Chris Smowton
575198a0e4
Java SSRF query: Server Side -> Server-Side everywhere.
2021-06-17 11:41:04 +01:00
Chris Smowton
7899e17f3a
Java SSRF query: move RequestForgery qll file into semmle/code hierarchy
...
This makes it importable by people wishing to extend the query.
2021-06-17 11:41:04 +01:00
Chris Smowton
532a10bfdf
Java SSRF query: Provide hook for custom taint-propagating steps; make all default sinks/sanitizers/steps private.
2021-06-17 11:41:04 +01:00
Chris Smowton
5bdd9da27a
Java SSRF query: credit original author
2021-06-17 11:41:04 +01:00
Chris Smowton
e8613367e8
Java SSRF query: copyedit qhelp
2021-06-17 11:41:04 +01:00
Chris Smowton
3333e7d186
Java SSRF query: sanitize primitives
...
Even 'char' isn't a realistic vector for an exploit, unless somebody is copying out a string char by char.
2021-06-17 11:41:04 +01:00
Chris Smowton
93a9f471ce
Add change note
2021-06-17 11:41:04 +01:00
Chris Smowton
77904d9597
Remove failing test
...
The case where something might be exactly a constant is general across all queries, and not handled yet, particularly in the case where the result of `getParameter("uri")` might have changed between the check and the use.
2021-06-17 11:41:04 +01:00
Chris Smowton
6933d06a46
Add exactly the string '/' as a sanitizing prefix.
...
Usually this is ignored for suspicion that it could be taken for a protocol specifier, but on balance the context `(something) + "/" + tainted()` is more likely to be taken for a user-controlled location within a host the user does not control.
2021-06-17 11:41:03 +01:00
Chris Smowton
bc43b6d760
Fix typo
2021-06-17 11:41:03 +01:00
Chris Smowton
e6249eed79
Add doc comments
2021-06-17 11:41:03 +01:00
Chris Smowton
26e10f3ad5
SSRF: don't consider results of fetches we initiated to be untrustworthy
2021-06-17 11:41:03 +01:00
Chris Smowton
c63d5986cf
Sanitize StringBuilder appends that follow directly from a constructor.
...
Note that some of this logic ought to be incorporated into StringBuilderVar once that code can be reviewed.
2021-06-17 11:41:03 +01:00
Chris Smowton
b5a450b881
SSRF query: add sanitizer looking for a variety of ways of prepending a sanitizing prefix, such as one that restricts the hostname a URI will refer to.
2021-06-17 11:41:03 +01:00
Chris Smowton
487c1db6ed
Promote SSRF query to main query set
2021-06-17 11:41:01 +01:00
Anders Schack-Mulligen
6ca8d69b26
Merge pull request #5881 from haby0/java/UnsafeDeserialization
...
Java: CWE-502 Add UnsafeDeserialization sinks
2021-06-17 12:36:34 +02:00
Anders Schack-Mulligen
8fe2f4a554
Merge pull request #6034 from owen-mc/java/jax-rs
...
Improve JAX-WS and JAX-RS models
2021-06-17 12:35:34 +02:00
Anders Schack-Mulligen
b173b4141d
Merge pull request #6096 from smowton/smowton/fix/inline-expectations-missing-prefix
...
Inline expectation tests: accept // $MISSING: and // $SPURIOUS:
2021-06-17 11:41:15 +02:00
haby0
363ad5b470
Fix error
2021-06-17 17:36:35 +08:00
Owen Mansel-Chan
945db01f56
Address review comments
2021-06-17 10:29:33 +01:00
Owen Mansel-Chan
b9bc1f978c
Update style of inline expectation comments
2021-06-17 10:04:15 +01:00
Tom Hvitved
41ed9f3e1b
Data flow: Fix inconsistencies
2021-06-17 10:48:32 +02:00
Chris Smowton
558813acf7
Inline expectation tests: accept // $MISSING: and // $SPURIOUS:
...
Previously there had to be a space after the $ token, unlike ordinary expectations (i.e., // $xss was already accepted)
2021-06-17 09:44:39 +01:00
Owen Mansel-Chan
0987425f94
Reinstate failing tests with MISSING: prefix
2021-06-17 09:36:51 +01:00
Tom Hvitved
00e544189e
Data flow: Add consistency queries
2021-06-17 10:26:56 +02:00
Tom Hvitved
ad54f2e1f4
Bump codeql submodule
2021-06-17 10:24:19 +02:00
Tom Hvitved
0febf5a592
Merge pull request #6094 from hvitved/dataflow/consistency-compiler-too-smart
...
Data flow: Workaround for too clever compiler in consistency queries
2021-06-17 10:23:31 +02:00
edvraa
ac777d237d
autoformat
2021-06-17 09:23:26 +01:00
edvraa
0456d4793a
Fix path tracking
2021-06-17 09:23:26 +01:00
edvraa
4576b16f30
Use dataflow gettype
2021-06-17 09:23:26 +01:00
edvraa
062acedd49
Unify and make getValueForFieldWrite private
2021-06-17 09:23:26 +01:00
edvraa
236b623f60
Get rid of NetHttpCookieTrackingConfiguration
2021-06-17 09:23:26 +01:00
edvraa
031a79b8f5
Gorilla Store Save sink
2021-06-17 09:23:26 +01:00
edvraa
8110c3d059
Use HasFlow
2021-06-17 09:23:26 +01:00
edvraa
d60d18a8d0
Stay on dataflow level
2021-06-17 09:23:26 +01:00
edvraa
ed8d025bdf
Dedicated types
2021-06-17 09:23:26 +01:00
edvraa
cba4f0448e
Use package
2021-06-17 09:23:26 +01:00
edvraa
167496edff
Use MethodCallNode and hasQualifiedName
2021-06-17 09:23:26 +01:00
edvraa
5929f66efb
No need for Function f
2021-06-17 09:23:26 +01:00
edvraa
06c328c5aa
Fix comment
2021-06-17 09:23:26 +01:00
edvraa
3ac1b4ba0b
Use CallNode
2021-06-17 09:23:26 +01:00
edvraa
d06f4ca21e
Fix argumnt nr
2021-06-17 09:23:26 +01:00
edvraa
9224a315f1
inline isGinContextCookieFlow
2021-06-17 09:23:26 +01:00
edvraa
4d397d9974
Fix tests
2021-06-17 09:23:26 +01:00
edvraa
5349c98ae1
Comments
2021-06-17 09:23:26 +01:00
edvraa
0b9959e4ef
Default stub
2021-06-17 09:23:26 +01:00
edvraa
d32fa19c12
reformat
2021-06-17 09:23:26 +01:00
edvraa
4eb4787692
simplify expressions
2021-06-17 09:23:26 +01:00
edvraa
f537c479c9
path tracking
2021-06-17 09:23:26 +01:00
edvraa
253abc55d9
get rid of AuthCookieNameConfiguration
2021-06-17 09:23:26 +01:00