mirror of
https://github.com/github/codeql.git
Merge branch 'main' into redsun82/kotlin
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* JDK version detection based on Gradle projects has been improved. Java extraction using build-modes `autobuild` or `none` is more likely to pick an appropriate JDK version, particularly when the Android Gradle Plugin or Spring Boot Plugin are in use.
|
||||
@@ -6,6 +6,7 @@ import semmle.code.java.security.PathSanitizer
|
||||
private import semmle.code.java.dataflow.ExternalFlow
|
||||
private import semmle.code.java.dataflow.FlowSources
|
||||
private import semmle.code.java.security.PathCreation
|
||||
private import semmle.code.java.security.Sanitizers
|
||||
|
||||
/**
|
||||
* A method that returns the name of an archive entry.
|
||||
@@ -39,7 +40,10 @@ module ZipSlipConfig implements DataFlow::ConfigSig {
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof FileCreationSink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof PathInjectionSanitizer }
|
||||
predicate isBarrier(DataFlow::Node node) {
|
||||
node instanceof SimpleTypeSanitizer or
|
||||
node instanceof PathInjectionSanitizer
|
||||
}
|
||||
}
|
||||
|
||||
/** Tracks flow from archive entries to file creation. */
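Review bot: The widened `isBarrier` in `ZipSlipConfig` has no comment saying why a `SimpleTypeSanitizer` node is safe for this query, and the part of the commit visible here has no test that pins the false positive being removed. A barrier that is too broad silently drops real zip-slip paths, so I would add a QLDoc line above the predicate such as `/** Holds for nodes that cannot carry a path traversal payload: values of simple types and paths already checked by a path sanitizer. */`. I would also add a test in which an entry-derived value of such a type reaches a file-creation sink. `SimpleTypeSanitizer` is defined in `semmle.code.java.security.Sanitizers`, which is not shown on this page, so the exact set of types it covers should be confirmed there before relying on it as a barrier.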
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The sanitizer of the query `java/zipslip` has been improved to include nodes that are safe due to having certain safe types. This reduces false positives.
|
||||
@@ -6,6 +6,29 @@
|
||||
private import CaptureModelsSpecific
|
||||
private import CaptureModelsPrinting
|
||||
|
||||
/**
|
||||
* A node from which flow can return to the caller. This is either a regular
|
||||
* `ReturnNode` or a `PostUpdateNode` corresponding to the value of a parameter.
|
||||
*/
|
||||
private class ReturnNodeExt extends DataFlow::Node {
|
||||
private DataFlowImplCommon::ReturnKindExt kind;
|
||||
|
||||
ReturnNodeExt() {
|
||||
kind = DataFlowImplCommon::getValueReturnPosition(this).getKind() or
|
||||
kind = DataFlowImplCommon::getParamReturnPosition(this, _).getKind()
|
||||
}
|
||||
|
||||
string getOutput() {
|
||||
kind instanceof DataFlowImplCommon::ValueReturnKind and
|
||||
result = "ReturnValue"
|
||||
or
|
||||
exists(ParameterPosition pos |
|
||||
pos = kind.(DataFlowImplCommon::ParamUpdateReturnKind).getPosition() and
|
||||
result = paramReturnNodeAsOutput(returnNodeEnclosingCallable(this), pos)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
class DataFlowTargetApi extends TargetApiSpecific {
|
||||
DataFlowTargetApi() { not isUninterestingForDataFlowModels(this) }
|
||||
}
|
||||
@@ -65,7 +88,7 @@ string asInputArgument(DataFlow::Node source) { result = asInputArgumentSpecific
|
||||
* Gets the summary model of `api`, if it follows the `fluent` programming pattern (returns `this`).
|
||||
*/
|
||||
string captureQualifierFlow(TargetApiSpecific api) {
|
||||
exists(DataFlowImplCommon::ReturnNodeExt ret |
|
||||
exists(ReturnNodeExt ret |
|
||||
api = returnNodeEnclosingCallable(ret) and
|
||||
isOwnInstanceAccessNode(ret)
|
||||
) and
|
||||
@@ -130,7 +153,7 @@ module ThroughFlowConfig implements DataFlow::StateConfigSig {
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink, FlowState state) {
|
||||
sink instanceof DataFlowImplCommon::ReturnNodeExt and
|
||||
sink instanceof ReturnNodeExt and
|
||||
not isOwnInstanceAccessNode(sink) and
|
||||
not exists(captureQualifierFlow(sink.asExpr().getEnclosingCallable())) and
|
||||
(state instanceof TaintRead or state instanceof TaintStore)
|
||||
@@ -171,14 +194,11 @@ private module ThroughFlow = TaintTracking::GlobalWithState<ThroughFlowConfig>;
|
||||
* Gets the summary model(s) of `api`, if there is flow from parameters to return value or parameter.
|
||||
*/
|
||||
string captureThroughFlow(DataFlowTargetApi api) {
|
||||
exists(
|
||||
DataFlow::ParameterNode p, DataFlowImplCommon::ReturnNodeExt returnNodeExt, string input,
|
||||
string output
|
||||
|
|
||||
exists(DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt, string input, string output |
|
||||
ThroughFlow::flow(p, returnNodeExt) and
|
||||
returnNodeExt.(DataFlow::Node).getEnclosingCallable() = api and
|
||||
input = parameterNodeAsInput(p) and
|
||||
output = returnNodeAsOutput(returnNodeExt) and
|
||||
output = returnNodeExt.getOutput() and
|
||||
input != output and
|
||||
result = ModelPrinting::asTaintModel(api, input, output)
|
||||
)
|
||||
@@ -196,7 +216,7 @@ module FromSourceConfig implements DataFlow::ConfigSig {
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(DataFlowTargetApi c |
|
||||
sink instanceof DataFlowImplCommon::ReturnNodeExt and
|
||||
sink instanceof ReturnNodeExt and
|
||||
sink.getEnclosingCallable() = c
|
||||
)
|
||||
}
|
||||
@@ -214,12 +234,12 @@ private module FromSource = TaintTracking::Global<FromSourceConfig>;
|
||||
* Gets the source model(s) of `api`, if there is flow from an existing known source to the return of `api`.
|
||||
*/
|
||||
string captureSource(DataFlowTargetApi api) {
|
||||
exists(DataFlow::Node source, DataFlow::Node sink, string kind |
|
||||
exists(DataFlow::Node source, ReturnNodeExt sink, string kind |
|
||||
FromSource::flow(source, sink) and
|
||||
ExternalFlow::sourceNode(source, kind) and
|
||||
api = sink.getEnclosingCallable() and
|
||||
isRelevantSourceKind(kind) and
|
||||
result = ModelPrinting::asSourceModel(api, returnNodeAsOutput(sink), kind)
|
||||
result = ModelPrinting::asSourceModel(api, sink.getOutput(), kind)
|
||||
)
|
||||
}
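Review bot: `ReturnNodeExt.getOutput()` is added without a QLDoc comment, although the `returnNodeAsOutput` predicate it replaces was documented; I would add `/** Gets the MaD string representation of this return node. */` above it. The new private class also reuses the name of `DataFlowImplCommon::ReturnNodeExt`, which the old lines referenced, so a sentence in the class comment saying it is a local replacement would avoid confusion. In `captureThroughFlow`, the inline cast in `returnNodeExt.(DataFlow::Node).getEnclosingCallable() = api` is now redundant because the class extends `DataFlow::Node`; `returnNodeExt.getEnclosingCallable() = api` reads more plainly.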
|
||||
|
||||
|
||||
@@ -13,6 +13,7 @@ private import semmle.code.java.dataflow.TaintTracking as Tt
|
||||
import semmle.code.java.dataflow.ExternalFlow as ExternalFlow
|
||||
import semmle.code.java.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
|
||||
import semmle.code.java.dataflow.internal.DataFlowPrivate as DataFlowPrivate
|
||||
import semmle.code.java.dataflow.internal.DataFlowDispatch as DataFlowDispatch
|
||||
|
||||
module DataFlow = Df::DataFlow;
|
||||
|
||||
@@ -202,26 +203,23 @@ string parameterAccess(J::Parameter p) {
|
||||
|
||||
class InstanceParameterNode = DataFlow::InstanceParameterNode;
|
||||
|
||||
class ParameterPosition = DataFlowDispatch::ParameterPosition;
|
||||
|
||||
/**
|
||||
* Gets the MaD string represention of the the return node `node`.
|
||||
* Gets the MaD string representation of return through parameter at position
|
||||
* `pos` of callable `c`.
|
||||
*/
|
||||
string returnNodeAsOutput(DataFlowImplCommon::ReturnNodeExt node) {
|
||||
if node.getKind() instanceof DataFlowImplCommon::ValueReturnKind
|
||||
then result = "ReturnValue"
|
||||
else
|
||||
exists(int pos |
|
||||
pos = node.getKind().(DataFlowImplCommon::ParamUpdateReturnKind).getPosition()
|
||||
|
|
||||
result = parameterAccess(node.(DataFlow::Node).getEnclosingCallable().getParameter(pos))
|
||||
or
|
||||
result = qualifierString() and pos = -1
|
||||
)
|
||||
bindingset[c]
|
||||
string paramReturnNodeAsOutput(Callable c, ParameterPosition pos) {
|
||||
result = parameterAccess(c.getParameter(pos))
|
||||
or
|
||||
result = qualifierString() and pos = -1
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the enclosing callable of `ret`.
|
||||
*/
|
||||
Callable returnNodeEnclosingCallable(DataFlowImplCommon::ReturnNodeExt ret) {
|
||||
Callable returnNodeEnclosingCallable(DataFlow::Node ret) {
|
||||
result = DataFlowImplCommon::getNodeEnclosingCallable(ret).asCallable()
|
||||
}
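Review bot: `paramReturnNodeAsOutput` compares `pos` with the literal `-1` to select the qualifier, and neither the predicate nor its QLDoc says that `-1` is the position of the instance parameter; I would extend the comment with `* Position -1 denotes the qualifier (this).`. The comparison also relies on `ParameterPosition` being integer-valued, which the alias to `DataFlowDispatch::ParameterPosition` suggests but this page does not show. Separately, `returnNodeEnclosingCallable` now accepts any `DataFlow::Node`, so its name and the parameter name `ret` no longer describe what it takes; the QLDoc should say it works for any node, or the parameter should keep a narrower type.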
|
||||
|
||||
|
||||
@@ -1,54 +1,5 @@
|
||||
import java as J
|
||||
|
||||
private signature module InlineMadTestLangSig {
|
||||
/**
|
||||
* A base class of callables for modeling.
|
||||
*/
|
||||
class Callable;
|
||||
|
||||
/**
|
||||
* Gets a relevant code comment for `c`, if any.
|
||||
*/
|
||||
string getComment(Callable c);
|
||||
}
|
||||
|
||||
private module InlineMadTestImpl<InlineMadTestLangSig Lang> {
|
||||
private class Callable = Lang::Callable;
|
||||
|
||||
signature module InlineMadTestConfigSig {
|
||||
/**
|
||||
* Gets the kind of a captured model.
|
||||
*/
|
||||
string getKind();
|
||||
|
||||
/**
|
||||
* Gets a captured model for `c`, if any.
|
||||
*/
|
||||
string getCapturedModel(Callable c);
|
||||
}
|
||||
|
||||
module InlineMadTest<InlineMadTestConfigSig Input> {
|
||||
private string expects(Callable c) {
|
||||
Lang::getComment(c).regexpCapture(" *(SPURIOUS-)?" + Input::getKind() + "=(.*)", 2) = result
|
||||
}
|
||||
|
||||
query predicate unexpectedModel(string msg) {
|
||||
exists(Callable c, string flow |
|
||||
flow = Input::getCapturedModel(c) and
|
||||
not flow = expects(c) and
|
||||
msg = "Unexpected " + Input::getKind() + " found: " + flow
|
||||
)
|
||||
}
|
||||
|
||||
query predicate expectedModel(string msg) {
|
||||
exists(Callable c, string e |
|
||||
e = expects(c) and
|
||||
not e = Input::getCapturedModel(c) and
|
||||
msg = "Expected " + Input::getKind() + " missing: " + e
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
private import java as J
|
||||
private import codeql.mad.test.InlineMadTest
|
||||
|
||||
private module InlineMadTestLang implements InlineMadTestLangSig {
|
||||
class Callable = J::Callable;
|
||||
|
||||
@@ -1,11 +1,13 @@
|
||||
edges
|
||||
| DisabledRevocationChecking.java:17:5:17:8 | this <.field> [post update] : DisabledRevocationChecking [flag] : Boolean | DisabledRevocationChecking.java:21:5:21:31 | this <.method> [post update] : DisabledRevocationChecking [flag] : Boolean | provenance | |
|
||||
| DisabledRevocationChecking.java:16:15:16:39 | parameter this [Return] : DisabledRevocationChecking [flag] : Boolean | DisabledRevocationChecking.java:21:5:21:31 | this <.method> [post update] : DisabledRevocationChecking [flag] : Boolean | provenance | |
|
||||
| DisabledRevocationChecking.java:17:5:17:8 | this <.field> [post update] : DisabledRevocationChecking [flag] : Boolean | DisabledRevocationChecking.java:16:15:16:39 | parameter this [Return] : DisabledRevocationChecking [flag] : Boolean | provenance | |
|
||||
| DisabledRevocationChecking.java:17:12:17:16 | false : Boolean | DisabledRevocationChecking.java:17:5:17:8 | this <.field> [post update] : DisabledRevocationChecking [flag] : Boolean | provenance | |
|
||||
| DisabledRevocationChecking.java:21:5:21:31 | this <.method> [post update] : DisabledRevocationChecking [flag] : Boolean | DisabledRevocationChecking.java:22:5:22:31 | this <.method> : DisabledRevocationChecking [flag] : Boolean | provenance | |
|
||||
| DisabledRevocationChecking.java:22:5:22:31 | this <.method> : DisabledRevocationChecking [flag] : Boolean | DisabledRevocationChecking.java:25:15:25:22 | parameter this : DisabledRevocationChecking [flag] : Boolean | provenance | |
|
||||
| DisabledRevocationChecking.java:25:15:25:22 | parameter this : DisabledRevocationChecking [flag] : Boolean | DisabledRevocationChecking.java:28:33:28:36 | this <.field> : DisabledRevocationChecking [flag] : Boolean | provenance | |
|
||||
| DisabledRevocationChecking.java:28:33:28:36 | this <.field> : DisabledRevocationChecking [flag] : Boolean | DisabledRevocationChecking.java:28:33:28:36 | flag | provenance | |
|
||||
nodes
|
||||
| DisabledRevocationChecking.java:16:15:16:39 | parameter this [Return] : DisabledRevocationChecking [flag] : Boolean | semmle.label | parameter this [Return] : DisabledRevocationChecking [flag] : Boolean |
|
||||
| DisabledRevocationChecking.java:17:5:17:8 | this <.field> [post update] : DisabledRevocationChecking [flag] : Boolean | semmle.label | this <.field> [post update] : DisabledRevocationChecking [flag] : Boolean |
|
||||
| DisabledRevocationChecking.java:17:12:17:16 | false : Boolean | semmle.label | false : Boolean |
|
||||
| DisabledRevocationChecking.java:21:5:21:31 | this <.method> [post update] : DisabledRevocationChecking [flag] : Boolean | semmle.label | this <.method> [post update] : DisabledRevocationChecking [flag] : Boolean |
|
||||
|
||||
@@ -4,6 +4,7 @@ edges
|
||||
| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | ThreadResourceAbuse.java:40:4:40:37 | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number | provenance | |
|
||||
| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | provenance | |
|
||||
| ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number | provenance | |
|
||||
| ThreadResourceAbuse.java:67:4:67:7 | this [post update] : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:66:10:66:28 | parameter this [Return] : UncheckedSyncAction [waitTime] : Number | provenance | |
|
||||
| ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] : UncheckedSyncAction [waitTime] : Number | provenance | |
|
||||
| ThreadResourceAbuse.java:71:15:71:17 | parameter this : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | this <.field> : UncheckedSyncAction [waitTime] : Number | provenance | |
|
||||
| ThreadResourceAbuse.java:74:18:74:25 | this <.field> : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime | provenance | Sink:MaD:1982 |
|
||||
@@ -11,6 +12,7 @@ nodes
|
||||
| ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | semmle.label | getInitParameter(...) : String |
|
||||
| ThreadResourceAbuse.java:40:4:40:37 | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number | semmle.label | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number |
|
||||
| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | semmle.label | delayTime : Number |
|
||||
| ThreadResourceAbuse.java:66:10:66:28 | parameter this [Return] : UncheckedSyncAction [waitTime] : Number | semmle.label | parameter this [Return] : UncheckedSyncAction [waitTime] : Number |
|
||||
| ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | semmle.label | waitTime : Number |
|
||||
| ThreadResourceAbuse.java:67:4:67:7 | this [post update] : UncheckedSyncAction [waitTime] : Number | semmle.label | this [post update] : UncheckedSyncAction [waitTime] : Number |
|
||||
| ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number | semmle.label | waitTime : Number |
|
||||
@@ -18,6 +20,6 @@ nodes
|
||||
| ThreadResourceAbuse.java:74:18:74:25 | this <.field> : UncheckedSyncAction [waitTime] : Number | semmle.label | this <.field> : UncheckedSyncAction [waitTime] : Number |
|
||||
| ThreadResourceAbuse.java:74:18:74:25 | waitTime | semmle.label | waitTime |
|
||||
subpaths
|
||||
| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:40:4:40:37 | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number |
|
||||
| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:66:10:66:28 | parameter this [Return] : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:40:4:40:37 | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number |
|
||||
#select
|
||||
| ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Possible uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) | local user-provided value |
|
||||
|
||||
@@ -8,6 +8,7 @@ edges
|
||||
| ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | ThreadResourceAbuse.java:30:4:30:37 | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number | provenance | |
|
||||
| ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | provenance | |
|
||||
| ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number | provenance | |
|
||||
| ThreadResourceAbuse.java:67:4:67:7 | this [post update] : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:66:10:66:28 | parameter this [Return] : UncheckedSyncAction [waitTime] : Number | provenance | |
|
||||
| ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] : UncheckedSyncAction [waitTime] : Number | provenance | |
|
||||
| ThreadResourceAbuse.java:71:15:71:17 | parameter this : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | this <.field> : UncheckedSyncAction [waitTime] : Number | provenance | |
|
||||
| ThreadResourceAbuse.java:74:18:74:25 | this <.field> : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime | provenance | Sink:MaD:1982 |
|
||||
@@ -23,6 +24,7 @@ edges
|
||||
| ThreadResourceAbuse.java:230:3:230:12 | retryAfter : Number | ThreadResourceAbuse.java:230:3:230:20 | ...*=... : Number | provenance | |
|
||||
| ThreadResourceAbuse.java:230:3:230:20 | ...*=... : Number | ThreadResourceAbuse.java:233:17:233:26 | retryAfter | provenance | Sink:MaD:1982 |
|
||||
| UploadListener.java:15:24:15:44 | sleepMilliseconds : Number | UploadListener.java:16:17:16:33 | sleepMilliseconds : Number | provenance | |
|
||||
| UploadListener.java:16:3:16:13 | this <.field> [post update] : UploadListener [slowUploads] : Number | UploadListener.java:15:9:15:22 | parameter this [Return] : UploadListener [slowUploads] : Number | provenance | |
|
||||
| UploadListener.java:16:17:16:33 | sleepMilliseconds : Number | UploadListener.java:16:3:16:13 | this <.field> [post update] : UploadListener [slowUploads] : Number | provenance | |
|
||||
| UploadListener.java:28:14:28:19 | parameter this : UploadListener [slowUploads] : Number | UploadListener.java:29:3:29:11 | this <.field> : UploadListener [slowUploads] : Number | provenance | |
|
||||
| UploadListener.java:29:3:29:11 | this <.field> : UploadListener [slowUploads] : Number | UploadListener.java:30:3:30:15 | this <.field> : UploadListener [slowUploads] : Number | provenance | |
|
||||
@@ -38,6 +40,7 @@ nodes
|
||||
| ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| ThreadResourceAbuse.java:30:4:30:37 | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number | semmle.label | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number |
|
||||
| ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | semmle.label | delayTime : Number |
|
||||
| ThreadResourceAbuse.java:66:10:66:28 | parameter this [Return] : UncheckedSyncAction [waitTime] : Number | semmle.label | parameter this [Return] : UncheckedSyncAction [waitTime] : Number |
|
||||
| ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | semmle.label | waitTime : Number |
|
||||
| ThreadResourceAbuse.java:67:4:67:7 | this [post update] : UncheckedSyncAction [waitTime] : Number | semmle.label | this [post update] : UncheckedSyncAction [waitTime] : Number |
|
||||
| ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number | semmle.label | waitTime : Number |
|
||||
@@ -58,6 +61,7 @@ nodes
|
||||
| ThreadResourceAbuse.java:230:3:230:12 | retryAfter : Number | semmle.label | retryAfter : Number |
|
||||
| ThreadResourceAbuse.java:230:3:230:20 | ...*=... : Number | semmle.label | ...*=... : Number |
|
||||
| ThreadResourceAbuse.java:233:17:233:26 | retryAfter | semmle.label | retryAfter |
|
||||
| UploadListener.java:15:9:15:22 | parameter this [Return] : UploadListener [slowUploads] : Number | semmle.label | parameter this [Return] : UploadListener [slowUploads] : Number |
|
||||
| UploadListener.java:15:24:15:44 | sleepMilliseconds : Number | semmle.label | sleepMilliseconds : Number |
|
||||
| UploadListener.java:16:3:16:13 | this <.field> [post update] : UploadListener [slowUploads] : Number | semmle.label | this <.field> [post update] : UploadListener [slowUploads] : Number |
|
||||
| UploadListener.java:16:17:16:33 | sleepMilliseconds : Number | semmle.label | sleepMilliseconds : Number |
|
||||
@@ -69,9 +73,9 @@ nodes
|
||||
| UploadListener.java:35:18:35:28 | slowUploads | semmle.label | slowUploads |
|
||||
| UploadListener.java:35:18:35:28 | this <.field> : UploadListener [slowUploads] : Number | semmle.label | this <.field> : UploadListener [slowUploads] : Number |
|
||||
subpaths
|
||||
| ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:21:4:21:37 | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number |
|
||||
| ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:30:4:30:37 | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number |
|
||||
| ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number | UploadListener.java:15:24:15:44 | sleepMilliseconds : Number | UploadListener.java:16:3:16:13 | this <.field> [post update] : UploadListener [slowUploads] : Number | ThreadResourceAbuse.java:209:30:209:87 | new UploadListener(...) : UploadListener [slowUploads] : Number |
|
||||
| ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:66:10:66:28 | parameter this [Return] : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:21:4:21:37 | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number |
|
||||
| ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:66:10:66:28 | parameter this [Return] : UncheckedSyncAction [waitTime] : Number | ThreadResourceAbuse.java:30:4:30:37 | new UncheckedSyncAction(...) : UncheckedSyncAction [waitTime] : Number |
|
||||
| ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number | UploadListener.java:15:24:15:44 | sleepMilliseconds : Number | UploadListener.java:15:9:15:22 | parameter this [Return] : UploadListener [slowUploads] : Number | ThreadResourceAbuse.java:209:30:209:87 | new UploadListener(...) : UploadListener [slowUploads] : Number |
|
||||
#select
|
||||
| ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) | user-provided value |
|
||||
| ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) | user-provided value |
|
||||
|
||||
@@ -45,6 +45,7 @@
|
||||
| A.java:23:11:23:13 | "C" : String | A.java:35:26:35:27 | this : new A(...) { ... } [String s] |
|
||||
| A.java:23:11:23:13 | "C" : String | A.java:39:12:39:12 | String s : String |
|
||||
| A.java:23:11:23:13 | "C" : String | A.java:39:12:39:12 | a : new A(...) { ... } [String s] |
|
||||
| A.java:25:22:25:24 | "D" : String | A.java:4:5:4:7 | parameter this [Return] : Box [elem] |
|
||||
| A.java:25:22:25:24 | "D" : String | A.java:4:9:4:16 | e : String |
|
||||
| A.java:25:22:25:24 | "D" : String | A.java:4:21:4:24 | this <.field> [post update] : Box [elem] |
|
||||
| A.java:25:22:25:24 | "D" : String | A.java:4:21:4:28 | ...=... : String |
|
||||
@@ -68,6 +69,7 @@
|
||||
| A.java:25:22:25:24 | "D" : String | A.java:35:26:35:27 | this : new A(...) { ... } [Box b1, ... (2)] |
|
||||
| A.java:25:22:25:24 | "D" : String | A.java:39:12:39:12 | Box b1 : Box [elem] |
|
||||
| A.java:25:22:25:24 | "D" : String | A.java:39:12:39:12 | a : new A(...) { ... } [Box b1, ... (2)] |
|
||||
| A.java:27:16:27:18 | "E" : String | A.java:5:10:5:16 | parameter this [Return] : Box [elem] |
|
||||
| A.java:27:16:27:18 | "E" : String | A.java:5:18:5:25 | e : String |
|
||||
| A.java:27:16:27:18 | "E" : String | A.java:5:30:5:33 | this <.field> [post update] : Box [elem] |
|
||||
| A.java:27:16:27:18 | "E" : String | A.java:5:30:5:37 | ...=... : String |
|
||||
|
||||
@@ -1,18 +1,22 @@
|
||||
edges
|
||||
| A.java:4:16:4:18 | this <constr(this)> [post update] [elem] | A.java:22:17:22:25 | new Box(...) [elem] |
|
||||
| A.java:4:16:4:18 | parameter this [Return] [elem] | A.java:22:17:22:25 | new Box(...) [elem] |
|
||||
| A.java:4:16:4:18 | this <constr(this)> [post update] [elem] | A.java:4:16:4:18 | parameter this [Return] [elem] |
|
||||
| A.java:5:19:5:22 | elem | A.java:24:10:24:19 | other.elem |
|
||||
| A.java:22:17:22:25 | new Box(...) [elem] | A.java:23:13:23:17 | other [elem] |
|
||||
| A.java:23:13:23:17 | other [elem] | A.java:24:10:24:14 | other [elem] |
|
||||
| A.java:23:13:23:17 | other [post update] [elem] | A.java:24:10:24:14 | other [elem] |
|
||||
| A.java:24:10:24:14 | other [elem] | A.java:24:10:24:19 | other.elem |
|
||||
| A.java:28:5:28:5 | b [post update] [elem] | A.java:23:13:23:17 | other [post update] [elem] |
|
||||
| A.java:27:16:27:20 | b [Return] [elem] | A.java:23:13:23:17 | other [post update] [elem] |
|
||||
| A.java:28:5:28:5 | b [post update] [elem] | A.java:27:16:27:20 | b [Return] [elem] |
|
||||
| A.java:28:14:28:25 | new Object(...) | A.java:28:5:28:5 | b [post update] [elem] |
|
||||
#select
|
||||
| 0 | A.java:22:17:22:25 | new Box(...) [elem] |
|
||||
| 0 | A.java:23:13:23:17 | other [elem] |
|
||||
| 0 | A.java:23:13:23:17 | other [post update] [elem] |
|
||||
| 0 | A.java:24:10:24:14 | other [elem] |
|
||||
| 1 | A.java:4:16:4:18 | parameter this [Return] [elem] |
|
||||
| 1 | A.java:4:16:4:18 | this <constr(this)> [post update] [elem] |
|
||||
| 1 | A.java:5:19:5:22 | elem |
|
||||
| 1 | A.java:27:16:27:20 | b [Return] [elem] |
|
||||
| 1 | A.java:28:5:28:5 | b [post update] [elem] |
|
||||
| 1 | A.java:28:14:28:25 | new Object(...) |
|
||||
|
||||
@@ -37,6 +37,7 @@ edges
|
||||
| ArithmeticTainted.java:133:27:133:34 | data : Number | ArithmeticTainted.java:135:3:135:6 | data | provenance | |
|
||||
| ArithmeticTainted.java:137:27:137:34 | data : Number | ArithmeticTainted.java:139:5:139:8 | data | provenance | |
|
||||
| Holder.java:12:22:12:26 | d : Number | Holder.java:13:9:13:9 | d : Number | provenance | |
|
||||
| Holder.java:13:3:13:5 | this <.field> [post update] : Holder [dat] : Number | Holder.java:12:14:12:20 | parameter this [Return] : Holder [dat] : Number | provenance | |
|
||||
| Holder.java:13:9:13:9 | d : Number | Holder.java:13:3:13:5 | this <.field> [post update] : Holder [dat] : Number | provenance | |
|
||||
| Holder.java:16:13:16:19 | parameter this : Holder [dat] : Number | Holder.java:17:10:17:12 | this <.field> : Holder [dat] : Number | provenance | |
|
||||
| Holder.java:17:10:17:12 | this <.field> : Holder [dat] : Number | Holder.java:17:10:17:12 | dat : Number | provenance | |
|
||||
@@ -78,6 +79,7 @@ nodes
|
||||
| ArithmeticTainted.java:135:3:135:6 | data | semmle.label | data |
|
||||
| ArithmeticTainted.java:137:27:137:34 | data : Number | semmle.label | data : Number |
|
||||
| ArithmeticTainted.java:139:5:139:8 | data | semmle.label | data |
|
||||
| Holder.java:12:14:12:20 | parameter this [Return] : Holder [dat] : Number | semmle.label | parameter this [Return] : Holder [dat] : Number |
|
||||
| Holder.java:12:22:12:26 | d : Number | semmle.label | d : Number |
|
||||
| Holder.java:13:3:13:5 | this <.field> [post update] : Holder [dat] : Number | semmle.label | this <.field> [post update] : Holder [dat] : Number |
|
||||
| Holder.java:13:9:13:9 | d : Number | semmle.label | d : Number |
|
||||
@@ -85,7 +87,7 @@ nodes
|
||||
| Holder.java:17:10:17:12 | dat : Number | semmle.label | dat : Number |
|
||||
| Holder.java:17:10:17:12 | this <.field> : Holder [dat] : Number | semmle.label | this <.field> : Holder [dat] : Number |
|
||||
subpaths
|
||||
| ArithmeticTainted.java:64:20:64:23 | data : Number | Holder.java:12:22:12:26 | d : Number | Holder.java:13:3:13:5 | this <.field> [post update] : Holder [dat] : Number | ArithmeticTainted.java:64:4:64:10 | tainted [post update] : Holder [dat] : Number |
|
||||
| ArithmeticTainted.java:64:20:64:23 | data : Number | Holder.java:12:22:12:26 | d : Number | Holder.java:12:14:12:20 | parameter this [Return] : Holder [dat] : Number | ArithmeticTainted.java:64:4:64:10 | tainted [post update] : Holder [dat] : Number |
|
||||
| ArithmeticTainted.java:66:18:66:24 | tainted : Holder [dat] : Number | Holder.java:16:13:16:19 | parameter this : Holder [dat] : Number | Holder.java:17:10:17:12 | dat : Number | ArithmeticTainted.java:66:18:66:34 | getData(...) : Number |
|
||||
#select
|
||||
| ArithmeticTainted.java:32:17:32:25 | ... + ... | ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:32:17:32:20 | data | This arithmetic expression depends on a $@, potentially causing an overflow. | ArithmeticTainted.java:17:46:17:54 | System.in | user-provided value |
|
||||
|
||||