hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Use range analysis and improve tests

Browse Source
This commit is contained in:
Owen Mansel-Chan
2025-11-21 10:31:50 +00:00
committed by GitHub
parent ce136684e6
commit ec381e4ec5
3 changed files with 42 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
View File

@@ -87,10 +87,11 @@ private class PrefixSuffixBarrier extends SensitiveLoggerBarrier {
bindingset[limit, isKotlin]
private predicate singleArgLimit(MethodCall mc, int limit, boolean isKotlin) {
mc.getNumArgument() = 1 and
exists(int firstArgIndex |
(if isKotlin = true then firstArgIndex = 1 else firstArgIndex = 0) and
mc.getArgument(firstArgIndex).getUnderlyingExpr().(CompileTimeConstantExpr).getIntValue() <=
limit
exists(int firstArgIndex, int delta |
if isKotlin = true then firstArgIndex = 1 else firstArgIndex = 0
|
bounded(mc.getArgument(firstArgIndex).getUnderlyingExpr(), any(ZeroBound z), delta, true, _) and
delta <= limit
)
}
@@ -98,15 +99,16 @@ private predicate singleArgLimit(MethodCall mc, int limit, boolean isKotlin) {
bindingset[limit, isKotlin]
private predicate twoArgLimit(MethodCall mc, int limit, boolean isKotlin) {
mc.getNumArgument() = 2 and
exists(int firstArgIndex, int secondArgIndex |
(
isKotlin = true and firstArgIndex = 1 and secondArgIndex = 2
or
isKotlin = false and firstArgIndex = 0 and secondArgIndex = 1
) and
mc.getArgument(firstArgIndex).getUnderlyingExpr().(CompileTimeConstantExpr).getIntValue() = 0 and
mc.getArgument(secondArgIndex).getUnderlyingExpr().(CompileTimeConstantExpr).getIntValue() <=
limit
exists(int firstArgIndex, int secondArgIndex, int delta |
isKotlin = true and firstArgIndex = 1 and secondArgIndex = 2
or
isKotlin = false and firstArgIndex = 0 and secondArgIndex = 1
|
// mc.getArgument(firstArgIndex).getUnderlyingExpr().(CompileTimeConstantExpr).getIntValue() = 0 and
bounded(mc.getArgument(firstArgIndex).getUnderlyingExpr(), any(ZeroBound z), 0, true, _) and
bounded(mc.getArgument(firstArgIndex).getUnderlyingExpr(), any(ZeroBound z), 0, false, _) and
bounded(mc.getArgument(secondArgIndex).getUnderlyingExpr(), any(ZeroBound z), delta, true, _) and
delta <= limit
)
}

40
java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.expected
View File

@@ -1,28 +1,28 @@
#select
| Test.java:7:21:7:53 | ... + ... | Test.java:7:46:7:53 | password : String | Test.java:7:21:7:53 | ... + ... | This $@ is written to a log file. | Test.java:7:46:7:53 | password | potentially sensitive information |
| Test.java:8:22:8:52 | ... + ... | Test.java:8:44:8:52 | authToken : String | Test.java:8:22:8:52 | ... + ... | This $@ is written to a log file. | Test.java:8:44:8:52 | authToken | potentially sensitive information |
| Test.java:14:22:14:75 | ... + ... | Test.java:14:44:14:52 | authToken : String | Test.java:14:22:14:75 | ... + ... | This $@ is written to a log file. | Test.java:14:44:14:52 | authToken | potentially sensitive information |
| Test.java:15:22:15:75 | ... + ... | Test.java:15:44:15:52 | authToken : String | Test.java:15:22:15:75 | ... + ... | This $@ is written to a log file. | Test.java:15:44:15:52 | authToken | potentially sensitive information |
| Test.java:11:21:11:53 | ... + ... | Test.java:11:46:11:53 | password : String | Test.java:11:21:11:53 | ... + ... | This $@ is written to a log file. | Test.java:11:46:11:53 | password | potentially sensitive information |
| Test.java:12:22:12:52 | ... + ... | Test.java:12:44:12:52 | authToken : String | Test.java:12:22:12:52 | ... + ... | This $@ is written to a log file. | Test.java:12:44:12:52 | authToken | potentially sensitive information |
| Test.java:21:22:21:75 | ... + ... | Test.java:21:44:21:52 | authToken : String | Test.java:21:22:21:75 | ... + ... | This $@ is written to a log file. | Test.java:21:44:21:52 | authToken | potentially sensitive information |
| Test.java:22:22:22:75 | ... + ... | Test.java:22:44:22:52 | authToken : String | Test.java:22:22:22:75 | ... + ... | This $@ is written to a log file. | Test.java:22:44:22:52 | authToken | potentially sensitive information |
edges
| Test.java:7:46:7:53 | password : String | Test.java:7:21:7:53 | ... + ... | provenance | Sink:MaD:2 |
| Test.java:8:44:8:52 | authToken : String | Test.java:8:22:8:52 | ... + ... | provenance | Sink:MaD:1 |
| Test.java:14:44:14:52 | authToken : String | Test.java:14:44:14:67 | substring(...) : String | provenance | MaD:3 |
| Test.java:14:44:14:67 | substring(...) : String | Test.java:14:22:14:75 | ... + ... | provenance | Sink:MaD:1 |
| Test.java:15:44:15:52 | authToken : String | Test.java:15:44:15:67 | substring(...) : String | provenance | MaD:3 |
| Test.java:15:44:15:67 | substring(...) : String | Test.java:15:22:15:75 | ... + ... | provenance | Sink:MaD:1 |
| Test.java:11:46:11:53 | password : String | Test.java:11:21:11:53 | ... + ... | provenance | Sink:MaD:2 |
| Test.java:12:44:12:52 | authToken : String | Test.java:12:22:12:52 | ... + ... | provenance | Sink:MaD:1 |
| Test.java:21:44:21:52 | authToken : String | Test.java:21:44:21:67 | substring(...) : String | provenance | MaD:3 |
| Test.java:21:44:21:67 | substring(...) : String | Test.java:21:22:21:75 | ... + ... | provenance | Sink:MaD:1 |
| Test.java:22:44:22:52 | authToken : String | Test.java:22:44:22:67 | substring(...) : String | provenance | MaD:3 |
| Test.java:22:44:22:67 | substring(...) : String | Test.java:22:22:22:75 | ... + ... | provenance | Sink:MaD:1 |
models
| 1 | Sink: org.apache.logging.log4j; Logger; true; error; (String); ; Argument[0]; log-injection; manual |
| 2 | Sink: org.apache.logging.log4j; Logger; true; info; (String); ; Argument[0]; log-injection; manual |
| 3 | Summary: java.lang; String; false; substring; ; ; Argument[this]; ReturnValue; taint; manual |
nodes
| Test.java:7:21:7:53 | ... + ... | semmle.label | ... + ... |
| Test.java:7:46:7:53 | password : String | semmle.label | password : String |
| Test.java:8:22:8:52 | ... + ... | semmle.label | ... + ... |
| Test.java:8:44:8:52 | authToken : String | semmle.label | authToken : String |
| Test.java:14:22:14:75 | ... + ... | semmle.label | ... + ... |
| Test.java:14:44:14:52 | authToken : String | semmle.label | authToken : String |
| Test.java:14:44:14:67 | substring(...) : String | semmle.label | substring(...) : String |
| Test.java:15:22:15:75 | ... + ... | semmle.label | ... + ... |
| Test.java:15:44:15:52 | authToken : String | semmle.label | authToken : String |
| Test.java:15:44:15:67 | substring(...) : String | semmle.label | substring(...) : String |
| Test.java:11:21:11:53 | ... + ... | semmle.label | ... + ... |
| Test.java:11:46:11:53 | password : String | semmle.label | password : String |
| Test.java:12:22:12:52 | ... + ... | semmle.label | ... + ... |
| Test.java:12:44:12:52 | authToken : String | semmle.label | authToken : String |
| Test.java:21:22:21:75 | ... + ... | semmle.label | ... + ... |
| Test.java:21:44:21:52 | authToken : String | semmle.label | authToken : String |
| Test.java:21:44:21:67 | substring(...) : String | semmle.label | substring(...) : String |
| Test.java:22:22:22:75 | ... + ... | semmle.label | ... + ... |
| Test.java:22:44:22:52 | authToken : String | semmle.label | authToken : String |
| Test.java:22:44:22:67 | substring(...) : String | semmle.label | substring(...) : String |
subpaths

7
java/ql/test/query-tests/security/CWE-532/Test.java
View File

@@ -3,6 +3,10 @@ import org.apache.logging.log4j.Logger;
class Test {
void test(String password, String authToken, String username, String nullToken, String stringTokenizer) {
Logger logger = null;
int zero = 0;
int four = 4;
short zeroS = 0;
long fourL = 4;
logger.info("User's password is: " + password); // $ Alert
logger.error("Auth failed for: " + authToken); // $ Alert
@@ -10,7 +14,10 @@ class Test {
logger.error("Auth failed for: " + nullToken); // Safe
logger.error("Auth failed for: " + stringTokenizer); // Safe
logger.error("Auth failed for: " + authToken.substring(4) + "..."); // Safe
logger.error("Auth failed for: " + authToken.substring(four) + "..."); // Safe
logger.error("Auth failed for: " + authToken.substring(0,4) + "..."); // Safe
logger.error("Auth failed for: " + authToken.substring(zero,four) + "..."); // Safe
logger.error("Auth failed for: " + authToken.substring((int)zeroS,(int)fourL) + "..."); // Safe
logger.error("Auth failed for: " + authToken.substring(1,5) + "..."); // $ Alert
logger.error("Auth failed for: " + authToken.substring(0,8) + "..."); // $ Alert
}