hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 18:25:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into atorralba/promote-mvel-injection

Browse Source
This commit is contained in:
Tony Torralba
2021-06-16 15:44:43 +02:00
committed by GitHub
parent 34a8383c1a 9b84a8e146
commit dab33b21fb
800 changed files with 15540 additions and 6277 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.expected
View File

@@ -1,8 +1,10 @@
edges
| Test.java:6:35:6:44 | arg : String | Test.java:7:44:7:69 | ... + ... |
| Test.java:6:35:6:44 | arg : String | Test.java:10:29:10:74 | new String[] |
| Test.java:6:35:6:44 | arg : String | Test.java:18:29:18:31 | cmd |
| Test.java:6:35:6:44 | arg : String | Test.java:16:13:16:25 | ... + ... : String |
| Test.java:6:35:6:44 | arg : String | Test.java:24:29:24:32 | cmd1 |
| Test.java:16:5:16:7 | cmd [post update] : List | Test.java:18:29:18:31 | cmd |
| Test.java:16:13:16:25 | ... + ... : String | Test.java:16:5:16:7 | cmd [post update] : List |
| Test.java:28:38:28:47 | arg : String | Test.java:29:44:29:64 | ... + ... |
| Test.java:57:27:57:39 | args : String[] | Test.java:60:20:60:22 | arg : String |
| Test.java:57:27:57:39 | args : String[] | Test.java:61:23:61:25 | arg : String |
@@ -12,6 +14,8 @@ nodes
| Test.java:6:35:6:44 | arg : String | semmle.label | arg : String |
| Test.java:7:44:7:69 | ... + ... | semmle.label | ... + ... |
| Test.java:10:29:10:74 | new String[] | semmle.label | new String[] |
| Test.java:16:5:16:7 | cmd [post update] : List | semmle.label | cmd [post update] : List |
| Test.java:16:13:16:25 | ... + ... : String | semmle.label | ... + ... : String |
| Test.java:18:29:18:31 | cmd | semmle.label | cmd |
| Test.java:24:29:24:32 | cmd1 | semmle.label | cmd1 |
| Test.java:28:38:28:47 | arg : String | semmle.label | arg : String |

4
java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.expected
View File

@@ -1,19 +1,15 @@
edges
| XSS.java:23:21:23:48 | getParameter(...) : String | XSS.java:23:5:23:70 | ... + ... |
| XSS.java:27:21:27:48 | getParameter(...) : String | XSS.java:27:5:27:70 | ... + ... |
| XSS.java:38:67:38:87 | getPathInfo(...) : String | XSS.java:38:30:38:87 | ... + ... |
| XSS.java:41:36:41:56 | getPathInfo(...) : String | XSS.java:41:36:41:67 | getBytes(...) |
nodes
| XSS.java:23:5:23:70 | ... + ... | semmle.label | ... + ... |
| XSS.java:23:21:23:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| XSS.java:27:5:27:70 | ... + ... | semmle.label | ... + ... |
| XSS.java:27:21:27:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| XSS.java:38:30:38:87 | ... + ... | semmle.label | ... + ... |
| XSS.java:38:67:38:87 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
| XSS.java:41:36:41:56 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
| XSS.java:41:36:41:67 | getBytes(...) | semmle.label | getBytes(...) |
#select
| XSS.java:23:5:23:70 | ... + ... | XSS.java:23:21:23:48 | getParameter(...) : String | XSS.java:23:5:23:70 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:23:21:23:48 | getParameter(...) | user-provided value |
| XSS.java:27:5:27:70 | ... + ... | XSS.java:27:21:27:48 | getParameter(...) : String | XSS.java:27:5:27:70 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:27:21:27:48 | getParameter(...) | user-provided value |
| XSS.java:38:30:38:87 | ... + ... | XSS.java:38:67:38:87 | getPathInfo(...) : String | XSS.java:38:30:38:87 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:38:67:38:87 | getPathInfo(...) | user-provided value |
| XSS.java:41:36:41:67 | getBytes(...) | XSS.java:41:36:41:56 | getPathInfo(...) : String | XSS.java:41:36:41:67 | getBytes(...) | Cross-site scripting vulnerability due to $@. | XSS.java:41:36:41:56 | getPathInfo(...) | user-provided value |

4
java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java
View File

@@ -22,7 +22,7 @@ public class XSS extends HttpServlet {
response.getWriter().print(
"The page \"" + request.getParameter("page") + "\" was not found.");
// BAD: a request parameter is written directly to an error response page
// GOOD: servlet API encodes the error message HTML for the HTML context
response.sendError(HttpServletResponse.SC_NOT_FOUND,
"The page \"" + request.getParameter("page") + "\" was not found.");
@@ -30,7 +30,7 @@ public class XSS extends HttpServlet {
response.sendError(HttpServletResponse.SC_NOT_FOUND,
"The page \"" + encodeForHtml(request.getParameter("page")) + "\" was not found.");
// FALSE NEGATIVE: passed through function that is not a secure check
// GOOD: servlet API encodes the error message HTML for the HTML context
response.sendError(HttpServletResponse.SC_NOT_FOUND,
"The page \"" + capitalizeName(request.getParameter("page")) + "\" was not found.");

119
java/ql/test/query-tests/security/CWE-094/Jexl2Injection.java Normal file
View File

@@ -0,0 +1,119 @@
import org.apache.commons.jexl2.*;
import java.io.StringWriter;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.function.Consumer;
public class Jexl2Injection {
private static void runJexlExpression(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
Expression e = jexl.createExpression(jexlExpr);
JexlContext jc = new MapContext();
e.evaluate(jc); // $hasJexlInjection
}
private static void runJexlExpressionWithJexlInfo(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
Expression e = jexl.createExpression(jexlExpr, new DebugInfo("unknown", 0, 0));
JexlContext jc = new MapContext();
e.evaluate(jc); // $hasJexlInjection
}
private static void runJexlScript(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
Script script = jexl.createScript(jexlExpr);
JexlContext jc = new MapContext();
script.execute(jc); // $hasJexlInjection
}
private static void runJexlScriptViaCallable(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
Script script = jexl.createScript(jexlExpr);
JexlContext jc = new MapContext();
try {
script.callable(jc).call(); // $hasJexlInjection
} catch (Exception e) {
throw new RuntimeException(e);
}
}
private static void runJexlExpressionViaGetProperty(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
jexl.getProperty(new Object(), jexlExpr); // $hasJexlInjection
}
private static void runJexlExpressionViaSetProperty(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
jexl.setProperty(new Object(), jexlExpr, new Object()); // $hasJexlInjection
}
private static void runJexlExpressionViaUnifiedJEXLParseAndEvaluate(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
unifiedJEXL.parse(jexlExpr).evaluate(new MapContext()); // $hasJexlInjection
}
private static void runJexlExpressionViaUnifiedJEXLParseAndPrepare(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
unifiedJEXL.parse(jexlExpr).prepare(new MapContext()); // $hasJexlInjection
}
private static void runJexlExpressionViaUnifiedJEXLTemplateEvaluate(String jexlExpr) {
JexlEngine jexl = new JexlEngine();
UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
unifiedJEXL.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $hasJexlInjection
}
private static void testWithSocket(Consumer<String> action) throws Exception {
try (ServerSocket serverSocket = new ServerSocket(0)) {
try (Socket socket = serverSocket.accept()) {
byte[] bytes = new byte[1024];
int n = socket.getInputStream().read(bytes);
String jexlExpr = new String(bytes, 0, n);
action.accept(jexlExpr);
}
}
}
// below are tests for the query
public static void testWithJexlExpressionEvaluate() throws Exception {
testWithSocket(Jexl2Injection::runJexlExpression);
}
public static void testWithJexlExpressionEvaluateWithInfo() throws Exception {
testWithSocket(Jexl2Injection::runJexlExpressionWithJexlInfo);
}
public static void testWithJexlScriptExecute() throws Exception {
testWithSocket(Jexl2Injection::runJexlScript);
}
public static void testWithJexlScriptCallable() throws Exception {
testWithSocket(Jexl2Injection::runJexlScriptViaCallable);
}
public static void testWithJexlEngineGetProperty() throws Exception {
testWithSocket(Jexl2Injection::runJexlExpressionViaGetProperty);
}
public static void testWithJexlEngineSetProperty() throws Exception {
testWithSocket(Jexl2Injection::runJexlExpressionViaSetProperty);
}
public static void testWithUnifiedJEXLParseAndEvaluate() throws Exception {
testWithSocket(Jexl2Injection::runJexlExpressionViaUnifiedJEXLParseAndEvaluate);
}
public static void testWithUnifiedJEXLParseAndPrepare() throws Exception {
testWithSocket(Jexl2Injection::runJexlExpressionViaUnifiedJEXLParseAndPrepare);
}
public static void testWithUnifiedJEXLTemplateEvaluate() throws Exception {
testWithSocket(Jexl2Injection::runJexlExpressionViaUnifiedJEXLTemplateEvaluate);
}
}

194
java/ql/test/query-tests/security/CWE-094/Jexl3Injection.java Normal file
View File

@@ -0,0 +1,194 @@
import java.io.StringWriter;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.function.Consumer;
import org.apache.commons.jexl3.*;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
@Controller
public class Jexl3Injection {
private static void runJexlExpression(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JexlExpression e = jexl.createExpression(jexlExpr);
JexlContext jc = new MapContext();
e.evaluate(jc); // $hasJexlInjection
}
private static void runJexlExpressionWithJexlInfo(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JexlExpression e = jexl.createExpression(new JexlInfo("unknown", 0, 0), jexlExpr);
JexlContext jc = new MapContext();
e.evaluate(jc); // $hasJexlInjection
}
private static void runJexlScript(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JexlScript script = jexl.createScript(jexlExpr);
JexlContext jc = new MapContext();
script.execute(jc); // $hasJexlInjection
}
private static void runJexlScriptViaCallable(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JexlScript script = jexl.createScript(jexlExpr);
JexlContext jc = new MapContext();
try {
script.callable(jc).call(); // $hasJexlInjection
} catch (Exception e) {
throw new RuntimeException(e);
}
}
private static void runJexlExpressionViaGetProperty(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
jexl.getProperty(new Object(), jexlExpr); // $hasJexlInjection
}
private static void runJexlExpressionViaSetProperty(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
jexl.setProperty(new Object(), jexlExpr, new Object()); // $hasJexlInjection
}
private static void runJexlExpressionViaJxltEngineExpressionEvaluate(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JxltEngine jxlt = jexl.createJxltEngine();
jxlt.createExpression(jexlExpr).evaluate(new MapContext()); // $hasJexlInjection
}
private static void runJexlExpressionViaJxltEngineExpressionPrepare(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JxltEngine jxlt = jexl.createJxltEngine();
jxlt.createExpression(jexlExpr).prepare(new MapContext()); // $hasJexlInjection
}
private static void runJexlExpressionViaJxltEngineTemplateEvaluate(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JxltEngine jxlt = jexl.createJxltEngine();
jxlt.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $hasJexlInjection
}
private static void runJexlExpressionViaCallable(String jexlExpr) {
JexlEngine jexl = new JexlBuilder().create();
JexlExpression e = jexl.createExpression(jexlExpr);
JexlContext jc = new MapContext();
try {
e.callable(jc).call(); // $hasJexlInjection
} catch (Exception ex) {
throw new RuntimeException(ex);
}
}
private static void testWithSocket(Consumer<String> action) throws Exception {
try (ServerSocket serverSocket = new ServerSocket(0)) {
try (Socket socket = serverSocket.accept()) {
byte[] bytes = new byte[1024];
int n = socket.getInputStream().read(bytes);
String jexlExpr = new String(bytes, 0, n);
action.accept(jexlExpr);
}
}
}
// below are tests for the query
public static void testWithJexlExpressionEvaluate() throws Exception {
testWithSocket(Jexl3Injection::runJexlExpression);
}
public static void testWithJexlExpressionEvaluateWithInfo() throws Exception {
testWithSocket(Jexl3Injection::runJexlExpressionWithJexlInfo);
}
public static void testWithJexlScriptExecute() throws Exception {
testWithSocket(Jexl3Injection::runJexlScript);
}
public static void testWithJexlScriptCallable() throws Exception {
testWithSocket(Jexl3Injection::runJexlScriptViaCallable);
}
public static void testWithJexlEngineGetProperty() throws Exception {
testWithSocket(Jexl3Injection::runJexlExpressionViaGetProperty);
}
public static void testWithJexlEngineSetProperty() throws Exception {
testWithSocket(Jexl3Injection::runJexlExpressionViaSetProperty);
}
public static void testWithJxltEngineExpressionEvaluate() throws Exception {
testWithSocket(Jexl3Injection::runJexlExpressionViaJxltEngineExpressionEvaluate);
}
public static void testWithJxltEngineExpressionPrepare() throws Exception {
testWithSocket(Jexl3Injection::runJexlExpressionViaJxltEngineExpressionPrepare);
}
public static void testWithJxltEngineTemplateEvaluate() throws Exception {
testWithSocket(Jexl3Injection::runJexlExpressionViaJxltEngineTemplateEvaluate);
}
public static void testWithJexlExpressionCallable() throws Exception {
testWithSocket(Jexl3Injection::runJexlExpressionViaCallable);
}
@PostMapping("/request")
public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromPathVariable(@PathVariable String expr) {
runJexlExpression(expr);
return ResponseEntity.ok(HttpStatus.OK);
}
@PostMapping("/request")
public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBody(@RequestBody Data data) {
String expr = data.getExpr();
runJexlExpression(expr);
return ResponseEntity.ok(HttpStatus.OK);
}
@PostMapping("/request")
public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBodyWithNestedObjects(
@RequestBody CustomRequest customRequest) {
String expr = customRequest.getData().getExpr();
runJexlExpression(expr);
return ResponseEntity.ok(HttpStatus.OK);
}
public static class CustomRequest {
private Data data;
CustomRequest(Data data) {
this.data = data;
}
public Data getData() {
return data;
}
}
public static class Data {
private String expr;
Data(String expr) {
this.expr = expr;
}
public String getExpr() {
return expr;
}
}
}

0
java/ql/test/query-tests/security/CWE-094/JexlInjectionTest.expected Normal file
View File

33
java/ql/test/query-tests/security/CWE-094/JexlInjectionTest.ql Normal file
View File

@@ -0,0 +1,33 @@
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.FlowSteps
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.JexlInjection
import TestUtilities.InlineExpectationsTest
class Conf extends TaintTracking::Configuration {
Conf() { this = "qltest:cwe:jexl-injection" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
any(JexlInjectionAdditionalTaintStep c).step(node1, node2)
}
}
class JexlInjectionTest extends InlineExpectationsTest {
JexlInjectionTest() { this = "HasJexlInjectionTest" }
override string getARelevantTag() { result = "hasJexlInjection" }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasJexlInjection" and
exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}

47
java/ql/test/query-tests/security/CWE-094/SandboxedJexl2.java Normal file
View File

@@ -0,0 +1,47 @@
import org.apache.commons.jexl2.*;
import org.apache.commons.jexl2.introspection.*;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.function.Consumer;
public class SandboxedJexl2 {
private static void runJexlExpressionWithSandbox(String jexlExpr) {
Sandbox sandbox = new Sandbox();
sandbox.white(SandboxedJexl2.class.getCanonicalName());
Uberspect uberspect = new SandboxUberspectImpl(null, sandbox);
JexlEngine jexl = new JexlEngine(uberspect, null, null, null);
Expression e = jexl.createExpression(jexlExpr);
JexlContext jc = new MapContext();
e.evaluate(jc); // Safe
}
private static void runJexlExpressionViaSandboxedUnifiedJexl(String jexlExpr) {
Sandbox sandbox = new Sandbox();
sandbox.white(SandboxedJexl2.class.getCanonicalName());
Uberspect uberspect = new SandboxUberspectImpl(null, sandbox);
JexlEngine jexl = new JexlEngine(uberspect, null, null, null);
UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
unifiedJEXL.parse(jexlExpr).evaluate(new MapContext()); // Safe
}
private static void simpleServer(Consumer<String> action) throws Exception {
try (ServerSocket serverSocket = new ServerSocket(0)) {
try (Socket socket = serverSocket.accept()) {
byte[] bytes = new byte[1024];
int n = socket.getInputStream().read(bytes);
String jexlExpr = new String(bytes, 0, n);
action.accept(jexlExpr);
}
}
}
public static void saferJexlExpressionEvaluate() throws Exception {
simpleServer(SandboxedJexl2::runJexlExpressionWithSandbox);
}
public static void saferJexlExpressionEvaluateViaUnifiedJexl() throws Exception {
simpleServer(SandboxedJexl2::runJexlExpressionViaSandboxedUnifiedJexl);
}
}

76
java/ql/test/query-tests/security/CWE-094/SandboxedJexl3.java Normal file
View File

@@ -0,0 +1,76 @@
import java.net.ServerSocket;
import java.net.Socket;
import java.security.AccessControlException;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.function.Consumer;
import org.apache.commons.jexl3.*;
import org.apache.commons.jexl3.introspection.*;
public class SandboxedJexl3 {
private static void runJexlExpressionWithSandbox(String jexlExpr) {
JexlSandbox sandbox = new JexlSandbox(false);
sandbox.white(SandboxedJexl3.class.getCanonicalName());
JexlEngine jexl = new JexlBuilder().sandbox(sandbox).create();
JexlExpression e = jexl.createExpression(jexlExpr); // Safe
JexlContext jc = new MapContext();
e.evaluate(jc); // Safe
}
private static void runJexlExpressionWithUberspectSandbox(String jexlExpr) {
JexlUberspect sandbox = new JexlUberspectSandbox();
JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();
JexlExpression e = jexl.createExpression(jexlExpr); // Safe
JexlContext jc = new MapContext();
e.evaluate(jc); // Safe
}
private static JexlBuilder STATIC_JEXL_BUILDER;
static {
JexlSandbox sandbox = new JexlSandbox(false);
sandbox.white(SandboxedJexl3.class.getCanonicalName());
STATIC_JEXL_BUILDER = new JexlBuilder().sandbox(sandbox);
}
private static void runJexlExpressionViaJxltEngineWithSandbox(String jexlExpr) {
JexlEngine jexl = STATIC_JEXL_BUILDER.create();
JxltEngine jxlt = jexl.createJxltEngine();
jxlt.createExpression(jexlExpr).evaluate(new MapContext()); // Safe
}
private static class JexlUberspectSandbox implements JexlUberspect {
}
private static void withSocket(Consumer<String> action) throws Exception {
try (ServerSocket serverSocket = new ServerSocket(0)) {
try (Socket socket = serverSocket.accept()) {
byte[] bytes = new byte[1024];
int n = socket.getInputStream().read(bytes);
String jexlExpr = new String(bytes, 0, n);
action.accept(jexlExpr);
}
}
}
// below are examples of safer Jexl usage
// with JexlSandbox
public static void saferJexlExpressionInSandbox() throws Exception {
withSocket(SandboxedJexl3::runJexlExpressionWithSandbox);
}
// with a custom sandbox implemented with JexlUberspect
public static void saferJexlExpressionInUberspectSandbox() throws Exception {
withSocket(SandboxedJexl3::runJexlExpressionWithUberspectSandbox);
}
// with JexlSandbox and JxltEngine
public static void saferJxltExpressionInSandbox() throws Exception {
withSocket(SandboxedJexl3::runJexlExpressionViaJxltEngineWithSandbox);
}
}

2
java/ql/test/query-tests/security/CWE-094/options
View File

@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../stubs/mvel2-2.4.7:${testdir}/../../../stubs/scriptengine:${testdir}/../../../stubs/jsr223-api:${testdir}
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../stubs/apache-commons-logging-1.2:${testdir}/../../../stubs/mvel2-2.4.7:${testdir}/../../../stubs/scriptengine:${testdir}/../../../stubs/jsr223-api

19
java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrls.expected Normal file
View File

@@ -0,0 +1,19 @@
edges
| HttpsUrlsTest.java:23:23:23:31 | "http://" : String | HttpsUrlsTest.java:28:50:28:50 | u |
| HttpsUrlsTest.java:36:23:36:28 | "http" : String | HttpsUrlsTest.java:41:50:41:50 | u |
| HttpsUrlsTest.java:49:23:49:31 | "http://" : String | HttpsUrlsTest.java:55:50:55:50 | u |
| HttpsUrlsTest.java:87:23:87:28 | "http" : String | HttpsUrlsTest.java:92:50:92:50 | u |
nodes
| HttpsUrlsTest.java:23:23:23:31 | "http://" : String | semmle.label | "http://" : String |
| HttpsUrlsTest.java:28:50:28:50 | u | semmle.label | u |
| HttpsUrlsTest.java:36:23:36:28 | "http" : String | semmle.label | "http" : String |
| HttpsUrlsTest.java:41:50:41:50 | u | semmle.label | u |
| HttpsUrlsTest.java:49:23:49:31 | "http://" : String | semmle.label | "http://" : String |
| HttpsUrlsTest.java:55:50:55:50 | u | semmle.label | u |
| HttpsUrlsTest.java:87:23:87:28 | "http" : String | semmle.label | "http" : String |
| HttpsUrlsTest.java:92:50:92:50 | u | semmle.label | u |
#select
| HttpsUrlsTest.java:28:50:28:67 | openConnection(...) | HttpsUrlsTest.java:23:23:23:31 | "http://" : String | HttpsUrlsTest.java:28:50:28:50 | u | URL may have been constructed with HTTP protocol, using $@. | HttpsUrlsTest.java:23:23:23:31 | "http://" | this source |
| HttpsUrlsTest.java:41:50:41:67 | openConnection(...) | HttpsUrlsTest.java:36:23:36:28 | "http" : String | HttpsUrlsTest.java:41:50:41:50 | u | URL may have been constructed with HTTP protocol, using $@. | HttpsUrlsTest.java:36:23:36:28 | "http" | this source |
| HttpsUrlsTest.java:55:50:55:67 | openConnection(...) | HttpsUrlsTest.java:49:23:49:31 | "http://" : String | HttpsUrlsTest.java:55:50:55:50 | u | URL may have been constructed with HTTP protocol, using $@. | HttpsUrlsTest.java:49:23:49:31 | "http://" | this source |
| HttpsUrlsTest.java:92:50:92:67 | openConnection(...) | HttpsUrlsTest.java:87:23:87:28 | "http" : String | HttpsUrlsTest.java:92:50:92:50 | u | URL may have been constructed with HTTP protocol, using $@. | HttpsUrlsTest.java:87:23:87:28 | "http" | this source |

1
java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrls.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-319/HttpsUrls.ql

119
java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrlsTest.java Normal file
View File

@@ -0,0 +1,119 @@
// Semmle test case for CWE-319: Cleartext Transmission of Sensitive Data
// http://cwe.mitre.org/data/definitions/319.html
package test.cwe319.cwe.examples;
import java.net.URL;
import java.io.*;
import java.rmi.*;
import java.rmi.server.*;
import java.rmi.registry.*;
import javax.net.ssl.HttpsURLConnection;
import javax.rmi.ssl.*;
interface Hello extends java.rmi.Remote {
String sayHello() throws java.rmi.RemoteException;
}
class HelloImpl implements Hello {
public static void main(String[] args) {
try {
// HttpsUrls
{
String protocol = "http://";
URL u = new URL(protocol + "www.secret.example.org/");
// using HttpsURLConnections to enforce SSL is desirable
// BAD: this will give a ClassCastException at runtime, as the
// http URL cannot be used to make an HttpsURLConnection
HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
hu.setRequestMethod("PUT");
hu.connect();
OutputStream os = hu.getOutputStream();
hu.disconnect();
}
{
String protocol = "http";
URL u = new URL(protocol, "www.secret.example.org", "foo");
// using HttpsURLConnections to enforce SSL is desirable
// BAD: this will give a ClassCastException at runtime, as the
// http URL cannot be used to make an HttpsURLConnection
HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
hu.setRequestMethod("PUT");
hu.connect();
OutputStream os = hu.getOutputStream();
hu.disconnect();
}
{
String protocol = "http://";
// the second URL overwrites the first, as it has a protocol
URL u = new URL(new URL("https://www.secret.example.org"), protocol + "www.secret.example.org");
// using HttpsURLConnections to enforce SSL is desirable
// BAD: this will give a ClassCastException at runtime, as the
// http URL cannot be used to make an HttpsURLConnection
HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
hu.setRequestMethod("PUT");
hu.connect();
OutputStream os = hu.getOutputStream();
hu.disconnect();
}
{
String protocol = "https://";
URL u = new URL(protocol + "www.secret.example.org/");
// using HttpsURLConnections to enforce SSL is desirable
// GOOD: open connection to URL using HTTPS
HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
hu.setRequestMethod("PUT");
hu.connect();
OutputStream os = hu.getOutputStream();
hu.disconnect();
}
{
String protocol = "https";
URL u = new URL(protocol, "www.secret.example.org", "foo");
// using HttpsURLConnections to enforce SSL is desirable
// GOOD: open connection to URL using HTTPS
HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
hu.setRequestMethod("PUT");
hu.connect();
OutputStream os = hu.getOutputStream();
hu.disconnect();
}
{
String protocol = "http";
URL u = new URL(protocol, "internal-url", "foo");
// FALSE POSITIVE: the query has no way of knowing whether the url will
// resolve to somewhere outside the internal network, where there
// are unlikely to be interception attempts
HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
hu.setRequestMethod("PUT");
hu.connect();
OutputStream os = hu.getOutputStream();
hu.disconnect();
}
{
String input = "URL is: http://www.secret-example.org";
String url = input.substring(8);
URL u = new URL(url);
// FALSE NEGATIVE: we cannot tell that the substring results in a url
// string
HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
hu.setRequestMethod("PUT");
hu.connect();
OutputStream os = hu.getOutputStream();
hu.disconnect();
}
} catch (Exception e) {
// fail
}
}
public String sayHello() {
return "Hello";
}
}

2
java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSL.expected
View File

@@ -1 +1 @@
| Test.java:11:15:11:41 | getInputStream(...) | Stream using vulnerable non-SSL connection. |
| UseSSLTest.java:11:15:11:41 | getInputStream(...) | Stream using vulnerable non-SSL connection. |

2
java/ql/test/query-tests/security/CWE-311/CWE-319/Test.java → java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSLTest.java
View File

@@ -2,7 +2,7 @@ import java.net.HttpURLConnection;
import javax.net.ssl.HttpsURLConnection;
import java.io.*;
class Test {
class UseSSLTest {
public void m1(HttpURLConnection connection) throws java.io.IOException {
InputStream input;
if (connection instanceof HttpsURLConnection) {

2
java/ql/test/query-tests/security/CWE-835/semmle/tests/InfiniteLoop.expected
View File

@@ -1 +1 @@
| InfiniteLoop.java:4:13:4:36 | stmt | Loop might not terminate, as termination depends in part on $@ being false but it is always true. | InfiniteLoop.java:4:27:4:30 | ... < ... | this test |
| InfiniteLoop.java:4:13:4:36 | for (...;...;...) | Loop might not terminate, as termination depends in part on $@ being false but it is always true. | InfiniteLoop.java:4:27:4:30 | ... < ... | this test |