Commit Graph

4490 Commits

Author SHA1 Message Date
Mathias Vorreiter Pedersen
b7b731bab7 Merge branch 'main' into mad-write-through-model 2026-06-30 15:12:02 +01:00
Geoffrey White
c0871defe9 Merge pull request #22077 from geoffw0/javainline
Java: Address testFailures in inline expectations tests
2026-06-30 10:49:24 +01:00
Geoffrey White
897d16929b Java: Add missing $ Source annotations. 2026-06-26 16:22:05 +01:00
Geoffrey White
6f997ae15c Java: Label spurious results. 2026-06-26 16:22:03 +01:00
Geoffrey White
300e48e48e Java: Move $ Source annotations that were incorrectly placed. 2026-06-26 16:21:49 +01:00
Geoffrey White
f840f6104a Java: Make some $ Source annotations query specific. 2026-06-26 16:21:46 +01:00
Mathias Vorreiter Pedersen
7861e9e596 Java: Fix a library test. 2026-06-26 14:18:23 +01:00
Anders Schack-Mulligen
11725e8921 Java: Accept test changes. 2026-06-23 14:28:44 +02:00
Owen Mansel-Chan
4bc083fd7f Remove confusing comments 2026-06-12 21:51:52 +01:00
Owen Mansel-Chan
89c1d66f90 Add SPURIOUS and MISSING alerts based on existing comments 2026-06-12 21:51:50 +01:00
Owen Mansel-Chan
3693185b6b Second pass 2026-06-10 09:14:47 +02:00
Owen Mansel-Chan
1c1d26453d First pass converting qlref tests to inline expectation with postprocess 2026-06-10 07:46:42 +02:00
Owen Mansel-Chan
52f2a5825a Merge pull request #21804 from github/copilot/add-tests-for-models
Java: Update CWE-918 model coverage for Apache HttpClient `execute` sinks
2026-06-03 12:55:56 +01:00
Owen Mansel-Chan
d95d99848c Build RequestBuilder more realistically 2026-05-28 11:05:40 +01:00
Owen Mansel-Chan
37589dd8a0 Improve how org.apache.http.client.HttpClient is created in test 2026-05-28 10:30:43 +01:00
Owen Mansel-Chan
a159dc1c66 Change variable name in test 2026-05-28 10:28:14 +01:00
Owen Mansel-Chan
36554d160c Merge pull request #21741 from MarkLee131/fix/path-injection-read-subkind
Fix/path injection read subkind
2026-05-08 12:38:16 +01:00
Anders Schack-Mulligen
6b6df374fa C#/Java: Accept test changes. 2026-05-07 15:07:31 +02:00
Owen Mansel-Chan
dd35bc0722 Update test output 2026-05-07 10:17:47 +01:00
copilot-swe-agent[bot]
043ec857ab Replace fluent SSRF changes with Apache HttpClient execute model tests
Agent-Logs-Url: https://github.com/github/codeql/sessions/3db201db-a1b5-4353-a94a-14a8d156dd3b

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
2026-05-06 20:31:34 +00:00
copilot-swe-agent[bot]
f5b17b0b48 Add SSRF tests and stubs for Apache Http fluent Request models
Agent-Logs-Url: https://github.com/github/codeql/sessions/bd4fa112-dbc3-47e8-9cef-9b1b13c7e549

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
2026-05-06 16:08:02 +00:00
MarkLee131
bafa892116 Merge branch 'main' into fix/path-injection-read-subkind 2026-05-01 16:06:35 +08:00
MarkLee131
119994b59f Java: move File inspection methods to path-injection[read]
Per review feedback on #21741: File.canRead/canWrite/canExecute,
exists/isDirectory/isFile/isHidden only inspect a path, so move them
under the path-injection[read] sub-kind. Update TaintedPath.expected
and the experimental CWE-073 expected to match.
2026-05-01 16:04:29 +08:00
Owen Mansel-Chan
87c35e6401 Merge pull request #21654 from MarkLee131/fix/sensitive-log-hash-sanitizer
Java: treat hash/encrypt/digest methods as sensitive-log sanitizers
2026-04-30 13:21:03 +01:00
MarkLee131
90741b15e2 Merge branch 'main' into fix/path-injection-read-subkind 2026-04-30 18:37:12 +08:00
MarkLee131
28a6ff208c Merge remote-tracking branch 'origin/main' into fix/sensitive-log-hash-sanitizer
# Conflicts:
#	java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.expected
#	java/ql/test/query-tests/security/CWE-532/Test.java
2026-04-29 20:59:59 +08:00
MarkLee131
75162bb9eb Update java/ql/test/query-tests/security/CWE-532/Test.java
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
2026-04-29 20:53:58 +08:00
MarkLee131
49d014cbac Merge branch 'main' into fix/trust-boundary-regexp-barrier 2026-04-29 20:48:22 +08:00
Owen Mansel-Chan
9fbe447428 Merge pull request #21749 from github/copilot/add-hibernate-sql-injection-tests
Add Hibernate SQL injection sink models and coverage
2026-04-24 09:36:46 +01:00
copilot-swe-agent[bot]
25d232b815 Model additional Hibernate query sinks
Agent-Logs-Url: https://github.com/github/codeql/sessions/fc2c7f71-3493-4bf7-9136-34571a1d4b47

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
2026-04-23 13:41:03 +00:00
copilot-swe-agent[bot]
081ad03b4b Add Hibernate SQL injection sink tests
Agent-Logs-Url: https://github.com/github/codeql/sessions/2e7aecca-63ea-489f-8b87-4cc557655919

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
2026-04-23 10:04:52 +00:00
Owen Mansel-Chan
9f19791d8c Merge branch 'main' into fix/path-injection-torealpath 2026-04-23 10:40:47 +01:00
Kaixuan Li
af794ed3c0 Merge branch 'main' into fix/trust-boundary-regexp-barrier 2026-04-21 23:01:06 +10:00
Kaixuan Li
07e97e20d8 Merge branch 'github:main' into fix/path-injection-read-subkind 2026-04-21 22:59:53 +10:00
Owen Mansel-Chan
c91b5b3c2e Merge pull request #21650 from MarkLee131/fix/sensitive-log-fp-regex
Java: reduce false positives in sensitive-log
2026-04-21 13:48:32 +01:00
MarkLee131
6d10b1582f Java: update regression-test expectations for path-injection[read]
The sink-model generator and the experimental java/file-path-injection
query now observe the new path-injection[read] sub-kind for the
FileInputStream and Files.copy source-argument models.

- CWE-073 FilePathInjection.expected: refresh the models table for the
  renamed kind on FileInputStream(File); alerts unchanged.
- modelgenerator Sinks.java: update the inline sink annotation for
  copyFileToDirectory(Path,Path,CopyOption[]) Argument[0] to the new
  path-injection[read] sub-kind, mirroring the library change.
2026-04-21 19:45:13 +08:00
MarkLee131
c336a1595d Java: split read-only path sinks into path-injection[read]
Introduce a new Models-as-Data sink sub-kind path-injection[read] for
models that only read from or inspect a path. The general
java/path-injection query and its PathInjectionSanitizer barrier
continue to consider both path-injection and path-injection[read]
sinks, so no alerts are lost. The java/zipslip query deliberately
selects only path-injection sinks, since read-only accesses such as
ClassLoader.getResource or FileInputStream are outside the archive
extraction threat model.

Addresses https://github.com/github/codeql/issues/21606 along the lines
proposed on the issue thread: prefer path-injection[read] over a
[create] sub-kind so that miscategorizing a sink causes a false
positive (easy to spot) rather than a false negative.

- shared/mad/codeql/mad/ModelValidation.qll: allow path-injection[...]
  as a valid sink kind.
- java/ql/lib/ext/*.model.yml: relabel the models that PR #12916
  migrated from the historical read-file kind (plus the newer
  ClassLoader resource-lookup variants that share the same read-only
  semantics).
- java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll and
  PathSanitizer.qll: select both path-injection and
  path-injection[read] sinks/barriers.
- java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll: keep only
  path-injection, with a comment explaining why path-injection[read]
  is excluded.
- java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipTest.java:
  add m7 regression covering the Dubbo-style classpath lookup from
  issue #21606 and assert no alert is produced.
- Update TaintedPath.expected for the renamed kinds in the models list.
- Add change-notes under java/ql/lib/change-notes and
  java/ql/src/change-notes.
2026-04-21 09:17:36 +10:00
Owen Mansel-Chan
9f310c20f3 Merge pull request #21734 from owen-mc/java/fix-partial-path-traversal
Java: fix bug in partial path traversal
2026-04-20 11:52:55 +01:00
Owen Mansel-Chan
6d4a3974ce Fix bug so += File.separator is recognized 2026-04-19 07:18:42 +01:00
Owen Mansel-Chan
6099c5d034 Add SPURIOUS test for += File.separator 2026-04-19 07:18:00 +01:00
Owen Mansel-Chan
63d20a54d4 Use inline expectations with second test
Co-authored-by: Copilot <copilot@github.com>
2026-04-19 07:17:05 +01:00
Owen Mansel-Chan
dca7046d8c Make inline expectation comments specify query 2026-04-18 10:35:15 +01:00
Salah Baddou
f5131f9bc6 Java: Add XXE sink model for Woodstox WstxInputFactory
`com.ctc.wstx.stax.WstxInputFactory` overrides `createXMLStreamReader`,
`createXMLEventReader` and `setProperty` from `XMLInputFactory`, so the
existing `XmlInputFactory` model in `XmlParsers.qll` does not match calls
where the static receiver type is `WstxInputFactory` (or its supertype
`org.codehaus.stax2.XMLInputFactory2`). Woodstox is vulnerable to XXE in
its default configuration, so these missed sinks were false negatives in
`java/xxe`.

This adds a scoped framework model under
`semmle/code/java/frameworks/woodstox/WoodstoxXml.qll` (registered in the
`Frameworks` module of `XmlParsers.qll`) that recognises these calls as
XXE sinks and treats the factory as safe when both
`javax.xml.stream.supportDTD` and
`javax.xml.stream.isSupportingExternalEntities` are disabled — mirroring
the existing `XMLInputFactory` safe-configuration logic.
2026-04-17 18:46:51 +04:00
idrissrio
5a6eb79470 Java: Pin CWE-676 test to --release 25
Thread.stop() was removed in JDK 26. Pin the test to --release 25.
2026-04-07 09:28:22 +02:00
idrissrio
74b0e8c19a Java: Accept new test results after JDK 26 extractor upgrade 2026-04-07 09:28:20 +02:00
MarkLee131
b49c6dcbd4 Add @Pattern annotation test case and javax-validation-constraints stub
Adds a dedicated test verifying that fields annotated with
@javax.validation.constraints.Pattern are recognized as sanitized
by RegexpCheckBarrier, in addition to the existing String.matches()
guard test.
2026-04-04 22:04:05 +08:00
Kaixuan Li
258a53e146 Update java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-04 22:02:00 +08:00
MarkLee131
46ef0204ef Remove secretQuestion from FP exclusion list
secretQuestion is ambiguous: it could be the question text (not
sensitive) or a security question answer. Worse, the regex
secrets?(question) also matches secretQuestionAnswer, which is
clearly sensitive. Drop it to avoid false negatives.
2026-04-04 21:58:32 +08:00
MarkLee131
345b842edc Java: add RegexpCheckBarrier to trust-boundary-violation sanitizers
The trust-boundary-violation query only recognized OWASP ESAPI validators
as sanitizers. ESAPI is rarely used in modern Java projects, while regex
validation via String.matches() and @javax.validation.constraints.Pattern
is the standard approach in Spring/Jakarta applications.

RegexpCheckBarrier already exists in Sanitizers.qll and is used by other
queries (e.g., RequestForgery). This wires it into TrustBoundaryConfig,
so patterns like input.matches("[a-zA-Z0-9]+") and @Pattern annotations
are recognized as sanitizers, consistent with the existing ESAPI treatment.
2026-04-04 21:36:37 +08:00
MarkLee131
f338ded349 Java: treat hash/encrypt/digest methods as sensitive-log sanitizers
The sensitive-log query (CWE-532) lacked sanitizers for hashed or
encrypted data, while the sibling cleartext-storage query (CWE-312)
already recognized methods with "encrypt", "hash", or "digest" in their
names as sanitizers (CleartextStorageQuery.qll:86).

This adds an EncryptionBarrier to SensitiveLoggingQuery that applies the
same name-based heuristic, making the two queries consistent. Calls like
DigestUtils.sha256Hex(password) or hashPassword(secret) are no longer
flagged when their results are logged.
2026-04-04 21:35:36 +08:00