mirror of
https://github.com/github/codeql.git
synced 2026-06-13 17:01:10 +02:00
Compare commits
15 Commits
copilot/ql
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
|
daefaff969 | ||
|
|
b9670ef831 | ||
|
|
912dc9c0bd | ||
|
|
de7afcaec3 | ||
|
|
f3ec7087e3 | ||
|
|
bea5522473 | ||
|
|
eedef515f7 | ||
|
|
9078b511c6 | ||
|
|
1ac079d066 | ||
|
|
29b0c286a7 | ||
|
|
a4bf2b8f58 | ||
|
|
a375e186ed | ||
|
|
3693185b6b | ||
|
|
1c1d26453d | ||
|
|
01173bf383 |
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
|
||||
@@ -2,10 +2,12 @@ import actions
|
||||
|
||||
bindingset[runner]
|
||||
predicate isGithubHostedRunner(string runner) {
|
||||
// list of github hosted repos: https://github.com/actions/runner-images/blob/main/README.md#available-images
|
||||
runner
|
||||
.toLowerCase()
|
||||
.regexpMatch("^(ubuntu-([0-9.]+|latest)|macos-([0-9]+|latest)(-x?large)?|windows-([0-9.]+|latest))$")
|
||||
// The list of github hosted repos:
|
||||
// https://github.com/actions/runner-images/blob/main/README.md#available-images
|
||||
// https://docs.github.com/en/enterprise-cloud@latest/actions/how-tos/write-workflows/choose-where-workflows-run/choose-the-runner-for-a-job#standard-github-hosted-runners-for-public-repositories
|
||||
runner.toLowerCase().regexpMatch("^ubuntu-([0-9.]+|latest|slim)(-arm)?$") or
|
||||
runner.toLowerCase().regexpMatch("^macos-([0-9]+|latest)(-x?large|-intel)?$") or
|
||||
runner.toLowerCase().regexpMatch("^windows-([0-9.]+|latest)(-vs[0-9.]+)?(-arm)?$")
|
||||
}
|
||||
|
||||
bindingset[runner]
|
||||
|
||||
43
actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test3.yml
vendored
Normal file
43
actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test3.yml
vendored
Normal file
@@ -0,0 +1,43 @@
|
||||
name: test
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
|
||||
jobs:
|
||||
test:
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
os:
|
||||
- ubuntu-latest
|
||||
- ubuntu-24.04
|
||||
- ubuntu-24.04-arm
|
||||
- ubuntu-22.04
|
||||
- ubuntu-22.04-arm
|
||||
- ubuntu-26.04
|
||||
- ubuntu-26.04-arm
|
||||
- ubuntu-slim
|
||||
- macos-26
|
||||
- macos-26-xlarge
|
||||
- macos-26-intel
|
||||
- macos-26-large
|
||||
- macos-latest-large
|
||||
- macos-15-large
|
||||
- macos-15
|
||||
- macos-15-intel
|
||||
- macos-latest
|
||||
- macos-15
|
||||
- macos-15-xlarge
|
||||
- macos-14-large
|
||||
- macos-14
|
||||
- macos-14-xlarge
|
||||
- windows-2025-vs2026
|
||||
- windows-latest
|
||||
- windows-2025
|
||||
- windows-2022
|
||||
- windows-11
|
||||
- windows-11-arm
|
||||
- windows-11-vs2026-arm
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- run: cmd
|
||||
@@ -203,7 +203,7 @@ module Ast implements AstSig<Location> {
|
||||
final private class FinalTryStmt = CS::TryStmt;
|
||||
|
||||
class TryStmt extends FinalTryStmt {
|
||||
Stmt getBody() { result = this.getBlock() }
|
||||
AstNode getBody(int index) { index = 0 and result = this.getBlock() }
|
||||
|
||||
CatchClause getCatch(int index) { result = this.getCatchClause(index) }
|
||||
|
||||
|
||||
@@ -10,7 +10,7 @@ toolchain go1.26.4
|
||||
// bazel mod tidy
|
||||
require (
|
||||
golang.org/x/mod v0.37.0
|
||||
golang.org/x/tools v0.45.0
|
||||
golang.org/x/tools v0.46.0
|
||||
)
|
||||
|
||||
require github.com/stretchr/testify v1.11.1
|
||||
@@ -18,6 +18,6 @@ require github.com/stretchr/testify v1.11.1
|
||||
require (
|
||||
github.com/davecgh/go-spew v1.1.1 // indirect
|
||||
github.com/pmezard/go-difflib v1.0.0 // indirect
|
||||
golang.org/x/sync v0.20.0 // indirect
|
||||
golang.org/x/sync v0.21.0 // indirect
|
||||
gopkg.in/yaml.v3 v3.0.1 // indirect
|
||||
)
|
||||
|
||||
@@ -8,10 +8,10 @@ github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu
|
||||
github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
|
||||
golang.org/x/mod v0.37.0 h1:vF1DjpVEshcIqoEaauuHebaLk1O1forxjxBaVn884JQ=
|
||||
golang.org/x/mod v0.37.0/go.mod h1:m8S8VeM9r4dzDwjrKO0a1sZP3YjeMamRRlD+fmR2Q/0=
|
||||
golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
|
||||
golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
|
||||
golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8=
|
||||
golang.org/x/tools v0.45.0/go.mod h1:LuUGqqaXcXMEFEruIVJVm5mgDD8vww/z/SR1gQ4uE/0=
|
||||
golang.org/x/sync v0.21.0 h1:HLII4xRRTtCRkxYp4HNFF0Js/Og6q2i++KXbg0gHCwM=
|
||||
golang.org/x/sync v0.21.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
|
||||
golang.org/x/tools v0.46.0 h1:7jTurBkPZu4moS/Uy4OQT1M+QBlsj3wejyZwsT8Z7rk=
|
||||
golang.org/x/tools v0.46.0/go.mod h1:FrD85F8l+NWL+9XWBSyVSHO6Ne4jutsfIFba7AWQ5Ys=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Arithmetic/ConstantExpAppearsNonConstant.ql
|
||||
query: Likely Bugs/Arithmetic/ConstantExpAppearsNonConstant.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -117,15 +117,18 @@ private module Ast implements AstSig<Location> {
|
||||
final private class FinalTryStmt = J::TryStmt;
|
||||
|
||||
class TryStmt extends FinalTryStmt {
|
||||
Stmt getBody() { result = super.getBlock() }
|
||||
AstNode getBody(int index) {
|
||||
result = super.getResource(index)
|
||||
or
|
||||
index = count(super.getAResource()) and
|
||||
result = super.getBlock()
|
||||
}
|
||||
|
||||
CatchClause getCatch(int index) { result = super.getCatchClause(index) }
|
||||
|
||||
Stmt getFinally() { result = super.getFinally() }
|
||||
}
|
||||
|
||||
AstNode getTryInit(TryStmt try, int index) { result = try.getResource(index) }
|
||||
|
||||
final private class FinalCatchClause = J::CatchClause;
|
||||
|
||||
class CatchClause extends FinalCatchClause {
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Implementation Hiding/AbstractToConcreteCollection.ql
|
||||
query: Violations of Best Practice/Implementation Hiding/AbstractToConcreteCollection.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/legacy/AutoBoxing.ql
|
||||
query: Violations of Best Practice/legacy/AutoBoxing.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Resource Leaks/CloseReader.ql
|
||||
query: Likely Bugs/Resource Leaks/CloseReader.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Resource Leaks/CloseWriter.ql
|
||||
query: Likely Bugs/Resource Leaks/CloseWriter.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Naming Conventions/ConfusingOverloading.ql
|
||||
query: Violations of Best Practice/Naming Conventions/ConfusingOverloading.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -2,21 +2,21 @@ fun fn0(f: Function0<Unit>) = f()
|
||||
|
||||
fun fn1() {
|
||||
var c = true
|
||||
while (c) { // TODO: false positive
|
||||
while (c) { // $ SPURIOUS: Alert // TODO: false positive
|
||||
fn0 {
|
||||
c = false
|
||||
}
|
||||
}
|
||||
|
||||
var d = true
|
||||
while (d) {
|
||||
while (d) { // $ Alert
|
||||
fn0 {
|
||||
println(d)
|
||||
}
|
||||
}
|
||||
|
||||
val e = true
|
||||
while (e) {
|
||||
while (e) { // $ Alert
|
||||
fn0 {
|
||||
println(e)
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Termination/ConstantLoopCondition.ql
|
||||
query: Likely Bugs/Termination/ConstantLoopCondition.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
DeadCode/DeadClass.ql
|
||||
query: DeadCode/DeadClass.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
DeadCode/DeadMethod.ql
|
||||
query: DeadCode/DeadMethod.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
| test.kt:1:1:1:20 | C1 | Unused class: C1 is not referenced within this codebase. If not used as an external API it should be removed. |
|
||||
| test.kt:1:1:1:31 | C1 | Unused class: C1 is not referenced within this codebase. If not used as an external API it should be removed. |
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Dead Code/DeadRefTypes.ql
|
||||
query: Violations of Best Practice/Dead Code/DeadRefTypes.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
private class C1 { }
|
||||
private class C1 { } // $ Alert
|
||||
|
||||
private class C2 { }
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Statements/EmptyBlock.ql
|
||||
query: Likely Bugs/Statements/EmptyBlock.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Implementation Hiding/ExposeRepresentation.ql
|
||||
query: Violations of Best Practice/Implementation Hiding/ExposeRepresentation.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Performance/InnerClassCouldBeStatic.ql
|
||||
query: Performance/InnerClassCouldBeStatic.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Comparison/MissingInstanceofInEquals.ql
|
||||
query: Likely Bugs/Comparison/MissingInstanceofInEquals.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Advisory/Declarations/MissingOverrideAnnotation.ql
|
||||
query: Advisory/Declarations/MissingOverrideAnnotation.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Architecture/Dependencies/MutualDependency.ql
|
||||
query: Architecture/Dependencies/MutualDependency.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
| Test.kt:12:1:12:13 | aaaa | Class and interface names should start in uppercase. |
|
||||
| Test.kt:12:1:12:24 | aaaa | Class and interface names should start in uppercase. |
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Advisory/Naming/NamingConventionsRefTypes.ql
|
||||
query: Advisory/Naming/NamingConventionsRefTypes.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -9,4 +9,4 @@ class Foo {
|
||||
}
|
||||
}
|
||||
|
||||
class aaaa {}
|
||||
class aaaa {} // $ Alert
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Serialization/NonSerializableField.ql
|
||||
query: Likely Bugs/Serialization/NonSerializableField.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Serialization/NonSerializableInnerClass.ql
|
||||
query: Likely Bugs/Serialization/NonSerializableInnerClass.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Nullness/NullMaybe.ql
|
||||
query: Likely Bugs/Nullness/NullMaybe.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Advisory/Statements/OneStatementPerLine.ql
|
||||
query: Advisory/Statements/OneStatementPerLine.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Statements/PartiallyMaskedCatch.ql
|
||||
query: Likely Bugs/Statements/PartiallyMaskedCatch.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Statements/ReturnValueIgnored.ql
|
||||
query: Likely Bugs/Statements/ReturnValueIgnored.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Boolean Logic/SimplifyBoolExpr.ql
|
||||
query: Violations of Best Practice/Boolean Logic/SimplifyBoolExpr.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Compatibility/JDK9/UnderscoreIdentifier.ql
|
||||
query: Compatibility/JDK9/UnderscoreIdentifier.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Dead Code/UnreadLocal.ql
|
||||
query: Violations of Best Practice/Dead Code/UnreadLocal.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -5,13 +5,13 @@ fun fn0(size: Int) {
|
||||
}
|
||||
|
||||
fun fn1(a: Array<Int>) {
|
||||
for (e in a) {
|
||||
for (e in a) { // $ Alert
|
||||
println()
|
||||
}
|
||||
}
|
||||
|
||||
fun fn2(a: Array<Int>) {
|
||||
for ((idx, e) in a.withIndex()) {
|
||||
for ((idx, e) in a.withIndex()) { // $ Alert
|
||||
println()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -12,7 +12,7 @@ fun fn(x:Any?, y: Any?) {
|
||||
|
||||
fun fn0(o: Any?) {
|
||||
if (o != null) {
|
||||
o?.toString()
|
||||
o?.toString() // $ Alert
|
||||
o.toString()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Language Abuse/UselessNullCheck.ql
|
||||
query: Language Abuse/UselessNullCheck.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
DeadCode/UselessParameter.ql
|
||||
query: DeadCode/UselessParameter.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Arithmetic/WhitespaceContradictsPrecedence.ql
|
||||
query: Likely Bugs/Arithmetic/WhitespaceContradictsPrecedence.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Implementation Hiding/AbstractToConcreteCollection.ql
|
||||
query: Violations of Best Practice/Implementation Hiding/AbstractToConcreteCollection.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/legacy/AutoBoxing.ql
|
||||
query: Violations of Best Practice/legacy/AutoBoxing.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Resource Leaks/CloseReader.ql
|
||||
query: Likely Bugs/Resource Leaks/CloseReader.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Resource Leaks/CloseWriter.ql
|
||||
query: Likely Bugs/Resource Leaks/CloseWriter.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Naming Conventions/ConfusingOverloading.ql
|
||||
query: Violations of Best Practice/Naming Conventions/ConfusingOverloading.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -2,21 +2,21 @@ fun fn0(f: Function0<Unit>) = f()
|
||||
|
||||
fun fn1() {
|
||||
var c = true
|
||||
while (c) { // TODO: false positive
|
||||
while (c) { // $ SPURIOUS: Alert // TODO: false positive
|
||||
fn0 {
|
||||
c = false
|
||||
}
|
||||
}
|
||||
|
||||
var d = true
|
||||
while (d) {
|
||||
while (d) { // $ Alert
|
||||
fn0 {
|
||||
println(d)
|
||||
}
|
||||
}
|
||||
|
||||
val e = true
|
||||
while (e) {
|
||||
while (e) { // $ Alert
|
||||
fn0 {
|
||||
println(e)
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Termination/ConstantLoopCondition.ql
|
||||
query: Likely Bugs/Termination/ConstantLoopCondition.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
DeadCode/DeadClass.ql
|
||||
query: DeadCode/DeadClass.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
DeadCode/DeadMethod.ql
|
||||
query: DeadCode/DeadMethod.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
| test.kt:1:1:1:20 | C1 | Unused class: C1 is not referenced within this codebase. If not used as an external API it should be removed. |
|
||||
| test.kt:1:1:1:31 | C1 | Unused class: C1 is not referenced within this codebase. If not used as an external API it should be removed. |
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Dead Code/DeadRefTypes.ql
|
||||
query: Violations of Best Practice/Dead Code/DeadRefTypes.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
private class C1 { }
|
||||
private class C1 { } // $ Alert
|
||||
|
||||
private class C2 { }
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Statements/EmptyBlock.ql
|
||||
query: Likely Bugs/Statements/EmptyBlock.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Implementation Hiding/ExposeRepresentation.ql
|
||||
query: Violations of Best Practice/Implementation Hiding/ExposeRepresentation.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Performance/InnerClassCouldBeStatic.ql
|
||||
query: Performance/InnerClassCouldBeStatic.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Comparison/MissingInstanceofInEquals.ql
|
||||
query: Likely Bugs/Comparison/MissingInstanceofInEquals.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Advisory/Declarations/MissingOverrideAnnotation.ql
|
||||
query: Advisory/Declarations/MissingOverrideAnnotation.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Architecture/Dependencies/MutualDependency.ql
|
||||
query: Architecture/Dependencies/MutualDependency.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
| Test.kt:12:1:12:13 | aaaa | Class and interface names should start in uppercase. |
|
||||
| Test.kt:12:1:12:24 | aaaa | Class and interface names should start in uppercase. |
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Advisory/Naming/NamingConventionsRefTypes.ql
|
||||
query: Advisory/Naming/NamingConventionsRefTypes.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -9,4 +9,4 @@ class Foo {
|
||||
}
|
||||
}
|
||||
|
||||
class aaaa {}
|
||||
class aaaa {} // $ Alert
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Serialization/NonSerializableField.ql
|
||||
query: Likely Bugs/Serialization/NonSerializableField.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Serialization/NonSerializableInnerClass.ql
|
||||
query: Likely Bugs/Serialization/NonSerializableInnerClass.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Nullness/NullMaybe.ql
|
||||
query: Likely Bugs/Nullness/NullMaybe.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Advisory/Statements/OneStatementPerLine.ql
|
||||
query: Advisory/Statements/OneStatementPerLine.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Statements/PartiallyMaskedCatch.ql
|
||||
query: Likely Bugs/Statements/PartiallyMaskedCatch.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Statements/ReturnValueIgnored.ql
|
||||
query: Likely Bugs/Statements/ReturnValueIgnored.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Boolean Logic/SimplifyBoolExpr.ql
|
||||
query: Violations of Best Practice/Boolean Logic/SimplifyBoolExpr.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Compatibility/JDK9/UnderscoreIdentifier.ql
|
||||
query: Compatibility/JDK9/UnderscoreIdentifier.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Violations of Best Practice/Dead Code/UnreadLocal.ql
|
||||
query: Violations of Best Practice/Dead Code/UnreadLocal.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -5,13 +5,13 @@ fun fn0(size: Int) {
|
||||
}
|
||||
|
||||
fun fn1(a: Array<Int>) {
|
||||
for (e in a) {
|
||||
for (e in a) { // $ Alert
|
||||
println()
|
||||
}
|
||||
}
|
||||
|
||||
fun fn2(a: Array<Int>) {
|
||||
for ((idx, e) in a.withIndex()) {
|
||||
for ((idx, e) in a.withIndex()) { // $ Alert
|
||||
println()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -12,7 +12,7 @@ fun fn(x:Any?, y: Any?) {
|
||||
|
||||
fun fn0(o: Any?) {
|
||||
if (o != null) {
|
||||
o?.toString()
|
||||
o?.toString() // $ Alert
|
||||
o.toString()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Language Abuse/UselessNullCheck.ql
|
||||
query: Language Abuse/UselessNullCheck.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
DeadCode/UselessParameter.ql
|
||||
query: DeadCode/UselessParameter.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Likely Bugs/Arithmetic/WhitespaceContradictsPrecedence.ql
|
||||
query: Likely Bugs/Arithmetic/WhitespaceContradictsPrecedence.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/quantum/Examples/ReusedNonce.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -16,7 +16,7 @@ public class Test {
|
||||
|
||||
private static byte[] getRandomWrapper1() throws Exception {
|
||||
byte[] val = new byte[16];
|
||||
new SecureRandom().nextBytes(val);
|
||||
new SecureRandom().nextBytes(val); // $ Source
|
||||
return val;
|
||||
}
|
||||
|
||||
@@ -37,7 +37,7 @@ public class Test {
|
||||
IvParameterSpec ivSpec = new IvParameterSpec(iv);
|
||||
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
|
||||
SecretKey key = generateAESKey();
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // BAD: Reuse of `iv` in funcB1
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // $ Alert // BAD: Reuse of `iv` in funcB1
|
||||
byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
|
||||
}
|
||||
|
||||
@@ -46,7 +46,7 @@ public class Test {
|
||||
IvParameterSpec ivSpec = new IvParameterSpec(iv);
|
||||
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
|
||||
SecretKey key = generateAESKey();
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // BAD: Reuse of `iv` in funcA1
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // $ Alert // BAD: Reuse of `iv` in funcA1
|
||||
byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
|
||||
}
|
||||
|
||||
@@ -73,13 +73,13 @@ public class Test {
|
||||
IvParameterSpec ivSpec1 = new IvParameterSpec(iv);
|
||||
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
|
||||
SecretKey key1 = generateAESKey();
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key1, ivSpec1); // BAD: reuse of `iv` below
|
||||
cipher.init(Cipher.ENCRYPT_MODE, key1, ivSpec1); // $ Alert // BAD: reuse of `iv` below
|
||||
byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
|
||||
|
||||
IvParameterSpec ivSpec2 = new IvParameterSpec(iv);
|
||||
Cipher cipher2 = Cipher.getInstance("AES/CBC/PKCS5Padding");
|
||||
SecretKey key2 = generateAESKey();
|
||||
cipher2.init(Cipher.ENCRYPT_MODE, key2, ivSpec2); // BAD: Reuse of `iv` above
|
||||
cipher2.init(Cipher.ENCRYPT_MODE, key2, ivSpec2); // $ Alert // BAD: Reuse of `iv` above
|
||||
byte[] ciphertext2 = cipher2.doFinal("Simple Test Data".getBytes());
|
||||
}
|
||||
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
@@ -18,12 +18,12 @@ public class FilePathInjection extends Controller {
|
||||
|
||||
// BAD: Upload file to user specified path without validation
|
||||
public void uploadFile() throws IOException {
|
||||
String savePath = getPara("dir");
|
||||
String savePath = getPara("dir"); // $ Source
|
||||
File file = getFile("fileParam").getFile();
|
||||
String finalFilePath = BASE_PATH + savePath;
|
||||
|
||||
FileInputStream fis = new FileInputStream(file);
|
||||
FileOutputStream fos = new FileOutputStream(finalFilePath);
|
||||
FileOutputStream fos = new FileOutputStream(finalFilePath); // $ Alert
|
||||
int i = 0;
|
||||
|
||||
do {
|
||||
@@ -61,7 +61,7 @@ public class FilePathInjection extends Controller {
|
||||
|
||||
// BAD: Upload file to user specified path without validation through session attribute
|
||||
public void uploadFile3() throws IOException {
|
||||
String savePath = getPara("dir");
|
||||
String savePath = getPara("dir"); // $ Source
|
||||
setSessionAttr("uploadDir", savePath);
|
||||
String sessionUploadDir = getSessionAttr("uploadDir");
|
||||
|
||||
@@ -69,7 +69,7 @@ public class FilePathInjection extends Controller {
|
||||
String finalFilePath = BASE_PATH + sessionUploadDir;
|
||||
|
||||
FileInputStream fis = new FileInputStream(file);
|
||||
FileOutputStream fos = new FileOutputStream(finalFilePath);
|
||||
FileOutputStream fos = new FileOutputStream(finalFilePath); // $ Alert
|
||||
int i = 0;
|
||||
|
||||
do {
|
||||
@@ -84,7 +84,7 @@ public class FilePathInjection extends Controller {
|
||||
|
||||
// BAD: Upload file to user specified path without validation through request attribute
|
||||
public void uploadFile4() throws IOException {
|
||||
String savePath = getPara("dir");
|
||||
String savePath = getPara("dir"); // $ Source
|
||||
setAttr("uploadDir2", savePath);
|
||||
String requestUploadDir = getAttr("uploadDir2");
|
||||
|
||||
@@ -92,7 +92,7 @@ public class FilePathInjection extends Controller {
|
||||
String finalFilePath = BASE_PATH + requestUploadDir;
|
||||
|
||||
FileInputStream fis = new FileInputStream(file);
|
||||
FileOutputStream fos = new FileOutputStream(finalFilePath);
|
||||
FileOutputStream fos = new FileOutputStream(finalFilePath); // $ Alert
|
||||
int i = 0;
|
||||
|
||||
do {
|
||||
@@ -179,7 +179,7 @@ public class FilePathInjection extends Controller {
|
||||
FileInputStream fis = null;
|
||||
try {
|
||||
os = resp.getOutputStream();
|
||||
fis = new FileInputStream(file);
|
||||
fis = new FileInputStream(file); // $ Alert
|
||||
byte fileContent[] = new byte[(int) file.length()];
|
||||
fis.read(fileContent);
|
||||
os.write(fileContent);
|
||||
@@ -202,12 +202,12 @@ public class FilePathInjection extends Controller {
|
||||
// BAD: Download file to user specified path without validation
|
||||
public void downloadFile() throws FileNotFoundException, IOException {
|
||||
HttpServletRequest request = getRequest();
|
||||
String path = request.getParameter("path");
|
||||
String path = request.getParameter("path"); // $ Source
|
||||
String filePath = BASE_PATH + path;
|
||||
|
||||
HttpServletResponse resp = getResponse();
|
||||
File file = new File(filePath);
|
||||
if (path != null && file.exists()) {
|
||||
if (path != null && file.exists()) { // $ Alert
|
||||
resp.setHeader("Content-type", "application/force-download");
|
||||
resp.setHeader("Content-Disposition", "inline;filename=\"" + filePath + "\"");
|
||||
resp.setHeader("Content-Transfer-Encoding", "Binary");
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-073/FilePathInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-078/ExecTainted.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -11,7 +11,7 @@ public class JSchOSInjectionTest extends HttpServlet {
|
||||
String host = "sshHost";
|
||||
String user = "user";
|
||||
String password = "password";
|
||||
String command = request.getParameter("command");
|
||||
String command = request.getParameter("command"); // $ Source[java/command-line-injection-experimental]
|
||||
|
||||
java.util.Properties config = new java.util.Properties();
|
||||
config.put("StrictHostKeyChecking", "no");
|
||||
@@ -24,7 +24,7 @@ public class JSchOSInjectionTest extends HttpServlet {
|
||||
session.connect();
|
||||
|
||||
Channel channel = session.openChannel("exec");
|
||||
((ChannelExec) channel).setCommand("ping " + command);
|
||||
((ChannelExec) channel).setCommand("ping " + command); // $ Alert[java/command-line-injection-experimental]
|
||||
channel.setInputStream(null);
|
||||
((ChannelExec) channel).setErrStream(System.err);
|
||||
|
||||
@@ -37,7 +37,7 @@ public class JSchOSInjectionTest extends HttpServlet {
|
||||
String host = "sshHost";
|
||||
String user = "user";
|
||||
String password = "password";
|
||||
String command = request.getParameter("command");
|
||||
String command = request.getParameter("command"); // $ Source[java/command-line-injection-experimental]
|
||||
|
||||
java.util.Properties config = new java.util.Properties();
|
||||
config.put("StrictHostKeyChecking", "no");
|
||||
@@ -50,7 +50,7 @@ public class JSchOSInjectionTest extends HttpServlet {
|
||||
session.connect();
|
||||
|
||||
ChannelExec channel = (ChannelExec)session.openChannel("exec");
|
||||
channel.setCommand("ping " + command);
|
||||
channel.setCommand("ping " + command); // $ Alert[java/command-line-injection-experimental]
|
||||
channel.setInputStream(null);
|
||||
channel.setErrStream(System.err);
|
||||
|
||||
|
||||
@@ -14,29 +14,29 @@ public class RuntimeExecTest {
|
||||
public static void test() {
|
||||
System.out.println("Command injection test");
|
||||
|
||||
String script = System.getenv("SCRIPTNAME");
|
||||
String script = System.getenv("SCRIPTNAME"); // $ Source[java/command-line-injection-extra-local]
|
||||
|
||||
if (script != null) {
|
||||
try {
|
||||
// 1. array literal in the args
|
||||
Runtime.getRuntime().exec(new String[]{"/bin/sh", script});
|
||||
Runtime.getRuntime().exec(new String[]{"/bin/sh", script}); // $ Alert[java/command-line-injection-extra-local]
|
||||
|
||||
// 2. array literal with dataflow
|
||||
String[] commandArray1 = new String[]{"/bin/sh", script};
|
||||
Runtime.getRuntime().exec(commandArray1);
|
||||
Runtime.getRuntime().exec(commandArray1); // $ Alert[java/command-line-injection-extra-local]
|
||||
|
||||
// 3. array assignment after it is created
|
||||
String[] commandArray2 = new String[4];
|
||||
commandArray2[0] = "/bin/sh";
|
||||
commandArray2[1] = script;
|
||||
Runtime.getRuntime().exec(commandArray2);
|
||||
Runtime.getRuntime().exec(commandArray2); // $ Alert[java/command-line-injection-extra-local]
|
||||
|
||||
// 4. Stream concatenation
|
||||
Runtime.getRuntime().exec(
|
||||
Stream.concat(
|
||||
Stream.concat( // $
|
||||
Arrays.stream(new String[]{"/bin/sh"}),
|
||||
Arrays.stream(new String[]{script})
|
||||
).toArray(String[]::new)
|
||||
).toArray(String[]::new) // $ Alert[java/command-line-injection-extra-local]
|
||||
);
|
||||
|
||||
} catch (Exception e) {
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -16,55 +16,55 @@ public class MybatisSqlInjection {
|
||||
private MybatisSqlInjectionService mybatisSqlInjectionService;
|
||||
|
||||
@GetMapping(value = "msi1")
|
||||
public List<Test> bad1(@RequestParam String name) {
|
||||
public List<Test> bad1(@RequestParam String name) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
List<Test> result = mybatisSqlInjectionService.bad1(name);
|
||||
return result;
|
||||
}
|
||||
|
||||
@GetMapping(value = "msi2")
|
||||
public List<Test> bad2(@RequestParam String name) {
|
||||
public List<Test> bad2(@RequestParam String name) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
List<Test> result = mybatisSqlInjectionService.bad2(name);
|
||||
return result;
|
||||
}
|
||||
|
||||
@GetMapping(value = "msi3")
|
||||
public List<Test> bad3(@ModelAttribute Test test) {
|
||||
public List<Test> bad3(@ModelAttribute Test test) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
List<Test> result = mybatisSqlInjectionService.bad3(test);
|
||||
return result;
|
||||
}
|
||||
|
||||
@RequestMapping(value = "msi4", method = RequestMethod.POST, produces = "application/json")
|
||||
public void bad4(@RequestBody Test test) {
|
||||
public void bad4(@RequestBody Test test) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
mybatisSqlInjectionService.bad4(test);
|
||||
}
|
||||
|
||||
@RequestMapping(value = "msi5", method = RequestMethod.PUT, produces = "application/json")
|
||||
public void bad5(@RequestBody Test test) {
|
||||
public void bad5(@RequestBody Test test) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
mybatisSqlInjectionService.bad5(test);
|
||||
}
|
||||
|
||||
@RequestMapping(value = "msi6", method = RequestMethod.POST, produces = "application/json")
|
||||
public void bad6(@RequestBody Map<String, String> params) {
|
||||
public void bad6(@RequestBody Map<String, String> params) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
mybatisSqlInjectionService.bad6(params);
|
||||
}
|
||||
|
||||
@RequestMapping(value = "msi7", method = RequestMethod.POST, produces = "application/json")
|
||||
public void bad7(@RequestBody List<String> params) {
|
||||
public void bad7(@RequestBody List<String> params) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
mybatisSqlInjectionService.bad7(params);
|
||||
}
|
||||
|
||||
@RequestMapping(value = "msi8", method = RequestMethod.POST, produces = "application/json")
|
||||
public void bad8(@RequestBody String[] params) {
|
||||
public void bad8(@RequestBody String[] params) { // $ Source[java/mybatis-xml-sql-injection]
|
||||
mybatisSqlInjectionService.bad8(params);
|
||||
}
|
||||
|
||||
@GetMapping(value = "msi9")
|
||||
public void bad9(@RequestParam String name) {
|
||||
public void bad9(@RequestParam String name) { // $ Source[java/mybatis-annotation-sql-injection]
|
||||
mybatisSqlInjectionService.bad9(name);
|
||||
}
|
||||
|
||||
@GetMapping(value = "msi10")
|
||||
public void bad10(@RequestParam Integer id, @RequestParam String name) {
|
||||
public void bad10(@RequestParam Integer id, @RequestParam String name) { // $ Source[java/mybatis-annotation-sql-injection]
|
||||
mybatisSqlInjectionService.bad10(id, name);
|
||||
}
|
||||
|
||||
|
||||
@@ -11,48 +11,48 @@ public class MybatisSqlInjectionService {
|
||||
private SqlInjectionMapper sqlInjectionMapper;
|
||||
|
||||
public List<Test> bad1(String name) {
|
||||
List<Test> result = sqlInjectionMapper.bad1(name);
|
||||
List<Test> result = sqlInjectionMapper.bad1(name); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
return result;
|
||||
}
|
||||
|
||||
public List<Test> bad2(String name) {
|
||||
List<Test> result = sqlInjectionMapper.bad2(name);
|
||||
List<Test> result = sqlInjectionMapper.bad2(name); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
return result;
|
||||
}
|
||||
|
||||
public List<Test> bad3(Test test) {
|
||||
List<Test> result = sqlInjectionMapper.bad3(test);
|
||||
List<Test> result = sqlInjectionMapper.bad3(test); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
return result;
|
||||
}
|
||||
|
||||
public void bad4(Test test) {
|
||||
sqlInjectionMapper.bad4(test);
|
||||
sqlInjectionMapper.bad4(test); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
}
|
||||
|
||||
public void bad5(Test test) {
|
||||
sqlInjectionMapper.bad5(test);
|
||||
sqlInjectionMapper.bad5(test); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
}
|
||||
|
||||
public void bad6(Map<String, String> params) {
|
||||
sqlInjectionMapper.bad6(params);
|
||||
sqlInjectionMapper.bad6(params); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
}
|
||||
|
||||
public void bad7(List<String> params) {
|
||||
sqlInjectionMapper.bad7(params);
|
||||
sqlInjectionMapper.bad7(params); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
}
|
||||
|
||||
public void bad8(String[] params) {
|
||||
sqlInjectionMapper.bad8(params);
|
||||
sqlInjectionMapper.bad8(params); // $ Alert[java/mybatis-xml-sql-injection]
|
||||
}
|
||||
|
||||
public void bad9(String name) {
|
||||
HashMap hashMap = new HashMap();
|
||||
hashMap.put("name", name);
|
||||
sqlInjectionMapper.bad9(hashMap);
|
||||
sqlInjectionMapper.bad9(hashMap); // $ Alert[java/mybatis-annotation-sql-injection]
|
||||
}
|
||||
|
||||
public void bad10(Integer id, String name) {
|
||||
sqlInjectionMapper.bad10(id, name);
|
||||
sqlInjectionMapper.bad10(id, name); // $ Alert[java/mybatis-annotation-sql-injection]
|
||||
}
|
||||
|
||||
public List<Test> good1(Integer id) {
|
||||
|
||||
@@ -10,24 +10,24 @@ public class BeanShellInjection {
|
||||
|
||||
@GetMapping(value = "bad1")
|
||||
public void bad1(HttpServletRequest request) {
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/beanshell-injection]
|
||||
BshScriptEvaluator evaluator = new BshScriptEvaluator();
|
||||
evaluator.evaluate(new StaticScriptSource(code)); //bad
|
||||
evaluator.evaluate(new StaticScriptSource(code)); // $ Alert[java/beanshell-injection] //bad
|
||||
}
|
||||
|
||||
@GetMapping(value = "bad2")
|
||||
public void bad2(HttpServletRequest request) throws Exception {
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/beanshell-injection]
|
||||
Interpreter interpreter = new Interpreter();
|
||||
interpreter.eval(code); //bad
|
||||
interpreter.eval(code); // $ Alert[java/beanshell-injection] //bad
|
||||
}
|
||||
|
||||
@GetMapping(value = "bad3")
|
||||
public void bad3(HttpServletRequest request) {
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/beanshell-injection]
|
||||
StaticScriptSource staticScriptSource = new StaticScriptSource("test");
|
||||
staticScriptSource.setScript(code);
|
||||
BshScriptEvaluator evaluator = new BshScriptEvaluator();
|
||||
evaluator.evaluate(staticScriptSource); //bad
|
||||
evaluator.evaluate(staticScriptSource); // $ Alert[java/beanshell-injection] //bad
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-094/BeanShellInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -9,24 +9,24 @@ public class JShellInjection {
|
||||
|
||||
@GetMapping(value = "bad1")
|
||||
public void bad1(HttpServletRequest request) {
|
||||
String input = request.getParameter("code");
|
||||
String input = request.getParameter("code"); // $ Source[java/jshell-injection]
|
||||
JShell jShell = JShell.builder().build();
|
||||
// BAD: allow execution of arbitrary Java code
|
||||
jShell.eval(input);
|
||||
jShell.eval(input); // $ Alert[java/jshell-injection]
|
||||
}
|
||||
|
||||
@GetMapping(value = "bad2")
|
||||
public void bad2(HttpServletRequest request) {
|
||||
String input = request.getParameter("code");
|
||||
String input = request.getParameter("code"); // $ Source[java/jshell-injection]
|
||||
JShell jShell = JShell.builder().build();
|
||||
SourceCodeAnalysis sourceCodeAnalysis = jShell.sourceCodeAnalysis();
|
||||
// BAD: allow execution of arbitrary Java code
|
||||
sourceCodeAnalysis.wrappers(input);
|
||||
sourceCodeAnalysis.wrappers(input); // $ Alert[java/jshell-injection]
|
||||
}
|
||||
|
||||
@GetMapping(value = "bad3")
|
||||
public void bad3(HttpServletRequest request) {
|
||||
String input = request.getParameter("code");
|
||||
String input = request.getParameter("code"); // $ Source[java/jshell-injection]
|
||||
JShell jShell = JShell.builder().build();
|
||||
SourceCodeAnalysis.CompletionInfo info;
|
||||
SourceCodeAnalysis sca = jShell.sourceCodeAnalysis();
|
||||
@@ -34,7 +34,7 @@ public class JShellInjection {
|
||||
info.completeness().isComplete();
|
||||
info = sca.analyzeCompletion(info.remaining())) {
|
||||
// BAD: allow execution of arbitrary Java code
|
||||
jShell.eval(info.source());
|
||||
jShell.eval(info.source()); // $ Alert[java/jshell-injection]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-094/JShellInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -20,7 +20,7 @@ public class JakartaExpressionInjection {
|
||||
try (ServerSocket serverSocket = new ServerSocket(0)) {
|
||||
try (Socket socket = serverSocket.accept()) {
|
||||
byte[] bytes = new byte[1024];
|
||||
int n = socket.getInputStream().read(bytes);
|
||||
int n = socket.getInputStream().read(bytes); // $ Source[java/javaee-expression-injection]
|
||||
String expression = new String(bytes, 0, n);
|
||||
action.accept(expression);
|
||||
}
|
||||
@@ -31,7 +31,7 @@ public class JakartaExpressionInjection {
|
||||
private static void testWithELProcessorEval() throws IOException {
|
||||
testWithSocket(expression -> {
|
||||
ELProcessor processor = new ELProcessor();
|
||||
processor.eval(expression);
|
||||
processor.eval(expression); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -39,7 +39,7 @@ public class JakartaExpressionInjection {
|
||||
private static void testWithELProcessorGetValue() throws IOException {
|
||||
testWithSocket(expression -> {
|
||||
ELProcessor processor = new ELProcessor();
|
||||
processor.getValue(expression, Object.class);
|
||||
processor.getValue(expression, Object.class); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -50,7 +50,7 @@ public class JakartaExpressionInjection {
|
||||
StandardELContext context = new StandardELContext(factory);
|
||||
ValueExpression valueExpression = factory.createValueExpression(context, expression, Object.class);
|
||||
LambdaExpression lambdaExpression = new LambdaExpression(new ArrayList<>(), valueExpression);
|
||||
lambdaExpression.invoke(context, new Object[0]);
|
||||
lambdaExpression.invoke(context, new Object[0]); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -58,7 +58,7 @@ public class JakartaExpressionInjection {
|
||||
private static void testWithELProcessorSetValue() throws IOException {
|
||||
testWithSocket(expression -> {
|
||||
ELProcessor processor = new ELProcessor();
|
||||
processor.setValue(expression, new Object());
|
||||
processor.setValue(expression, new Object()); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -66,7 +66,7 @@ public class JakartaExpressionInjection {
|
||||
private static void testWithELProcessorSetVariable() throws IOException {
|
||||
testWithSocket(expression -> {
|
||||
ELProcessor processor = new ELProcessor();
|
||||
processor.setVariable("test", expression);
|
||||
processor.setVariable("test", expression); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -76,7 +76,7 @@ public class JakartaExpressionInjection {
|
||||
ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
|
||||
ELContext context = new de.odysseus.el.util.SimpleContext();
|
||||
ValueExpression e = factory.createValueExpression(context, expression, Object.class);
|
||||
e.getValue(context);
|
||||
e.getValue(context); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -86,7 +86,7 @@ public class JakartaExpressionInjection {
|
||||
ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
|
||||
ELContext context = new de.odysseus.el.util.SimpleContext();
|
||||
ValueExpression e = factory.createValueExpression(context, expression, Object.class);
|
||||
e.setValue(context, new Object());
|
||||
e.setValue(context, new Object()); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
@@ -96,7 +96,7 @@ public class JakartaExpressionInjection {
|
||||
ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
|
||||
ELContext context = new de.odysseus.el.util.SimpleContext();
|
||||
MethodExpression e = factory.createMethodExpression(context, expression, Object.class, new Class[0]);
|
||||
e.invoke(context, new Object[0]);
|
||||
e.invoke(context, new Object[0]); // $ Alert[java/javaee-expression-injection]
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -25,7 +25,7 @@ public class JythonInjection extends HttpServlet {
|
||||
// BAD: allow execution of arbitrary Python code
|
||||
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
response.setContentType("text/plain");
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/jython-injection]
|
||||
PythonInterpreter interpreter = null;
|
||||
ByteArrayOutputStream out = new ByteArrayOutputStream();
|
||||
|
||||
@@ -33,7 +33,7 @@ public class JythonInjection extends HttpServlet {
|
||||
interpreter = new PythonInterpreter();
|
||||
interpreter.setOut(out);
|
||||
interpreter.setErr(out);
|
||||
interpreter.exec(code);
|
||||
interpreter.exec(code); // $ Alert[java/jython-injection]
|
||||
out.flush();
|
||||
|
||||
response.getWriter().print(out.toString());
|
||||
@@ -50,12 +50,12 @@ public class JythonInjection extends HttpServlet {
|
||||
// BAD: allow execution of arbitrary Python code
|
||||
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
response.setContentType("text/plain");
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/jython-injection]
|
||||
PythonInterpreter interpreter = null;
|
||||
|
||||
try {
|
||||
interpreter = new PythonInterpreter();
|
||||
PyObject py = interpreter.eval(code);
|
||||
PyObject py = interpreter.eval(code); // $ Alert[java/jython-injection]
|
||||
|
||||
response.getWriter().print(py.toString());
|
||||
} catch(PyException ex) {
|
||||
@@ -70,7 +70,7 @@ public class JythonInjection extends HttpServlet {
|
||||
// BAD: allow arbitrary Jython expression to run
|
||||
protected void doPut(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
response.setContentType("text/plain");
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/jython-injection]
|
||||
InteractiveInterpreter interpreter = null;
|
||||
ByteArrayOutputStream out = new ByteArrayOutputStream();
|
||||
|
||||
@@ -78,7 +78,7 @@ public class JythonInjection extends HttpServlet {
|
||||
interpreter = new InteractiveInterpreter();
|
||||
interpreter.setOut(out);
|
||||
interpreter.setErr(out);
|
||||
interpreter.runsource(code);
|
||||
interpreter.runsource(code); // $ Alert[java/jython-injection]
|
||||
out.flush();
|
||||
|
||||
response.getWriter().print(out.toString());
|
||||
@@ -94,7 +94,7 @@ public class JythonInjection extends HttpServlet {
|
||||
// BAD: load arbitrary class file to execute
|
||||
protected void doTrace(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
|
||||
response.setContentType("text/plain");
|
||||
String code = request.getParameter("code");
|
||||
String code = request.getParameter("code"); // $ Source[java/jython-injection]
|
||||
PythonInterpreter interpreter = null;
|
||||
ByteArrayOutputStream out = new ByteArrayOutputStream();
|
||||
|
||||
@@ -103,7 +103,7 @@ public class JythonInjection extends HttpServlet {
|
||||
interpreter.setOut(out);
|
||||
interpreter.setErr(out);
|
||||
|
||||
PyCode pyCode = BytecodeLoader.makeCode("test", code.getBytes(), getServletContext().getRealPath("/com/example/test.pyc"));
|
||||
PyCode pyCode = BytecodeLoader.makeCode("test", code.getBytes(), getServletContext().getRealPath("/com/example/test.pyc")); // $ Alert[java/jython-injection]
|
||||
interpreter.exec(pyCode);
|
||||
out.flush();
|
||||
|
||||
@@ -128,7 +128,7 @@ public class JythonInjection extends HttpServlet {
|
||||
interpreter.setOut(out);
|
||||
interpreter.setErr(out);
|
||||
|
||||
PyCode pyCode = Py.compile(request.getInputStream(), "Test.py", org.python.core.CompileMode.eval);
|
||||
PyCode pyCode = Py.compile(request.getInputStream(), "Test.py", org.python.core.CompileMode.eval); // $ Alert[java/jython-injection]
|
||||
interpreter.exec(pyCode);
|
||||
out.flush();
|
||||
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: experimental/Security/CWE/CWE-094/JythonInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user