||||
data:
|
||||
- ["org.antlr.runtime", "ANTLRFileStream", True, "ANTLRFileStream", "(String,String)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
6
java/ql/lib/ext/org.fusesource.leveldbjni.model.yml
Normal file
6
java/ql/lib/ext/org.fusesource.leveldbjni.model.yml
Normal file
@@ -0,0 +1,6 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/java-all
|
||||
extensible: sinkModel
|
||||
data:
|
||||
- ["org.fusesource.leveldbjni", "JniDBFactory", True, "open", "(File,Options)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
6
java/ql/lib/ext/org.influxdb.model.yml
Normal file
6
java/ql/lib/ext/org.influxdb.model.yml
Normal file
@@ -0,0 +1,6 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/java-all
|
||||
extensible: sinkModel
|
||||
data:
|
||||
- ["org.influxdb", "InfluxDBFactory", False, "connect", "(String,String,String,Builder)", "", "Argument[0]", "request-forgery", "ai-manual"]
|
||||
7
java/ql/lib/ext/org.springframework.core.io.model.yml
Normal file
7
java/ql/lib/ext/org.springframework.core.io.model.yml
Normal file
@@ -0,0 +1,7 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/java-all
|
||||
extensible: sinkModel
|
||||
data:
|
||||
- ["org.springframework.core.io", "ResourceLoader", True, "getResource", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
|
||||
- ["org.springframework.core.io", "ResourceLoader", True, "getResource", "(String)", "", "Argument[0]", "request-forgery", "manual"]
|
||||
6
java/ql/lib/ext/org.yaml.snakeyaml.model.yml
Normal file
6
java/ql/lib/ext/org.yaml.snakeyaml.model.yml
Normal file
@@ -0,0 +1,6 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/java-all
|
||||
extensible: summaryModel
|
||||
data:
|
||||
- ["org.yaml.snakeyaml", "Yaml", True, "load", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
|
||||
@@ -1809,9 +1809,6 @@ class LValue extends VarAccess {
|
||||
* are source expressions of the assignment.
|
||||
*/
|
||||
Expr getRhs() { exists(Assignment e | e.getDest() = this and e.getSource() = result) }
|
||||
|
||||
/** DEPRECATED: Alias for getRhs */
|
||||
deprecated Expr getRHS() { result = this.getRhs() }
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -6,15 +6,6 @@
|
||||
|
||||
import java
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `conditionCheckMethodArgument` instead.
|
||||
* Holds if `m` is a non-overridable method that checks that its first argument
|
||||
* is equal to `checkTrue` and throws otherwise.
|
||||
*/
|
||||
deprecated predicate conditionCheckMethod(Method m, boolean checkTrue) {
|
||||
conditionCheckMethodArgument(m, 0, checkTrue)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `m` is a non-overridable method that checks that its zero-indexed `argument`
|
||||
* is equal to `checkTrue` and throws otherwise.
|
||||
|
||||
@@ -931,9 +931,6 @@ class SsaVariable extends TSsaVariable {
|
||||
this = TSsaUntracked(_, result)
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for getCfgNode */
|
||||
deprecated ControlFlowNode getCFGNode() { result = this.getCfgNode() }
|
||||
|
||||
/** Gets a textual representation of this SSA variable. */
|
||||
string toString() { none() }
|
||||
|
||||
|
||||
@@ -483,9 +483,6 @@ class BaseSsaVariable extends TBaseSsaVariable {
|
||||
this = TSsaEntryDef(_, result)
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for getCfgNode */
|
||||
deprecated ControlFlowNode getCFGNode() { result = this.getCfgNode() }
|
||||
|
||||
string toString() { none() }
|
||||
|
||||
Location getLocation() { result = this.getCfgNode().getLocation() }
|
||||
|
||||
@@ -456,9 +456,6 @@ class ArbitraryXmlEntryPoint extends ReflectivelyConstructedClass {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ArbitraryXmlEntryPoint */
|
||||
deprecated class ArbitraryXMLEntryPoint = ArbitraryXmlEntryPoint;
|
||||
|
||||
/** A Selenium PageObject, created by a call to PageFactory.initElements(..). */
|
||||
class SeleniumPageObjectEntryPoint extends ReflectivelyConstructedClass instanceof SeleniumPageObject
|
||||
{ }
|
||||
|
||||
@@ -38,9 +38,6 @@ class UrlConnectionGetInputStreamMethod extends Method {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for UrlConnectionGetInputStreamMethod */
|
||||
deprecated class URLConnectionGetInputStreamMethod = UrlConnectionGetInputStreamMethod;
|
||||
|
||||
/** The method `java.net.Socket::getInputStream`. */
|
||||
class SocketGetInputStreamMethod extends Method {
|
||||
SocketGetInputStreamMethod() {
|
||||
|
||||
@@ -128,9 +128,6 @@ class HttpServletRequestGetRequestUrlMethod extends Method {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for HttpServletRequestGetRequestUrlMethod */
|
||||
deprecated class HttpServletRequestGetRequestURLMethod = HttpServletRequestGetRequestUrlMethod;
|
||||
|
||||
/**
|
||||
* The method `getRequestURI()` declared in `javax.servlet.http.HttpServletRequest`.
|
||||
*/
|
||||
@@ -339,9 +336,6 @@ class ServletWebXmlListenerType extends RefType {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ServletWebXmlListenerType */
|
||||
deprecated class ServletWebXMLListenerType = ServletWebXmlListenerType;
|
||||
|
||||
/** Holds if `m` is a request handler method (for example `doGet` or `doPost`). */
|
||||
predicate isServletRequestMethod(Method m) {
|
||||
m.getDeclaringType() instanceof ServletClass and
|
||||
|
||||
@@ -29,9 +29,6 @@ class TypeUnboundIdLdapConnection extends Class {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for TypeUnboundIdLdapConnection */
|
||||
deprecated class TypeUnboundIdLDAPConnection = TypeUnboundIdLdapConnection;
|
||||
|
||||
/*--- Methods ---*/
|
||||
/** A method with the name `setBaseDN` declared in `com.unboundid.ldap.sdk.SearchRequest`. */
|
||||
class MethodUnboundIdSearchRequestSetBaseDN extends Method {
|
||||
@@ -103,9 +100,6 @@ class MethodUnboundIdLdapConnectionSearch extends Method {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for MethodUnboundIdLdapConnectionSearch */
|
||||
deprecated class MethodUnboundIdLDAPConnectionSearch = MethodUnboundIdLdapConnectionSearch;
|
||||
|
||||
/** A method with the name `asyncSearch` declared in `com.unboundid.ldap.sdk.LDAPConnection`. */
|
||||
class MethodUnboundIdLdapConnectionAsyncSearch extends Method {
|
||||
MethodUnboundIdLdapConnectionAsyncSearch() {
|
||||
@@ -114,10 +108,6 @@ class MethodUnboundIdLdapConnectionAsyncSearch extends Method {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for MethodUnboundIdLdapConnectionAsyncSearch */
|
||||
deprecated class MethodUnboundIdLDAPConnectionAsyncSearch =
|
||||
MethodUnboundIdLdapConnectionAsyncSearch;
|
||||
|
||||
/** A method with the name `searchForEntry` declared in `com.unboundid.ldap.sdk.LDAPConnection`. */
|
||||
class MethodUnboundIdLdapConnectionSearchForEntry extends Method {
|
||||
MethodUnboundIdLdapConnectionSearchForEntry() {
|
||||
@@ -125,7 +115,3 @@ class MethodUnboundIdLdapConnectionSearchForEntry extends Method {
|
||||
this.hasName("searchForEntry")
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for MethodUnboundIdLdapConnectionSearchForEntry */
|
||||
deprecated class MethodUnboundIdLDAPConnectionSearchForEntry =
|
||||
MethodUnboundIdLdapConnectionSearchForEntry;
|
||||
|
||||
@@ -20,9 +20,6 @@ class JacksonJsonIgnoreAnnotation extends NonReflectiveAnnotation {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for JacksonJsonIgnoreAnnotation */
|
||||
deprecated class JacksonJSONIgnoreAnnotation = JacksonJsonIgnoreAnnotation;
|
||||
|
||||
/** A type whose values may be serialized using the Jackson JSON framework. */
|
||||
abstract class JacksonSerializableType extends Type { }
|
||||
|
||||
|
||||
@@ -26,9 +26,6 @@ class PersistenceXmlFile extends XmlFile {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for PersistenceXmlFile */
|
||||
deprecated class PersistenceXMLFile = PersistenceXmlFile;
|
||||
|
||||
/** The root `persistence` XML element in a `persistence.xml` file. */
|
||||
class PersistenceXmlRoot extends XmlElement {
|
||||
PersistenceXmlRoot() {
|
||||
|
||||
@@ -35,9 +35,6 @@ class EjbJarXmlFile extends XmlFile {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for EjbJarXmlFile */
|
||||
deprecated class EjbJarXMLFile = EjbJarXmlFile;
|
||||
|
||||
/** The root `ejb-jar` XML element in an `ejb-jar.xml` file. */
|
||||
class EjbJarRootElement extends XmlElement {
|
||||
EjbJarRootElement() {
|
||||
|
||||
@@ -16,9 +16,6 @@ class FacesConfigXmlFile extends XmlFile {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for FacesConfigXmlFile */
|
||||
deprecated class FacesConfigXMLFile = FacesConfigXmlFile;
|
||||
|
||||
/**
|
||||
* An XML element in a `FacesConfigXMLFile`.
|
||||
*/
|
||||
@@ -31,9 +28,6 @@ class FacesConfigXmlElement extends XmlElement {
|
||||
string getValue() { result = this.allCharactersString().trim() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for FacesConfigXmlElement */
|
||||
deprecated class FacesConfigXMLElement = FacesConfigXmlElement;
|
||||
|
||||
/**
|
||||
* An element in a JSF config file that declares a managed bean.
|
||||
*/
|
||||
|
||||
@@ -100,9 +100,6 @@ class SpringBeanXmlAutowiredSetterMethod extends Method {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SpringBeanXmlAutowiredSetterMethod */
|
||||
deprecated class SpringBeanXMLAutowiredSetterMethod = SpringBeanXmlAutowiredSetterMethod;
|
||||
|
||||
/**
|
||||
* A callable that is annotated with `@Autowired`.
|
||||
*
|
||||
|
||||
@@ -13,9 +13,6 @@ class SpringCamelXmlElement extends SpringXmlElement {
|
||||
SpringCamelXmlElement() { this.getNamespace().getUri() = "http://camel.apache.org/schema/spring" }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SpringCamelXmlElement */
|
||||
deprecated class SpringCamelXMLElement = SpringCamelXmlElement;
|
||||
|
||||
/**
|
||||
* An element in a Spring beans file that defines an Apache Camel context.
|
||||
*
|
||||
@@ -25,9 +22,6 @@ class SpringCamelXmlContext extends SpringCamelXmlElement {
|
||||
SpringCamelXmlContext() { this.getName() = "camelContext" }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SpringCamelXmlContext */
|
||||
deprecated class SpringCamelXMLContext = SpringCamelXmlContext;
|
||||
|
||||
/**
|
||||
* An element in a Spring beans file that defines an Apache Camel route context.
|
||||
*
|
||||
@@ -38,9 +32,6 @@ class SpringCamelXmlRouteContext extends SpringCamelXmlElement {
|
||||
SpringCamelXmlRouteContext() { this.getName() = "routeContext" }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SpringCamelXmlRouteContext */
|
||||
deprecated class SpringCamelXMLRouteContext = SpringCamelXmlRouteContext;
|
||||
|
||||
/**
|
||||
* An element in a Spring beans files that defines an Apache Camel route.
|
||||
*
|
||||
@@ -58,9 +49,6 @@ class SpringCamelXmlRoute extends SpringCamelXmlElement {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SpringCamelXmlRoute */
|
||||
deprecated class SpringCamelXMLRoute = SpringCamelXmlRoute;
|
||||
|
||||
/**
|
||||
* An element in a Spring bean file that is logically contained in an Apache Camel route.
|
||||
*/
|
||||
@@ -71,9 +59,6 @@ class SpringCamelXmlRouteElement extends SpringCamelXmlElement {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SpringCamelXmlRouteElement */
|
||||
deprecated class SpringCamelXMLRouteElement = SpringCamelXmlRouteElement;
|
||||
|
||||
/**
|
||||
* A reference to a Spring bean in an Apache Camel route defined in a Spring beans file.
|
||||
*
|
||||
@@ -98,9 +83,6 @@ class SpringCamelXmlBeanRef extends SpringCamelXmlRouteElement {
|
||||
RefType getBeanType() { result.getQualifiedName() = this.getAttribute("beanType").getValue() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SpringCamelXmlBeanRef */
|
||||
deprecated class SpringCamelXMLBeanRef = SpringCamelXmlBeanRef;
|
||||
|
||||
/**
|
||||
* A declaration of a target in an Apache Camel route defined in a Spring beans file.
|
||||
*
|
||||
@@ -120,9 +102,6 @@ class SpringCamelXmlToElement extends SpringCamelXmlRouteElement {
|
||||
deprecated string getURI() { result = this.getUri() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SpringCamelXmlToElement */
|
||||
deprecated class SpringCamelXMLToElement = SpringCamelXmlToElement;
|
||||
|
||||
/**
|
||||
* A declaration of a Apache Camel "method" expression defined in a Spring beans file.
|
||||
*
|
||||
@@ -147,6 +126,3 @@ class SpringCamelXmlMethodElement extends SpringCamelXmlElement {
|
||||
*/
|
||||
RefType getBeanType() { result.getQualifiedName() = this.getAttribute("beanType").getValue() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SpringCamelXmlMethodElement */
|
||||
deprecated class SpringCamelXMLMethodElement = SpringCamelXmlMethodElement;
|
||||
|
||||
@@ -23,9 +23,6 @@ class SpringXmlComponentScan extends SpringXmlElement {
|
||||
string getAProfileExpr() { result = this.getSpringBeanFile().getAProfileExpr() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SpringXmlComponentScan */
|
||||
deprecated class SpringXMLComponentScan = SpringXmlComponentScan;
|
||||
|
||||
/**
|
||||
* An annotation of a class that configures which packages are considered to be "base" packages
|
||||
* when performing the Spring component scan.
|
||||
|
||||
@@ -57,11 +57,6 @@ class SpringRemotingDestinationClass extends Class {
|
||||
*/
|
||||
SpringRemotingDestination getRemotingDestinationXml() { this = result.getSpringBean().getClass() }
|
||||
|
||||
/** DEPRECATED: Alias for getRemotingDestinationXml */
|
||||
deprecated SpringRemotingDestination getRemotingDestinationXML() {
|
||||
result = this.getRemotingDestinationXml()
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if the class is operating on an "include" or "exclude" basis.
|
||||
*
|
||||
|
||||
@@ -37,6 +37,3 @@ class SpringXmlElement extends XmlElement {
|
||||
|
||||
string getContentString() { result = this.allCharactersString() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SpringXmlElement */
|
||||
deprecated class SpringXMLElement = SpringXmlElement;
|
||||
|
||||
@@ -77,9 +77,6 @@ StrutsXmlFile getRootXmlFile(RefType refType) {
|
||||
)
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for getRootXmlFile */
|
||||
deprecated StrutsXMLFile getRootXMLFile(RefType refType) { result = getRootXmlFile(refType) }
|
||||
|
||||
/**
|
||||
* Gets the suffix used for automatically identifying actions when using the convention plugin.
|
||||
*
|
||||
|
||||
@@ -5,9 +5,6 @@ import java
|
||||
*/
|
||||
predicate isStrutsXmlIncluded() { exists(StrutsXmlFile strutsXml) }
|
||||
|
||||
/** DEPRECATED: Alias for isStrutsXmlIncluded */
|
||||
deprecated predicate isStrutsXMLIncluded = isStrutsXmlIncluded/0;
|
||||
|
||||
/**
|
||||
* A struts 2 configuration file.
|
||||
*/
|
||||
@@ -51,9 +48,6 @@ abstract class StrutsXmlFile extends XmlFile {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for StrutsXmlFile */
|
||||
deprecated class StrutsXMLFile = StrutsXmlFile;
|
||||
|
||||
/**
|
||||
* A Struts 2 "root" configuration XML file directly read by struts.
|
||||
*
|
||||
@@ -66,9 +60,6 @@ class StrutsRootXmlFile extends StrutsXmlFile {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for StrutsRootXmlFile */
|
||||
deprecated class StrutsRootXMLFile = StrutsRootXmlFile;
|
||||
|
||||
/**
|
||||
* A Struts 2 configuration XML file included, directly or indirectly, by a root Struts configuration.
|
||||
*/
|
||||
@@ -76,9 +67,6 @@ class StrutsIncludedXmlFile extends StrutsXmlFile {
|
||||
StrutsIncludedXmlFile() { exists(StrutsXmlInclude include | this = include.getIncludedFile()) }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for StrutsIncludedXmlFile */
|
||||
deprecated class StrutsIncludedXMLFile = StrutsIncludedXmlFile;
|
||||
|
||||
/**
|
||||
* A Folder which has one or more Struts 2 root configurations.
|
||||
*/
|
||||
@@ -116,9 +104,6 @@ class StrutsXmlElement extends XmlElement {
|
||||
string getValue() { result = this.allCharactersString().trim() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for StrutsXmlElement */
|
||||
deprecated class StrutsXMLElement = StrutsXmlElement;
|
||||
|
||||
/**
|
||||
* A `<include>` element within a `struts.xml` file.
|
||||
*
|
||||
@@ -141,9 +126,6 @@ class StrutsXmlInclude extends StrutsXmlElement {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for StrutsXmlInclude */
|
||||
deprecated class StrutsXMLInclude = StrutsXmlInclude;
|
||||
|
||||
/**
|
||||
* Escape a string for use as the matcher in a string.match(..) call.
|
||||
*/
|
||||
@@ -192,9 +174,6 @@ class StrutsXmlAction extends StrutsXmlElement {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for StrutsXmlAction */
|
||||
deprecated class StrutsXMLAction = StrutsXmlAction;
|
||||
|
||||
/**
|
||||
* A `<constant>` property, representing a configuration parameter to struts.
|
||||
*/
|
||||
@@ -205,6 +184,3 @@ class StrutsXmlConstant extends StrutsXmlElement {
|
||||
|
||||
string getConstantValue() { result = this.getAttribute("value").getValue() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for StrutsXmlConstant */
|
||||
deprecated class StrutsXMLConstant = StrutsXmlConstant;
|
||||
|
||||
@@ -25,9 +25,6 @@ class HttpsUrlConnection extends RefType {
|
||||
HttpsUrlConnection() { this.hasQualifiedName("javax.net.ssl", "HttpsURLConnection") }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for HttpsUrlConnection */
|
||||
deprecated class HttpsURLConnection = HttpsUrlConnection;
|
||||
|
||||
class SslSocketFactory extends RefType {
|
||||
SslSocketFactory() { this.hasQualifiedName("javax.net.ssl", "SSLSocketFactory") }
|
||||
}
|
||||
|
||||
@@ -12,9 +12,6 @@ import semmle.code.java.dataflow.TaintTracking
|
||||
*/
|
||||
abstract class SafeExternalApiMethod extends Method { }
|
||||
|
||||
/** DEPRECATED: Alias for SafeExternalApiMethod */
|
||||
deprecated class SafeExternalAPIMethod = SafeExternalApiMethod;
|
||||
|
||||
/** The default set of "safe" external APIs. */
|
||||
private class DefaultSafeExternalApiMethod extends SafeExternalApiMethod {
|
||||
DefaultSafeExternalApiMethod() {
|
||||
@@ -95,9 +92,6 @@ class ExternalApiDataNode extends DataFlow::Node {
|
||||
string getMethodDescription() { result = this.getMethod().getQualifiedName() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ExternalApiDataNode */
|
||||
deprecated class ExternalAPIDataNode = ExternalApiDataNode;
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `UntrustedDataToExternalApiFlow` instead.
|
||||
*
|
||||
@@ -125,9 +119,6 @@ module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
|
||||
*/
|
||||
module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;
|
||||
|
||||
/** DEPRECATED: Alias for UntrustedDataToExternalApiConfig */
|
||||
deprecated class UntrustedDataToExternalAPIConfig = UntrustedDataToExternalApiConfig;
|
||||
|
||||
/** A node representing untrusted data being passed to an external API. */
|
||||
class UntrustedExternalApiDataNode extends ExternalApiDataNode {
|
||||
UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flowTo(this) }
|
||||
@@ -136,9 +127,6 @@ class UntrustedExternalApiDataNode extends ExternalApiDataNode {
|
||||
DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for UntrustedExternalApiDataNode */
|
||||
deprecated class UntrustedExternalAPIDataNode = UntrustedExternalApiDataNode;
|
||||
|
||||
/** An external API which is used with untrusted data. */
|
||||
private newtype TExternalApi =
|
||||
/** An untrusted API method `m` where untrusted data is passed at `index`. */
|
||||
@@ -172,6 +160,3 @@ class ExternalApiUsedWithUntrustedData extends TExternalApi {
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ExternalApiUsedWithUntrustedData */
|
||||
deprecated class ExternalAPIUsedWithUntrustedData = ExternalApiUsedWithUntrustedData;
|
||||
|
||||
@@ -5,7 +5,6 @@ import semmle.code.java.frameworks.Networking
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
private import semmle.code.java.dataflow.ExternalFlow
|
||||
import semmle.code.java.security.PathCreation
|
||||
import semmle.code.java.security.PathSanitizer
|
||||
|
||||
/**
|
||||
@@ -55,11 +54,7 @@ private class TaintPreservingUriCtorParam extends Parameter {
|
||||
module TaintedPathConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
sink.asExpr() = any(PathCreation p).getAnInput()
|
||||
or
|
||||
sinkNode(sink, "path-injection")
|
||||
}
|
||||
predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") }
|
||||
|
||||
predicate isBarrier(DataFlow::Node sanitizer) {
|
||||
sanitizer.getType() instanceof BoxedType or
|
||||
@@ -82,11 +77,7 @@ module TaintedPathFlow = TaintTracking::Global<TaintedPathConfig>;
|
||||
module TaintedPathLocalConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
sink.asExpr() = any(PathCreation p).getAnInput()
|
||||
or
|
||||
sinkNode(sink, "path-injection")
|
||||
}
|
||||
predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") }
|
||||
|
||||
predicate isBarrier(DataFlow::Node sanitizer) {
|
||||
sanitizer.getType() instanceof BoxedType or
|
||||
|
||||
@@ -337,9 +337,6 @@ class SaxBuilder extends RefType {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SaxBuilder */
|
||||
deprecated class SAXBuilder = SaxBuilder;
|
||||
|
||||
/**
|
||||
* A call to `SAXBuilder.build.`
|
||||
*/
|
||||
@@ -359,9 +356,6 @@ class SaxBuilderParse extends XmlParserCall {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SaxBuilderParse */
|
||||
deprecated class SAXBuilderParse = SaxBuilderParse;
|
||||
|
||||
private module SafeSaxBuilderToSaxBuilderParseFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxBuilder }
|
||||
|
||||
@@ -386,9 +380,6 @@ class SaxBuilderConfig extends ParserConfig {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SaxBuilderConfig */
|
||||
deprecated class SAXBuilderConfig = SaxBuilderConfig;
|
||||
|
||||
/** A safely configured `SaxBuilder`. */
|
||||
class SafeSaxBuilder extends VarAccess {
|
||||
SafeSaxBuilder() {
|
||||
@@ -404,9 +395,6 @@ class SafeSaxBuilder extends VarAccess {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SafeSaxBuilder */
|
||||
deprecated class SafeSAXBuilder = SafeSaxBuilder;
|
||||
|
||||
/*
|
||||
* The case in
|
||||
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller
|
||||
@@ -420,17 +408,11 @@ class SaxParser extends RefType {
|
||||
SaxParser() { this.hasQualifiedName("javax.xml.parsers", "SAXParser") }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SaxParser */
|
||||
deprecated class SAXParser = SaxParser;
|
||||
|
||||
/** The class `javax.xml.parsers.SAXParserFactory`. */
|
||||
class SaxParserFactory extends RefType {
|
||||
SaxParserFactory() { this.hasQualifiedName("javax.xml.parsers", "SAXParserFactory") }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SaxParserFactory */
|
||||
deprecated class SAXParserFactory = SaxParserFactory;
|
||||
|
||||
/** A call to `SAXParser.parse`. */
|
||||
class SaxParserParse extends XmlParserCall {
|
||||
SaxParserParse() {
|
||||
@@ -446,9 +428,6 @@ class SaxParserParse extends XmlParserCall {
|
||||
override predicate isSafe() { SafeSaxParserFlow::flowToExpr(this.getQualifier()) }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SaxParserParse */
|
||||
deprecated class SAXParserParse = SaxParserParse;
|
||||
|
||||
/** A `ParserConfig` that is specific to `SaxParserFactory`. */
|
||||
class SaxParserFactoryConfig extends ParserConfig {
|
||||
SaxParserFactoryConfig() {
|
||||
@@ -460,9 +439,6 @@ class SaxParserFactoryConfig extends ParserConfig {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SaxParserFactoryConfig */
|
||||
deprecated class SAXParserFactoryConfig = SaxParserFactoryConfig;
|
||||
|
||||
/**
|
||||
* A safely configured `SAXParserFactory`.
|
||||
*/
|
||||
@@ -496,9 +472,6 @@ class SafeSaxParserFactory extends VarAccess {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SafeSaxParserFactory */
|
||||
deprecated class SafeSAXParserFactory = SafeSaxParserFactory;
|
||||
|
||||
private module SafeSaxParserFactoryToNewSaxParserFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxParserFactory }
|
||||
|
||||
@@ -540,9 +513,6 @@ class SafeSaxParser extends MethodAccess {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SafeSaxParser */
|
||||
deprecated class SafeSAXParser = SafeSaxParser;
|
||||
|
||||
/* SAXReader: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#saxreader */
|
||||
/**
|
||||
* The class `org.dom4j.io.SAXReader`.
|
||||
@@ -551,9 +521,6 @@ class SaxReader extends RefType {
|
||||
SaxReader() { this.hasQualifiedName("org.dom4j.io", "SAXReader") }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SaxReader */
|
||||
deprecated class SAXReader = SaxReader;
|
||||
|
||||
/** A call to `SAXReader.read`. */
|
||||
class SaxReaderRead extends XmlParserCall {
|
||||
SaxReaderRead() {
|
||||
@@ -569,9 +536,6 @@ class SaxReaderRead extends XmlParserCall {
|
||||
override predicate isSafe() { SafeSaxReaderFlow::flowToExpr(this.getQualifier()) }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SaxReaderRead */
|
||||
deprecated class SAXReaderRead = SaxReaderRead;
|
||||
|
||||
/** A `ParserConfig` specific to `SaxReader`. */
|
||||
class SaxReaderConfig extends ParserConfig {
|
||||
SaxReaderConfig() {
|
||||
@@ -583,9 +547,6 @@ class SaxReaderConfig extends ParserConfig {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SaxReaderConfig */
|
||||
deprecated class SAXReaderConfig = SaxReaderConfig;
|
||||
|
||||
private module SafeSaxReaderFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxReader }
|
||||
|
||||
@@ -626,9 +587,6 @@ class SafeSaxReader extends VarAccess {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SafeSaxReader */
|
||||
deprecated class SafeSAXReader = SafeSaxReader;
|
||||
|
||||
/* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlreader */
|
||||
/** The class `org.xml.sax.XMLReader`. */
|
||||
class XmlReader extends RefType {
|
||||
@@ -640,9 +598,6 @@ class InputSource extends Class {
|
||||
InputSource() { this.hasQualifiedName("org.xml.sax", "InputSource") }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for XmlReader */
|
||||
deprecated class XMLReader = XmlReader;
|
||||
|
||||
/** A call to `XMLReader.read`. */
|
||||
class XmlReaderParse extends XmlParserCall {
|
||||
XmlReaderParse() {
|
||||
@@ -661,9 +616,6 @@ class XmlReaderParse extends XmlParserCall {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for XmlReaderParse */
|
||||
deprecated class XMLReaderParse = XmlReaderParse;
|
||||
|
||||
/** A `ParserConfig` specific to the `XmlReader`. */
|
||||
class XmlReaderConfig extends ParserConfig {
|
||||
XmlReaderConfig() {
|
||||
@@ -675,9 +627,6 @@ class XmlReaderConfig extends ParserConfig {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for XmlReaderConfig */
|
||||
deprecated class XMLReaderConfig = XmlReaderConfig;
|
||||
|
||||
private module ExplicitlySafeXmlReaderFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ExplicitlySafeXmlReader }
|
||||
|
||||
@@ -697,9 +646,6 @@ class SafeXmlReaderFlowSink extends Expr {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SafeXmlReaderFlowSink */
|
||||
deprecated class SafeXMLReaderFlowSink = SafeXmlReaderFlowSink;
|
||||
|
||||
/** An `XmlReader` that is explicitly configured to be safe. */
|
||||
class ExplicitlySafeXmlReader extends VarAccess {
|
||||
ExplicitlySafeXmlReader() {
|
||||
@@ -739,9 +685,6 @@ class ExplicitlySafeXmlReader extends VarAccess {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ExplicitlySafeXmlReader */
|
||||
deprecated class ExplicitlySafeXMLReader = ExplicitlySafeXmlReader;
|
||||
|
||||
private module CreatedSafeXmlReaderFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof CreatedSafeXmlReader }
|
||||
|
||||
@@ -778,9 +721,6 @@ class CreatedSafeXmlReader extends Call {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for CreatedSafeXmlReader */
|
||||
deprecated class CreatedSafeXMLReader = CreatedSafeXmlReader;
|
||||
|
||||
/*
|
||||
* SAXSource in
|
||||
* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller
|
||||
@@ -791,9 +731,6 @@ class SaxSource extends RefType {
|
||||
SaxSource() { this.hasQualifiedName("javax.xml.transform.sax", "SAXSource") }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SaxSource */
|
||||
deprecated class SAXSource = SaxSource;
|
||||
|
||||
/** A call to the constructor of `SAXSource` with `XmlReader` and `InputSource`. */
|
||||
class ConstructedSaxSource extends ClassInstanceExpr {
|
||||
ConstructedSaxSource() {
|
||||
@@ -814,9 +751,6 @@ class ConstructedSaxSource extends ClassInstanceExpr {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for ConstructedSaxSource */
|
||||
deprecated class ConstructedSAXSource = ConstructedSaxSource;
|
||||
|
||||
/** A call to the `SAXSource.setXMLReader` method. */
|
||||
class SaxSourceSetReader extends MethodAccess {
|
||||
SaxSourceSetReader() {
|
||||
@@ -828,9 +762,6 @@ class SaxSourceSetReader extends MethodAccess {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SaxSourceSetReader */
|
||||
deprecated class SAXSourceSetReader = SaxSourceSetReader;
|
||||
|
||||
/** A `SaxSource` that is safe to use. */
|
||||
class SafeSaxSource extends Expr {
|
||||
SafeSaxSource() {
|
||||
@@ -847,9 +778,6 @@ class SafeSaxSource extends Expr {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SafeSaxSource */
|
||||
deprecated class SafeSAXSource = SafeSaxSource;
|
||||
|
||||
/* Transformer: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory */
|
||||
/** An access to a method use for configuring a transformer or schema. */
|
||||
abstract class TransformerConfig extends MethodAccess {
|
||||
@@ -1063,9 +991,6 @@ class SaxTransformerFactoryNewXmlFilter extends XmlParserCall {
|
||||
override predicate isSafe() { SafeTransformerFactoryFlow::flowToExpr(this.getQualifier()) }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SaxTransformerFactoryNewXmlFilter */
|
||||
deprecated class SAXTransformerFactoryNewXMLFilter = SaxTransformerFactoryNewXmlFilter;
|
||||
|
||||
/* Schema: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory */
|
||||
/** The class `javax.xml.validation.SchemaFactory`. */
|
||||
class SchemaFactory extends RefType {
|
||||
@@ -1197,9 +1122,6 @@ class SimpleXmlPersisterCall extends XmlParserCall {
|
||||
override predicate isSafe() { none() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SimpleXmlPersisterCall */
|
||||
deprecated class SimpleXMLPersisterCall = SimpleXmlPersisterCall;
|
||||
|
||||
/** A call to `provide` in `Provider`. */
|
||||
class SimpleXmlProviderCall extends XmlParserCall {
|
||||
SimpleXmlProviderCall() {
|
||||
@@ -1218,9 +1140,6 @@ class SimpleXmlProviderCall extends XmlParserCall {
|
||||
override predicate isSafe() { none() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SimpleXmlProviderCall */
|
||||
deprecated class SimpleXMLProviderCall = SimpleXmlProviderCall;
|
||||
|
||||
/** A call to `read` in `NodeBuilder`. */
|
||||
class SimpleXmlNodeBuilderCall extends XmlParserCall {
|
||||
SimpleXmlNodeBuilderCall() {
|
||||
@@ -1236,9 +1155,6 @@ class SimpleXmlNodeBuilderCall extends XmlParserCall {
|
||||
override predicate isSafe() { none() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SimpleXmlNodeBuilderCall */
|
||||
deprecated class SimpleXMLNodeBuilderCall = SimpleXmlNodeBuilderCall;
|
||||
|
||||
/** A call to the `format` method of the `Formatter`. */
|
||||
class SimpleXmlFormatterCall extends XmlParserCall {
|
||||
SimpleXmlFormatterCall() {
|
||||
@@ -1254,9 +1170,6 @@ class SimpleXmlFormatterCall extends XmlParserCall {
|
||||
override predicate isSafe() { none() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for SimpleXmlFormatterCall */
|
||||
deprecated class SimpleXMLFormatterCall = SimpleXmlFormatterCall;
|
||||
|
||||
/** A configuration for secure processing. */
|
||||
Expr configSecureProcessing() {
|
||||
result.(ConstantStringExpr).getStringValue() =
|
||||
|
||||
@@ -4,6 +4,7 @@ import java
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.security.PathSanitizer
|
||||
private import semmle.code.java.dataflow.ExternalFlow
|
||||
private import semmle.code.java.security.PathCreation
|
||||
|
||||
/**
|
||||
* A method that returns the name of an archive entry.
|
||||
@@ -40,5 +41,28 @@ module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;
|
||||
* A sink that represents a file creation, such as a file write, copy or move operation.
|
||||
*/
|
||||
private class FileCreationSink extends DataFlow::Node {
|
||||
FileCreationSink() { sinkNode(this, "path-injection") }
|
||||
FileCreationSink() {
|
||||
sinkNode(this, "path-injection") and
|
||||
not isPathCreation(this)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `sink` is a path creation node that doesn't imply a read/write filesystem operation.
|
||||
* This is to avoid creating new spurious alerts, since `PathCreation` sinks weren't
|
||||
* previously part of this query.
|
||||
*/
|
||||
private predicate isPathCreation(DataFlow::Node sink) {
|
||||
exists(PathCreation pc |
|
||||
pc.getAnInput() = sink.asExpr()
|
||||
or
|
||||
pc.getAnInput().(Argument).isVararg() and sink.(DataFlow::ImplicitVarargsArray).getCall() = pc
|
||||
|
|
||||
// exclude actual read/write operations included in `PathCreation`
|
||||
not pc.(Call)
|
||||
.getCallee()
|
||||
.getDeclaringType()
|
||||
.hasQualifiedName("java.io",
|
||||
["FileInputStream", "FileOutputStream", "FileReader", "FileWriter"])
|
||||
)
|
||||
}
|
||||
|
||||
@@ -5,9 +5,6 @@ import java
|
||||
*/
|
||||
predicate isWebXmlIncluded() { exists(WebXmlFile webXml) }
|
||||
|
||||
/** DEPRECATED: Alias for isWebXmlIncluded */
|
||||
deprecated predicate isWebXMLIncluded = isWebXmlIncluded/0;
|
||||
|
||||
/**
|
||||
* A deployment descriptor file, typically called `web.xml`.
|
||||
*/
|
||||
@@ -31,9 +28,6 @@ class WebXmlFile extends XmlFile {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for WebXmlFile */
|
||||
deprecated class WebXMLFile = WebXmlFile;
|
||||
|
||||
/**
|
||||
* An XML element in a `WebXMLFile`.
|
||||
*/
|
||||
@@ -46,9 +40,6 @@ class WebXmlElement extends XmlElement {
|
||||
string getValue() { result = this.allCharactersString().trim() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for WebXmlElement */
|
||||
deprecated class WebXMLElement = WebXmlElement;
|
||||
|
||||
/**
|
||||
* A `<context-param>` element in a `web.xml` file.
|
||||
*/
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
/**
|
||||
* @id java/summary/lines-of-code
|
||||
* @name Total lines of Java code in the database
|
||||
* @description The total number of lines of code across all files. This is a useful metric of the size of a database.
|
||||
* For all files that were seen during the build, this query counts the lines of code, excluding whitespace
|
||||
* @description The total number of lines of code across all Java files. This is a useful metric of the size of a database.
|
||||
* For all Java files that were seen during the build, this query counts the lines of code, excluding whitespace
|
||||
* or comments.
|
||||
* @kind metric
|
||||
* @tags summary
|
||||
@@ -11,4 +11,4 @@
|
||||
|
||||
import java
|
||||
|
||||
select sum(CompilationUnit f | f.fromSource() | f.getNumberOfLinesOfCode())
|
||||
select sum(CompilationUnit f | f.fromSource() and f.isJavaSourceFile() | f.getNumberOfLinesOfCode())
|
||||
|
||||
18
java/ql/src/Metrics/Summaries/LinesOfCodeKotlin.ql
Normal file
18
java/ql/src/Metrics/Summaries/LinesOfCodeKotlin.ql
Normal file
@@ -0,0 +1,18 @@
|
||||
/**
|
||||
* @id java/summary/lines-of-code-kotlin
|
||||
* @name Total lines of Kotlin code in the database
|
||||
* @description The total number of lines of code across all Kotlin files. This is a useful metric of the size of a database.
|
||||
* For all Kotlin files that were seen during the build, this query counts the lines of code, excluding whitespace
|
||||
* or comments.
|
||||
* @kind metric
|
||||
* @tags summary
|
||||
* lines-of-code
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
select sum(CompilationUnit f |
|
||||
f.fromSource() and f.isKotlinSourceFile()
|
||||
|
|
||||
f.getNumberOfLinesOfCode()
|
||||
)
|
||||
@@ -14,6 +14,7 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.PathCreation
|
||||
import semmle.code.java.security.TaintedPathQuery
|
||||
import TaintedPathFlow::PathGraph
|
||||
|
||||
|
||||
@@ -14,6 +14,7 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.PathCreation
|
||||
import semmle.code.java.security.TaintedPathQuery
|
||||
import TaintedPathLocalFlow::PathGraph
|
||||
|
||||
|
||||
@@ -128,4 +128,4 @@ where
|
||||
not exists(Property p | p.getBackingField() = f)
|
||||
select c,
|
||||
c.getName() + " exposes the internal representation stored in field " + f.getName() +
|
||||
". The value may be modified $@.", why.getLocation(), whyText
|
||||
". The value may be modified $@.", why, whyText
|
||||
|
||||
4
java/ql/src/change-notes/2023-06-05-lines-of-code.md
Normal file
4
java/ql/src/change-notes/2023-06-05-lines-of-code.md
Normal file
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The `java/summary/lines-of-code` query now only counts lines of Java code. The new `java/summary/lines-of-code-kotlin` counts lines of Kotlin code.
|
||||
@@ -16,7 +16,6 @@ import java
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.dataflow.ExternalFlow
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.security.PathCreation
|
||||
import JFinalController
|
||||
import semmle.code.java.security.PathSanitizer
|
||||
import InjectFilePathFlow::PathGraph
|
||||
@@ -52,7 +51,7 @@ module InjectFilePathConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
sink.asExpr() = any(PathCreation p).getAnInput() and
|
||||
sinkNode(sink, "path-injection") and
|
||||
not sink instanceof NormalizedPathNode
|
||||
}
|
||||
|
||||
|
||||
@@ -56,9 +56,6 @@ predicate myBatisMapperXmlElementFromMethod(Method method, MyBatisMapperXmlEleme
|
||||
)
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for myBatisMapperXmlElementFromMethod */
|
||||
deprecated predicate myBatisMapperXMLElementFromMethod = myBatisMapperXmlElementFromMethod/2;
|
||||
|
||||
/** Holds if the specified `method` has Ibatis Sql operation annotation `isoa`. */
|
||||
predicate myBatisSqlOperationAnnotationFromMethod(Method method, IbatisSqlOperationAnnotation isoa) {
|
||||
exists(MyBatisSqlOperationAnnotationMethod msoam |
|
||||
|
||||
@@ -10,9 +10,6 @@ class StrutsXmlFile extends XmlFile {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for StrutsXmlFile */
|
||||
deprecated class StrutsXMLFile = StrutsXmlFile;
|
||||
|
||||
/**
|
||||
* An XML element in a `StrutsXMLFile`.
|
||||
*/
|
||||
@@ -25,9 +22,6 @@ class StrutsXmlElement extends XmlElement {
|
||||
string getValue() { result = this.allCharactersString().trim() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for StrutsXmlElement */
|
||||
deprecated class StrutsXMLElement = StrutsXmlElement;
|
||||
|
||||
/**
|
||||
* A `<constant>` element in a `StrutsXMLFile`.
|
||||
*/
|
||||
|
||||
@@ -14,9 +14,6 @@ class MyBatisMapperXmlFile extends XmlFile {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for MyBatisMapperXmlFile */
|
||||
deprecated class MyBatisMapperXMLFile = MyBatisMapperXmlFile;
|
||||
|
||||
/**
|
||||
* An XML element in a `MyBatisMapperXMLFile`.
|
||||
*/
|
||||
@@ -36,9 +33,6 @@ class MyBatisMapperXmlElement extends XmlElement {
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for MyBatisMapperXmlElement */
|
||||
deprecated class MyBatisMapperXMLElement = MyBatisMapperXmlElement;
|
||||
|
||||
/**
|
||||
* An MyBatis Mapper sql operation element.
|
||||
*/
|
||||
|
||||
@@ -2,7 +2,12 @@ edges
|
||||
| FilePathInjection.java:21:21:21:34 | getPara(...) : String | FilePathInjection.java:26:47:26:59 | finalFilePath |
|
||||
| FilePathInjection.java:64:21:64:34 | getPara(...) : String | FilePathInjection.java:72:47:72:59 | finalFilePath |
|
||||
| FilePathInjection.java:87:21:87:34 | getPara(...) : String | FilePathInjection.java:95:47:95:59 | finalFilePath |
|
||||
| FilePathInjection.java:177:50:177:58 | file : File | FilePathInjection.java:182:30:182:33 | file |
|
||||
| FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:209:24:209:31 | filePath |
|
||||
| FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:209:24:209:31 | filePath : String |
|
||||
| FilePathInjection.java:209:15:209:32 | new File(...) : File | FilePathInjection.java:217:19:217:22 | file : File |
|
||||
| FilePathInjection.java:209:24:209:31 | filePath : String | FilePathInjection.java:209:15:209:32 | new File(...) : File |
|
||||
| FilePathInjection.java:217:19:217:22 | file : File | FilePathInjection.java:177:50:177:58 | file : File |
|
||||
nodes
|
||||
| FilePathInjection.java:21:21:21:34 | getPara(...) : String | semmle.label | getPara(...) : String |
|
||||
| FilePathInjection.java:26:47:26:59 | finalFilePath | semmle.label | finalFilePath |
|
||||
@@ -10,11 +15,17 @@ nodes
|
||||
| FilePathInjection.java:72:47:72:59 | finalFilePath | semmle.label | finalFilePath |
|
||||
| FilePathInjection.java:87:21:87:34 | getPara(...) : String | semmle.label | getPara(...) : String |
|
||||
| FilePathInjection.java:95:47:95:59 | finalFilePath | semmle.label | finalFilePath |
|
||||
| FilePathInjection.java:177:50:177:58 | file : File | semmle.label | file : File |
|
||||
| FilePathInjection.java:182:30:182:33 | file | semmle.label | file |
|
||||
| FilePathInjection.java:205:17:205:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| FilePathInjection.java:209:15:209:32 | new File(...) : File | semmle.label | new File(...) : File |
|
||||
| FilePathInjection.java:209:24:209:31 | filePath | semmle.label | filePath |
|
||||
| FilePathInjection.java:209:24:209:31 | filePath : String | semmle.label | filePath : String |
|
||||
| FilePathInjection.java:217:19:217:22 | file : File | semmle.label | file : File |
|
||||
subpaths
|
||||
#select
|
||||
| FilePathInjection.java:26:47:26:59 | finalFilePath | FilePathInjection.java:21:21:21:34 | getPara(...) : String | FilePathInjection.java:26:47:26:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:21:21:21:34 | getPara(...) | user-provided value |
|
||||
| FilePathInjection.java:72:47:72:59 | finalFilePath | FilePathInjection.java:64:21:64:34 | getPara(...) : String | FilePathInjection.java:72:47:72:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:64:21:64:34 | getPara(...) | user-provided value |
|
||||
| FilePathInjection.java:95:47:95:59 | finalFilePath | FilePathInjection.java:87:21:87:34 | getPara(...) : String | FilePathInjection.java:95:47:95:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:87:21:87:34 | getPara(...) | user-provided value |
|
||||
| FilePathInjection.java:182:30:182:33 | file | FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:182:30:182:33 | file | External control of file name or path due to $@. | FilePathInjection.java:205:17:205:44 | getParameter(...) | user-provided value |
|
||||
| FilePathInjection.java:209:24:209:31 | filePath | FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:209:24:209:31 | filePath | External control of file name or path due to $@. | FilePathInjection.java:205:17:205:44 | getParameter(...) | user-provided value |
|
||||
|
||||
@@ -3,6 +3,7 @@ edges
|
||||
| UnsafeLoadSpringResource.java:31:27:31:57 | new ClassPathResource(...) : ClassPathResource | UnsafeLoadSpringResource.java:35:31:35:33 | clr |
|
||||
| UnsafeLoadSpringResource.java:31:49:31:56 | fileName : String | UnsafeLoadSpringResource.java:31:27:31:57 | new ClassPathResource(...) : ClassPathResource |
|
||||
| UnsafeLoadSpringResource.java:68:32:68:77 | fileName : String | UnsafeLoadSpringResource.java:76:38:76:45 | fileName |
|
||||
| UnsafeLoadSpringResource.java:108:32:108:77 | fileName : String | UnsafeLoadSpringResource.java:116:51:116:58 | fileName |
|
||||
| UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | UnsafeRequestPath.java:23:33:23:36 | path |
|
||||
| UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:17:20:17:25 | params : Map |
|
||||
| UnsafeResourceGet2.java:17:20:17:25 | params : Map | UnsafeResourceGet2.java:17:20:17:40 | get(...) : Object |
|
||||
@@ -35,6 +36,8 @@ nodes
|
||||
| UnsafeLoadSpringResource.java:35:31:35:33 | clr | semmle.label | clr |
|
||||
| UnsafeLoadSpringResource.java:68:32:68:77 | fileName : String | semmle.label | fileName : String |
|
||||
| UnsafeLoadSpringResource.java:76:38:76:45 | fileName | semmle.label | fileName |
|
||||
| UnsafeLoadSpringResource.java:108:32:108:77 | fileName : String | semmle.label | fileName : String |
|
||||
| UnsafeLoadSpringResource.java:116:51:116:58 | fileName | semmle.label | fileName |
|
||||
| UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | semmle.label | getServletPath(...) : String |
|
||||
| UnsafeRequestPath.java:23:33:23:36 | path | semmle.label | path |
|
||||
| UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) : Map | semmle.label | getRequestParameterMap(...) : Map |
|
||||
@@ -83,6 +86,7 @@ subpaths
|
||||
#select
|
||||
| UnsafeLoadSpringResource.java:35:31:35:33 | clr | UnsafeLoadSpringResource.java:27:32:27:77 | fileName : String | UnsafeLoadSpringResource.java:35:31:35:33 | clr | Potentially untrusted URL forward due to $@. | UnsafeLoadSpringResource.java:27:32:27:77 | fileName | user-provided value |
|
||||
| UnsafeLoadSpringResource.java:76:38:76:45 | fileName | UnsafeLoadSpringResource.java:68:32:68:77 | fileName : String | UnsafeLoadSpringResource.java:76:38:76:45 | fileName | Potentially untrusted URL forward due to $@. | UnsafeLoadSpringResource.java:68:32:68:77 | fileName | user-provided value |
|
||||
| UnsafeLoadSpringResource.java:116:51:116:58 | fileName | UnsafeLoadSpringResource.java:108:32:108:77 | fileName : String | UnsafeLoadSpringResource.java:116:51:116:58 | fileName | Potentially untrusted URL forward due to $@. | UnsafeLoadSpringResource.java:108:32:108:77 | fileName | user-provided value |
|
||||
| UnsafeRequestPath.java:23:33:23:36 | path | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | UnsafeRequestPath.java:23:33:23:36 | path | Potentially untrusted URL forward due to $@. | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) | user-provided value |
|
||||
| UnsafeResourceGet2.java:19:93:19:99 | loadUrl | UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:19:93:19:99 | loadUrl | Potentially untrusted URL forward due to $@. | UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) | user-provided value |
|
||||
| UnsafeResourceGet2.java:37:20:37:22 | url | UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:37:20:37:22 | url | Potentially untrusted URL forward due to $@. | UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) | user-provided value |
|
||||
|
||||
11
java/ql/test/kotlin/library-tests/dataflow/summaries/use.kt
Normal file
11
java/ql/test/kotlin/library-tests/dataflow/summaries/use.kt
Normal file
@@ -0,0 +1,11 @@
|
||||
import java.io.Closeable
|
||||
|
||||
class UseFlowTest {
|
||||
fun <T> taint(t: T) = t
|
||||
fun sink(s: Closeable) { }
|
||||
|
||||
fun test(input: Closeable) {
|
||||
taint(input).use { it -> sink(it) } // $ hasValueFlow
|
||||
sink(taint(input).use { it }) // $ hasValueFlow
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
class WithFlowTest {
|
||||
fun <T> taint(t: T) = t
|
||||
fun sink(s: String) { }
|
||||
|
||||
fun test(input: String) {
|
||||
with(taint(input)) { sink(this) } // $ hasValueFlow
|
||||
sink(with(taint(input)) { this }) // $ hasValueFlow
|
||||
}
|
||||
}
|
||||
31
java/ql/test/library-tests/dispatch/CallableViaSummary.java
Normal file
31
java/ql/test/library-tests/dispatch/CallableViaSummary.java
Normal file
@@ -0,0 +1,31 @@
|
||||
import java.util.*;
|
||||
|
||||
public class CallableViaSummary {
|
||||
public interface Element {
|
||||
public void handle(String message);
|
||||
}
|
||||
|
||||
public void main(String[] args) {
|
||||
List<Element> elements = new ArrayList<>();
|
||||
|
||||
List<Element> elements2 = new ArrayList<>();
|
||||
|
||||
elements.add(new Element() {
|
||||
@Override
|
||||
public void handle(String message) {
|
||||
System.out.println(message);
|
||||
}
|
||||
});
|
||||
|
||||
elements.add(message -> System.out.println(message));
|
||||
|
||||
// This dispatches to the two added elements because
|
||||
// the summary of ArrayList causes flow via type tracking.
|
||||
elements.get(0).handle("Hello, world!");
|
||||
|
||||
// This does not dispatch to anything, showing that the
|
||||
// open-world assumption does not apply
|
||||
// (and hence that type tracking is necessary above).
|
||||
elements2.get(0).handle("Hello, world!");
|
||||
}
|
||||
}
|
||||
2
java/ql/test/library-tests/dispatch/viaSummary.expected
Normal file
2
java/ql/test/library-tests/dispatch/viaSummary.expected
Normal file
@@ -0,0 +1,2 @@
|
||||
| CallableViaSummary.java:24:9:24:47 | handle(...) | CallableViaSummary.java:15:25:15:30 | handle |
|
||||
| CallableViaSummary.java:24:9:24:47 | handle(...) | CallableViaSummary.java:20:22:20:59 | handle |
|
||||
9
java/ql/test/library-tests/dispatch/viaSummary.ql
Normal file
9
java/ql/test/library-tests/dispatch/viaSummary.ql
Normal file
@@ -0,0 +1,9 @@
|
||||
import java
|
||||
import semmle.code.java.dispatch.VirtualDispatch
|
||||
|
||||
from MethodAccess ma, Method m
|
||||
where
|
||||
m = viableImpl(ma) and
|
||||
m.fromSource() and
|
||||
ma.getFile().toString() = "CallableViaSummary"
|
||||
select ma, m
|
||||
@@ -25,7 +25,7 @@ public class Test {
|
||||
<K> K getMapKeyDefault(Map.Entry<K,?> container) { return container.getKey(); }
|
||||
JsonElement getMapValueDefault(JsonObject container) { return container.get(null); }
|
||||
<V> V getMapValueDefault(Map.Entry<?,V> container) { return container.getValue(); }
|
||||
JsonArray newWithElementDefault(String element) { JsonArray a = new JsonArray(); a.add(element); return a; }
|
||||
JsonArray newWithElementDefault(JsonElement element) { JsonArray a = new JsonArray(); a.add(element); return a; }
|
||||
JsonObject newWithMapKeyDefault(String key) { JsonObject o = new JsonObject(); o.add(key, (JsonElement) null); return o; }
|
||||
JsonObject newWithMapValueDefault(JsonElement element) { JsonObject o = new JsonObject(); o.add(null, element); return o; }
|
||||
Object source() { return null; }
|
||||
@@ -232,51 +232,58 @@ public class Test {
|
||||
sink(out); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"
|
||||
// "com.google.gson;JsonArray;true;add;(Boolean);;Argument[0];Argument[this].Element;taint;manual"
|
||||
JsonArray out = null;
|
||||
Boolean in = (Boolean)source();
|
||||
out.add(in);
|
||||
sink(getElement(out)); // $ hasValueFlow
|
||||
sink(getElement(out)); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"
|
||||
// "com.google.gson;JsonArray;true;add;(Character);;Argument[0];Argument[this].Element;taint;manual"
|
||||
JsonArray out = null;
|
||||
Character in = (Character)source();
|
||||
out.add(in);
|
||||
sink(getElement(out)); // $ hasValueFlow
|
||||
sink(getElement(out)); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"
|
||||
// "com.google.gson;JsonArray;true;add;(JsonElement);;Argument[0];Argument[this].Element;value;manual"
|
||||
JsonArray out = null;
|
||||
JsonElement in = (JsonElement)source();
|
||||
out.add(in);
|
||||
sink(getElement(out)); // $ hasValueFlow
|
||||
}
|
||||
{
|
||||
// "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"
|
||||
// "com.google.gson;JsonArray;true;add;(Number);;Argument[0];Argument[this].Element;taint;manual"
|
||||
JsonArray out = null;
|
||||
Number in = (Number)source();
|
||||
out.add(in);
|
||||
sink(getElement(out)); // $ hasValueFlow
|
||||
sink(getElement(out)); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"
|
||||
// "com.google.gson;JsonArray;true;add;(String);;Argument[0];Argument[this].Element;taint;manual"
|
||||
JsonArray out = null;
|
||||
String in = (String)source();
|
||||
out.add(in);
|
||||
sink(getElement(out)); // $ hasTaintFlow
|
||||
}
|
||||
{
|
||||
// "com.google.gson;JsonArray;true;addAll;(JsonArray);;Argument[0].Element;Argument[this].Element;value;manual"
|
||||
JsonArray out = null;
|
||||
JsonArray in = newWithElementDefault((JsonElement) source());
|
||||
out.addAll(in);
|
||||
sink(getElement(out)); // $ hasValueFlow
|
||||
}
|
||||
{
|
||||
// "com.google.gson;JsonArray;true;asList;;;Argument[this].Element;ReturnValue.Element;value;manual"
|
||||
List out = null;
|
||||
JsonArray in = (JsonArray)newWithElementDefault((String) source());
|
||||
JsonArray in = newWithElementDefault((JsonElement) source());
|
||||
out = in.asList();
|
||||
sink(getElement(out)); // $ hasValueFlow
|
||||
}
|
||||
{
|
||||
// "com.google.gson;JsonArray;true;get;;;Argument[this].Element;ReturnValue;value;manual"
|
||||
JsonElement out = null;
|
||||
JsonArray in = (JsonArray)newWithElementDefault((String) source());
|
||||
JsonArray in = newWithElementDefault((JsonElement) source());
|
||||
out = in.get(0);
|
||||
sink(out); // $ hasValueFlow
|
||||
}
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
| ExposesRep.java:11:19:11:28 | getStrings | getStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:5:5:5:19 | User.java:5:5:5:19 | after this call to getStrings |
|
||||
| ExposesRep.java:11:19:11:28 | getStrings | getStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:13:12:13:26 | User.java:13:12:13:26 | after this call to getStrings |
|
||||
| ExposesRep.java:11:19:11:28 | getStrings | getStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:38:12:38:26 | User.java:38:12:38:26 | after this call to getStrings |
|
||||
| ExposesRep.java:13:30:13:41 | getStringMap | getStringMap exposes the internal representation stored in field stringMap. The value may be modified $@. | User.java:9:5:9:21 | User.java:9:5:9:21 | after this call to getStringMap |
|
||||
| ExposesRep.java:17:15:17:24 | setStrings | setStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:22:5:22:6 | User.java:22:5:22:6 | through the variable ss |
|
||||
| ExposesRep.java:21:15:21:26 | setStringMap | setStringMap exposes the internal representation stored in field stringMap. The value may be modified $@. | User.java:27:5:27:5 | User.java:27:5:27:5 | through the variable m |
|
||||
| ExposesRep.java:29:14:29:21 | getArray | getArray exposes the internal representation stored in field array. The value may be modified $@. | User.java:31:5:31:18 | User.java:31:5:31:18 | after this call to getArray |
|
||||
| ExposesRep.java:11:19:11:28 | getStrings | getStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:5:5:5:19 | getStrings(...) | after this call to getStrings |
|
||||
| ExposesRep.java:11:19:11:28 | getStrings | getStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:13:12:13:26 | getStrings(...) | after this call to getStrings |
|
||||
| ExposesRep.java:11:19:11:28 | getStrings | getStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:38:12:38:26 | getStrings(...) | after this call to getStrings |
|
||||
| ExposesRep.java:13:30:13:41 | getStringMap | getStringMap exposes the internal representation stored in field stringMap. The value may be modified $@. | User.java:9:5:9:21 | getStringMap(...) | after this call to getStringMap |
|
||||
| ExposesRep.java:17:15:17:24 | setStrings | setStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:22:5:22:6 | ss | through the variable ss |
|
||||
| ExposesRep.java:21:15:21:26 | setStringMap | setStringMap exposes the internal representation stored in field stringMap. The value may be modified $@. | User.java:27:5:27:5 | m | through the variable m |
|
||||
| ExposesRep.java:29:14:29:21 | getArray | getArray exposes the internal representation stored in field array. The value may be modified $@. | User.java:31:5:31:18 | getArray(...) | after this call to getArray |
|
||||
|
||||
@@ -1,2 +1,3 @@
|
||||
| java.io.File#File(String) | 1 |
|
||||
| java.io.FileWriter#FileWriter(File) | 1 |
|
||||
| java.net.URL#openStream() | 1 |
|
||||
|
||||
Reference in New Issue
Block a user