Merge branch 'main' into feat/JLL/depricated_bintray_usage

Jonathan Leitschuh
2021-02-15 10:48:28 -05:00
committed by GitHub
245 changed files with 15781 additions and 8365 deletions


@@ -100,7 +100,7 @@ class CloseReader {
private void init(InputStreamReader reader) {
fileRd = new BufferedReader(reader);
}
public void readStuff() {
public void readStuff() throws java.io.IOException {
System.out.println(fileRd.readLine());
fileRd.close();
}


@@ -30,21 +30,21 @@ public class A {
break;
} while (c.cond());
// --- while, for loops ---
while (false) {
if (c.cond())
continue; // GOOD [never reached, if the condition changed so it was then the result would no longer apply]
if (c.cond())
break;
}
for (i = 0; false; i++) {
if (c.cond())
continue; // GOOD [never reached, if the condition changed so it was then the result would no longer apply]
if (c.cond())
break;
}
// --- nested loops ---


@@ -1,10 +1,10 @@
class IAmAGoodCloneable implements Cloneable {
public Object clone() {
public Object clone() throws CloneNotSupportedException {
return super.clone();
}
}
class Sub1 extends IAmAGoodCloneable { public Object clone() { return super.clone(); } }
class Sub1 extends IAmAGoodCloneable { public Object clone() throws CloneNotSupportedException { return super.clone(); } }
class IAmABadCloneable implements Cloneable {
public Object clone() {


@@ -3,7 +3,7 @@ class GoodReturn {
@Override
public int hashCode() {
getClass().hashCode();
return getClass().hashCode();
}
@Override


@@ -171,7 +171,7 @@ public class C {
private void verifyBool(boolean b) {
if (!b) {
throw new Exception();
throw new Error();
}
}
@@ -192,7 +192,7 @@ public class C {
private void verifyNotNull(Object obj) {
if (obj == null) {
throw new Exception();
throw new Error();
}
}
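Review bot: `throw new Error();` in `verifyBool` and `verifyNotNull` swaps the uncompilable checked `Exception` for the type Java reserves for serious problems that callers are not expected to catch, which misstates a failed precondition. An unchecked exception compiles just as well without a `throws` clause and states the intent, for example `throw new IllegalStateException();` here and `throw new IllegalArgumentException();` for the argument checks. The same substitution appears further down the page in the `A(int[] arr2, int n)` constructor, in `Test.test(int x)` and in both "Useless check" branches. These files look like analysis fixtures, so confirm the expected results do not depend on the thrown type before changing it.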


@@ -5,7 +5,7 @@ public class A {
public A(int[] arr2, int n) {
if (arr2.length % 2 != 0)
throw new Exception();
throw new Error();
this.arr2 = arr2;
this.arr3 = new int[n << 1];
}
@@ -168,7 +168,7 @@ public class A {
if (n > 0) {
a = n > 0 ? new int[3 * n] : null;
}
int sum;
int sum = 0;
if (a != null) {
for (int i = 0; i < a.length; i += 3) {
sum += a[i + 2]; // OK


@@ -7,9 +7,9 @@ class UseBraces
void f() { }
void g() { }
void h() { }
void test()
void test(boolean bb)
{
int x, y;
int x = 0, y;
int[] branches = new int[10];
// If-then statement
@@ -67,27 +67,27 @@ class UseBraces
// While statement
while(false)
while(bb)
{
f();
}
g(); // No alert
while(false)
while(bb)
f();
g();
while(false)
while(bb )
f();
g(); // Alert
g(); // No alert
while(false)
while(bb )
f(); g(); // Alert
while(false)
while(bb)
if (x != 0) x = 1;
// Do-while statement


@@ -3,7 +3,7 @@ class Test {
void test(int x) {
z = getInt();
if (x < 0 || z < 0) {
throw new Exception();
throw new Error();
}
int y = 0;
if (x >= 0) y++; // useless test due to test in line 5 being false


@@ -7,7 +7,7 @@ public class A {
new Object();
} catch(Exception e) {
if (e == null) { // Useless check
throw new Exception();
throw new Error();
}
}
}
@@ -16,7 +16,7 @@ public class A {
if (o instanceof A) {
A a = (A)o;
if (a != null) { // Useless check
throw new Exception();
throw new Error();
}
}
}


@@ -16,7 +16,7 @@ public class ReflectionTest {
public int shadowedField;
}
public static void main(String[] args) {
public static void main(String[] args) throws NoSuchFieldException {
// Ensure the two classes are live, otherwise we might hide some results
new ParentClass();
new ChildClass();


@@ -19,7 +19,7 @@ public class ReflectionMethodTest {
public void test4() { }
}
public static void main(String[] args) throws InstantiationException, IllegalAccessException, ClassNotFoundException {
public static void main(String[] args) throws InstantiationException, IllegalAccessException, ClassNotFoundException, NoSuchMethodException {
// Get class by name
Class.forName("ReflectionTest$TestObject1").getMethod("test1");
// Use classloader


@@ -3,7 +3,7 @@ import java.nio.file.*;
import java.util.zip.*;
public class ZipTest {
public void m1(ZipEntry entry, File dir) {
public void m1(ZipEntry entry, File dir) throws Exception {
String name = entry.getName();
File file = new File(dir, name);
FileOutputStream os = new FileOutputStream(file); // ZipSlip
@@ -11,7 +11,7 @@ public class ZipTest {
FileWriter fw = new FileWriter(file); // ZipSlip
}
public void m2(ZipEntry entry, File dir) {
public void m2(ZipEntry entry, File dir) throws Exception {
String name = entry.getName();
File file = new File(dir, name);
File canFile = file.getCanonicalFile();
@@ -21,7 +21,7 @@ public class ZipTest {
FileOutputStream os = new FileOutputStream(file); // OK
}
public void m3(ZipEntry entry, File dir) {
public void m3(ZipEntry entry, File dir) throws Exception {
String name = entry.getName();
File file = new File(dir, name);
if (!file.toPath().normalize().startsWith(dir.toPath()))
@@ -29,20 +29,20 @@ public class ZipTest {
FileOutputStream os = new FileOutputStream(file); // OK
}
private void validate(File tgtdir, File file) {
private void validate(File tgtdir, File file) throws Exception {
File canFile = file.getCanonicalFile();
if (!canFile.toPath().startsWith(tgtdir.toPath()))
throw new Exception();
}
public void m4(ZipEntry entry, File dir) {
public void m4(ZipEntry entry, File dir) throws Exception {
String name = entry.getName();
File file = new File(dir, name);
validate(dir, file);
FileOutputStream os = new FileOutputStream(file); // OK
}
public void m5(ZipEntry entry, File dir) {
public void m5(ZipEntry entry, File dir) throws Exception {
String name = entry.getName();
File file = new File(dir, name);
Path absfile = file.toPath().toAbsolutePath().normalize();
@@ -52,7 +52,7 @@ public class ZipTest {
FileOutputStream os = new FileOutputStream(file); // OK
}
public void m6(ZipEntry entry, Path dir) {
public void m6(ZipEntry entry, Path dir) throws Exception {
String canonicalDest = dir.toFile().getCanonicalPath();
Path target = dir.resolve(entry.getName());
String canonicalTarget = target.toFile().getCanonicalPath();
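Review bot: With `throws Exception` now on `validate` and on `m1` through `m6`, the path-traversal rejection in `validate` (`throw new Exception();`, no message) cannot be told apart from an I/O failure of `getCanonicalFile()` by a caller or by anyone reading a log. A specific type with a message would keep that signal, for example `throw new IOException("zip entry resolves outside " + tgtdir);`. If the checks in `m2`, `m3` and `m5` (their throw statements are outside the hunks) do the same, the signatures could narrow to `throws IOException`. A one-line comment on `validate`, such as `// rejects entries whose canonical path is not under tgtdir`, would also document why `m4` is marked `// OK`. The body of `m6` continues past the last hunk.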


@@ -3,7 +3,7 @@ import java.util.List;
import java.util.ArrayList;
class Test {
public static void shellCommand(String arg) {
public static void shellCommand(String arg) throws java.io.IOException {
ProcessBuilder pb = new ProcessBuilder("/bin/bash -c echo " + arg);
pb.start();
@@ -25,7 +25,7 @@ class Test {
pb.start();
}
public static void nonShellCommand(String arg) {
public static void nonShellCommand(String arg) throws java.io.IOException {
ProcessBuilder pb = new ProcessBuilder("./customTool " + arg);
pb.start();
@@ -46,7 +46,7 @@ class Test {
pb.start();
}
public static void relativeCommand() {
public static void relativeCommand() throws java.io.IOException {
ProcessBuilder pb = new ProcessBuilder("ls");
pb.start();
@@ -54,11 +54,11 @@ class Test {
pb.start();
}
public static void main(String[] args) {
public static void main(String[] args) throws java.io.IOException {
String arg = args.length > 1 ? args[1] : "default";
shellCommand(arg);
nonShellCommand(arg);
relativeCommand();
}
}
}


@@ -66,7 +66,7 @@ public class UnsafeHostnameVerification {
HostnameVerifier verifier = new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
verify(hostname, session.getPeerCertificates());
try { verify(hostname, session.getPeerCertificates()); } catch (Exception e) { throw new RuntimeException(); }
return true; // GOOD [but detected as BAD]. The verification of the certificate is done in
// another method and
// in the case of a mismatch, an `Exception` is thrown so the `return true`
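Review bot: The catch block added inside `verify(String hostname, SSLSession session)` rethrows as `new RuntimeException()` with no cause, so a certificate mismatch from the inner `verify(hostname, session.getPeerCertificates())` loses its type, message and stack trace before it reaches the caller or a log. Pass the caught exception through with `catch (Exception e) { throw new RuntimeException(e); }`. Putting the `try`/`catch` on separate lines would also make the failure path easier to see than the current one-liner. The method's trailing comment and the rest of its body run past the end of the hunk.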


@@ -3,7 +3,7 @@ import javax.net.ssl.HttpsURLConnection;
import java.io.*;
class Test {
public void m1(HttpURLConnection connection) {
public void m1(HttpURLConnection connection) throws java.io.IOException {
InputStream input;
if (connection instanceof HttpsURLConnection) {
input = connection.getInputStream(); // OK


@@ -31,7 +31,7 @@ class Test {
return true;
}
public void doConnect(int desiredPort, String username) {
public void doConnect(int desiredPort, String username) throws Exception {
ServerSocket listenSocket = new ServerSocket(desiredPort);
if (isAuthenticated(username)) {
@@ -56,7 +56,7 @@ class Test {
}
public void doConnectChannel(int desiredPort, String username) {
public void doConnectChannel(int desiredPort, String username) throws Exception {
ServerSocketChannel listenChannel = ServerSocketChannel.open();
SocketAddress port = new InetSocketAddress(desiredPort);
listenChannel.bind(port);


@@ -9,32 +9,32 @@ import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.Yaml;
public class A {
public Object deserialize1(Socket sock) {
public Object deserialize1(Socket sock) throws java.io.IOException, ClassNotFoundException {
InputStream inputStream = sock.getInputStream();
ObjectInputStream in = new ObjectInputStream(inputStream);
return in.readObject(); // unsafe
}
public Object deserialize2(Socket sock) {
public Object deserialize2(Socket sock) throws java.io.IOException, ClassNotFoundException {
InputStream inputStream = sock.getInputStream();
ObjectInputStream in = new ObjectInputStream(inputStream);
return in.readUnshared(); // unsafe
}
public Object deserialize3(Socket sock) {
public Object deserialize3(Socket sock) throws java.io.IOException {
InputStream inputStream = sock.getInputStream();
XMLDecoder d = new XMLDecoder(inputStream);
return d.readObject(); // unsafe
}
public Object deserialize4(Socket sock) {
public Object deserialize4(Socket sock) throws java.io.IOException {
XStream xs = new XStream();
InputStream inputStream = sock.getInputStream();
Reader reader = new InputStreamReader(inputStream);
return xs.fromXML(reader); // unsafe
}
public void deserialize5(Socket sock) {
public void deserialize5(Socket sock) throws java.io.IOException {
Kryo kryo = new Kryo();
Input input = new Input(sock.getInputStream());
A a1 = kryo.readObject(input, A.class); // unsafe
@@ -42,20 +42,20 @@ public class A {
Object o = kryo.readClassAndObject(input); // unsafe
}
private Kryo getSafeKryo() {
private Kryo getSafeKryo() throws java.io.IOException {
Kryo kryo = new Kryo();
kryo.setRegistrationRequired(true);
// ... kryo.register(A.class) ...
return kryo;
}
public void deserialize6(Socket sock) {
public void deserialize6(Socket sock) throws java.io.IOException {
Kryo kryo = getSafeKryo();
Input input = new Input(sock.getInputStream());
Object o = kryo.readClassAndObject(input); // OK
}
public void deserializeSnakeYaml(Socket sock) {
public void deserializeSnakeYaml(Socket sock) throws java.io.IOException {
Yaml yaml = new Yaml();
InputStream input = sock.getInputStream();
Object o = yaml.load(input); //unsafe
@@ -65,7 +65,7 @@ public class A {
A o5 = yaml.loadAs(new InputStreamReader(input), A.class); //unsafe
}
public void deserializeSnakeYaml2(Socket sock) {
public void deserializeSnakeYaml2(Socket sock) throws java.io.IOException {
Yaml yaml = new Yaml(new Constructor());
InputStream input = sock.getInputStream();
Object o = yaml.load(input); //unsafe
@@ -75,7 +75,7 @@ public class A {
A o5 = yaml.loadAs(new InputStreamReader(input), A.class); //unsafe
}
public void deserializeSnakeYaml3(Socket sock) {
public void deserializeSnakeYaml3(Socket sock) throws java.io.IOException {
Yaml yaml = new Yaml(new SafeConstructor());
InputStream input = sock.getInputStream();
Object o = yaml.load(input); //OK
@@ -85,7 +85,7 @@ public class A {
A o5 = yaml.loadAs(new InputStreamReader(input), A.class); //OK
}
public void deserializeSnakeYaml4(Socket sock) {
public void deserializeSnakeYaml4(Socket sock) throws java.io.IOException {
Yaml yaml = new Yaml(new Constructor(A.class));
InputStream input = sock.getInputStream();
Object o = yaml.load(input); //OK
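Review bot: `getSafeKryo()` gains `throws java.io.IOException`, but the body shown in the hunk only constructs a `Kryo`, calls `setRegistrationRequired(true)` and returns it, and none of those steps appears to perform I/O. The clause can be dropped, leaving `private Kryo getSafeKryo() {`, since `deserialize6` already declares its own `throws java.io.IOException` for `sock.getInputStream()`. Keeping the helper free of checked exceptions also makes it clearer that the only fallible step in `deserialize6` is reading from the socket. A short comment on the helper, such as `// registration required: only explicitly registered classes can be deserialized`, would explain why the `readClassAndObject` call after it is marked `// OK`.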


@@ -3,19 +3,19 @@ import java.net.Socket;
import com.alibaba.fastjson.JSON;
public class B {
public Object deserializeJson1(Socket sock) {
public Object deserializeJson1(Socket sock) throws java.io.IOException {
InputStream inputStream = sock.getInputStream();
return JSON.parseObject(inputStream, null); // unsafe
}
public Object deserializeJson2(Socket sock) {
public Object deserializeJson2(Socket sock) throws java.io.IOException {
InputStream inputStream = sock.getInputStream();
byte[] bytes = new byte[100];
inputStream.read(bytes);
return JSON.parse(bytes); // unsafe
}
public Object deserializeJson3(Socket sock) {
public Object deserializeJson3(Socket sock) throws java.io.IOException {
InputStream inputStream = sock.getInputStream();
byte[] bytes = new byte[100];
inputStream.read(bytes);
@@ -23,7 +23,7 @@ public class B {
return JSON.parseObject(s); // unsafe
}
public Object deserializeJson4(Socket sock) {
public Object deserializeJson4(Socket sock) throws java.io.IOException {
InputStream inputStream = sock.getInputStream();
byte[] bytes = new byte[100];
inputStream.read(bytes);


@@ -102,7 +102,7 @@ class DocumentBuilderTests {
builder.parse(source.getInputStream()); //unsafe
}
private static DocumentBuilderFactory getDocumentBuilderFactory() {
private static DocumentBuilderFactory getDocumentBuilderFactory() throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
String feature = "";
feature = "http://xml.org/sax/features/external-parameter-entities";
@@ -115,8 +115,8 @@ class DocumentBuilderTests {
private static final ThreadLocal<DocumentBuilder> XML_DOCUMENT_BUILDER = new ThreadLocal<DocumentBuilder>() {
@Override
protected DocumentBuilder initialValue() {
DocumentBuilderFactory factory = getDocumentBuilderFactory();
try {
DocumentBuilderFactory factory = getDocumentBuilderFactory();
return factory.newDocumentBuilder();
} catch (Exception ex) {
throw new RuntimeException(ex);


@@ -31,11 +31,11 @@ class Test {
new FileInputStream(f2);
}
public static void readFile(File f) {
public static void readFile(File f) throws java.io.FileNotFoundException {
new FileReader(f);
}
public static void setWorldWritable(File f) {
f.setWritable(true, false);
}
}
}


@@ -1,4 +1,4 @@
| MethodAccessLockOrder.java:29:4:29:40 | transferFrom(...) | Synchronization here and $@ may be performed in reverse order starting $@ and result in deadlock. | MethodAccessLockOrder.java:8:21:8:41 | subtract(...) | here | MethodAccessLockOrder.java:31:4:31:40 | transferFrom(...) | here |
| MethodAccessLockOrder.java:29:11:29:47 | transferFrom(...) | Synchronization here and $@ may be performed in reverse order starting $@ and result in deadlock. | MethodAccessLockOrder.java:8:21:8:41 | subtract(...) | here | MethodAccessLockOrder.java:31:11:31:47 | transferFrom(...) | here |
| ReentrantLockOrder.java:11:4:11:21 | lock(...) | Synchronization here and $@ may be performed in reverse order starting $@ and result in deadlock. | ReentrantLockOrder.java:12:4:12:21 | lock(...) | here | ReentrantLockOrder.java:28:4:28:21 | lock(...) | here |
| ReentrantLockOrder.java:28:4:28:21 | lock(...) | Synchronization here and $@ may be performed in reverse order starting $@ and result in deadlock. | ReentrantLockOrder.java:29:4:29:21 | lock(...) | here | ReentrantLockOrder.java:11:4:11:21 | lock(...) | here |
| SynchronizedStmtLockOrder.java:8:16:8:26 | primaryLock | Synchronization here and $@ may be performed in reverse order starting $@ and result in deadlock. | SynchronizedStmtLockOrder.java:9:17:9:27 | savingsLock | here | SynchronizedStmtLockOrder.java:22:16:22:26 | savingsLock | here |


@@ -26,9 +26,9 @@ class MethodAccessLockOrder {
public boolean initiateTransfer(boolean fromSavings, int amount) {
// AVOID: inconsistent lock order
if (fromSavings) {
primary.transferFrom(savings, amount);
return primary.transferFrom(savings, amount);
} else {
savings.transferFrom(primary, amount);
return savings.transferFrom(primary, amount);
}
}