hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-14 19:29:28 +02:00
Code Issues Packages Projects Releases Wiki Activity
87,241 Commits 1,758 Branches 167 Tags
dbc9d0de4a17ac5fa39ffe1deea4ec2448c615fb
Commit Graph

52 Commits

Author SHA1 Message Date
MarkLee131
119994b59f Java: move File inspection methods to path-injection[read] 
Per review feedback on #21741: File.canRead/canWrite/canExecute,
exists/isDirectory/isFile/isHidden only inspect a path, so move them
under the path-injection[read] sub-kind. Update TaintedPath.expected
and the experimental CWE-073 expected to match.
 2026-05-01 16:04:29 +08:00
MarkLee131
c336a1595d Java: split read-only path sinks into path-injection[read] 
Introduce a new Models-as-Data sink sub-kind path-injection[read] for
models that only read from or inspect a path. The general
java/path-injection query and its PathInjectionSanitizer barrier
continue to consider both path-injection and path-injection[read]
sinks, so no alerts are lost. The java/zipslip query deliberately
selects only path-injection sinks, since read-only accesses such as
ClassLoader.getResource or FileInputStream are outside the archive
extraction threat model.

Addresses https://github.com/github/codeql/issues/21606 along the lines
proposed on the issue thread: prefer path-injection[read] over a
[create] sub-kind so that miscategorizing a sink causes a false
positive (easy to spot) rather than a false negative.

- shared/mad/codeql/mad/ModelValidation.qll: allow path-injection[...]
  as a valid sink kind.
- java/ql/lib/ext/*.model.yml: relabel the models that PR #12916
  migrated from the historical read-file kind (plus the newer
  ClassLoader resource-lookup variants that share the same read-only
  semantics).
- java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll and
  PathSanitizer.qll: select both path-injection and
  path-injection[read] sinks/barriers.
- java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll: keep only
  path-injection, with a comment explaining why path-injection[read]
  is excluded.
- java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipTest.java:
  add m7 regression covering the Dubbo-style classpath lookup from
  issue #21606 and assert no alert is produced.
- Update TaintedPath.expected for the renamed kinds in the models list.
- Add change-notes under java/ql/lib/change-notes and
  java/ql/src/change-notes.
 2026-04-21 09:17:36 +10:00
Owen Mansel-Chan
f6e3c77145 Convert path injection barrier to MaD 2025-12-11 16:24:27 +01:00
Jami Cogswell
c0ebeb9c7b Java: use AdditionalTaintStep 2025-02-14 13:52:43 -05:00
Anders Schack-Mulligen
d7fbf68a59 Merge pull request #17597 from aschackmull/java/chararraywriter-tostring 
Java: Add model for CharArrayWriter.toString().
 2024-11-12 12:55:44 +01:00
Michael Nebel
9a44eec04c Java: Add manual models for FileReader (they would also have disappeared if models were re-generated without using mixed mode). 2024-10-21 15:19:37 +02:00
Anders Schack-Mulligen
2d76752ca0 Java: Add model for CharArrayWriter.toString(). 2024-09-27 11:28:20 +02:00
Tony Torralba
f16dd8c010 Apply code review suggestions. 2024-06-04 10:35:11 +02:00
Tony Torralba
f84c2a842d Java: Add more File-related sinks for path-injection 2024-06-04 10:35:07 +02:00
Owen Mansel-Chan
23a58a0835 Add df-manual models related to existing df-manual models 2024-03-17 14:21:05 +00:00
Owen Mansel-Chan
8e52483beb Add df-manual models in manually modeled classes 2024-03-15 10:10:23 +00:00
Tony Torralba
eecab9122a Recognize the model generator involvement in the models' provenances 2024-03-14 08:56:23 +01:00
Tony Torralba
039bea1625 Java: Add more neutral JDK models 
This is similar to https://github.com/github/codeql/pull/15766, in the sense that it adds neutral models to prevent the model generator from generating summaries for them. These models were spotted while evaluating https://github.com/github/codeql/pull/14919.
 2024-03-13 16:59:38 +01:00
Max Schaefer
93990ec9df Merge pull request #15486 from github/java/update-mad-decls-after-triage-2024-01-31T11-16-45 
Java: Update MaD Declarations after Triage
 2024-02-09 11:18:17 +00:00
Max Schaefer
ad8038bade Update MaD Declarations after Triage 2024-01-31 11:28:10 +00:00
Tony Torralba
e2bf9ea2eb Consider File.exists() et al a path-injection sink 2024-01-30 14:51:36 +01:00
Tony Torralba
19cb7adb6d Migrate path injection sinks to MaD 
Deprecate and stop using PathCreation

Path creation sinks are now summaries
 2024-01-26 12:19:54 +01:00
Edward Minnix III
655470f3da Refactor EnvInput to MaD 2023-10-03 22:28:47 -04:00
Tony Torralba
29543f5726 Change InputStream.read from neutral to summary 2023-07-19 14:44:18 +02:00
Tony Torralba
2dbbcc2413 Java: Avoid low-confidence dispatch to InputStream methods 
Also adds a neutral model for `InputStream.read`, which offers a high-confidence alternative for this method.
 2023-07-19 11:30:53 +02:00
Stephan Brandauer
8f697ac1ee Java: fix broken MaD export format 2023-06-08 12:02:50 +02:00
Stephan Brandauer
c6f10519fa Merge branch 'main' into java/update-mad-decls-after-triage-2023-06-08T08-51-47 2023-06-08 12:00:07 +02:00
Stephan Brandauer
bda938c544 Update MaD Declarations after Triage 2023-06-08 10:51:48 +02:00
Tony Torralba
527fe523a8 Add PathCreation.qll sinks to models-as-data 
The old PathCreation sinks can't be removed because doing so would cause alert wobble in the path injection queries. See their getReportingNode predicates.
 2023-06-02 09:14:35 +02:00
Jami
617107de35 Merge pull request #12916 from jcogs33/jcogs33/revamp-java-sink-kinds 
Java: revamp MaD sink kinds
 2023-06-01 12:48:30 -04:00
Jami Cogswell
cb10f4976b Java: update create/read-file sink kinds to path-injection 2023-05-31 15:49:07 -04:00
Jami Cogswell
eb1a8e2189 Java: update write-file sink kind to file-system-store 2023-05-31 15:49:07 -04:00
Jami Cogswell
7e6913af62 Java: update provenance to 'hq-manual' 2023-05-26 18:55:13 -04:00
Jami Cogswell
65dd7eb8e7 Java: add neutral models discovered with path-inj and ssrf heuristics 2023-05-26 18:55:13 -04:00
Michael Nebel
bd23814e7c Java: Update existing neutrals to include kind information. 2023-05-08 16:18:59 +02:00
Michael Nebel
169d8d5cf9 Java: All ai-generated models have been manually verified. 2023-04-13 09:21:06 +02:00
Tony Torralba
944bdfde45 Apply suggestions from code review 2023-04-11 09:47:47 +02:00
Stephan Brandauer
cb8506d51a Update MaD Declarations after Triage 2023-04-11 09:25:39 +02:00
Tony Torralba
cdb3d9ea5a Apply suggestions from code review 2023-04-06 12:23:50 +02:00
Stephan Brandauer
18801b39c6 Update MaD Declarations after Triage 2023-04-06 12:23:50 +02:00
Jami Cogswell
8046ec2f78 Java: update -1 to this 2023-03-23 18:01:28 -04:00
Jami Cogswell
0f3a0a1e81 Java: remove ArrayElement from listFiles 2023-03-23 18:00:21 -04:00
Jami Cogswell
79ce46a221 Java: remove FileInputStream summary model since causing issues in DCA 2023-03-23 18:00:20 -04:00
Jami Cogswell
bdd7f18e35 Java: remove some comments 2023-03-23 18:00:20 -04:00
Jami Cogswell
17e0920325 Java: resolve more conflicts 2023-03-23 18:00:14 -04:00
Jami Cogswell
c213d56d2c Java: resolve some more -1 to this conflicts 2023-03-23 17:56:46 -04:00
Jami Cogswell
44c3a41194 Java: resolve more -1 to this conflicts 2023-03-23 17:53:27 -04:00
Jami Cogswell
971b0e8814 Java: -1 to this conflict 2023-03-23 17:50:08 -04:00
Michael Nebel
e86f1e4961 Java: Replace Argument[-1] with Argument[this]. 2023-03-20 10:14:20 +01:00
Tony Torralba
db83fe6f42 Fix incorrect java.io models 2023-03-14 11:21:17 +01:00
Tony Torralba
698dfa46fc Minor fixes to the models 2023-03-10 12:35:13 +01:00
Stephan Brandauer
0c19da926c Update MaD Declarations after Triage 2023-03-10 12:35:13 +01:00
Jami Cogswell
21a018e5c5 Java: add summary model and test for File.getName 2023-01-03 13:12:24 -05:00
Jami Cogswell
939279af38 Java: add comments 2022-12-22 16:25:12 -05:00
Jami Cogswell
99ddd484be Java: add java.io models 2022-12-21 12:34:26 -05:00