hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-14 19:29:28 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
8d22ee550896fd7864d5df7637fb80e87caf6784
codeql/java/ql/lib/ext/com.google.common.io.model.yml
MarkLee131 c336a1595d Java: split read-only path sinks into path-injection[read] 
Introduce a new Models-as-Data sink sub-kind path-injection[read] for
models that only read from or inspect a path. The general
java/path-injection query and its PathInjectionSanitizer barrier
continue to consider both path-injection and path-injection[read]
sinks, so no alerts are lost. The java/zipslip query deliberately
selects only path-injection sinks, since read-only accesses such as
ClassLoader.getResource or FileInputStream are outside the archive
extraction threat model.

Addresses https://github.com/github/codeql/issues/21606 along the lines
proposed on the issue thread: prefer path-injection[read] over a
[create] sub-kind so that miscategorizing a sink causes a false
positive (easy to spot) rather than a false negative.

- shared/mad/codeql/mad/ModelValidation.qll: allow path-injection[...]
  as a valid sink kind.
- java/ql/lib/ext/*.model.yml: relabel the models that PR #12916
  migrated from the historical read-file kind (plus the newer
  ClassLoader resource-lookup variants that share the same read-only
  semantics).
- java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll and
  PathSanitizer.qll: select both path-injection and
  path-injection[read] sinks/barriers.
- java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll: keep only
  path-injection, with a comment explaining why path-injection[read]
  is excluded.
- java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipTest.java:
  add m7 regression covering the Dubbo-style classpath lookup from
  issue #21606 and assert no alert is produced.
- Update TaintedPath.expected for the renamed kinds in the models list.
- Add change-notes under java/ql/lib/change-notes and
  java/ql/src/change-notes.
2026-04-21 09:17:36 +10:00

93 lines
11 KiB
YAML
Raw Blame History

extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["com.google.common.io", "Files", False, "asByteSink", "(File,FileWriteMode[])", "", "Argument[0]", "path-injection", "ai-manual"]
- ["com.google.common.io", "Files", False, "asCharSink", "(File,Charset,FileWriteMode[])", "", "Argument[0]", "path-injection", "ai-manual"]
- ["com.google.common.io", "Files", False, "asCharSource", "(File,Charset)", "", "Argument[0]", "path-injection[read]", "ai-manual"]
- ["com.google.common.io", "Files", False, "copy", "(File,OutputStream)", "", "Argument[0]", "path-injection[read]", "ai-manual"]
- ["com.google.common.io", "Files", False, "newWriter", "(File,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]
- ["com.google.common.io", "Files", False, "readLines", "(File,Charset)", "", "Argument[0]", "path-injection[read]", "ai-manual"]
- ["com.google.common.io", "Files", False, "toByteArray", "(File)", "", "Argument[0]", "path-injection[read]", "ai-manual"]
- ["com.google.common.io", "Files", False, "toString", "(File,Charset)", "", "Argument[0]", "path-injection[read]", "ai-manual"]
- ["com.google.common.io", "Files", False, "write", "(byte[],File)", "", "Argument[0]", "file-content-store", "ai-manual"]
- ["com.google.common.io", "Files", False, "write", "(byte[],File)", "", "Argument[1]", "path-injection", "manual"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["com.google.common.io", "BaseEncoding", True, "decode", "(CharSequence)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "BaseEncoding", True, "decode", "(CharSequence)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "BaseEncoding", True, "decodingSource", "(CharSource)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "BaseEncoding", True, "decodingSource", "(CharSource)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "BaseEncoding", True, "decodingStream", "(Reader)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "BaseEncoding", True, "decodingStream", "(Reader)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "BaseEncoding", True, "encode", "(byte[])", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "BaseEncoding", True, "encode", "(byte[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "BaseEncoding", True, "encode", "(byte[],int,int)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "BaseEncoding", True, "encode", "(byte[],int,int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "BaseEncoding", True, "lowerCase", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "BaseEncoding", True, "omitPadding", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "BaseEncoding", True, "upperCase", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "BaseEncoding", True, "withPadChar", "(char)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "BaseEncoding", True, "withSeparator", "(String,int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "ByteArrayDataOutput", True, "toByteArray", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "ByteArrayDataOutput", True, "write", "(byte[])", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["com.google.common.io", "ByteArrayDataOutput", True, "write", "(byte[],int,int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["com.google.common.io", "ByteArrayDataOutput", True, "write", "(int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["com.google.common.io", "ByteArrayDataOutput", True, "writeByte", "(int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["com.google.common.io", "ByteArrayDataOutput", True, "writeBytes", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["com.google.common.io", "ByteArrayDataOutput", True, "writeChar", "(int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["com.google.common.io", "ByteArrayDataOutput", True, "writeChars", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["com.google.common.io", "ByteArrayDataOutput", True, "writeDouble", "(double)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["com.google.common.io", "ByteArrayDataOutput", True, "writeFloat", "(float)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["com.google.common.io", "ByteArrayDataOutput", True, "writeInt", "(int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["com.google.common.io", "ByteArrayDataOutput", True, "writeLong", "(long)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["com.google.common.io", "ByteArrayDataOutput", True, "writeShort", "(int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["com.google.common.io", "ByteArrayDataOutput", True, "writeUTF", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["com.google.common.io", "ByteSource", True, "asCharSource", "(Charset)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "ByteSource", True, "concat", "(ByteSource[])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "ByteSource", True, "concat", "(Iterable)", "", "Argument[0].Element", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "ByteSource", True, "concat", "(Iterator)", "", "Argument[0].Element", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "ByteSource", True, "copyTo", "(OutputStream)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
- ["com.google.common.io", "ByteSource", True, "openBufferedStream", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "ByteSource", True, "openStream", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "ByteSource", True, "read", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "ByteSource", True, "slice", "(long,long)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "ByteSource", True, "wrap", "(byte[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "ByteStreams", False, "copy", "(InputStream,OutputStream)", "", "Argument[0]", "Argument[1]", "taint", "manual"]
- ["com.google.common.io", "ByteStreams", False, "copy", "(ReadableByteChannel,WritableByteChannel)", "", "Argument[0]", "Argument[1]", "taint", "manual"]
- ["com.google.common.io", "ByteStreams", False, "limit", "(InputStream,long)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "ByteStreams", False, "newDataInput", "(ByteArrayInputStream)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "ByteStreams", False, "newDataInput", "(byte[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "ByteStreams", False, "newDataInput", "(byte[],int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "ByteStreams", False, "newDataOutput", "(ByteArrayOutputStream)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "ByteStreams", False, "read", "(InputStream,byte[],int,int)", "", "Argument[0]", "Argument[1]", "taint", "manual"]
- ["com.google.common.io", "ByteStreams", False, "readFully", "(InputStream,byte[])", "", "Argument[0]", "Argument[1]", "taint", "manual"]
- ["com.google.common.io", "ByteStreams", False, "readFully", "(InputStream,byte[],int,int)", "", "Argument[0]", "Argument[1]", "taint", "manual"]
- ["com.google.common.io", "ByteStreams", False, "toByteArray", "(InputStream)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "CharSource", True, "asByteSource", "(Charset)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "CharSource", True, "concat", "(CharSource[])", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "CharSource", True, "concat", "(Iterable)", "", "Argument[0].Element", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "CharSource", True, "concat", "(Iterator)", "", "Argument[0].Element", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "CharSource", True, "copyTo", "(Appendable)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
- ["com.google.common.io", "CharSource", True, "lines", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "CharSource", True, "openBufferedStream", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "CharSource", True, "openStream", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "CharSource", True, "read", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "CharSource", True, "readFirstLine", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "CharSource", True, "readLines", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "CharSource", True, "wrap", "(CharSequence)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "CharStreams", False, "copy", "(Readable,Appendable)", "", "Argument[0]", "Argument[1]", "taint", "manual"]
- ["com.google.common.io", "CharStreams", False, "readLines", "(Readable)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "CharStreams", False, "toString", "(Readable)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "Closer", True, "register", "", "", "Argument[0]", "ReturnValue", "value", "manual"]
- ["com.google.common.io", "Files", False, "getFileExtension", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "Files", False, "getNameWithoutExtension", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "Files", False, "simplifyPath", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "LineReader", False, "LineReader", "(Readable)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["com.google.common.io", "LineReader", True, "readLine", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "MoreFiles", False, "getFileExtension", "(Path)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.google.common.io", "MoreFiles", False, "getNameWithoutExtension", "(Path)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
Reference in New Issue View Git Blame Copy Permalink