From 1e374821c4fa53845c350107cec138af0e72cd44 Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Mon, 21 Apr 2025 15:03:46 -0400
Subject: [PATCH 1/5] Java: remove SpringBootActuators query
---
.../security/CWE-016/SpringBootActuators.java | 22 ---
.../CWE-016/SpringBootActuators.qhelp | 39 -----
.../security/CWE-016/SpringBootActuators.ql | 18 --
.../security/CWE-016/SpringBootActuators.qll | 155 ------------------
.../CWE-016/SpringBootActuators.expected | 7 -
.../security/CWE-016/SpringBootActuators.java | 104 ------------
.../CWE-016/SpringBootActuators.qlref | 1 -
7 files changed, 346 deletions(-)
delete mode 100644 java/src/security/CWE-016/SpringBootActuators.java
delete mode 100644 java/src/security/CWE-016/SpringBootActuators.qhelp
delete mode 100644 java/src/security/CWE-016/SpringBootActuators.ql
delete mode 100644 java/src/security/CWE-016/SpringBootActuators.qll
delete mode 100644 java/test/security/CWE-016/SpringBootActuators.expected
delete mode 100644 java/test/security/CWE-016/SpringBootActuators.java
delete mode 100644 java/test/security/CWE-016/SpringBootActuators.qlref
diff --git a/java/src/security/CWE-016/SpringBootActuators.java b/java/src/security/CWE-016/SpringBootActuators.java
deleted file mode 100644
index 53862055..00000000
--- a/java/src/security/CWE-016/SpringBootActuators.java
+++ /dev/null
@@ -1,22 +0,0 @@
-@Configuration(proxyBeanMethods = false)
-public class SpringBootActuators extends WebSecurityConfigurerAdapter {
-
- @Override
- protected void configure(HttpSecurity http) throws Exception {
- // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed
- http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
- requests.anyRequest().permitAll());
- }
-}
-
-@Configuration(proxyBeanMethods = false)
-public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
-
- @Override
- protected void configure(HttpSecurity http) throws Exception {
- // GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints
- http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
- requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
- http.httpBasic();
- }
-}
\ No newline at end of file
diff --git a/java/src/security/CWE-016/SpringBootActuators.qhelp b/java/src/security/CWE-016/SpringBootActuators.qhelp
deleted file mode 100644
index 53ee653a..00000000
--- a/java/src/security/CWE-016/SpringBootActuators.qhelp
+++ /dev/null
@@ -1,39 +0,0 @@
- - - -

Spring Boot includes a number of additional features called actuators that let you monitor -and interact with your web application. Exposing unprotected actuator endpoints via JXM or HTTP -can, however, lead to information disclosure or even to remote code execution vulnerability.

-
- - -

Since actuator endpoints may contain sensitive information, careful consideration should be -given about when to expose them. You should take care to secure exposed HTTP endpoints in the same -way that you would any other sensitive URL. If Spring Security is present, endpoints are secured by -default using Spring Security’s content-negotiation strategy. If you wish to configure custom -security for HTTP endpoints, for example, only allow users with a certain role to access them, -Spring Boot provides some convenient RequestMatcher objects that can be used in -combination with Spring Security.

-
- - -

In the first example, the custom security configuration allows unauthenticated access to all -actuator endpoints. This may lead to sensitive information disclosure and should be avoided.

-

In the second example, only users with ENDPOINT_ADMIN role are allowed to access -the actuator endpoints.

- - -
- - -
  • -Spring Boot documentation: -Actuators. -
  • -
  • -Exploiting Spring Boot Actuators -
  • -
    -
diff --git a/java/src/security/CWE-016/SpringBootActuators.ql b/java/src/security/CWE-016/SpringBootActuators.ql
deleted file mode 100644
index cab31128..00000000
--- a/java/src/security/CWE-016/SpringBootActuators.ql
+++ /dev/null
@@ -1,18 +0,0 @@
-/**
- * @name Exposed Spring Boot actuators
- * @description Exposing Spring Boot actuators may lead to internal application's information leak
- or even to remote code execution.
- * @kind problem
- * @problem.severity error
- * @precision high
- * @id githubsecuritylab/java/spring-boot-exposed-actuators
- * @tags security
- * external/cwe/cwe-16
- */
-
-import java
-import SpringBootActuators
-
-from PermitAllCall permitAllCall
-where permitAllCall.permitsSpringBootActuators()
-select permitAllCall, "Unauthenticated access to Spring Boot actuator is allowed."
diff --git a/java/src/security/CWE-016/SpringBootActuators.qll b/java/src/security/CWE-016/SpringBootActuators.qll
deleted file mode 100644
index 195de7a1..00000000
--- a/java/src/security/CWE-016/SpringBootActuators.qll
+++ /dev/null
@@ -1,155 +0,0 @@
-import java
-
-/** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */
-class TypeHttpSecurity extends Class {
- TypeHttpSecurity() {
- this.hasQualifiedName("org.springframework.security.config.annotation.web.builders",
- "HttpSecurity")
- }
-}
-
-/**
- * The class
- * `org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer`.
- */
-class TypeAuthorizedUrl extends Class {
- TypeAuthorizedUrl() {
- this.hasQualifiedName("org.springframework.security.config.annotation.web.configurers",
- "ExpressionUrlAuthorizationConfigurer$AuthorizedUrl<>")
- }
-}
-
-/**
- * The class `org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry`.
- */
-class TypeAbstractRequestMatcherRegistry extends Class {
- TypeAbstractRequestMatcherRegistry() {
- this.hasQualifiedName("org.springframework.security.config.annotation.web",
- "AbstractRequestMatcherRegistry>")
- }
-}
-
-/**
- * The class `org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest`.
- */
-class TypeEndpointRequest extends Class {
- TypeEndpointRequest() {
- this.hasQualifiedName("org.springframework.boot.actuate.autoconfigure.security.servlet",
- "EndpointRequest")
- }
-}
-
-/** A call to `EndpointRequest.toAnyEndpoint` method. */
-class ToAnyEndpointCall extends MethodCall {
- ToAnyEndpointCall() {
- this.getMethod().hasName("toAnyEndpoint") and
- this.getMethod().getDeclaringType() instanceof TypeEndpointRequest
- }
-}
-
-/**
- * A call to `HttpSecurity.requestMatcher` method with argument `RequestMatcher.toAnyEndpoint()`.
- */
-class RequestMatcherCall extends MethodCall {
- RequestMatcherCall() {
- this.getMethod().hasName("requestMatcher") and
- this.getMethod().getDeclaringType() instanceof TypeHttpSecurity and
- this.getArgument(0) instanceof ToAnyEndpointCall
- }
-}
-
-/**
- * A call to `HttpSecurity.requestMatchers` method with lambda argument
- * `RequestMatcher.toAnyEndpoint()`.
- */
-class RequestMatchersCall extends MethodCall {
- RequestMatchersCall() {
- this.getMethod().hasName("requestMatchers") and
- this.getMethod().getDeclaringType() instanceof TypeHttpSecurity and
- this.getArgument(0).(LambdaExpr).getExprBody() instanceof ToAnyEndpointCall
- }
-}
-
-/** A call to `HttpSecurity.authorizeRequests` method. */
-class AuthorizeRequestsCall extends MethodCall {
- AuthorizeRequestsCall() {
- this.getMethod().hasName("authorizeRequests") and
- this.getMethod().getDeclaringType() instanceof TypeHttpSecurity
- }
-}
-
-/** A call to `AuthorizedUrl.permitAll` method. */
-class PermitAllCall extends MethodCall {
- PermitAllCall() {
- this.getMethod().hasName("permitAll") and
- this.getMethod().getDeclaringType() instanceof TypeAuthorizedUrl
- }
-
- /** Holds if `permitAll` is called on request(s) mapped to actuator endpoint(s). */
- predicate permitsSpringBootActuators() {
- exists(AuthorizeRequestsCall authorizeRequestsCall |
- // .requestMatcher(EndpointRequest).authorizeRequests([...]).[...]
- authorizeRequestsCall.getQualifier() instanceof RequestMatcherCall
- or
- // .requestMatchers(matcher -> EndpointRequest).authorizeRequests([...]).[...]
- authorizeRequestsCall.getQualifier() instanceof RequestMatchersCall
- |
- // [...].authorizeRequests(r -> r.anyRequest().permitAll()) or
- // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
- authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = this and
- (
- this.getQualifier() instanceof AnyRequestCall or
- this.getQualifier() instanceof RegistryRequestMatchersCall
- )
- or
- // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or
- // [...].authorizeRequests().anyRequest().permitAll()
- authorizeRequestsCall.getNumArgument() = 0 and
- exists(RegistryRequestMatchersCall registryRequestMatchersCall |
- registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and
- this.getQualifier() = registryRequestMatchersCall
- )
- or
- exists(AnyRequestCall anyRequestCall |
- anyRequestCall.getQualifier() = authorizeRequestsCall and
- this.getQualifier() = anyRequestCall
- )
- )
- or
- exists(AuthorizeRequestsCall authorizeRequestsCall |
- // http.authorizeRequests([...]).[...]
- authorizeRequestsCall.getQualifier() instanceof VarAccess
- |
- // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll())
- authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = this and
- this.getQualifier() instanceof RegistryRequestMatchersCall
- or
- // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or
- authorizeRequestsCall.getNumArgument() = 0 and
- exists(RegistryRequestMatchersCall registryRequestMatchersCall |
- registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and
- this.getQualifier() = registryRequestMatchersCall
- )
- )
- }
-}
-
-/** A call to `AbstractRequestMatcherRegistry.anyRequest` method. */
-class AnyRequestCall extends MethodCall {
- AnyRequestCall() {
- this.getMethod().hasName("anyRequest") and
- this.getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry
- }
-}
-
-/**
- * A call to `AbstractRequestMatcherRegistry.requestMatchers` method with an argument
- * `RequestMatcher.toAnyEndpoint()`.
- */
-class RegistryRequestMatchersCall extends MethodCall {
- RegistryRequestMatchersCall() {
- this.getMethod().hasName("requestMatchers") and
- this.getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry and
- this.getAnArgument() instanceof ToAnyEndpointCall
- }
-}
diff --git a/java/test/security/CWE-016/SpringBootActuators.expected b/java/test/security/CWE-016/SpringBootActuators.expected
deleted file mode 100644
index f2874e36..00000000
--- a/java/test/security/CWE-016/SpringBootActuators.expected
+++ /dev/null
@@ -1,7 +0,0 @@
-| SpringBootActuators.java:6:88:6:120 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
-| SpringBootActuators.java:10:5:10:137 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
-| SpringBootActuators.java:14:5:14:149 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
-| SpringBootActuators.java:18:5:18:101 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
-| SpringBootActuators.java:22:5:22:89 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
-| SpringBootActuators.java:26:40:26:108 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
-| SpringBootActuators.java:30:5:30:113 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. |
diff --git a/java/test/security/CWE-016/SpringBootActuators.java b/java/test/security/CWE-016/SpringBootActuators.java
deleted file mode 100644
index da59919f..00000000
--- a/java/test/security/CWE-016/SpringBootActuators.java
+++ /dev/null
@@ -1,104 +0,0 @@
-import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-
-public class SpringBootActuators {
- protected void configure(HttpSecurity http) throws Exception {
- http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest().permitAll());
- }
-
- protected void configure2(HttpSecurity http) throws Exception {
- http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
- }
-
- protected void configure3(HttpSecurity http) throws Exception {
- http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
- }
-
- protected void configure4(HttpSecurity http) throws Exception {
- http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll();
- }
-
- protected void configure5(HttpSecurity http) throws Exception {
- http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll();
- }
-
- protected void configure6(HttpSecurity http) throws Exception {
- http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll());
- }
-
- protected void configure7(HttpSecurity http) throws Exception {
- http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll();
- }
-
- protected void configureOk1(HttpSecurity http) throws Exception {
- http.requestMatcher(EndpointRequest.toAnyEndpoint());
- }
-
- protected void configureOk2(HttpSecurity http) throws Exception {
- http.requestMatchers().requestMatchers(EndpointRequest.toAnyEndpoint());
- }
-
- protected void configureOk3(HttpSecurity http) throws Exception {
- http.authorizeRequests().anyRequest().permitAll();
- }
-
- protected void configureOk4(HttpSecurity http) throws Exception {
- http.authorizeRequests(authz -> authz.anyRequest().permitAll());
- }
-
- protected void configureOkSafeEndpoints1(HttpSecurity http) throws Exception {
- http.requestMatcher(EndpointRequest.to("health", "info")).authorizeRequests(requests -> requests.anyRequest().permitAll());
- }
-
- protected void configureOkSafeEndpoints2(HttpSecurity http) throws Exception {
- http.requestMatcher(EndpointRequest.to("health")).authorizeRequests().requestMatchers(EndpointRequest.to("health")).permitAll();
- }
-
- protected void configureOkSafeEndpoints3(HttpSecurity http) throws Exception {
- http.requestMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll();
- }
-
- protected void configureOkSafeEndpoints4(HttpSecurity http) throws Exception {
- http.requestMatcher(EndpointRequest.to("health", "info")).authorizeRequests().anyRequest().permitAll();
- }
-
- protected void configureOkSafeEndpoints5(HttpSecurity http) throws Exception {
- http.authorizeRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll();
- }
-
- protected void configureOkSafeEndpoints6(HttpSecurity http) throws Exception {
- http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.to("health", "info")).permitAll());
- }
-
- protected void configureOkSafeEndpoints7(HttpSecurity http) throws Exception {
- http.requestMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeRequests().anyRequest().permitAll();
- }
-
- protected void configureOkNoPermitAll1(HttpSecurity http) throws Exception {
- http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest());
- }
-
- protected void configureOkNoPermitAll2(HttpSecurity http) throws Exception {
- http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
- }
-
- protected void configureOkNoPermitAll3(HttpSecurity http) throws Exception {
- http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
- }
-
- protected void configureOkNoPermitAll4(HttpSecurity http) throws Exception {
- http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest();
- }
-
- protected void configureOkNoPermitAll5(HttpSecurity http) throws Exception {
- http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint());
- }
-
- protected void configureOkNoPermitAll6(HttpSecurity http) throws Exception {
- http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()));
- }
-
- protected void configureOkNoPermitAll7(HttpSecurity http) throws Exception {
- http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest();
- }
-}
diff --git a/java/test/security/CWE-016/SpringBootActuators.qlref b/java/test/security/CWE-016/SpringBootActuators.qlref
deleted file mode 100644
index b62d155c..00000000
--- a/java/test/security/CWE-016/SpringBootActuators.qlref
+++ /dev/null
@@ -1 +0,0 @@
-security/CWE-016/SpringBootActuators.ql
From a7e5b55b4411792111eab03ddeaa6bff8f27a3f5 Mon Sep 17 00:00:00 2001
From: Jami Cogswell Date: Tue, 22 Apr 2025 17:50:59 -0400 Subject: [PATCH 2/5] Bump dependency versions to packs shipped with 2.21.1 --- cpp/lib/codeql-pack.lock.yml | 20 ++++++++++---------- cpp/src/codeql-pack.lock.yml | 24 ++++++++++++------------ cpp/test/codeql-pack.lock.yml | 24 ++++++++++++------------ csharp/lib/codeql-pack.lock.yml | 20 ++++++++++---------- csharp/src/codeql-pack.lock.yml | 24 ++++++++++++------------ csharp/test/codeql-pack.lock.yml | 24 ++++++++++++------------ go/lib/codeql-pack.lock.yml | 16 ++++++++-------- go/src/codeql-pack.lock.yml | 16 ++++++++-------- go/test/codeql-pack.lock.yml | 16 ++++++++-------- java/lib/codeql-pack.lock.yml | 24 ++++++++++++------------ java/src/codeql-pack.lock.yml | 24 ++++++++++++------------ java/test/codeql-pack.lock.yml | 24 ++++++++++++------------ javascript/lib/codeql-pack.lock.yml | 22 +++++++++++----------- javascript/src/codeql-pack.lock.yml | 22 +++++++++++----------- javascript/test/codeql-pack.lock.yml | 22 +++++++++++----------- python/lib/codeql-pack.lock.yml | 22 +++++++++++----------- python/src/codeql-pack.lock.yml | 22 +++++++++++----------- python/test/codeql-pack.lock.yml | 26 +++++++++++++------------- ruby/lib/codeql-pack.lock.yml | 18 +++++++++--------- ruby/src/codeql-pack.lock.yml | 18 +++++++++--------- ruby/test/codeql-pack.lock.yml | 22 +++++++++++----------- 21 files changed, 225 insertions(+), 225 deletions(-) diff --git a/cpp/lib/codeql-pack.lock.yml b/cpp/lib/codeql-pack.lock.yml index 1836bdf0..9eae5ae0 100644 --- a/cpp/lib/codeql-pack.lock.yml +++ b/cpp/lib/codeql-pack.lock.yml 
@@ -2,23 +2,23 @@ lockVersion: 1.0.0 dependencies: codeql/cpp-all: - version: 3.1.0 + version: 4.2.0 codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/rangeanalysis: - version: 1.0.14 + version: 1.0.21 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typeflow: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 codeql/xml: - version: 1.0.14 + version: 1.0.21 compiled: false diff --git a/cpp/src/codeql-pack.lock.yml b/cpp/src/codeql-pack.lock.yml index 122516db..f82f33c6 100644 --- a/cpp/src/codeql-pack.lock.yml +++ b/cpp/src/codeql-pack.lock.yml @@ -2,27 +2,27 @@ lockVersion: 1.0.0 dependencies: codeql/cpp-all: - version: 3.1.0 + version: 4.2.0 codeql/cpp-queries: - version: 1.3.1 + version: 1.3.8 codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/rangeanalysis: - version: 1.0.14 + version: 1.0.21 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/suite-helpers: - version: 1.0.14 + version: 1.0.21 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typeflow: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 codeql/xml: - version: 1.0.14 + version: 1.0.21 compiled: false diff --git a/cpp/test/codeql-pack.lock.yml b/cpp/test/codeql-pack.lock.yml index 122516db..f82f33c6 100644 --- a/cpp/test/codeql-pack.lock.yml +++ b/cpp/test/codeql-pack.lock.yml 
@@ -2,27 +2,27 @@ lockVersion: 1.0.0 dependencies: codeql/cpp-all: - version: 3.1.0 + version: 4.2.0 codeql/cpp-queries: - version: 1.3.1 + version: 1.3.8 codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/rangeanalysis: - version: 1.0.14 + version: 1.0.21 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/suite-helpers: - version: 1.0.14 + version: 1.0.21 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typeflow: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 codeql/xml: - version: 1.0.14 + version: 1.0.21 compiled: false diff --git a/csharp/lib/codeql-pack.lock.yml b/csharp/lib/codeql-pack.lock.yml index 59224418..c881b6fc 100644 --- a/csharp/lib/codeql-pack.lock.yml +++ b/csharp/lib/codeql-pack.lock.yml @@ -2,23 +2,23 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 1.0.14 + version: 2.0.5 codeql/csharp-all: - version: 4.0.1 + version: 5.1.4 codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/threat-models: - version: 1.0.14 + version: 1.0.21 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 codeql/xml: - version: 1.0.14 + version: 1.0.21 compiled: false diff --git a/csharp/src/codeql-pack.lock.yml b/csharp/src/codeql-pack.lock.yml index 1cf89a4d..a4a82e27 100644 --- a/csharp/src/codeql-pack.lock.yml +++ b/csharp/src/codeql-pack.lock.yml 
@@ -2,27 +2,27 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 1.0.14 + version: 2.0.5 codeql/csharp-all: - version: 4.0.1 + version: 5.1.4 codeql/csharp-queries: - version: 1.0.14 + version: 1.1.1 codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/suite-helpers: - version: 1.0.14 + version: 1.0.21 codeql/threat-models: - version: 1.0.14 + version: 1.0.21 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 codeql/xml: - version: 1.0.14 + version: 1.0.21 compiled: false diff --git a/csharp/test/codeql-pack.lock.yml b/csharp/test/codeql-pack.lock.yml index 1cf89a4d..a4a82e27 100644 --- a/csharp/test/codeql-pack.lock.yml +++ b/csharp/test/codeql-pack.lock.yml @@ -2,27 +2,27 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 1.0.14 + version: 2.0.5 codeql/csharp-all: - version: 4.0.1 + version: 5.1.4 codeql/csharp-queries: - version: 1.0.14 + version: 1.1.1 codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/suite-helpers: - version: 1.0.14 + version: 1.0.21 codeql/threat-models: - version: 1.0.14 + version: 1.0.21 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 codeql/xml: - version: 1.0.14 + version: 1.0.21 compiled: false diff --git a/go/lib/codeql-pack.lock.yml b/go/lib/codeql-pack.lock.yml index cc844e57..8b83cae2 100644 --- a/go/lib/codeql-pack.lock.yml +++ b/go/lib/codeql-pack.lock.yml 
@@ -2,19 +2,19 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 2.0.4 + version: 2.0.5 codeql/go-all: - version: 4.2.2 + version: 4.2.3 codeql/mad: - version: 1.0.20 + version: 1.0.21 codeql/ssa: - version: 1.0.20 + version: 1.1.0 codeql/threat-models: - version: 1.0.20 + version: 1.0.21 codeql/tutorial: - version: 1.0.20 + version: 1.0.21 codeql/typetracking: - version: 2.0.4 + version: 2.0.5 codeql/util: - version: 2.0.7 + version: 2.0.8 compiled: false diff --git a/go/src/codeql-pack.lock.yml b/go/src/codeql-pack.lock.yml index e54c0957..8b83cae2 100644 --- a/go/src/codeql-pack.lock.yml +++ b/go/src/codeql-pack.lock.yml @@ -2,19 +2,19 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/go-all: - version: 3.0.1 + version: 4.2.3 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/threat-models: - version: 1.0.14 + version: 1.0.21 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 compiled: false diff --git a/go/test/codeql-pack.lock.yml b/go/test/codeql-pack.lock.yml index e54c0957..8b83cae2 100644 --- a/go/test/codeql-pack.lock.yml +++ b/go/test/codeql-pack.lock.yml @@ -2,19 +2,19 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/go-all: - version: 3.0.1 + version: 4.2.3 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/threat-models: - version: 1.0.14 + version: 1.0.21 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 compiled: false diff --git a/java/lib/codeql-pack.lock.yml b/java/lib/codeql-pack.lock.yml index b8f35e61..708d4020 100644 --- a/java/lib/codeql-pack.lock.yml +++ b/java/lib/codeql-pack.lock.yml 
@@ -2,27 +2,27 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/java-all: - version: 6.0.0 + version: 7.1.3 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/rangeanalysis: - version: 1.0.14 + version: 1.0.21 codeql/regex: - version: 1.0.14 + version: 1.0.21 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/threat-models: - version: 1.0.14 + version: 1.0.21 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typeflow: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 codeql/xml: - version: 1.0.14 + version: 1.0.21 compiled: false diff --git a/java/src/codeql-pack.lock.yml b/java/src/codeql-pack.lock.yml index b8f35e61..708d4020 100644 --- a/java/src/codeql-pack.lock.yml +++ b/java/src/codeql-pack.lock.yml @@ -2,27 +2,27 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/java-all: - version: 6.0.0 + version: 7.1.3 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/rangeanalysis: - version: 1.0.14 + version: 1.0.21 codeql/regex: - version: 1.0.14 + version: 1.0.21 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/threat-models: - version: 1.0.14 + version: 1.0.21 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typeflow: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 codeql/xml: - version: 1.0.14 + version: 1.0.21 compiled: false diff --git a/java/test/codeql-pack.lock.yml b/java/test/codeql-pack.lock.yml index b8f35e61..708d4020 100644 --- a/java/test/codeql-pack.lock.yml +++ b/java/test/codeql-pack.lock.yml 
@@ -2,27 +2,27 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/java-all: - version: 6.0.0 + version: 7.1.3 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/rangeanalysis: - version: 1.0.14 + version: 1.0.21 codeql/regex: - version: 1.0.14 + version: 1.0.21 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/threat-models: - version: 1.0.14 + version: 1.0.21 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typeflow: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 codeql/xml: - version: 1.0.14 + version: 1.0.21 compiled: false diff --git a/javascript/lib/codeql-pack.lock.yml b/javascript/lib/codeql-pack.lock.yml index 3a11520c..e9f70de3 100644 --- a/javascript/lib/codeql-pack.lock.yml +++ b/javascript/lib/codeql-pack.lock.yml @@ -2,25 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/javascript-all: - version: 2.2.1 + version: 2.6.1 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/regex: - version: 1.0.14 + version: 1.0.21 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/threat-models: - version: 1.0.14 + version: 1.0.21 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 codeql/xml: - version: 1.0.14 + version: 1.0.21 codeql/yaml: - version: 1.0.14 + version: 1.0.21 compiled: false diff --git a/javascript/src/codeql-pack.lock.yml b/javascript/src/codeql-pack.lock.yml index 3a11520c..e9f70de3 100644 --- a/javascript/src/codeql-pack.lock.yml +++ b/javascript/src/codeql-pack.lock.yml 
@@ -2,25 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/javascript-all: - version: 2.2.1 + version: 2.6.1 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/regex: - version: 1.0.14 + version: 1.0.21 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/threat-models: - version: 1.0.14 + version: 1.0.21 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 codeql/xml: - version: 1.0.14 + version: 1.0.21 codeql/yaml: - version: 1.0.14 + version: 1.0.21 compiled: false diff --git a/javascript/test/codeql-pack.lock.yml b/javascript/test/codeql-pack.lock.yml index 3a11520c..e9f70de3 100644 --- a/javascript/test/codeql-pack.lock.yml +++ b/javascript/test/codeql-pack.lock.yml @@ -2,25 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/javascript-all: - version: 2.2.1 + version: 2.6.1 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/regex: - version: 1.0.14 + version: 1.0.21 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/threat-models: - version: 1.0.14 + version: 1.0.21 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 codeql/xml: - version: 1.0.14 + version: 1.0.21 codeql/yaml: - version: 1.0.14 + version: 1.0.21 compiled: false diff --git a/python/lib/codeql-pack.lock.yml b/python/lib/codeql-pack.lock.yml index dbcc41af..ce687ca2 100644 --- a/python/lib/codeql-pack.lock.yml +++ b/python/lib/codeql-pack.lock.yml 
@@ -2,25 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 2.0.4 + version: 2.0.5 codeql/mad: - version: 1.0.20 + version: 1.0.21 codeql/python-all: - version: 4.0.4 + version: 4.0.5 codeql/regex: - version: 1.0.20 + version: 1.0.21 codeql/ssa: - version: 1.0.20 + version: 1.1.0 codeql/threat-models: - version: 1.0.20 + version: 1.0.21 codeql/tutorial: - version: 1.0.20 + version: 1.0.21 codeql/typetracking: - version: 2.0.4 + version: 2.0.5 codeql/util: - version: 2.0.7 + version: 2.0.8 codeql/xml: - version: 1.0.20 + version: 1.0.21 codeql/yaml: - version: 1.0.20 + version: 1.0.21 compiled: false diff --git a/python/src/codeql-pack.lock.yml b/python/src/codeql-pack.lock.yml index c265ea79..ce687ca2 100644 --- a/python/src/codeql-pack.lock.yml +++ b/python/src/codeql-pack.lock.yml @@ -2,25 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/python-all: - version: 3.1.0 + version: 4.0.5 codeql/regex: - version: 1.0.14 + version: 1.0.21 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/threat-models: - version: 1.0.14 + version: 1.0.21 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 codeql/xml: - version: 1.0.14 + version: 1.0.21 codeql/yaml: - version: 1.0.14 + version: 1.0.21 compiled: false diff --git a/python/test/codeql-pack.lock.yml b/python/test/codeql-pack.lock.yml index 134d75c3..5f1f66d3 100644 --- a/python/test/codeql-pack.lock.yml +++ b/python/test/codeql-pack.lock.yml 
@@ -2,29 +2,29 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/dataflow:
- version: 1.1.8
+ version: 2.0.5
 codeql/mad:
- version: 1.0.14
+ version: 1.0.21
 codeql/python-all:
- version: 3.1.0
+ version: 4.0.5
 codeql/python-queries:
- version: 1.4.0
+ version: 1.4.7
 codeql/regex:
- version: 1.0.14
+ version: 1.0.21
 codeql/ssa:
- version: 1.0.14
+ version: 1.1.0
 codeql/suite-helpers:
- version: 1.0.14
+ version: 1.0.21
 codeql/threat-models:
- version: 1.0.14
+ version: 1.0.21
 codeql/tutorial:
- version: 1.0.14
+ version: 1.0.21
 codeql/typetracking:
- version: 1.0.14
+ version: 2.0.5
 codeql/util:
- version: 2.0.1
+ version: 2.0.8
 codeql/xml:
- version: 1.0.14
+ version: 1.0.21
 codeql/yaml:
- version: 1.0.14
+ version: 1.0.21
 compiled: false
diff --git a/ruby/lib/codeql-pack.lock.yml b/ruby/lib/codeql-pack.lock.yml
index c22d69e5..fc285fe4 100644
--- a/ruby/lib/codeql-pack.lock.yml
+++ b/ruby/lib/codeql-pack.lock.yml
@@ -2,21 +2,21 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/controlflow:
- version: 1.0.14
+ version: 2.0.5
 codeql/dataflow:
- version: 1.1.8
+ version: 2.0.5
 codeql/mad:
- version: 1.0.14
+ version: 1.0.21
 codeql/regex:
- version: 1.0.14
+ version: 1.0.21
 codeql/ruby-all:
- version: 3.0.1
+ version: 4.1.4
 codeql/ssa:
- version: 1.0.14
+ version: 1.1.0
 codeql/tutorial:
- version: 1.0.14
+ version: 1.0.21
 codeql/typetracking:
- version: 1.0.14
+ version: 2.0.5
 codeql/util:
- version: 2.0.1
+ version: 2.0.8
 compiled: false
diff --git a/ruby/src/codeql-pack.lock.yml b/ruby/src/codeql-pack.lock.yml
index c22d69e5..fc285fe4 100644
--- a/ruby/src/codeql-pack.lock.yml
+++ b/ruby/src/codeql-pack.lock.yml
@@ -2,21 +2,21 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/controlflow:
- version: 1.0.14
+ version: 2.0.5
 codeql/dataflow:
- version: 1.1.8
+ version: 2.0.5
 codeql/mad:
- version: 1.0.14
+ version: 1.0.21
 codeql/regex:
- version: 1.0.14
+ version: 1.0.21
 codeql/ruby-all:
- version: 3.0.1
+ version: 4.1.4
 codeql/ssa:
- version: 1.0.14
+ version: 1.1.0
 codeql/tutorial:
- version: 1.0.14
+ version: 1.0.21
 codeql/typetracking:
- version: 1.0.14
+ version: 2.0.5
 codeql/util:
- version: 2.0.1
+ version: 2.0.8
 compiled: false
diff --git a/ruby/test/codeql-pack.lock.yml b/ruby/test/codeql-pack.lock.yml
index d37c8e43..ccb3b340 100644
--- a/ruby/test/codeql-pack.lock.yml
+++ b/ruby/test/codeql-pack.lock.yml
@@ -2,25 +2,25 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/controlflow:
- version: 1.0.14
+ version: 2.0.5
 codeql/dataflow:
- version: 1.1.8
+ version: 2.0.5
 codeql/mad:
- version: 1.0.14
+ version: 1.0.21
 codeql/regex:
- version: 1.0.14
+ version: 1.0.21
 codeql/ruby-all:
- version: 3.0.1
+ version: 4.1.4
 codeql/ruby-queries:
- version: 1.1.9
+ version: 1.2.0
 codeql/ssa:
- version: 1.0.14
+ version: 1.1.0
 codeql/suite-helpers:
- version: 1.0.14
+ version: 1.0.21
 codeql/tutorial:
- version: 1.0.14
+ version: 1.0.21
 codeql/typetracking:
- version: 1.0.14
+ version: 2.0.5
 codeql/util:
- version: 2.0.1
+ version: 2.0.8
 compiled: false
From 99ca4b350021c657c6c866768e5037c0fefa8c46 Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Tue, 29 Apr 2025 12:26:53 -0400
Subject: [PATCH 3/5] Update codeql version to 2.21.1
---
 .codeqlversion | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.codeqlversion b/.codeqlversion
index 0352eb17..bd9c5599 100644
--- a/.codeqlversion
+++ b/.codeqlversion
@@ -1 +1 @@
-2.20.1
\ No newline at end of file
+2.21.1
\ No newline at end of file
From 7800ee51b32b665f54468beb2d3e69038989c726 Mon Sep 17 00:00:00 2001
From: Jami Cogswell Date: Mon, 28 Apr 2025 18:53:45 -0400 Subject: [PATCH 4/5] Fix compilation errors --- .../src/security/CWE-089/MyBatisCommonLib.qll | 1 - .../CWE-089/MyBatisMapperXmlSqlInjection.ql | 2 +- .../MyBatisMapperXmlSqlInjectionLib.qll | 2 +- .../BothSidesRequestForgeryQuery.qll | 17 +++-- .../BrowserInjectionFieldCustomizations.qll | 3 +- .../BrowserInjectionFieldQuery.qll | 47 ++++++++++++++ .../BrowserInjectionObjectCustomizations.qll | 3 +- .../browserextension/CodeInjectionQuery.qll | 17 +++-- javascript/lib/ghsl/InsecureIV.qll | 62 +++++++++---------- .../CWE-094/BrowserExtensionCodeInjection.ql | 6 +- .../audit/CWE-918/BrowserRequestForgery.ql | 6 +- .../browserAPI/BrowserInjectionFieldQuery.ql | 58 ++--------------- .../browserAPI/BrowserInjectionObjectQuery.ql | 47 +++++++------- .../src/audit/templates/BackwardsDataFlow.ql | 17 +++-- .../src/audit/templates/ForwardDataFlow.ql | 19 +++--- javascript/src/security/CWE-079/XSSReact.ql | 21 +++---- javascript/src/security/CWE-329/InsecureIV.ql | 12 ++-- 17 files changed, 162 insertions(+), 178 deletions(-) create mode 100644 javascript/lib/browserextension/BrowserInjectionFieldQuery.qll diff --git a/java/src/security/CWE-089/MyBatisCommonLib.qll b/java/src/security/CWE-089/MyBatisCommonLib.qll index 9a0a8232..dd24b872 100644 --- a/java/src/security/CWE-089/MyBatisCommonLib.qll +++ b/java/src/security/CWE-089/MyBatisCommonLib.qll @@ -3,7 +3,6 @@ */ import java -import semmle.code.xml.MyBatisMapperXML import semmle.code.java.dataflow.FlowSources import semmle.code.java.frameworks.MyBatis import semmle.code.java.frameworks.Properties diff --git a/java/src/security/CWE-089/MyBatisMapperXmlSqlInjection.ql b/java/src/security/CWE-089/MyBatisMapperXmlSqlInjection.ql index 5d4802a3..e347b40f 100644 --- a/java/src/security/CWE-089/MyBatisMapperXmlSqlInjection.ql +++ b/java/src/security/CWE-089/MyBatisMapperXmlSqlInjection.ql 
@@ -14,7 +14,7 @@ import java import MyBatisCommonLib import MyBatisMapperXmlSqlInjectionLib -import semmle.code.xml.MyBatisMapperXML +import semmle.code.java.frameworks.MyBatis import semmle.code.java.dataflow.FlowSources private import semmle.code.java.security.Sanitizers import MyBatisMapperXmlSqlInjectionFlow::PathGraph diff --git a/java/src/security/CWE-089/MyBatisMapperXmlSqlInjectionLib.qll b/java/src/security/CWE-089/MyBatisMapperXmlSqlInjectionLib.qll index a6852a5c..e0986261 100644 --- a/java/src/security/CWE-089/MyBatisMapperXmlSqlInjectionLib.qll +++ b/java/src/security/CWE-089/MyBatisMapperXmlSqlInjectionLib.qll @@ -3,7 +3,7 @@ */ import java -import semmle.code.xml.MyBatisMapperXML +import semmle.code.java.frameworks.MyBatis import semmle.code.java.dataflow.FlowSources import semmle.code.java.frameworks.Properties diff --git a/javascript/lib/browserextension/BothSidesRequestForgeryQuery.qll b/javascript/lib/browserextension/BothSidesRequestForgeryQuery.qll index b0685e22..96de624c 100644 --- a/javascript/lib/browserextension/BothSidesRequestForgeryQuery.qll +++ b/javascript/lib/browserextension/BothSidesRequestForgeryQuery.qll @@ -16,10 +16,8 @@ * A taint tracking configuration for client-side request forgery. * Server side is disabled since this is in the browser, but the extra models can be enabled for extra coverage */ - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "ClientSideRequestForgery" } - - override predicate isSource(DataFlow::Node source) { + module Config implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { exists(Source src | source = src and not src.isServerSide() 
@@ -27,20 +25,21 @@ source instanceof OnMessageExternal or source instanceof OnConnectExternal } - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) or + predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } - override predicate isSanitizerOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) } + predicate isBarrierOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) } - override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { isAdditionalRequestForgeryStep(pred, succ) } } + module ConfigFlow = TaintTracking::Global; + class BrowserStep extends DataFlow::SharedFlowStep { override predicate step(DataFlow::Node pred, DataFlow::Node succ) { (exists (DataFlow::ParameterNode p | diff --git a/javascript/lib/browserextension/BrowserInjectionFieldCustomizations.qll b/javascript/lib/browserextension/BrowserInjectionFieldCustomizations.qll index 3ccab77d..103a8459 100644 --- a/javascript/lib/browserextension/BrowserInjectionFieldCustomizations.qll +++ b/javascript/lib/browserextension/BrowserInjectionFieldCustomizations.qll @@ -9,7 +9,6 @@ private import semmle.javascript.security.dataflow.XssThroughDomCustomizations:: module BrowserInjection { - private import DataFlow::FlowLabel /** * A data flow source for Chrome API injection vulnerabilities. */ @@ -17,7 +16,7 @@ module BrowserInjection { - DataFlow::FlowLabel getFlowLabel() { result = "BrowserSource" } + string getFlowLabel() { result = "BrowserSource" } } /** diff --git a/javascript/lib/browserextension/BrowserInjectionFieldQuery.qll b/javascript/lib/browserextension/BrowserInjectionFieldQuery.qll new file mode 100644 index 00000000..34e84004 --- /dev/null +++ b/javascript/lib/browserextension/BrowserInjectionFieldQuery.qll 
@@ -0,0 +1,47 @@ + import javascript + private import browserextension.BrowserInjectionFieldCustomizations::BrowserInjection + private import semmle.javascript.security.dataflow.XssThroughDomCustomizations::XssThroughDom as XssThroughDom + + //private import semmle.javascript.security.dataflow.DomBasedXssCustomizations + //private import semmle.javascript.security.dataflow.XssThroughDomCustomizations::XssThroughDom as XssThroughDom + + //private import semmle.javascript.security.dataflow.CodeInjectionCustomizations + + module Config implements DataFlow::ConfigSig { + + predicate isSource(DataFlow::Node source) { + source instanceof Source + } + + predicate isSink(DataFlow::Node sink) { + sink instanceof Sink + } + + additional predicate isAdditionalLoadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) { + (pred = succ) and + ((pred instanceof Update and prop = ["url", "openerTabId"]) + or + (pred instanceof DownloadsDangerous and prop = ["body", "conflictAction","filename", "url", "method"]) + or + (pred instanceof Delete and prop = ["startTime", "endTime", "url"]) + //or + //(pred instanceof SetContentSettings and succ instanceof SetContentSettings and prop = any(string s)) + //or + //(pred instanceof GetContentSettings and succ instanceof GetContentSettings and prop = any(string s)) + //(pred instanceof StorageSet and succ instanceof StorageSet and prop = any(string s)) + //or + //(pred instanceof SearchHistory and prop = any(string s)) + or + (pred instanceof GetCookie and prop = ["domain", "firstPartyDomain", "name", "url", "session", "path", "storeId"]) + or + (pred instanceof UpdateBookmarks and prop= ["title", "url"]) + or + (pred = succ and pred instanceof RemoveBrowsingData and prop = ["cookieStoreId", "hostnames", "originTypes", "since"]) + or + (pred = succ and pred instanceof AddHistory and prop = ["url"]) + or + (pred = succ and pred instanceof CreateWindows and prop = ["url"])) + } + } + + module ConfigFlow = TaintTracking::Global; 
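Review bot: `isAdditionalLoadStep` is declared `additional`, which places it outside `DataFlow::ConfigSig`, so `TaintTracking::Global` never consults it and the per-property steps for `Update`, `DownloadsDangerous`, `Delete`, `GetCookie`, `UpdateBookmarks`, `RemoveBrowsingData`, `AddHistory` and `CreateWindows` are now dead code, whereas the `override` in the removed `TaintTracking::Configuration` made them real load steps. The same construct is carried over into `CodeInjectionQuery.qll` (the `ExecuteScript` `["file", "code"]` step). Unless the installed library offers an equivalent property-aware hook (that mechanism differs between `codeql/javascript-all` versions — confirm against the version the lockfiles pin), these steps should be re-expressed through `isAdditionalFlowStep`, or the predicate deleted together with the commented-out imports and disjuncts so the loss of coverage is explicit rather than silent. The follow-up test-fix commit's diffstat lists no expected file for this query, so no test in the series would surface the difference.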
diff --git a/javascript/lib/browserextension/BrowserInjectionObjectCustomizations.qll b/javascript/lib/browserextension/BrowserInjectionObjectCustomizations.qll index db4302a8..65091204 100644 --- a/javascript/lib/browserextension/BrowserInjectionObjectCustomizations.qll +++ b/javascript/lib/browserextension/BrowserInjectionObjectCustomizations.qll @@ -8,7 +8,6 @@ private import browserextension.BrowserAPI module BrowserInjection { - private import DataFlow::FlowLabel /** * A data flow source for Chrome API injection vulnerabilities. */ @@ -16,7 +15,7 @@ module BrowserInjection { - DataFlow::FlowLabel getFlowLabel() { result = "BrowserSource" } + string getFlowLabel() { result = "BrowserSource" } } /** diff --git a/javascript/lib/browserextension/CodeInjectionQuery.qll b/javascript/lib/browserextension/CodeInjectionQuery.qll index 9f0e2677..4e760d9b 100644 --- a/javascript/lib/browserextension/CodeInjectionQuery.qll +++ b/javascript/lib/browserextension/CodeInjectionQuery.qll 
@@ -17,30 +17,29 @@ /** * A taint-tracking configuration for reasoning about code injection vulnerabilities. */ - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "CodeInjection" } + module Config implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof XssThroughDom::Source} - override predicate isSource(DataFlow::Node source) { source instanceof XssThroughDom::Source} + predicate isSink(DataFlow::Node sink) { sink instanceof Sink} - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink} - - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) or + predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } - override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) { + predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) { // HTML sanitizers are insufficient protection against code injection src = trg.(HtmlSanitizerCall).getInput() } - override predicate isAdditionalLoadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) { + additional predicate isAdditionalLoadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) { exists(ExecuteScript ess | ess = pred and ess = succ and prop = ["file", "code"]) } } + module ConfigFlow = TaintTracking::Global; + //Browser Extension Models class ExecuteScriptSink extends Sink instanceof ExecuteScript{} class ExternalConnect1 extends Source instanceof OnConnectExternal{} diff --git a/javascript/lib/ghsl/InsecureIV.qll b/javascript/lib/ghsl/InsecureIV.qll index bd9c6320..891941d8 100644 --- a/javascript/lib/ghsl/InsecureIV.qll +++ b/javascript/lib/ghsl/InsecureIV.qll 
@@ -2,47 +2,41 @@ import semmle.javascript.dataflow.TaintTracking import ghsl.CommandLine -class RandomTaintsSourceConfiguration extends TaintTracking::Configuration { - RandomTaintsSourceConfiguration() { this = "RandomTaintsSourceConfiguration" } +module RandomTaintsSourceConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { isSecureRandom(source) } - override predicate isSource(DataFlow::Node source) { - isSecureRandom(source) - } - - override predicate isSink(DataFlow::Node sink) { - not isSecureRandom(sink) - } + predicate isSink(DataFlow::Node sink) { not isSecureRandom(sink) } } -class InsecureIVConfiguration extends TaintTracking::Configuration { - InsecureIVConfiguration() { this = "InsecureIVConfiguration" } +module RandomTaintsSourceFlow = TaintTracking::Global; - override predicate isSource(DataFlow::Node source) { - exists(Literal literal|literal.flow() = source) - or - source instanceof DataFlow::ArrayLiteralNode - or - source instanceof RemoteFlowSource - or - source instanceof FileSystemReadAccess - or - source instanceof DatabaseAccess - or - source instanceof CommandLineArgument - or - // an external function that is not a known source of randomness - ( - source instanceof ExternalCallWithOutput - and not source instanceof CreateIVArgument - and not source instanceof SecureRandomSource - ) - } +module InsecureIVConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + exists(Literal literal | literal.flow() = source) + or + source instanceof DataFlow::ArrayLiteralNode + or + source instanceof RemoteFlowSource + or + source instanceof FileSystemReadAccess + or + source instanceof DatabaseAccess + or + source instanceof CommandLineArgument + or + // an external function that is not a known source of randomness + ( + source instanceof ExternalCallWithOutput + and not source instanceof CreateIVArgument + and not source instanceof SecureRandomSource + ) + } - override predicate 
isSink(DataFlow::Node sink) { - sink instanceof CreateIVArgument - } + predicate isSink(DataFlow::Node sink) { sink instanceof CreateIVArgument } } +module InsecureIVFlow = TaintTracking::Global; + class ExternalCallWithOutput extends DataFlow::Node { CallExpr call; diff --git a/javascript/src/audit/CWE-094/BrowserExtensionCodeInjection.ql b/javascript/src/audit/CWE-094/BrowserExtensionCodeInjection.ql index 09bbe1a8..f3320a0b 100644 --- a/javascript/src/audit/CWE-094/BrowserExtensionCodeInjection.ql +++ b/javascript/src/audit/CWE-094/BrowserExtensionCodeInjection.ql @@ -16,9 +16,9 @@ import javascript import browserextension.CodeInjectionQuery - import DataFlow::PathGraph + import ConfigFlow::PathGraph - from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink - where cfg.hasFlowPath(source, sink) + from ConfigFlow::PathNode source, ConfigFlow::PathNode sink + where ConfigFlow::flowPath(source, sink) select sink.getNode(), source, sink, sink.getNode().(Sink).getMessagePrefix() + " depends on a $@.", source.getNode(), "user-provided value" \ No newline at end of file diff --git a/javascript/src/audit/CWE-918/BrowserRequestForgery.ql b/javascript/src/audit/CWE-918/BrowserRequestForgery.ql index c804635a..9c5590ec 100644 --- a/javascript/src/audit/CWE-918/BrowserRequestForgery.ql +++ b/javascript/src/audit/CWE-918/BrowserRequestForgery.ql 
@@ -13,11 +13,11 @@ import javascript import browserextension.BothSidesRequestForgeryQuery - import DataFlow::PathGraph + import ConfigFlow::PathGraph - from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node request + from ConfigFlow::PathNode source, ConfigFlow::PathNode sink, DataFlow::Node request where - cfg.hasFlowPath(source, sink) and + ConfigFlow::flowPath(source, sink) and request = sink.getNode().(Sink).getARequest() select request, source, sink, "The $@ of this request depends on a $@.", sink.getNode(), sink.getNode().(Sink).getKind(), source, "user-provided value" \ No newline at end of file diff --git a/javascript/src/audit/browserAPI/BrowserInjectionFieldQuery.ql b/javascript/src/audit/browserAPI/BrowserInjectionFieldQuery.ql index 4d028cfe..ffec5e54 100644 --- a/javascript/src/audit/browserAPI/BrowserInjectionFieldQuery.ql +++ b/javascript/src/audit/browserAPI/BrowserInjectionFieldQuery.ql 
@@ -11,58 +11,10 @@ import javascript - import DataFlow::PathGraph - import DataFlow - import browserextension.BrowserInjectionFieldCustomizations::BrowserInjection - private import semmle.javascript.security.dataflow.XssThroughDomCustomizations::XssThroughDom as XssThroughDom - - //private import semmle.javascript.security.dataflow.DomBasedXssCustomizations - //private import semmle.javascript.security.dataflow.XssThroughDomCustomizations::XssThroughDom as XssThroughDom - - //private import semmle.javascript.security.dataflow.CodeInjectionCustomizations - - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "BrowserInjection" } - - override predicate isSource(DataFlow::Node source) { - source instanceof Source - } - - override predicate isSink(DataFlow::Node sink) { - sink instanceof Sink - } - - override predicate isAdditionalLoadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) { - (pred = succ) and - ((pred instanceof Update and prop = ["url", "openerTabId"]) - or - (pred instanceof DownloadsDangerous and prop = ["body", "conflictAction","filename", "url", "method"]) - or - (pred instanceof Delete and prop = ["startTime", "endTime", "url"]) - //or - //(pred instanceof SetContentSettings and succ instanceof SetContentSettings and prop = any(string s)) - //or - //(pred instanceof GetContentSettings and succ instanceof GetContentSettings and prop = any(string s)) - //(pred instanceof StorageSet and succ instanceof StorageSet and prop = any(string s)) - //or - //(pred instanceof SearchHistory and prop = any(string s)) - or - (pred instanceof GetCookie and prop = ["domain", "firstPartyDomain", "name", "url", "session", "path", "storeId"]) - or - (pred instanceof UpdateBookmarks and prop= ["title", "url"]) - or - (pred = succ and pred instanceof RemoveBrowsingData and prop = ["cookieStoreId", "hostnames", "originTypes", "since"]) - or - (pred = succ and pred instanceof AddHistory and prop = ["url"]) - or - (pred = succ and 
pred instanceof CreateWindows and prop = ["url"])) - } - } - - - from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink - where cfg.hasFlowPath(source, sink) + import ConfigFlow::PathGraph + import browserextension.BrowserInjectionFieldQuery + + from ConfigFlow::PathNode source, ConfigFlow::PathNode sink + where ConfigFlow::flowPath(source, sink) select sink.getNode(), source, sink, sink.getNode() + " depends on a $@.", source.getNode(), "user-provided value" - - \ No newline at end of file diff --git a/javascript/src/audit/browserAPI/BrowserInjectionObjectQuery.ql b/javascript/src/audit/browserAPI/BrowserInjectionObjectQuery.ql index b355999e..66292b73 100644 --- a/javascript/src/audit/browserAPI/BrowserInjectionObjectQuery.ql +++ b/javascript/src/audit/browserAPI/BrowserInjectionObjectQuery.ql 
@@ -9,55 +9,58 @@ * @tags security */ - import javascript - import DataFlow::PathGraph + import ConfigFlow::PathGraph import browserextension.BrowserInjectionObjectCustomizations::BrowserInjection import DataFlow private import semmle.javascript.security.dataflow.XssThroughDomCustomizations::XssThroughDom as XssThroughDom - class ObjectLabel extends DataFlow::FlowLabel { - ObjectLabel() { - this = "Object" - } + class ObjectState extends string { + ObjectState() { this = "Object" } } /** * Gets either a standard flow label or the partial-taint label. */ - DataFlow::FlowLabel anyLabel() { - result.isDataOrTaint() - } + string anyLabel() { result = ["data", "taint"] } - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "BrowserInjection" } - - override predicate isSource(DataFlow::Node source) { - source instanceof Source // optional: or source instanceof XssThroughDom::Source + module Config implements DataFlow::StateConfigSig { + class FlowState extends string { + FlowState() { this = anyLabel() or this instanceof ObjectState } + } + + predicate isSource(DataFlow::Node source, FlowState state) { + source instanceof Source and // optional: or source instanceof XssThroughDom::Source + ( + state = anyLabel() + or + state instanceof ObjectState + ) } - override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) { - sink instanceof Sink and lbl instanceof ObjectLabel + predicate isSink(DataFlow::Node sink, FlowState state) { + sink instanceof Sink and state instanceof ObjectState } - override predicate isAdditionalFlowStep( - DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl + predicate isAdditionalFlowStep( + DataFlow::Node src, FlowState inState, DataFlow::Node trg, FlowState outState ) { // writing a tainted value to an object property makes the object tainted with ObjectLabel exists(DataFlow::PropWrite write | write.getRhs() = src and - inlbl = anyLabel() and + inState = 
anyLabel() and trg.(DataFlow::SourceNode).flowsTo(write.getBase()) and - outlbl instanceof ObjectLabel + outState instanceof ObjectState ) } } + module ConfigFlow = TaintTracking::GlobalWithState; - from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink - where cfg.hasFlowPath(source, sink) + from ConfigFlow::PathNode source, ConfigFlow::PathNode sink + where ConfigFlow::flowPath(source, sink) select sink.getNode(), source, sink, sink.getNode() + " depends on a $@.", source.getNode(), "user-provided value" diff --git a/javascript/src/audit/templates/BackwardsDataFlow.ql b/javascript/src/audit/templates/BackwardsDataFlow.ql index bbdaaaf6..24da0e03 100644 --- a/javascript/src/audit/templates/BackwardsDataFlow.ql +++ b/javascript/src/audit/templates/BackwardsDataFlow.ql @@ -9,23 +9,22 @@ */ import javascript - import DataFlow::PathGraph - import semmle.javascript.explore.BackwardDataFlow + import BackwardDataFlow::PathGraph - class BackwardDataFlowConfig extends TaintTracking::Configuration { - BackwardDataFlowConfig() { this = "BackwardDataFlowConfig" } + module BackwardDataFlowConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { any() } - // `isSource` is ignored when `semmle.javascript.explore.BackwardDataFlow` is imported. - - override predicate isSink(DataFlow::Node sink) { + predicate isSink(DataFlow::Node sink) { // Define the sink to run the backwards dataflow from. Eg: // sink = API::moduleImport("module").getMember("method").getParameter(0).asSink() none() } } + + module BackwardDataFlow = TaintTracking::Global; - from BackwardDataFlowConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink - where cfg.hasFlowPath(source, sink) + from BackwardDataFlow::PathNode source, BackwardDataFlow::PathNode sink + where BackwardDataFlow::flowPath(source, sink) select sink.getNode(), source, sink, "This node receives taint from $@.", source.getNode(), "this source" \ No newline at end of file 
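Review bot: `isSource` now admits `state instanceof ObjectState` in addition to `anyLabel()`, so a `Source` can reach a `Sink` (which requires `ObjectState`) directly, without passing through the `PropWrite` step in `isAdditionalFlowStep`; the removed `Configuration` started sources only in the default label and demanded `ObjectLabel` at the sink, so this widens the result set rather than migrating it one-to-one. Restricting the source state restores the old meaning: `predicate isSource(DataFlow::Node source, FlowState state) { source instanceof Source and state = anyLabel() }`. Separately, the hunk drops `import javascript` while still using `DataFlow`, `TaintTracking::GlobalWithState` and `import DataFlow`; if this compiles it is presumably through a transitive non-private import of the customizations module, which is fragile — keeping the explicit `import javascript` costs nothing.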
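Review bot: `predicate isSource(DataFlow::Node source) { any() }` makes every node a source, and the comment that previously explained the unrestricted end (`isSource` is ignored when `semmle.javascript.explore.BackwardDataFlow` is imported) was removed without a replacement, so a reader of the template no longer learns why; the same applies to the `any()` sink in `ForwardDataFlow.ql`. A one-line comment above the predicate would do, e.g. `// Every node is a source: the template explores all taint that reaches the sink defined below.` It is also worth stating in the query header that, with an unrestricted source, every intermediate node on a path is itself a source, so `flowPath` presumably yields one path per (source, sink) pair rather than the single exploration the old `explore` library produced.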
diff --git a/javascript/src/audit/templates/ForwardDataFlow.ql b/javascript/src/audit/templates/ForwardDataFlow.ql index f8e622ba..e466e5af 100644 --- a/javascript/src/audit/templates/ForwardDataFlow.ql +++ b/javascript/src/audit/templates/ForwardDataFlow.ql @@ -9,23 +9,22 @@ */ import javascript - import DataFlow::PathGraph - import semmle.javascript.explore.ForwardDataFlow + import ForwardDataFlow::PathGraph - class ForwardDataFlowConfig extends TaintTracking::Configuration { - ForwardDataFlowConfig() { this = "ForwardDataFlowConfig" } - - override predicate isSource(DataFlow::Node source) { + module ForwardDataFlowConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { // Define the source to run the forward dataflow from. Eg: // source = API::moduleImport(_).getMember("method").getReturn().asSource() none() } - - // `isSink` is ignored when `semmle.javascript.explore.ForwardDataFlow` is imported. + + predicate isSink(DataFlow::Node sink) { any() } } + + module ForwardDataFlow = TaintTracking::Global; - from ForwardDataFlowConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink - where cfg.hasFlowPath(source, sink) + from ForwardDataFlow::PathNode source, ForwardDataFlow::PathNode sink + where ForwardDataFlow::flowPath(source, sink) select sink.getNode(), source, sink, "This node receives taint from $@.", source.getNode(), "this source" \ No newline at end of file diff --git a/javascript/src/security/CWE-079/XSSReact.ql b/javascript/src/security/CWE-079/XSSReact.ql index cff5547a..3db669a6 100644 --- a/javascript/src/security/CWE-079/XSSReact.ql +++ b/javascript/src/security/CWE-079/XSSReact.ql 
@@ -16,24 +16,21 @@ import javascript private import semmle.javascript.security.dataflow.XssThroughDomCustomizations private import semmle.javascript.security.dataflow.DomBasedXssCustomizations private import semmle.javascript.security.dataflow.Xss::Shared as Shared -import DataFlow::PathGraph +import XssFlow::PathGraph /** * A taint-tracking configuration for reasoning about XSS. */ -class XssConfiguration extends TaintTracking::Configuration { - XssConfiguration() { this = "XssReact" } +module XssConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof XssThroughDom::Source } - override predicate isSource(DataFlow::Node source) { source instanceof XssThroughDom::Source } + predicate isSink(DataFlow::Node sink) { sink instanceof DomBasedXss::Sink } - override predicate isSink(DataFlow::Node sink) { sink instanceof DomBasedXss::Sink } - - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) or - node instanceof DomBasedXss::Sanitizer - } + predicate isBarrier(DataFlow::Node node) { node instanceof DomBasedXss::Sanitizer } } +module XssFlow = TaintTracking::Global; + // Additional Source class ReactUseQueryParams extends XssThroughDom::Source { ReactUseQueryParams() { @@ -42,7 +39,7 @@ class ReactUseQueryParams extends XssThroughDom::Source { } } -from XssConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasFlowPath(source, sink) +from XssFlow::PathNode source, XssFlow::PathNode sink +where XssFlow::flowPath(source, sink) select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.", source.getNode(), "user-provided value" diff --git a/javascript/src/security/CWE-329/InsecureIV.ql b/javascript/src/security/CWE-329/InsecureIV.ql index 95aa442e..e4b50216 100644 --- a/javascript/src/security/CWE-329/InsecureIV.ql +++ b/javascript/src/security/CWE-329/InsecureIV.ql 
@@ -15,16 +15,14 @@ import javascript import semmle.javascript.dataflow.TaintTracking -import DataFlow::PathGraph +import InsecureIVFlow::PathGraph import ghsl.InsecureIV -from InsecureIVConfiguration insecurecfg, DataFlow::PathNode source, DataFlow::PathNode sink +from InsecureIVFlow::PathNode source, InsecureIVFlow::PathNode sink where - insecurecfg.hasFlowPath(source, sink) and - not exists(DataFlow::Node randomSource, RandomTaintsSourceConfiguration randomConfig | - randomSource instanceof SecureRandomSource - | - randomConfig.hasFlow(randomSource, source.getNode()) + InsecureIVFlow::flowPath(source, sink) and + not exists(DataFlow::Node randomSource | randomSource instanceof SecureRandomSource | + RandomTaintsSourceFlow::flow(randomSource, source.getNode()) ) and not knownCryptTest(sink.getNode()) select sink, source, sink, From 0d767fd995d2614a56e67862760402920355487e Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Tue, 29 Apr 2025 13:34:21 -0400 Subject: [PATCH 5/5] Fix test errors --- go/test/security/CWE-078/cmdi.expected | 4 +- java/test/security/CWE-016/options | 2 +- java/test/security/CWE-022/options | 2 +- java/test/security/CWE-089/src/main/options | 2 +- java/test/security/CWE-094/options | 2 +- java/test/security/CWE-1004/options | 2 +- .../InsecureWebResourceResponse.expected | 29 +++--- java/test/security/CWE-348/options | 2 +- java/test/security/CWE-352/options | 2 +- java/test/security/CWE-470/options | 2 +- java/test/security/CWE-502/options | 2 +- java/test/security/CWE-601/options | 2 +- java/test/security/CWE-625/options | 2 +- java/test/security/CWE-652/options | 2 +- .../test/security/CWE-079/XSSReact.expected | 37 +++----- .../test/security/CWE-329/InsecureIV.expected | 92 ++++--------------- 16 files changed, 60 insertions(+), 126 deletions(-) diff --git a/go/test/security/CWE-078/cmdi.expected b/go/test/security/CWE-078/cmdi.expected index 1f936541..93224d71 100644 --- a/go/test/security/CWE-078/cmdi.expected 
+++ b/go/test/security/CWE-078/cmdi.expected
@@ -1,6 +1,6 @@
 edges
-| main.go:20:14:20:20 | selection of URL | main.go:20:14:20:28 | call to Query | provenance | Src:MaD:1639 MaD:1700 |
-| main.go:20:14:20:28 | call to Query | main.go:27:22:27:28 | cmdName | provenance | Sink:MaD:1710 |
+| main.go:20:14:20:20 | selection of URL | main.go:20:14:20:28 | call to Query | provenance | Src:MaD:1925 MaD:1986 |
+| main.go:20:14:20:28 | call to Query | main.go:27:22:27:28 | cmdName | provenance | Sink:MaD:1996 |
 nodes
 | main.go:20:14:20:20 | selection of URL | semmle.label | selection of URL |
 | main.go:20:14:20:28 | call to Query | semmle.label | call to Query |
diff --git a/java/test/security/CWE-016/options b/java/test/security/CWE-016/options
index a7b146da..a7b10cd2 100644
--- a/java/test/security/CWE-016/options
+++ b/java/test/security/CWE-016/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x
diff --git a/java/test/security/CWE-022/options b/java/test/security/CWE-022/options
index e3a00f86..aa84e7c9 100644
--- a/java/test/security/CWE-022/options
+++ b/java/test/security/CWE-022/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../stubs/lingala-zip4j-2.11.5:${testdir}/../../stubs/software-amazon-awssdk-crt-0.20.3:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8:${testdir}/../../stubs/reactivestreams-1.0.4:${testdir}/../../../../codeql/java/ql/test/stubs/slf4j-2.0.0
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../stubs/lingala-zip4j-2.11.5:${testdir}/../../stubs/software-amazon-awssdk-crt-0.20.3:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x:${testdir}/../../stubs/reactivestreams-1.0.4:${testdir}/../../../../codeql/java/ql/test/stubs/slf4j-2.0.0
diff --git a/java/test/security/CWE-089/src/main/options b/java/test/security/CWE-089/src/main/options
index 8988d45a..ab1cf4d0 100644
--- a/java/test/security/CWE-089/src/main/options
+++ b/java/test/security/CWE-089/src/main/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../../codeql/java/ql/test/stubs/springframework-5.3.8/:${testdir}/../../../../../../codeql/java/ql/test/stubs/org.mybatis-3.5.4/
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../../codeql/java/ql/test/stubs/springframework-5.8.x/:${testdir}/../../../../../../codeql/java/ql/test/stubs/org.mybatis-3.5.4/
diff --git a/java/test/security/CWE-094/options b/java/test/security/CWE-094/options
index 35ec6a59..15533006 100644
--- a/java/test/security/CWE-094/options
+++ b/java/test/security/CWE-094/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8:${testdir}/../../../../codeql/java/ql/test/stubs/jsr223-api:${testdir}/../../../../codeql/java/ql/test/stubs/scriptengine:${testdir}/../../../../codeql/java/ql/test/stubs/java-ee-el:${testdir}/../../../../codeql/java/ql/test/stubs/juel-2.2:${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/jython-2.7.2:${testdir}/../../stubs/rhino-1.7.13:${testdir}/../../../../codeql/java/ql/test/stubs/bsh-2.0b5:${testdir}/../../stubs/jshell:${testdir}/../../stubs/apache-freemarker-2.3.31:${testdir}/../../stubs/jinjava-2.6.0:${testdir}/../../stubs/pebble-3.1.5:${testdir}/../../stubs/thymeleaf-3.0.14:${testdir}/../../stubs/apache-velocity-2.3
\ No newline at end of file
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x:${testdir}/../../../../codeql/java/ql/test/stubs/jsr223-api:${testdir}/../../../../codeql/java/ql/test/stubs/scriptengine:${testdir}/../../../../codeql/java/ql/test/stubs/java-ee-el:${testdir}/../../../../codeql/java/ql/test/stubs/juel-2.2:${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/jython-2.7.2:${testdir}/../../stubs/rhino-1.7.13:${testdir}/../../../../codeql/java/ql/test/stubs/bsh-2.0b5:${testdir}/../../stubs/jshell:${testdir}/../../stubs/apache-freemarker-2.3.31:${testdir}/../../stubs/jinjava-2.6.0:${testdir}/../../stubs/pebble-3.1.5:${testdir}/../../stubs/thymeleaf-3.0.14:${testdir}/../../stubs/apache-velocity-2.3
\ No newline at end of file
diff --git a/java/test/security/CWE-1004/options b/java/test/security/CWE-1004/options
index 477fd963..3ce9f99d 100644
--- a/java/test/security/CWE-1004/options
+++ b/java/test/security/CWE-1004/options
@@ -1 +1 @@
-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/jsr311-api-1.1.1:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8
\ No newline at end of file
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/jsr311-api-1.1.1:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x
\ No newline at end of file
diff --git a/java/test/security/CWE-200/InsecureWebResourceResponse.expected b/java/test/security/CWE-200/InsecureWebResourceResponse.expected
index 7d140ab3..0b97edbe 100644
--- a/java/test/security/CWE-200/InsecureWebResourceResponse.expected
+++ b/java/test/security/CWE-200/InsecureWebResourceResponse.expected
@@ -29,7 +29,7 @@ edges
 | InsecureWebResourceResponse.java:65:41:65:43 | url : String | InsecureWebResourceResponse.java:65:31:65:44 | parse(...) : Uri | provenance | MaD:2 |
 | InsecureWebResourceResponse.java:66:51:66:84 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:68:71:68:81 | inputStream | provenance | |
 | InsecureWebResourceResponse.java:66:71:66:73 | uri : Uri | InsecureWebResourceResponse.java:66:71:66:83 | getPath(...) : String | provenance | MaD:4 |
-| InsecureWebResourceResponse.java:66:71:66:83 | getPath(...) : String | InsecureWebResourceResponse.java:66:51:66:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:7 |
+| InsecureWebResourceResponse.java:66:71:66:83 | getPath(...) : String | InsecureWebResourceResponse.java:66:51:66:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:6 |
 | InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String | provenance | AdditionalTaintStep |
 | InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String | provenance | AdditionalTaintStep |
 | InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String | provenance | AdditionalTaintStep |
@@ -39,11 +39,10 @@ edges
 | InsecureWebResourceResponse.java:84:77:84:86 | url : String | InsecureWebResourceResponse.java:86:41:86:43 | url : String | provenance | |
 | InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri | InsecureWebResourceResponse.java:88:66:88:68 | uri : Uri | provenance | |
 | InsecureWebResourceResponse.java:86:41:86:43 | url : String | InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri | provenance | MaD:2 |
-| InsecureWebResourceResponse.java:88:42:88:90 | new File(...) : File | InsecureWebResourceResponse.java:89:75:89:83 | cacheFile : File | provenance | |
 | InsecureWebResourceResponse.java:88:66:88:68 | uri : Uri | InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String | provenance | MaD:3 |
-| InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String | InsecureWebResourceResponse.java:88:42:88:90 | new File(...) : File | provenance | MaD:6 |
+| InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String | InsecureWebResourceResponse.java:89:75:89:83 | cacheFile : File | provenance | AdditionalTaintStep |
 | InsecureWebResourceResponse.java:89:55:89:84 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:91:75:91:85 | inputStream | provenance | |
-| InsecureWebResourceResponse.java:89:75:89:83 | cacheFile : File | InsecureWebResourceResponse.java:89:55:89:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:7 |
+| InsecureWebResourceResponse.java:89:75:89:83 | cacheFile : File | InsecureWebResourceResponse.java:89:55:89:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:6 |
 | InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String | provenance | AdditionalTaintStep |
 | InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String | provenance | AdditionalTaintStep |
 | InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String | provenance | AdditionalTaintStep |
@@ -54,11 +53,11 @@ edges
 | InsecureWebResourceResponse.java:112:31:112:44 | parse(...) : Uri | InsecureWebResourceResponse.java:113:35:113:37 | uri : Uri | provenance | |
 | InsecureWebResourceResponse.java:112:41:112:43 | url : String | InsecureWebResourceResponse.java:112:31:112:44 | parse(...) : Uri | provenance | MaD:2 |
 | InsecureWebResourceResponse.java:113:35:113:37 | uri : Uri | InsecureWebResourceResponse.java:113:35:113:47 | getPath(...) : String | provenance | MaD:4 |
-| InsecureWebResourceResponse.java:113:35:113:47 | getPath(...) : String | InsecureWebResourceResponse.java:113:35:113:60 | substring(...) : String | provenance | MaD:8 |
+| InsecureWebResourceResponse.java:113:35:113:47 | getPath(...) : String | InsecureWebResourceResponse.java:113:35:113:60 | substring(...) : String | provenance | MaD:7 |
 | InsecureWebResourceResponse.java:113:35:113:60 | substring(...) : String | InsecureWebResourceResponse.java:115:75:115:78 | path : String | provenance | |
 | InsecureWebResourceResponse.java:115:55:115:108 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:117:75:117:85 | inputStream | provenance | |
-| InsecureWebResourceResponse.java:115:75:115:78 | path : String | InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String | provenance | MaD:8 |
-| InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String | InsecureWebResourceResponse.java:115:55:115:108 | new FileInputStream(...) : FileInputStream | provenance | MaD:7 |
+| InsecureWebResourceResponse.java:115:75:115:78 | path : String | InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String | provenance | MaD:7 |
+| InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String | InsecureWebResourceResponse.java:115:55:115:108 | new FileInputStream(...) : FileInputStream | provenance | MaD:6 |
 | InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String | provenance | AdditionalTaintStep |
 | InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String | provenance | AdditionalTaintStep |
 | InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String | provenance | AdditionalTaintStep |
@@ -86,11 +85,10 @@ edges
 | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest | InsecureWebResourceResponse.java:194:31:194:37 | request : WebResourceRequest | provenance | |
 | InsecureWebResourceResponse.java:194:31:194:37 | request : WebResourceRequest | InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri | provenance | MaD:5 |
 | InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri | InsecureWebResourceResponse.java:196:66:196:68 | uri : Uri | provenance | |
-| InsecureWebResourceResponse.java:196:42:196:90 | new File(...) : File | InsecureWebResourceResponse.java:197:75:197:83 | cacheFile : File | provenance | |
 | InsecureWebResourceResponse.java:196:66:196:68 | uri : Uri | InsecureWebResourceResponse.java:196:66:196:89 | getLastPathSegment(...) : String | provenance | MaD:3 |
-| InsecureWebResourceResponse.java:196:66:196:89 | getLastPathSegment(...) : String | InsecureWebResourceResponse.java:196:42:196:90 | new File(...) : File | provenance | MaD:6 |
+| InsecureWebResourceResponse.java:196:66:196:89 | getLastPathSegment(...) : String | InsecureWebResourceResponse.java:197:75:197:83 | cacheFile : File | provenance | AdditionalTaintStep |
 | InsecureWebResourceResponse.java:197:55:197:84 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:199:75:199:85 | inputStream | provenance | |
-| InsecureWebResourceResponse.java:197:75:197:83 | cacheFile : File | InsecureWebResourceResponse.java:197:55:197:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:7 |
+| InsecureWebResourceResponse.java:197:75:197:83 | cacheFile : File | InsecureWebResourceResponse.java:197:55:197:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:6 |
 | InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String | provenance | AdditionalTaintStep |
 | InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String | provenance | AdditionalTaintStep |
 | InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String | provenance | AdditionalTaintStep |
@@ -107,7 +105,7 @@ edges
 | InsecureWebResourceResponse.java:234:33:234:35 | url : String | InsecureWebResourceResponse.java:234:23:234:36 | parse(...) : Uri | provenance | MaD:2 |
 | InsecureWebResourceResponse.java:235:43:235:76 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:237:63:237:73 | inputStream | provenance | |
 | InsecureWebResourceResponse.java:235:63:235:65 | uri : Uri | InsecureWebResourceResponse.java:235:63:235:75 | getPath(...) : String | provenance | MaD:4 |
-| InsecureWebResourceResponse.java:235:63:235:75 | getPath(...) : String | InsecureWebResourceResponse.java:235:43:235:76 | new FileInputStream(...) : FileInputStream | provenance | MaD:7 |
+| InsecureWebResourceResponse.java:235:63:235:75 | getPath(...) : String | InsecureWebResourceResponse.java:235:43:235:76 | new FileInputStream(...) : FileInputStream | provenance | MaD:6 |
 | InsecureWebViewActivity.java:27:27:27:37 | getIntent(...) : Intent | InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : String | provenance | MaD:1 |
 | InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : String | InsecureWebViewActivity.java:28:20:28:27 | inputUrl : String | provenance | |
 | InsecureWebViewActivity.java:28:20:28:27 | inputUrl : String | InsecureWebViewActivity.java:42:28:42:37 | url : String | provenance | |
@@ -118,16 +116,15 @@ edges
 | InsecureWebViewActivity.java:55:41:55:43 | url : String | InsecureWebViewActivity.java:55:31:55:44 | parse(...) : Uri | provenance | MaD:2 |
 | InsecureWebViewActivity.java:56:51:56:84 | new FileInputStream(...) : FileInputStream | InsecureWebViewActivity.java:58:71:58:81 | inputStream | provenance | |
 | InsecureWebViewActivity.java:56:71:56:73 | uri : Uri | InsecureWebViewActivity.java:56:71:56:83 | getPath(...) : String | provenance | MaD:4 |
-| InsecureWebViewActivity.java:56:71:56:83 | getPath(...) : String | InsecureWebViewActivity.java:56:51:56:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:7 |
+| InsecureWebViewActivity.java:56:71:56:83 | getPath(...) : String | InsecureWebViewActivity.java:56:51:56:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:6 |
 models
 | 1 | Summary: android.content; Intent; true; getStringExtra; (String); ; Argument[this].SyntheticField[android.content.Intent.extras].MapValue; ReturnValue; value; manual |
 | 2 | Summary: android.net; Uri; false; parse; ; ; Argument[0]; ReturnValue; taint; manual |
 | 3 | Summary: android.net; Uri; true; getLastPathSegment; ; ; Argument[this]; ReturnValue; taint; manual |
 | 4 | Summary: android.net; Uri; true; getPath; ; ; Argument[this]; ReturnValue; taint; manual |
 | 5 | Summary: android.webkit; WebResourceRequest; false; getUrl; ; ; Argument[this]; ReturnValue; taint; manual |
-| 6 | Summary: java.io; File; false; File; ; ; Argument[1]; Argument[this]; taint; manual |
-| 7 | Summary: java.io; FileInputStream; true; FileInputStream; ; ; Argument[0]; Argument[this]; taint; manual |
-| 8 | Summary: java.lang; String; false; substring; ; ; Argument[this]; ReturnValue; taint; manual |
+| 6 | Summary: java.io; FileInputStream; true; FileInputStream; ; ; Argument[0]; Argument[this]; taint; manual |
+| 7 | Summary: java.lang; String; false; substring; ; ; Argument[this]; ReturnValue; taint; manual |
 nodes
 | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
 | InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String |
@@ -152,7 +149,6 @@ nodes
 | InsecureWebResourceResponse.java:84:77:84:86 | url : String | semmle.label | url : String |
 | InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri | semmle.label | parse(...) : Uri |
 | InsecureWebResourceResponse.java:86:41:86:43 | url : String | semmle.label | url : String |
-| InsecureWebResourceResponse.java:88:42:88:90 | new File(...) : File | semmle.label | new File(...) : File |
 | InsecureWebResourceResponse.java:88:66:88:68 | uri : Uri | semmle.label | uri : Uri |
 | InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String | semmle.label | getLastPathSegment(...) : String |
 | InsecureWebResourceResponse.java:89:55:89:84 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream |
@@ -181,7 +177,6 @@ nodes
 | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest | semmle.label | request : WebResourceRequest |
 | InsecureWebResourceResponse.java:194:31:194:37 | request : WebResourceRequest | semmle.label | request : WebResourceRequest |
 | InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri | semmle.label | getUrl(...) : Uri |
-| InsecureWebResourceResponse.java:196:42:196:90 | new File(...) : File | semmle.label | new File(...) : File |
 | InsecureWebResourceResponse.java:196:66:196:68 | uri : Uri | semmle.label | uri : Uri |
 | InsecureWebResourceResponse.java:196:66:196:89 | getLastPathSegment(...) : String | semmle.label | getLastPathSegment(...) : String |
 | InsecureWebResourceResponse.java:197:55:197:84 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream |
diff --git a/java/test/security/CWE-348/options b/java/test/security/CWE-348/options
index a2b281ca..2bae3903 100644
--- a/java/test/security/CWE-348/options
+++ b/java/test/security/CWE-348/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8/:${testdir}/../../../../codeql/java/ql/test/stubs/apache-commons-lang3-3.7/
\ No newline at end of file
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x/:${testdir}/../../../../codeql/java/ql/test/stubs/apache-commons-lang3-3.7/
\ No newline at end of file
diff --git a/java/test/security/CWE-352/options b/java/test/security/CWE-352/options
index 3adf1e81..bdd3b318 100644
--- a/java/test/security/CWE-352/options
+++ b/java/test/security/CWE-352/options
@@ -1 +1 @@
- //semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/apache-http-4.4.13/:${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/fastjson-1.2.74/:${testdir}/../../../../codeql/java/ql/test/stubs/gson-2.8.6/:${testdir}/../../../../codeql/java/ql/test/stubs/jackson-databind-2.12/:${testdir}/../../../../codeql/java/ql/test/stubs/jackson-core-2.12:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8/
+ //semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/apache-http-4.4.13/:${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/fastjson-1.2.74/:${testdir}/../../../../codeql/java/ql/test/stubs/gson-2.8.6/:${testdir}/../../../../codeql/java/ql/test/stubs/jackson-databind-2.12/:${testdir}/../../../../codeql/java/ql/test/stubs/jackson-core-2.12:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x/
diff --git a/java/test/security/CWE-470/options b/java/test/security/CWE-470/options
index 6c74a861..aadf4605 100644
--- a/java/test/security/CWE-470/options
+++ b/java/test/security/CWE-470/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8/:${testdir}/../../../../codeql/java/ql/test/stubs/google-android-9.0.0
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x/:${testdir}/../../../../codeql/java/ql/test/stubs/google-android-9.0.0
diff --git a/java/test/security/CWE-502/options b/java/test/security/CWE-502/options
index 8b0f023a..7f996cec 100644
--- a/java/test/security/CWE-502/options
+++ b/java/test/security/CWE-502/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8
\ No newline at end of file
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x
\ No newline at end of file
diff --git a/java/test/security/CWE-601/options b/java/test/security/CWE-601/options
index 9dc2f824..f0e9dd09 100644
--- a/java/test/security/CWE-601/options
+++ b/java/test/security/CWE-601/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8/
\ No newline at end of file
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x/
\ No newline at end of file
diff --git a/java/test/security/CWE-625/options b/java/test/security/CWE-625/options
index 1cd16d11..2f13ddd8 100644
--- a/java/test/security/CWE-625/options
+++ b/java/test/security/CWE-625/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x
diff --git a/java/test/security/CWE-652/options b/java/test/security/CWE-652/options
index 7819ef1e..72717907 100644
--- a/java/test/security/CWE-652/options
+++ b/java/test/security/CWE-652/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/apache-http-4.4.13/:${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/saxon-xqj-9.x/:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8/
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/apache-http-4.4.13/:${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/saxon-xqj-9.x/:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x/
diff --git a/javascript/test/security/CWE-079/XSSReact.expected b/javascript/test/security/CWE-079/XSSReact.expected
index 51d8beb5..adafef39 100644
--- a/javascript/test/security/CWE-079/XSSReact.expected
+++ b/javascript/test/security/CWE-079/XSSReact.expected
@@ -1,25 +1,18 @@
-nodes
-| app.jsx:12:11:12:27 | [query, setQuery] |
-| app.jsx:12:11:16:6 | query |
-| app.jsx:12:12:12:16 | query |
-| app.jsx:12:31:16:6 | useQuer ... \\n }) |
-| app.jsx:12:31:16:6 | useQuer ... \\n }) |
-| app.jsx:17:11:17:45 | { x: nu ... lters } |
-| app.jsx:17:11:17:53 | searchQuery |
-| app.jsx:17:21:17:34 | q: searchQuery |
-| app.jsx:17:49:17:53 | query |
-| app.jsx:26:52:26:62 | searchQuery |
-| app.jsx:26:52:26:62 | searchQuery |
 edges
-| app.jsx:12:11:12:27 | [query, setQuery] | app.jsx:12:12:12:16 | query |
-| app.jsx:12:11:16:6 | query | app.jsx:17:49:17:53 | query |
-| app.jsx:12:12:12:16 | query | app.jsx:12:11:16:6 | query |
-| app.jsx:12:31:16:6 | useQuer ... \\n }) | app.jsx:12:11:12:27 | [query, setQuery] |
-| app.jsx:12:31:16:6 | useQuer ... \\n }) | app.jsx:12:11:12:27 | [query, setQuery] |
-| app.jsx:17:11:17:45 | { x: nu ... lters } | app.jsx:17:21:17:34 | q: searchQuery |
-| app.jsx:17:11:17:53 | searchQuery | app.jsx:26:52:26:62 | searchQuery |
-| app.jsx:17:11:17:53 | searchQuery | app.jsx:26:52:26:62 | searchQuery |
-| app.jsx:17:21:17:34 | q: searchQuery | app.jsx:17:11:17:53 | searchQuery |
-| app.jsx:17:49:17:53 | query | app.jsx:17:11:17:45 | { x: nu ... lters } |
+| app.jsx:12:11:12:27 | [query, setQuery] | app.jsx:12:11:16:6 | query | provenance | |
+| app.jsx:12:11:16:6 | query | app.jsx:17:49:17:53 | query | provenance | |
+| app.jsx:12:31:16:6 | useQuer ... \\n }) | app.jsx:12:11:12:27 | [query, setQuery] | provenance | |
+| app.jsx:17:11:17:45 | { x: nu ... lters } | app.jsx:17:11:17:53 | searchQuery | provenance | |
+| app.jsx:17:11:17:53 | searchQuery | app.jsx:26:52:26:62 | searchQuery | provenance | |
+| app.jsx:17:49:17:53 | query | app.jsx:17:11:17:45 | { x: nu ... lters } | provenance | |
+nodes
+| app.jsx:12:11:12:27 | [query, setQuery] | semmle.label | [query, setQuery] |
+| app.jsx:12:11:16:6 | query | semmle.label | query |
+| app.jsx:12:31:16:6 | useQuer ... \\n }) | semmle.label | useQuer ... \\n }) |
+| app.jsx:17:11:17:45 | { x: nu ... lters } | semmle.label | { x: nu ... lters } |
+| app.jsx:17:11:17:53 | searchQuery | semmle.label | searchQuery |
+| app.jsx:17:49:17:53 | query | semmle.label | query |
+| app.jsx:26:52:26:62 | searchQuery | semmle.label | searchQuery |
+subpaths
 #select
 | app.jsx:26:52:26:62 | searchQuery | app.jsx:12:31:16:6 | useQuer ... \\n }) | app.jsx:26:52:26:62 | searchQuery | Cross-site scripting vulnerability due to $@. | app.jsx:12:31:16:6 | useQuer ... \\n }) | user-provided value |
diff --git a/javascript/test/security/CWE-329/InsecureIV.expected b/javascript/test/security/CWE-329/InsecureIV.expected
index 7499ec4e..5cc47dd3 100644
--- a/javascript/test/security/CWE-329/InsecureIV.expected
+++ b/javascript/test/security/CWE-329/InsecureIV.expected
@@ -1,76 +1,22 @@
-nodes
-| examples/secure_iv.js:11:7:11:14 | randomIV |
-| examples/secure_iv.js:11:7:11:44 | randomIV |
-| examples/secure_iv.js:11:7:11:44 | randomIV |
-| examples/secure_iv.js:11:18:11:44 | crypto. ... eysize) |
-| examples/secure_iv.js:11:18:11:44 | crypto. ... eysize) |
-| examples/secure_iv.js:13:63:13:62 | randomIV |
-| examples/secure_iv.js:14:54:14:61 | randomIV |
-| examples/secure_iv.js:14:54:14:61 | randomIV |
-| examples/secure_iv_tainted.js:11:7:11:14 | randomIV |
-| examples/secure_iv_tainted.js:11:7:11:76 | randomIV |
-| examples/secure_iv_tainted.js:11:7:11:76 | randomIV |
-| examples/secure_iv_tainted.js:11:7:11:76 | randomIV |
-| examples/secure_iv_tainted.js:11:18:11:39 | crypto. ... tes(32) |
-| examples/secure_iv_tainted.js:11:18:11:39 | crypto. ... tes(32) |
-| examples/secure_iv_tainted.js:11:18:11:48 | crypto. ... oString |
-| examples/secure_iv_tainted.js:11:18:11:48 | crypto. ... oString |
-| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') |
-| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') |
-| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') |
-| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') |
-| examples/secure_iv_tainted.js:11:18:11:64 | crypto. ... ).slice |
-| examples/secure_iv_tainted.js:11:18:11:64 | crypto. ... ).slice |
-| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) |
-| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) |
-| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) |
-| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) |
-| examples/secure_iv_tainted.js:13:63:13:62 | randomIV |
-| examples/secure_iv_tainted.js:14:54:14:61 | randomIV |
-| examples/secure_iv_tainted.js:14:54:14:61 | randomIV |
-| examples/secure_iv_tainted.js:14:54:14:61 | randomIV |
-| examples/secure_iv_tainted.js:14:54:14:61 | randomIV |
-| examples/static_iv.js:11:7:11:34 | fixedIV |
-| examples/static_iv.js:11:17:11:34 | "0123456789abcdef" |
-| examples/static_iv.js:11:17:11:34 | "0123456789abcdef" |
-| examples/static_iv.js:14:54:14:60 | fixedIV |
-| examples/static_iv.js:14:54:14:60 | fixedIV |
 edges
-| examples/secure_iv.js:11:7:11:44 | randomIV | examples/secure_iv.js:11:7:11:14 | randomIV |
-| examples/secure_iv.js:11:7:11:44 | randomIV | examples/secure_iv.js:13:63:13:62 | randomIV |
-| examples/secure_iv.js:11:7:11:44 | randomIV | examples/secure_iv.js:14:54:14:61 | randomIV |
-| examples/secure_iv.js:11:7:11:44 | randomIV | examples/secure_iv.js:14:54:14:61 | randomIV |
-| examples/secure_iv.js:11:18:11:44 | crypto. ... eysize) | examples/secure_iv.js:11:7:11:44 | randomIV |
-| examples/secure_iv.js:11:18:11:44 | crypto. ... eysize) | examples/secure_iv.js:11:7:11:44 | randomIV |
-| examples/secure_iv.js:11:18:11:44 | crypto. ... eysize) | examples/secure_iv.js:11:7:11:44 | randomIV |
-| examples/secure_iv.js:11:18:11:44 | crypto. ... eysize) | examples/secure_iv.js:11:7:11:44 | randomIV |
-| examples/secure_iv_tainted.js:11:7:11:76 | randomIV | examples/secure_iv_tainted.js:11:7:11:14 | randomIV |
-| examples/secure_iv_tainted.js:11:7:11:76 | randomIV | examples/secure_iv_tainted.js:13:63:13:62 | randomIV |
-| examples/secure_iv_tainted.js:11:7:11:76 | randomIV | examples/secure_iv_tainted.js:14:54:14:61 | randomIV |
-| examples/secure_iv_tainted.js:11:7:11:76 | randomIV | examples/secure_iv_tainted.js:14:54:14:61 | randomIV |
-| examples/secure_iv_tainted.js:11:7:11:76 | randomIV | examples/secure_iv_tainted.js:14:54:14:61 | randomIV |
-| examples/secure_iv_tainted.js:11:7:11:76 | randomIV | examples/secure_iv_tainted.js:14:54:14:61 | randomIV |
-| examples/secure_iv_tainted.js:11:18:11:39 | crypto. ... tes(32) | examples/secure_iv_tainted.js:11:18:11:48 | crypto. ... oString |
-| examples/secure_iv_tainted.js:11:18:11:39 | crypto. ... tes(32) | examples/secure_iv_tainted.js:11:18:11:48 | crypto. ... oString |
-| examples/secure_iv_tainted.js:11:18:11:39 | crypto. ... tes(32) | examples/secure_iv_tainted.js:11:18:11:48 | crypto. ... oString |
-| examples/secure_iv_tainted.js:11:18:11:39 | crypto. ... tes(32) | examples/secure_iv_tainted.js:11:18:11:48 | crypto. ... oString |
-| examples/secure_iv_tainted.js:11:18:11:39 | crypto. ... tes(32) | examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') |
-| examples/secure_iv_tainted.js:11:18:11:39 | crypto. ... tes(32) | examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') |
-| examples/secure_iv_tainted.js:11:18:11:39 | crypto. ... tes(32) | examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') |
-| examples/secure_iv_tainted.js:11:18:11:39 | crypto. ... tes(32) | examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') |
-| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') | examples/secure_iv_tainted.js:11:18:11:64 | crypto. ... ).slice |
-| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') | examples/secure_iv_tainted.js:11:18:11:64 | crypto. ... ).slice |
-| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') | examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) |
-| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') | examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) |
-| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') | examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) |
-| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') | examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) |
-| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) | examples/secure_iv_tainted.js:11:7:11:76 | randomIV |
-| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) | examples/secure_iv_tainted.js:11:7:11:76 | randomIV |
-| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) | examples/secure_iv_tainted.js:11:7:11:76 | randomIV |
-| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) | examples/secure_iv_tainted.js:11:7:11:76 | randomIV |
-| examples/static_iv.js:11:7:11:34 | fixedIV | examples/static_iv.js:14:54:14:60 | fixedIV |
-| examples/static_iv.js:11:7:11:34 | fixedIV | examples/static_iv.js:14:54:14:60 | fixedIV |
-| examples/static_iv.js:11:17:11:34 | "0123456789abcdef" | examples/static_iv.js:11:7:11:34 | fixedIV |
-| examples/static_iv.js:11:17:11:34 | "0123456789abcdef" | examples/static_iv.js:11:7:11:34 | fixedIV |
+| examples/secure_iv_tainted.js:11:7:11:76 | randomIV | examples/secure_iv_tainted.js:14:54:14:61 | randomIV | provenance | |
+| examples/secure_iv_tainted.js:11:7:11:76 | randomIV [ArrayElement] | examples/secure_iv_tainted.js:14:54:14:61 | randomIV | provenance | |
+| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') | examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) | provenance | |
+| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') | examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) [ArrayElement] | provenance | |
+| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) | examples/secure_iv_tainted.js:11:7:11:76 | randomIV | provenance | |
+| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) [ArrayElement] | examples/secure_iv_tainted.js:11:7:11:76 | randomIV [ArrayElement] | provenance | |
+| examples/static_iv.js:11:7:11:34 | fixedIV | examples/static_iv.js:14:54:14:60 | fixedIV | provenance | |
+| examples/static_iv.js:11:17:11:34 | "0123456789abcdef" | examples/static_iv.js:11:7:11:34 | fixedIV | provenance | |
+nodes
+| examples/secure_iv_tainted.js:11:7:11:76 | randomIV | semmle.label | randomIV |
+| examples/secure_iv_tainted.js:11:7:11:76 | randomIV [ArrayElement] | semmle.label | randomIV [ArrayElement] |
+| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') | semmle.label | crypto. ... ase64') |
+| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) | semmle.label | crypto. ... eysize) |
+| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) [ArrayElement] | semmle.label | crypto. ... eysize) [ArrayElement] |
+| examples/secure_iv_tainted.js:14:54:14:61 | randomIV | semmle.label | randomIV |
+| examples/static_iv.js:11:7:11:34 | fixedIV | semmle.label | fixedIV |
+| examples/static_iv.js:11:17:11:34 | "0123456789abcdef" | semmle.label | "0123456789abcdef" |
+| examples/static_iv.js:14:54:14:60 | fixedIV | semmle.label | fixedIV |
+subpaths
 #select
 | examples/static_iv.js:14:54:14:60 | fixedIV | examples/static_iv.js:11:17:11:34 | "0123456789abcdef" | examples/static_iv.js:14:54:14:60 | fixedIV | Insecure Initialization Vector (IV) used for cryptographic function. With a few exceptions, it is best to use a secure random source for IVs. |