mirror of
https://github.com/github/codeql.git
synced 2026-05-21 14:47:10 +02:00
Compare commits
16 Commits
tombolton/
...
codeql-cli
| Author | SHA1 | Date | |
|---|---|---|---|
|
28fe7a7660 | ||
|
|
104ac05f49 | ||
|
|
5abb0338b9 | ||
|
|
f71807c968 | ||
|
|
2052494eee | ||
|
|
f020fdbda3 | ||
|
|
34cbc6678f | ||
|
|
5780f156d1 | ||
|
|
5e5e2646e2 | ||
|
|
8cd261af0e | ||
|
|
42f05dadc4 | ||
|
|
3d072abcff | ||
|
|
deddc52666 | ||
|
|
009ba4c280 | ||
|
|
673355df65 | ||
|
|
1f1b364feb |
2115
cpp/downgrades/19e31bf071f588bb7efd1e4d5a185ce4f6fbbd84/old.dbscheme
Normal file
2115
cpp/downgrades/19e31bf071f588bb7efd1e4d5a185ce4f6fbbd84/old.dbscheme
Normal file
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -0,0 +1,3 @@
|
||||
description: Add relation for tracking C++ braced initializers
|
||||
compatibility: full
|
||||
braced_initialisers.rel: delete
|
||||
@@ -1,3 +1,19 @@
|
||||
## 0.2.3
|
||||
|
||||
### New Features
|
||||
|
||||
* An `isBraced` predicate was added to the `Initializer` class which holds when a C++ braced initializer was used in the initialization.
|
||||
|
||||
## 0.2.2
|
||||
|
||||
### Deprecated APIs
|
||||
|
||||
* The `AnalysedString` class in the `StringAnalysis` module has been replaced with `AnalyzedString`, to follow our style guide. The old name still exists as a deprecated alias.
|
||||
|
||||
### New Features
|
||||
|
||||
* A `getInitialization` predicate was added to the `ConstexprIfStmt`, `IfStmt`, and `SwitchStmt` classes that yields the C++17-style initializer of the `if` or `switch` statement when it exists.
|
||||
|
||||
## 0.2.1
|
||||
|
||||
## 0.2.0
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* A `getInitialization` predicate was added to the `ConstexprIfStmt`, `IfStmt`, and `SwitchStmt` classes that yields the C++17-style initializer of the `if` or `switch` statement when it exists.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: deprecated
|
||||
---
|
||||
* The `AnalysedString` class in the `StringAnalysis` module has been replaced with `AnalyzedString`, to follow our style guide. The old name still exists as a deprecated alias.
|
||||
9
cpp/ql/lib/change-notes/released/0.2.2.md
Normal file
9
cpp/ql/lib/change-notes/released/0.2.2.md
Normal file
@@ -0,0 +1,9 @@
|
||||
## 0.2.2
|
||||
|
||||
### Deprecated APIs
|
||||
|
||||
* The `AnalysedString` class in the `StringAnalysis` module has been replaced with `AnalyzedString`, to follow our style guide. The old name still exists as a deprecated alias.
|
||||
|
||||
### New Features
|
||||
|
||||
* A `getInitialization` predicate was added to the `ConstexprIfStmt`, `IfStmt`, and `SwitchStmt` classes that yields the C++17-style initializer of the `if` or `switch` statement when it exists.
|
||||
5
cpp/ql/lib/change-notes/released/0.2.3.md
Normal file
5
cpp/ql/lib/change-notes/released/0.2.3.md
Normal file
@@ -0,0 +1,5 @@
|
||||
## 0.2.3
|
||||
|
||||
### New Features
|
||||
|
||||
* An `isBraced` predicate was added to the `Initializer` class which holds when a C++ braced initializer was used in the initialization.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.2.1
|
||||
lastReleaseVersion: 0.2.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-all
|
||||
version: 0.2.2-dev
|
||||
version: 0.2.3
|
||||
groups: cpp
|
||||
dbscheme: semmlecode.cpp.dbscheme
|
||||
extractor: cpp
|
||||
|
||||
@@ -51,4 +51,7 @@ class Initializer extends ControlFlowNode, @initialiser {
|
||||
override Function getControlFlowScope() { result = this.getExpr().getEnclosingFunction() }
|
||||
|
||||
override Stmt getEnclosingStmt() { result = this.getExpr().getEnclosingStmt() }
|
||||
|
||||
/** Holds if the initializer used the C++ braced initializer notation. */
|
||||
predicate isBraced() { braced_initialisers(underlyingElement(this)) }
|
||||
}
|
||||
|
||||
@@ -1436,6 +1436,10 @@ initialisers(
|
||||
int location: @location_expr ref
|
||||
);
|
||||
|
||||
braced_initialisers(
|
||||
int init: @initialiser ref
|
||||
);
|
||||
|
||||
/**
|
||||
* An ancestor for the expression, for cases in which we cannot
|
||||
* otherwise find the expression's parent.
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -0,0 +1,2 @@
|
||||
description: Add relation for tracking C++ braced initializers
|
||||
compatibility: backwards
|
||||
@@ -1,3 +1,12 @@
|
||||
## 0.1.4
|
||||
|
||||
## 0.1.3
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The "XML external entity expansion" (`cpp/external-entity-expansion`) query precision has been increased to `high`.
|
||||
* The `cpp/unused-local-variable` no longer ignores functions that include `if` and `switch` statements with C++17-style initializers.
|
||||
|
||||
## 0.1.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The `cpp/unused-local-variable` no longer ignores functions that include `if` and `switch` statements with C++17-style initializers.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The "XML external entity expansion" (`cpp/external-entity-expansion`) query precision has been increased to `high`.
|
||||
6
cpp/ql/src/change-notes/released/0.1.3.md
Normal file
6
cpp/ql/src/change-notes/released/0.1.3.md
Normal file
@@ -0,0 +1,6 @@
|
||||
## 0.1.3
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The "XML external entity expansion" (`cpp/external-entity-expansion`) query precision has been increased to `high`.
|
||||
* The `cpp/unused-local-variable` no longer ignores functions that include `if` and `switch` statements with C++17-style initializers.
|
||||
1
cpp/ql/src/change-notes/released/0.1.4.md
Normal file
1
cpp/ql/src/change-notes/released/0.1.4.md
Normal file
@@ -0,0 +1 @@
|
||||
## 0.1.4
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.1.2
|
||||
lastReleaseVersion: 0.1.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-queries
|
||||
version: 0.1.3-dev
|
||||
version: 0.1.4
|
||||
groups:
|
||||
- cpp
|
||||
- queries
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 1.1.4
|
||||
|
||||
## 1.1.3
|
||||
|
||||
## 1.1.2
|
||||
|
||||
## 1.1.1
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
## 1.1.3
|
||||
@@ -0,0 +1 @@
|
||||
## 1.1.4
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.1.2
|
||||
lastReleaseVersion: 1.1.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-all
|
||||
version: 1.1.3-dev
|
||||
version: 1.1.4
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 1.1.4
|
||||
|
||||
## 1.1.3
|
||||
|
||||
## 1.1.2
|
||||
|
||||
## 1.1.1
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
## 1.1.3
|
||||
@@ -0,0 +1 @@
|
||||
## 1.1.4
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.1.2
|
||||
lastReleaseVersion: 1.1.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-queries
|
||||
version: 1.1.3-dev
|
||||
version: 1.1.4
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 0.2.3
|
||||
|
||||
## 0.2.2
|
||||
|
||||
## 0.2.1
|
||||
|
||||
## 0.2.0
|
||||
|
||||
1
csharp/ql/lib/change-notes/released/0.2.2.md
Normal file
1
csharp/ql/lib/change-notes/released/0.2.2.md
Normal file
@@ -0,0 +1 @@
|
||||
## 0.2.2
|
||||
1
csharp/ql/lib/change-notes/released/0.2.3.md
Normal file
1
csharp/ql/lib/change-notes/released/0.2.3.md
Normal file
@@ -0,0 +1 @@
|
||||
## 0.2.3
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.2.1
|
||||
lastReleaseVersion: 0.2.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-all
|
||||
version: 0.2.2-dev
|
||||
version: 0.2.3
|
||||
groups: csharp
|
||||
dbscheme: semmlecode.csharp.dbscheme
|
||||
extractor: csharp
|
||||
|
||||
@@ -86,7 +86,6 @@ private import internal.FlowSummaryImplSpecific
|
||||
*/
|
||||
private module Frameworks {
|
||||
private import semmle.code.csharp.frameworks.EntityFramework
|
||||
private import semmle.code.csharp.frameworks.Generated
|
||||
private import semmle.code.csharp.frameworks.JsonNET
|
||||
private import semmle.code.csharp.frameworks.microsoft.extensions.Primitives
|
||||
private import semmle.code.csharp.frameworks.microsoft.VisualBasic
|
||||
|
||||
@@ -777,10 +777,10 @@ module Private {
|
||||
predicate prohibitsUseUseFlow(ArgNode arg, SummarizedCallable sc) {
|
||||
exists(ParamNode p, Node mid, ParameterPosition ppos, Node ret |
|
||||
p = summaryArgParam0(_, arg, sc) and
|
||||
p.isParameterOf(_, ppos) and
|
||||
p.isParameterOf(_, pragma[only_bind_into](ppos)) and
|
||||
summaryLocalStep(p, mid, true) and
|
||||
summaryLocalStep(mid, ret, true) and
|
||||
isParameterPostUpdate(ret, _, ppos)
|
||||
isParameterPostUpdate(ret, _, pragma[only_bind_into](ppos))
|
||||
|
|
||||
summaryClearsContent(mid, _) or
|
||||
summaryExpectsContent(mid, _)
|
||||
|
||||
@@ -1,9 +0,0 @@
|
||||
/**
|
||||
* A module importing all generated Models as Data models.
|
||||
*/
|
||||
|
||||
import csharp
|
||||
|
||||
private module GeneratedFrameworks {
|
||||
private import generated.dotnet.Runtime
|
||||
}
|
||||
File diff suppressed because it is too large
Load Diff
@@ -1,3 +1,7 @@
|
||||
## 0.1.4
|
||||
|
||||
## 0.1.3
|
||||
|
||||
## 0.1.2
|
||||
|
||||
## 0.1.1
|
||||
|
||||
@@ -28,6 +28,13 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
|
||||
exists(Expr exceptionExpr |
|
||||
// Writing an exception directly is bad
|
||||
source.asExpr() = exceptionExpr
|
||||
or
|
||||
// Writing an exception property is bad
|
||||
source.asExpr().(PropertyAccess).getQualifier() = exceptionExpr
|
||||
or
|
||||
// Writing the result of ToString is bad
|
||||
source.asExpr() =
|
||||
any(MethodCall mc | mc.getQualifier() = exceptionExpr and mc.getTarget().hasName("ToString"))
|
||||
|
|
||||
// Expr has type `System.Exception`.
|
||||
exceptionExpr.getType().(RefType).getABaseType*() instanceof SystemExceptionClass and
|
||||
@@ -40,26 +47,12 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node source, DataFlow::Node sink) {
|
||||
sink.asExpr() =
|
||||
any(MethodCall mc |
|
||||
source.asExpr() = mc.getQualifier() and
|
||||
mc.getTarget().hasName("ToString") and
|
||||
mc.getQualifier().getType().(RefType).getABaseType*() instanceof SystemExceptionClass
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof RemoteFlowSink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node sanitizer) {
|
||||
// Do not flow through Message
|
||||
sanitizer.asExpr() = any(SystemExceptionClass se).getProperty("Message").getAnAccess()
|
||||
}
|
||||
|
||||
override predicate isSanitizerIn(DataFlow::Node sanitizer) {
|
||||
// Do not flow through Message
|
||||
sanitizer.asExpr().getType().(RefType).getABaseType*() instanceof SystemExceptionClass
|
||||
}
|
||||
}
|
||||
|
||||
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
1
csharp/ql/src/change-notes/released/0.1.3.md
Normal file
1
csharp/ql/src/change-notes/released/0.1.3.md
Normal file
@@ -0,0 +1 @@
|
||||
## 0.1.3
|
||||
1
csharp/ql/src/change-notes/released/0.1.4.md
Normal file
1
csharp/ql/src/change-notes/released/0.1.4.md
Normal file
@@ -0,0 +1 @@
|
||||
## 0.1.4
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.1.2
|
||||
lastReleaseVersion: 0.1.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-queries
|
||||
version: 0.1.3-dev
|
||||
version: 0.1.4
|
||||
groups:
|
||||
- csharp
|
||||
- queries
|
||||
|
||||
@@ -206,9 +206,7 @@
|
||||
| CSharp7.cs:283:13:283:62 | SSA def(list) | CSharp7.cs:285:39:285:42 | access to local variable list |
|
||||
| CSharp7.cs:283:20:283:62 | call to method Select<KeyValuePair<Int32,String>,(Int32,String)> | CSharp7.cs:283:13:283:62 | SSA def(list) |
|
||||
| CSharp7.cs:283:32:283:35 | item | CSharp7.cs:283:41:283:44 | access to parameter item |
|
||||
| CSharp7.cs:283:41:283:44 | access to parameter item | CSharp7.cs:283:41:283:48 | access to property Key |
|
||||
| CSharp7.cs:283:41:283:44 | access to parameter item | CSharp7.cs:283:51:283:54 | access to parameter item |
|
||||
| CSharp7.cs:283:51:283:54 | access to parameter item | CSharp7.cs:283:51:283:60 | access to property Value |
|
||||
| CSharp7.cs:285:39:285:42 | access to local variable list | CSharp7.cs:287:36:287:39 | access to local variable list |
|
||||
| CSharp7.cs:287:36:287:39 | access to local variable list | CSharp7.cs:289:32:289:35 | access to local variable list |
|
||||
| CSharp7.cs:297:18:297:22 | SSA def(x) | CSharp7.cs:297:25:297:25 | SSA phi(x) |
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -1,2 +1,3 @@
|
||||
| System.Collections.Specialized.NameValueCollection.get_Item(string) [qualifier] | 1 | 1 |
|
||||
| System.Web.HttpRequest.get_QueryString() [qualifier] | 1 | 1 |
|
||||
| System.Web.HttpResponse.Write(string) [param 0] | 1 | 1 |
|
||||
|
||||
@@ -1,13 +1,12 @@
|
||||
edges
|
||||
| UntrustedData.cs:9:20:9:42 | access to property QueryString : NameValueCollection | UntrustedData.cs:9:20:9:50 | access to indexer : String |
|
||||
| UntrustedData.cs:9:20:9:42 | access to property QueryString : NameValueCollection | UntrustedData.cs:13:28:13:31 | access to local variable name |
|
||||
| UntrustedData.cs:9:20:9:50 | access to indexer : String | UntrustedData.cs:13:28:13:31 | access to local variable name |
|
||||
nodes
|
||||
| UntrustedData.cs:9:20:9:30 | access to property Request | semmle.label | access to property Request |
|
||||
| UntrustedData.cs:9:20:9:42 | access to property QueryString | semmle.label | access to property QueryString |
|
||||
| UntrustedData.cs:9:20:9:42 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| UntrustedData.cs:9:20:9:50 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| UntrustedData.cs:13:28:13:31 | access to local variable name | semmle.label | access to local variable name |
|
||||
subpaths
|
||||
#select
|
||||
| UntrustedData.cs:9:20:9:30 | access to property Request | UntrustedData.cs:9:20:9:30 | access to property Request | UntrustedData.cs:9:20:9:30 | access to property Request | Call to System.Web.HttpRequest.get_QueryString with untrusted data from $@. | UntrustedData.cs:9:20:9:30 | access to property Request | access to property Request |
|
||||
| UntrustedData.cs:9:20:9:42 | access to property QueryString | UntrustedData.cs:9:20:9:42 | access to property QueryString | UntrustedData.cs:9:20:9:42 | access to property QueryString | Call to System.Collections.Specialized.NameValueCollection.get_Item with untrusted data from $@. | UntrustedData.cs:9:20:9:42 | access to property QueryString | access to property QueryString |
|
||||
| UntrustedData.cs:13:28:13:31 | access to local variable name | UntrustedData.cs:9:20:9:42 | access to property QueryString : NameValueCollection | UntrustedData.cs:13:28:13:31 | access to local variable name | Call to System.Web.HttpResponse.Write with untrusted data from $@. | UntrustedData.cs:9:20:9:42 | access to property QueryString : NameValueCollection | access to property QueryString : NameValueCollection |
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
edges
|
||||
| TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:10:23:10:53 | access to indexer : String |
|
||||
| TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:12:50:12:53 | access to local variable path |
|
||||
| TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:17:51:17:54 | access to local variable path |
|
||||
| TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:25:30:25:33 | access to local variable path |
|
||||
@@ -7,16 +6,8 @@ edges
|
||||
| TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:36:25:36:31 | access to local variable badPath |
|
||||
| TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:38:49:38:55 | access to local variable badPath |
|
||||
| TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:51:26:51:29 | access to local variable path |
|
||||
| TaintedPath.cs:10:23:10:53 | access to indexer : String | TaintedPath.cs:12:50:12:53 | access to local variable path |
|
||||
| TaintedPath.cs:10:23:10:53 | access to indexer : String | TaintedPath.cs:17:51:17:54 | access to local variable path |
|
||||
| TaintedPath.cs:10:23:10:53 | access to indexer : String | TaintedPath.cs:25:30:25:33 | access to local variable path |
|
||||
| TaintedPath.cs:10:23:10:53 | access to indexer : String | TaintedPath.cs:31:30:31:33 | access to local variable path |
|
||||
| TaintedPath.cs:10:23:10:53 | access to indexer : String | TaintedPath.cs:36:25:36:31 | access to local variable badPath |
|
||||
| TaintedPath.cs:10:23:10:53 | access to indexer : String | TaintedPath.cs:38:49:38:55 | access to local variable badPath |
|
||||
| TaintedPath.cs:10:23:10:53 | access to indexer : String | TaintedPath.cs:51:26:51:29 | access to local variable path |
|
||||
nodes
|
||||
| TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| TaintedPath.cs:10:23:10:53 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| TaintedPath.cs:12:50:12:53 | access to local variable path | semmle.label | access to local variable path |
|
||||
| TaintedPath.cs:17:51:17:54 | access to local variable path | semmle.label | access to local variable path |
|
||||
| TaintedPath.cs:25:30:25:33 | access to local variable path | semmle.label | access to local variable path |
|
||||
|
||||
@@ -3,53 +3,26 @@ edges
|
||||
| CommandInjection.cs:25:32:25:51 | access to property Text : String | CommandInjection.cs:26:27:26:47 | ... + ... |
|
||||
| CommandInjection.cs:25:32:25:51 | access to property Text : String | CommandInjection.cs:26:50:26:66 | ... + ... |
|
||||
| CommandInjection.cs:25:32:25:51 | access to property Text : String | CommandInjection.cs:28:63:28:71 | access to local variable userInput |
|
||||
| CommandInjection.cs:25:32:25:51 | access to property Text : String | CommandInjection.cs:28:63:28:71 | access to local variable userInput : String |
|
||||
| CommandInjection.cs:25:32:25:51 | access to property Text : String | CommandInjection.cs:28:74:28:82 | access to local variable userInput |
|
||||
| CommandInjection.cs:25:32:25:51 | access to property Text : String | CommandInjection.cs:28:74:28:82 | access to local variable userInput : String |
|
||||
| CommandInjection.cs:25:32:25:51 | access to property Text : String | CommandInjection.cs:32:39:32:47 | access to local variable userInput |
|
||||
| CommandInjection.cs:25:32:25:51 | access to property Text : String | CommandInjection.cs:32:39:32:47 | access to local variable userInput : String |
|
||||
| CommandInjection.cs:25:32:25:51 | access to property Text : String | CommandInjection.cs:33:40:33:48 | access to local variable userInput |
|
||||
| CommandInjection.cs:25:32:25:51 | access to property Text : String | CommandInjection.cs:33:40:33:48 | access to local variable userInput : String |
|
||||
| CommandInjection.cs:25:32:25:51 | access to property Text : String | CommandInjection.cs:34:47:34:55 | access to local variable userInput |
|
||||
| CommandInjection.cs:25:32:25:51 | access to property Text : String | CommandInjection.cs:34:47:34:55 | access to local variable userInput : String |
|
||||
| CommandInjection.cs:28:42:28:83 | object creation of type ProcessStartInfo : ProcessStartInfo | CommandInjection.cs:29:27:29:35 | access to local variable startInfo |
|
||||
| CommandInjection.cs:28:63:28:71 | access to local variable userInput : String | CommandInjection.cs:28:42:28:83 | object creation of type ProcessStartInfo : ProcessStartInfo |
|
||||
| CommandInjection.cs:28:74:28:82 | access to local variable userInput : String | CommandInjection.cs:28:42:28:83 | object creation of type ProcessStartInfo : ProcessStartInfo |
|
||||
| CommandInjection.cs:32:13:32:26 | [post] access to local variable startInfoProps : ProcessStartInfo | CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps |
|
||||
| CommandInjection.cs:32:39:32:47 | access to local variable userInput : String | CommandInjection.cs:32:13:32:26 | [post] access to local variable startInfoProps : ProcessStartInfo |
|
||||
| CommandInjection.cs:33:13:33:26 | [post] access to local variable startInfoProps : ProcessStartInfo | CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps |
|
||||
| CommandInjection.cs:33:40:33:48 | access to local variable userInput : String | CommandInjection.cs:33:13:33:26 | [post] access to local variable startInfoProps : ProcessStartInfo |
|
||||
| CommandInjection.cs:34:13:34:26 | [post] access to local variable startInfoProps : ProcessStartInfo | CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps |
|
||||
| CommandInjection.cs:34:47:34:55 | access to local variable userInput : String | CommandInjection.cs:34:13:34:26 | [post] access to local variable startInfoProps : ProcessStartInfo |
|
||||
nodes
|
||||
| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | semmle.label | access to field categoryTextBox : TextBox |
|
||||
| CommandInjection.cs:25:32:25:51 | access to property Text : String | semmle.label | access to property Text : String |
|
||||
| CommandInjection.cs:26:27:26:47 | ... + ... | semmle.label | ... + ... |
|
||||
| CommandInjection.cs:26:50:26:66 | ... + ... | semmle.label | ... + ... |
|
||||
| CommandInjection.cs:28:42:28:83 | object creation of type ProcessStartInfo : ProcessStartInfo | semmle.label | object creation of type ProcessStartInfo : ProcessStartInfo |
|
||||
| CommandInjection.cs:28:63:28:71 | access to local variable userInput | semmle.label | access to local variable userInput |
|
||||
| CommandInjection.cs:28:63:28:71 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
|
||||
| CommandInjection.cs:28:74:28:82 | access to local variable userInput | semmle.label | access to local variable userInput |
|
||||
| CommandInjection.cs:28:74:28:82 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
|
||||
| CommandInjection.cs:29:27:29:35 | access to local variable startInfo | semmle.label | access to local variable startInfo |
|
||||
| CommandInjection.cs:32:13:32:26 | [post] access to local variable startInfoProps : ProcessStartInfo | semmle.label | [post] access to local variable startInfoProps : ProcessStartInfo |
|
||||
| CommandInjection.cs:32:39:32:47 | access to local variable userInput | semmle.label | access to local variable userInput |
|
||||
| CommandInjection.cs:32:39:32:47 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
|
||||
| CommandInjection.cs:33:13:33:26 | [post] access to local variable startInfoProps : ProcessStartInfo | semmle.label | [post] access to local variable startInfoProps : ProcessStartInfo |
|
||||
| CommandInjection.cs:33:40:33:48 | access to local variable userInput | semmle.label | access to local variable userInput |
|
||||
| CommandInjection.cs:33:40:33:48 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
|
||||
| CommandInjection.cs:34:13:34:26 | [post] access to local variable startInfoProps : ProcessStartInfo | semmle.label | [post] access to local variable startInfoProps : ProcessStartInfo |
|
||||
| CommandInjection.cs:34:47:34:55 | access to local variable userInput | semmle.label | access to local variable userInput |
|
||||
| CommandInjection.cs:34:47:34:55 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
|
||||
| CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps | semmle.label | access to local variable startInfoProps |
|
||||
subpaths
|
||||
#select
|
||||
| CommandInjection.cs:26:27:26:47 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:26:27:26:47 | ... + ... | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
|
||||
| CommandInjection.cs:26:50:26:66 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:26:50:26:66 | ... + ... | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
|
||||
| CommandInjection.cs:28:63:28:71 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:28:63:28:71 | access to local variable userInput | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
|
||||
| CommandInjection.cs:28:74:28:82 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:28:74:28:82 | access to local variable userInput | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
|
||||
| CommandInjection.cs:29:27:29:35 | access to local variable startInfo | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:29:27:29:35 | access to local variable startInfo | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
|
||||
| CommandInjection.cs:32:39:32:47 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:32:39:32:47 | access to local variable userInput | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
|
||||
| CommandInjection.cs:33:40:33:48 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:33:40:33:48 | access to local variable userInput | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
|
||||
| CommandInjection.cs:34:47:34:55 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:34:47:34:55 | access to local variable userInput | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
|
||||
| CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
|
||||
|
||||
@@ -7,24 +7,13 @@ edges
|
||||
| XSS.cs:26:32:26:40 | access to local variable userInput [element] : String | XSS.cs:26:32:26:51 | call to method ToString |
|
||||
| XSS.cs:27:29:27:37 | access to local variable userInput [element] : String | XSS.cs:27:29:27:48 | call to method ToString |
|
||||
| XSS.cs:28:26:28:34 | access to local variable userInput [element] : String | XSS.cs:28:26:28:45 | call to method ToString |
|
||||
| XSS.cs:37:27:37:53 | access to property QueryString : NameValueCollection | XSS.cs:37:27:37:61 | access to indexer : String |
|
||||
| XSS.cs:37:27:37:53 | access to property QueryString : NameValueCollection | XSS.cs:38:36:38:39 | access to local variable name |
|
||||
| XSS.cs:37:27:37:61 | access to indexer : String | XSS.cs:38:36:38:39 | access to local variable name |
|
||||
| XSS.cs:57:27:57:65 | access to property QueryString : NameValueCollection | XSS.cs:57:27:57:73 | access to indexer : String |
|
||||
| XSS.cs:57:27:57:65 | access to property QueryString : NameValueCollection | XSS.cs:59:22:59:25 | access to local variable name |
|
||||
| XSS.cs:57:27:57:73 | access to indexer : String | XSS.cs:59:22:59:25 | access to local variable name |
|
||||
| XSS.cs:75:27:75:53 | access to property QueryString : NameValueCollection | XSS.cs:75:27:75:61 | access to indexer : String |
|
||||
| XSS.cs:75:27:75:53 | access to property QueryString : NameValueCollection | XSS.cs:76:36:76:39 | access to local variable name |
|
||||
| XSS.cs:75:27:75:61 | access to indexer : String | XSS.cs:76:36:76:39 | access to local variable name |
|
||||
| XSS.cs:78:28:78:42 | access to property Request : HttpRequestBase | XSS.cs:79:36:79:40 | access to local variable name2 |
|
||||
| XSS.cs:85:27:85:53 | access to property QueryString : NameValueCollection | XSS.cs:85:27:85:61 | access to indexer : String |
|
||||
| XSS.cs:85:27:85:53 | access to property QueryString : NameValueCollection | XSS.cs:86:28:86:31 | access to local variable name |
|
||||
| XSS.cs:85:27:85:53 | access to property QueryString : NameValueCollection | XSS.cs:87:31:87:34 | access to local variable name |
|
||||
| XSS.cs:85:27:85:61 | access to indexer : String | XSS.cs:86:28:86:31 | access to local variable name |
|
||||
| XSS.cs:85:27:85:61 | access to indexer : String | XSS.cs:87:31:87:34 | access to local variable name |
|
||||
| XSS.cs:94:27:94:53 | access to property QueryString : NameValueCollection | XSS.cs:94:27:94:61 | access to indexer : String |
|
||||
| XSS.cs:94:27:94:53 | access to property QueryString : NameValueCollection | XSS.cs:95:31:95:34 | access to local variable name |
|
||||
| XSS.cs:94:27:94:61 | access to indexer : String | XSS.cs:95:31:95:34 | access to local variable name |
|
||||
| script.aspx:12:1:12:14 | <%= ... %> | script.aspx:12:1:12:14 | <%= ... %> |
|
||||
| script.aspx:16:1:16:34 | <%= ... %> | script.aspx:16:1:16:34 | <%= ... %> |
|
||||
| script.aspx:20:1:20:41 | <%= ... %> | script.aspx:20:1:20:41 | <%= ... %> |
|
||||
@@ -39,22 +28,17 @@ nodes
|
||||
| XSS.cs:28:26:28:34 | access to local variable userInput [element] : String | semmle.label | access to local variable userInput [element] : String |
|
||||
| XSS.cs:28:26:28:45 | call to method ToString | semmle.label | call to method ToString |
|
||||
| XSS.cs:37:27:37:53 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| XSS.cs:37:27:37:61 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| XSS.cs:38:36:38:39 | access to local variable name | semmle.label | access to local variable name |
|
||||
| XSS.cs:57:27:57:65 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| XSS.cs:57:27:57:73 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| XSS.cs:59:22:59:25 | access to local variable name | semmle.label | access to local variable name |
|
||||
| XSS.cs:75:27:75:53 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| XSS.cs:75:27:75:61 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| XSS.cs:76:36:76:39 | access to local variable name | semmle.label | access to local variable name |
|
||||
| XSS.cs:78:28:78:42 | access to property Request : HttpRequestBase | semmle.label | access to property Request : HttpRequestBase |
|
||||
| XSS.cs:79:36:79:40 | access to local variable name2 | semmle.label | access to local variable name2 |
|
||||
| XSS.cs:85:27:85:53 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| XSS.cs:85:27:85:61 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| XSS.cs:86:28:86:31 | access to local variable name | semmle.label | access to local variable name |
|
||||
| XSS.cs:87:31:87:34 | access to local variable name | semmle.label | access to local variable name |
|
||||
| XSS.cs:94:27:94:53 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| XSS.cs:94:27:94:61 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| XSS.cs:95:31:95:34 | access to local variable name | semmle.label | access to local variable name |
|
||||
| XSS.cs:134:20:134:33 | access to property RawUrl | semmle.label | access to property RawUrl |
|
||||
| script.aspx:12:1:12:14 | <%= ... %> | semmle.label | <%= ... %> |
|
||||
|
||||
@@ -1,9 +1,6 @@
|
||||
edges
|
||||
| XSSAspNet.cs:19:25:19:43 | access to property QueryString : NameValueCollection | XSSAspNet.cs:19:25:19:52 | access to indexer : String |
|
||||
| XSSAspNet.cs:19:25:19:43 | access to property QueryString : NameValueCollection | XSSAspNet.cs:26:30:26:34 | access to local variable sayHi |
|
||||
| XSSAspNet.cs:19:25:19:43 | access to property QueryString : NameValueCollection | XSSAspNet.cs:36:40:36:44 | access to local variable sayHi |
|
||||
| XSSAspNet.cs:19:25:19:52 | access to indexer : String | XSSAspNet.cs:26:30:26:34 | access to local variable sayHi |
|
||||
| XSSAspNet.cs:19:25:19:52 | access to indexer : String | XSSAspNet.cs:36:40:36:44 | access to local variable sayHi |
|
||||
| XSSAspNet.cs:43:28:43:46 | access to property QueryString : NameValueCollection | XSSAspNet.cs:43:28:43:55 | access to indexer |
|
||||
| XSSAspNetCore.cs:21:52:21:64 | access to property Query : IQueryCollection | XSSAspNetCore.cs:21:52:21:76 | call to operator implicit conversion |
|
||||
| XSSAspNetCore.cs:40:56:40:58 | foo : String | XSSAspNetCore.cs:44:51:44:53 | access to parameter foo |
|
||||
@@ -15,7 +12,6 @@ edges
|
||||
| XSSAspNetCore.cs:72:51:72:65 | access to property Headers : IHeaderDictionary | XSSAspNetCore.cs:72:51:72:72 | call to operator implicit conversion |
|
||||
nodes
|
||||
| XSSAspNet.cs:19:25:19:43 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| XSSAspNet.cs:19:25:19:52 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| XSSAspNet.cs:26:30:26:34 | access to local variable sayHi | semmle.label | access to local variable sayHi |
|
||||
| XSSAspNet.cs:36:40:36:44 | access to local variable sayHi | semmle.label | access to local variable sayHi |
|
||||
| XSSAspNet.cs:43:28:43:46 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
|
||||
@@ -1,20 +1,12 @@
|
||||
edges
|
||||
| LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:11:27:11:61 | access to indexer : String |
|
||||
| LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:14:54:14:78 | ... + ... |
|
||||
| LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:16:21:16:45 | ... + ... |
|
||||
| LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:23:21:23:45 | ... + ... |
|
||||
| LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:24:53:24:77 | ... + ... |
|
||||
| LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:27:48:27:70 | ... + ... |
|
||||
| LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:29:20:29:42 | ... + ... |
|
||||
| LDAPInjection.cs:11:27:11:61 | access to indexer : String | LDAPInjection.cs:14:54:14:78 | ... + ... |
|
||||
| LDAPInjection.cs:11:27:11:61 | access to indexer : String | LDAPInjection.cs:16:21:16:45 | ... + ... |
|
||||
| LDAPInjection.cs:11:27:11:61 | access to indexer : String | LDAPInjection.cs:23:21:23:45 | ... + ... |
|
||||
| LDAPInjection.cs:11:27:11:61 | access to indexer : String | LDAPInjection.cs:24:53:24:77 | ... + ... |
|
||||
| LDAPInjection.cs:11:27:11:61 | access to indexer : String | LDAPInjection.cs:27:48:27:70 | ... + ... |
|
||||
| LDAPInjection.cs:11:27:11:61 | access to indexer : String | LDAPInjection.cs:29:20:29:42 | ... + ... |
|
||||
nodes
|
||||
| LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| LDAPInjection.cs:11:27:11:61 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| LDAPInjection.cs:14:54:14:78 | ... + ... | semmle.label | ... + ... |
|
||||
| LDAPInjection.cs:16:21:16:45 | ... + ... | semmle.label | ... + ... |
|
||||
| LDAPInjection.cs:23:21:23:45 | ... + ... | semmle.label | ... + ... |
|
||||
|
||||
@@ -1,10 +1,7 @@
|
||||
edges
|
||||
| Test.cs:8:27:8:49 | access to property QueryString : NameValueCollection | Test.cs:8:27:8:65 | access to indexer : String |
|
||||
| Test.cs:8:27:8:49 | access to property QueryString : NameValueCollection | Test.cs:15:25:15:80 | ... + ... |
|
||||
| Test.cs:8:27:8:65 | access to indexer : String | Test.cs:15:25:15:80 | ... + ... |
|
||||
nodes
|
||||
| Test.cs:8:27:8:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| Test.cs:8:27:8:65 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| Test.cs:15:25:15:80 | ... + ... | semmle.label | ... + ... |
|
||||
subpaths
|
||||
#select
|
||||
|
||||
@@ -1,12 +1,8 @@
|
||||
edges
|
||||
| CodeInjection.cs:23:23:23:45 | access to property QueryString : NameValueCollection | CodeInjection.cs:23:23:23:53 | access to indexer : String |
|
||||
| CodeInjection.cs:23:23:23:45 | access to property QueryString : NameValueCollection | CodeInjection.cs:29:64:29:67 | access to local variable code |
|
||||
| CodeInjection.cs:23:23:23:45 | access to property QueryString : NameValueCollection | CodeInjection.cs:40:36:40:39 | access to local variable code |
|
||||
| CodeInjection.cs:23:23:23:53 | access to indexer : String | CodeInjection.cs:29:64:29:67 | access to local variable code |
|
||||
| CodeInjection.cs:23:23:23:53 | access to indexer : String | CodeInjection.cs:40:36:40:39 | access to local variable code |
|
||||
nodes
|
||||
| CodeInjection.cs:23:23:23:45 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| CodeInjection.cs:23:23:23:53 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| CodeInjection.cs:29:64:29:67 | access to local variable code | semmle.label | access to local variable code |
|
||||
| CodeInjection.cs:40:36:40:39 | access to local variable code | semmle.label | access to local variable code |
|
||||
| CodeInjection.cs:56:36:56:44 | access to property Text | semmle.label | access to property Text |
|
||||
|
||||
@@ -1,12 +1,8 @@
|
||||
edges
|
||||
| ResourceInjection.cs:8:27:8:49 | access to property QueryString : NameValueCollection | ResourceInjection.cs:8:27:8:61 | access to indexer : String |
|
||||
| ResourceInjection.cs:8:27:8:49 | access to property QueryString : NameValueCollection | ResourceInjection.cs:11:57:11:72 | access to local variable connectionString |
|
||||
| ResourceInjection.cs:8:27:8:49 | access to property QueryString : NameValueCollection | ResourceInjection.cs:13:42:13:57 | access to local variable connectionString |
|
||||
| ResourceInjection.cs:8:27:8:61 | access to indexer : String | ResourceInjection.cs:11:57:11:72 | access to local variable connectionString |
|
||||
| ResourceInjection.cs:8:27:8:61 | access to indexer : String | ResourceInjection.cs:13:42:13:57 | access to local variable connectionString |
|
||||
nodes
|
||||
| ResourceInjection.cs:8:27:8:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| ResourceInjection.cs:8:27:8:61 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| ResourceInjection.cs:11:57:11:72 | access to local variable connectionString | semmle.label | access to local variable connectionString |
|
||||
| ResourceInjection.cs:13:42:13:57 | access to local variable connectionString | semmle.label | access to local variable connectionString |
|
||||
subpaths
|
||||
|
||||
@@ -1,15 +1,9 @@
|
||||
edges
|
||||
| MissingXMLValidation.cs:12:34:12:56 | access to property QueryString : NameValueCollection | MissingXMLValidation.cs:12:34:12:75 | access to indexer : String |
|
||||
| MissingXMLValidation.cs:12:34:12:56 | access to property QueryString : NameValueCollection | MissingXMLValidation.cs:16:43:16:57 | access to local variable userProvidedXml : String |
|
||||
| MissingXMLValidation.cs:12:34:12:56 | access to property QueryString : NameValueCollection | MissingXMLValidation.cs:21:43:21:57 | access to local variable userProvidedXml : String |
|
||||
| MissingXMLValidation.cs:12:34:12:56 | access to property QueryString : NameValueCollection | MissingXMLValidation.cs:27:43:27:57 | access to local variable userProvidedXml : String |
|
||||
| MissingXMLValidation.cs:12:34:12:56 | access to property QueryString : NameValueCollection | MissingXMLValidation.cs:35:43:35:57 | access to local variable userProvidedXml : String |
|
||||
| MissingXMLValidation.cs:12:34:12:56 | access to property QueryString : NameValueCollection | MissingXMLValidation.cs:45:43:45:57 | access to local variable userProvidedXml : String |
|
||||
| MissingXMLValidation.cs:12:34:12:75 | access to indexer : String | MissingXMLValidation.cs:16:43:16:57 | access to local variable userProvidedXml : String |
|
||||
| MissingXMLValidation.cs:12:34:12:75 | access to indexer : String | MissingXMLValidation.cs:21:43:21:57 | access to local variable userProvidedXml : String |
|
||||
| MissingXMLValidation.cs:12:34:12:75 | access to indexer : String | MissingXMLValidation.cs:27:43:27:57 | access to local variable userProvidedXml : String |
|
||||
| MissingXMLValidation.cs:12:34:12:75 | access to indexer : String | MissingXMLValidation.cs:35:43:35:57 | access to local variable userProvidedXml : String |
|
||||
| MissingXMLValidation.cs:12:34:12:75 | access to indexer : String | MissingXMLValidation.cs:45:43:45:57 | access to local variable userProvidedXml : String |
|
||||
| MissingXMLValidation.cs:16:43:16:57 | access to local variable userProvidedXml : String | MissingXMLValidation.cs:16:26:16:58 | object creation of type StringReader |
|
||||
| MissingXMLValidation.cs:21:43:21:57 | access to local variable userProvidedXml : String | MissingXMLValidation.cs:21:26:21:58 | object creation of type StringReader |
|
||||
| MissingXMLValidation.cs:27:43:27:57 | access to local variable userProvidedXml : String | MissingXMLValidation.cs:27:26:27:58 | object creation of type StringReader |
|
||||
@@ -17,7 +11,6 @@ edges
|
||||
| MissingXMLValidation.cs:45:43:45:57 | access to local variable userProvidedXml : String | MissingXMLValidation.cs:45:26:45:58 | object creation of type StringReader |
|
||||
nodes
|
||||
| MissingXMLValidation.cs:12:34:12:56 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| MissingXMLValidation.cs:12:34:12:75 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| MissingXMLValidation.cs:16:26:16:58 | object creation of type StringReader | semmle.label | object creation of type StringReader |
|
||||
| MissingXMLValidation.cs:16:43:16:57 | access to local variable userProvidedXml : String | semmle.label | access to local variable userProvidedXml : String |
|
||||
| MissingXMLValidation.cs:21:26:21:58 | object creation of type StringReader | semmle.label | object creation of type StringReader |
|
||||
|
||||
@@ -1,12 +1,8 @@
|
||||
edges
|
||||
| LogForging.cs:17:27:17:49 | access to property QueryString : NameValueCollection | LogForging.cs:17:27:17:61 | access to indexer : String |
|
||||
| LogForging.cs:17:27:17:49 | access to property QueryString : NameValueCollection | LogForging.cs:20:21:20:43 | ... + ... |
|
||||
| LogForging.cs:17:27:17:49 | access to property QueryString : NameValueCollection | LogForging.cs:26:50:26:72 | ... + ... |
|
||||
| LogForging.cs:17:27:17:61 | access to indexer : String | LogForging.cs:20:21:20:43 | ... + ... |
|
||||
| LogForging.cs:17:27:17:61 | access to indexer : String | LogForging.cs:26:50:26:72 | ... + ... |
|
||||
nodes
|
||||
| LogForging.cs:17:27:17:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| LogForging.cs:17:27:17:61 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| LogForging.cs:20:21:20:43 | ... + ... | semmle.label | ... + ... |
|
||||
| LogForging.cs:26:50:26:72 | ... + ... | semmle.label | ... + ... |
|
||||
subpaths
|
||||
|
||||
@@ -1,23 +1,16 @@
|
||||
edges
|
||||
| ConsoleUncontrolledFormatString.cs:8:22:8:39 | call to method ReadLine : String | ConsoleUncontrolledFormatString.cs:11:31:11:36 | access to local variable format |
|
||||
| UncontrolledFormatString.cs:9:23:9:45 | access to property QueryString : NameValueCollection | UncontrolledFormatString.cs:9:23:9:53 | access to indexer : String |
|
||||
| UncontrolledFormatString.cs:9:23:9:45 | access to property QueryString : NameValueCollection | UncontrolledFormatString.cs:12:23:12:26 | access to local variable path |
|
||||
| UncontrolledFormatString.cs:9:23:9:45 | access to property QueryString : NameValueCollection | UncontrolledFormatString.cs:15:46:15:49 | access to local variable path |
|
||||
| UncontrolledFormatString.cs:9:23:9:53 | access to indexer : String | UncontrolledFormatString.cs:12:23:12:26 | access to local variable path |
|
||||
| UncontrolledFormatString.cs:9:23:9:53 | access to indexer : String | UncontrolledFormatString.cs:15:46:15:49 | access to local variable path |
|
||||
| UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString : NameValueCollection | UncontrolledFormatStringBad.cs:9:25:9:61 | access to indexer : String |
|
||||
| UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString : NameValueCollection | UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format |
|
||||
| UncontrolledFormatStringBad.cs:9:25:9:61 | access to indexer : String | UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format |
|
||||
nodes
|
||||
| ConsoleUncontrolledFormatString.cs:8:22:8:39 | call to method ReadLine : String | semmle.label | call to method ReadLine : String |
|
||||
| ConsoleUncontrolledFormatString.cs:11:31:11:36 | access to local variable format | semmle.label | access to local variable format |
|
||||
| UncontrolledFormatString.cs:9:23:9:45 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| UncontrolledFormatString.cs:9:23:9:53 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| UncontrolledFormatString.cs:12:23:12:26 | access to local variable path | semmle.label | access to local variable path |
|
||||
| UncontrolledFormatString.cs:15:46:15:49 | access to local variable path | semmle.label | access to local variable path |
|
||||
| UncontrolledFormatString.cs:32:23:32:31 | access to property Text | semmle.label | access to property Text |
|
||||
| UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| UncontrolledFormatStringBad.cs:9:25:9:61 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format | semmle.label | access to local variable format |
|
||||
subpaths
|
||||
#select
|
||||
|
||||
@@ -1,30 +1,21 @@
|
||||
edges
|
||||
| ExceptionInformationExposure.cs:19:32:19:33 | access to local variable ex : Exception | ExceptionInformationExposure.cs:19:32:19:44 | call to method ToString |
|
||||
| ExceptionInformationExposure.cs:23:32:23:33 | access to local variable ex : Exception | ExceptionInformationExposure.cs:23:32:23:44 | access to property StackTrace |
|
||||
| ExceptionInformationExposure.cs:39:28:39:44 | access to property InnerException : Exception | ExceptionInformationExposure.cs:39:28:39:55 | access to property StackTrace |
|
||||
| ExceptionInformationExposure.cs:40:28:40:29 | access to local variable ex : Exception | ExceptionInformationExposure.cs:40:28:40:40 | access to property StackTrace |
|
||||
| ExceptionInformationExposure.cs:41:28:41:29 | access to local variable ex : Exception | ExceptionInformationExposure.cs:41:28:41:40 | call to method ToString |
|
||||
| ExceptionInformationExposure.cs:47:28:47:44 | object creation of type MyException : MyException | ExceptionInformationExposure.cs:47:28:47:55 | call to method ToString |
|
||||
| ExceptionInformationExposure.cs:19:32:19:33 | access to local variable ex : Exception | ExceptionInformationExposure.cs:21:32:21:33 | access to local variable ex |
|
||||
nodes
|
||||
| ExceptionInformationExposure.cs:19:32:19:33 | access to local variable ex : Exception | semmle.label | access to local variable ex : Exception |
|
||||
| ExceptionInformationExposure.cs:19:32:19:44 | call to method ToString | semmle.label | call to method ToString |
|
||||
| ExceptionInformationExposure.cs:21:32:21:33 | access to local variable ex | semmle.label | access to local variable ex |
|
||||
| ExceptionInformationExposure.cs:23:32:23:33 | access to local variable ex : Exception | semmle.label | access to local variable ex : Exception |
|
||||
| ExceptionInformationExposure.cs:23:32:23:44 | access to property StackTrace | semmle.label | access to property StackTrace |
|
||||
| ExceptionInformationExposure.cs:39:28:39:44 | access to property InnerException : Exception | semmle.label | access to property InnerException : Exception |
|
||||
| ExceptionInformationExposure.cs:39:28:39:55 | access to property StackTrace | semmle.label | access to property StackTrace |
|
||||
| ExceptionInformationExposure.cs:40:28:40:29 | access to local variable ex : Exception | semmle.label | access to local variable ex : Exception |
|
||||
| ExceptionInformationExposure.cs:40:28:40:40 | access to property StackTrace | semmle.label | access to property StackTrace |
|
||||
| ExceptionInformationExposure.cs:41:28:41:29 | access to local variable ex : Exception | semmle.label | access to local variable ex : Exception |
|
||||
| ExceptionInformationExposure.cs:41:28:41:40 | call to method ToString | semmle.label | call to method ToString |
|
||||
| ExceptionInformationExposure.cs:47:28:47:44 | object creation of type MyException : MyException | semmle.label | object creation of type MyException : MyException |
|
||||
| ExceptionInformationExposure.cs:47:28:47:55 | call to method ToString | semmle.label | call to method ToString |
|
||||
subpaths
|
||||
#select
|
||||
| ExceptionInformationExposure.cs:19:32:19:44 | call to method ToString | ExceptionInformationExposure.cs:19:32:19:33 | access to local variable ex : Exception | ExceptionInformationExposure.cs:19:32:19:44 | call to method ToString | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:19:32:19:33 | access to local variable ex | access to local variable ex : Exception |
|
||||
| ExceptionInformationExposure.cs:19:32:19:44 | call to method ToString | ExceptionInformationExposure.cs:19:32:19:44 | call to method ToString | ExceptionInformationExposure.cs:19:32:19:44 | call to method ToString | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:19:32:19:44 | call to method ToString | call to method ToString |
|
||||
| ExceptionInformationExposure.cs:21:32:21:33 | access to local variable ex | ExceptionInformationExposure.cs:19:32:19:33 | access to local variable ex : Exception | ExceptionInformationExposure.cs:21:32:21:33 | access to local variable ex | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:19:32:19:33 | access to local variable ex | access to local variable ex : Exception |
|
||||
| ExceptionInformationExposure.cs:21:32:21:33 | access to local variable ex | ExceptionInformationExposure.cs:21:32:21:33 | access to local variable ex | ExceptionInformationExposure.cs:21:32:21:33 | access to local variable ex | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:21:32:21:33 | access to local variable ex | access to local variable ex |
|
||||
| ExceptionInformationExposure.cs:23:32:23:44 | access to property StackTrace | ExceptionInformationExposure.cs:23:32:23:33 | access to local variable ex : Exception | ExceptionInformationExposure.cs:23:32:23:44 | access to property StackTrace | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:23:32:23:33 | access to local variable ex | access to local variable ex : Exception |
|
||||
| ExceptionInformationExposure.cs:39:28:39:55 | access to property StackTrace | ExceptionInformationExposure.cs:39:28:39:44 | access to property InnerException : Exception | ExceptionInformationExposure.cs:39:28:39:55 | access to property StackTrace | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:39:28:39:44 | access to property InnerException | access to property InnerException : Exception |
|
||||
| ExceptionInformationExposure.cs:40:28:40:40 | access to property StackTrace | ExceptionInformationExposure.cs:40:28:40:29 | access to local variable ex : Exception | ExceptionInformationExposure.cs:40:28:40:40 | access to property StackTrace | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:40:28:40:29 | access to local variable ex | access to local variable ex : Exception |
|
||||
| ExceptionInformationExposure.cs:41:28:41:40 | call to method ToString | ExceptionInformationExposure.cs:41:28:41:29 | access to local variable ex : Exception | ExceptionInformationExposure.cs:41:28:41:40 | call to method ToString | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:41:28:41:29 | access to local variable ex | access to local variable ex : Exception |
|
||||
| ExceptionInformationExposure.cs:47:28:47:55 | call to method ToString | ExceptionInformationExposure.cs:47:28:47:44 | object creation of type MyException : MyException | ExceptionInformationExposure.cs:47:28:47:55 | call to method ToString | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:47:28:47:44 | object creation of type MyException | object creation of type MyException : MyException |
|
||||
| ExceptionInformationExposure.cs:23:32:23:44 | access to property StackTrace | ExceptionInformationExposure.cs:23:32:23:44 | access to property StackTrace | ExceptionInformationExposure.cs:23:32:23:44 | access to property StackTrace | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:23:32:23:44 | access to property StackTrace | access to property StackTrace |
|
||||
| ExceptionInformationExposure.cs:39:28:39:55 | access to property StackTrace | ExceptionInformationExposure.cs:39:28:39:55 | access to property StackTrace | ExceptionInformationExposure.cs:39:28:39:55 | access to property StackTrace | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:39:28:39:55 | access to property StackTrace | access to property StackTrace |
|
||||
| ExceptionInformationExposure.cs:40:28:40:40 | access to property StackTrace | ExceptionInformationExposure.cs:40:28:40:40 | access to property StackTrace | ExceptionInformationExposure.cs:40:28:40:40 | access to property StackTrace | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:40:28:40:40 | access to property StackTrace | access to property StackTrace |
|
||||
| ExceptionInformationExposure.cs:41:28:41:40 | call to method ToString | ExceptionInformationExposure.cs:41:28:41:40 | call to method ToString | ExceptionInformationExposure.cs:41:28:41:40 | call to method ToString | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:41:28:41:40 | call to method ToString | call to method ToString |
|
||||
| ExceptionInformationExposure.cs:47:28:47:55 | call to method ToString | ExceptionInformationExposure.cs:47:28:47:55 | call to method ToString | ExceptionInformationExposure.cs:47:28:47:55 | call to method ToString | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:47:28:47:55 | call to method ToString | call to method ToString |
|
||||
|
||||
@@ -1,8 +1,6 @@
|
||||
edges
|
||||
| UrlRedirect.cs:12:31:12:53 | access to property QueryString : NameValueCollection | UrlRedirect.cs:12:31:12:61 | access to indexer |
|
||||
| UrlRedirect.cs:22:22:22:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:22:22:22:52 | access to indexer : String |
|
||||
| UrlRedirect.cs:22:22:22:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:47:29:47:31 | access to local variable url |
|
||||
| UrlRedirect.cs:22:22:22:52 | access to indexer : String | UrlRedirect.cs:47:29:47:31 | access to local variable url |
|
||||
| UrlRedirect.cs:37:44:37:66 | access to property QueryString : NameValueCollection | UrlRedirect.cs:37:44:37:74 | access to indexer |
|
||||
| UrlRedirect.cs:38:47:38:69 | access to property QueryString : NameValueCollection | UrlRedirect.cs:38:47:38:77 | access to indexer |
|
||||
| UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:16:22:16:26 | access to parameter value |
|
||||
@@ -20,7 +18,6 @@ nodes
|
||||
| UrlRedirect.cs:12:31:12:53 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| UrlRedirect.cs:12:31:12:61 | access to indexer | semmle.label | access to indexer |
|
||||
| UrlRedirect.cs:22:22:22:44 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| UrlRedirect.cs:22:22:22:52 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| UrlRedirect.cs:37:44:37:66 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| UrlRedirect.cs:37:44:37:74 | access to indexer | semmle.label | access to indexer |
|
||||
| UrlRedirect.cs:38:47:38:69 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
edges
|
||||
| XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:10:27:10:61 | access to indexer : String |
|
||||
| XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:16:33:16:33 | access to local variable s |
|
||||
| XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:19:29:19:29 | access to local variable s |
|
||||
| XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:28:20:28:20 | access to local variable s |
|
||||
@@ -7,14 +6,6 @@ edges
|
||||
| XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:40:21:40:21 | access to local variable s |
|
||||
| XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:46:22:46:22 | access to local variable s |
|
||||
| XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:52:21:52:21 | access to local variable s |
|
||||
| XPathInjection.cs:10:27:10:61 | access to indexer : String | XPathInjection.cs:16:33:16:33 | access to local variable s |
|
||||
| XPathInjection.cs:10:27:10:61 | access to indexer : String | XPathInjection.cs:19:29:19:29 | access to local variable s |
|
||||
| XPathInjection.cs:10:27:10:61 | access to indexer : String | XPathInjection.cs:28:20:28:20 | access to local variable s |
|
||||
| XPathInjection.cs:10:27:10:61 | access to indexer : String | XPathInjection.cs:34:30:34:30 | access to local variable s |
|
||||
| XPathInjection.cs:10:27:10:61 | access to indexer : String | XPathInjection.cs:40:21:40:21 | access to local variable s |
|
||||
| XPathInjection.cs:10:27:10:61 | access to indexer : String | XPathInjection.cs:46:22:46:22 | access to local variable s |
|
||||
| XPathInjection.cs:10:27:10:61 | access to indexer : String | XPathInjection.cs:52:21:52:21 | access to local variable s |
|
||||
| XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:11:27:11:61 | access to indexer : String |
|
||||
| XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:16:33:16:33 | access to local variable s |
|
||||
| XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:19:29:19:29 | access to local variable s |
|
||||
| XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:28:20:28:20 | access to local variable s |
|
||||
@@ -22,18 +13,9 @@ edges
|
||||
| XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:40:21:40:21 | access to local variable s |
|
||||
| XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:46:22:46:22 | access to local variable s |
|
||||
| XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:52:21:52:21 | access to local variable s |
|
||||
| XPathInjection.cs:11:27:11:61 | access to indexer : String | XPathInjection.cs:16:33:16:33 | access to local variable s |
|
||||
| XPathInjection.cs:11:27:11:61 | access to indexer : String | XPathInjection.cs:19:29:19:29 | access to local variable s |
|
||||
| XPathInjection.cs:11:27:11:61 | access to indexer : String | XPathInjection.cs:28:20:28:20 | access to local variable s |
|
||||
| XPathInjection.cs:11:27:11:61 | access to indexer : String | XPathInjection.cs:34:30:34:30 | access to local variable s |
|
||||
| XPathInjection.cs:11:27:11:61 | access to indexer : String | XPathInjection.cs:40:21:40:21 | access to local variable s |
|
||||
| XPathInjection.cs:11:27:11:61 | access to indexer : String | XPathInjection.cs:46:22:46:22 | access to local variable s |
|
||||
| XPathInjection.cs:11:27:11:61 | access to indexer : String | XPathInjection.cs:52:21:52:21 | access to local variable s |
|
||||
nodes
|
||||
| XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| XPathInjection.cs:10:27:10:61 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| XPathInjection.cs:11:27:11:61 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| XPathInjection.cs:16:33:16:33 | access to local variable s | semmle.label | access to local variable s |
|
||||
| XPathInjection.cs:19:29:19:29 | access to local variable s | semmle.label | access to local variable s |
|
||||
| XPathInjection.cs:28:20:28:20 | access to local variable s | semmle.label | access to local variable s |
|
||||
|
||||
@@ -1,18 +1,11 @@
|
||||
edges
|
||||
| ExponentialRegex.cs:11:28:11:50 | access to property QueryString : NameValueCollection | ExponentialRegex.cs:11:28:11:63 | access to indexer : String |
|
||||
| ExponentialRegex.cs:11:28:11:50 | access to property QueryString : NameValueCollection | ExponentialRegex.cs:15:40:15:48 | access to local variable userInput |
|
||||
| ExponentialRegex.cs:11:28:11:50 | access to property QueryString : NameValueCollection | ExponentialRegex.cs:16:42:16:50 | access to local variable userInput |
|
||||
| ExponentialRegex.cs:11:28:11:50 | access to property QueryString : NameValueCollection | ExponentialRegex.cs:19:139:19:147 | access to local variable userInput |
|
||||
| ExponentialRegex.cs:11:28:11:50 | access to property QueryString : NameValueCollection | ExponentialRegex.cs:22:43:22:51 | access to local variable userInput |
|
||||
| ExponentialRegex.cs:11:28:11:50 | access to property QueryString : NameValueCollection | ExponentialRegex.cs:24:21:24:29 | access to local variable userInput |
|
||||
| ExponentialRegex.cs:11:28:11:63 | access to indexer : String | ExponentialRegex.cs:15:40:15:48 | access to local variable userInput |
|
||||
| ExponentialRegex.cs:11:28:11:63 | access to indexer : String | ExponentialRegex.cs:16:42:16:50 | access to local variable userInput |
|
||||
| ExponentialRegex.cs:11:28:11:63 | access to indexer : String | ExponentialRegex.cs:19:139:19:147 | access to local variable userInput |
|
||||
| ExponentialRegex.cs:11:28:11:63 | access to indexer : String | ExponentialRegex.cs:22:43:22:51 | access to local variable userInput |
|
||||
| ExponentialRegex.cs:11:28:11:63 | access to indexer : String | ExponentialRegex.cs:24:21:24:29 | access to local variable userInput |
|
||||
nodes
|
||||
| ExponentialRegex.cs:11:28:11:50 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| ExponentialRegex.cs:11:28:11:63 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| ExponentialRegex.cs:15:40:15:48 | access to local variable userInput | semmle.label | access to local variable userInput |
|
||||
| ExponentialRegex.cs:16:42:16:50 | access to local variable userInput | semmle.label | access to local variable userInput |
|
||||
| ExponentialRegex.cs:19:139:19:147 | access to local variable userInput | semmle.label | access to local variable userInput |
|
||||
|
||||
@@ -1,10 +1,7 @@
|
||||
edges
|
||||
| ExponentialRegex.cs:13:28:13:50 | access to property QueryString : NameValueCollection | ExponentialRegex.cs:13:28:13:63 | access to indexer : String |
|
||||
| ExponentialRegex.cs:13:28:13:50 | access to property QueryString : NameValueCollection | ExponentialRegex.cs:16:40:16:48 | access to local variable userInput |
|
||||
| ExponentialRegex.cs:13:28:13:63 | access to indexer : String | ExponentialRegex.cs:16:40:16:48 | access to local variable userInput |
|
||||
nodes
|
||||
| ExponentialRegex.cs:13:28:13:50 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| ExponentialRegex.cs:13:28:13:63 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| ExponentialRegex.cs:16:40:16:48 | access to local variable userInput | semmle.label | access to local variable userInput |
|
||||
subpaths
|
||||
#select
|
||||
|
||||
@@ -1,10 +1,7 @@
|
||||
edges
|
||||
| RegexInjection.cs:10:24:10:46 | access to property QueryString : NameValueCollection | RegexInjection.cs:10:24:10:55 | access to indexer : String |
|
||||
| RegexInjection.cs:10:24:10:46 | access to property QueryString : NameValueCollection | RegexInjection.cs:14:19:14:23 | access to local variable regex |
|
||||
| RegexInjection.cs:10:24:10:55 | access to indexer : String | RegexInjection.cs:14:19:14:23 | access to local variable regex |
|
||||
nodes
|
||||
| RegexInjection.cs:10:24:10:46 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| RegexInjection.cs:10:24:10:55 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| RegexInjection.cs:14:19:14:23 | access to local variable regex | semmle.label | access to local variable regex |
|
||||
subpaths
|
||||
#select
|
||||
|
||||
@@ -1,7 +1,5 @@
|
||||
edges
|
||||
| ConditionalBypass.cs:12:26:12:48 | access to property QueryString : NameValueCollection | ConditionalBypass.cs:12:26:12:59 | access to indexer : String |
|
||||
| ConditionalBypass.cs:12:26:12:48 | access to property QueryString : NameValueCollection | ConditionalBypass.cs:16:13:16:30 | ... == ... |
|
||||
| ConditionalBypass.cs:12:26:12:59 | access to indexer : String | ConditionalBypass.cs:16:13:16:30 | ... == ... |
|
||||
| ConditionalBypass.cs:19:34:19:52 | access to property Cookies : HttpCookieCollection | ConditionalBypass.cs:22:13:22:23 | access to local variable adminCookie : HttpCookie |
|
||||
| ConditionalBypass.cs:19:34:19:52 | access to property Cookies : HttpCookieCollection | ConditionalBypass.cs:27:13:27:23 | access to local variable adminCookie : HttpCookie |
|
||||
| ConditionalBypass.cs:22:13:22:23 | access to local variable adminCookie : HttpCookie | ConditionalBypass.cs:22:13:22:29 | access to property Value : String |
|
||||
@@ -21,7 +19,6 @@ edges
|
||||
| ConditionalBypass.cs:84:13:84:29 | access to property Value : String | ConditionalBypass.cs:84:13:84:40 | ... == ... |
|
||||
nodes
|
||||
| ConditionalBypass.cs:12:26:12:48 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
|
||||
| ConditionalBypass.cs:12:26:12:59 | access to indexer : String | semmle.label | access to indexer : String |
|
||||
| ConditionalBypass.cs:16:13:16:30 | ... == ... | semmle.label | ... == ... |
|
||||
| ConditionalBypass.cs:19:34:19:52 | access to property Cookies : HttpCookieCollection | semmle.label | access to property Cookies : HttpCookieCollection |
|
||||
| ConditionalBypass.cs:22:13:22:23 | access to local variable adminCookie : HttpCookie | semmle.label | access to local variable adminCookie : HttpCookie |
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 0.1.4
|
||||
|
||||
## 0.1.3
|
||||
|
||||
## 0.1.2
|
||||
|
||||
### New Features
|
||||
|
||||
1
go/ql/lib/change-notes/released/0.1.3.md
Normal file
1
go/ql/lib/change-notes/released/0.1.3.md
Normal file
@@ -0,0 +1 @@
|
||||
## 0.1.3
|
||||
1
go/ql/lib/change-notes/released/0.1.4.md
Normal file
1
go/ql/lib/change-notes/released/0.1.4.md
Normal file
@@ -0,0 +1 @@
|
||||
## 0.1.4
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.1.2
|
||||
lastReleaseVersion: 0.1.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/go-all
|
||||
version: 0.1.3-dev
|
||||
version: 0.1.4
|
||||
groups: go
|
||||
dbscheme: go.dbscheme
|
||||
extractor: go
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 0.1.4
|
||||
|
||||
## 0.1.3
|
||||
|
||||
## 0.1.2
|
||||
|
||||
## 0.1.1
|
||||
|
||||
1
go/ql/src/change-notes/released/0.1.3.md
Normal file
1
go/ql/src/change-notes/released/0.1.3.md
Normal file
@@ -0,0 +1 @@
|
||||
## 0.1.3
|
||||
1
go/ql/src/change-notes/released/0.1.4.md
Normal file
1
go/ql/src/change-notes/released/0.1.4.md
Normal file
@@ -0,0 +1 @@
|
||||
## 0.1.4
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.1.2
|
||||
lastReleaseVersion: 0.1.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/go-queries
|
||||
version: 0.1.3-dev
|
||||
version: 0.1.4
|
||||
groups:
|
||||
- go
|
||||
- queries
|
||||
@@ -8,4 +8,4 @@ extractor: go
|
||||
defaultSuiteFile: codeql-suites/go-code-scanning.qls
|
||||
dependencies:
|
||||
codeql/go-all: "*"
|
||||
codeql/suite-helpers: ~0.0.2
|
||||
codeql/suite-helpers: "*"
|
||||
|
||||
@@ -1,3 +1,16 @@
|
||||
## 0.2.3
|
||||
|
||||
## 0.2.2
|
||||
|
||||
### Deprecated APIs
|
||||
|
||||
* The QL class `FloatingPointLiteral` has been renamed to `FloatLiteral`.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Fixed a sanitizer of the query `java/android/intent-redirection`. Now, for an intent to be considered
|
||||
safe against intent redirection, both its package name and class name must be checked.
|
||||
|
||||
## 0.2.1
|
||||
|
||||
### New Features
|
||||
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
Fixed a sanitizer of the query `java/android/intent-redirection`. Now, for an intent to be considered
|
||||
safe against intent redirection, both its package name and class name must be checked.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: deprecated
|
||||
---
|
||||
* The QL class `FloatingPointLiteral` has been renamed to `FloatLiteral`.
|
||||
10
java/ql/lib/change-notes/released/0.2.2.md
Normal file
10
java/ql/lib/change-notes/released/0.2.2.md
Normal file
@@ -0,0 +1,10 @@
|
||||
## 0.2.2
|
||||
|
||||
### Deprecated APIs
|
||||
|
||||
* The QL class `FloatingPointLiteral` has been renamed to `FloatLiteral`.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Fixed a sanitizer of the query `java/android/intent-redirection`. Now, for an intent to be considered
|
||||
safe against intent redirection, both its package name and class name must be checked.
|
||||
1
java/ql/lib/change-notes/released/0.2.3.md
Normal file
1
java/ql/lib/change-notes/released/0.2.3.md
Normal file
@@ -0,0 +1 @@
|
||||
## 0.2.3
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.2.1
|
||||
lastReleaseVersion: 0.2.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-all
|
||||
version: 0.2.2-dev
|
||||
version: 0.2.3
|
||||
groups: java
|
||||
dbscheme: config/semmlecode.dbscheme
|
||||
extractor: java
|
||||
|
||||
@@ -777,10 +777,10 @@ module Private {
|
||||
predicate prohibitsUseUseFlow(ArgNode arg, SummarizedCallable sc) {
|
||||
exists(ParamNode p, Node mid, ParameterPosition ppos, Node ret |
|
||||
p = summaryArgParam0(_, arg, sc) and
|
||||
p.isParameterOf(_, ppos) and
|
||||
p.isParameterOf(_, pragma[only_bind_into](ppos)) and
|
||||
summaryLocalStep(p, mid, true) and
|
||||
summaryLocalStep(mid, ret, true) and
|
||||
isParameterPostUpdate(ret, _, ppos)
|
||||
isParameterPostUpdate(ret, _, pragma[only_bind_into](ppos))
|
||||
|
|
||||
summaryClearsContent(mid, _) or
|
||||
summaryExpectsContent(mid, _)
|
||||
|
||||
@@ -1,3 +1,19 @@
|
||||
## 0.1.4
|
||||
|
||||
## 0.1.3
|
||||
|
||||
### New Queries
|
||||
|
||||
* Two new queries "Inefficient regular expression" (`java/redos`) and "Polynomial regular expression used on uncontrolled data" (`java/polynomial-redos`) have been added.
|
||||
These queries help find instances of Regular Expression Denial of Service vulnerabilities.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Query `java/sensitive-log` has received several improvements.
|
||||
* It no longer considers usernames as sensitive information.
|
||||
* The conditions to consider a variable a constant (and therefore exclude it as user-provided sensitive information) have been tightened.
|
||||
* A sanitizer has been added to handle certain elements introduced by a Kotlin compiler plugin that have deceptive names.
|
||||
|
||||
## 0.1.2
|
||||
|
||||
### Query Metadata Changes
|
||||
@@ -39,7 +55,7 @@ this respect.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Updated "Local information disclosure in a temporary directory" (`java/local-temp-file-or-directory-information-disclosure`) to remove false-positives when OS is properly used as logical guard.
|
||||
* Updated "Local information disclosure in a temporary directory" (`java/local-temp-file-or-directory-information-disclosure`) to remove false-positives when OS is properly used as logical guard.
|
||||
|
||||
## 0.0.11
|
||||
|
||||
|
||||
@@ -1,6 +0,0 @@
|
||||
---
|
||||
category: newQuery
|
||||
---
|
||||
|
||||
* Two new queries "Inefficient regular expression" (`java/redos`) and "Polynomial regular expression used on uncontrolled data" (`java/polynomial-redos`) have been added.
|
||||
These queries help find instances of Regular Expression Denial of Service vulnerabilities.
|
||||
@@ -1,6 +1,12 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
## 0.1.3
|
||||
|
||||
### New Queries
|
||||
|
||||
* Two new queries "Inefficient regular expression" (`java/redos`) and "Polynomial regular expression used on uncontrolled data" (`java/polynomial-redos`) have been added.
|
||||
These queries help find instances of Regular Expression Denial of Service vulnerabilities.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Query `java/sensitive-log` has received several improvements.
|
||||
* It no longer considers usernames as sensitive information.
|
||||
* The conditions to consider a variable a constant (and therefore exclude it as user-provided sensitive information) have been tightened.
|
||||
1
java/ql/src/change-notes/released/0.1.4.md
Normal file
1
java/ql/src/change-notes/released/0.1.4.md
Normal file
@@ -0,0 +1 @@
|
||||
## 0.1.4
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.1.2
|
||||
lastReleaseVersion: 0.1.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-queries
|
||||
version: 0.1.3-dev
|
||||
version: 0.1.4
|
||||
groups:
|
||||
- java
|
||||
- queries
|
||||
|
||||
@@ -1,22 +1,22 @@
|
||||
/**
|
||||
* Provides a taint-tracking configuration for reasoning about
|
||||
* cross-site scripting vulnerabilities through the DOM.
|
||||
* Is boosted by ATM.
|
||||
* For internal use only.
|
||||
*
|
||||
* Defines shared code used by the XSS boosted query.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import AdaptiveThreatModeling
|
||||
import StandardEndpointFilters as StandardEndpointFilters
|
||||
private import semmle.javascript.dataflow.InferredTypes
|
||||
private import semmle.javascript.heuristics.SyntacticHeuristics
|
||||
private import semmle.javascript.security.dataflow.XssThroughDomCustomizations::XssThroughDom
|
||||
private import semmle.javascript.security.dataflow.DomBasedXssCustomizations
|
||||
private import semmle.javascript.security.dataflow.UnsafeJQueryPluginCustomizations::UnsafeJQueryPlugin as UnsafeJQuery
|
||||
import AdaptiveThreatModeling
|
||||
import CoreKnowledge as CoreKnowledge
|
||||
import StandardEndpointFilters as StandardEndpointFilters
|
||||
|
||||
/**
|
||||
* This module provides logic to filter candidate sinks to those which are likely XSS sinks.
|
||||
*/
|
||||
module SinkEndpointFilter {
|
||||
private import javascript
|
||||
private import DomBasedXss
|
||||
|
||||
/**
|
||||
* Provides a set of reasons why a given data flow node should be excluded as a sink candidate.
|
||||
*
|
||||
@@ -60,10 +60,10 @@ module SinkEndpointFilter {
|
||||
}
|
||||
}
|
||||
|
||||
class XssThroughDomAtmConfig extends ATMConfig {
|
||||
XssThroughDomAtmConfig() { this = "XssThroughDomAtmConfig" }
|
||||
class DomBasedXssAtmConfig extends AtmConfig {
|
||||
DomBasedXssAtmConfig() { this = "DomBasedXssATMConfig" }
|
||||
|
||||
override predicate isKnownSource(DataFlow::Node source) { source instanceof Source }
|
||||
override predicate isKnownSource(DataFlow::Node source) { source instanceof DomBasedXss::Source }
|
||||
|
||||
override predicate isKnownSink(DataFlow::Node sink) { sink instanceof DomBasedXss::Sink }
|
||||
|
||||
@@ -74,16 +74,23 @@ class XssThroughDomAtmConfig extends ATMConfig {
|
||||
override EndpointType getASinkEndpointType() { result instanceof XssSinkType }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for DomBasedXssAtmConfig */
|
||||
deprecated class DomBasedXssATMConfig = DomBasedXssAtmConfig;
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about XSS through the DOM.
|
||||
* A taint-tracking configuration for reasoning about XSS vulnerabilities.
|
||||
*
|
||||
* This is largely a copy of the taint tracking configuration for the standard XSSThroughDom query,
|
||||
* except additional ATM sinks have been added to the `isSink` predicate.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "XssThroughDomAtmConfig" }
|
||||
Configuration() { this = "DomBasedXssATMConfiguration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof DomBasedXss::Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
(sink instanceof DomBasedXss::Sink or any(XssThroughDomAtmConfig cfg).isEffectiveSink(sink))
|
||||
sink instanceof DomBasedXss::Sink or
|
||||
any(DomBasedXssAtmConfig cfg).isEffectiveSink(sink)
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
@@ -92,10 +99,7 @@ class Configuration extends TaintTracking::Configuration {
|
||||
}
|
||||
|
||||
override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
|
||||
guard instanceof TypeTestGuard or
|
||||
guard instanceof UnsafeJQuery::PropertyPresenceSanitizer or
|
||||
guard instanceof UnsafeJQuery::NumberGuard or
|
||||
guard instanceof PrefixStringSanitizer or
|
||||
guard instanceof PrefixStringSanitizerActivated or
|
||||
guard instanceof QuoteGuard or
|
||||
guard instanceof ContainsHtmlGuard
|
||||
}
|
||||
@@ -105,43 +109,15 @@ class Configuration extends TaintTracking::Configuration {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A test of form `typeof x === "something"`, preventing `x` from being a string in some cases.
|
||||
*
|
||||
* This sanitizer helps prune infeasible paths in type-overloaded functions.
|
||||
*/
|
||||
class TypeTestGuard extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode {
|
||||
override EqualityTest astNode;
|
||||
Expr operand;
|
||||
boolean polarity;
|
||||
|
||||
TypeTestGuard() {
|
||||
exists(TypeofTag tag | TaintTracking::isTypeofGuard(astNode, operand, tag) |
|
||||
// typeof x === "string" sanitizes `x` when it evaluates to false
|
||||
tag = "string" and
|
||||
polarity = astNode.getPolarity().booleanNot()
|
||||
or
|
||||
// typeof x === "object" sanitizes `x` when it evaluates to true
|
||||
tag != "string" and
|
||||
polarity = astNode.getPolarity()
|
||||
)
|
||||
}
|
||||
|
||||
override predicate sanitizes(boolean outcome, Expr e) {
|
||||
polarity = outcome and
|
||||
e = operand
|
||||
}
|
||||
}
|
||||
|
||||
private import semmle.javascript.security.dataflow.Xss::Shared as Shared
|
||||
|
||||
private class PrefixStringSanitizer extends TaintTracking::SanitizerGuardNode,
|
||||
private class PrefixStringSanitizerActivated extends TaintTracking::SanitizerGuardNode,
|
||||
DomBasedXss::PrefixStringSanitizer {
|
||||
PrefixStringSanitizer() { this = this }
|
||||
PrefixStringSanitizerActivated() { this = this }
|
||||
}
|
||||
|
||||
private class PrefixString extends DataFlow::FlowLabel, DomBasedXss::PrefixString {
|
||||
PrefixString() { this = this }
|
||||
private class PrefixStringActivated extends DataFlow::FlowLabel, DomBasedXss::PrefixString {
|
||||
PrefixStringActivated() { this = this }
|
||||
}
|
||||
|
||||
private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::QuoteGuard {
|
||||
@@ -1,20 +0,0 @@
|
||||
/*
|
||||
* For internal use only.
|
||||
*
|
||||
*
|
||||
* Count the number of sinks and alerts for a particular dataflow config.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import evaluation.EndToEndEvaluation
|
||||
|
||||
query predicate countAlertsAndSinks(int numAlerts, int numSinks) {
|
||||
numAlerts =
|
||||
count(DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink |
|
||||
cfg.hasFlow(source, sink) and not isFlowExcluded(source, sink)
|
||||
) and
|
||||
numSinks =
|
||||
count(DataFlow::Node sink |
|
||||
exists(DataFlow::Configuration cfg | cfg.isSink(sink) or cfg.isSink(sink, _))
|
||||
)
|
||||
}
|
||||
@@ -1,9 +0,0 @@
|
||||
/*
|
||||
* For internal use only.
|
||||
*
|
||||
*
|
||||
* Count the number of sinks and alerts for the `CodeInjection` security query.
|
||||
*/
|
||||
|
||||
import semmle.javascript.security.dataflow.CodeInjectionQuery
|
||||
import CountAlertsAndSinks
|
||||
@@ -1,9 +0,0 @@
|
||||
/*
|
||||
* For internal use only.
|
||||
*
|
||||
*
|
||||
* Count the number of sinks and alerts for the `NosqlInection` security query.
|
||||
*/
|
||||
|
||||
import semmle.javascript.security.dataflow.NosqlInjectionQuery
|
||||
import CountAlertsAndSinks
|
||||
@@ -1,9 +0,0 @@
|
||||
/*
|
||||
* For internal use only.
|
||||
*
|
||||
*
|
||||
* Count the number of sinks and alerts for the `SqlInection` security query.
|
||||
*/
|
||||
|
||||
import semmle.javascript.security.dataflow.SqlInjectionQuery
|
||||
import CountAlertsAndSinks
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user