Commit Graph

4491 Commits

Author SHA1 Message Date
MarkLee131
f338ded349 Java: treat hash/encrypt/digest methods as sensitive-log sanitizers
The sensitive-log query (CWE-532) lacked sanitizers for hashed or
encrypted data, while the sibling cleartext-storage query (CWE-312)
already recognized methods with "encrypt", "hash", or "digest" in their
names as sanitizers (CleartextStorageQuery.qll:86).

This adds an EncryptionBarrier to SensitiveLoggingQuery that applies the
same name-based heuristic, making the two queries consistent. Calls like
DigestUtils.sha256Hex(password) or hashPassword(secret) are no longer
flagged when their results are logged.
2026-04-04 21:35:36 +08:00
MarkLee131
20cfe29199 Java: reduce false positives in sensitive-log by expanding FP exclusion regex
The getCommonSensitiveInfoFPRegex() only excluded "null", "tokenizer", and
"tokenImage", causing widespread false positives for common non-sensitive
variable names containing "token" or "secret".

This adds exclusions for three categories:
- Pagination/iteration tokens: nextToken (AWS SDK), pageToken (GCP),
  continuationToken (Azure), etc.
- Token metadata: tokenType (OAuth), tokenEndpoint (OIDC), tokenCount,
  tokenIndex, tokenLength, tokenUrl, etc.
- Secret metadata: secretName (K8s/AWS), secretId (Azure),
  secretVersion, secretArn, secretPath, etc.

All truly sensitive variable names (accessToken, clientSecret, secretKey,
refreshToken, etc.) remain correctly flagged.
2026-04-04 21:33:35 +08:00
MarkLee131
9ff4ed286f Java: recognize Path.toRealPath() as path normalization sanitizer
PathNormalizeSanitizer recognized Path.normalize() and
File.getCanonicalPath()/getCanonicalFile(), but not Path.toRealPath().

toRealPath() is strictly stronger than normalize() (resolves symlinks
and verifies file existence in addition to normalizing ".." components),
and is functionally equivalent to File.getCanonicalPath() for the NIO.2
API. CERT FIO16-J and OWASP both recommend it for path traversal defense.

This adds toRealPath to PathNormalizeSanitizer alongside normalize,
reducing false positives for code using idiomatic NIO.2 path handling.
2026-04-04 20:59:45 +08:00
MarkLee131
e6adfbca77 Address review: update QLDoc comment and fix expected test output
- Clarify that arithmeticUsedInBoundsCheck applies to if-condition
  comparisons, not all comparisons
- Update expected test line numbers to reflect added test calls
2026-03-29 11:53:06 +08:00
Kaixuan Li
938039d82c Merge branch 'main' into fix/tainted-arithmetic-bounds-check-barrier 2026-03-29 10:25:39 +08:00
Kaixuan Li
f5cfc5e282 Update java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.java
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
2026-03-29 10:25:10 +08:00
MarkLee131
0c5e89a68e Exclude bounds-check arithmetic from tainted-arithmetic sinks
The java/tainted-arithmetic query now recognizes when an arithmetic
expression appears directly as an operand of a comparison (e.g.,
`if (off + len > array.length)`). Such expressions are bounds checks,
not vulnerable computations, and are excluded via the existing
overflowIrrelevant predicate.

Add test cases for bounds-checking patterns that should not be flagged.
2026-03-28 17:39:40 +08:00
MarkLee131
da4a2238bc Address PR review: add Signature.getInstance sink, HMAC/PBKDF2 whitelist, fix test APIs
- Model Signature.getInstance() as CryptoAlgoSpec sink (previously only
  Signature constructor was modeled)
- Add HMAC-based algorithms (HMACSHA1/256/384/512, HmacSHA1/256/384/512)
  and PBKDF2 to the secure algorithm whitelist
- Fix XDH/X25519/X448 tests to use KeyAgreement.getInstance() instead of
  KeyPairGenerator.getInstance() to match their key agreement semantics
- Add test cases for SHA384withECDSA, HMACSHA*, and PBKDF2WithHmacSHA1
  from user-reported false positives
- Update change note to document all additions
2026-03-28 16:53:46 +08:00
MarkLee131
a9449cc991 Add EC to secure algorithm whitelist for Java CWE-327 query 2026-03-28 16:48:58 +08:00
Owen Mansel-Chan
e96ba4806b Merge pull request #21415 from owen-mc/java/validate-constructor-summary-models
Java: validate constructor summary models
2026-03-06 09:09:18 +00:00
Owen Mansel-Chan
92a719092a Update models in test output 2026-03-05 13:32:52 +00:00
Anders Schack-Mulligen
8ef4be49aa Merge pull request #21412 from aschackmull/java/binary-assignment
Java: Make Assignment extend BinaryExpr.
2026-03-05 13:19:45 +01:00
Owen Mansel-Chan
579c871b69 Fix incorrect constructor summary models 2026-03-05 12:03:21 +00:00
Owen Mansel-Chan
63c71b418c Add model validation for constructor summary models 2026-03-05 12:02:37 +00:00
Anders Schack-Mulligen
ec1d034ee0 Java: Make Assignment extend BinaryExpr. 2026-03-05 11:31:59 +01:00
Owen Mansel-Chan
2b3111441d Add space before $ in xml test file 2026-03-04 15:03:24 +00:00
Owen Mansel-Chan
aa28c94562 Remove double space after $ in inline expectations tests 2026-03-04 14:12:42 +00:00
Owen Mansel-Chan
f41c30e335 java: Inline expectation should have space before $ 2026-03-04 13:11:33 +00:00
Anders Schack-Mulligen
3c129fcd23 Java: Align BinaryExpr.getOp() with AssignOp.getOp(). 2026-03-04 13:46:04 +01:00
Owen Mansel-Chan
05a77a2005 Java: Update test expectations 2026-03-04 12:44:56 +00:00
Owen Mansel-Chan
ef345a3279 Java: Inline expectation should have space after $
This was a regex-find-replace from `// \$(?! )` (using a negative lookahead) to `// $ `.
2026-03-04 12:44:54 +00:00
Anders Schack-Mulligen
daefd5988e Java: Accept CFG diff. 2026-03-03 14:18:10 +01:00
Anders Schack-Mulligen
2b8e719034 Java: Add nullness test covering known FP. 2026-02-23 15:10:03 +01:00
Anders Schack-Mulligen
d4873dd35e Java: Adjust switch case guards test. 2026-02-23 15:10:01 +01:00
Anders Schack-Mulligen
352b3711f6 Java: Remove obsolete tests - false successors are no longer special. 2026-02-23 15:10:00 +01:00
Anders Schack-Mulligen
eb37c413f2 Java: Accept revised CFG. 2026-02-23 15:10:00 +01:00
Anders Schack-Mulligen
d84e0e262d Java: Accept removal of spurious reason (the alert stays). 2026-02-23 15:09:59 +01:00
Anders Schack-Mulligen
8b0dd7b866 Java: Accept new TP in NullMaybe. 2026-02-23 15:09:58 +01:00
Anders Schack-Mulligen
a72cf56a05 Java: Accept dispatch precision improvement. 2026-02-23 15:09:57 +01:00
Anders Schack-Mulligen
4d9c0e0c26 Java: Accept new locations for SSA definitions. 2026-02-23 15:09:57 +01:00
Anders Schack-Mulligen
a6ee1df567 Java: Remove test. Flexible constructors need AST-based tests, which are already in place, not CFG tests. 2026-02-23 15:09:56 +01:00
Anders Schack-Mulligen
581679d27d Java: Fix reference to entry node. 2026-02-23 15:09:56 +01:00
Anders Schack-Mulligen
a844d60174 Java: Accept new CFG nodes. 2026-02-23 15:09:54 +01:00
Anders Schack-Mulligen
6ac8c4f544 Java: Accept test changes due to pruned CFG, after-nodes, and reduced exception precision. 2026-02-23 15:09:54 +01:00
Anders Schack-Mulligen
e0eb653dcc Java: Accept guards test changes for revised switch CFG. 2026-02-23 15:09:53 +01:00
Anders Schack-Mulligen
fb2799bd47 Java: Adjust idominance tests. 2026-02-23 15:09:53 +01:00
Anders Schack-Mulligen
12b9999289 Java: Adjust BasicBlock-based qltests. 2026-02-23 15:09:52 +01:00
Anders Schack-Mulligen
48e3724299 Java/Cfg: Introduce new shared CFG library and replace the Java CFG. 2026-02-23 15:09:50 +01:00
Anders Schack-Mulligen
0c9931ff8a Java: Replace idominance tests. 2026-02-23 15:09:50 +01:00
Owen Mansel-Chan
cf73d96c9d Update test results (remove SPURIOUS annotations) 2026-02-16 12:03:02 +00:00
Owen Mansel-Chan
9fc95f5171 Expand log injection sanitizers to annotation regex matches 2026-02-16 12:01:13 +00:00
Owen Mansel-Chan
146fc7a8c0 Add failing log injection test for @Pattern validation 2026-02-16 12:01:07 +00:00
Owen Mansel-Chan
47a9f87d9b Merge pull request #21310 from owen-mc/java/regex-execution
Java: Add RegexMatch concept and recognise `@Pattern` annotation as sanitizer
2026-02-16 09:11:47 +00:00
Owen Mansel-Chan
8f8f4c2d52 Fix Matcher.matches edge case 2026-02-14 00:28:37 +00:00
Owen Mansel-Chan
90befa0c00 Add failing test for Matcher.matches() edge case 2026-02-14 00:28:34 +00:00
Owen Mansel-Chan
bfe26c1989 Add @Pattern as RegexExecution => SSRF sanitizer 2026-02-12 16:57:11 +00:00
Owen Mansel-Chan
d0999e3abd Add failing test for @Pattern validation 2026-02-12 16:57:04 +00:00
Anders Schack-Mulligen
5c53677051 Java: Deprecate UnreachableBlocks. 2026-02-12 11:06:34 +01:00
Anders Schack-Mulligen
6f40ac15b4 Java: Rename ReturnStmt.getResult to getExpr. 2026-02-04 14:43:31 +01:00
Anders Schack-Mulligen
5e6e64b2b7 Java: Rename UnaryExpr.getExpr to getOperand. 2026-02-04 10:50:49 +01:00