Java: Deprecate experimental queries.
@@ -111,9 +111,11 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie
|
||||
)
|
||||
}
|
||||
|
||||
from SpringBootPom pom, ApplicationProperties ap, Dependency d
|
||||
where
|
||||
hasConfidentialEndPointExposed(pom, ap) and
|
||||
d = pom.getADependency() and
|
||||
d.getArtifact().getValue() = "spring-boot-starter-actuator"
|
||||
select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints."
|
||||
deprecated query predicate problems(Dependency d, string message) {
|
||||
exists(SpringBootPom pom |
|
||||
hasConfidentialEndPointExposed(pom, _) and
|
||||
d = pom.getADependency() and
|
||||
d.getArtifact().getValue() = "spring-boot-starter-actuator"
|
||||
) and
|
||||
message = "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints."
|
||||
}
|
||||
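Review bot: The new `deprecated query predicate problems(Dependency d, string message)` has no QLDoc, so nothing at the declaration says why the query was deprecated or what replaces it. I would add a comment above it along the lines of `/** DEPRECATED: <reason or replacement query id>. */`; the same applies to the other `problems` predicates introduced by this commit (Log4j injection, `openStream` on a remote URL, file path injection, and the rest). Since the `from`/`where`/`select` clause is gone, results presumably land in a `problems` result set rather than in the query's select output, so anyone still running this check for exposed Spring Boot Actuator endpoints may stop seeing alerts; the comment is the place to say so.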
|
||||
@@ -12,8 +12,9 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import SpringBootActuators
|
||||
deprecated import SpringBootActuators
|
||||
|
||||
from PermitAllCall permitAllCall
|
||||
where permitAllCall.permitsSpringBootActuators()
|
||||
select permitAllCall, "Unauthenticated access to Spring Boot actuator is allowed."
|
||||
deprecated query predicate problems(PermitAllCall permitAllCall, string message) {
|
||||
permitAllCall.permitsSpringBootActuators() and
|
||||
message = "Unauthenticated access to Spring Boot actuator is allowed."
|
||||
}
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
|
||||
/** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */
|
||||
|
||||
@@ -52,7 +52,13 @@ module Log4jInjectionConfig implements DataFlow::ConfigSig {
|
||||
*/
|
||||
module Log4jInjectionFlow = TaintTracking::Global<Log4jInjectionConfig>;
|
||||
|
||||
from Log4jInjectionFlow::PathNode source, Log4jInjectionFlow::PathNode sink
|
||||
where Log4jInjectionFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Log4j log entry depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, Log4jInjectionFlow::PathNode source, Log4jInjectionFlow::PathNode sink,
|
||||
string message1, DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
Log4jInjectionFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "Log4j log entry depends on a $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "user-provided value"
|
||||
}
|
||||
|
||||
@@ -53,11 +53,11 @@ module RemoteUrlToOpenStreamFlowConfig implements DataFlow::ConfigSig {
|
||||
|
||||
module RemoteUrlToOpenStreamFlow = TaintTracking::Global<RemoteUrlToOpenStreamFlowConfig>;
|
||||
|
||||
from
|
||||
RemoteUrlToOpenStreamFlow::PathNode source, RemoteUrlToOpenStreamFlow::PathNode sink,
|
||||
MethodCall call
|
||||
where
|
||||
deprecated query predicate problems(
|
||||
MethodCall call, RemoteUrlToOpenStreamFlow::PathNode source,
|
||||
RemoteUrlToOpenStreamFlow::PathNode sink, string message
|
||||
) {
|
||||
sink.getNode().asExpr() = call.getQualifier() and
|
||||
RemoteUrlToOpenStreamFlow::flowPath(source, sink)
|
||||
select call, source, sink,
|
||||
"URL on which openStream is called may have been constructed from remote source."
|
||||
RemoteUrlToOpenStreamFlow::flowPath(source, sink) and
|
||||
message = "URL on which openStream is called may have been constructed from remote source."
|
||||
}
|
||||
|
||||
@@ -17,7 +17,7 @@ import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.dataflow.ExternalFlow
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.security.TaintedPathQuery
|
||||
import JFinalController
|
||||
deprecated import JFinalController
|
||||
import semmle.code.java.security.PathSanitizer
|
||||
private import semmle.code.java.security.Sanitizers
|
||||
import InjectFilePathFlow::PathGraph
|
||||
@@ -66,7 +66,13 @@ module InjectFilePathConfig implements DataFlow::ConfigSig {
|
||||
|
||||
module InjectFilePathFlow = TaintTracking::Global<InjectFilePathConfig>;
|
||||
|
||||
from InjectFilePathFlow::PathNode source, InjectFilePathFlow::PathNode sink
|
||||
where InjectFilePathFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "External control of file name or path due to $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, InjectFilePathFlow::PathNode source, InjectFilePathFlow::PathNode sink,
|
||||
string message1, DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
InjectFilePathFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "External control of file name or path due to $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "user-provided value"
|
||||
}
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
private import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
|
||||
@@ -11,15 +11,21 @@
|
||||
* external/cwe/cwe-078
|
||||
*/
|
||||
|
||||
import CommandInjectionRuntimeExec
|
||||
import ExecUserFlow::PathGraph
|
||||
deprecated import CommandInjectionRuntimeExec
|
||||
deprecated import ExecUserFlow::PathGraph
|
||||
|
||||
class ThreatModelSource extends Source instanceof ActiveThreatModelSource { }
|
||||
deprecated class ThreatModelSource extends Source instanceof ActiveThreatModelSource { }
|
||||
|
||||
from
|
||||
ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd,
|
||||
DataFlow::Node sinkCmd
|
||||
where callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, sinkCmd)
|
||||
select sink, source, sink,
|
||||
"Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
|
||||
sourceCmd, sourceCmd.toString(), source.getNode(), source.toString()
|
||||
deprecated query predicate problems(
|
||||
ExecUserFlow::PathNode sink, ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink0,
|
||||
string message1, DataFlow::Node sourceCmd, string message2, DataFlow::Node sourceNode,
|
||||
string message3
|
||||
) {
|
||||
callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, _) and
|
||||
sink0 = sink and
|
||||
message1 =
|
||||
"Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'" and
|
||||
message2 = sourceCmd.toString() and
|
||||
sourceNode = source.getNode() and
|
||||
message3 = source.toString()
|
||||
}
|
||||
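Review bot: The `sink0` parameter exists only to reproduce the column layout of the former `select sink, source, sink, ...`, and `sink0 = sink` alone gives no hint of that. A one-line comment such as `// sink0 repeats sink: first column is the alert location, third is the end of the path` would help; the following hunk at `class LocalSource` introduces the same predicate and needs the same comment. Separately, `message1` has no final period, unlike the other alert messages in this commit.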
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
|
||||
@@ -12,15 +12,21 @@
|
||||
* external/cwe/cwe-078
|
||||
*/
|
||||
|
||||
import CommandInjectionRuntimeExec
|
||||
import ExecUserFlow::PathGraph
|
||||
deprecated import CommandInjectionRuntimeExec
|
||||
deprecated import ExecUserFlow::PathGraph
|
||||
|
||||
class LocalSource extends Source instanceof LocalUserInput { }
|
||||
deprecated class LocalSource extends Source instanceof LocalUserInput { }
|
||||
|
||||
from
|
||||
ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd,
|
||||
DataFlow::Node sinkCmd
|
||||
where callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, sinkCmd)
|
||||
select sink, source, sink,
|
||||
"Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
|
||||
sourceCmd, sourceCmd.toString(), source.getNode(), source.toString()
|
||||
deprecated query predicate problems(
|
||||
ExecUserFlow::PathNode sink, ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink0,
|
||||
string message1, DataFlow::Node sourceCmd, string message2, DataFlow::Node sourceNode,
|
||||
string message3
|
||||
) {
|
||||
callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, _) and
|
||||
sink0 = sink and
|
||||
message1 =
|
||||
"Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'" and
|
||||
message2 = sourceCmd.toString() and
|
||||
sourceNode = source.getNode() and
|
||||
message3 = source.toString()
|
||||
}
|
||||
|
||||
@@ -13,6 +13,7 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
import semmle.code.java.security.CommandLineQuery
|
||||
import InputToArgumentToExecFlow::PathGraph
|
||||
private import semmle.code.java.dataflow.ExternalFlow
|
||||
@@ -22,8 +23,13 @@ private class ActivateModels extends ActiveExperimentalModels {
|
||||
}
|
||||
|
||||
// This is a clone of query `java/command-line-injection` that also includes experimental sinks.
|
||||
from
|
||||
InputToArgumentToExecFlow::PathNode source, InputToArgumentToExecFlow::PathNode sink, Expr execArg
|
||||
where execIsTainted(source, sink, execArg)
|
||||
select execArg, source, sink, "This command line depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
deprecated query predicate problems(
|
||||
Expr execArg, InputToArgumentToExecFlow::PathNode source,
|
||||
InputToArgumentToExecFlow::PathNode sink, string message1, DataFlow::Node sourceNode,
|
||||
string message2
|
||||
) {
|
||||
execIsTainted(source, sink, execArg) and
|
||||
message1 = "This command line depends on a $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "user-provided value"
|
||||
}
|
||||
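Review bot: The retained comment `// This is a clone of query java/command-line-injection that also includes experimental sinks.` now sits above a deprecated predicate and no longer tells the reader where those experimental sinks are reported. I would extend it, e.g. `// Deprecated clone of java/command-line-injection with experimental sinks; see <replacement> for current coverage.` The `ActivateModels` class that enables the experimental models starts outside the hunk, so whether it is deprecated as well is not visible here.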
|
||||
@@ -13,14 +13,13 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import MyBatisCommonLib
|
||||
import MyBatisAnnotationSqlInjectionLib
|
||||
deprecated import MyBatisAnnotationSqlInjectionLib
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
private import semmle.code.java.security.Sanitizers
|
||||
import MyBatisAnnotationSqlInjectionFlow::PathGraph
|
||||
deprecated import MyBatisAnnotationSqlInjectionFlow::PathGraph
|
||||
|
||||
private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig {
|
||||
deprecated private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisAnnotatedMethodCallArgument }
|
||||
@@ -37,22 +36,27 @@ private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSi
|
||||
}
|
||||
}
|
||||
|
||||
private module MyBatisAnnotationSqlInjectionFlow =
|
||||
deprecated private module MyBatisAnnotationSqlInjectionFlow =
|
||||
TaintTracking::Global<MyBatisAnnotationSqlInjectionConfig>;
|
||||
|
||||
from
|
||||
MyBatisAnnotationSqlInjectionFlow::PathNode source,
|
||||
MyBatisAnnotationSqlInjectionFlow::PathNode sink, IbatisSqlOperationAnnotation isoa,
|
||||
MethodCall ma, string unsafeExpression
|
||||
where
|
||||
MyBatisAnnotationSqlInjectionFlow::flowPath(source, sink) and
|
||||
ma.getAnArgument() = sink.getNode().asExpr() and
|
||||
myBatisSqlOperationAnnotationFromMethod(ma.getMethod(), isoa) and
|
||||
unsafeExpression = getAMybatisAnnotationSqlValue(isoa) and
|
||||
(
|
||||
isMybatisXmlOrAnnotationSqlInjection(sink.getNode(), ma, unsafeExpression) or
|
||||
isMybatisCollectionTypeSqlInjection(sink.getNode(), ma, unsafeExpression)
|
||||
)
|
||||
select sink.getNode(), source, sink,
|
||||
"MyBatis annotation SQL injection might include code from $@ to $@.", source.getNode(),
|
||||
"this user input", isoa, "this SQL operation"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, MyBatisAnnotationSqlInjectionFlow::PathNode source,
|
||||
MyBatisAnnotationSqlInjectionFlow::PathNode sink, string message1, DataFlow::Node sourceNode,
|
||||
string message2, IbatisSqlOperationAnnotation isoa, string message3
|
||||
) {
|
||||
exists(MethodCall ma, string unsafeExpression |
|
||||
MyBatisAnnotationSqlInjectionFlow::flowPath(source, sink) and
|
||||
ma.getAnArgument() = sinkNode.asExpr() and
|
||||
myBatisSqlOperationAnnotationFromMethod(ma.getMethod(), isoa) and
|
||||
unsafeExpression = getAMybatisAnnotationSqlValue(isoa) and
|
||||
(
|
||||
isMybatisXmlOrAnnotationSqlInjection(sinkNode, ma, unsafeExpression) or
|
||||
isMybatisCollectionTypeSqlInjection(sinkNode, ma, unsafeExpression)
|
||||
)
|
||||
) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "MyBatis annotation SQL injection might include code from $@ to $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "this user input" and
|
||||
message3 = "this SQL operation"
|
||||
}
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
/**
|
||||
* Provides classes for SQL injection detection regarding MyBatis annotated methods.
|
||||
*/
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import MyBatisCommonLib
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
/**
|
||||
* Provides public classes for MyBatis SQL injection detection.
|
||||
*/
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import semmle.code.xml.MyBatisMapperXML
|
||||
|
||||
@@ -13,14 +13,14 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import MyBatisCommonLib
|
||||
import MyBatisMapperXmlSqlInjectionLib
|
||||
deprecated import MyBatisCommonLib
|
||||
deprecated import MyBatisMapperXmlSqlInjectionLib
|
||||
import semmle.code.xml.MyBatisMapperXML
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
private import semmle.code.java.security.Sanitizers
|
||||
import MyBatisMapperXmlSqlInjectionFlow::PathGraph
|
||||
deprecated import MyBatisMapperXmlSqlInjectionFlow::PathGraph
|
||||
|
||||
private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig {
|
||||
deprecated private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisMapperMethodCallAnArgument }
|
||||
@@ -37,24 +37,29 @@ private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig
|
||||
}
|
||||
}
|
||||
|
||||
private module MyBatisMapperXmlSqlInjectionFlow =
|
||||
deprecated private module MyBatisMapperXmlSqlInjectionFlow =
|
||||
TaintTracking::Global<MyBatisMapperXmlSqlInjectionConfig>;
|
||||
|
||||
from
|
||||
MyBatisMapperXmlSqlInjectionFlow::PathNode source,
|
||||
MyBatisMapperXmlSqlInjectionFlow::PathNode sink, MyBatisMapperXmlElement mmxe, MethodCall ma,
|
||||
string unsafeExpression
|
||||
where
|
||||
MyBatisMapperXmlSqlInjectionFlow::flowPath(source, sink) and
|
||||
ma.getAnArgument() = sink.getNode().asExpr() and
|
||||
myBatisMapperXmlElementFromMethod(ma.getMethod(), mmxe) and
|
||||
unsafeExpression = getAMybatisXmlSetValue(mmxe) and
|
||||
(
|
||||
isMybatisXmlOrAnnotationSqlInjection(sink.getNode(), ma, unsafeExpression)
|
||||
or
|
||||
mmxe instanceof MyBatisMapperForeach and
|
||||
isMybatisCollectionTypeSqlInjection(sink.getNode(), ma, unsafeExpression)
|
||||
)
|
||||
select sink.getNode(), source, sink,
|
||||
"MyBatis Mapper XML SQL injection might include code from $@ to $@.", source.getNode(),
|
||||
"this user input", mmxe, "this SQL operation"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, MyBatisMapperXmlSqlInjectionFlow::PathNode source,
|
||||
MyBatisMapperXmlSqlInjectionFlow::PathNode sink, string message1, DataFlow::Node sourceNode,
|
||||
string message2, MyBatisMapperXmlElement mmxe, string message3
|
||||
) {
|
||||
exists(MethodCall ma, string unsafeExpression |
|
||||
MyBatisMapperXmlSqlInjectionFlow::flowPath(source, sink) and
|
||||
ma.getAnArgument() = sinkNode.asExpr() and
|
||||
myBatisMapperXmlElementFromMethod(ma.getMethod(), mmxe) and
|
||||
unsafeExpression = getAMybatisXmlSetValue(mmxe) and
|
||||
(
|
||||
isMybatisXmlOrAnnotationSqlInjection(sinkNode, ma, unsafeExpression)
|
||||
or
|
||||
mmxe instanceof MyBatisMapperForeach and
|
||||
isMybatisCollectionTypeSqlInjection(sinkNode, ma, unsafeExpression)
|
||||
)
|
||||
) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "MyBatis Mapper XML SQL injection might include code from $@ to $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "this user input" and
|
||||
message3 = "this SQL operation"
|
||||
}
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
/**
|
||||
* Provide classes for SQL injection detection in MyBatis Mapper XML.
|
||||
*/
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import semmle.code.xml.MyBatisMapperXML
|
||||
|
||||
@@ -12,12 +12,12 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import BeanShellInjection
|
||||
deprecated import BeanShellInjection
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import BeanShellInjectionFlow::PathGraph
|
||||
deprecated import BeanShellInjectionFlow::PathGraph
|
||||
|
||||
module BeanShellInjectionConfig implements DataFlow::ConfigSig {
|
||||
deprecated module BeanShellInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof BeanShellInjectionSink }
|
||||
@@ -41,9 +41,15 @@ module BeanShellInjectionConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module BeanShellInjectionFlow = TaintTracking::Global<BeanShellInjectionConfig>;
|
||||
deprecated module BeanShellInjectionFlow = TaintTracking::Global<BeanShellInjectionConfig>;
|
||||
|
||||
from BeanShellInjectionFlow::PathNode source, BeanShellInjectionFlow::PathNode sink
|
||||
where BeanShellInjectionFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "BeanShell injection from $@.", source.getNode(),
|
||||
"this user input"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, BeanShellInjectionFlow::PathNode source,
|
||||
BeanShellInjectionFlow::PathNode sink, string message1, DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
BeanShellInjectionFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "BeanShell injection from $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "this user input"
|
||||
}
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
|
||||
@@ -12,10 +12,17 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import InsecureDexLoading
|
||||
import InsecureDexFlow::PathGraph
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
deprecated import InsecureDexLoading
|
||||
deprecated import InsecureDexFlow::PathGraph
|
||||
|
||||
from InsecureDexFlow::PathNode source, InsecureDexFlow::PathNode sink
|
||||
where InsecureDexFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Potential arbitrary code execution due to $@.",
|
||||
source.getNode(), "a value loaded from a world-writable source."
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, InsecureDexFlow::PathNode source, InsecureDexFlow::PathNode sink,
|
||||
string message1, DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
InsecureDexFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "Potential arbitrary code execution due to $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "a value loaded from a world-writable source."
|
||||
}
|
||||
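Review bot: `message2 = "a value loaded from a world-writable source."` ends in a period and is the link text substituted for the `$@` in `"Potential arbitrary code execution due to $@."`, so the rendered alert ends in two periods. The string was carried over unchanged from the removed `select`. Dropping the period, `message2 = "a value loaded from a world-writable source"`, matches the link texts used by the other predicates in this commit.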
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
@@ -12,12 +12,12 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import JShellInjection
|
||||
deprecated import JShellInjection
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import JShellInjectionFlow::PathGraph
|
||||
deprecated import JShellInjectionFlow::PathGraph
|
||||
|
||||
module JShellInjectionConfig implements DataFlow::ConfigSig {
|
||||
deprecated module JShellInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof JShellInjectionSink }
|
||||
@@ -33,9 +33,15 @@ module JShellInjectionConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module JShellInjectionFlow = TaintTracking::Global<JShellInjectionConfig>;
|
||||
deprecated module JShellInjectionFlow = TaintTracking::Global<JShellInjectionConfig>;
|
||||
|
||||
from JShellInjectionFlow::PathNode source, JShellInjectionFlow::PathNode sink
|
||||
where JShellInjectionFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "JShell injection from $@.", source.getNode(),
|
||||
"this user input"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, JShellInjectionFlow::PathNode source, JShellInjectionFlow::PathNode sink,
|
||||
string message1, DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
JShellInjectionFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "JShell injection from $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "this user input"
|
||||
}
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
|
||||
@@ -12,10 +12,17 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import JakartaExpressionInjectionLib
|
||||
import JakartaExpressionInjectionFlow::PathGraph
|
||||
deprecated import JakartaExpressionInjectionLib
|
||||
deprecated import JakartaExpressionInjectionFlow::PathGraph
|
||||
|
||||
from JakartaExpressionInjectionFlow::PathNode source, JakartaExpressionInjectionFlow::PathNode sink
|
||||
where JakartaExpressionInjectionFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Jakarta Expression Language injection from $@.",
|
||||
source.getNode(), "this user input"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, JakartaExpressionInjectionFlow::PathNode source,
|
||||
JakartaExpressionInjectionFlow::PathNode sink, string message1, DataFlow::Node sourceNode,
|
||||
string message2
|
||||
) {
|
||||
JakartaExpressionInjectionFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "Jakarta Expression Language injection from $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "this user input"
|
||||
}
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import FlowUtils
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
@@ -114,7 +114,13 @@ module CodeInjectionConfig implements DataFlow::ConfigSig {
|
||||
*/
|
||||
module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;
|
||||
|
||||
from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
|
||||
where CodeInjectionFlow::flowPath(source, sink)
|
||||
select sink.getNode().(CodeInjectionSink).getMethodCall(), source, sink, "Jython evaluate $@.",
|
||||
source.getNode(), "user input"
|
||||
deprecated query predicate problems(
|
||||
MethodCall sinkCall, CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink,
|
||||
string message1, DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
CodeInjectionFlow::flowPath(source, sink) and
|
||||
sinkCall = sink.getNode().(CodeInjectionSink).getMethodCall() and
|
||||
message1 = "Jython evaluate $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "user input"
|
||||
}
|
||||
|
||||
@@ -142,7 +142,13 @@ module ScriptInjectionConfig implements DataFlow::ConfigSig {
|
||||
|
||||
module ScriptInjectionFlow = TaintTracking::Global<ScriptInjectionConfig>;
|
||||
|
||||
from ScriptInjectionFlow::PathNode source, ScriptInjectionFlow::PathNode sink
|
||||
where ScriptInjectionFlow::flowPath(source, sink)
|
||||
select sink.getNode().(ScriptInjectionSink).getMethodCall(), source, sink,
|
||||
"Java Script Engine evaluate $@.", source.getNode(), "user input"
|
||||
deprecated query predicate problems(
|
||||
MethodCall sinkCall, ScriptInjectionFlow::PathNode source, ScriptInjectionFlow::PathNode sink,
|
||||
string message1, DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
ScriptInjectionFlow::flowPath(source, sink) and
|
||||
sinkCall = sink.getNode().(ScriptInjectionSink).getMethodCall() and
|
||||
message1 = "Java Script Engine evaluate $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "user input"
|
||||
}
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
|
||||
|
||||
@@ -11,9 +11,9 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import SpringViewManipulationLib
|
||||
deprecated import SpringViewManipulationLib
|
||||
|
||||
private predicate canResultInImplicitViewConversion(Method m) {
|
||||
deprecated private predicate canResultInImplicitViewConversion(Method m) {
|
||||
m.getReturnType() instanceof VoidType
|
||||
or
|
||||
m.getReturnType() instanceof MapType
|
||||
@@ -31,7 +31,7 @@ private predicate maybeATestMethod(Method m) {
|
||||
)
|
||||
}
|
||||
|
||||
private predicate mayBeExploitable(Method m) {
|
||||
deprecated private predicate mayBeExploitable(Method m) {
|
||||
// There should be a attacker controlled parameter in the URI for the attack to be exploitable.
|
||||
// This is possible only when there exists a parameter with the Spring `@PathVariable` annotation
|
||||
// applied to it.
|
||||
@@ -48,8 +48,7 @@ private predicate mayBeExploitable(Method m) {
|
||||
not maybeATestMethod(m)
|
||||
}
|
||||
|
||||
from SpringRequestMappingMethod m
|
||||
where
|
||||
deprecated query predicate problems(SpringRequestMappingMethod m, string message) {
|
||||
thymeleafIsUsed() and
|
||||
mayBeExploitable(m) and
|
||||
canResultInImplicitViewConversion(m) and
|
||||
@@ -61,5 +60,6 @@ where
|
||||
m.getAnAnnotation().getType() instanceof SpringRequestMappingAnnotationType and
|
||||
not m.getAnAnnotation().getType() instanceof SpringResponseBodyAnnotationType and
|
||||
// `@RestController` inherits `@ResponseBody` internally so it should be ignored.
|
||||
not m.getDeclaringType() instanceof SpringRestController
|
||||
select m, "This method may be vulnerable to spring view manipulation vulnerabilities."
|
||||
not m.getDeclaringType() instanceof SpringRestController and
|
||||
message = "This method may be vulnerable to spring view manipulation vulnerabilities."
|
||||
}
|
||||
|
||||
@@ -11,12 +11,19 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import SpringViewManipulationLib
|
||||
import SpringViewManipulationFlow::PathGraph
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
deprecated import SpringViewManipulationLib
|
||||
deprecated import SpringViewManipulationFlow::PathGraph
|
||||
|
||||
from SpringViewManipulationFlow::PathNode source, SpringViewManipulationFlow::PathNode sink
|
||||
where
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, SpringViewManipulationFlow::PathNode source,
|
||||
SpringViewManipulationFlow::PathNode sink, string message1, DataFlow::Node sourceNode,
|
||||
string message2
|
||||
) {
|
||||
thymeleafIsUsed() and
|
||||
SpringViewManipulationFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Potential Spring Expression Language injection from $@.",
|
||||
source.getNode(), "this user input"
|
||||
SpringViewManipulationFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "Potential Spring Expression Language injection from $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "this user input"
|
||||
}
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
/**
|
||||
* Provides classes for reasoning about Spring View Manipulation vulnerabilities
|
||||
*/
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
@@ -21,7 +21,8 @@ private class HttpOnlyConfig extends WebContextParameter {
|
||||
predicate isHttpOnlySet() { this.getParamValueElementValue().toLowerCase() = "false" }
|
||||
}
|
||||
|
||||
from HttpOnlyConfig config
|
||||
where config.isHttpOnlySet()
|
||||
select config,
|
||||
"'httpOnly' should be enabled in tomcat config file to help mitigate cross-site scripting (XSS) attacks."
|
||||
deprecated query predicate problems(HttpOnlyConfig config, string message) {
|
||||
config.isHttpOnlySet() and
|
||||
message =
|
||||
"'httpOnly' should be enabled in tomcat config file to help mitigate cross-site scripting (XSS) attacks."
|
||||
}
|
||||
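Review bot: `config.isHttpOnlySet()` in the new `problems` predicate reads as "httpOnly is enabled", but the context line above shows it holds when the parameter value is `"false"`, i.e. when the flag is explicitly turned off. That declaration is a context line not touched by this commit, so I would at least add a comment inside `problems`: `// isHttpOnlySet() holds when the value is "false", i.e. httpOnly is disabled`. As far as the visible lines show, only an explicit `false` is matched; whether a missing setting is covered cannot be told from this hunk.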
|
||||
@@ -212,7 +212,13 @@ module MissingHttpOnlyConfig implements DataFlow::ConfigSig {
|
||||
|
||||
module MissingHttpOnlyFlow = TaintTracking::Global<MissingHttpOnlyConfig>;
|
||||
|
||||
from MissingHttpOnlyFlow::PathNode source, MissingHttpOnlyFlow::PathNode sink
|
||||
where MissingHttpOnlyFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "$@ doesn't have the HttpOnly flag set.", source.getNode(),
|
||||
"This sensitive cookie"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, MissingHttpOnlyFlow::PathNode source, MissingHttpOnlyFlow::PathNode sink,
|
||||
string message1, DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
MissingHttpOnlyFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "$@ doesn't have the HttpOnly flag set." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "This sensitive cookie"
|
||||
}
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
/** Provides Android sink models related to file creation. */
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
/** Provides summary models relating to file content inputs of Android. */
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
/** Provides Android methods relating to web resource response. */
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
private import semmle.code.java.dataflow.DataFlow
|
||||
|
||||
@@ -15,10 +15,10 @@ import semmle.code.java.controlflow.Guards
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.security.PathSanitizer
|
||||
import AndroidWebResourceResponse
|
||||
import InsecureWebResourceResponseFlow::PathGraph
|
||||
deprecated import AndroidWebResourceResponse
|
||||
deprecated import InsecureWebResourceResponseFlow::PathGraph
|
||||
|
||||
module InsecureWebResourceResponseConfig implements DataFlow::ConfigSig {
|
||||
deprecated module InsecureWebResourceResponseConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof WebResourceResponseSink }
|
||||
@@ -26,10 +26,17 @@ module InsecureWebResourceResponseConfig implements DataFlow::ConfigSig {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof PathInjectionSanitizer }
|
||||
}
|
||||
|
||||
module InsecureWebResourceResponseFlow = TaintTracking::Global<InsecureWebResourceResponseConfig>;
|
||||
deprecated module InsecureWebResourceResponseFlow =
|
||||
TaintTracking::Global<InsecureWebResourceResponseConfig>;
|
||||
|
||||
from
|
||||
InsecureWebResourceResponseFlow::PathNode source, InsecureWebResourceResponseFlow::PathNode sink
|
||||
where InsecureWebResourceResponseFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Leaking arbitrary content in Android from $@.",
|
||||
source.getNode(), "this user input"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, InsecureWebResourceResponseFlow::PathNode source,
|
||||
InsecureWebResourceResponseFlow::PathNode sink, string message1, DataFlow::Node sourceNode,
|
||||
string message2
|
||||
) {
|
||||
InsecureWebResourceResponseFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "Leaking arbitrary content in Android from $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "this user input"
|
||||
}
|
||||
|
||||
@@ -12,9 +12,9 @@
|
||||
|
||||
import java
|
||||
import semmle.code.java.controlflow.Guards
|
||||
import AndroidFileIntentSink
|
||||
import AndroidFileIntentSource
|
||||
import AndroidFileLeakFlow::PathGraph
|
||||
deprecated import AndroidFileIntentSink
|
||||
deprecated import AndroidFileIntentSource
|
||||
deprecated import AndroidFileLeakFlow::PathGraph
|
||||
|
||||
private predicate startsWithSanitizer(Guard g, Expr e, boolean branch) {
|
||||
exists(MethodCall ma |
|
||||
@@ -25,7 +25,7 @@ private predicate startsWithSanitizer(Guard g, Expr e, boolean branch) {
|
||||
)
|
||||
}
|
||||
|
||||
module AndroidFileLeakConfig implements DataFlow::ConfigSig {
|
||||
deprecated module AndroidFileLeakConfig implements DataFlow::ConfigSig {
|
||||
/**
|
||||
* Holds if `src` is a read of some Intent-typed variable guarded by a check like
|
||||
* `requestCode == someCode`, where `requestCode` is the first
|
||||
@@ -75,9 +75,15 @@ module AndroidFileLeakConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module AndroidFileLeakFlow = TaintTracking::Global<AndroidFileLeakConfig>;
|
||||
deprecated module AndroidFileLeakFlow = TaintTracking::Global<AndroidFileLeakConfig>;
|
||||
|
||||
from AndroidFileLeakFlow::PathNode source, AndroidFileLeakFlow::PathNode sink
|
||||
where AndroidFileLeakFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Leaking arbitrary Android file from $@.", source.getNode(),
|
||||
"this user input"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, AndroidFileLeakFlow::PathNode source, AndroidFileLeakFlow::PathNode sink,
|
||||
string message1, DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
AndroidFileLeakFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "Leaking arbitrary Android file from $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "this user input"
|
||||
}
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
/**
|
||||
* Provides classes and predicates for queries that detect timing attacks.
|
||||
*/
|
||||
deprecated module;
|
||||
|
||||
import semmle.code.java.controlflow.Guards
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
|
||||
@@ -14,12 +14,18 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import NonConstantTimeCheckOnSignatureQuery
|
||||
import NonConstantTimeCryptoComparisonFlow::PathGraph
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
deprecated import NonConstantTimeCheckOnSignatureQuery
|
||||
deprecated import NonConstantTimeCryptoComparisonFlow::PathGraph
|
||||
|
||||
from
|
||||
NonConstantTimeCryptoComparisonFlow::PathNode source,
|
||||
NonConstantTimeCryptoComparisonFlow::PathNode sink
|
||||
where NonConstantTimeCryptoComparisonFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Possible timing attack against $@ validation.", source,
|
||||
source.getNode().(CryptoOperationSource).getCall().getResultType()
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, NonConstantTimeCryptoComparisonFlow::PathNode source,
|
||||
NonConstantTimeCryptoComparisonFlow::PathNode sink, string message1,
|
||||
NonConstantTimeCryptoComparisonFlow::PathNode source0, string message2
|
||||
) {
|
||||
NonConstantTimeCryptoComparisonFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "Possible timing attack against $@ validation." and
|
||||
source = source0 and
|
||||
message2 = source.getNode().(CryptoOperationSource).getCall().getResultType()
|
||||
}
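Review bot: `source0` in the new `problems` signature is constrained only by `source = source0`, and nothing in the hunk says why the same path node is listed twice. It takes the place of the second `source` in the removed `select`, i.e. the element that the `$@` placeholder in `message1` links to. A comment above that conjunct would make this clear, for example `// source0 repeats source: it is the link target for "$@" in message1`. The second `NonConstantTimeCryptoComparisonFlow` predicate further down the page has the same parameter and would take the same comment.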
|
||||
|
||||
@@ -65,7 +65,14 @@ module NonConstantTimeComparisonConfig implements DataFlow::ConfigSig {
|
||||
|
||||
module NonConstantTimeComparisonFlow = TaintTracking::Global<NonConstantTimeComparisonConfig>;
|
||||
|
||||
from NonConstantTimeComparisonFlow::PathNode source, NonConstantTimeComparisonFlow::PathNode sink
|
||||
where NonConstantTimeComparisonFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Possible timing attack against $@ validation.",
|
||||
source.getNode(), "client-supplied token"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, NonConstantTimeComparisonFlow::PathNode source,
|
||||
NonConstantTimeComparisonFlow::PathNode sink, string message1, DataFlow::Node sourceNode,
|
||||
string message2
|
||||
) {
|
||||
NonConstantTimeComparisonFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "Possible timing attack against $@ validation." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "client-supplied token"
|
||||
}
|
||||
|
||||
@@ -15,17 +15,22 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import NonConstantTimeCheckOnSignatureQuery
|
||||
import NonConstantTimeCryptoComparisonFlow::PathGraph
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
deprecated import NonConstantTimeCheckOnSignatureQuery
|
||||
deprecated import NonConstantTimeCryptoComparisonFlow::PathGraph
|
||||
|
||||
from
|
||||
NonConstantTimeCryptoComparisonFlow::PathNode source,
|
||||
NonConstantTimeCryptoComparisonFlow::PathNode sink
|
||||
where
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, NonConstantTimeCryptoComparisonFlow::PathNode source,
|
||||
NonConstantTimeCryptoComparisonFlow::PathNode sink, string message1,
|
||||
NonConstantTimeCryptoComparisonFlow::PathNode source0, string message2
|
||||
) {
|
||||
NonConstantTimeCryptoComparisonFlow::flowPath(source, sink) and
|
||||
(
|
||||
source.getNode().(CryptoOperationSource).includesUserInput() and
|
||||
sink.getNode().(NonConstantTimeComparisonSink).includesUserInput()
|
||||
)
|
||||
select sink.getNode(), source, sink, "Timing attack against $@ validation.", source,
|
||||
source.getNode().(CryptoOperationSource).getCall().getResultType()
|
||||
sinkNode.(NonConstantTimeComparisonSink).includesUserInput()
|
||||
) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "Timing attack against $@ validation." and
|
||||
source = source0 and
|
||||
message2 = source.getNode().(CryptoOperationSource).getCall().getResultType()
|
||||
}
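Review bot: Inside the parenthesised group the source filter is written against `source.getNode()` while the sink filter now uses `sinkNode`, which is only tied to `sink` by the later conjunct `sinkNode = sink.getNode()`. The result is the same, but the pair reads more easily if both use one form, e.g. `sink.getNode().(NonConstantTimeComparisonSink).includesUserInput()` as in the removed `where` clause. The parentheses around the two conjuncts are also redundant in a plain conjunction.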
|
||||
|
||||
@@ -83,9 +83,9 @@ private module JxBrowserFlowConfig implements DataFlow::ConfigSig {
|
||||
|
||||
private module JxBrowserFlow = DataFlow::Global<JxBrowserFlowConfig>;
|
||||
|
||||
from DataFlow::Node src
|
||||
where
|
||||
deprecated query predicate problems(DataFlow::Node src, string message) {
|
||||
JxBrowserFlowConfig::isSource(src) and
|
||||
not JxBrowserFlow::flow(src, _) and
|
||||
not isSafeJxBrowserVersion()
|
||||
select src, "This JxBrowser instance may not check HTTPS certificates."
|
||||
not isSafeJxBrowserVersion() and
|
||||
message = "This JxBrowser instance may not check HTTPS certificates."
|
||||
}
|
||||
|
||||
@@ -25,6 +25,7 @@ private class HostnameVerificationCall extends MethodCall {
|
||||
predicate isIgnored() { this instanceof ValueDiscardingExpr }
|
||||
}
|
||||
|
||||
from HostnameVerificationCall verification
|
||||
where verification.isIgnored()
|
||||
select verification, "Ignored result of hostname verification."
|
||||
deprecated query predicate problems(HostnameVerificationCall verification, string message) {
|
||||
verification.isIgnored() and
|
||||
message = "Ignored result of hostname verification."
|
||||
}
|
||||
|
||||
@@ -104,8 +104,8 @@ predicate isInsecureSslEndpoint(MethodCall ma) {
|
||||
)
|
||||
}
|
||||
|
||||
from MethodCall ma
|
||||
where
|
||||
deprecated query predicate problems(MethodCall ma, string message) {
|
||||
isInsecureSslEndpoint(ma) and
|
||||
not isTestMethod(ma)
|
||||
select ma, "LDAPS configuration allows insecure endpoint identification."
|
||||
not isTestMethod(ma) and
|
||||
message = "LDAPS configuration allows insecure endpoint identification."
|
||||
}
|
||||
|
||||
@@ -12,9 +12,14 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import RevocationCheckingLib
|
||||
import DisabledRevocationCheckingFlow::PathGraph
|
||||
deprecated import RevocationCheckingLib
|
||||
deprecated import DisabledRevocationCheckingFlow::PathGraph
|
||||
|
||||
from DisabledRevocationCheckingFlow::PathNode source, DisabledRevocationCheckingFlow::PathNode sink
|
||||
where DisabledRevocationCheckingFlow::flowPath(source, sink)
|
||||
select source.getNode(), source, sink, "This disables revocation checking."
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sourceNode, DisabledRevocationCheckingFlow::PathNode source,
|
||||
DisabledRevocationCheckingFlow::PathNode sink, string message
|
||||
) {
|
||||
DisabledRevocationCheckingFlow::flowPath(source, sink) and
|
||||
sourceNode = source.getNode() and
|
||||
message = "This disables revocation checking."
|
||||
}
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import DataFlow
|
||||
|
||||
@@ -78,12 +78,14 @@ predicate isCreatingSafeAzureClientSideEncryptionObject(Call call, Class c, Expr
|
||||
)
|
||||
}
|
||||
|
||||
from Expr e, Class c
|
||||
where
|
||||
exists(Expr argVersion |
|
||||
isCreatingAzureClientSideEncryptionObjectNewVersion(e, c, argVersion) and
|
||||
not isCreatingSafeAzureClientSideEncryptionObject(e, c, argVersion)
|
||||
)
|
||||
or
|
||||
isCreatingOutdatedAzureClientSideEncryptionObject(e, c)
|
||||
select e, "Unsafe usage of v1 version of Azure Storage client-side encryption."
|
||||
deprecated query predicate problems(Expr e, string message) {
|
||||
exists(Class c |
|
||||
exists(Expr argVersion |
|
||||
isCreatingAzureClientSideEncryptionObjectNewVersion(e, c, argVersion) and
|
||||
not isCreatingSafeAzureClientSideEncryptionObject(e, c, argVersion)
|
||||
)
|
||||
or
|
||||
isCreatingOutdatedAzureClientSideEncryptionObject(e, c)
|
||||
) and
|
||||
message = "Unsafe usage of v1 version of Azure Storage client-side encryption."
|
||||
}
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.Encryption
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
|
||||
@@ -12,10 +12,16 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import SslLib
|
||||
import UnsafeTlsVersionFlow::PathGraph
|
||||
deprecated import SslLib
|
||||
deprecated import UnsafeTlsVersionFlow::PathGraph
|
||||
|
||||
from UnsafeTlsVersionFlow::PathNode source, UnsafeTlsVersionFlow::PathNode sink
|
||||
where UnsafeTlsVersionFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "$@ is unsafe.", source.getNode(),
|
||||
source.getNode().asExpr().(StringLiteral).getValue()
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, UnsafeTlsVersionFlow::PathNode source,
|
||||
UnsafeTlsVersionFlow::PathNode sink, string message1, DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
UnsafeTlsVersionFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "$@ is unsafe." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = source.getNode().asExpr().(StringLiteral).getValue()
|
||||
}
|
||||
|
||||
@@ -81,9 +81,14 @@ private module CorsOriginConfig implements DataFlow::ConfigSig {
|
||||
|
||||
private module CorsOriginFlow = TaintTracking::Global<CorsOriginConfig>;
|
||||
|
||||
from CorsOriginFlow::PathNode source, CorsOriginFlow::PathNode sink
|
||||
where
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, CorsOriginFlow::PathNode source, CorsOriginFlow::PathNode sink,
|
||||
string message1, DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
CorsOriginFlow::flowPath(source, sink) and
|
||||
not CorsSourceReachesCheckFlow::flow(source.getNode(), _)
|
||||
select sink.getNode(), source, sink, "CORS header is being set using user controlled value $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
not CorsSourceReachesCheckFlow::flow(sourceNode, _) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "CORS header is being set using user controlled value $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "user-provided value"
|
||||
}
|
||||
|
||||
@@ -12,9 +12,9 @@
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import JwtAuth0 as JwtAuth0
|
||||
deprecated import JwtAuth0 as JwtAuth0
|
||||
|
||||
module JwtDecodeConfig implements DataFlow::ConfigSig {
|
||||
deprecated module JwtDecodeConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source instanceof RemoteFlowSource and
|
||||
not FlowToJwtVerify::flow(source, _)
|
||||
@@ -41,19 +41,25 @@ module JwtDecodeConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module FlowToJwtVerifyConfig implements DataFlow::ConfigSig {
|
||||
deprecated module FlowToJwtVerifyConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(JwtAuth0::Verify a).getArgument(0) }
|
||||
}
|
||||
|
||||
module JwtDecode = TaintTracking::Global<JwtDecodeConfig>;
|
||||
deprecated module JwtDecode = TaintTracking::Global<JwtDecodeConfig>;
|
||||
|
||||
module FlowToJwtVerify = TaintTracking::Global<FlowToJwtVerifyConfig>;
|
||||
deprecated module FlowToJwtVerify = TaintTracking::Global<FlowToJwtVerifyConfig>;
|
||||
|
||||
import JwtDecode::PathGraph
|
||||
deprecated import JwtDecode::PathGraph
|
||||
|
||||
from JwtDecode::PathNode source, JwtDecode::PathNode sink
|
||||
where JwtDecode::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This parses a $@, but the signature is not verified.",
|
||||
source.getNode(), "JWT"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, JwtDecode::PathNode source, JwtDecode::PathNode sink, string message1,
|
||||
DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
JwtDecode::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "This parses a $@, but the signature is not verified." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "JWT"
|
||||
}
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
|
||||
class PayloadType extends RefType {
|
||||
|
||||
@@ -15,13 +15,13 @@ import java
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.security.Sanitizers
|
||||
import ClientSuppliedIpUsedInSecurityCheckLib
|
||||
import ClientSuppliedIpUsedInSecurityCheckFlow::PathGraph
|
||||
deprecated import ClientSuppliedIpUsedInSecurityCheckLib
|
||||
deprecated import ClientSuppliedIpUsedInSecurityCheckFlow::PathGraph
|
||||
|
||||
/**
|
||||
* Taint-tracking configuration tracing flow from obtaining a client ip from an HTTP header to a sensitive use.
|
||||
*/
|
||||
module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::ConfigSig {
|
||||
deprecated module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source instanceof ClientSuppliedIpUsedInSecurityCheck
|
||||
}
|
||||
@@ -43,12 +43,17 @@ module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::ConfigSig
|
||||
}
|
||||
}
|
||||
|
||||
module ClientSuppliedIpUsedInSecurityCheckFlow =
|
||||
deprecated module ClientSuppliedIpUsedInSecurityCheckFlow =
|
||||
TaintTracking::Global<ClientSuppliedIpUsedInSecurityCheckConfig>;
|
||||
|
||||
from
|
||||
ClientSuppliedIpUsedInSecurityCheckFlow::PathNode source,
|
||||
ClientSuppliedIpUsedInSecurityCheckFlow::PathNode sink
|
||||
where ClientSuppliedIpUsedInSecurityCheckFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "IP address spoofing might include code from $@.",
|
||||
source.getNode(), "this user input"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, ClientSuppliedIpUsedInSecurityCheckFlow::PathNode source,
|
||||
ClientSuppliedIpUsedInSecurityCheckFlow::PathNode sink, string message1,
|
||||
DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
ClientSuppliedIpUsedInSecurityCheckFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "IP address spoofing might include code from $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "this user input"
|
||||
}
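Review bot: `message1` reads "IP address spoofing might include code from $@.", which does not describe what this query reports. The configuration's own QLDoc says it traces a client IP taken from an HTTP header to a sensitive use, and the wording looks carried over from the JSONP query's message. A message that names the finding helps triage, for example `message1 = "Security check uses a client-supplied IP address from $@." and`. The text is copied unchanged from the removed `select`, so any test expectations would need updating with it.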
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import DataFlow
|
||||
import semmle.code.java.frameworks.Networking
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
@@ -16,11 +16,11 @@ import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.deadcode.WebEntryPoints
|
||||
import semmle.code.java.security.XSS
|
||||
import JsonpInjectionLib
|
||||
import RequestResponseFlow::PathGraph
|
||||
deprecated import JsonpInjectionLib
|
||||
deprecated import RequestResponseFlow::PathGraph
|
||||
|
||||
/** Taint-tracking configuration tracing flow from get method request sources to output jsonp data. */
|
||||
module RequestResponseFlowConfig implements DataFlow::ConfigSig {
|
||||
deprecated module RequestResponseFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source instanceof ActiveThreatModelSource and
|
||||
any(RequestGetMethod m).polyCalls*(source.getEnclosingCallable())
|
||||
@@ -38,11 +38,16 @@ module RequestResponseFlowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module RequestResponseFlow = TaintTracking::Global<RequestResponseFlowConfig>;
|
||||
deprecated module RequestResponseFlow = TaintTracking::Global<RequestResponseFlowConfig>;
|
||||
|
||||
from RequestResponseFlow::PathNode source, RequestResponseFlow::PathNode sink
|
||||
where
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, RequestResponseFlow::PathNode source, RequestResponseFlow::PathNode sink,
|
||||
string message1, DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
RequestResponseFlow::flowPath(source, sink) and
|
||||
JsonpInjectionFlow::flowTo(sink.getNode())
|
||||
select sink.getNode(), source, sink, "Jsonp response might include code from $@.", source.getNode(),
|
||||
"this user input"
|
||||
JsonpInjectionFlow::flowTo(sink.getNode()) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "Jsonp response might include code from $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "this user input"
|
||||
}
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
private import JsonStringLib
|
||||
private import semmle.code.java.security.XSS
|
||||
|
||||
@@ -10,10 +10,10 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import ThreadResourceAbuse
|
||||
deprecated import ThreadResourceAbuse
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import ThreadResourceAbuseFlow::PathGraph
|
||||
deprecated import ThreadResourceAbuseFlow::PathGraph
|
||||
|
||||
/** The `getInitParameter` method of servlet or JSF. */
|
||||
class GetInitParameter extends Method {
|
||||
@@ -42,7 +42,7 @@ class InitParameterInput extends LocalUserInput {
|
||||
}
|
||||
|
||||
/** Taint configuration of uncontrolled thread resource consumption from local user input. */
|
||||
module ThreadResourceAbuseConfig implements DataFlow::ConfigSig {
|
||||
deprecated module ThreadResourceAbuseConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof PauseThreadSink }
|
||||
@@ -63,9 +63,16 @@ module ThreadResourceAbuseConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module ThreadResourceAbuseFlow = TaintTracking::Global<ThreadResourceAbuseConfig>;
|
||||
deprecated module ThreadResourceAbuseFlow = TaintTracking::Global<ThreadResourceAbuseConfig>;
|
||||
|
||||
from ThreadResourceAbuseFlow::PathNode source, ThreadResourceAbuseFlow::PathNode sink
|
||||
where ThreadResourceAbuseFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Possible uncontrolled resource consumption due to $@.",
|
||||
source.getNode(), "local user-provided value"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, ThreadResourceAbuseFlow::PathNode source,
|
||||
ThreadResourceAbuseFlow::PathNode sink, string message1, DataFlow::Node sourceNode,
|
||||
string message2
|
||||
) {
|
||||
ThreadResourceAbuseFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "Possible uncontrolled resource consumption due to $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "local user-provided value"
|
||||
}
|
||||
|
||||
@@ -11,12 +11,12 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import ThreadResourceAbuse
|
||||
deprecated import ThreadResourceAbuse
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import ThreadResourceAbuseFlow::PathGraph
|
||||
deprecated import ThreadResourceAbuseFlow::PathGraph
|
||||
|
||||
/** Taint configuration of uncontrolled thread resource consumption. */
|
||||
module ThreadResourceAbuseConfig implements DataFlow::ConfigSig {
|
||||
deprecated module ThreadResourceAbuseConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof PauseThreadSink }
|
||||
@@ -37,10 +37,16 @@ module ThreadResourceAbuseConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module ThreadResourceAbuseFlow = TaintTracking::Global<ThreadResourceAbuseConfig>;
|
||||
deprecated module ThreadResourceAbuseFlow = TaintTracking::Global<ThreadResourceAbuseConfig>;
|
||||
|
||||
from ThreadResourceAbuseFlow::PathNode source, ThreadResourceAbuseFlow::PathNode sink
|
||||
where ThreadResourceAbuseFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"Vulnerability of uncontrolled resource consumption due to $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, ThreadResourceAbuseFlow::PathNode source,
|
||||
ThreadResourceAbuseFlow::PathNode sink, string message1, DataFlow::Node sourceNode,
|
||||
string message2
|
||||
) {
|
||||
ThreadResourceAbuseFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "Vulnerability of uncontrolled resource consumption due to $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "user-provided value"
|
||||
}
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
/** Provides sink models and classes related to pausing thread operations. */
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
|
||||
@@ -82,7 +82,13 @@ module InsecureLoadFlow = TaintTracking::Global<InsecureLoadingConfig>;
|
||||
|
||||
import InsecureLoadFlow::PathGraph
|
||||
|
||||
from InsecureLoadFlow::PathNode source, InsecureLoadFlow::PathNode sink
|
||||
where InsecureLoadFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Class loaded from a $@ without signature check",
|
||||
source.getNode(), "third party library"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, InsecureLoadFlow::PathNode source, InsecureLoadFlow::PathNode sink,
|
||||
string message1, DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
InsecureLoadFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "Class loaded from a $@ without signature check" and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "third party library"
|
||||
}
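Review bot: `message1 = "Class loaded from a $@ without signature check"` has no closing full stop, unlike the other alert messages converted on this page. Since the string is being moved into the predicate anyway, `message1 = "Class loaded from a $@ without signature check." and` would bring it in line. The text is copied from the removed `select`, and the enclosing query file starts outside the hunk.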
|
||||
|
||||
@@ -13,11 +13,11 @@
|
||||
|
||||
import java
|
||||
import DataFlow
|
||||
import UnsafeReflectionLib
|
||||
deprecated import UnsafeReflectionLib
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.controlflow.Guards
|
||||
import UnsafeReflectionFlow::PathGraph
|
||||
deprecated import UnsafeReflectionFlow::PathGraph
|
||||
|
||||
private predicate containsSanitizer(Guard g, Expr e, boolean branch) {
|
||||
g.(MethodCall).getMethod().hasName("contains") and
|
||||
@@ -31,7 +31,7 @@ private predicate equalsSanitizer(Guard g, Expr e, boolean branch) {
|
||||
branch = true
|
||||
}
|
||||
|
||||
module UnsafeReflectionConfig implements DataFlow::ConfigSig {
|
||||
deprecated module UnsafeReflectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeReflectionSink }
|
||||
@@ -79,19 +79,25 @@ module UnsafeReflectionConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module UnsafeReflectionFlow = TaintTracking::Global<UnsafeReflectionConfig>;
|
||||
deprecated module UnsafeReflectionFlow = TaintTracking::Global<UnsafeReflectionConfig>;
|
||||
|
||||
private Expr getAMethodArgument(MethodCall reflectiveCall) {
|
||||
deprecated private Expr getAMethodArgument(MethodCall reflectiveCall) {
|
||||
result = reflectiveCall.(NewInstance).getAnArgument()
|
||||
or
|
||||
result = reflectiveCall.(MethodInvokeCall).getAnArgument()
|
||||
}
|
||||
|
||||
from
|
||||
UnsafeReflectionFlow::PathNode source, UnsafeReflectionFlow::PathNode sink,
|
||||
MethodCall reflectiveCall
|
||||
where
|
||||
UnsafeReflectionFlow::flowPath(source, sink) and
|
||||
sink.getNode().asExpr() = reflectiveCall.getQualifier() and
|
||||
UnsafeReflectionFlow::flowToExpr(getAMethodArgument(reflectiveCall))
|
||||
select sink.getNode(), source, sink, "Unsafe reflection of $@.", source.getNode(), "user input"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, UnsafeReflectionFlow::PathNode source,
|
||||
UnsafeReflectionFlow::PathNode sink, string message1, DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
exists(MethodCall reflectiveCall |
|
||||
UnsafeReflectionFlow::flowPath(source, sink) and
|
||||
sinkNode.asExpr() = reflectiveCall.getQualifier() and
|
||||
UnsafeReflectionFlow::flowToExpr(getAMethodArgument(reflectiveCall))
|
||||
) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "Unsafe reflection of $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "user input"
|
||||
}
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import DataFlow
|
||||
import semmle.code.java.Reflection
|
||||
|
||||
@@ -12,10 +12,10 @@
|
||||
|
||||
import java
|
||||
import semmle.code.java.J2EE
|
||||
import TestLib
|
||||
deprecated import TestLib
|
||||
|
||||
/** The `main` method in an Enterprise Java Bean. */
|
||||
class EnterpriseBeanMainMethod extends Method {
|
||||
deprecated class EnterpriseBeanMainMethod extends Method {
|
||||
EnterpriseBeanMainMethod() {
|
||||
this.getDeclaringType() instanceof EnterpriseBean and
|
||||
this instanceof MainMethod and
|
||||
@@ -23,5 +23,6 @@ class EnterpriseBeanMainMethod extends Method {
|
||||
}
|
||||
}
|
||||
|
||||
from EnterpriseBeanMainMethod sm
|
||||
select sm, "Java EE application has a main method."
|
||||
deprecated query predicate problems(EnterpriseBeanMainMethod sm, string message) {
|
||||
exists(sm) and message = "Java EE application has a main method."
|
||||
}
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
/** Definitions related to test methods. */
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
|
||||
import java
|
||||
import semmle.code.java.frameworks.Servlets
|
||||
import TestLib
|
||||
deprecated import TestLib
|
||||
|
||||
/** The java type `javax.servlet.Filter`. */
|
||||
class ServletFilterClass extends Class {
|
||||
@@ -32,7 +32,7 @@ class ServletListenerClass extends Class {
|
||||
}
|
||||
|
||||
/** The `main` method in `Servlet` and `Action` of the Spring and Struts framework. */
|
||||
class WebComponentMainMethod extends Method {
|
||||
deprecated class WebComponentMainMethod extends Method {
|
||||
WebComponentMainMethod() {
|
||||
(
|
||||
this.getDeclaringType() instanceof ServletClass or
|
||||
@@ -54,5 +54,6 @@ class WebComponentMainMethod extends Method {
|
||||
}
|
||||
}
|
||||
|
||||
from WebComponentMainMethod sm
|
||||
select sm, "Web application has a main method."
|
||||
deprecated query predicate problems(WebComponentMainMethod sm, string message) {
|
||||
exists(sm) and message = "Web application has a main method."
|
||||
}
|
||||
|
||||
@@ -12,14 +12,14 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import experimental.semmle.code.xml.StrutsXML
|
||||
deprecated import experimental.semmle.code.xml.StrutsXML
|
||||
|
||||
bindingset[path]
|
||||
predicate isLikelyDemoProject(string path) { path.regexpMatch("(?i).*(demo|test|example).*") }
|
||||
|
||||
from ConstantParameter c
|
||||
where
|
||||
deprecated query predicate problems(ConstantParameter c, string message) {
|
||||
c.getNameValue() = "struts.devMode" and
|
||||
c.getValueValue() = "true" and
|
||||
not isLikelyDemoProject(c.getFile().getRelativePath())
|
||||
select c, "Enabling development mode in production environments is dangerous."
|
||||
not isLikelyDemoProject(c.getFile().getRelativePath()) and
|
||||
message = "Enabling development mode in production environments is dangerous."
|
||||
}
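Review bot: The `not isLikelyDemoProject(c.getFile().getRelativePath())` conjunct kept in `problems` suppresses the alert for any file whose relative path merely contains `demo`, `test` or `example` as a substring, because the pattern is `(?i).*(demo|test|example).*`. A production Struts configuration under a directory such as `latest/` or `contest/` would be skipped, leaving `struts.devMode=true` unreported. Matching whole path segments would narrow the exclusion, e.g. `path.regexpMatch("(?i)(.*/)?(demo|test|example)s?/.*")`, at the cost of reporting more sample projects. `isLikelyDemoProject` is unchanged context in this hunk, so this is a follow-up rather than a regression.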
|
||||
|
||||
@@ -73,6 +73,11 @@ private module BindingUnsafeRemoteObjectConfig implements DataFlow::ConfigSig {
|
||||
private module BindingUnsafeRemoteObjectFlow =
|
||||
TaintTracking::Global<BindingUnsafeRemoteObjectConfig>;
|
||||
|
||||
from BindingUnsafeRemoteObjectFlow::PathNode source, BindingUnsafeRemoteObjectFlow::PathNode sink
|
||||
where BindingUnsafeRemoteObjectFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Unsafe deserialization in a remote object."
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, BindingUnsafeRemoteObjectFlow::PathNode source,
|
||||
BindingUnsafeRemoteObjectFlow::PathNode sink, string message
|
||||
) {
|
||||
BindingUnsafeRemoteObjectFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message = "Unsafe deserialization in a remote object."
|
||||
}
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import UnsafeSpringExporterLib
|
||||
deprecated import UnsafeSpringExporterLib
|
||||
|
||||
/**
|
||||
* Holds if `type` is a Spring configuration that declares beans.
|
||||
@@ -34,7 +34,7 @@ private predicate isConfigurationAnnotation(Annotation annotation) {
|
||||
/**
|
||||
* A method that initializes a unsafe bean based on `RemoteInvocationSerializingExporter`.
|
||||
*/
|
||||
private class UnsafeBeanInitMethod extends Method {
|
||||
deprecated private class UnsafeBeanInitMethod extends Method {
|
||||
string identifier;
|
||||
|
||||
UnsafeBeanInitMethod() {
|
||||
@@ -54,6 +54,6 @@ private class UnsafeBeanInitMethod extends Method {
|
||||
string getBeanIdentifier() { result = identifier }
|
||||
}
|
||||
|
||||
from UnsafeBeanInitMethod method
|
||||
select method,
|
||||
"Unsafe deserialization in a Spring exporter bean '" + method.getBeanIdentifier() + "'."
|
||||
deprecated query predicate problems(UnsafeBeanInitMethod method, string message) {
|
||||
message = "Unsafe deserialization in a Spring exporter bean '" + method.getBeanIdentifier() + "'."
|
||||
}
|
||||
|
||||
@@ -14,8 +14,9 @@
|
||||
|
||||
import java
|
||||
import semmle.code.java.frameworks.spring.SpringBean
|
||||
import UnsafeSpringExporterLib
|
||||
deprecated import UnsafeSpringExporterLib
|
||||
|
||||
from SpringBean bean
|
||||
where isRemoteInvocationSerializingExporter(bean.getClass())
|
||||
select bean, "Unsafe deserialization in a Spring exporter bean '" + bean.getBeanIdentifier() + "'."
|
||||
deprecated query predicate problems(SpringBean bean, string message) {
|
||||
isRemoteInvocationSerializingExporter(bean.getClass()) and
|
||||
message = "Unsafe deserialization in a Spring exporter bean '" + bean.getBeanIdentifier() + "'."
|
||||
}
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
|
||||
/**
|
||||
|
||||
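Review bot: `deprecated module;` is added here without any QLDoc telling a reader why the library is deprecated or what to use instead; as shown, the file opens directly with the annotation. A one-line module comment before it would cover that, for example `/** DEPRECATED: This library only supports deprecated experimental queries. */`, with the wording adjusted to the actual reason, which the page does not state. The same applies to the later hunks on this page that add a bare `deprecated module;` line.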
@@ -12,10 +12,16 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import experimental.semmle.code.java.security.DecompressionBombQuery
|
||||
import DecompressionBombsFlow::PathGraph
|
||||
deprecated import experimental.semmle.code.java.security.DecompressionBombQuery
|
||||
deprecated import DecompressionBombsFlow::PathGraph
|
||||
|
||||
from DecompressionBombsFlow::PathNode source, DecompressionBombsFlow::PathNode sink
|
||||
where DecompressionBombsFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This file extraction depends on a $@.", source.getNode(),
|
||||
"potentially untrusted source"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, DecompressionBombsFlow::PathNode source,
|
||||
DecompressionBombsFlow::PathNode sink, string message1, DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
DecompressionBombsFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "This file extraction depends on a $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "potentially untrusted source"
|
||||
}
|
||||
|
||||
@@ -46,6 +46,7 @@ class DirectoryListingInitParam extends WebXmlElement {
|
||||
}
|
||||
}
|
||||
|
||||
from DirectoryListingInitParam initp
|
||||
where initp.isListingEnabled()
|
||||
select initp, "Directory listing should be disabled to mitigate filename and path disclosure."
|
||||
deprecated query predicate problems(DirectoryListingInitParam initp, string message) {
|
||||
initp.isListingEnabled() and
|
||||
message = "Directory listing should be disabled to mitigate filename and path disclosure."
|
||||
}
|
||||
|
||||
@@ -21,17 +21,18 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import experimental.semmle.code.java.frameworks.CredentialsInPropertiesFile
|
||||
deprecated import experimental.semmle.code.java.frameworks.CredentialsInPropertiesFile
|
||||
|
||||
/**
|
||||
* Holds if the credentials are in a non-production properties file indicated by:
|
||||
* a) in a non-production directory
|
||||
* b) with a non-production file name
|
||||
*/
|
||||
predicate isNonProdCredentials(CredentialsConfig cc) {
|
||||
deprecated predicate isNonProdCredentials(CredentialsConfig cc) {
|
||||
cc.getFile().getAbsolutePath().matches(["%dev%", "%test%", "%sample%"])
|
||||
}
|
||||
|
||||
from CredentialsConfig cc
|
||||
where not isNonProdCredentials(cc)
|
||||
select cc, cc.getConfigDesc()
|
||||
deprecated query predicate problems(CredentialsConfig cc, string message) {
|
||||
not isNonProdCredentials(cc) and
|
||||
message = cc.getConfigDesc()
|
||||
}
|
||||
|
||||
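Review bot: `isNonProdCredentials` tests `cc.getFile().getAbsolutePath()`, so the directory the project was checked out or built in takes part in the match. A source root under a path containing `dev`, `test` or `sample` would exclude every `CredentialsConfig`, and the new `problems` predicate would then report nothing. Matching the path relative to the source root keeps the filter about the project's own layout: `cc.getFile().getRelativePath().matches(["%dev%", "%test%", "%sample%"])`. The substring patterns stay broad either way (`%dev%` also matches `device`), which the QLDoc above the predicate could state.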
@@ -33,20 +33,22 @@ predicate hasEmbeddedPassword(string value) {
|
||||
)
|
||||
}
|
||||
|
||||
from XmlAttribute nameAttr
|
||||
where
|
||||
nameAttr.getName().toLowerCase() in ["password", "pwd"] and
|
||||
not isNotPassword(nameAttr.getValue().trim()) // Attribute name "password" or "pwd"
|
||||
or
|
||||
exists(
|
||||
XmlAttribute valueAttr // name/value pair like <property name="password" value="mysecret"/>
|
||||
|
|
||||
valueAttr.getElement() = nameAttr.getElement() and
|
||||
nameAttr.getName().toLowerCase() = "name" and
|
||||
nameAttr.getValue().toLowerCase() in ["password", "pwd"] and
|
||||
valueAttr.getName().toLowerCase() = "value" and
|
||||
not isNotPassword(valueAttr.getValue().trim())
|
||||
)
|
||||
or
|
||||
hasEmbeddedPassword(nameAttr.getValue().trim()) // Attribute value matches password pattern
|
||||
select nameAttr, "Avoid plaintext passwords in configuration files."
|
||||
deprecated query predicate problems(XmlAttribute nameAttr, string message) {
|
||||
(
|
||||
nameAttr.getName().toLowerCase() in ["password", "pwd"] and
|
||||
not isNotPassword(nameAttr.getValue().trim()) // Attribute name "password" or "pwd"
|
||||
or
|
||||
exists(
|
||||
XmlAttribute valueAttr // name/value pair like <property name="password" value="mysecret"/>
|
||||
|
|
||||
valueAttr.getElement() = nameAttr.getElement() and
|
||||
nameAttr.getName().toLowerCase() = "name" and
|
||||
nameAttr.getValue().toLowerCase() in ["password", "pwd"] and
|
||||
valueAttr.getName().toLowerCase() = "value" and
|
||||
not isNotPassword(valueAttr.getValue().trim())
|
||||
)
|
||||
or
|
||||
hasEmbeddedPassword(nameAttr.getValue().trim()) // Attribute value matches password pattern
|
||||
) and
|
||||
message = "Avoid plaintext passwords in configuration files."
|
||||
}
|
||||
|
||||
@@ -73,8 +73,13 @@ module SensitiveGetQueryConfig implements DataFlow::ConfigSig {
|
||||
|
||||
module SensitiveGetQueryFlow = TaintTracking::Global<SensitiveGetQueryConfig>;
|
||||
|
||||
from SensitiveGetQueryFlow::PathNode source, SensitiveGetQueryFlow::PathNode sink
|
||||
where SensitiveGetQueryFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"$@ uses the GET request method to transmit sensitive information.", source.getNode(),
|
||||
"This request"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, SensitiveGetQueryFlow::PathNode source,
|
||||
SensitiveGetQueryFlow::PathNode sink, string message1, DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
SensitiveGetQueryFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "$@ uses the GET request method to transmit sensitive information." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "This request"
|
||||
}
|
||||
|
||||
@@ -74,7 +74,15 @@ module UncaughtServletExceptionConfig implements DataFlow::ConfigSig {
|
||||
|
||||
module UncaughtServletExceptionFlow = TaintTracking::Global<UncaughtServletExceptionConfig>;
|
||||
|
||||
from UncaughtServletExceptionFlow::PathNode source, UncaughtServletExceptionFlow::PathNode sink
|
||||
where UncaughtServletExceptionFlow::flowPath(source, sink) and not hasErrorPage()
|
||||
select sink.getNode(), source, sink, "This value depends on a $@ and can throw uncaught exception.",
|
||||
source.getNode(), "user-provided value"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, UncaughtServletExceptionFlow::PathNode source,
|
||||
UncaughtServletExceptionFlow::PathNode sink, string message1, DataFlow::Node sourceNode,
|
||||
string message2
|
||||
) {
|
||||
UncaughtServletExceptionFlow::flowPath(source, sink) and
|
||||
not hasErrorPage() and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "This value depends on a $@ and can throw uncaught exception." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "user-provided value"
|
||||
}
|
||||
|
||||
@@ -12,10 +12,10 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import experimental.semmle.code.java.security.SpringUrlRedirect
|
||||
deprecated import experimental.semmle.code.java.security.SpringUrlRedirect
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.controlflow.Guards
|
||||
import SpringUrlRedirectFlow::PathGraph
|
||||
deprecated import SpringUrlRedirectFlow::PathGraph
|
||||
|
||||
private predicate startsWithSanitizer(Guard g, Expr e, boolean branch) {
|
||||
g.(MethodCall).getMethod().hasName("startsWith") and
|
||||
@@ -25,7 +25,7 @@ private predicate startsWithSanitizer(Guard g, Expr e, boolean branch) {
|
||||
branch = true
|
||||
}
|
||||
|
||||
module SpringUrlRedirectFlowConfig implements DataFlow::ConfigSig {
|
||||
deprecated module SpringUrlRedirectFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof SpringUrlRedirectSink }
|
||||
@@ -60,9 +60,15 @@ module SpringUrlRedirectFlowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module SpringUrlRedirectFlow = TaintTracking::Global<SpringUrlRedirectFlowConfig>;
|
||||
deprecated module SpringUrlRedirectFlow = TaintTracking::Global<SpringUrlRedirectFlowConfig>;
|
||||
|
||||
from SpringUrlRedirectFlow::PathNode source, SpringUrlRedirectFlow::PathNode sink
|
||||
where SpringUrlRedirectFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Potentially untrusted URL redirection due to $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, SpringUrlRedirectFlow::PathNode source,
|
||||
SpringUrlRedirectFlow::PathNode sink, string message1, DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
SpringUrlRedirectFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "Potentially untrusted URL redirection due to $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "user-provided value"
|
||||
}
|
||||
|
||||
@@ -14,10 +14,16 @@
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import MatchRegexFlow::PathGraph
|
||||
import PermissiveDotRegexQuery
|
||||
deprecated import MatchRegexFlow::PathGraph
|
||||
deprecated import PermissiveDotRegexQuery
|
||||
|
||||
from MatchRegexFlow::PathNode source, MatchRegexFlow::PathNode sink
|
||||
where MatchRegexFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Potentially authentication bypass due to $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, MatchRegexFlow::PathNode source, MatchRegexFlow::PathNode sink,
|
||||
string message1, DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
MatchRegexFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "Potentially authentication bypass due to $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "user-provided value"
|
||||
}
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
/** Provides classes related to security-centered regular expression matching. */
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
private import semmle.code.java.dataflow.ExternalFlow
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
/** Provides methods related to regular expression matching. */
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
|
||||
|
||||
@@ -13,13 +13,13 @@
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import XQueryInjectionLib
|
||||
import XQueryInjectionFlow::PathGraph
|
||||
deprecated import XQueryInjectionLib
|
||||
deprecated import XQueryInjectionFlow::PathGraph
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration tracing flow from remote sources, through an XQuery parser, to its eventual execution.
|
||||
*/
|
||||
module XQueryInjectionConfig implements DataFlow::ConfigSig {
|
||||
deprecated module XQueryInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
@@ -39,9 +39,15 @@ module XQueryInjectionConfig implements DataFlow::ConfigSig {
|
||||
/**
|
||||
* Taint-tracking flow from remote sources, through an XQuery parser, to its eventual execution.
|
||||
*/
|
||||
module XQueryInjectionFlow = TaintTracking::Global<XQueryInjectionConfig>;
|
||||
deprecated module XQueryInjectionFlow = TaintTracking::Global<XQueryInjectionConfig>;
|
||||
|
||||
from XQueryInjectionFlow::PathNode source, XQueryInjectionFlow::PathNode sink
|
||||
where XQueryInjectionFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "XQuery query might include code from $@.", source.getNode(),
|
||||
"this user input"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, XQueryInjectionFlow::PathNode source, XQueryInjectionFlow::PathNode sink,
|
||||
string message1, DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
XQueryInjectionFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "XQuery query might include code from $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "this user input"
|
||||
}
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
|
||||
/** A call to `XQConnection.prepareExpression`. */
|
||||
|
||||
@@ -83,9 +83,10 @@ string getRmiResult(Expr e) {
|
||||
"RMI/JMX server initialized with insecure environment $@, which never restricts accepted client objects to 'java.lang.String'. This exposes to deserialization attacks against the RMI authentication method."
|
||||
}
|
||||
|
||||
from Call c, Expr envArg
|
||||
where
|
||||
deprecated query predicate problems(Call c, string message1, Expr envArg, string message2) {
|
||||
(isRmiOrJmxServerCreateConstructor(c.getCallee()) or isRmiOrJmxServerCreateMethod(c.getCallee())) and
|
||||
envArg = c.getArgument(1) and
|
||||
not SafeFlow::flowToExpr(envArg)
|
||||
select c, getRmiResult(envArg), envArg, envArg.toString()
|
||||
not SafeFlow::flowToExpr(envArg) and
|
||||
message1 = getRmiResult(envArg) and
|
||||
message2 = envArg.toString()
|
||||
}
|
||||
|
||||
@@ -42,8 +42,13 @@ module NfeLocalDoSConfig implements DataFlow::ConfigSig {
|
||||
|
||||
module NfeLocalDoSFlow = TaintTracking::Global<NfeLocalDoSConfig>;
|
||||
|
||||
from NfeLocalDoSFlow::PathNode source, NfeLocalDoSFlow::PathNode sink
|
||||
where NfeLocalDoSFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"Uncaught NumberFormatException in an exported Android component due to $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
deprecated query predicate problems(
|
||||
DataFlow::Node sinkNode, NfeLocalDoSFlow::PathNode source, NfeLocalDoSFlow::PathNode sink,
|
||||
string message1, DataFlow::Node sourceNode, string message2
|
||||
) {
|
||||
NfeLocalDoSFlow::flowPath(source, sink) and
|
||||
sinkNode = sink.getNode() and
|
||||
message1 = "Uncaught NumberFormatException in an exported Android component due to $@." and
|
||||
sourceNode = source.getNode() and
|
||||
message2 = "user-provided value"
|
||||
}
|
||||
|
||||
@@ -174,6 +174,14 @@ module HashWithoutSaltConfig implements DataFlow::ConfigSig {
|
||||
|
||||
module HashWithoutSaltFlow = TaintTracking::Global<HashWithoutSaltConfig>;
|
||||
|
||||
from HashWithoutSaltFlow::PathNode source, HashWithoutSaltFlow::PathNode sink
|
||||
where HashWithoutSaltFlow::flowPath(source, sink)
|
||||
select sink, source, sink, "$@ is hashed without a salt.", source, "The password"
|
||||
deprecated query predicate problems(
|
||||
HashWithoutSaltFlow::PathNode sink, HashWithoutSaltFlow::PathNode source,
|
||||
HashWithoutSaltFlow::PathNode sink0, string message1, HashWithoutSaltFlow::PathNode source0,
|
||||
string message2
|
||||
) {
|
||||
HashWithoutSaltFlow::flowPath(source, sink) and
|
||||
sink = sink0 and
|
||||
source = source0 and
|
||||
message1 = "$@ is hashed without a salt." and
|
||||
message2 = "The password"
|
||||
}
|
||||
|
||||
@@ -88,6 +88,11 @@ class HostVerificationMethodCall extends MethodCall {
|
||||
}
|
||||
}
|
||||
|
||||
from UriGetHostMethod um, MethodCall uma, HostVerificationMethodCall hma
|
||||
where hma.getQualifier() = uma and uma.getMethod() = um
|
||||
select hma, "Method has potentially $@.", hma.getArgument(0), "improper URL verification"
|
||||
deprecated query predicate problems(
|
||||
HostVerificationMethodCall hma, string message1, Expr arg, string message2
|
||||
) {
|
||||
exists(UriGetHostMethod um, MethodCall uma | hma.getQualifier() = uma and uma.getMethod() = um) and
|
||||
message1 = "Method has potentially $@." and
|
||||
arg = hma.getArgument(0) and
|
||||
message2 = "improper URL verification"
|
||||
}
|
||||
|
||||
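Review bot: The `exists` on the first line of the new `problems` body introduces `um` and `uma` only to chain two calls, which can be written without quantified variables as `hma.getQualifier().(MethodCall).getMethod() instanceof UriGetHostMethod`. That leaves the body as four plain conjuncts and should select the same calls. The `HostVerificationMethodCall` class referenced here begins outside the hunk.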
@@ -1,6 +1,7 @@
|
||||
/**
|
||||
* Provides classes for analyzing properties files.
|
||||
*/
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import semmle.code.configfiles.ConfigFiles
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
/**
|
||||
* Provides classes and predicates for working with the Java Server Faces (JSF).
|
||||
*/
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
/**
|
||||
* Provides classes for working with resource loading in Spring.
|
||||
*/
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
private import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
private import semmle.code.java.dataflow.TaintTracking
|
||||
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import experimental.semmle.code.java.security.FileAndFormRemoteSource
|
||||
import experimental.semmle.code.java.security.DecompressionBomb::DecompressionBomb
|
||||
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
/** Provides classes and predicates related to Spring URL redirect. */
|
||||
deprecated module;
|
||||
|
||||
private import java
|
||||
private import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
deprecated module;
|
||||
|
||||
import java
|
||||
|
||||
/**
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
import java
|
||||
import experimental.semmle.code.java.security.DecompressionBombQuery
|
||||
deprecated import experimental.semmle.code.java.security.DecompressionBombQuery
|
||||
import utils.test.InlineFlowTest
|
||||
import TaintFlowTestArgString<DecompressionBombsConfig, getArgString/2>
|
||||
deprecated import TaintFlowTestArgString<DecompressionBombsConfig, getArgString/2>
|
||||
|
||||
string getArgString(DataFlow::Node src, DataFlow::Node sink) {
|
||||
exists(src) and
|
||||
|
||||
@@ -4,7 +4,8 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import experimental.semmle.code.java.frameworks.CredentialsInPropertiesFile
|
||||
deprecated import experimental.semmle.code.java.frameworks.CredentialsInPropertiesFile
|
||||
|
||||
from CredentialsConfig cc
|
||||
select cc, cc.getConfigDesc()
|
||||
deprecated query predicate problems(CredentialsConfig cc, string message) {
|
||||
message = cc.getConfigDesc()
|
||||
}
|
||||
|
||||