mirror of
https://github.com/github/codeql.git
synced 2026-07-08 13:05:36 +02:00
Compare commits
3 Commits
codeql-cli
...
jhelie/aut
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
cc0acb66ba | ||
|
|
d60d8837cd | ||
|
|
045b270924 |
194
java/ql/lib/ext/generated_models_positive.model.yml
Normal file
194
java/ql/lib/ext/generated_models_positive.model.yml
Normal file
@@ -0,0 +1,194 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/java-all
|
||||
extensible: sinkModel
|
||||
data:
|
||||
- ["java.sql", "Statement", True, "execute", "(String)", "", "Argument[this]", "sql-injection", "ai-generated"]
|
||||
- ["jakarta.persistence", "EntityManager", True, "find", "(Class,Object)", "", "Argument[1]", "sql-injection", "ai-generated"]
|
||||
- ["org.hibernate.query", "Query", True, "executeUpdate", "()", "", "Argument[this]", "sql-injection", "ai-generated"]
|
||||
- ["jakarta.persistence", "EntityManager", True, "createQuery", "(String)", "", "Argument[this]", "sql-injection", "ai-generated"]
|
||||
- ["jakarta.persistence", "EntityManager", True, "createQuery", "(CriteriaUpdate)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["jakarta.persistence", "EntityManager", True, "createQuery", "(CriteriaQuery)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["java.sql", "ResultSet", True, "getString", "(String)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["java.util.function", "Function", True, "apply", "(URL)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["java.sql", "Connection", True, "prepareStatement", "(String)", "", "Argument[this]", "sql-injection", "ai-generated"]
|
||||
- ["java.sql", "Connection", True, "prepareStatement", "(String,int)", "", "Argument[this]", "sql-injection", "ai-generated"]
|
||||
- ["jakarta.persistence", "TypedQuery", True, "setParameter", "(String,Object)", "", "Argument[1]", "sql-injection", "ai-generated"]
|
||||
- ["java.sql", "PreparedStatement", True, "setString", "(int,String)", "", "Argument[1]", "sql-injection", "ai-generated"]
|
||||
- ["jakarta.persistence", "Query", True, "executeUpdate", "()", "", "Argument[this]", "sql-injection", "ai-generated"]
|
||||
- ["org.hibernate.query", "Query", True, "setParameter", "(int,Object)", "", "Argument[1]", "sql-injection", "ai-generated"]
|
||||
- ["java.sql", "PreparedStatement", True, "setObject", "(int,Object)", "", "Argument[1]", "sql-injection", "ai-generated"]
|
||||
- ["java.lang", "Runtime", True, "addShutdownHook", "(Thread)", "", "Argument[0]", "command-injection", "ai-generated"]
|
||||
- ["jakarta.persistence", "EntityManager", True, "remove", "(Object)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["java.lang", "Class", False, "getResourceAsStream", "(String)", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["java.lang", "ClassLoader", True, "getResourceAsStream", "(String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["java.lang", "Class", False, "getResourceAsStream", "(String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["jakarta.ws.rs.core", "MultivaluedMap", True, "getFirst", "(String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["jakarta.ws.rs.client", "Invocation$Builder", False, "header", "(String,Object)", "", "Argument[1]", "request-forgery", "ai-generated"]
|
||||
- ["jakarta.ws.rs.client", "Invocation$Builder", False, "header", "(String,Object)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["org.apache.dubbo.rpc.cluster.router.state", "StateRouter", True, "route", "(BitList,URL,Invocation,boolean,Holder)", "", "Argument[1]", "request-forgery", "ai-generated"]
|
||||
- ["jakarta.persistence.criteria", "CriteriaBuilder", True, "function", "(String,Class,Expression[])", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["jakarta.ws.rs.client", "SyncInvoker", True, "get", "()", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["jakarta.persistence", "EntityManager", True, "createNativeQuery", "(String)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["jakarta.persistence", "EntityManager", True, "createNativeQuery", "(String)", "", "Argument[this]", "sql-injection", "ai-generated"]
|
||||
- ["jakarta.persistence", "EntityManager", True, "createNativeQuery", "(String,Class)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["com.alibaba.nacos.api.naming", "NamingService", True, "batchRegisterInstance", "(String,String,List)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["java.lang", "ClassLoader", True, "getResource", "(String)", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["java.net", "Socket", True, "connect", "(SocketAddress,int)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["java.net", "InetSocketAddress", True, "InetSocketAddress", "(InetAddress,int)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["java.net", "Socket", True, "connect", "(SocketAddress)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["java.sql", "Connection", True, "prepareCall", "(String)", "", "Argument[this]", "sql-injection", "ai-generated"]
|
||||
- ["java.lang", "Class", False, "getResource", "(String)", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["jakarta.ws.rs.core", "UriBuilder", True, "build", "(Object[])", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["jakarta.ws.rs.client", "SyncInvoker", True, "post", "(Entity,Class)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["jakarta.ws.rs.client", "SyncInvoker", True, "post", "(Entity)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["jakarta.ws.rs.client", "SyncInvoker", True, "post", "(Entity)", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["java.lang", "Class", False, "getResource", "(String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["java.sql", "PreparedStatement", True, "setDate", "(int,Date)", "", "Argument[1]", "sql-injection", "ai-generated"]
|
||||
- ["me.chanjar.weixin.common.util.http", "RequestExecutor", True, "execute", "(String,String,WxType)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["me.chanjar.weixin.common.util.http", "RequestExecutor", True, "execute", "(String,WxMpMaterial,WxType)", "", "Argument[2]", "request-forgery", "ai-generated"]
|
||||
- ["org.apache.kafka.clients.consumer", "KafkaConsumer", True, "KafkaConsumer<byte[],byte[]>", "(Map)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["java.sql", "CallableStatement", True, "getObject", "(String,Class)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["javax.servlet.http", "HttpServletResponse", True, "setHeader", "(String,String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["javax.servlet.http", "HttpServletResponse", True, "setHeader", "(String,String)", "", "Argument[1]", "url-redirection", "ai-generated"]
|
||||
- ["org.apache.http.message", "AbstractHttpMessage", True, "setHeader", "(String,String)", "", "Argument[1]", "request-forgery", "ai-generated"]
|
||||
- ["java.net", "URLConnection", True, "getInputStream", "()", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["org.apache.dubbo.rpc.cluster.router", "MockInvoker", True, "MockInvoker<String>", "(URL,boolean)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["org.apache.dubbo.rpc.cluster.router", "MockInvoker", True, "MockInvoker<String>", "(URL)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["org.apache.dubbo.remoting.zookeeper", "AbstractZookeeperClient", True, "create", "(String,boolean,boolean)", "", "Argument[0]", "path-injection", "ai-generated"]
|
||||
- ["java.io", "File", True, "listFiles", "(FileFilter)", "", "Argument[this]", "path-injection", "ai-generated"]
|
||||
- ["java.sql", "CallableStatement", True, "setCharacterStream", "(String,Reader,long)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["java.sql", "CallableStatement", True, "setObject", "(String,Object)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["jakarta.persistence", "EntityManager", True, "createNamedQuery", "(String)", "", "Argument[this]", "sql-injection", "ai-generated"]
|
||||
- ["jakarta.persistence.criteria", "CriteriaBuilder", True, "like", "(Expression,String)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["jakarta.persistence.criteria", "CriteriaBuilder", True, "like", "(Expression,String)", "", "Argument[1]", "sql-injection", "ai-generated"]
|
||||
- ["jakarta.ws.rs.core", "UriBuilder", True, "queryParam", "(String,Object[])", "", "Argument[1]", "request-forgery", "ai-generated"]
|
||||
- ["jakarta.ws.rs.client", "Entity", False, "form", "(Form)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["java.io", "File", True, "listFiles", "(FilenameFilter)", "", "Argument[0]", "path-injection", "ai-generated"]
|
||||
- ["okhttp3.mockwebserver", "MockWebServer", False, "url", "(String)", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["org.apache.http.client.methods", "HttpRequestBase", True, "setConfig", "(RequestConfig)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["jodd.http", "ProxyInfo", True, "ProxyInfo", "(ProxyType,String,int,String,String)", "", "Argument[1]", "request-forgery", "ai-generated"]
|
||||
- ["redis.clients.jedis", "JedisPool", True, "JedisPool", "(GenericObjectPoolConfig,String,int,int,String,int)", "", "Argument[4]", "command-injection", "ai-generated"]
|
||||
- ["io.restassured.specification", "RequestSenderOptions", True, "get", "(String,Object[])", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["io.restassured.specification", "RequestSenderOptions", True, "get", "(String,Object[])", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["org.apache.curator.framework.api", "Pathable", True, "forPath", "(String)", "", "Argument[0]", "path-injection", "ai-generated"]
|
||||
- ["com.alibaba.druid.sql.repository", "SchemaRepository", True, "console", "(String)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["org.apache.dubbo.rpc.cluster.router.mesh.route", "StandardMeshRuleRouter", True, "StandardMeshRuleRouter<>", "(URL)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["org.apache.kafka.clients.producer", "KafkaProducer", True, "KafkaProducer<K,V>", "(Properties)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["apache.rocketmq.v2", "Address$Builder", False, "setHost", "(String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["org.apache.hc.client5.http.impl.async", "CloseableHttpAsyncClient", False, "execute", "(SimpleHttpRequest,FutureCallback)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["java.lang", "Runtime", True, "exec", "(String[])", "", "Argument[this]", "command-injection", "ai-generated"]
|
||||
- ["org.jboss.shrinkwrap.api.exporter", "StreamExporter", True, "exportTo", "(File,boolean)", "", "Argument[0]", "path-injection", "ai-generated"]
|
||||
- ["java.io", "BufferedWriter", True, "BufferedWriter", "(Writer)", "", "Argument[0]", "path-injection", "ai-generated"]
|
||||
- ["javax.cache.spi", "CachingProvider", True, "getCacheManager", "(URI,ClassLoader)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["org.keycloak.authorization.client.util", "HttpMethod", True, "param", "(String,String)", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["org.keycloak.authorization.client.util", "HttpMethod", True, "param", "(String,String)", "", "Argument[1]", "request-forgery", "ai-generated"]
|
||||
- ["java.net", "URL", False, "getFile", "()", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["jakarta.ws.rs.core", "UriInfo", True, "getBaseUriBuilder", "()", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["org.wildfly.extras.creaper.core.online", "OnlineManagementClient", True, "execute", "(String)", "", "Argument[this]", "command-injection", "ai-generated"]
|
||||
- ["org.jboss.shrinkwrap.api", "Archive", True, "add", "(Asset,String)", "", "Argument[1]", "request-forgery", "ai-generated"]
|
||||
- ["java.lang", "Runtime", True, "exec", "(String)", "", "Argument[this]", "command-injection", "ai-generated"]
|
||||
- ["io.netty.util", "DomainNameMappingBuilder", False, "add", "(String,SslContext)", "", "Argument[1]", "request-forgery", "ai-generated"]
|
||||
- ["com.alibaba.druid.pool", "DruidAbstractDataSource", True, "setUrl", "(String)", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["com.alibaba.druid.sql", "SQLUtils", False, "parseStatements", "(String,String)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["redis.clients.jedis", "JedisPool", True, "JedisPool", "(GenericObjectPoolConfig,String,int,int,String,int)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["okio", "Okio", False, "source", "(File)", "", "Argument[0]", "path-injection", "ai-generated"]
|
||||
- ["jodd.http", "HttpRequest", False, "post", "(String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["me.chanjar.weixin.cp.bean", "WxCpAgentWorkBench$WxCpAgentWorkBenchBuilder", False, "url", "(String)", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["me.chanjar.weixin.cp.bean.templatecard", "HorizontalContent$HorizontalContentBuilder", False, "url", "(String)", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["me.chanjar.weixin.cp.tp.service.impl", "BaseWxCpTpServiceImpl", True, "post", "(String,String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["okhttp3", "Request$Builder", False, "get", "()", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["jodd.http", "HttpRequest", False, "get", "(String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["okhttp3", "Request$Builder", False, "post", "(RequestBody)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["okhttp3", "RequestBody", False, "create", "(MediaType,String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["org.redisson", "Redisson", False, "create", "(Config)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["jodd.http", "HttpConnectionProvider", True, "useProxy", "(ProxyInfo)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["io.grpc", "ManagedChannelBuilder", False, "forAddress", "(String,int)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["io.restassured.specification", "RequestSpecification", True, "header", "(String,Object,Object[])", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["org.springframework.web.reactive.function.server", "ServerResponse$HeadersBuilder", False, "build", "()", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["com.alibaba.csp.sentinel.datasource", "FileRefreshableDataSource", True, "FileRefreshableDataSource<List<SystemRule>>", "(String,Converter)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["com.ecwid.consul.v1", "ConsulClient", True, "ConsulClient", "(String,int)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["com.alibaba.csp.sentinel.datasource.redis", "RedisDataSource", True, "RedisDataSource<List<FlowRule>>", "(RedisConnectionConfig,String,String,Converter)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["org.apache.http.client.utils", "URIBuilder", True, "setPath", "(String)", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["org.apache.http.client.utils", "URIBuilder", True, "setScheme", "(String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["org.elasticsearch.client.support", "AbstractClient", True, "prepareUpdate", "(String,String,String)", "", "Argument[1]", "request-forgery", "ai-generated"]
|
||||
- ["org.apache.hadoop.hbase.client", "HTable", True, "getScanner", "(Scan)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["org.apache.kudu.client", "KuduClient", True, "openTable", "(String)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["com.alicloud.openservices.tablestore", "DefaultTableStoreWriter", True, "DefaultTableStoreWriter", "(String,ServiceCredentials,String,String,WriterConfig,TableStoreCallback)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["org.apache.commons.io", "FileUtils", False, "listFiles", "(File,IOFileFilter,IOFileFilter)", "", "Argument[0]", "path-injection", "ai-generated"]
|
||||
- ["org.apache.commons.io", "FileUtils", False, "forceMkdir", "(File)", "", "Argument[0]", "path-injection", "ai-generated"]
|
||||
- ["org.apache.dubbo.config", "ReferenceConfigBase", True, "setUrl", "(String)", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["org.springframework.context.support", "ClassPathXmlApplicationContext", True, "ClassPathXmlApplicationContext", "(String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["com.alibaba.nacos.api", "NacosFactory", False, "createConfigService", "(Properties)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["java.io", "File", True, "renameTo", "(File)", "", "Argument[this]", "path-injection", "ai-generated"]
|
||||
- ["org.apache.dubbo.rpc", "ServerService", True, "getInvoker", "(URL)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["java.net", "URLEncoder", False, "encode", "(String,String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["org.apache.commons.exec", "PumpStreamHandler", True, "PumpStreamHandler", "(OutputStream,OutputStream,InputStream)", "", "Argument[0]", "command-injection", "ai-generated"]
|
||||
- ["org.rocksdb", "RocksDB", False, "open", "(DBOptions,String,List,List)", "", "Argument[2]", "path-injection", "ai-generated"]
|
||||
- ["org.apache.kafka.streams.processor.api", "MockProcessorContext", True, "MockProcessorContext<Void,Void>", "(Properties,TaskId,File)", "", "Argument[2]", "path-injection", "ai-generated"]
|
||||
- ["javax.management.remote", "JMXConnectorServerFactory", False, "newJMXConnectorServer", "(JMXServiceURL,Map,MBeanServer)", "", "Argument[1]", "request-forgery", "ai-generated"]
|
||||
- ["java.net", "HttpURLConnection", True, "setRequestMethod", "(String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["java.nio.file", "Paths", False, "get", "(String,String[])", "", "Argument[1]", "path-injection", "ai-generated"]
|
||||
- ["org.apache.commons.io", "FileUtils", False, "deleteDirectory", "(File)", "", "Argument[0]", "path-injection", "ai-generated"]
|
||||
- ["java.sql", "DatabaseMetaData", True, "getExportedKeys", "(String,String,String)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["java.sql", "DatabaseMetaData", True, "getPseudoColumns", "(String,String,String,String)", "", "Argument[2]", "sql-injection", "ai-generated"]
|
||||
- ["org.eclipse.jetty.http", "HttpTester$Request", False, "setURI", "(String)", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["java.io", "File", True, "mkdir", "()", "", "Argument[this]", "path-injection", "ai-generated"]
|
||||
- ["java.io", "FilePermission", False, "FilePermission", "(String,String)", "", "Argument[0]", "path-injection", "ai-generated"]
|
||||
- ["org.h2.mvstore", "FileStore", True, "open", "(String,boolean)", "", "Argument[0]", "path-injection", "ai-generated"]
|
||||
- ["java.nio.file", "Files", False, "createTempFile", "(String,String,FileAttribute[])", "", "Argument[1]", "path-injection", "ai-generated"]
|
||||
- ["java.sql", "DatabaseMetaData", True, "getProcedures", "(String,String,String)", "", "Argument[1]", "sql-injection", "ai-generated"]
|
||||
- ["java.sql", "CallableStatement", True, "setBinaryStream", "(String,InputStream,long)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["org.postgresql.util", "PGobject", True, "setValue", "(String)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["org.postgresql.util", "PGobject", False, "setType", "(String)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["org.jboss.shrinkwrap.api.container", "ResourceContainer", True, "addAsResource", "(File,ArchivePath)", "", "Argument[1]", "path-injection", "ai-generated"]
|
||||
- ["java.sql", "CallableStatement", True, "setString", "(String,String)", "", "Argument[1]", "sql-injection", "ai-generated"]
|
||||
- ["org.gradle.process", "ExecSpec", True, "args", "(Object[])", "", "Argument[2]", "command-injection", "ai-generated"]
|
||||
- ["org.gradle.process", "JavaExecSpec", True, "args", "(Object[])", "", "Argument[0]", "command-injection", "ai-generated"]
|
||||
- ["org.gradle.api.file", "Directory", True, "getAsFile", "()", "", "Argument[this]", "path-injection", "ai-generated"]
|
||||
- ["java.io", "File", True, "createNewFile", "()", "", "Argument[this]", "path-injection", "ai-generated"]
|
||||
- ["org.gradle.api.tasks", "SourceTask", True, "source", "(Object[])", "", "Argument[0]", "path-injection", "ai-generated"]
|
||||
- ["org.gradle.testkit.runner", "GradleRunner", True, "withProjectDir", "(File)", "", "Argument[0]", "path-injection", "ai-generated"]
|
||||
- ["javax.servlet", "ServletContext", True, "getResourceAsStream", "(String)", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["javax.servlet.http", "HttpServletResponse", True, "sendRedirect", "(String)", "", "Argument[0]", "url-redirection", "ai-generated"]
|
||||
- ["org.keycloak.saml", "BaseSAML2BindingBuilder", True, "relayState", "(String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["jakarta.servlet.http", "HttpServletResponse", True, "sendRedirect", "(String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["java.nio.file", "Files", False, "getFileAttributeView", "(Path,Class,LinkOption[])", "", "Argument[0]", "path-injection", "ai-generated"]
|
||||
- ["liquibase.statement.core", "UpdateStatement", True, "UpdateStatement", "(String,String,String)", "", "Argument[2]", "sql-injection", "ai-generated"]
|
||||
- ["liquibase.database.jvm", "JdbcConnection", True, "prepareStatement", "(String)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["liquibase.executor", "Executor", True, "execute", "(SqlStatement)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["com.openshift.restclient", "ClientBuilder", True, "ClientBuilder", "(String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["javax.naming.ldap", "InitialLdapContext", True, "InitialLdapContext", "(Hashtable,Control[])", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["java.lang", "Process", True, "destroy", "()", "", "Argument[this]", "command-injection", "ai-generated"]
|
||||
- ["jakarta.ws.rs.core", "UriInfo", True, "getBaseUri", "()", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["jakarta.mail", "Part", True, "setHeader", "(String,String)", "", "Argument[1]", "request-forgery", "ai-generated"]
|
||||
- ["jakarta.ws.rs.core", "Response$ResponseBuilder", False, "location", "(URI)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["jakarta.servlet", "ServletContext", True, "getResourceAsStream", "(String)", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["jakarta.servlet", "ServletRequest", True, "getRequestDispatcher", "(String)", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["io.undertow", "Undertow$Builder", False, "addHttpsListener", "(int,String,SSLContext)", "", "Argument[1]", "request-forgery", "ai-generated"]
|
||||
- ["org.keycloak.saml", "BaseSAML2BindingBuilder", True, "redirectBinding", "(Document)", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["java.net", "URI", False, "getAuthority", "()", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["org.jfree.chart", "ChartUtilities", False, "saveChartAsPNG", "(File,JFreeChart,int,int)", "", "Argument[0]", "path-injection", "ai-generated"]
|
||||
- ["java.net", "URL", False, "URL", "(String,String,int,String)", "", "Argument[1]", "request-forgery", "ai-generated"]
|
||||
- ["org.jboss.resteasy.plugins.providers.multipart", "MultipartFormDataOutput", True, "addFormData", "(String,Object,MediaType)", "", "Argument[2]", "request-forgery", "ai-generated"]
|
||||
- ["jakarta.ws.rs.client", "WebTarget", True, "path", "(String)", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["org.apache.http.impl.cookie", "BasicClientCookie", True, "BasicClientCookie", "(String,String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["jakarta.ws.rs.client", "Client", True, "target", "(String)", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["org.apache.ibatis.jdbc", "AbstractSQL", True, "HAVING", "(String[])", "", "Argument[this]", "sql-injection", "ai-generated"]
|
||||
- ["io.netty.resolver", "AddressResolver", True, "resolve", "(SocketAddress)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["net.sf.jsqlparser.expression", "BinaryExpression", True, "setRightExpression", "(Expression)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["net.sf.jsqlparser.schema", "Column", True, "Column", "(String)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["net.sf.jsqlparser.parser", "CCJSqlParserUtil", False, "parse", "(String)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["org.apache.ibatis.io", "Resources", False, "getResourceAsReader", "(String)", "", "Argument[0]", "path-injection", "ai-generated"]
|
||||
- ["com.ecwid.consul.v1", "ConsulClient", True, "setKVValue", "(String,String,String,PutParams)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["com.alibaba.nacos.api.config", "ConfigService", True, "removeConfig", "(String,String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["io.etcd.jetcd", "ClientBuilder", False, "endpoints", "(String[])", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["com.weibo.api.motan.config", "AbstractServiceConfig", True, "setExport", "(String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["com.alibaba.druid.pool", "DruidAbstractDataSource", True, "setValidationQuery", "(String)", "", "Argument[0]", "sql-injection", "ai-generated"]
|
||||
- ["java.net", "Authenticator", False, "requestPasswordAuthentication", "(String,InetAddress,int,String,String,String,URL,RequestorType)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["java.net", "HttpCookie", False, "setDomain", "(String)", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["java.net", "Proxy", True, "Proxy", "(Type,SocketAddress)", "", "Argument[1]", "request-forgery", "ai-generated"]
|
||||
- ["okio", "FileSystem", False, "createDirectories", "(Path)", "", "Argument[0]", "path-injection", "ai-generated"]
|
||||
- ["java.security", "Provider", True, "configure", "(String)", "", "Argument[0]", "request-forgery", "ai-generated"]
|
||||
- ["okhttp3", "HttpUrl", False, "newBuilder", "()", "", "Argument[this]", "request-forgery", "ai-generated"]
|
||||
- ["javax.imageio", "ImageIO", False, "read", "(File)", "", "Argument[0]", "path-injection", "ai-generated"]
|
||||
87
java/ql/lib/semmle/code/java/AutomodelSinkTriageUtils.qll
Normal file
87
java/ql/lib/semmle/code/java/AutomodelSinkTriageUtils.qll
Normal file
@@ -0,0 +1,87 @@
|
||||
private import java
|
||||
private import semmle.code.java.dataflow.ExternalFlow as ExternalFlow
|
||||
private import semmle.code.java.dataflow.TaintTracking::TaintTracking
|
||||
|
||||
/** Gets the models-as-data description for the method argument with the index `index`. */
|
||||
bindingset[index]
|
||||
private string getArgumentForIndex(int index) {
|
||||
index = -1 and result = "Argument[this]"
|
||||
or
|
||||
index >= 0 and result = "Argument[" + index + "]"
|
||||
}
|
||||
|
||||
private boolean considerSubtypes(Callable callable) {
|
||||
if
|
||||
callable.isStatic() or
|
||||
callable.getDeclaringType().isStatic() or
|
||||
callable.isFinal() or
|
||||
callable.getDeclaringType().isFinal()
|
||||
then result = false
|
||||
else result = true
|
||||
}
|
||||
|
||||
private class SinkModelExpr extends Expr {
|
||||
predicate hasSignature(
|
||||
string package, string type, boolean subtypes, string name, string signature, string input
|
||||
) {
|
||||
exists(Call call, Callable callable, int argIdx |
|
||||
call.getCallee() = callable and
|
||||
(
|
||||
this = call.getArgument(argIdx)
|
||||
or
|
||||
this = call.getQualifier() and argIdx = -1
|
||||
) and
|
||||
input = getArgumentForIndex(argIdx) and
|
||||
package = callable.getDeclaringType().getPackage().getName() and
|
||||
type = callable.getDeclaringType().getErasure().(RefType).nestedName() and
|
||||
subtypes = considerSubtypes(callable) and
|
||||
name = callable.getName() and
|
||||
signature = ExternalFlow::paramsString(callable)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
private string pyBool(boolean b) {
|
||||
b = true and result = "True"
|
||||
or
|
||||
b = false and result = "False"
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets a string representation of the existing sink model at the expression `e`, in the format in
|
||||
* which it would appear in a Models-as-Data file.
|
||||
*/
|
||||
string getSinkModelRepr(SinkModelExpr e) {
|
||||
exists(
|
||||
string package, string type, boolean subtypes, string name, string signature, string input,
|
||||
string ext, string kind, string provenance
|
||||
|
|
||||
e.hasSignature(package, type, subtypes, name, signature, input) and
|
||||
ExternalFlow::sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance) and
|
||||
provenance = "ai-generated" and
|
||||
result =
|
||||
"\"" + package + "\", \"" + type + "\", " + pyBool(subtypes) + ", \"" + name + "\", \"" +
|
||||
signature + "\", \"" + ext + "\", \"" + input + "\", \"" + kind + "\", \"" + provenance +
|
||||
"\""
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the string representation of a sink model in a format suitable for appending to an alert
|
||||
* message.
|
||||
*/
|
||||
string getSinkModelQueryRepr(SinkModelExpr e) { result = "\nsinkModel: " + getSinkModelRepr(e) }
|
||||
// TODO: make this logic more generic
|
||||
// private predicate relevantSinkModel(int c, string s) {
|
||||
// exists(RequestForgeryFlow::PathNode source, RequestForgeryFlow::PathNode sink |
|
||||
// RequestForgeryFlow::flowPath(source, sink) and
|
||||
// s = getSinkModelRepr(sink.getNode().asExpr())
|
||||
// ) and
|
||||
// c =
|
||||
// count(RequestForgeryFlow::PathNode sink |
|
||||
// exists(RequestForgeryFlow::PathNode source |
|
||||
// RequestForgeryFlow::flowPath(source, sink) and
|
||||
// s = getSinkModelRepr(sink.getNode().asExpr())
|
||||
// )
|
||||
// )
|
||||
// }
|
||||
41
java/ql/src/Security/CWE/CWE-022/TaintedPathAutomodel.ql
Normal file
41
java/ql/src/Security/CWE/CWE-022/TaintedPathAutomodel.ql
Normal file
@@ -0,0 +1,41 @@
|
||||
/**
|
||||
* @name Uncontrolled data used in path expression
|
||||
* @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @security-severity 7.5
|
||||
* @precision high
|
||||
* @id java/path-injection-automodel
|
||||
* @tags security
|
||||
* external/cwe/cwe-022
|
||||
* external/cwe/cwe-023
|
||||
* external/cwe/cwe-036
|
||||
* external/cwe/cwe-073
|
||||
* ai-generated
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.PathCreation
|
||||
import semmle.code.java.security.TaintedPathQuery
|
||||
import TaintedPathFlow::PathGraph
|
||||
private import semmle.code.java.AutomodelSinkTriageUtils
|
||||
|
||||
/**
|
||||
* Gets the data-flow node at which to report a path ending at `sink`.
|
||||
*
|
||||
* Previously this query flagged alerts exclusively at `PathCreation` sites,
|
||||
* so to avoid perturbing existing alerts, where a `PathCreation` exists we
|
||||
* continue to report there; otherwise we report directly at `sink`.
|
||||
*/
|
||||
DataFlow::Node getReportingNode(DataFlow::Node sink) {
|
||||
TaintedPathFlow::flowTo(sink) and
|
||||
if exists(PathCreation pc | pc.getAnInput() = sink.asExpr())
|
||||
then result.asExpr() = any(PathCreation pc | pc.getAnInput() = sink.asExpr())
|
||||
else result = sink
|
||||
}
|
||||
|
||||
from TaintedPathFlow::PathNode source, TaintedPathFlow::PathNode sink
|
||||
where TaintedPathFlow::flowPath(source, sink)
|
||||
select getReportingNode(sink.getNode()), source, sink,
|
||||
"This path depends on a $@." + getSinkModelQueryRepr(sink.getNode().asExpr()), source.getNode(),
|
||||
"user-provided value"
|
||||
27
java/ql/src/Security/CWE/CWE-078/ExecTaintedAutomodel.ql
Normal file
27
java/ql/src/Security/CWE/CWE-078/ExecTaintedAutomodel.ql
Normal file
@@ -0,0 +1,27 @@
|
||||
/**
|
||||
* @name Uncontrolled command line
|
||||
* @description Using externally controlled strings in a command line is vulnerable to malicious
|
||||
* changes in the strings.
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @security-severity 9.8
|
||||
* @precision high
|
||||
* @id java/command-line-injection-automodel
|
||||
* @tags security
|
||||
* external/cwe/cwe-078
|
||||
* external/cwe/cwe-088
|
||||
* ai-generated
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.CommandLineQuery
|
||||
import RemoteUserInputToArgumentToExecFlow::PathGraph
|
||||
private import semmle.code.java.AutomodelSinkTriageUtils
|
||||
|
||||
from
|
||||
RemoteUserInputToArgumentToExecFlow::PathNode source,
|
||||
RemoteUserInputToArgumentToExecFlow::PathNode sink, Expr execArg
|
||||
where execIsTainted(source, sink, execArg)
|
||||
select execArg, source, sink,
|
||||
"This command line depends on a $@." + getSinkModelQueryRepr(sink.getNode().asExpr()),
|
||||
source.getNode(), "user-provided value"
|
||||
35
java/ql/src/Security/CWE/CWE-089/SqlConcatenatedAutomodel.ql
Normal file
35
java/ql/src/Security/CWE/CWE-089/SqlConcatenatedAutomodel.ql
Normal file
@@ -0,0 +1,35 @@
|
||||
/**
|
||||
* @name Query built by concatenation with a possibly-untrusted string
|
||||
* @description Building a SQL or Java Persistence query by concatenating a possibly-untrusted string
|
||||
* is vulnerable to insertion of malicious code.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 8.8
|
||||
* @precision medium
|
||||
* @id java/concatenated-sql-query-automodel
|
||||
* @tags security
|
||||
* external/cwe/cwe-089
|
||||
* external/cwe/cwe-564
|
||||
* ai-generated
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.SqlConcatenatedLib
|
||||
import semmle.code.java.security.SqlInjectionQuery
|
||||
import semmle.code.java.security.SqlConcatenatedQuery
|
||||
private import semmle.code.java.AutomodelSinkTriageUtils
|
||||
|
||||
from QueryInjectionSink query, Expr uncontrolled
|
||||
where
|
||||
(
|
||||
builtFromUncontrolledConcat(query.asExpr(), uncontrolled)
|
||||
or
|
||||
exists(StringBuilderVar sbv |
|
||||
uncontrolledStringBuilderQuery(sbv, uncontrolled) and
|
||||
UncontrolledStringBuilderSourceFlow::flow(DataFlow::exprNode(sbv.getToStringCall()), query)
|
||||
)
|
||||
) and
|
||||
not queryIsTaintedBy(query, _, _)
|
||||
select query,
|
||||
"Query built by concatenation with $@, which may be untrusted." +
|
||||
getSinkModelQueryRepr(query.asExpr()), uncontrolled, "this expression"
|
||||
27
java/ql/src/Security/CWE/CWE-089/SqlTaintedAutomodel.ql
Normal file
27
java/ql/src/Security/CWE/CWE-089/SqlTaintedAutomodel.ql
Normal file
@@ -0,0 +1,27 @@
|
||||
/**
|
||||
* @name Query built from user-controlled sources
|
||||
* @description Building a SQL or Java Persistence query from user-controlled sources is vulnerable to insertion of
|
||||
* malicious code by the user.
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @security-severity 8.8
|
||||
* @precision high
|
||||
* @id java/sql-injection-automodel
|
||||
* @tags security
|
||||
* external/cwe/cwe-089
|
||||
* external/cwe/cwe-564
|
||||
* ai-generated
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.security.SqlInjectionQuery
|
||||
import QueryInjectionFlow::PathGraph
|
||||
private import semmle.code.java.AutomodelSinkTriageUtils
|
||||
|
||||
from
|
||||
QueryInjectionSink query, QueryInjectionFlow::PathNode source, QueryInjectionFlow::PathNode sink
|
||||
where queryIsTaintedBy(query, source, sink)
|
||||
select query, source, sink,
|
||||
"This query depends on a $@." + getSinkModelQueryRepr(sink.getNode().asExpr()), source.getNode(),
|
||||
"user-provided value"
|
||||
@@ -0,0 +1,26 @@
|
||||
/**
|
||||
* @name Android missing certificate pinning
|
||||
* @description Network connections that do not use certificate pinning may allow attackers to eavesdrop on communications.
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 5.9
|
||||
* @precision medium
|
||||
* @id java/android/missing-certificate-pinning-automodel
|
||||
* @tags security
|
||||
* external/cwe/cwe-295
|
||||
* ai-generated
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.AndroidCertificatePinningQuery
|
||||
private import semmle.code.java.AutomodelSinkTriageUtils
|
||||
|
||||
from DataFlow::Node node, string domain, string msg
|
||||
where
|
||||
missingPinning(node, domain) and
|
||||
if domain = ""
|
||||
then msg = "(no explicitly trusted domains)"
|
||||
else msg = "(" + domain + " is not trusted by a pin)"
|
||||
select node,
|
||||
"This network call does not implement certificate pinning. " + msg +
|
||||
getSinkModelQueryRepr(node.asExpr())
|
||||
@@ -0,0 +1,24 @@
|
||||
/**
|
||||
* @name Insertion of sensitive information into log files
|
||||
* @description Writing sensitive information to log files can allow that
|
||||
* information to be leaked to an attacker more easily.
|
||||
* @kind path-problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.5
|
||||
* @precision medium
|
||||
* @id java/sensitive-log-automodel
|
||||
* @tags security
|
||||
* external/cwe/cwe-532
|
||||
* ai-generated
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.SensitiveLoggingQuery
|
||||
import SensitiveLoggerFlow::PathGraph
|
||||
private import semmle.code.java.AutomodelSinkTriageUtils
|
||||
|
||||
from SensitiveLoggerFlow::PathNode source, SensitiveLoggerFlow::PathNode sink
|
||||
where SensitiveLoggerFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"This $@ is written to a log file." + getSinkModelQueryRepr(sink.getNode().asExpr()),
|
||||
source.getNode(), "potentially sensitive information"
|
||||
24
java/ql/src/Security/CWE/CWE-601/UrlRedirectAutomodel.ql
Normal file
24
java/ql/src/Security/CWE/CWE-601/UrlRedirectAutomodel.ql
Normal file
@@ -0,0 +1,24 @@
|
||||
/**
|
||||
* @name URL redirection from remote source
|
||||
* @description URL redirection based on unvalidated user-input
|
||||
* may cause redirection to malicious web sites.
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @security-severity 6.1
|
||||
* @precision high
|
||||
* @id java/unvalidated-url-redirection-automodel
|
||||
* @tags security
|
||||
* external/cwe/cwe-601
|
||||
* ai-generated
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.UrlRedirectQuery
|
||||
import UrlRedirectFlow::PathGraph
|
||||
private import semmle.code.java.AutomodelSinkTriageUtils
|
||||
|
||||
from UrlRedirectFlow::PathNode source, UrlRedirectFlow::PathNode sink
|
||||
where UrlRedirectFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"Untrusted URL redirection depends on a $@." + getSinkModelQueryRepr(sink.getNode().asExpr()),
|
||||
source.getNode(), "user-provided value"
|
||||
24
java/ql/src/Security/CWE/CWE-918/RequestForgeryAutomodel.ql
Normal file
24
java/ql/src/Security/CWE/CWE-918/RequestForgeryAutomodel.ql
Normal file
@@ -0,0 +1,24 @@
|
||||
/**
|
||||
* @name Server-side request forgery
|
||||
* @description Making web requests based on unvalidated user-input
|
||||
* may cause the server to communicate with malicious servers.
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @security-severity 9.1
|
||||
* @precision high
|
||||
* @id java/ssrf-automodel
|
||||
* @tags security
|
||||
* external/cwe/cwe-918
|
||||
* ai-generated
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.RequestForgeryConfig
|
||||
import RequestForgeryFlow::PathGraph
|
||||
private import semmle.code.java.AutomodelSinkTriageUtils
|
||||
|
||||
from RequestForgeryFlow::PathNode source, RequestForgeryFlow::PathNode sink
|
||||
where RequestForgeryFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"Potential server-side request forgery due to a $@." +
|
||||
getSinkModelQueryRepr(sink.getNode().asExpr()), source.getNode(), "user-provided value"
|
||||
2370
java/ql/src/Telemetry/IdentifyReposUsingModels.ql
Normal file
2370
java/ql/src/Telemetry/IdentifyReposUsingModels.ql
Normal file
File diff suppressed because it is too large
Load Diff
Reference in New Issue
Block a user