Compare commits

...

524 Commits

Author SHA1 Message Date
Max Schaefer
152b290bdf Revert "JS: More robust hasUnderlyingType"
This reverts commit 3e5dc1efb7.
2021-07-21 11:31:38 +01:00
Max Schaefer
044c759682 Revert "JavaScript: Model chaining calls in sqlite3."
This reverts commit 8f91e9eba0.
2021-07-21 11:28:53 +01:00
Cornelius Riemenschneider
a1c38b78a9 Merge pull request #6163 from adityasharad/lines-of-code-make-unique
Ensure only one query per language is tagged `lines-of-code`
2021-06-28 10:57:29 +02:00
Aditya Sharad
61e6dcb56d Ensure only one query per language is tagged lines-of-code
Some languages have multiple `summary` queries for lines of code,
representing different forms of counting (user written, total, etc).
When Code Scanning sees results from multiple such summary queries in a single run,
it will need to choose one as the primary LoC count to display in the UI.

By ensuring only one query per language has the `lines-of-code` tag,
in future we can teach Code Scanning to look for this particular tag
to identify the primary LoC count.

If a "lines of user code" query is available, use that.
Otherwise use the total "lines of code".

(It is completely fine for multiple queries to be tagged with `summary`.)
2021-06-25 16:45:37 -07:00
Chris Smowton
8aa9cd52b5 Merge pull request #5811 from mogwailabs/insecureJmxRmiServerEnvironment
Java: Add query - insecure environment configuration during JMX/RMI server init
2021-06-25 22:09:20 +01:00
Timo Mueller
e5fa5325b5 Auto formatting .ql file 2021-06-25 22:31:29 +02:00
Timo Mueller
eb0a13f60f Merge branch 'insecureJmxRmiServerEnvironment' of github.com:mogwailabs/codeql into insecureJmxRmiServerEnvironment 2021-06-25 22:29:43 +02:00
Chris Smowton
def4a23af2 Merge pull request #4879 from intrigus-lgtm/java/improve-trustmanager
Java: Add/improve insecure trustmanager query
2021-06-25 18:15:55 +01:00
Tom Hvitved
e624fb46f9 Merge pull request #6152 from hvitved/csharp/dataflow/csv-out-ref 2021-06-25 18:02:59 +02:00
intrigus
5aa711a956 Accept test changes. 2021-06-25 17:04:36 +02:00
Owen Mansel-Chan
44f0411b7c Merge pull request #6138 from owen-mc/java/model/apache-commons-collections
Model Apache commons collections MapUtils class and keyvalue package
2021-06-25 15:53:03 +01:00
Anders Schack-Mulligen
a79356e316 Apply suggestions from code review 2021-06-25 16:47:26 +02:00
intrigus
be57aeccf2 Remove change-note. 2021-06-25 16:47:26 +02:00
intrigus
5106aec319 Fix test location. 2021-06-25 16:47:25 +02:00
intrigus
36575bb26f Move back to experimental......... 2021-06-25 16:47:25 +02:00
intrigus
fe923facc8 Java: Move comments to separate lines.
Move comments to separate lines to improve
the rendering in the finished query help.
2021-06-25 16:47:25 +02:00
intrigus-lgtm
f527df73d5 Apply suggestions from code review.
Co-authored-by: Felicity Chapman <felicitymay@github.com>
2021-06-25 16:47:25 +02:00
intrigus
f0d4b1d2b0 Java: Add change-note. 2021-06-25 16:47:25 +02:00
intrigus
6bfdf8d148 Java: Fix qhelp errors. 2021-06-25 16:47:24 +02:00
intrigus
dc0b06a735 Java: Factor out SecurityFlag library. 2021-06-25 16:47:24 +02:00
intrigus-lgtm
51fdcf86c8 Apply suggestions from code review
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2021-06-25 16:47:24 +02:00
intrigus
6f217d37da Java: Apply suggestions from review. 2021-06-25 16:47:24 +02:00
intrigus
4a00670b68 Java: Reduce long comment. 2021-06-25 16:47:24 +02:00
intrigus
45cec3df1c Java: Use this consistently in QL classes. 2021-06-25 16:47:24 +02:00
intrigus
0c1ce74135 Java: Switch from tabs to spaces. 2021-06-25 16:47:24 +02:00
intrigus
281e0859d1 Java: Accept test changes. 2021-06-25 16:47:23 +02:00
intrigus
6413af4fbe Java: Expand tests. 2021-06-25 16:47:23 +02:00
intrigus
484533c659 Java: Flag "intentionally" unsafe methods in tests.
Previously intentionally unsafe methods such as `disableCertificate`
would be ignored by this query. But now they will also be flagged
as it is hard to guess intentions...
Adjust the tests to account for this change.
2021-06-25 16:47:23 +02:00
intrigus
7023793af4 Java: Fix compilation errors in test. 2021-06-25 16:47:23 +02:00
intrigus
6d09db6fd6 Java: Explicitly list custom flow steps. 2021-06-25 16:47:23 +02:00
intrigus
e4775e0fae Java: Remove "intention-guessing" sanitizer & simplify.
This removes the sanitizer part that classified some results as FP
if the results were in methods with certain names, like
`disableVerification()`. I now think that it's a bad idea to filter
based on the method name.
The custom flow steps in `flagFlowStep` are now listed explicitly.
Simplified check whether a method throws an exception.
2021-06-25 16:47:23 +02:00
intrigus
8a7f6b72e9 Java: Apply suggestions for QHelp 2021-06-25 16:47:23 +02:00
intrigus
d37d922e8f Java: Fix Typos 2021-06-25 16:47:22 +02:00
intrigus-lgtm
030c286902 Java: Use machine-in-the-middle consistently 2021-06-25 16:47:22 +02:00
intrigus-lgtm
f52e438f3e Java: Apply suggestions from code review
Co-authored-by: Chris Smowton <smowton@github.com>
2021-06-25 16:47:22 +02:00
intrigus
592fd1e8ca Java: Accept test changes 2021-06-25 16:47:22 +02:00
intrigus
1b96d0ac54 Java: Remove overlapping code 2021-06-25 16:47:22 +02:00
intrigus
87554a78d4 Java: Add insecure trust manager query. 2021-06-25 16:47:22 +02:00
Timo Müller
8daa398af6 Update InsecureRmiJmxEnvironmentConfiguration.ql 2021-06-25 16:12:37 +02:00
Timo Mueller
b969b9b5e7 Merge branch 'insecureJmxRmiServerEnvironment' of github.com:mogwailabs/codeql into insecureJmxRmiServerEnvironment 2021-06-25 16:11:47 +02:00
Timo Mueller
72ef4983db Fixed wrong match for symbolic constant 2021-06-25 16:11:37 +02:00
Timo Müller
328b69f46c Update java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql 2021-06-25 16:10:20 +02:00
Owen Mansel-Chan
bad32716e8 Import Apache Collections models in ExternalFlow 2021-06-25 14:51:09 +01:00
Timo Mueller
5aeeb3a801 Fixed and validated qhelp 2021-06-25 15:37:47 +02:00
Owen Mansel-Chan
044ecc51e5 Manually improve tests #2 2021-06-25 13:51:18 +01:00
Owen Mansel-Chan
e2803800dc Add change note 2021-06-25 12:55:09 +01:00
Owen Mansel-Chan
2fd4c9f1b9 Manually improve tests 2021-06-25 11:17:11 +01:00
Owen Mansel-Chan
1bb33bca33 Add Apache Commons Collections to coverage reports 2021-06-25 11:17:10 +01:00
Owen Mansel-Chan
eb469c0811 Duplicate models for old package name
The package name was org.apache.commons.collection until release 4.0.
2021-06-25 11:17:09 +01:00
Owen Mansel-Chan
2e670c4050 Manually update automatically generated stubs 2021-06-25 11:17:08 +01:00
Owen Mansel-Chan
acc43fcaca Add options file 2021-06-25 11:17:07 +01:00
Owen Mansel-Chan
5feee9cc17 Add automatically-generated stubs 2021-06-25 11:17:06 +01:00
Owen Mansel-Chan
7004c87ec0 Manually edit tests so they pass 2021-06-25 11:17:05 +01:00
Owen Mansel-Chan
4388f19ddf Add automatically-generated tests 2021-06-25 11:17:04 +01:00
Owen Mansel-Chan
224fd343f3 Fix models (addressing PR review comments) 2021-06-25 11:17:03 +01:00
Owen Mansel-Chan
e78d56e7e9 Model MapUtils class and keyvalue package 2021-06-25 11:17:02 +01:00
Owen Mansel-Chan
213f5d6a37 Model and use isEmpty from Apache Collections 2021-06-25 11:17:01 +01:00
Owen Mansel-Chan
492f6ebc7c Model isNotEmpty from Apache Commons Collections 2021-06-25 11:17:00 +01:00
Anders Schack-Mulligen
2d24387e9e Merge pull request #6149 from edoardopirovano/fix-java-regression
Performance: Fix bad join order in Java dataflow library
2021-06-25 10:42:05 +02:00
Timo Müller
d0478eac95 XML validation and spelling/ordering changes
* XML validation and summary changes in qhelp file
;

* Encode entities within <code> snippet

* Updated minor descriptions and examples

* Implemented spelling review
2021-06-25 09:45:46 +02:00
Tamás Vajk
1cddcdfcb1 Merge pull request #6123 from tamasvajk/feature/framework-coverage-pr
Add scheduled job to update framework coverage
2021-06-25 09:18:10 +02:00
CodeQL CI
28c060e758 Merge pull request #6113 from erik-krogh/promise
Approved by esbena
2021-06-24 13:25:42 -07:00
yo-h
61c89369b8 Merge pull request #6151 from tamasvajk/fix/csv-comment-backwards-compat
Fix framework coverage commenting action
2021-06-24 15:57:03 -04:00
Tom Hvitved
7a9f9e245f C#: Handle CSV data-flow summaries with out/ref parameters 2021-06-24 18:34:25 +02:00
Chris Smowton
2acb4de2cb Merge pull request #5955 from haby0/java/JShellCodeInjection
Java: JShell Injection
2021-06-24 17:03:30 +01:00
Anders Schack-Mulligen
95ad8b55fe Merge pull request #6107 from aschackmull/dataflow/implicit-reads
Dataflow: Add support for implicit reads
2021-06-24 15:38:35 +02:00
Anders Schack-Mulligen
01fc3e6559 C++/C#/Java/Python: Add change notes. 2021-06-24 14:29:34 +02:00
Anders Schack-Mulligen
cd0efbe7ce Dataflow: Sync. 2021-06-24 14:19:17 +02:00
Anders Schack-Mulligen
1c1d11a4a4 DataFlow: Address review comments. 2021-06-24 14:18:45 +02:00
haby0
3cf71c50b8 Mobile stubs 2021-06-24 19:24:38 +08:00
Anders Schack-Mulligen
1e511c0a9e Merge pull request #6137 from smowton/smowton/feature/java-util-optional
Java: Model java.util.Optional
2021-06-24 13:21:36 +02:00
Tamás Vajk
173be0cce0 Merge pull request #6144 from tamasvajk/feature/stub-dapper
C#: Change Dapper stub to nuget-based one (stub also System.Data.SqlC…
2021-06-24 11:41:12 +02:00
Rasmus Wriedt Larsen
686638a65f Merge pull request #6049 from RasmusWL/jmespath
Python: Add modeling of `jmespath`
2021-06-24 11:13:19 +02:00
Tamas Vajk
477dfa28ec Fix framework coverage commenting action
This commit handles the case when the current run finds no coverage change and the previous run is identified,
but it doesn't have the required artifacts.
2021-06-24 10:44:36 +02:00
Edoardo Pirovano
0909c9ff22 Performance: Fix bad join order in dataflow library 2021-06-24 08:24:17 +01:00
Tamas Vajk
ad6e47be39 Apply code review findings 2021-06-24 09:13:08 +02:00
Tamas Vajk
7557b7a67d Add scheduled coverage job to open PR with changes 2021-06-24 09:13:08 +02:00
Tamás Vajk
4a19a9978a Merge pull request #6115 from tamasvajk/feature/framework-coverage-comment-noise
Only post comment with framework coverage change if it changed or wasn't done before
2021-06-24 08:44:03 +02:00
CodeQL CI
c02c96369d Merge pull request #6139 from erik-krogh/colors
Approved by esbena
2021-06-23 14:02:17 -07:00
yo-h
ffdc752720 Merge pull request #6059 from smowton/smowton/fix/qualified-name-generic-types
Adapt to static methods and nested types returning unbound declaring types
2021-06-23 14:45:51 -04:00
Chris Smowton
4c777eb04a Add change note 2021-06-23 18:54:27 +01:00
Tamás Vajk
8518e7c5a3 Merge pull request #6146 from tamasvajk/feature/stub-nhibernate
C#: Change nHibernate stub to nuget-based one
2021-06-23 18:00:45 +02:00
Tamás Vajk
4dc70fa959 Merge pull request #6145 from tamasvajk/feature/stub-jsonnet
C#: Change Newtonsoft.Json stub to nuget-based one
2021-06-23 18:00:27 +02:00
Chris Smowton
f6ba4e0235 Merge pull request #6142 from artem-smotrakov/better-spring-exporters
Added sinks for RmiBasedExporter and HessianExporter
2021-06-23 16:39:10 +01:00
CodeQL CI
469e709113 Merge pull request #6055 from RasmusWL/rsa-modeling
Approved by yoff
2021-06-23 08:35:25 -07:00
Chris Smowton
9c91d1a965 Add change note 2021-06-23 16:09:29 +01:00
Chris Smowton
74feaf2893 Adapt to static methods and nested types returning unbound declaring types
Previously these returned raw declaring types instead
2021-06-23 16:03:18 +01:00
Chris Smowton
b34448af87 {Generic,Parameterized,Raw}Type: implement getAPrimaryQlClass
An aid to debugging
2021-06-23 15:58:31 +01:00
Mathias Vorreiter Pedersen
9b8f558fb8 Merge pull request #6125 from MathiasVP/improve-tainted-arithmetic
C++: Add more barriers to `cpp/tainted-arithmetic`
2021-06-23 16:44:20 +02:00
Mathias Vorreiter Pedersen
295e022df3 Merge branch 'main' into improve-tainted-arithmetic 2021-06-23 15:45:18 +02:00
Ian Lynagh
089e4e2e1e Merge pull request #6147 from AlexDenisov/adjust_test_expectation
C++: Adjust test expectations after frontend upgrade
2021-06-23 14:43:47 +01:00
Tamas Vajk
b0447089d9 C#: Change Dapper stub to nuget-based one (stub also System.Data.SqlClient) 2021-06-23 15:04:57 +02:00
Anders Schack-Mulligen
6374914053 Java: Fix bad magic. 2021-06-23 14:39:18 +02:00
Alex Denisov
653afc8448 C++: Adjust test expectations after frontend upgrade 2021-06-23 14:39:16 +02:00
Mathias Vorreiter Pedersen
c44475458e Update cpp/ql/src/Security/CWE/CWE-190/Bounded.qll
Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
2021-06-23 14:38:36 +02:00
Erik Krogh Kristensen
dbc8b9cf6a autoformat 2021-06-23 14:21:15 +02:00
CodeQL CI
a86f50e091 Merge pull request #6135 from erik-krogh/chokidar
Approved by esbena
2021-06-23 05:16:06 -07:00
CodeQL CI
b66f4cb965 Merge pull request #6134 from erik-krogh/templates
Approved by asgerf, esbena
2021-06-23 05:09:23 -07:00
Tamas Vajk
f352bcb0a3 C#: Change nHibernate stub to nuget-based one 2021-06-23 13:55:19 +02:00
Tamas Vajk
1188e1b678 Fix extra constructor stubbing 2021-06-23 13:50:54 +02:00
Tamas Vajk
e200ecde4a C#: Change Newtonsoft.Json stub to nuget-based one 2021-06-23 13:49:11 +02:00
Rasmus Wriedt Larsen
0774e985ce Python: Apply suggestions from code review
Co-authored-by: yoff <lerchedahl@gmail.com>
2021-06-23 13:37:38 +02:00
Tamás Vajk
2dc0849b79 Merge pull request #5664 from tamasvajk/feature/stub-generation
C#: Stub generation
2021-06-23 13:33:10 +02:00
Rasmus Wriedt Larsen
447099a1df Python: Update jmespath tests 2021-06-23 13:32:19 +02:00
Artem Smotrakov
0dfb869c5b Apply suggestions from code review
Co-authored-by: Chris Smowton <smowton@github.com>
2021-06-23 13:23:54 +02:00
Mathias Vorreiter Pedersen
6379463bcf Merge branch 'main' into improve-tainted-arithmetic 2021-06-23 11:42:45 +02:00
Tamas Vajk
09dd615c6b Regenerate stubs (add System.Void struct) 2021-06-23 11:38:41 +02:00
Geoffrey White
298f70f082 Merge pull request #6120 from MathiasVP/not-overflow-is-barrier-in-cwe-190
C++: Recognize any non-overflowing arithmetic expression as a barrier for `cpp/uncontrolled-arithmetic`
2021-06-23 10:35:33 +01:00
Tamas Vajk
d698f0ae27 Fix VoidType handling 2021-06-23 11:30:47 +02:00
Mathias Vorreiter Pedersen
9b94f3a650 Merge branch 'main' into improve-tainted-arithmetic 2021-06-23 11:04:08 +02:00
Rasmus Wriedt Larsen
c0964617d7 Merge pull request #6111 from tausbn/python-a-few-minor-cleanups
Python: A few minor bits of cleanup
2021-06-23 10:42:41 +02:00
Erik Krogh Kristensen
6cf275bb36 update change-note
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2021-06-23 10:42:26 +02:00
Erik Krogh Kristensen
700dfcc3a7 add comment about why colors/safe is not safe
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2021-06-23 10:39:56 +02:00
Mathias Vorreiter Pedersen
a611e76ed2 C++: Respond to review comments. 2021-06-23 10:28:00 +02:00
Erik Krogh Kristensen
8b5c285ac8 add support for the chokidar library 2021-06-23 09:59:34 +02:00
Artem Smotrakov
14e724bce6 Added sinks for RmiBasedExporter and HessianExporter 2021-06-23 09:53:47 +02:00
Tamas Vajk
133d760659 Regenerate stubs to update nested class names in comments 2021-06-23 09:53:39 +02:00
Tamas Vajk
9ba1529f19 Fix nested class names in comments of stubs expected test file 2021-06-23 09:38:29 +02:00
Tamas Vajk
b40b6f40b6 Change frameworks folder to _frameworks 2021-06-23 09:26:55 +02:00
Tamas Vajk
5b2be8ce2d Fix code review findings 2021-06-23 09:26:55 +02:00
Tom Hvitved
026bcc72f2 C#: Improve performance of stubbing library 2021-06-23 09:26:54 +02:00
Tamas Vajk
405c008b47 Fix conversion operator stubbing + reduce skipped ctor noise in stubs 2021-06-23 09:26:54 +02:00
Tamas Vajk
e4b02e377c Add .net core and asp.net core stubs 2021-06-23 09:26:54 +02:00
Tamas Vajk
0f18fd6892 Adjust script to handle .net core framework reference 2021-06-23 09:26:54 +02:00
Tamas Vajk
4eee6ef1d9 Handle system.object missing base type 2021-06-23 09:26:54 +02:00
Tamas Vajk
97cd006b2c Add missing required private constructors 2021-06-23 09:26:54 +02:00
Tamas Vajk
d7a93a5367 Move default excluded assembly definition 2021-06-23 09:26:54 +02:00
Tamas Vajk
f597c9a7ed Handle special case of duplicate type constraints 2021-06-23 09:26:54 +02:00
Tamas Vajk
42fcfad0d8 Handle types defined in multiple assemblies 2021-06-23 09:26:54 +02:00
Tamas Vajk
22f3b05170 Handle all structs (simple types, intptr, system.void) 2021-06-23 09:26:54 +02:00
Tamas Vajk
914da6bdd2 Fix various stubbing issues 2021-06-23 09:26:54 +02:00
Tamas Vajk
fec0ddd2d2 Add test for tuples with arity < 2 2021-06-23 09:26:54 +02:00
Tamas Vajk
d7d653b9d2 Fix tuple stubbing with arity < 2 2021-06-23 09:26:54 +02:00
Tamas Vajk
2edfa15472 Reduce size of stubDefaultArguments predicate 2021-06-23 09:26:54 +02:00
Tamas Vajk
e93736f583 Change base class of GeneratedDeclaration to Modifiable 2021-06-23 09:26:54 +02:00
Tamas Vajk
53054290d1 Improve QL check for path match on netcore.app.ref in exluded assemblies 2021-06-23 09:26:54 +02:00
Tamas Vajk
a00c2ccf31 Remove _stub.cs file generation 2021-06-23 09:26:54 +02:00
Tamas Vajk
31795c3e6b Introduce test option to include files from projects 2021-06-23 09:26:54 +02:00
Tamas Vajk
cce7404470 Add csproj generation 2021-06-23 09:26:54 +02:00
Tamas Vajk
b725f6e547 Handle types that are defined in multiple assemblies 2021-06-23 09:26:54 +02:00
Tamas Vajk
ce214cfbf8 Split generated stubs to separate files 2021-06-23 09:26:53 +02:00
Tamas Vajk
88c97bd34e Generate stubs per assembly 2021-06-23 09:26:53 +02:00
Tamas Vajk
ba238578d1 Add stubbing tests 2021-06-23 09:26:53 +02:00
Tamas Vajk
7e7a52de3c Stub IndexerName attribute 2021-06-23 09:26:53 +02:00
Tamas Vajk
5e07d82b42 Stub unsafe modifier 2021-06-23 09:26:53 +02:00
Tamas Vajk
4e0bbffac4 Fix ExtraGeneratedConstructor to exclude static constructors and take into account generic derived classes 2021-06-23 09:26:53 +02:00
Tamas Vajk
e96754c2d5 Fix all remaining issues to stub entity framework core 2021-06-23 09:26:53 +02:00
Tamas Vajk
3e92be5324 Extract private/internal members from referenced assemblies + stub required non public constructors 2021-06-23 09:26:53 +02:00
Tamas Vajk
bd83f74dca Fix generic type constraint order 2021-06-23 09:26:53 +02:00
Tamas Vajk
9b6e9ab148 Escape field names 2021-06-23 09:26:53 +02:00
Tamas Vajk
3c3ddcc8fb Fix protected internal on override in the same assembly 2021-06-23 09:26:53 +02:00
Tamas Vajk
e6bfb0d1d2 Fix qualified name stubbing for nested types 2021-06-23 09:26:53 +02:00
Tamas Vajk
8cbdd30e1e Fix generic type constraint stubbing on overrides 2021-06-23 09:26:53 +02:00
Tamas Vajk
ff4db5b8d2 Fix abstract override member generation 2021-06-23 09:26:53 +02:00
Tamas Vajk
cda285de18 Use dotnet format to format the output stub file 2021-06-23 09:26:53 +02:00
Tamas Vajk
53655d4ae4 Only stub declarations from libraries 2021-06-23 09:26:53 +02:00
Tamas Vajk
eabf6b0be8 Only stub effectively public declarations 2021-06-23 09:26:53 +02:00
Tamas Vajk
66eca53b00 Fix accessibility modifier stubbing 2021-06-23 09:26:53 +02:00
Tamas Vajk
1aadd3f3d6 Fix constant value stubbing 2021-06-23 09:26:53 +02:00
Tamas Vajk
264d216a33 Generate stub for nested classes 2021-06-23 09:26:53 +02:00
Tamas Vajk
27608b3b38 Add support for event stubbing 2021-06-23 09:26:53 +02:00
Tamas Vajk
85b3ec6096 Add support for base ctor calls in stubbing 2021-06-23 09:26:53 +02:00
Tamas Vajk
7bf1794310 Add support for delegate stubbing 2021-06-23 09:26:53 +02:00
Tamas Vajk
a273f88a51 Add support for explicitly implemented indexers 2021-06-23 09:26:53 +02:00
Tamas Vajk
481ae0ff19 Exclude default struct constructors from stubs 2021-06-23 09:26:53 +02:00
Tamas Vajk
3f0a158b3c Add query to select all public declarations from target assemblies 2021-06-23 09:26:53 +02:00
Tamas Vajk
bfa9bf33c0 C#: Add nuget based stubbing script 2021-06-23 09:26:53 +02:00
Erik Krogh Kristensen
fa02651542 add taint step through the strip-ansi library 2021-06-23 09:13:03 +02:00
Erik Krogh Kristensen
fe76341820 add taint step through the chalk library 2021-06-23 09:12:48 +02:00
Erik Krogh Kristensen
053d9b5564 add taint step through the kleur library 2021-06-23 09:12:25 +02:00
Tamas Vajk
9d004ec2d5 Handle case when changes had been reported, and then removed 2021-06-23 08:25:20 +02:00
Tamas Vajk
5657c215e9 Change workflow step name 2021-06-23 08:25:20 +02:00
Tamas Vajk
a165cde808 Compute framework coverage diff in artifacts job 2021-06-23 08:25:20 +02:00
Tamas Vajk
d6361d8500 Use string interpolation 2021-06-23 08:23:44 +02:00
Tamas Vajk
12e4ad2640 Fix code quality issues 2021-06-23 08:23:44 +02:00
Tamas Vajk
d28fd363f9 Fix string vs int ID comparison 2021-06-23 08:23:44 +02:00
Tamas Vajk
801007357f Only post comment with framework coverage change if it changed or wasn't done before 2021-06-23 08:23:44 +02:00
Tamas Vajk
0e91269a23 Refactor framework coverage job to download artifacts from python 2021-06-23 08:23:44 +02:00
Tamás Vajk
fa215bcda5 Merge pull request #6132 from tamasvajk/fix/coverage-commenter-base
Fix framework coverage commenter to use merge commit parent instead o…
2021-06-23 08:12:07 +02:00
CodeQL CI
37b66f9045 Merge pull request #6117 from asgerf/js/sharpen-match-calls
Approved by esbena
2021-06-22 22:52:37 -07:00
Erik Krogh Kristensen
6e2b92468f add taint step through the slice-ansi library 2021-06-22 23:14:14 +02:00
Erik Krogh Kristensen
35c513d38a add taint step through the cli-color library 2021-06-22 23:10:40 +02:00
Erik Krogh Kristensen
ec9c885908 add taint step through the cli-highlight library 2021-06-22 23:06:50 +02:00
Erik Krogh Kristensen
d114cdc6e5 add taint step through the colorette library 2021-06-22 23:02:01 +02:00
Erik Krogh Kristensen
e4427bb34a add taint step through the wrap-ansi library 2021-06-22 22:59:03 +02:00
Erik Krogh Kristensen
626a653401 add taint step through the colors library 2021-06-22 22:55:15 +02:00
Erik Krogh Kristensen
a21ebbbe8f add taint step through the ansi-colors library 2021-06-22 22:47:58 +02:00
Chris Smowton
9fd1606238 Model java.util.Optional 2021-06-22 21:17:22 +01:00
CodeQL CI
d719a1e627 Merge pull request #6114 from erik-krogh/promisify
Approved by esbena
2021-06-22 12:19:38 -07:00
Erik Krogh Kristensen
2ba2642c7a add more template sinks for the js/code-injection query 2021-06-22 20:24:42 +02:00
CodeQL CI
bde1bb4030 Merge pull request #6126 from erik-krogh/dates
Approved by esbena
2021-06-22 10:35:51 -07:00
Taus
317c6867aa Python: Fix sneaky semantic change
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2021-06-22 16:46:54 +02:00
CodeQL CI
eb95dff746 Merge pull request #6129 from erik-krogh/ReDoSCWE
Approved by esbena
2021-06-22 07:02:39 -07:00
Shati Patel
396de59ad7 Merge pull request #6131 from erik-krogh/toUnicodeDoc
mention the new `toUnicode` method in the QL language specification
2021-06-22 14:36:16 +01:00
Erik Krogh Kristensen
062502fecc add back support for util-promisifyall 2021-06-22 15:34:51 +02:00
Tamas Vajk
870e4125dc Fix framework coverage commenter to use merge commit parent instead of (old) base repo SHA 2021-06-22 13:24:26 +02:00
Erik Krogh Kristensen
3bdd9f7a30 mention the new toUnicode method in the QL language specification 2021-06-22 13:13:30 +02:00
Tom Hvitved
38a38fd2c1 Merge pull request #6003 from hvitved/csharp/external-summaries
C#: CSV-based flow summaries
2021-06-22 12:59:44 +02:00
Asger Feldthaus
16e3681fd3 JS: Update RegExpInjection test case 2021-06-22 12:00:04 +02:00
Anders Schack-Mulligen
206a37cf08 Merge pull request #6130 from aschackmull/java/collection-test
Java: Improve test and fix a few missing cases.
2021-06-22 11:56:44 +02:00
Erik Krogh Kristensen
4360e5dcbc add model of the thenify library 2021-06-22 11:55:58 +02:00
Erik Krogh Kristensen
61cc415a32 add model of the util.promisify library 2021-06-22 11:55:58 +02:00
Erik Krogh Kristensen
2f3ea4412f add model of the pify library 2021-06-22 11:55:54 +02:00
Rasmus Wriedt Larsen
5db627042f Merge pull request #6091 from tausbn/python-exclude-main-py-files
Python: Avoid `__main__.py` files as entry points.
2021-06-22 11:29:02 +02:00
Rasmus Wriedt Larsen
e05d6e71b8 Merge pull request #6064 from tausbn/python-add-get-method-call
Python: Add `getAMethodCall` to `LocalSourceNode`
2021-06-22 11:16:39 +02:00
Anders Schack-Mulligen
38fc8a750c Java: Improve test and fix a few missing cases. 2021-06-22 11:16:02 +02:00
Jonas Jensen
ae296fc6db Merge pull request #6101 from github/AlonaHlobina-patch-3
Adding C++20 Beta support.rst
2021-06-22 11:02:15 +02:00
Erik Krogh Kristensen
c736606695 add support for moment/dayjs/luxon instances returned by @date-io adapters 2021-06-22 10:42:24 +02:00
Erik Krogh Kristensen
f2ca2134d1 refactor promisify models into a module 2021-06-22 10:40:22 +02:00
Erik Krogh Kristensen
f53955fb5e add support for the promise.allsettled library 2021-06-22 10:30:33 +02:00
Erik Krogh Kristensen
95a7b16315 add support for the lie polyfill 2021-06-22 10:30:33 +02:00
Erik Krogh Kristensen
085efe5d20 add support for the any-promise polyfill 2021-06-22 10:30:33 +02:00
Erik Krogh Kristensen
cb82cdf6e9 add support for the synchronous-promise library 2021-06-22 10:30:33 +02:00
Erik Krogh Kristensen
5cb3c2c650 add support for the pinkie polyfill 2021-06-22 10:30:33 +02:00
Erik Krogh Kristensen
b574292dab add support for the pinkie-promise polyfill 2021-06-22 10:30:33 +02:00
Erik Krogh Kristensen
bb1c971348 add support for the when polyfill, and expand the defition of ES2015PromiseDefinition 2021-06-22 10:30:32 +02:00
Erik Krogh Kristensen
e467ea2ea6 add support for the native-promise-only polyfill 2021-06-22 10:30:32 +02:00
Erik Krogh Kristensen
ebde9015d8 add support for the rsvp and es6-promise polyfill 2021-06-22 10:30:32 +02:00
Erik Krogh Kristensen
d7a47e8fbd add support for the promise-polyfill polyfill 2021-06-22 10:30:32 +02:00
Erik Krogh Kristensen
f095e190a9 add support for the promise polyfill 2021-06-22 10:30:32 +02:00
Erik Krogh Kristensen
967ccfef0c add support for kew 2021-06-22 10:30:28 +02:00
Erik Krogh Kristensen
a4303bc81d add CWE-1333 to the JS ReDoS queries 2021-06-22 10:24:56 +02:00
AlonaHlobina
2a9d0009be Update versions-compilers.rst 2021-06-22 10:36:19 +03:00
Erik Krogh Kristensen
227f61b954 add model for the luxon library 2021-06-21 23:29:12 +02:00
Erik Krogh Kristensen
cdf3cdcf71 add model for the formatByString and formatByNumber functions in @date-io 2021-06-21 23:29:01 +02:00
Erik Krogh Kristensen
2a4570eaaa add model for the dayjs library 2021-06-21 23:28:45 +02:00
Taus
ba6ab8ff3d Python: Expand __main__.py comment
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2021-06-21 18:14:03 +02:00
Taus
768cab3642 Python: Address review comments
- changes `getReceiver` to `getObject`
- fixes `calls` to avoid unwanted cross-talk
- adds some more documentation to highlight the above issue
2021-06-21 14:57:19 +00:00
Mathias Vorreiter Pedersen
3bc6b11ae5 C++: Share the 'bounded' predicate from 'cpp/uncontrolled-arithmetic' and use it in 'cpp/tainted-arithmetic'. 2021-06-21 16:38:17 +02:00
Anders Schack-Mulligen
c06e152e90 Java: Remove outdated test. 2021-06-21 16:08:59 +02:00
Anders Schack-Mulligen
27c973e157 Java: Fix some qltests. 2021-06-21 16:08:52 +02:00
Mathias Vorreiter Pedersen
05389bb9d4 Merge pull request #6099 from geoffw0/weak-crypto3
Further improvements to cpp/weak-cryptographic-algorithm
2021-06-21 15:46:50 +02:00
Rasmus Wriedt Larsen
1c48aca630 Merge branch 'main' into jmespath 2021-06-21 15:26:45 +02:00
CodeQL CI
565af1a879 Merge pull request #6071 from RasmusWL/fix-input-cwe
Approved by calumgrant, tausbn
2021-06-21 06:23:18 -07:00
Geoffrey White
05ed4ed739 Update cpp/change-notes/2021-06-21-weak-cryptographic-algorithm.md
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
2021-06-21 14:22:56 +01:00
AlonaHlobina
281a619646 Merge branch 'main' into AlonaHlobina-patch-3 2021-06-21 16:22:10 +03:00
yoff
baf8d0a990 Merge pull request #6045 from RasmusWL/twisted
Python: Model twisted
2021-06-21 14:52:57 +02:00
Anders Schack-Mulligen
810de73246 C/C++: Update qltest expected output. 2021-06-21 14:47:31 +02:00
Anders Schack-Mulligen
14b485efa4 Merge pull request #6119 from smowton/smowton/fix/jaxrs-tests-field-flow
Increase field flow branch limit in Jax-RS tests
2021-06-21 14:43:59 +02:00
Anders Schack-Mulligen
d383c0f69b Java: Remove temporary store-as-taint. 2021-06-21 14:42:47 +02:00
Anders Schack-Mulligen
65ac8be5ac Java: Add defaultImplicitTaintRead and sync. 2021-06-21 14:42:47 +02:00
Anders Schack-Mulligen
38319a4832 C/C++: Make Content public as DataFlow::Content. 2021-06-21 14:42:47 +02:00
Anders Schack-Mulligen
aa82d0b815 Java: Make Content public as DataFlow::Content. 2021-06-21 14:42:47 +02:00
Anders Schack-Mulligen
80880320d5 Dataflow: Sync. 2021-06-21 14:42:47 +02:00
Anders Schack-Mulligen
b7ac329ba1 DataFlow: Add support for configuration-specific implicit reads. 2021-06-21 14:41:19 +02:00
Mathias Vorreiter Pedersen
238c483e5b C++: Make any non-overflowing arithmetic operation a barrier. 2021-06-21 14:05:34 +02:00
Mathias Vorreiter Pedersen
18e5d3cce8 C++: Add false positive with multiplication. 2021-06-21 14:04:27 +02:00
Chris Smowton
e2aaae8181 Increase test fieldFlowBranchLimit to 1000
Might as well head off future failures in this test

Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2021-06-21 12:51:37 +01:00
Chris Smowton
c5eef7be8c Increase field flow branch limit in Jax-RS tests
This fixes apparently-missing results by allowing the dataflow library to persist even when there are many Map implementations possibly available.
2021-06-21 12:46:13 +01:00
Geoffrey White
6f808c9e4c C++: Update change note. 2021-06-21 12:32:48 +01:00
Geoffrey White
79198974dc Merge branch 'main' into weak-crypto3 2021-06-21 11:55:29 +01:00
Anders Schack-Mulligen
9110dfaeb3 Merge pull request #6095 from hvitved/dataflow/local-cc-join
Data flow: Fix `getLocalCallContext` join-order
2021-06-21 12:53:38 +02:00
Geoffrey White
90e2a2d222 C++: Change note. 2021-06-21 11:30:12 +01:00
Asger Feldthaus
0754ed2b5c JS: Change note 2021-06-21 11:46:44 +02:00
Rasmus Wriedt Larsen
d6ec4d30fc Python: Twisted refactor of getRequestParamIndex 2021-06-21 10:54:28 +02:00
Rasmus Wriedt Larsen
8208aebd7e Python: Apply suggestions from code review
Co-authored-by: yoff <lerchedahl@gmail.com>
2021-06-21 10:43:25 +02:00
Shati Patel
bbb5a39c02 Merge pull request #6072 from shati-patel/shati-patel/vs-code-setting
[Already shipped] Docs: Update setting in CodeQL for VS Code
2021-06-21 08:34:14 +01:00
Taus
3aea270e10 Python: Autoformat 2021-06-18 18:30:27 +00:00
yo-h
26a04d6659 Merge pull request #6108 from tamasvajk/fix/coverage-commenter
Fix diff in the framework coverage PR comment
2021-06-18 14:02:15 -04:00
Taus
aeac03663f Python: Remove old ClickHouseDriver.qll
The merge must've gone wrong some way, as this file is not supposed to
exist in `experimental` anymore.
2021-06-18 17:41:09 +00:00
Taus
348b20ca9d Merge branch 'main' of https://github.com/github/codeql into python-a-few-minor-cleanups 2021-06-18 17:38:43 +00:00
Taus
9351688da8 Python: asCfgNode cleanup 2021-06-18 17:22:42 +00:00
Taus
c386f4a009 Python: Clean up py/insecure-protocol
Going all the way to the AST layer seemed excessive to me, so I rewrote
it to do most of the logic at the data-flow layer. In principle this
_could_ result in more names being computed (due to splitting), but in
practice I don't expect this make a big difference.
2021-06-18 17:22:42 +00:00
Taus
f24a9a46d9 Python: add getAnAttributeWrite 2021-06-18 17:22:42 +00:00
Taus
c78ba476cf Python: Clean up a few verbose casts 2021-06-18 17:22:42 +00:00
Tamas Vajk
b3f44f457a Fix diff in the framework coverage PR comment 2021-06-18 16:33:50 +02:00
haby0
1750efad2a fix 2021-06-18 21:46:48 +08:00
haby0
dca737190b Modify JShellInjection.expected 2021-06-18 21:36:45 +08:00
haby0
2b77f7d1bc Modify isAdditionalTaintStep 2021-06-18 21:36:44 +08:00
haby0
a71757f0f4 Update java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.qhelp
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-06-18 21:36:44 +08:00
haby0
bfe0d40987 using isAdditionalTaintStep 2021-06-18 21:36:44 +08:00
haby0
3a2a99e289 Fix 1 2021-06-18 21:36:44 +08:00
haby0
ed0aabef46 add isAdditionalTaintStep 2021-06-18 21:36:44 +08:00
haby0
921b8e80a2 Jshell Injection 2021-06-18 21:36:44 +08:00
Mathias Vorreiter Pedersen
17df8e44d0 C++: Convert 'cpp/tainted-arithmetic' to a 'path-problem' query. 2021-06-18 14:56:17 +02:00
AlonaHlobina
ac35438b5f Update versions-compilers.rst 2021-06-18 15:35:37 +03:00
CodeQL CI
081fd28090 Merge pull request #6102 from RasmusWL/js-qhelp-fixup
Approved by erik-krogh
2021-06-18 04:52:48 -07:00
Chris Smowton
6302187a5d Merge pull request #5957 from haby0/java/BeanShellInjection
Java: BeanShell Injection
2021-06-18 12:38:51 +01:00
Jonas Jensen
f829fff2ad Merge pull request #6100 from github/AlonaHlobina-patch-2
Update C/C++ Clang and GCC versions.rst
2021-06-18 13:10:29 +02:00
AlonaHlobina
288a314108 Update versions-compilers.rst 2021-06-18 13:35:11 +03:00
Rasmus Wriedt Larsen
968a0921d4 JS: Fix secure example inclusion in InsecureDownload.qhelp 2021-06-18 12:12:06 +02:00
Anders Schack-Mulligen
7eb6da3888 Merge pull request #5772 from smowton/smowton/feature/apache-tuple-flow
Add models for Apache Commons Lang's tuple types
2021-06-18 11:25:07 +02:00
AlonaHlobina
bd820458f5 Update docs/codeql/support/reusables/versions-compilers.rst
Co-authored-by: Jonas Jensen <jbj@github.com>
2021-06-18 12:24:34 +03:00
haby0
a73cb3f04a Fix error 2021-06-18 17:22:26 +08:00
CodeQL CI
1ffd9c9ba7 Merge pull request #6086 from asgerf/js/knex
Approved by esbena
2021-06-18 01:58:21 -07:00
Calum Grant
32f6a465b0 Merge pull request #6080 from github/calumgrant/security-severities
Update security-severity scores
2021-06-18 09:40:40 +01:00
Tom Hvitved
eb86bceb4d Address review comments 2021-06-18 10:18:47 +02:00
AlonaHlobina
9c5ba8d4f6 Adding C++20 Beta support.rst 2021-06-18 10:56:11 +03:00
haby0
0d18e4ff9c BeanShell Injection 2021-06-18 15:54:13 +08:00
AlonaHlobina
9feda2ddd6 Update C/C++ Clang and GCC versions.rst 2021-06-18 10:46:22 +03:00
Tamás Vajk
0545bcfbd2 Merge pull request #6028 from github/tamasvajk/feature/csv-coverage-report-comment
Add CSV coverage PR commenter
2021-06-18 09:32:45 +02:00
Tom Hvitved
66e4940ac3 C#: Remove bad magic 2021-06-17 20:47:20 +02:00
Tom Hvitved
d5163ca244 C#: Cache NamedElement::hasQualifiedName/2 2021-06-17 20:47:07 +02:00
Geoffrey White
b4cbe6dce8 C++: Increase query precision to high. 2021-06-17 14:33:17 +01:00
Geoffrey White
b5c71fd1d7 C++: Repair funcion call in a function call. 2021-06-17 14:33:16 +01:00
Geoffrey White
e5147c2a1f C++: Exclude functions that don't involve buffers. 2021-06-17 14:33:16 +01:00
Tom Hvitved
eca11f1b40 C#: Adjust getQualifiedName for type parameters 2021-06-17 14:47:19 +02:00
Chris Smowton
64001cc02c Merge pull request #5587 from smowton/smowton/admin/promote-ssrf-query
Promote SSRF query from experimental
2021-06-17 13:02:33 +01:00
Chris Smowton
d28c95d16c Field foo of -> Field[foo] of 2021-06-17 12:49:25 +01:00
Chris Smowton
74b2a2c7a6 Improve style of interpretField 2021-06-17 12:45:44 +01:00
Geoffrey White
a481e5c292 C++: Exclude template code. 2021-06-17 12:36:14 +01:00
Geoffrey White
8efdf359dc C++: Fix some incorrect uses of 'const' in the tests. 2021-06-17 12:36:13 +01:00
Geoffrey White
3641cdcc1f C++: Add a test case involving an array. 2021-06-17 12:36:09 +01:00
Chris Smowton
5cf0243dd0 Add change note 2021-06-17 12:34:40 +01:00
Chris Smowton
2cc1f46871 Model constructors for (Imm|M)utable(Pair|Triple) 2021-06-17 12:34:40 +01:00
Chris Smowton
fbaa382158 Add tests for Pair.of and Triple.of 2021-06-17 12:34:40 +01:00
Chris Smowton
eebaab8fe9 Order left and right consistently 2021-06-17 12:34:40 +01:00
Chris Smowton
365aab9bd9 Improve matching of Field specifiers; add Field recognition in tests 2021-06-17 12:34:36 +01:00
Geoffrey White
23db21cd90 C++: Test spacing. 2021-06-17 12:33:31 +01:00
Chris Smowton
472a2a64dd Add models for Apache Commons tuples 2021-06-17 12:25:21 +01:00
Chris Smowton
73fa680224 Add support for CSV-specified flow to or from fields. 2021-06-17 12:24:28 +01:00
Geoffrey White
d590952aaa C++: Add a test case involving nested function calls. 2021-06-17 12:23:18 +01:00
Geoffrey White
7632c9edb5 C++: Add test cases involving strings and comparisons. 2021-06-17 12:23:17 +01:00
Geoffrey White
2e236dd2a9 C++: Add a test case involving a harmless assert. 2021-06-17 12:23:17 +01:00
Geoffrey White
dca397dfb1 C++: Add a test case with a template class. 2021-06-17 12:23:16 +01:00
Tamas Vajk
07b83d5dc1 Remove commented code 2021-06-17 13:04:39 +02:00
Tamás Vajk
c532db58fd Apply suggestions from code review
Co-authored-by: Aditya Sharad <6874315+adityasharad@users.noreply.github.com>
2021-06-17 13:04:39 +02:00
Tamas Vajk
e61f725196 Apply code review findings 2021-06-17 13:04:39 +02:00
Tamas Vajk
4abaa7870f Add CSV coverage PR commenter 2021-06-17 13:04:39 +02:00
Tamás Vajk
200126b302 Merge pull request #6008 from github/tamasvajk/feature/csv-coverage-report
Add timeseries CSV generator script
2021-06-17 13:03:41 +02:00
Chris Smowton
11b70326fd Add Jakarta WS url-open sink 2021-06-17 11:58:41 +01:00
Chris Smowton
da1e760269 Adjust Spring models to use erased function signatures 2021-06-17 11:43:33 +01:00
Chris Smowton
1176fec287 Improve docs
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2021-06-17 11:43:33 +01:00
Chris Smowton
09f27554d0 Note incidental extra models in change note 2021-06-17 11:43:33 +01:00
Chris Smowton
7509e36382 Remove no-longer-needed BasicRequestLine model from InsecureBasicAuth.ql; adjust test expectations accordingly 2021-06-17 11:43:33 +01:00
Chris Smowton
c531b81ebe Rename RequestForgery.java -> SanitizationTests.java 2021-06-17 11:43:33 +01:00
Chris Smowton
cb99e17f4d Split and rename JavaNetHttp and ApacheHttp tests for consistency 2021-06-17 11:43:32 +01:00
Chris Smowton
6c4a909b86 Remove dead code from test 2021-06-17 11:43:32 +01:00
Chris Smowton
08ab5f5546 Remove redundant test 2021-06-17 11:43:32 +01:00
Chris Smowton
74569ce316 Tidy Jax-RS test 2021-06-17 11:43:32 +01:00
Chris Smowton
57ca36baad Tidy Spring test 2021-06-17 11:43:32 +01:00
Chris Smowton
8b080a94e7 Convert request forgery tests to inline expectations; add missing models revealed by this process. 2021-06-17 11:43:32 +01:00
Chris Smowton
b66dcbe5b6 Factor request-forgery config so it can be used in an inline-expectations test 2021-06-17 11:43:32 +01:00
Chris Smowton
ee872f1752 Add missing tests, add additional models revealed missing in the process, and add stubs to support them all. 2021-06-17 11:43:32 +01:00
Chris Smowton
49bbfc3f4b Convert SSRF sinks into url-open CSV sinks
I also drop the previous approach of taint-tracking through various builder objects in favour of assuming that a URI set in a request-builder object is highly likely to end up requested in some way or another.

This will cause the `java/non-https-url` query to pick the new sinks up too, and fixes a Spring case that had never worked but went unnoticed until now.
2021-06-17 11:43:30 +01:00
Chris Smowton
0f2139ff5d Fix and document one-based argument indexing in StringFormat's getAnArgUsageOffset 2021-06-17 11:41:06 +01:00
Chris Smowton
55c72cebf2 Improve StringBuilder append chain tracking
Previously this didn't catch the case of constructors chaining directly into appends, like `StringBuilder sb = new StringBuilder("1").append("2")`
2021-06-17 11:41:06 +01:00
Chris Smowton
5b25694a52 Simplify and improve AddExpr logic
The improvement is in considering (userSupplied + "/") itself a sanitising prefix.
2021-06-17 11:41:06 +01:00
Chris Smowton
6b76f42d22 Broaden PrimitiveSanitizer to include boxed primitives and other java.lang.Numbers 2021-06-17 11:41:06 +01:00
Chris Smowton
3167af29bd Tidy and remove catersian product from getUrlArgument 2021-06-17 11:41:05 +01:00
Chris Smowton
f388aae78e Fix getAnArgUsageOffset and improve its space complexity
Also add tests checking the output of the new function
2021-06-17 11:41:05 +01:00
Chris Smowton
0db5484399 Copyedit documentation
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2021-06-17 11:41:05 +01:00
Chris Smowton
1549993565 Update test results to account for changed model structure
(Models now have internal nodes in order to allow field flow through them)
2021-06-17 11:41:05 +01:00
Chris Smowton
8d70e3d22e Fix casing of change note 2021-06-17 11:41:05 +01:00
Chris Smowton
9138d2b8f5 Improve comment casing
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
2021-06-17 11:41:05 +01:00
Chris Smowton
b25e8671b9 Java SSRF query: comment on sanitizing regex 2021-06-17 11:41:05 +01:00
Chris Smowton
a665d5d111 Improve RequestForgery.qhelp recommendation 2021-06-17 11:41:05 +01:00
Chris Smowton
0d9a6e2b61 Update java/ql/src/semmle/code/java/security/RequestForgery.qll
SpringRestTemplateUrlMethods -> SpringRestTemplateUrlMethod
2021-06-17 11:41:05 +01:00
Chris Smowton
fb2989c16b Copyedit comments and function names
Co-authored-by: Felicity Chapman <felicitymay@github.com>
2021-06-17 11:41:04 +01:00
Chris Smowton
960a903185 Java SSRF query: document RequestForgeryAdditionalTaintStep and use Unit not string for a supertype. 2021-06-17 11:41:04 +01:00
Chris Smowton
575198a0e4 Java SSRF query: Server Side -> Server-Side everywhere. 2021-06-17 11:41:04 +01:00
Chris Smowton
7899e17f3a Java SSRF query: move RequestForgery qll file into semmle/code hierarchy
This makes it importable by people wishing to extend the query.
2021-06-17 11:41:04 +01:00
Chris Smowton
532a10bfdf Java SSRF query: Provide hook for custom taint-propagating steps; make all default sinks/sanitizers/steps private. 2021-06-17 11:41:04 +01:00
Chris Smowton
5bdd9da27a Java SSRF query: credit original author 2021-06-17 11:41:04 +01:00
Chris Smowton
e8613367e8 Java SSRF query: copyedit qhelp 2021-06-17 11:41:04 +01:00
Chris Smowton
3333e7d186 Java SSRF query: sanitize primitives
Even 'char' isn't a realistic vector for an exploit, unless somebody is copying out a string char by char.
2021-06-17 11:41:04 +01:00
Chris Smowton
93a9f471ce Add change note 2021-06-17 11:41:04 +01:00
Chris Smowton
77904d9597 Remove failing test
The case where something might be exactly a constant is general across all queries, and not handled yet, particularly in the case where the result of `getParameter("uri")` might have changed between the check and the use.
2021-06-17 11:41:04 +01:00
Chris Smowton
6933d06a46 Add exactly the string '/' as a sanitizing prefix.
Usually this is ignored for suspicion that it could be taken for a protocol specifier, but on balance the context `(something) + "/" + tainted()` is more likely to be taken for a user-controlled location within a host the user does not control.
2021-06-17 11:41:03 +01:00
Chris Smowton
bc43b6d760 Fix typo 2021-06-17 11:41:03 +01:00
Chris Smowton
e6249eed79 Add doc comments 2021-06-17 11:41:03 +01:00
Chris Smowton
26e10f3ad5 SSRF: don't consider results of fetches we initiated to be untrustworthy 2021-06-17 11:41:03 +01:00
Chris Smowton
c63d5986cf Sanitize StringBuilder appends that follow directly from a constructor.
Note that some of this logic ought to be incorporated into StringBuilderVar once that code can be reviewed.
2021-06-17 11:41:03 +01:00
Chris Smowton
b5a450b881 SSRF query: add sanitizer looking for a variety of ways of prepending a sanitizing prefix, such as one that restricts the hostname a URI will refer to. 2021-06-17 11:41:03 +01:00
Chris Smowton
487c1db6ed Promote SSRF query to main query set 2021-06-17 11:41:01 +01:00
Anders Schack-Mulligen
6ca8d69b26 Merge pull request #5881 from haby0/java/UnsafeDeserialization
Java: CWE-502 Add UnsafeDeserialization sinks
2021-06-17 12:36:34 +02:00
Anders Schack-Mulligen
8fe2f4a554 Merge pull request #6034 from owen-mc/java/jax-rs
Improve JAX-WS and JAX-RS models
2021-06-17 12:35:34 +02:00
Anders Schack-Mulligen
b173b4141d Merge pull request #6096 from smowton/smowton/fix/inline-expectations-missing-prefix
Inline expectation tests: accept // $MISSING: and // $SPURIOUS:
2021-06-17 11:41:15 +02:00
haby0
363ad5b470 Fix error 2021-06-17 17:36:35 +08:00
Owen Mansel-Chan
945db01f56 Address review comments 2021-06-17 10:29:33 +01:00
Owen Mansel-Chan
b9bc1f978c Update style of inline expectation comments 2021-06-17 10:04:15 +01:00
Chris Smowton
558813acf7 Inline expectation tests: accept // $MISSING: and // $SPURIOUS:
Previously there had to be a space after the $ token, unlike ordinary expectations (i.e., // $xss was already accepted)
2021-06-17 09:44:39 +01:00
Owen Mansel-Chan
0987425f94 Reinstate failing tests with MISSING: prefix 2021-06-17 09:36:51 +01:00
Tom Hvitved
0febf5a592 Merge pull request #6094 from hvitved/dataflow/consistency-compiler-too-smart
Data flow: Workaround for too clever compiler in consistency queries
2021-06-17 10:23:31 +02:00
Tom Hvitved
ffb2350a54 Data flow: Fix getLocalCallContext join-order 2021-06-17 10:02:31 +02:00
Tom Hvitved
cc383e0f6a Data flow: Workaround for too clever compiler in consistency queries 2021-06-17 09:43:36 +02:00
haby0
3dd851fffb expected 2021-06-17 15:20:03 +08:00
Owen Mansel-Chan
5f82993b0b Put parameters with inline expectation comments on their own lines 2021-06-17 06:41:01 +01:00
Tom Hvitved
3f6beaf9df C#: Add tests for complex CSV flow summaries 2021-06-16 19:36:05 +02:00
Tom Hvitved
0af44a7f94 C#: Changes to Type::{getQualifier,hasQualifiedName} 2021-06-16 19:36:05 +02:00
CodeQL CI
bcafe532ac Merge pull request #5944 from RasmusWL/async-api-graph-tests
Approved by tausbn
2021-06-16 08:46:26 -07:00
CodeQL CI
9b84a8e146 Merge pull request #6048 from erik-krogh/graphql
Approved by esbena
2021-06-16 06:35:42 -07:00
Tom Hvitved
8866e6c969 C#: Always use fully qualified names in CSV data-flow summaries 2021-06-16 14:09:45 +02:00
Tom Hvitved
def3d6bac4 C#: CSV-based flow summaries 2021-06-16 14:09:45 +02:00
Owen Mansel-Chan
5d00bb23e4 Move logic for URL redirection sinks 2021-06-16 12:48:11 +01:00
yoff
0ddeb7a8c1 Merge pull request #5950 from RasmusWL/promote-clickhouse
Python: Promote ClickHouse SQL models
2021-06-16 13:38:41 +02:00
Taus
e647403948 Python: Avoid __main__.py files as entry points.
According to the official documentation, the purpose of `__main__.py`
files is that their presence in a package (say, `foo`) means one can
execute the package directly using `python -m foo` (which will run the
aforementioned `foo/__main__.py` file).

In principle this means that adding `if __name__ == "__main__"` in these
files is superfluous, as they are only intended to be executed (and not
imported by some other file).

However, in practice people often _do_ include the above construct.
Here are some instances of this on LGTM.com:
https://lgtm.com/query/7521266095072095777/

In particular, 10 out of 33 files in `cpython` have this construct.

This causes some confusion in our module naming, as we usually see the
presence of `__name__ == "__main__"` as an indication that a file may
be run directly (and hence with "absolute import" semantics). However,
when run with `python -m`, the interpreter uses the usual package
semantics, and this leads to modules getting multiple names.

For this reason, I think it makes sense to simply exclude `__main__.py`
files from consideration. Note that if there is a `#!` line mentioning
the Python interpreter, then they will still be included as entry
points.
2021-06-16 10:59:56 +00:00
Tamás Vajk
eaa69dfa5d Merge pull request #6084 from tamasvajk/feature/effective-publicness
C#: Fix isEffectively* visibility predicates
2021-06-16 12:52:38 +02:00
Anders Schack-Mulligen
75d5fe67ea Merge pull request #6090 from atorralba/atorralba/move-httpsurls-tests
Java: Move/tweak some tests
2021-06-16 12:00:55 +02:00
Tamas Vajk
28ef0e86f6 Apply code review findings 2021-06-16 10:51:52 +02:00
Tamas Vajk
c5b8acf216 Add change notes 2021-06-16 10:51:52 +02:00
Tamas Vajk
db8a777aa9 Fix isEffectively* predicates to members extracted from multiple assemblies 2021-06-16 10:51:52 +02:00
Tamas Vajk
77f8f3fa8a Adjust comments on isEffectively* 2021-06-16 10:51:52 +02:00
Tamas Vajk
eea96a5585 Fix effective publicness of protected private and protected internal 2021-06-16 10:51:52 +02:00
Tamas Vajk
f715445c7a Fix effective privateness of explicitly implemented members 2021-06-16 10:51:08 +02:00
Tamas Vajk
a24006239b C#: Add more tests to effective visibility 2021-06-16 10:50:15 +02:00
Taus
96d8fc78f8 Merge pull request #6078 from hvitved/type-tracker-caching
Python: Move cached predicates in type tracker library to same stage
2021-06-16 10:45:02 +02:00
Tamás Vajk
9f44bc575f Merge pull request #6089 from tamasvajk/feature/interface-member-modifier
C#: Allow abstract modifier on interface members
2021-06-16 10:44:43 +02:00
haby0
c1ada6d85b Merge branch 'main' into java/UnsafeDeserialization 2021-06-16 16:37:03 +08:00
Tamás Vajk
386d88ab93 Merge pull request #6085 from tamasvajk/feature/unsafe
C#: Fix `Modifiable::isUnsafe` to handle declarations extracted from assemblies
2021-06-16 10:30:09 +02:00
Tony Torralba
e2918d55b5 Move tests back from internal repo 2021-06-16 10:09:44 +02:00
Tamas Vajk
66835651fe C#: Allow abstract modifier on interface members 2021-06-16 09:56:36 +02:00
Tamas Vajk
dacb044790 C#: Add tests for abstract/virtual modifier of interface members 2021-06-16 09:54:34 +02:00
Asger Feldthaus
5838e54a46 JS: Sharpen recognition of string 'match' calls 2021-06-16 09:27:02 +02:00
haby0
9badd7aa27 change name 2021-06-16 11:29:37 +08:00
Taus
359bc5eff9 Python: Autoformat 2021-06-15 15:56:40 +00:00
Tamas Vajk
74c4765ab9 Add change note 2021-06-15 17:30:48 +02:00
Tamas Vajk
44b30b70da C#: Fix Modifiable::isUnsafe to handle declarations extracted from assemblies 2021-06-15 17:30:48 +02:00
Asger Feldthaus
af9cc07066 JS: Change note 2021-06-15 17:19:39 +02:00
Asger Feldthaus
9f052a2ecd JS: Add Knex model 2021-06-15 17:19:39 +02:00
CodeQL CI
847faf536d Merge pull request #6070 from asgerf/js/script-with-tsx-lang
Approved by erik-krogh
2021-06-15 08:17:53 -07:00
Taus
b55c034502 Python: Fix up getAMethodCall
Now that we have a `MethodCallNode` class, it would be silly not to use
that as the return type.
2021-06-15 15:13:54 +00:00
Taus
92063dc191 Python: Add change note 2021-06-15 15:13:03 +00:00
Taus
41ee325bc9 Python: Clean up Stdlib.qll
Not as many opportunities to clean stuff up here.
2021-06-15 15:04:30 +00:00
Taus
e90ec807ef Python: Clean up Ssl.qll 2021-06-15 15:04:29 +00:00
Taus
82fab3ba75 Python: Clean up Cryptography.qll 2021-06-15 15:04:29 +00:00
Taus
d4b05547ba Python: Add MethodCallNode class
Roughly patterned after the JS equivalent.
2021-06-15 15:04:29 +00:00
Calum Grant
771e686946 Update security-severity scores 2021-06-15 13:25:17 +01:00
Tom Hvitved
c03ee32f02 Python: Move cached predicates in type tracker library to same stage 2021-06-15 13:42:43 +02:00
Tamas Vajk
255e422172 Apply code review findings 2021-06-15 11:35:10 +02:00
Rasmus Wriedt Larsen
00af18a622 Python: Autoformat 2021-06-15 11:31:38 +02:00
Rasmus Wriedt Larsen
156b10cb59 Merge branch 'main' into promote-clickhouse 2021-06-15 11:30:19 +02:00
Erik Krogh Kristensen
60920c1ecc require that the URL refers to graphql in some way 2021-06-15 09:53:32 +02:00
Erik Krogh Kristensen
416c986cbc add support for graphql in @actions/github 2021-06-15 09:43:11 +02:00
Asger Feldthaus
53bef94b75 JS: Extractor version bump 2021-06-15 09:34:54 +02:00
shati-patel
17f9aecab8 Docs: Update setting in CodeQL for VS Code 2021-06-14 13:38:06 +01:00
Rasmus Wriedt Larsen
4eed94a262 Python: Fix CWE tag for py/use-of-input
So it better matches what is in `py/code-injection`. I had my doubts
about CWE-95, but after reading
https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection
I think it's fine to add CWE-95 as well 👍

Definitions are:

CWE-78: Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection')

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated
Code ('Eval Injection')
2021-06-14 14:08:34 +02:00
Asger Feldthaus
c58942092f JS: Add change note 2021-06-14 13:43:11 +02:00
Asger Feldthaus
bc375196d1 JS: Extract script tags with lang=tsx 2021-06-14 13:40:53 +02:00
Owen Mansel-Chan
5e89fce734 Avoid strange bug by commenting out two tests 2021-06-14 10:57:28 +01:00
Owen Mansel-Chan
8cf47f12b4 Model constructors of classes implementing MultivaluedMap 2021-06-14 10:56:35 +01:00
Taus
6333752014 Python: Add getAMethodCall to LocalSourceNode
This seems like something we have been missing for a while now, so I
figured it might be useful to add. It is roughly based on the JavaScript
equivalent, with one major difference: in the JavaScript libraries,
`getAMethodCall` is reserved for syntactic method calls (`obj.m(...)`)
whereas `getAMemberInvocation` is used for both this and the case where
the bound method `obj.m` is stored in a temporary variable and then
subsequently invoked in the same local scope.

It seems to me that the more general predicate is more useful, and hence
should have the simpler name. (And also we don't really work with a
notion of "invocation" in the Python libraries, so we would need a
better name for it anyway.)

I think as long as the documentation makes the behaviour clear, it
should be okay.
2021-06-11 21:26:58 +00:00
Rasmus Wriedt Larsen
6f29b01abc Python: Model rsa 2021-06-11 11:23:06 +02:00
Rasmus Wriedt Larsen
40714c05b7 Python: Add tests for rsa PyPI package 2021-06-11 11:17:13 +02:00
Erik Krogh Kristensen
50d574d20d add graphql injection to the sql-injection query 2021-06-10 21:01:54 +02:00
Tamas Vajk
916780a452 Fix codeql CLI path 2021-06-10 15:07:54 +02:00
Owen Mansel-Chan
e0130a932e Update experimental query using NewCookie 2021-06-10 13:33:20 +01:00
Owen Mansel-Chan
c173b89529 Model NewCookie 2021-06-10 13:32:39 +01:00
Owen Mansel-Chan
ee6019a2d8 Fix tests for experimental httponly query 2021-06-10 13:31:28 +01:00
Owen Mansel-Chan
d5d27d5ccf Duplicate tests for Jakarta 2021-06-10 10:43:40 +01:00
Owen Mansel-Chan
0ad35421f2 Comment out stubs (Jakarta) 2021-06-10 10:43:40 +01:00
Owen Mansel-Chan
318d1ea484 Stubs in javax-ws-rs-api-3.0.0
Generated using java-autostub
2021-06-10 10:43:39 +01:00
Owen Mansel-Chan
e6a6a8898b Move Jax XSS sinks to JaxWS.qll and add tests 2021-06-10 10:43:39 +01:00
Owen Mansel-Chan
d1fe62d4d5 (Minor) Update comments to match ExternalFlow docs 2021-06-10 10:43:38 +01:00
Owen Mansel-Chan
1ae9d68409 Move and convert URL redirect sinks
Adds for them as well
2021-06-10 10:43:37 +01:00
Owen Mansel-Chan
f2ff2aa3e1 Add flow tests for JAX-RS 2021-06-10 10:43:37 +01:00
Owen Mansel-Chan
155d63d5f7 Add tests for JAX-RS 2021-06-10 10:43:36 +01:00
Owen Mansel-Chan
f63fd68bfb Fix models to work with collection flow
And also removal of `Argument` with indices
2021-06-10 10:43:36 +01:00
Owen Mansel-Chan
e929de98ec Delete duplicated taint summary rows 2021-06-10 10:43:35 +01:00
Owen Mansel-Chan
2b8bb5c231 Fix JAX-RS models 2021-06-10 10:43:35 +01:00
Owen Mansel-Chan
baa21c5bcf Manually comment out parts of stubs
This is to avoid having to make more stubs, which we don't really need
2021-06-10 10:43:34 +01:00
Owen Mansel-Chan
caf96b01e1 Stubs in javax-ws-rs-api-2.1.1
Generated using java-autostub
2021-06-10 10:43:34 +01:00
Owen Mansel-Chan
7b3acd8b45 (Minor) Add missing this. 2021-06-10 10:43:33 +01:00
Owen Mansel-Chan
07f7fd0342 Add missing QLDocs in JaxWS.qll
And correct one QLDoc
2021-06-10 10:43:15 +01:00
Tamas Vajk
b067309909 Change artifact names 2021-06-10 11:26:07 +02:00
Tamas Vajk
73aaeb4c0d Change workflow names 2021-06-10 11:01:45 +02:00
Tamas Vajk
55dd6ed3d1 Allow space separated package patterns in framework-aggregated reports 2021-06-10 10:54:12 +02:00
Tamas Vajk
74c00383d2 Update java framework coverage reports 2021-06-10 10:26:34 +02:00
Tamas Vajk
3605b9f720 Update java framework data 2021-06-10 10:11:24 +02:00
Tamas Vajk
ba9c2e0702 Rework CSV report generator and change timeseries report to use framework.csv 2021-06-10 10:11:24 +02:00
Tamas Vajk
c6cb7c6eed Rename time-series file to timeseries 2021-06-10 10:11:24 +02:00
Tamas Vajk
d0ec1e2f37 Generate file with package info 2021-06-10 10:11:24 +02:00
Tamas Vajk
3353c3ecdd Add workflow to generate timeseries CSV coverage report 2021-06-10 10:11:24 +02:00
Tamas Vajk
4de4277a8d Add timeseries CSV generator script 2021-06-10 10:11:23 +02:00
Tamas Vajk
270cf62f08 Fix variable reference 2021-06-10 10:11:23 +02:00
Tamas Vajk
49190615a7 Cleanup CSV coverage report generator 2021-06-10 10:11:23 +02:00
Rasmus Wriedt Larsen
dec6723183 Python: Minor refactor
A bit too much copy paste 😄
2021-06-09 12:19:11 +02:00
Rasmus Wriedt Larsen
fa6abea465 Python: Add modeling of jmespath 2021-06-09 12:14:35 +02:00
Rasmus Wriedt Larsen
5cdd60d0d6 Python: Add jmespath tests 2021-06-09 12:12:50 +02:00
Rasmus Wriedt Larsen
7c758f5c81 Python: Add change-note for twisted 2021-06-08 16:20:29 +02:00
Rasmus Wriedt Larsen
23f668f8ee Python: Model redirects in twisted 2021-06-08 16:16:56 +02:00
Owen Mansel-Chan
2cb76fe407 Test JAX-WS endpoints 2021-06-08 15:12:04 +01:00
Owen Mansel-Chan
d9cf1aaf39 Add stubs for JAX-WS 2021-06-08 15:12:04 +01:00
Chris Smowton
55d584b044 Add doc comment for JaxWS file 2021-06-08 15:12:03 +01:00
Chris Smowton
f71897d166 Rename JAX-WS -> JAX-RS where necessary. Improve change note and fix missing QLDoc. 2021-06-08 15:12:03 +01:00
Chris Smowton
ca684bea0e Jax-WS: support jakarta.ws.rs package everywhere
Releases since Java EE 9 use this.
2021-06-08 15:12:02 +01:00
Chris Smowton
adb5764aac Add URL redirect sinks relating to JAX-WS 2021-06-08 15:12:02 +01:00
Chris Smowton
260a228367 Add change note 2021-06-08 15:12:02 +01:00
Chris Smowton
314980c64c Model taint-propagating methods in the core JAX-WS library. 2021-06-08 15:11:57 +01:00
Rasmus Wriedt Larsen
a21039170b Python: Model (most of) twisted 2021-06-08 16:11:18 +02:00
Chris Smowton
9335e095a9 MIME type -> content type
This matches the terminology used elsewhere
2021-06-08 15:05:28 +01:00
Chris Smowton
5f7165efbb Add JaxWS XSS sink
Based on d44e4d0e63 by @lcartey
2021-06-08 15:05:27 +01:00
lcartey@github.com
cc497bf213 Java: Improve JaxRS modelling
- Handle inherited annotations
 - Fix `ResponseBuilder` charpred.
 - Model `@Produces` annotations.
2021-06-08 15:05:14 +01:00
Rasmus Wriedt Larsen
151a733ff2 Python: Add tests for twisted
These were largely based on the old tests in
6011cb74f8/python/ql/test/library-tests/web/twisted/test.py
2021-06-08 15:27:51 +02:00
Chris Smowton
4ddf4558a7 Merged simplified query 2021-06-04 16:07:15 +02:00
haby0
d6782767b7 Fix typos 2021-05-31 11:12:22 +08:00
Timo Mueller
75f6ec1f0d Updated test cases to include test for java10+ CREDENTIALS_FILTER_PATTERN constant 2021-05-25 17:08:58 +02:00
Timo Mueller
72901e3724 Merge branch 'insecureJmxRmiServerEnvironment' of github.com:mogwailabs/codeql into insecureJmxRmiServerEnvironment 2021-05-25 16:41:17 +02:00
Timo Mueller
59ebe08c78 Added stup for RMIConnectorServer for valid test case 2021-05-25 16:40:41 +02:00
Rasmus Wriedt Larsen
1b3f857a2f Python: Promote ClickHouse SQL models 2021-05-25 16:27:23 +02:00
Rasmus Wriedt Larsen
eb1da152a0 Python: Rewrite ClickHouse SQL lib modeling
This did turn into a few changes, that maybe could have been split into
separate PRs 🤷

* Rename `ClickHouseDriver` => `ClickhouseDriver`, to better follow
  import name in `.qll` name
* Rewrote modeling to use API graphs
* Split modeling of `aioch` into separate `.qll` file, which does re-use
  the `getExecuteMethodName` predicate. I feel that sharing code between
  the modeling like this was the best approach, and stuck the
  `INTERNAL: Do not use.` labels on both modules.
* I also added handling of keyword arguments (see change in .py files)
2021-05-25 16:13:31 +02:00
Rasmus Wriedt Larsen
c9a9535dbc Python: Use ConceptsTests for ClickHouse SQL libs
This did reveal a few places where we do not detect the incoming SQL
2021-05-25 16:10:06 +02:00
Rasmus Wriedt Larsen
ee3477c20a Python: Remove dummy clickhouse SQL injection query 2021-05-25 14:27:29 +02:00
Timo Müller
f44b97c1c3 Apply suggestions from code review
Improved variable naming in examples and some documentation clearup

Co-authored-by: Chris Smowton <smowton@github.com>
2021-05-25 13:03:07 +02:00
Timo Müller
e7021ffbee Apply suggestions from code review
More clear or precise wording within the documentation

Co-authored-by: Chris Smowton <smowton@github.com>
2021-05-25 12:53:47 +02:00
Rasmus Wriedt Larsen
c4e244eb80 Python: Add getAwaited to API::Node
I _really_ wanted to call this `.await()`, but that did not fit in with
the convention, or the corresponding `getPromised` in JS.

54f191cfe3/javascript/ql/src/semmle/javascript/ApiGraphs.qll (L184)
2021-05-21 17:11:20 +02:00
Rasmus Wriedt Larsen
e29b7568bf Python: Add missing QLDoc for subclass label 2021-05-21 16:17:17 +02:00
Rasmus Wriedt Larsen
2408573a0a Python: Add API graph test for calling coroutines 2021-05-21 16:08:15 +02:00
Rasmus Wriedt Larsen
7a5fd02442 Python: API graph tests: add --max-import-depth=1
Before this, I ended up extracting 454 modules locally 😱
2021-05-21 15:58:15 +02:00
Rasmus Wriedt Larsen
9a4709c134 Python: API graph tests: Disallow results outside project
Running the tests locally would result in thousands of results before
this 😱
2021-05-21 15:57:10 +02:00
haby0
689c28a178 modified JsonIoSafeOptionalArgs 2021-05-17 19:00:59 +08:00
haby0
95c33a240f Update java/change-notes/2021-05-17-add-unsafe-deserialization-sinks.md
Co-authored-by: Chris Smowton <smowton@github.com>
2021-05-17 18:49:16 +08:00
haby0
58d774ae85 add change notes 2021-05-17 14:52:05 +08:00
haby0
60fc607449 Modify ql 2021-05-14 18:17:05 +08:00
haby0
12f47bcf24 Add UnsafeDeserialization 2021-05-12 12:37:16 +08:00
Timo Müller
a65481d24b Apply suggestions from code review more precise help text 2021-05-04 17:30:49 +02:00
Timo Müller
65642df1a0 Apply suggestions from code review for help text
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-05-04 17:28:34 +02:00
Timo Mueller
152f4862ec Reworked the references a bit 2021-05-04 16:10:15 +02:00
Timo Mueller
81363a8843 Some better (and more styleguide compliant) descriptions within the query. 2021-05-04 15:57:47 +02:00
Timo Mueller
f7437422c1 InstanceOf check instead of comparing classnames 2021-05-04 15:51:40 +02:00
Timo Mueller
fd52135f29 Removed unnecessary check for type 2021-05-04 15:45:30 +02:00
Timo Mueller
787a4ede85 Fixed file reference in test cases 2021-05-04 15:33:53 +02:00
Timo Mueller
374ed851a0 Fixed file reference in test cases 2021-05-04 15:12:50 +02:00
Timo Müller
c476b6c088 Fix accordance to style guide
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-05-04 14:00:01 +02:00
Timo Müller
030e2bdd9b Fix accordance to style guide
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-05-04 13:59:52 +02:00
Timo Müller
ab308b5e9e Fix accordance to style guide
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-05-04 13:59:43 +02:00
Timo Müller
485a3a139a Fixed content to confirm with the style guide
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-05-04 13:58:38 +02:00
Timo Müller
45443baf84 Fixed Typo
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-05-04 13:58:00 +02:00
Timo Müller
1fd2be3879 Added more clear reference
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-05-04 13:57:19 +02:00
Timo Müller
7026d82a72 Fixed typo
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-05-04 13:53:14 +02:00
Timo Müller
f28e994121 Update java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qhelp
More descriptive (and PC) description.

Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-05-04 13:52:47 +02:00
Timo Mueller
c22eeacbfc Fixed accidential double init of variable 2021-04-30 16:28:56 +02:00
Timo Mueller
61d053f6b3 Fixed missing metadata description 2021-04-30 16:28:17 +02:00
Timo Mueller
15a3068f8a Added query for insecure environment configuration RMI JMX (CVE-2016-8735) 2021-04-30 16:23:17 +02:00
1269 changed files with 180064 additions and 16613 deletions

View File

@@ -0,0 +1,97 @@
name: Check framework coverage changes
on:
pull_request:
paths:
- '.github/workflows/csv-coverage-pr-comment.yml'
- '*/ql/src/**/*.ql'
- '*/ql/src/**/*.qll'
- 'misc/scripts/library-coverage/*.py'
# input data files
- '*/documentation/library-coverage/cwe-sink.csv'
- '*/documentation/library-coverage/frameworks.csv'
branches:
- main
- 'rc/*'
jobs:
generate:
name: Generate framework coverage artifacts
runs-on: ubuntu-latest
steps:
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
run: echo "$GITHUB_CONTEXT"
- name: Clone self (github/codeql) - MERGE
uses: actions/checkout@v2
with:
path: merge
- name: Clone self (github/codeql) - BASE
uses: actions/checkout@v2
with:
fetch-depth: 2
path: base
- run: |
git checkout HEAD^1
git log -1 --format='%H'
working-directory: base
- name: Set up Python 3.8
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Download CodeQL CLI
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
- name: Unzip CodeQL CLI
run: unzip -d codeql-cli codeql-linux64.zip
- name: Generate CSV files on merge commit of the PR
run: |
echo "Running generator on merge"
PATH="$PATH:codeql-cli/codeql" python merge/misc/scripts/library-coverage/generate-report.py ci merge merge
mkdir out_merge
cp framework-coverage-*.csv out_merge/
cp framework-coverage-*.rst out_merge/
- name: Generate CSV files on base commit of the PR
run: |
echo "Running generator on base"
PATH="$PATH:codeql-cli/codeql" python base/misc/scripts/library-coverage/generate-report.py ci base base
mkdir out_base
cp framework-coverage-*.csv out_base/
cp framework-coverage-*.rst out_base/
- name: Generate diff of coverage reports
run: |
python base/misc/scripts/library-coverage/compare-folders.py out_base out_merge comparison.md
- name: Upload CSV package list
uses: actions/upload-artifact@v2
with:
name: csv-framework-coverage-merge
path: |
out_merge/framework-coverage-*.csv
out_merge/framework-coverage-*.rst
- name: Upload CSV package list
uses: actions/upload-artifact@v2
with:
name: csv-framework-coverage-base
path: |
out_base/framework-coverage-*.csv
out_base/framework-coverage-*.rst
- name: Upload comparison results
uses: actions/upload-artifact@v2
with:
name: comparison
path: |
comparison.md
- name: Save PR number
run: |
mkdir -p pr
echo ${{ github.event.pull_request.number }} > pr/NR
- name: Upload PR number
uses: actions/upload-artifact@v2
with:
name: pr
path: pr/

View File

@@ -0,0 +1,34 @@
name: Comment on PR with framework coverage changes
on:
workflow_run:
workflows: ["Check framework coverage changes"]
types:
- completed
jobs:
check:
name: Check framework coverage differences and comment
runs-on: ubuntu-latest
if: >
${{ github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success' }}
steps:
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
run: echo "$GITHUB_CONTEXT"
- name: Clone self (github/codeql)
uses: actions/checkout@v2
- name: Set up Python 3.8
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Check coverage difference file and comment
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
RUN_ID: ${{ github.event.workflow_run.id }}
run: |
python misc/scripts/library-coverage/comment-pr.py "$GITHUB_REPOSITORY" "$RUN_ID"

View File

@@ -0,0 +1,42 @@
name: Build framework coverage timeseries reports
on:
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Clone self (github/codeql)
uses: actions/checkout@v2
with:
path: script
- name: Clone self (github/codeql) for analysis
uses: actions/checkout@v2
with:
path: codeqlModels
fetch-depth: 0
- name: Set up Python 3.8
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Download CodeQL CLI
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
- name: Unzip CodeQL CLI
run: unzip -d codeql-cli codeql-linux64.zip
- name: Build modeled package list
run: |
CLI=$(realpath "codeql-cli/codeql")
echo $CLI
PATH="$PATH:$CLI" python script/misc/scripts/library-coverage/generate-timeseries.py codeqlModels
- name: Upload timeseries CSV
uses: actions/upload-artifact@v2
with:
name: framework-coverage-timeseries
path: framework-coverage-timeseries-*.csv

View File

@@ -0,0 +1,44 @@
name: Update framework coverage reports
on:
workflow_dispatch:
schedule:
- cron: "0 0 * * *"
jobs:
update:
name: Update framework coverage report
if: github.event.repository.fork == false
runs-on: ubuntu-latest
steps:
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
run: echo "$GITHUB_CONTEXT"
- name: Clone self (github/codeql)
uses: actions/checkout@v2
with:
path: ql
fetch-depth: 0
- name: Set up Python 3.8
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Download CodeQL CLI
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
- name: Unzip CodeQL CLI
run: unzip -d codeql-cli codeql-linux64.zip
- name: Generate coverage files
run: |
PATH="$PATH:codeql-cli/codeql" python ql/misc/scripts/library-coverage/generate-report.py ci ql ql
- name: Create pull request with changes
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
python ql/misc/scripts/library-coverage/create-pr.py ql "$GITHUB_REPOSITORY"

View File

@@ -1,4 +1,4 @@
name: Build/check CSV flow coverage report
name: Build framework coverage reports
on:
workflow_dispatch:
@@ -6,22 +6,6 @@ on:
qlModelShaOverride:
description: 'github/codeql repo SHA used for looking up the CSV models'
required: false
push:
branches:
- main
- 'rc/**'
pull_request:
paths:
- '.github/workflows/csv-coverage.yml'
- '*/ql/src/**/*.ql'
- '*/ql/src/**/*.qll'
- 'misc/scripts/library-coverage/*.py'
# input data files
- '*/documentation/library-coverage/cwe-sink.csv'
- '*/documentation/library-coverage/frameworks.csv'
# coverage report files
- '*/documentation/library-coverage/flow-model-coverage.csv'
- '*/documentation/library-coverage/flow-model-coverage.rst'
jobs:
build:
@@ -33,28 +17,20 @@ jobs:
uses: actions/checkout@v2
with:
path: script
- name: Clone self (github/codeql) at a given SHA for analysis
if: github.event.inputs.qlModelShaOverride != ''
uses: actions/checkout@v2
with:
path: codeqlModels
ref: github.event.inputs.qlModelShaOverride
- name: Clone self (github/codeql) for analysis
if: github.event.inputs.qlModelShaOverride == ''
uses: actions/checkout@v2
with:
path: codeqlModels
ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
- name: Set up Python 3.8
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Download CodeQL CLI
uses: dsaltares/fetch-gh-release-asset@aa37ae5c44d3c9820bc12fe675e8670ecd93bd1c
with:
repo: "github/codeql-cli-binaries"
version: "latest"
file: "codeql-linux64.zip"
token: ${{ secrets.GITHUB_TOKEN }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
- name: Unzip CodeQL CLI
run: unzip -d codeql-cli codeql-linux64.zip
- name: Build modeled package list
@@ -63,15 +39,11 @@ jobs:
- name: Upload CSV package list
uses: actions/upload-artifact@v2
with:
name: csv-flow-model-coverage
path: flow-model-coverage-*.csv
name: framework-coverage-csv
path: framework-coverage-*.csv
- name: Upload RST package list
uses: actions/upload-artifact@v2
with:
name: rst-flow-model-coverage
path: flow-model-coverage-*.rst
# - name: Check coverage files
# if: github.event.pull_request
# run: |
# python script/misc/scripts/library-coverage/compare-files.py codeqlModels
name: framework-coverage-rst
path: framework-coverage-*.rst

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been further improved to reduce false positives and its `@precision` increased to `high`.

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The DataFlow libraries have been augmented with support for `Configuration`-specific in-place read steps at, for example, sinks and custom taint steps. This means that it is now possible to specify sinks that accept flow with non-empty access paths.

View File

@@ -5,7 +5,7 @@
* @kind problem
* @id cpp/offset-use-before-range-check
* @problem.severity warning
* @security-severity 5.9
* @security-severity 8.2
* @precision medium
* @tags reliability
* security

View File

@@ -4,7 +4,7 @@
* @kind problem
* @id cpp/descriptor-may-not-be-closed
* @problem.severity warning
* @security-severity 5.9
* @security-severity 7.8
* @tags efficiency
* security
* external/cwe/cwe-775

View File

@@ -4,7 +4,7 @@
* @kind problem
* @id cpp/descriptor-never-closed
* @problem.severity warning
* @security-severity 5.9
* @security-severity 7.8
* @tags efficiency
* security
* external/cwe/cwe-775

View File

@@ -4,7 +4,7 @@
* @kind problem
* @id cpp/file-may-not-be-closed
* @problem.severity warning
* @security-severity 5.9
* @security-severity 7.8
* @tags efficiency
* security
* external/cwe/cwe-775

View File

@@ -4,7 +4,7 @@
* @kind problem
* @id cpp/file-never-closed
* @problem.severity warning
* @security-severity 5.9
* @security-severity 7.8
* @tags efficiency
* security
* external/cwe/cwe-775

View File

@@ -4,7 +4,7 @@
* @kind problem
* @id cpp/global-use-before-init
* @problem.severity warning
* @security-severity 6.9
* @security-severity 7.8
* @tags reliability
* security
* external/cwe/cwe-457

View File

@@ -4,7 +4,7 @@
* @kind problem
* @id cpp/inconsistent-nullness-testing
* @problem.severity warning
* @security-severity 3.6
* @security-severity 7.5
* @tags reliability
* security
* external/cwe/cwe-476

View File

@@ -4,7 +4,7 @@
* @kind problem
* @id cpp/initialization-not-run
* @problem.severity warning
* @security-severity 6.4
* @security-severity 7.5
* @tags reliability
* security
* external/cwe/cwe-456

View File

@@ -6,7 +6,7 @@
* @kind problem
* @id cpp/late-negative-test
* @problem.severity warning
* @security-severity 10.0
* @security-severity 9.3
* @tags reliability
* security
* external/cwe/cwe-823

View File

@@ -4,7 +4,7 @@
* @kind problem
* @id cpp/memory-may-not-be-freed
* @problem.severity warning
* @security-severity 3.6
* @security-severity 7.5
* @tags efficiency
* security
* external/cwe/cwe-401

View File

@@ -4,7 +4,7 @@
* @kind problem
* @id cpp/memory-never-freed
* @problem.severity warning
* @security-severity 3.6
* @security-severity 7.5
* @tags efficiency
* security
* external/cwe/cwe-401

View File

@@ -5,7 +5,7 @@
* @kind problem
* @id cpp/missing-negativity-test
* @problem.severity warning
* @security-severity 10.0
* @security-severity 9.3
* @tags reliability
* security
* external/cwe/cwe-823

View File

@@ -4,7 +4,7 @@
* @kind problem
* @id cpp/missing-null-test
* @problem.severity recommendation
* @security-severity 3.6
* @security-severity 7.5
* @tags reliability
* security
* external/cwe/cwe-476

View File

@@ -3,7 +3,7 @@
* @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
* @kind problem
* @problem.severity warning
* @security-severity 3.6
* @security-severity 7.5
* @precision high
* @id cpp/new-free-mismatch
* @tags reliability

View File

@@ -4,7 +4,7 @@
* @kind problem
* @id cpp/overflow-calculated
* @problem.severity warning
* @security-severity 5.9
* @security-severity 9.8
* @tags reliability
* security
* external/cwe/cwe-131

View File

@@ -5,7 +5,7 @@
* @kind problem
* @id cpp/overflow-destination
* @problem.severity warning
* @security-severity 10.0
* @security-severity 9.3
* @precision low
* @tags reliability
* security

View File

@@ -4,7 +4,7 @@
* may result in a buffer overflow.
* @kind problem
* @problem.severity warning
* @security-severity 10.0
* @security-severity 9.3
* @precision medium
* @id cpp/static-buffer-overflow
* @tags reliability

View File

@@ -4,7 +4,7 @@
* @kind problem
* @id cpp/return-stack-allocated-object
* @problem.severity warning
* @security-severity 2.9
* @security-severity 2.1
* @tags reliability
* security
* external/cwe/cwe-562

View File

@@ -4,7 +4,7 @@
* an instance of the type of the pointer may result in a buffer overflow
* @kind problem
* @problem.severity warning
* @security-severity 6.4
* @security-severity 8.1
* @precision medium
* @id cpp/allocation-too-small
* @tags reliability

View File

@@ -4,7 +4,7 @@
* multiple instances of the type of the pointer may result in a buffer overflow
* @kind problem
* @problem.severity warning
* @security-severity 6.4
* @security-severity 8.1
* @precision medium
* @id cpp/suspicious-allocation-size
* @tags reliability

View File

@@ -4,7 +4,7 @@
* @kind problem
* @id cpp/use-after-free
* @problem.severity warning
* @security-severity 5.9
* @security-severity 9.3
* @tags reliability
* security
* external/cwe/cwe-416

View File

@@ -6,7 +6,7 @@
* to a larger type.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @security-severity 8.1
* @precision very-high
* @id cpp/bad-addition-overflow-check
* @tags reliability

View File

@@ -4,7 +4,7 @@
* be a sign that the result can overflow the type converted from.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @security-severity 8.1
* @precision high
* @id cpp/integer-multiplication-cast-to-long
* @tags reliability

View File

@@ -5,7 +5,7 @@
* unsigned integer values.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @security-severity 8.1
* @precision high
* @id cpp/signed-overflow-check
* @tags correctness

View File

@@ -6,7 +6,7 @@
* use the width of the base type, leading to misaligned reads.
* @kind path-problem
* @problem.severity warning
* @security-severity 10.0
* @security-severity 9.3
* @precision high
* @id cpp/upcast-array-pointer-arithmetic
* @tags correctness

View File

@@ -6,7 +6,7 @@
* from an untrusted source, this can be used for exploits.
* @kind problem
* @problem.severity recommendation
* @security-severity 6.9
* @security-severity 9.3
* @precision high
* @id cpp/non-constant-format
* @tags maintainability

View File

@@ -3,7 +3,7 @@
* @description Using the return value from snprintf without proper checks can cause overflow.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @security-severity 8.1
* @precision high
* @id cpp/overflowing-snprintf
* @tags reliability

View File

@@ -4,7 +4,7 @@
* a source of security issues.
* @kind problem
* @problem.severity error
* @security-severity 2.9
* @security-severity 5.0
* @precision high
* @id cpp/wrong-number-format-arguments
* @tags reliability

View File

@@ -4,7 +4,7 @@
* behavior.
* @kind problem
* @problem.severity error
* @security-severity 6.4
* @security-severity 7.5
* @precision high
* @id cpp/wrong-type-format-argument
* @tags reliability

View File

@@ -6,7 +6,7 @@
* @kind problem
* @id cpp/incorrect-not-operator-usage
* @problem.severity warning
* @security-severity 3.6
* @security-severity 7.5
* @precision medium
* @tags security
* external/cwe/cwe-480

View File

@@ -3,7 +3,7 @@
* @description Using alloca in a loop can lead to a stack overflow
* @kind problem
* @problem.severity warning
* @security-severity 3.6
* @security-severity 7.5
* @precision high
* @id cpp/alloca-in-loop
* @tags reliability

View File

@@ -5,7 +5,7 @@
* @kind problem
* @id cpp/improper-null-termination
* @problem.severity warning
* @security-severity 5.9
* @security-severity 7.8
* @tags security
* external/cwe/cwe-170
* external/cwe/cwe-665

View File

@@ -4,7 +4,7 @@
* on undefined behavior and may lead to memory corruption.
* @kind problem
* @problem.severity error
* @security-severity 2.9
* @security-severity 2.1
* @precision high
* @id cpp/pointer-overflow-check
* @tags reliability

View File

@@ -4,7 +4,7 @@
* as the third argument may result in a buffer overflow.
* @kind problem
* @problem.severity warning
* @security-severity 10.0
* @security-severity 9.3
* @precision medium
* @id cpp/bad-strncpy-size
* @tags reliability

View File

@@ -3,7 +3,7 @@
* @description Calling 'strncat' with an incorrect size argument may result in a buffer overflow.
* @kind problem
* @problem.severity warning
* @security-severity 10.0
* @security-severity 9.3
* @precision medium
* @id cpp/unsafe-strncat
* @tags reliability

View File

@@ -5,7 +5,7 @@
* the machine pointer size.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @security-severity 8.8
* @precision medium
* @id cpp/suspicious-sizeof
* @tags reliability

View File

@@ -5,7 +5,7 @@
* @kind problem
* @id cpp/uninitialized-local
* @problem.severity warning
* @security-severity 5.9
* @security-severity 7.8
* @precision medium
* @tags security
* external/cwe/cwe-665

View File

@@ -4,7 +4,7 @@
* may result in a buffer overflow
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @security-severity 9.8
* @precision medium
* @id cpp/unsafe-strcat
* @tags reliability

View File

@@ -6,7 +6,7 @@
* @kind problem
* @id cpp/self-assignment-check
* @problem.severity warning
* @security-severity 5.9
* @security-severity 7.0
* @tags reliability
* security
* external/cwe/cwe-826

View File

@@ -6,7 +6,7 @@
* @kind path-problem
* @id cpp/unsafe-use-of-this
* @problem.severity error
* @security-severity 3.6
* @security-severity 7.5
* @precision very-high
* @tags correctness
* language-features

View File

@@ -7,7 +7,7 @@
* undefined data.
* @kind problem
* @problem.severity error
* @security-severity 2.9
* @security-severity 5.0
* @precision very-high
* @id cpp/too-few-arguments
* @tags correctness

View File

@@ -5,7 +5,7 @@
* @kind problem
* @id cpp/memset-may-be-deleted
* @problem.severity warning
* @security-severity 6.4
* @security-severity 7.8
* @precision high
* @tags security
* external/cwe/cwe-14

View File

@@ -5,7 +5,7 @@
* @kind path-problem
* @precision low
* @problem.severity error
* @security-severity 5.9
* @security-severity 7.8
* @tags security external/cwe/cwe-20
*/

View File

@@ -5,7 +5,7 @@
* @kind path-problem
* @precision low
* @problem.severity error
* @security-severity 5.9
* @security-severity 7.8
* @tags security external/cwe/cwe-20
*/

View File

@@ -4,7 +4,7 @@
* attacker to access unexpected resources.
* @kind path-problem
* @problem.severity warning
* @security-severity 6.4
* @security-severity 7.5
* @precision medium
* @id cpp/path-injection
* @tags security

View File

@@ -5,7 +5,7 @@
* to command injection.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @security-severity 9.8
* @precision low
* @id cpp/command-line-injection
* @tags security

View File

@@ -4,7 +4,7 @@
* allows for a cross-site scripting vulnerability.
* @kind path-problem
* @problem.severity error
* @security-severity 2.9
* @security-severity 6.1
* @precision high
* @id cpp/cgi-xss
* @tags security

View File

@@ -5,7 +5,7 @@
* to SQL Injection.
* @kind path-problem
* @problem.severity error
* @security-severity 6.4
* @security-severity 8.8
* @precision high
* @id cpp/sql-injection
* @tags security

View File

@@ -5,7 +5,7 @@
* commands.
* @kind path-problem
* @problem.severity warning
* @security-severity 6.0
* @security-severity 8.2
* @precision medium
* @id cpp/uncontrolled-process-operation
* @tags security

View File

@@ -6,7 +6,7 @@
* @kind problem
* @id cpp/overflow-buffer
* @problem.severity recommendation
* @security-severity 10.0
* @security-severity 9.3
* @tags security
* external/cwe/cwe-119
* external/cwe/cwe-121

View File

@@ -5,7 +5,7 @@
* overflow.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @security-severity 9.3
* @precision high
* @id cpp/badly-bounded-write
* @tags reliability

View File

@@ -4,7 +4,7 @@
* of data written may overflow.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @security-severity 9.3
* @precision medium
* @id cpp/overrunning-write
* @tags reliability

View File

@@ -5,7 +5,7 @@
* take extreme values.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @security-severity 9.3
* @precision medium
* @id cpp/overrunning-write-with-float
* @tags reliability

View File

@@ -4,7 +4,7 @@
* of data written may overflow.
* @kind path-problem
* @problem.severity error
* @security-severity 5.9
* @security-severity 9.3
* @precision medium
* @id cpp/unbounded-write
* @tags reliability

View File

@@ -5,7 +5,7 @@
* a specific value to terminate the argument list.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @security-severity 8.8
* @precision medium
* @id cpp/unterminated-variadic-call
* @tags reliability

View File

@@ -6,7 +6,7 @@
* @kind problem
* @id cpp/unclear-array-index-validation
* @problem.severity warning
* @security-severity 5.9
* @security-severity 8.8
* @tags security
* external/cwe/cwe-129
*/

View File

@@ -5,7 +5,7 @@
* terminator can cause a buffer overrun.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @security-severity 9.8
* @precision high
* @id cpp/no-space-for-terminator
* @tags reliability

View File

@@ -5,7 +5,7 @@
* or data representation problems.
* @kind path-problem
* @problem.severity warning
* @security-severity 6.9
* @security-severity 9.3
* @precision high
* @id cpp/tainted-format-string
* @tags reliability

View File

@@ -5,7 +5,7 @@
* or data representation problems.
* @kind path-problem
* @problem.severity warning
* @security-severity 6.9
* @security-severity 9.3
* @precision high
* @id cpp/tainted-format-string-through-global
* @tags reliability

View File

@@ -2,9 +2,9 @@
* @name User-controlled data in arithmetic expression
* @description Arithmetic operations on user-controlled data that is
* not validated can cause overflows.
* @kind problem
* @kind path-problem
* @problem.severity warning
* @security-severity 5.9
* @security-severity 8.6
* @precision low
* @id cpp/tainted-arithmetic
* @tags security
@@ -16,22 +16,39 @@ import cpp
import semmle.code.cpp.security.Overflow
import semmle.code.cpp.security.Security
import semmle.code.cpp.security.TaintTracking
import TaintedWithPath
import Bounded
from Expr origin, Operation op, Expr e, string effect
bindingset[op]
predicate missingGuard(Operation op, Expr e, string effect) {
missingGuardAgainstUnderflow(op, e) and effect = "underflow"
or
missingGuardAgainstOverflow(op, e) and effect = "overflow"
or
not e instanceof VariableAccess and effect = "overflow"
}
class Configuration extends TaintTrackingConfiguration {
override predicate isSink(Element e) {
exists(Operation op |
missingGuard(op, e, _) and
op.getAnOperand() = e
|
op instanceof UnaryArithmeticOperation or
op instanceof BinaryArithmeticOperation
)
}
override predicate isBarrier(Expr e) {
super.isBarrier(e) or bounded(e) or e.getUnspecifiedType().(IntegralType).getSize() <= 1
}
}
from Expr origin, Expr e, string effect, PathNode sourceNode, PathNode sinkNode, Operation op
where
isUserInput(origin, _) and
tainted(origin, e) and
taintedWithPath(origin, e, sourceNode, sinkNode) and
op.getAnOperand() = e and
(
missingGuardAgainstUnderflow(op, e) and effect = "underflow"
or
missingGuardAgainstOverflow(op, e) and effect = "overflow"
or
not e instanceof VariableAccess and effect = "overflow"
) and
(
op instanceof UnaryArithmeticOperation or
op instanceof BinaryArithmeticOperation
)
select e, "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
origin, "User-provided value"
missingGuard(op, e, effect)
select e, sourceNode, sinkNode,
"$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
"User-provided value"

View File

@@ -4,7 +4,7 @@
* validated can cause overflows.
* @kind path-problem
* @problem.severity warning
* @security-severity 5.9
* @security-severity 8.6
* @precision medium
* @id cpp/uncontrolled-arithmetic
* @tags security
@@ -16,8 +16,8 @@ import cpp
import semmle.code.cpp.security.Overflow
import semmle.code.cpp.security.Security
import semmle.code.cpp.security.TaintTracking
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
import TaintedWithPath
import Bounded
predicate isUnboundedRandCall(FunctionCall fc) {
exists(Function func | func = fc.getTarget() |
@@ -27,74 +27,6 @@ predicate isUnboundedRandCall(FunctionCall fc) {
)
}
/**
* An operand `e` of a division expression (i.e., `e` is an operand of either a `DivExpr` or
* a `AssignDivExpr`) is bounded when `e` is the left-hand side of the division.
*/
pragma[inline]
predicate boundedDiv(Expr e, Expr left) { e = left }
/**
* An operand `e` of a remainder expression `rem` (i.e., `rem` is either a `RemExpr` or
* an `AssignRemExpr`) with left-hand side `left` and right-ahnd side `right` is bounded
* when `e` is `left` and `right` is upper bounded by some number that is less than the maximum integer
* allowed by the result type of `rem`.
*/
pragma[inline]
predicate boundedRem(Expr e, Expr rem, Expr left, Expr right) {
e = left and
upperBound(right.getFullyConverted()) < exprMaxVal(rem.getFullyConverted())
}
/**
* An operand `e` of a bitwise and expression `andExpr` (i.e., `andExpr` is either an `BitwiseAndExpr`
* or an `AssignAndExpr`) with operands `operand1` and `operand2` is the operand that is not `e` is upper
* bounded by some number that is less than the maximum integer allowed by the result type of `andExpr`.
*/
pragma[inline]
predicate boundedBitwiseAnd(Expr e, Expr andExpr, Expr operand1, Expr operand2) {
operand1 != operand2 and
e = operand1 and
upperBound(operand2.getFullyConverted()) < exprMaxVal(andExpr.getFullyConverted())
}
/**
* Holds if `fc` is a part of the left operand of a binary operation that greatly reduces the range
* of possible values.
*/
predicate bounded(Expr e) {
// For `%` and `&` we require that `e` is bounded by a value that is strictly smaller than the
// maximum possible value of the result type of the operation.
// For example, the function call `rand()` is considered bounded in the following program:
// ```
// int i = rand() % (UINT8_MAX + 1);
// ```
// but not in:
// ```
// unsigned char uc = rand() % (UINT8_MAX + 1);
// ```
exists(RemExpr rem | boundedRem(e, rem, rem.getLeftOperand(), rem.getRightOperand()))
or
exists(AssignRemExpr rem | boundedRem(e, rem, rem.getLValue(), rem.getRValue()))
or
exists(BitwiseAndExpr andExpr |
boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
)
or
exists(AssignAndExpr andExpr |
boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
)
or
// Optimitically assume that a division always yields a much smaller value.
boundedDiv(e, any(DivExpr div).getLeftOperand())
or
boundedDiv(e, any(AssignDivExpr div).getLValue())
or
boundedDiv(e, any(RShiftExpr shift).getLeftOperand())
or
boundedDiv(e, any(AssignRShiftExpr div).getLValue())
}
predicate isUnboundedRandCallOrParent(Expr e) {
isUnboundedRandCall(e)
or

View File

@@ -6,7 +6,7 @@
* @kind problem
* @id cpp/arithmetic-with-extreme-values
* @problem.severity warning
* @security-severity 5.9
* @security-severity 8.6
* @precision low
* @tags security
* reliability

View File

@@ -0,0 +1,83 @@
/**
* This file provides the `bounded` predicate that is used in both `cpp/uncontrolled-arithmetic`
* and `cpp/tainted-arithmetic`.
*/
private import cpp
private import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
/**
* An operand `e` of a division expression (i.e., `e` is an operand of either a `DivExpr` or
* a `AssignDivExpr`) is bounded when `e` is the left-hand side of the division.
*/
pragma[inline]
private predicate boundedDiv(Expr e, Expr left) { e = left }
/**
* An operand `e` of a remainder expression `rem` (i.e., `rem` is either a `RemExpr` or
* an `AssignRemExpr`) with left-hand side `left` and right-ahnd side `right` is bounded
* when `e` is `left` and `right` is upper bounded by some number that is less than the maximum integer
* allowed by the result type of `rem`.
*/
pragma[inline]
private predicate boundedRem(Expr e, Expr rem, Expr left, Expr right) {
e = left and
upperBound(right.getFullyConverted()) < exprMaxVal(rem.getFullyConverted())
}
/**
* An operand `e` of a bitwise and expression `andExpr` (i.e., `andExpr` is either an `BitwiseAndExpr`
* or an `AssignAndExpr`) with operands `operand1` and `operand2` is the operand that is not `e` is upper
* bounded by some number that is less than the maximum integer allowed by the result type of `andExpr`.
*/
pragma[inline]
private predicate boundedBitwiseAnd(Expr e, Expr andExpr, Expr operand1, Expr operand2) {
operand1 != operand2 and
e = operand1 and
upperBound(operand2.getFullyConverted()) < exprMaxVal(andExpr.getFullyConverted())
}
/**
* Holds if `e` is an arithmetic expression that cannot overflow, or if `e` is an operand of an
* operation that may greatly reduce the range of possible values.
*/
predicate bounded(Expr e) {
(
e instanceof UnaryArithmeticOperation or
e instanceof BinaryArithmeticOperation or
e instanceof AssignArithmeticOperation
) and
not convertedExprMightOverflow(e)
or
// For `%` and `&` we require that `e` is bounded by a value that is strictly smaller than the
// maximum possible value of the result type of the operation.
// For example, the function call `rand()` is considered bounded in the following program:
// ```
// int i = rand() % (UINT8_MAX + 1);
// ```
// but not in:
// ```
// unsigned char uc = rand() % (UINT8_MAX + 1);
// ```
exists(RemExpr rem | boundedRem(e, rem, rem.getLeftOperand(), rem.getRightOperand()))
or
exists(AssignRemExpr rem | boundedRem(e, rem, rem.getLValue(), rem.getRValue()))
or
exists(BitwiseAndExpr andExpr |
boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
)
or
exists(AssignAndExpr andExpr |
boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
)
or
// Optimitically assume that a division always yields a much smaller value.
boundedDiv(e, any(DivExpr div).getLeftOperand())
or
boundedDiv(e, any(AssignDivExpr div).getLValue())
or
boundedDiv(e, any(RShiftExpr shift).getLeftOperand())
or
boundedDiv(e, any(AssignRShiftExpr div).getLValue())
}

View File

@@ -5,7 +5,7 @@
* @id cpp/comparison-with-wider-type
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @security-severity 7.8
* @precision high
* @tags reliability
* security

View File

@@ -5,7 +5,7 @@
* @kind problem
* @id cpp/integer-overflow-tainted
* @problem.severity warning
* @security-severity 5.9
* @security-severity 8.1
* @precision low
* @tags security
* external/cwe/cwe-190

View File

@@ -4,7 +4,7 @@
* user can result in integer overflow.
* @kind path-problem
* @problem.severity error
* @security-severity 5.9
* @security-severity 8.1
* @precision medium
* @id cpp/uncontrolled-allocation-size
* @tags reliability

View File

@@ -4,7 +4,7 @@
* @kind problem
* @id cpp/unsigned-difference-expression-compared-zero
* @problem.severity warning
* @security-severity 5.9
* @security-severity 9.8
* @precision medium
* @tags security
* correctness

View File

@@ -4,7 +4,7 @@
* @kind problem
* @id cpp/hresult-boolean-conversion
* @problem.severity error
* @security-severity 4.2
* @security-severity 7.5
* @precision high
* @tags security
* external/cwe/cwe-253

View File

@@ -5,7 +5,7 @@
* vulnerable to spoofing attacks.
* @kind path-problem
* @problem.severity warning
* @security-severity 5.8
* @security-severity 8.1
* @precision medium
* @id cpp/user-controlled-bypass
* @tags security

View File

@@ -4,7 +4,7 @@
* to an attacker.
* @kind path-problem
* @problem.severity warning
* @security-severity 5.9
* @security-severity 7.5
* @precision medium
* @id cpp/cleartext-storage-buffer
* @tags security

View File

@@ -4,7 +4,7 @@
* to an attacker.
* @kind problem
* @problem.severity warning
* @security-severity 6.4
* @security-severity 7.5
* @precision medium
* @id cpp/cleartext-storage-file
* @tags security

View File

@@ -4,7 +4,7 @@
* database can expose it to an attacker.
* @kind path-problem
* @problem.severity warning
* @security-severity 6.4
* @security-severity 7.5
* @precision medium
* @id cpp/cleartext-storage-database
* @tags security

View File

@@ -4,8 +4,8 @@
* an attacker to compromise security.
* @kind problem
* @problem.severity error
* @security-severity 5.2
* @precision medium
* @security-severity 7.5
* @precision high
* @id cpp/weak-cryptographic-algorithm
* @tags security
* external/cwe/cwe-327
@@ -70,9 +70,12 @@ EnumConstant getAdditionalEvidenceEnumConst() { isEncryptionAdditionalEvidence(r
predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string description) {
// find use of an insecure algorithm name
(
fc.getTarget() = getAnInsecureEncryptionFunction() and
blame = fc and
description = "call to " + fc.getTarget().getName()
exists(FunctionCall fc2 |
fc.getAChild*() = fc2 and
fc2.getTarget() = getAnInsecureEncryptionFunction() and
blame = fc2 and
description = "call to " + fc.getTarget().getName()
)
or
exists(MacroInvocation mi |
(
@@ -93,7 +96,10 @@ predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string d
) and
// find additional evidence that this function is related to encryption.
(
fc.getTarget() = getAnAdditionalEvidenceFunction()
exists(FunctionCall fc2 |
fc.getAChild*() = fc2 and
fc2.getTarget() = getAnAdditionalEvidenceFunction()
)
or
exists(MacroInvocation mi |
(
@@ -107,6 +113,27 @@ predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string d
ec = fc.getAnArgument() and
ec.getTarget() = getAdditionalEvidenceEnumConst()
)
) and
// exclude calls from templates as this is rarely the right place to flag an
// issue
not fc.isFromTemplateInstantiation(_) and
(
// the function should have an input that looks like a non-constant buffer
exists(Expr e |
fc.getAnArgument() = e and
(
e.getUnspecifiedType() instanceof PointerType or
e.getUnspecifiedType() instanceof ReferenceType or
e.getUnspecifiedType() instanceof ArrayType
) and
not e.getType().isDeeplyConstBelow() and
not e.isConstant()
)
or
// or be a non-const member function of an object
fc.getTarget() instanceof MemberFunction and
not fc.getTarget() instanceof ConstMemberFunction and
not fc.getTarget().isStatic()
)
}

View File

@@ -4,7 +4,7 @@
* attackers to retrieve portions of memory.
* @kind problem
* @problem.severity error
* @security-severity 5.2
* @security-severity 7.5
* @precision very-high
* @id cpp/openssl-heartbleed
* @tags security

View File

@@ -5,7 +5,7 @@
* the two operations.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @security-severity 7.7
* @precision medium
* @id cpp/toctou-race-condition
* @tags security

View File

@@ -4,7 +4,7 @@
* @id cpp/unsafe-create-process-call
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @security-severity 7.8
* @precision medium
* @msrc.severity important
* @tags security

View File

@@ -5,7 +5,7 @@
* state, and reading the variable may result in undefined behavior.
* @kind problem
* @problem.severity warning
* @security-severity 6.9
* @security-severity 7.8
* @opaque-id SM02313
* @id cpp/conditionally-uninitialized-variable
* @tags security

View File

@@ -4,7 +4,7 @@
* can cause buffer overflow conditions.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @security-severity 8.8
* @precision medium
* @id cpp/suspicious-pointer-scaling
* @tags security

View File

@@ -5,7 +5,7 @@
* @kind problem
* @id cpp/incorrect-pointer-scaling-char
* @problem.severity warning
* @security-severity 5.9
* @security-severity 8.8
* @precision low
* @tags security
* external/cwe/cwe-468

View File

@@ -4,7 +4,7 @@
* can cause buffer overflow conditions.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @security-severity 8.8
* @precision medium
* @id cpp/suspicious-pointer-scaling-void
* @tags security

View File

@@ -5,7 +5,7 @@
* implicitly scaled.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @security-severity 8.8
* @precision high
* @id cpp/suspicious-add-sizeof
* @tags security

View File

@@ -5,7 +5,7 @@
* attack plan.
* @kind problem
* @problem.severity warning
* @security-severity 3.6
* @security-severity 6.5
* @precision medium
* @id cpp/system-data-exposure
* @tags security

View File

@@ -6,7 +6,7 @@
* @kind problem
* @id cpp/incorrect-string-type-conversion
* @problem.severity error
* @security-severity 5.9
* @security-severity 8.8
* @precision high
* @tags security
* external/cwe/cwe-704

View File

@@ -3,7 +3,7 @@
* @description Creating a file that is world-writable can allow an attacker to write to the file.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @security-severity 7.8
* @precision medium
* @id cpp/world-writable-file-creation
* @tags security

View File

@@ -7,7 +7,7 @@
* @id cpp/unsafe-dacl-security-descriptor
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @security-severity 7.8
* @precision high
* @tags security
* external/cwe/cwe-732

View File

@@ -5,7 +5,7 @@
* @kind problem
* @id cpp/lock-order-cycle
* @problem.severity error
* @security-severity 6.9
* @security-severity 5.0
* @tags security
* external/cwe/cwe-764
* external/cwe/cwe-833

View File

@@ -5,7 +5,7 @@
* @kind problem
* @id cpp/twice-locked
* @problem.severity error
* @security-severity 6.9
* @security-severity 5.0
* @precision low
* @tags security
* external/cwe/cwe-764

View File

@@ -5,7 +5,7 @@
* @kind problem
* @id cpp/unreleased-lock
* @problem.severity error
* @security-severity 6.9
* @security-severity 5.0
* @precision low
* @tags security
* external/cwe/cwe-764

View File

@@ -5,7 +5,7 @@
* attack.
* @kind path-problem
* @problem.severity warning
* @security-severity 6.4
* @security-severity 7.5
* @precision medium
* @id cpp/tainted-permissions-check
* @tags security

View File

@@ -6,7 +6,7 @@
* @kind problem
* @id cpp/infinite-loop-with-unsatisfiable-exit-condition
* @problem.severity warning
* @security-severity 3.6
* @security-severity 7.5
* @tags security
* external/cwe/cwe-835
*/

View File

@@ -4,7 +4,6 @@
* @description The total number of lines of C/C++ code across all files, including system headers, libraries, and auto-generated files. This is a useful metric of the size of a database. For all files that were seen during the build, this query counts the lines of code, excluding whitespace or comments.
* @kind metric
* @tags summary
* lines-of-code
*/
import cpp

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

Some files were not shown because too many files have changed in this diff Show More