diff --git a/ql/lib/codeql/bicep/Frameworks.qll b/ql/lib/codeql/bicep/Frameworks.qll
index eef3ac9..d15354c 100644
--- a/ql/lib/codeql/bicep/Frameworks.qll
+++ b/ql/lib/codeql/bicep/Frameworks.qll
@@ -4,6 +4,7 @@ import frameworks.Microsoft.Containers
 import frameworks.Microsoft.Dashboards
 import frameworks.Microsoft.General
 import frameworks.Microsoft.AKS
+import frameworks.Microsoft.Authorization
 import frameworks.Microsoft.Profiles
 import frameworks.Microsoft.Network
 import frameworks.Microsoft.Storage
diff --git a/ql/lib/codeql/bicep/frameworks/Microsoft/Authorization.qll b/ql/lib/codeql/bicep/frameworks/Microsoft/Authorization.qll
new file mode 100644
index 0000000..441340b
--- /dev/null
+++ b/ql/lib/codeql/bicep/frameworks/Microsoft/Authorization.qll
@@ -0,0 +1,196 @@
+/**
+ * Authorization resource framework for Microsoft.Authorization resources in Bicep.
+ *
+ * Provides classes for working with Azure role assignments and other authorization resources.
+ *
+ * Classes:
+ * - RoleAssignmentResource: Represents Microsoft.Authorization/roleAssignments resources.
+ * - RoleAssignmentProperties: Properties object for role assignments.
+ */
+
+private import bicep
+private import codeql.bicep.frameworks.Microsoft.General
+
+module Authorization {
+ private import RoleAssignmentProperties
+
+ /**
+ * Represents a Microsoft.Authorization/roleAssignments resource in a Bicep file.
+ * See: https://learn.microsoft.com/en-us/azure/templates/microsoft.authorization/roleassignments
+ */
+ class RoleAssignmentResource extends AzureResource {
+ /**
+ * Constructs a RoleAssignmentResource for Microsoft.Authorization/roleAssignments resources.
+ */
+ RoleAssignmentResource() {
+ this.getResourceType().regexpMatch("^Microsoft.Authorization/roleAssignments@.*")
+ }
+
+ /**
+ * Returns the properties object for the role assignment resource.
+ */
+ Properties getProperties() { result = this.getProperty("properties") }
+
+ /**
+ * Returns the scope property of the role assignment.
+ * This can be a reference to a subscription, resource group, or specific resource.
+ */
+ Expr getScope() { result = this.getProperty("scope") }
+
+ /**
+ * Returns the name property of the role assignment (typically a GUID).
+ */
+ override string getName() {
+ exists(StringLiteral name |
+ name = this.getProperty("name") and
+ result = name.getValue()
+ )
+ }
+
+ /**
+ * Gets the role definition ID from the properties.
+ * This identifies which Azure built-in or custom role is being assigned.
+ * It may be a direct string literal or extracted from a function call.
+ */
+ string getRoleDefinitionId() {
+ result = this.getProperties().getRoleDefinitionId()
+ }
+
+ /**
+ * Gets the principal ID from the properties.
+ * This identifies the user, group, or service principal receiving the role assignment.
+ */
+ string getPrincipalId() { result = this.getProperties().getPrincipalId() }
+
+ /**
+ * Gets the principal type from the properties.
+ * This indicates whether the principal is a User, Group, or ServicePrincipal.
+ */
+ string getPrincipalType() { result = this.getProperties().getPrincipalType() }
+
+ /**
+ * Determines if this is a subscription-scoped role assignment.
+ */
+ predicate isSubscriptionScoped() {
+ exists(CallExpression call |
+ call = this.getScope() and
+ call.getName() = "subscription"
+ )
+ }
+
+ /**
+ * Determines if this is a resource group-scoped role assignment.
+ */
+ predicate isResourceGroupScoped() {
+ exists(CallExpression call |
+ call = this.getScope() and
+ call.getName() = "resourceGroup"
+ )
+ }
+
+ /**
+ * Determines if this role assignment has a broad scope (subscription or resource group).
+ */
+ predicate hasBroadScope() {
+ this.isSubscriptionScoped() or this.isResourceGroupScoped()
+ }
+
+ /**
+ * Determines if this role assignment grants a powerful built-in role.
+ * Checks for common powerful roles like Owner and Contributor.
+ */
+ predicate grantsPrivilegedRole() {
+ exists(string roleId | roleId = this.getRoleDefinitionId() |
+ // Owner role
+ roleId = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635" or
+ // Contributor role
+ roleId = "b24988ac-6180-42a0-ab88-20f7382dd24c" or
+ // User Access Administrator role
+ roleId = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
+ )
+ }
+
+ /**
+ * Determines if this role assignment is overly permissive.
+ * This checks for privileged roles assigned at broad scopes.
+ */
+ predicate isOverlyPermissive() {
+ this.hasBroadScope() and this.grantsPrivilegedRole()
+ }
+ }
+
+ /**
+ * Module containing property classes for role assignment resources.
+ */
+ private module RoleAssignmentProperties {
+ /**
+ * Represents the properties object of a role assignment resource.
+ */
+ class Properties extends ResourceProperties {
+ private RoleAssignmentResource parent;
+
+ /**
+ * Constructor for the Properties class.
+ */
+ Properties() { this = parent.getProperty("properties") }
+
+ /**
+ * Gets the role definition ID property.
+ */
+ Expr getRoleDefinitionIdProperty() { result = this.getProperty("roleDefinitionId") }
+
+ /**
+ * Returns the role definition ID as a string.
+ * This handles both direct string literals and subscriptionResourceId function calls.
+ */
+ string getRoleDefinitionId() {
+ // Direct string literal
+ result = this.getRoleDefinitionIdProperty().(StringLiteral).getValue()
+ or
+ // Extract from subscriptionResourceId function call
+ exists(CallExpression call |
+ call = this.getRoleDefinitionIdProperty() and
+ call.getName() = "subscriptionResourceId" and
+ result = call.getArgument(1).(StringLiteral).getValue()
+ )
+ }
+
+ /**
+ * Determines if the role definition ID property exists.
+ */
+ predicate hasRoleDefinitionId() { exists(this.getRoleDefinitionIdProperty()) }
+
+ /**
+ * Gets the principal ID property.
+ */
+ Expr getPrincipalIdProperty() { result = this.getProperty("principalId") }
+
+ /**
+ * Returns the principal ID as a string.
+ */
+ string getPrincipalId() { result = this.getPrincipalIdProperty().(StringLiteral).getValue() }
+
+ /**
+ * Determines if the principal ID property exists.
+ */
+ predicate hasPrincipalId() { exists(this.getPrincipalIdProperty()) }
+
+ /**
+ * Gets the principal type property.
+ */
+ Expr getPrincipalTypeProperty() { result = this.getProperty("principalType") }
+
+ /**
+ * Returns the principal type as a string.
+ */
+ string getPrincipalType() { result = this.getPrincipalTypeProperty().(StringLiteral).getValue() }
+
+ /**
+ * Determines if the principal type property exists.
+ */
+ predicate hasPrincipalType() { exists(this.getPrincipalTypeProperty()) }
+
+ override string toString() { result = "RoleAssignmentProperties" }
+ }
+ }
+}
\ No newline at end of file
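Review bot: `isSubscriptionScoped()` and `isResourceGroupScoped()` only match when the `scope` property is an explicit `subscription()` or `resourceGroup()` call, so a `roleAssignments` resource that omits `scope` — which, if I read Bicep's extension-resource semantics correctly, is deployed at the template's target scope (resource group by default) — never satisfies `hasBroadScope()`, and `isOverlyPermissive()` misses what is probably the most common form of the pattern. Consider treating an absent `scope` as deployment-scoped, e.g. adding `or not exists(this.getScope())` to `isResourceGroupScoped()` (refined by the file's `targetScope` declaration if the library exposes it), and documenting that choice in the QLDoc of `getScope()`. Relatedly, `grantsPrivilegedRole()` compares the value of `getRoleDefinitionId()` for exact equality with bare lowercase GUIDs, so a literal full resource-ID path ending in the GUID, an upper-case GUID, or a `resourceId(...)`/`tenantResourceId(...)`/`extensionResourceId(...)` call is never recognised; `roleId.toLowerCase().matches("%8e3af657-a8ff-443c-a75c-2fe8c4bcb635")` (and likewise for the other two) would cover the first two cases, and the comment on `getRoleDefinitionId()` should state which call forms are and are not handled. The overridden `getName()` likewise only yields a result for a string literal, so the usual `name: guid(...)` form gives it no value; if callers rely on it, document that or fall back to the expression's text.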
diff --git a/ql/lib/codeql/bicep/security/OverlyPermissiveAccessControl.qll b/ql/lib/codeql/bicep/security/OverlyPermissiveAccessControl.qll
new file mode 100644
index 0000000..08bbfe1
--- /dev/null
+++ b/ql/lib/codeql/bicep/security/OverlyPermissiveAccessControl.qll
@@ -0,0 +1,56 @@
+/**
+ * Security library for detecting overly permissive access control in Bicep templates.
+ *
+ * This module provides classes and predicates to identify role assignments that grant
+ * excessive privileges, particularly broad roles assigned at large scopes.
+ */
+
+private import bicep
+private import codeql.bicep.frameworks.Microsoft.Authorization
+
+module OverlyPermissiveAccessControl {
+ /**
+ * Predicate to identify role assignments with overly broad scope.
+ */
+ predicate hasOverlyBroadScope(Authorization::RoleAssignmentResource roleAssignment) {
+ roleAssignment.hasBroadScope()
+ }
+
+ /**
+ * Predicate to identify role assignments with privileged roles.
+ */
+ predicate grantsPrivilegedRole(Authorization::RoleAssignmentResource roleAssignment) {
+ roleAssignment.grantsPrivilegedRole()
+ }
+
+ /**
+ * Predicate to identify role assignments that are overly permissive.
+ */
+ predicate isOverlyPermissive(Authorization::RoleAssignmentResource roleAssignment) {
+ roleAssignment.isOverlyPermissive()
+ }
+
+ /**
+ * Gets a description of why a role assignment is overly permissive.
+ */
+ string getPermissiveDescription(Authorization::RoleAssignmentResource roleAssignment) {
+ exists(string role, string scope |
+ (
+ roleAssignment.getRoleDefinitionId() = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635" and
+ role = "Owner"
+ or
+ roleAssignment.getRoleDefinitionId() = "b24988ac-6180-42a0-ab88-20f7382dd24c" and
+ role = "Contributor"
+ or
+ roleAssignment.getRoleDefinitionId() = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" and
+ role = "User Access Administrator"
+ ) and
+ (
+ roleAssignment.isSubscriptionScoped() and scope = "subscription"
+ or
+ roleAssignment.isResourceGroupScoped() and scope = "resource group"
+ ) and
+ result = role + " role assigned at " + scope + " scope"
+ )
+ }
+}
\ No newline at end of file
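Review bot: `getPermissiveDescription` re-lists the three role GUIDs that `Authorization::RoleAssignmentResource.grantsPrivilegedRole()` already hard-codes, so the two tables will drift apart as soon as one is extended — a role added only in the framework would satisfy `isOverlyPermissive()` yet give this predicate no result, and a query whose `select` message uses that string would then drop the alert. Consider moving the GUID-to-name mapping into the framework as a single `string getPrivilegedRoleName()` member on `RoleAssignmentResource`, defining `grantsPrivilegedRole()` as `exists(this.getPrivilegedRoleName())`, and binding `role = roleAssignment.getPrivilegedRoleName()` here. The three wrappers above it (`hasOverlyBroadScope`, `grantsPrivilegedRole`, `isOverlyPermissive`) add no logic over the member predicates; either say so in their QLDoc (`Query-facing alias for RoleAssignmentResource.hasBroadScope().`) or let queries call the members directly. The scope branch also yields no description for an assignment that omits `scope` entirely, which the framework's scope predicates currently treat as not broad, so the two files should agree on that case once it is decided.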
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/codeql-database.yml b/ql/src/security/CWE-284/CWE-284.testproj/codeql-database.yml
new file mode 100644
index 0000000..c372528
--- /dev/null
+++ b/ql/src/security/CWE-284/CWE-284.testproj/codeql-database.yml
@@ -0,0 +1,12 @@
+---
+sourceLocationPrefix: /home/runner/work/codeql-extractor-bicep/codeql-extractor-bicep/ql/src/security/CWE-284
+baselineLinesOfCode: 0
+unicodeNewlines: false
+columnKind: utf8
+primaryLanguage: bicep
+creationMetadata:
+ cliVersion: 2.23.0
+ creationTime: 2025-09-08T16:23:27.847657834Z
+finalised: true
+overlayBaseDatabase: false
+overlayDatabase: false
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/bicep.dbscheme b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/bicep.dbscheme
new file mode 100644
index 0000000..97c2a04
--- /dev/null
+++ b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/bicep.dbscheme
@@ -0,0 +1,676 @@ +// CodeQL database schema for BICEP +// Automatically generated from the tree-sitter grammar; do not edit + +/*- Files and folders -*/ + +/** + * The location of an element. + * The location spans column `startcolumn` of line `startline` to + * column `endcolumn` of line `endline` in file `file`. + * For more information, see + * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). + */ +locations_default( + unique int id: @location_default, + int file: @file ref, + int beginLine: int ref, + int beginColumn: int ref, + int endLine: int ref, + int endColumn: int ref +); + +files( + unique int id: @file, + string name: string ref +); + +folders( + unique int id: @folder, + string name: string ref +); + +@container = @file | @folder + +containerparent( + int parent: @container ref, + unique int child: @container ref +); + +/*- Empty location -*/ + +empty_location( + int location: @location_default ref +); + +/*- Source location prefix -*/ + +/** + * The source location of the snapshot. 
+ */ +sourceLocationPrefix(string prefix : string ref); + +/*- Diagnostic messages -*/ + +diagnostics( + unique int id: @diagnostic, + int severity: int ref, + string error_tag: string ref, + string error_message: string ref, + string full_error_message: string ref, + int location: @location_default ref +); + +/*- Diagnostic messages: severity -*/ + +case @diagnostic.severity of + 10 = @diagnostic_debug +| 20 = @diagnostic_info +| 30 = @diagnostic_warning +| 40 = @diagnostic_error +; + +/*- YAML -*/ + +#keyset[parent, idx] +yaml (unique int id: @yaml_node, + int kind: int ref, + int parent: @yaml_node_parent ref, + int idx: int ref, + string tag: string ref, + string tostring: string ref); + +case @yaml_node.kind of + 0 = @yaml_scalar_node +| 1 = @yaml_mapping_node +| 2 = @yaml_sequence_node +| 3 = @yaml_alias_node +; + +@yaml_collection_node = @yaml_mapping_node | @yaml_sequence_node; + +@yaml_node_parent = @yaml_collection_node | @file; + +yaml_anchors (unique int node: @yaml_node ref, + string anchor: string ref); + +yaml_aliases (unique int alias: @yaml_alias_node ref, + string target: string ref); + +yaml_scalars (unique int scalar: @yaml_scalar_node ref, + int style: int ref, + string value: string ref); + +yaml_errors (unique int id: @yaml_error, + string message: string ref); + +yaml_locations(unique int locatable: @yaml_locatable ref, + int location: @location_default ref); + +@yaml_locatable = @yaml_node | @yaml_error; + +/*- BICEP dbscheme -*/ +@bicep_underscore_declaration = @bicep_assert_statement | @bicep_metadata_declaration | @bicep_module_declaration | @bicep_output_declaration | @bicep_parameter_declaration | @bicep_resource_declaration | @bicep_test_block | @bicep_type_declaration | @bicep_user_defined_function | @bicep_variable_declaration + +@bicep_underscore_expression = @bicep_assignment_expression | @bicep_binary_expression | @bicep_lambda_expression | @bicep_ternary_expression | @bicep_unary_expression | @bicep_underscore_primary_expression 
+ +@bicep_underscore_primary_expression = @bicep_array | @bicep_call_expression | @bicep_for_statement | @bicep_member_expression | @bicep_object | @bicep_parenthesized_expression | @bicep_resource_expression | @bicep_string__ | @bicep_subscript_expression | @bicep_token_boolean | @bicep_token_identifier | @bicep_token_null | @bicep_token_number + +@bicep_underscore_statement = @bicep_decorators | @bicep_import_functionality | @bicep_import_statement | @bicep_import_with_statement | @bicep_target_scope_assignment | @bicep_underscore_declaration | @bicep_using_statement + +#keyset[bicep_arguments, index] +bicep_arguments_child( + int bicep_arguments: @bicep_arguments ref, + int index: int ref, + unique int child: @bicep_underscore_expression ref +); + +bicep_arguments_def( + unique int id: @bicep_arguments +); + +@bicep_array_child_type = @bicep_decorators | @bicep_underscore_expression + +#keyset[bicep_array, index] +bicep_array_child( + int bicep_array: @bicep_array ref, + int index: int ref, + unique int child: @bicep_array_child_type ref +); + +bicep_array_def( + unique int id: @bicep_array +); + +bicep_array_type_def( + unique int id: @bicep_array_type, + int child: @bicep_type__ ref +); + +bicep_assert_statement_def( + unique int id: @bicep_assert_statement, + int name: @bicep_token_identifier ref, + int child: @bicep_underscore_expression ref +); + +@bicep_assignment_expression_left_type = @bicep_member_expression | @bicep_parenthesized_expression | @bicep_resource_expression | @bicep_subscript_expression | @bicep_token_identifier + +bicep_assignment_expression_def( + unique int id: @bicep_assignment_expression, + int left: @bicep_assignment_expression_left_type ref, + int right: @bicep_underscore_expression ref +); + +case @bicep_binary_expression.operator of + 0 = @bicep_binary_expression_bangequal +| 1 = @bicep_binary_expression_bangtilde +| 2 = @bicep_binary_expression_percent +| 3 = @bicep_binary_expression_ampersandampersand +| 4 = 
@bicep_binary_expression_star +| 5 = @bicep_binary_expression_plus +| 6 = @bicep_binary_expression_minus +| 7 = @bicep_binary_expression_slash +| 8 = @bicep_binary_expression_langle +| 9 = @bicep_binary_expression_langleequal +| 10 = @bicep_binary_expression_equalequal +| 11 = @bicep_binary_expression_equaltilde +| 12 = @bicep_binary_expression_rangle +| 13 = @bicep_binary_expression_rangleequal +| 14 = @bicep_binary_expression_questionquestion +| 15 = @bicep_binary_expression_pipe +| 16 = @bicep_binary_expression_pipepipe +; + + +bicep_binary_expression_def( + unique int id: @bicep_binary_expression, + int left: @bicep_underscore_expression ref, + int operator: int ref, + int right: @bicep_underscore_expression ref +); + +bicep_call_expression_child( + unique int bicep_call_expression: @bicep_call_expression ref, + unique int child: @bicep_token_nullable_return_type ref +); + +bicep_call_expression_def( + unique int id: @bicep_call_expression, + int arguments: @bicep_arguments ref, + int function: @bicep_underscore_expression ref +); + +bicep_compatible_identifier_def( + unique int id: @bicep_compatible_identifier, + int child: @bicep_token_identifier ref +); + +bicep_decorator_def( + unique int id: @bicep_decorator, + int child: @bicep_call_expression ref +); + +#keyset[bicep_decorators, index] +bicep_decorators_child( + int bicep_decorators: @bicep_decorators ref, + int index: int ref, + unique int child: @bicep_decorator ref +); + +bicep_decorators_def( + unique int id: @bicep_decorators +); + +@bicep_for_loop_parameters_child_type = @bicep_token_loop_enumerator | @bicep_token_loop_variable + +#keyset[bicep_for_loop_parameters, index] +bicep_for_loop_parameters_child( + int bicep_for_loop_parameters: @bicep_for_loop_parameters ref, + int index: int ref, + unique int child: @bicep_for_loop_parameters_child_type ref +); + +bicep_for_loop_parameters_def( + unique int id: @bicep_for_loop_parameters +); + +@bicep_for_statement_body_type = @bicep_if_statement | 
@bicep_underscore_expression + +bicep_for_statement_initializer( + unique int bicep_for_statement: @bicep_for_statement ref, + unique int initializer: @bicep_token_identifier ref +); + +@bicep_for_statement_child_type = @bicep_for_loop_parameters | @bicep_underscore_expression + +#keyset[bicep_for_statement, index] +bicep_for_statement_child( + int bicep_for_statement: @bicep_for_statement ref, + int index: int ref, + unique int child: @bicep_for_statement_child_type ref +); + +bicep_for_statement_def( + unique int id: @bicep_for_statement, + int body: @bicep_for_statement_body_type ref +); + +@bicep_if_statement_child_type = @bicep_object | @bicep_parenthesized_expression + +#keyset[bicep_if_statement, index] +bicep_if_statement_child( + int bicep_if_statement: @bicep_if_statement ref, + int index: int ref, + unique int child: @bicep_if_statement_child_type ref +); + +bicep_if_statement_def( + unique int id: @bicep_if_statement +); + +@bicep_import_functionality_child_type = @bicep_string__ | @bicep_token_identifier + +#keyset[bicep_import_functionality, index] +bicep_import_functionality_child( + int bicep_import_functionality: @bicep_import_functionality ref, + int index: int ref, + unique int child: @bicep_import_functionality_child_type ref +); + +bicep_import_functionality_def( + unique int id: @bicep_import_functionality +); + +@bicep_import_statement_child_type = @bicep_string__ | @bicep_token_identifier + +#keyset[bicep_import_statement, index] +bicep_import_statement_child( + int bicep_import_statement: @bicep_import_statement ref, + int index: int ref, + unique int child: @bicep_import_statement_child_type ref +); + +bicep_import_statement_def( + unique int id: @bicep_import_statement +); + +@bicep_import_with_statement_child_type = @bicep_string__ | @bicep_token_identifier | @bicep_underscore_expression + +#keyset[bicep_import_with_statement, index] +bicep_import_with_statement_child( + int bicep_import_with_statement: @bicep_import_with_statement ref, 
+ int index: int ref, + unique int child: @bicep_import_with_statement_child_type ref +); + +bicep_import_with_statement_def( + unique int id: @bicep_import_with_statement +); + +#keyset[bicep_infrastructure, index] +bicep_infrastructure_child( + int bicep_infrastructure: @bicep_infrastructure ref, + int index: int ref, + unique int child: @bicep_underscore_statement ref +); + +bicep_infrastructure_def( + unique int id: @bicep_infrastructure +); + +bicep_interpolation_def( + unique int id: @bicep_interpolation, + int child: @bicep_underscore_expression ref +); + +#keyset[bicep_lambda_expression, index] +bicep_lambda_expression_child( + int bicep_lambda_expression: @bicep_lambda_expression ref, + int index: int ref, + unique int child: @bicep_underscore_expression ref +); + +bicep_lambda_expression_def( + unique int id: @bicep_lambda_expression +); + +@bicep_member_expression_object_type = @bicep_parameterized_type | @bicep_underscore_expression + +bicep_member_expression_def( + unique int id: @bicep_member_expression, + int object: @bicep_member_expression_object_type ref, + int property: @bicep_token_property_identifier ref +); + +@bicep_metadata_declaration_child_type = @bicep_token_identifier | @bicep_underscore_expression + +#keyset[bicep_metadata_declaration, index] +bicep_metadata_declaration_child( + int bicep_metadata_declaration: @bicep_metadata_declaration ref, + int index: int ref, + unique int child: @bicep_metadata_declaration_child_type ref +); + +bicep_metadata_declaration_def( + unique int id: @bicep_metadata_declaration +); + +@bicep_module_declaration_child_type = @bicep_for_statement | @bicep_if_statement | @bicep_object | @bicep_string__ | @bicep_token_identifier + +#keyset[bicep_module_declaration, index] +bicep_module_declaration_child( + int bicep_module_declaration: @bicep_module_declaration ref, + int index: int ref, + unique int child: @bicep_module_declaration_child_type ref +); + +bicep_module_declaration_def( + unique int id: 
@bicep_module_declaration +); + +bicep_negated_type_def( + unique int id: @bicep_negated_type, + int child: @bicep_type__ ref +); + +@bicep_nullable_type_child_type = @bicep_array_type | @bicep_parenthesized_type | @bicep_token_primitive_type | @bicep_underscore_expression + +bicep_nullable_type_def( + unique int id: @bicep_nullable_type, + int child: @bicep_nullable_type_child_type ref +); + +@bicep_object_child_type = @bicep_decorators | @bicep_object_property + +#keyset[bicep_object, index] +bicep_object_child( + int bicep_object: @bicep_object ref, + int index: int ref, + unique int child: @bicep_object_child_type ref +); + +bicep_object_def( + unique int id: @bicep_object +); + +@bicep_object_property_child_type = @bicep_array_type | @bicep_compatible_identifier | @bicep_nullable_type | @bicep_parameterized_type | @bicep_resource_declaration | @bicep_string__ | @bicep_token_identifier | @bicep_token_primitive_type | @bicep_underscore_expression | @bicep_union_type + +#keyset[bicep_object_property, index] +bicep_object_property_child( + int bicep_object_property: @bicep_object_property ref, + int index: int ref, + unique int child: @bicep_object_property_child_type ref +); + +bicep_object_property_def( + unique int id: @bicep_object_property +); + +@bicep_output_declaration_child_type = @bicep_token_identifier | @bicep_type__ | @bicep_underscore_expression + +#keyset[bicep_output_declaration, index] +bicep_output_declaration_child( + int bicep_output_declaration: @bicep_output_declaration ref, + int index: int ref, + unique int child: @bicep_output_declaration_child_type ref +); + +bicep_output_declaration_def( + unique int id: @bicep_output_declaration +); + +@bicep_parameter_child_type = @bicep_token_identifier | @bicep_type__ + +#keyset[bicep_parameter, index] +bicep_parameter_child( + int bicep_parameter: @bicep_parameter ref, + int index: int ref, + unique int child: @bicep_parameter_child_type ref +); + +bicep_parameter_def( + unique int id: 
@bicep_parameter +); + +@bicep_parameter_declaration_child_type = @bicep_token_identifier | @bicep_type__ | @bicep_underscore_expression + +#keyset[bicep_parameter_declaration, index] +bicep_parameter_declaration_child( + int bicep_parameter_declaration: @bicep_parameter_declaration ref, + int index: int ref, + unique int child: @bicep_parameter_declaration_child_type ref +); + +bicep_parameter_declaration_def( + unique int id: @bicep_parameter_declaration +); + +@bicep_parameterized_type_child_type = @bicep_token_identifier | @bicep_type_arguments + +#keyset[bicep_parameterized_type, index] +bicep_parameterized_type_child( + int bicep_parameterized_type: @bicep_parameterized_type ref, + int index: int ref, + unique int child: @bicep_parameterized_type_child_type ref +); + +bicep_parameterized_type_def( + unique int id: @bicep_parameterized_type +); + +#keyset[bicep_parameters, index] +bicep_parameters_child( + int bicep_parameters: @bicep_parameters ref, + int index: int ref, + unique int child: @bicep_parameter ref +); + +bicep_parameters_def( + unique int id: @bicep_parameters +); + +#keyset[bicep_parenthesized_expression, index] +bicep_parenthesized_expression_child( + int bicep_parenthesized_expression: @bicep_parenthesized_expression ref, + int index: int ref, + unique int child: @bicep_underscore_expression ref +); + +bicep_parenthesized_expression_def( + unique int id: @bicep_parenthesized_expression +); + +bicep_parenthesized_type_def( + unique int id: @bicep_parenthesized_type, + int child: @bicep_type__ ref +); + +@bicep_resource_declaration_child_type = @bicep_for_statement | @bicep_if_statement | @bicep_object | @bicep_string__ | @bicep_token_identifier + +#keyset[bicep_resource_declaration, index] +bicep_resource_declaration_child( + int bicep_resource_declaration: @bicep_resource_declaration ref, + int index: int ref, + unique int child: @bicep_resource_declaration_child_type ref +); + +bicep_resource_declaration_def( + unique int id: 
@bicep_resource_declaration +); + +bicep_resource_expression_def( + unique int id: @bicep_resource_expression, + int object: @bicep_underscore_expression ref, + int resource: @bicep_token_identifier ref +); + +@bicep_string_child_type = @bicep_interpolation | @bicep_token_escape_sequence | @bicep_token_string_content + +#keyset[bicep_string__, index] +bicep_string_child( + int bicep_string__: @bicep_string__ ref, + int index: int ref, + unique int child: @bicep_string_child_type ref +); + +bicep_string_def( + unique int id: @bicep_string__ +); + +bicep_subscript_expression_def( + unique int id: @bicep_subscript_expression, + int index: @bicep_underscore_expression ref, + int object: @bicep_underscore_expression ref +); + +bicep_target_scope_assignment_def( + unique int id: @bicep_target_scope_assignment, + int child: @bicep_string__ ref +); + +bicep_ternary_expression_def( + unique int id: @bicep_ternary_expression, + int alternative: @bicep_underscore_expression ref, + int condition: @bicep_underscore_expression ref, + int consequence: @bicep_underscore_expression ref +); + +@bicep_test_block_child_type = @bicep_object | @bicep_string__ | @bicep_token_identifier + +#keyset[bicep_test_block, index] +bicep_test_block_child( + int bicep_test_block: @bicep_test_block ref, + int index: int ref, + unique int child: @bicep_test_block_child_type ref +); + +bicep_test_block_def( + unique int id: @bicep_test_block +); + +@bicep_type_child_type = @bicep_array_type | @bicep_member_expression | @bicep_negated_type | @bicep_nullable_type | @bicep_object | @bicep_parameterized_type | @bicep_parenthesized_type | @bicep_string__ | @bicep_token_boolean | @bicep_token_identifier | @bicep_token_null | @bicep_token_number | @bicep_token_primitive_type | @bicep_union_type + +bicep_type_def( + unique int id: @bicep_type__, + int child: @bicep_type_child_type ref +); + +#keyset[bicep_type_arguments, index] +bicep_type_arguments_child( + int bicep_type_arguments: @bicep_type_arguments 
ref, + int index: int ref, + unique int child: @bicep_string__ ref +); + +bicep_type_arguments_def( + unique int id: @bicep_type_arguments +); + +@bicep_type_declaration_child_type = @bicep_array_type | @bicep_nullable_type | @bicep_parameterized_type | @bicep_token_identifier | @bicep_underscore_expression | @bicep_union_type + +#keyset[bicep_type_declaration, index] +bicep_type_declaration_child( + int bicep_type_declaration: @bicep_type_declaration ref, + int index: int ref, + unique int child: @bicep_type_declaration_child_type ref +); + +bicep_type_declaration_def( + unique int id: @bicep_type_declaration +); + +case @bicep_unary_expression.operator of + 0 = @bicep_unary_expression_bang +| 1 = @bicep_unary_expression_minus +; + + +bicep_unary_expression_def( + unique int id: @bicep_unary_expression, + int argument: @bicep_underscore_expression ref, + int operator: int ref +); + +@bicep_union_type_child_type = @bicep_array_type | @bicep_member_expression | @bicep_negated_type | @bicep_nullable_type | @bicep_object | @bicep_parameterized_type | @bicep_parenthesized_type | @bicep_string__ | @bicep_token_boolean | @bicep_token_identifier | @bicep_token_null | @bicep_token_number | @bicep_token_primitive_type | @bicep_underscore_expression + +#keyset[bicep_union_type, index] +bicep_union_type_child( + int bicep_union_type: @bicep_union_type ref, + int index: int ref, + unique int child: @bicep_union_type_child_type ref +); + +bicep_union_type_def( + unique int id: @bicep_union_type +); + +@bicep_user_defined_function_child_type = @bicep_parameters | @bicep_underscore_expression + +#keyset[bicep_user_defined_function, index] +bicep_user_defined_function_child( + int bicep_user_defined_function: @bicep_user_defined_function ref, + int index: int ref, + unique int child: @bicep_user_defined_function_child_type ref +); + +bicep_user_defined_function_def( + unique int id: @bicep_user_defined_function, + int name: @bicep_token_identifier ref, + int returns: @bicep_type__ 
ref +); + +bicep_using_statement_def( + unique int id: @bicep_using_statement, + int child: @bicep_string__ ref +); + +@bicep_variable_declaration_child_type = @bicep_token_identifier | @bicep_underscore_expression + +#keyset[bicep_variable_declaration, index] +bicep_variable_declaration_child( + int bicep_variable_declaration: @bicep_variable_declaration ref, + int index: int ref, + unique int child: @bicep_variable_declaration_child_type ref +); + +bicep_variable_declaration_def( + unique int id: @bicep_variable_declaration +); + +bicep_tokeninfo( + unique int id: @bicep_token, + int kind: int ref, + string value: string ref +); + +case @bicep_token.kind of + 0 = @bicep_reserved_word +| 1 = @bicep_token_boolean +| 2 = @bicep_token_comment +| 3 = @bicep_token_diagnostic_comment +| 4 = @bicep_token_escape_sequence +| 5 = @bicep_token_identifier +| 6 = @bicep_token_loop_enumerator +| 7 = @bicep_token_loop_variable +| 8 = @bicep_token_null +| 9 = @bicep_token_nullable_return_type +| 10 = @bicep_token_number +| 11 = @bicep_token_primitive_type +| 12 = @bicep_token_property_identifier +| 13 = @bicep_token_string_content +; + + +@bicep_ast_node = @bicep_arguments | @bicep_array | @bicep_array_type | @bicep_assert_statement | @bicep_assignment_expression | @bicep_binary_expression | @bicep_call_expression | @bicep_compatible_identifier | @bicep_decorator | @bicep_decorators | @bicep_for_loop_parameters | @bicep_for_statement | @bicep_if_statement | @bicep_import_functionality | @bicep_import_statement | @bicep_import_with_statement | @bicep_infrastructure | @bicep_interpolation | @bicep_lambda_expression | @bicep_member_expression | @bicep_metadata_declaration | @bicep_module_declaration | @bicep_negated_type | @bicep_nullable_type | @bicep_object | @bicep_object_property | @bicep_output_declaration | @bicep_parameter | @bicep_parameter_declaration | @bicep_parameterized_type | @bicep_parameters | @bicep_parenthesized_expression | @bicep_parenthesized_type | 
@bicep_resource_declaration | @bicep_resource_expression | @bicep_string__ | @bicep_subscript_expression | @bicep_target_scope_assignment | @bicep_ternary_expression | @bicep_test_block | @bicep_token | @bicep_type__ | @bicep_type_arguments | @bicep_type_declaration | @bicep_unary_expression | @bicep_union_type | @bicep_user_defined_function | @bicep_using_statement | @bicep_variable_declaration + +bicep_ast_node_location( + unique int node: @bicep_ast_node ref, + int loc: @location_default ref +); + +#keyset[parent, parent_index] +bicep_ast_node_parent( + unique int node: @bicep_ast_node ref, + int parent: @bicep_ast_node ref, + int parent_index: int ref +); + diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/bicep.dbscheme.stats b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/bicep.dbscheme.stats new file mode 100644 index 0000000..a9aacbc --- /dev/null +++ b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/bicep.dbscheme.stats @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/.lock b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/.lock new file mode 100644 index 0000000..e69de29 diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/buckets/info b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/buckets/info new file mode 100644 index 0000000..0111728 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/buckets/info differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/buckets/page-000000 b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/buckets/page-000000 new file mode 100644 index 0000000..6d17cf9 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/buckets/page-000000 differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/ids1/info b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/ids1/info new file mode 100644 index 0000000..799471f Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/ids1/info differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/ids1/page-000000 b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/ids1/page-000000 new file mode 100644 index 0000000..6d17cf9 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/ids1/page-000000 differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/indices1/info b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/indices1/info new file mode 100644 index 0000000..799471f Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/indices1/info differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/indices1/page-000000 b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/indices1/page-000000 new file mode 100644 index 0000000..6d17cf9 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/indices1/page-000000 differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/info b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/info new file mode 100644 index 0000000..9c1ea6c Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/info differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/metadata/info b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/metadata/info new file mode 100644 index 0000000..9cdb710 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/metadata/info differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/metadata/page-000000 b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/metadata/page-000000 new file mode 100644 index 0000000..6d17cf9 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/metadata/page-000000 differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/pageDump/page-000000000 b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/pageDump/page-000000000 new file mode 100644 index 0000000..7bccaeb Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/0/pageDump/page-000000000 differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/poolInfo b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/poolInfo new file mode 100644 index 0000000..d14fdc5 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/pools/poolInfo differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/tuple-pool/header b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/tuple-pool/header new file mode 100644 index 0000000..3b6fc84 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/cached-strings/tuple-pool/header differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/02.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/02.pack new file mode 100644 index 0000000..dc5fdc2 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/02.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/0e.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/0e.pack new file mode 100644 index 0000000..942dacc Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/0e.pack differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/11.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/11.pack new file mode 100644 index 0000000..cd8f35b Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/11.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/16.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/16.pack new file mode 100644 index 0000000..3d8cf8a Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/16.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/17.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/17.pack new file mode 100644 index 0000000..4113bfc Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/17.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/1f.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/1f.pack new file mode 100644 index 0000000..e5781a6 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/1f.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/21.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/21.pack new file mode 100644 index 0000000..56529a0 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/21.pack differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/24.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/24.pack new file mode 100644 index 0000000..b98e048 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/24.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/25.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/25.pack new file mode 100644 index 0000000..503f2f9 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/25.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/2c.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/2c.pack new file mode 100644 index 0000000..8df4696 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/2c.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/30.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/30.pack new file mode 100644 index 0000000..f4c99f0 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/30.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/32.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/32.pack new file mode 100644 index 0000000..14b8d8e Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/32.pack differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/40.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/40.pack new file mode 100644 index 0000000..89f6446 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/40.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/42.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/42.pack new file mode 100644 index 0000000..83bf22b Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/42.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/44.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/44.pack new file mode 100644 index 0000000..5d1b3e3 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/44.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/50.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/50.pack new file mode 100644 index 0000000..b1e5c64 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/50.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/5b.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/5b.pack new file mode 100644 index 0000000..710ddec Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/5b.pack differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/5c.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/5c.pack new file mode 100644 index 0000000..9618eb1 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/5c.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/5f.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/5f.pack new file mode 100644 index 0000000..dc6c01c Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/5f.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/64.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/64.pack new file mode 100644 index 0000000..bcb7edc Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/64.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/67.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/67.pack new file mode 100644 index 0000000..c10a823 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/67.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/6a.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/6a.pack new file mode 100644 index 0000000..ad5876e Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/6a.pack differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/6c.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/6c.pack new file mode 100644 index 0000000..3ba1607 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/6c.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/6d.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/6d.pack new file mode 100644 index 0000000..59de872 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/6d.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/6e.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/6e.pack new file mode 100644 index 0000000..f95600e Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/6e.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/73.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/73.pack new file mode 100644 index 0000000..d769fbc Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/73.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/78.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/78.pack new file mode 100644 index 0000000..f33d7b4 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/78.pack differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/7c.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/7c.pack new file mode 100644 index 0000000..c731c97 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/7c.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/82.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/82.pack new file mode 100644 index 0000000..b232549 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/82.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/83.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/83.pack new file mode 100644 index 0000000..bb4c5bb Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/83.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/86.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/86.pack new file mode 100644 index 0000000..ffaef4e Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/86.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/87.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/87.pack new file mode 100644 index 0000000..041b6ce Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/87.pack differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/89.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/89.pack new file mode 100644 index 0000000..4f324a9 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/89.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/90.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/90.pack new file mode 100644 index 0000000..c9ec7d6 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/90.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/93.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/93.pack new file mode 100644 index 0000000..2bba57f Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/93.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/99.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/99.pack new file mode 100644 index 0000000..cf0ca68 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/99.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/9d.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/9d.pack new file mode 100644 index 0000000..a978db7 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/9d.pack differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/ac.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/ac.pack new file mode 100644 index 0000000..36d2004 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/ac.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/af.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/af.pack new file mode 100644 index 0000000..02dcab6 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/af.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/b1.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/b1.pack new file mode 100644 index 0000000..c2bf3ed Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/b1.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/b3.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/b3.pack new file mode 100644 index 0000000..001b742 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/b3.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/b5.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/b5.pack new file mode 100644 index 0000000..6232972 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/b5.pack differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/b6.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/b6.pack new file mode 100644 index 0000000..96e163c Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/b6.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/b8.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/b8.pack new file mode 100644 index 0000000..f3b690c Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/b8.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/b9.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/b9.pack new file mode 100644 index 0000000..7d3ae6f Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/b9.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/c3.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/c3.pack new file mode 100644 index 0000000..95b421e Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/c3.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/c4.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/c4.pack new file mode 100644 index 0000000..065546a Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/c4.pack differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/c7.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/c7.pack new file mode 100644 index 0000000..fdcdfe9 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/c7.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/c8.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/c8.pack new file mode 100644 index 0000000..af75a53 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/c8.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/cb.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/cb.pack new file mode 100644 index 0000000..496583a Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/cb.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/d1.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/d1.pack new file mode 100644 index 0000000..76b4707 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/d1.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/d2.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/d2.pack new file mode 100644 index 0000000..e29cb01 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/d2.pack differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/d8.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/d8.pack new file mode 100644 index 0000000..4038a7c Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/d8.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/dc.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/dc.pack new file mode 100644 index 0000000..f6131b2 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/dc.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/df.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/df.pack new file mode 100644 index 0000000..4cce895 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/df.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/e3.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/e3.pack new file mode 100644 index 0000000..535ddb3 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/e3.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/e5.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/e5.pack new file mode 100644 index 0000000..d62b38a Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/e5.pack differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/e7.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/e7.pack new file mode 100644 index 0000000..3776240 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/e7.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/ec.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/ec.pack new file mode 100644 index 0000000..20b1b40 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/ec.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/ed.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/ed.pack new file mode 100644 index 0000000..4f6c275 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/ed.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/ee.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/ee.pack new file mode 100644 index 0000000..db81391 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/ee.pack differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/f0.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/f0.pack new file mode 100644 index 0000000..ad6bbff Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/f0.pack differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/f4.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/f4.pack
new file mode 100644
index 0000000..969eea8
Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/f4.pack differ
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/f5.pack b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/f5.pack
new file mode 100644
index 0000000..ad18520
Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/predicates/f5.pack differ
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/version b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/version
new file mode 100644
index 0000000..d28dfa0
--- /dev/null
+++ b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/cache/version
@@ -0,0 +1 @@
+20190805:20220702:20240828:20241116
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/idPool/buckets/info b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/idPool/buckets/info
new file mode 100644
index 0000000..0111728
Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/idPool/buckets/info differ
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/idPool/buckets/page-000000 b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/idPool/buckets/page-000000
new file mode 100644
index 0000000..6d17cf9
Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/idPool/buckets/page-000000 differ
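Review bot: The `default/cache/version` file added here, together with the empty `default/cache/.lock`, the `cache/predicates/*.pack` blobs and the `idPool/`/`pools/` pages added around it, is the on-disk state of an already-built CodeQL database rather than test source, and checking it in pins the `CWE-284.testproj` to what looks like one engine/cache version stamp (`20190805:20220702:20240828:20241116`) while leaving dozens of opaque binaries in history that nobody can review for content. I would keep only the Bicep fixture and whatever `.qlref`/`.expected` files the query test uses under `CWE-284/`, let `codeql test run` rebuild `CWE-284.testproj/` on each run, and add a line such as `**/*.testproj/` to the repository's `.gitignore` so the cache, lock file and id pools never land in a commit again. If shipping a prebuilt database is deliberate, note that the `bicep.dbscheme.stats` added earlier in this diff appears to contain only whitespace, so it is worth confirming the database was fully finalised before it was captured.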
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/idPool/info b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/idPool/info new file mode 100644 index 0000000..049942f Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/idPool/info differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/idPool/metadata/info b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/idPool/metadata/info new file mode 100644 index 0000000..9cdb710 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/idPool/metadata/info differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/idPool/metadata/page-000000 b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/idPool/metadata/page-000000 new file mode 100644 index 0000000..6d17cf9 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/idPool/metadata/page-000000 differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/idPool/pageDump/page-000000000 b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/idPool/pageDump/page-000000000 new file mode 100644 index 0000000..7bccaeb Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/idPool/pageDump/page-000000000 differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/0/buckets/info b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/0/buckets/info new file mode 100644 index 0000000..75aaa88 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/0/buckets/info differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/0/buckets/page-000000 b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/0/buckets/page-000000 new file mode 100644 index 0000000..35bd8a0 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/0/buckets/page-000000 differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/0/info b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/0/info new file mode 100644 index 0000000..1556e22 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/0/info differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/0/metadata/info b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/0/metadata/info new file mode 100644 index 0000000..9255144 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/0/metadata/info differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/0/metadata/page-000000 b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/0/metadata/page-000000 new file mode 100644 index 0000000..5b16817 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/0/metadata/page-000000 differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/0/pageDump/page-000000000 b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/0/pageDump/page-000000000 new file mode 100644 index 0000000..64fec74 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/0/pageDump/page-000000000 differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/buckets/info b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/buckets/info new file mode 100644 index 0000000..0111728 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/buckets/info differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/buckets/page-000000 b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/buckets/page-000000 new file mode 100644 index 0000000..6d17cf9 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/buckets/page-000000 differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/ids1/info b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/ids1/info new file mode 100644 index 0000000..799471f Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/ids1/info differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/ids1/page-000000 b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/ids1/page-000000 new file mode 100644 index 0000000..6d17cf9 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/ids1/page-000000 differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/indices1/info b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/indices1/info new file mode 100644 index 0000000..799471f Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/indices1/info differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/indices1/page-000000 b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/indices1/page-000000 new file mode 100644 index 0000000..6d17cf9 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/indices1/page-000000 differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/info b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/info new file mode 100644 index 0000000..3ab9aa1 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/info differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/metadata/info b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/metadata/info new file mode 100644 index 0000000..9cdb710 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/metadata/info differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/metadata/page-000000 b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/metadata/page-000000 new file mode 100644 index 0000000..6d17cf9 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/metadata/page-000000 differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/pageDump/page-000000000 b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/pageDump/page-000000000 new file mode 100644 index 0000000..7bccaeb Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/1/pageDump/page-000000000 differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/max-id#Dynamic-New-Entities b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/max-id#Dynamic-New-Entities new file mode 100644 index 0000000..c415bff Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/max-id#Dynamic-New-Entities differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/poolInfo b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/poolInfo new file mode 100644 index 0000000..da09a0c Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/poolInfo differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/tuples#Dynamic-New-Entities b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/tuples#Dynamic-New-Entities new file mode 100644 index 0000000..98318f4 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/pools/tuples#Dynamic-New-Entities differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/sourceLocationPrefix.rel b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/sourceLocationPrefix.rel new file mode 100644 index 0000000..8cbaa63 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/sourceLocationPrefix.rel differ diff --git a/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/sourceLocationPrefix.rel.meta b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/sourceLocationPrefix.rel.meta new file mode 100644 index 0000000..8b07ef8 Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/db-bicep/default/sourceLocationPrefix.rel.meta differ 
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/diagnostic/cli-diagnostics-add-20250908T162327.814Z.json b/ql/src/security/CWE-284/CWE-284.testproj/diagnostic/cli-diagnostics-add-20250908T162327.814Z.json
new file mode 100644
index 0000000..e28e717
--- /dev/null
+++ b/ql/src/security/CWE-284/CWE-284.testproj/diagnostic/cli-diagnostics-add-20250908T162327.814Z.json
@@ -0,0 +1 @@
+{"timestamp":"2025-09-08T16:23:27.81278798Z","source":{"id":"cli/platform","name":"Platform"},"markdownMessage":"On the Linux (amd64; 6.11.0-1018-azure) platform.","visibility":{"cliSummaryTable":false,"statusPage":false,"telemetry":true},"attributes":{"name":"Linux","arch":"amd64","version":"6.11.0-1018-azure"}}
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/diagnostic/cli-diagnostics-add-20250908T162328.730Z.json b/ql/src/security/CWE-284/CWE-284.testproj/diagnostic/cli-diagnostics-add-20250908T162328.730Z.json
new file mode 100644
index 0000000..e69de29
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/diagnostic/cli-diagnostics-add-20250908T162329.605Z.json b/ql/src/security/CWE-284/CWE-284.testproj/diagnostic/cli-diagnostics-add-20250908T162329.605Z.json
new file mode 100644
index 0000000..e69de29
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/log/database-index-files-20250908.162328.607.log b/ql/src/security/CWE-284/CWE-284.testproj/log/database-index-files-20250908.162328.607.log
new file mode 100644
index 0000000..a3e3ae3
--- /dev/null
+++ b/ql/src/security/CWE-284/CWE-284.testproj/log/database-index-files-20250908.162328.607.log
@@ -0,0 +1,10 @@
+[2025-09-08 16:23:28] This is codeql database index-files --prune=**/*.testproj --include-extension=.bicep --size-limit=5m --language=bicep --working-dir=. /home/runner/work/codeql-extractor-bicep/codeql-extractor-bicep/ql/src/security/CWE-284/CWE-284.testproj
+[2025-09-08 16:23:28] Log file was started late.
+[2025-09-08 16:23:28] Using index-files script /home/runner/work/codeql-extractor-bicep/codeql-extractor-bicep/extractor-pack/tools/index-files.sh.
+[2025-09-08 16:23:28] [PROGRESS] database index-files> Scanning for files in /home/runner/work/codeql-extractor-bicep/codeql-extractor-bicep/ql/src/security/CWE-284...
+[2025-09-08 16:23:28] Calling plumbing command: codeql resolve files --include-extension=.bicep --prune=**/*.testproj --size-limit=5m /home/runner/work/codeql-extractor-bicep/codeql-extractor-bicep/ql/src/security/CWE-284 --format=json
+[2025-09-08 16:23:28] [PROGRESS] resolve files> Scanning /home/runner/work/codeql-extractor-bicep/codeql-extractor-bicep/ql/src/security/CWE-284...
+[2025-09-08 16:23:28] Plumbing command codeql resolve files completed:
+ [ ]
+[2025-09-08 16:23:28] [DETAILS] database index-files> Found 0 files.
+[2025-09-08 16:23:28] Terminating normally.
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/log/database-index-files-20250908.162329.478.log b/ql/src/security/CWE-284/CWE-284.testproj/log/database-index-files-20250908.162329.478.log
new file mode 100644
index 0000000..8d0ddfa
--- /dev/null
+++ b/ql/src/security/CWE-284/CWE-284.testproj/log/database-index-files-20250908.162329.478.log
@@ -0,0 +1,10 @@
+[2025-09-08 16:23:29] This is codeql database index-files --prune=**/*.testproj --include-extension=.yml --include-extension=.yaml --include-extension=.json --size-limit=5m --language=yaml --working-dir=. /home/runner/work/codeql-extractor-bicep/codeql-extractor-bicep/ql/src/security/CWE-284/CWE-284.testproj
+[2025-09-08 16:23:29] Log file was started late.
+[2025-09-08 16:23:29] Using index-files script /home/runner/.local/share/gh/extensions/gh-codeql/dist/release/v2.23.0/yaml/tools/index-files.sh.
+[2025-09-08 16:23:29] [PROGRESS] database index-files> Scanning for files in /home/runner/work/codeql-extractor-bicep/codeql-extractor-bicep/ql/src/security/CWE-284...
+[2025-09-08 16:23:29] Calling plumbing command: codeql resolve files --include-extension=.yml --include-extension=.yaml --include-extension=.json --prune=**/*.testproj --size-limit=5m /home/runner/work/codeql-extractor-bicep/codeql-extractor-bicep/ql/src/security/CWE-284 --format=json
+[2025-09-08 16:23:29] [PROGRESS] resolve files> Scanning /home/runner/work/codeql-extractor-bicep/codeql-extractor-bicep/ql/src/security/CWE-284...
+[2025-09-08 16:23:29] Plumbing command codeql resolve files completed:
+ [ ]
+[2025-09-08 16:23:29] [DETAILS] database index-files> Found 0 files.
+[2025-09-08 16:23:29] Terminating normally.
diff --git a/ql/src/security/CWE-284/CWE-284.testproj/trap/bicep/metadata.trap.gz b/ql/src/security/CWE-284/CWE-284.testproj/trap/bicep/metadata.trap.gz
new file mode 100644
index 0000000..aa08829
Binary files /dev/null and b/ql/src/security/CWE-284/CWE-284.testproj/trap/bicep/metadata.trap.gz differ
diff --git a/ql/src/security/CWE-284/OverlyPermissiveRoleAssignment.actual b/ql/src/security/CWE-284/OverlyPermissiveRoleAssignment.actual
new file mode 100644
index 0000000..e69de29
diff --git a/ql/src/security/CWE-284/OverlyPermissiveRoleAssignment.md b/ql/src/security/CWE-284/OverlyPermissiveRoleAssignment.md
new file mode 100644
index 0000000..1c8db87
--- /dev/null
+++ b/ql/src/security/CWE-284/OverlyPermissiveRoleAssignment.md 
@@ -0,0 +1,143 @@ +# Overly Permissive Role Assignment + +## Description + +This query identifies Azure role assignments in Bicep templates that grant excessive privileges by assigning privileged roles (Owner, Contributor, User Access Administrator) at broad scopes (subscription or resource group level). Such assignments violate the principle of least privilege and can lead to security risks. + +## Query Logic + +The query works by: + +1. **Identifying Role Assignment Resources**: Finds all `Microsoft.Authorization/roleAssignments` resources in the Bicep template +2. **Checking Role Privileges**: Determines if the assigned role is a privileged built-in role: + - Owner (`8e3af657-a8ff-443c-a75c-2fe8c4bcb635`) + - Contributor (`b24988ac-6180-42a0-ab88-20f7382dd24c`) + - User Access Administrator (`18d7d88d-d35e-4fb5-a5c3-7773c20a72d9`) +3. **Analyzing Scope**: Checks if the role assignment scope is broad: + - Subscription-level scope (using `subscription()` function) + - Resource group-level scope (using `resourceGroup()` function) +4. 
**Flagging Issues**: Reports role assignments that combine privileged roles with broad scopes + +## Insecure Code Examples + +### Contributor Role at Subscription Scope +```bicep +// INSECURE: Broad "Contributor" at subscription scope +resource subRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(subscription().id, spObjectId, 'contributor-assignment') + scope: subscription() + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor + principalId: spObjectId + principalType: 'ServicePrincipal' + } +} +``` + +### Owner Role at Resource Group Scope +```bicep +// INSECURE: Owner role at resource group level +resource rgOwnerRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(resourceGroup().id, userObjectId, 'owner-assignment') + scope: resourceGroup() + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') // Owner + principalId: userObjectId + principalType: 'User' + } +} +``` + +## Secure Coding Recommendations + +### 1. Use Least-Privilege Built-in Roles +Instead of broad roles like Contributor, use specific roles that grant only the necessary permissions: + +```bicep +// SECURE: Specific role for storage operations +resource scopedRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(stg.id, spObjectId, 'storage-blob-reader') + scope: stg + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe') // Storage Blob Data Reader + principalId: spObjectId + principalType: 'ServicePrincipal' + } +} +``` + +### 2. 
Narrow the Scope to Specific Resources +Assign roles at the resource level rather than subscription or resource group level: + +```bicep +// SECURE: Role assignment scoped to specific storage account +resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' = { + name: 'app${uniqueString(resourceGroup().id)}' + location: resourceGroup().location + // ... other properties +} + +resource scopedRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(storageAccount.id, spObjectId, roleDefinitionId) + scope: storageAccount // Scoped to specific resource + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId) + principalId: spObjectId + principalType: 'ServicePrincipal' + } +} +``` + +### 3. Use Parameter Constraints +When role assignment is parameterized, restrict the allowed roles using the `@allowed` decorator: + +```bicep +@allowed([ + 'ba92f5b4-2d11-453d-a403-e96b0029c9fe', // Storage Blob Data Reader + '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' // Storage Blob Data Contributor +]) +@description('Role definition ID to assign (restricted to approved least-privilege roles)') +param roleDefinitionId string +``` + +### 4. 
Create Custom Roles for Specific Use Cases +Define custom roles with exactly the permissions needed: + +```bicep +resource customRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = { + name: guid(resourceGroup().id, 'custom-limited-role') + scope: resourceGroup() + properties: { + roleName: 'Custom Limited Role' + description: 'Custom role with limited permissions' + permissions: [ + { + actions: [ + 'Microsoft.Resources/subscriptions/resourceGroups/read' + 'Microsoft.Storage/storageAccounts/read' + ] + notActions: [] + } + ] + assignableScopes: [ + resourceGroup().id + ] + } +} +``` + +## Security Impact + +Overly permissive role assignments can lead to: + +- **Privilege Escalation**: Compromised principals can create additional resources or modify permissions +- **Lateral Movement**: Broad scope allows access to more resources than necessary +- **Compliance Violations**: Violates principle of least privilege required by security frameworks +- **Audit Complexity**: Makes it harder to track and audit access patterns + +## References + +- [CWE-284: Improper Access Control](https://cwe.mitre.org/data/definitions/284.html) +- [Azure RBAC Best Practices](https://docs.microsoft.com/en-us/azure/role-based-access-control/best-practices) +- [Azure Built-in Roles](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles) +- [MITRE ATT&CK T1098: Account Manipulation](https://attack.mitre.org/techniques/T1098/) \ No newline at end of file diff --git a/ql/src/security/CWE-284/OverlyPermissiveRoleAssignment.ql b/ql/src/security/CWE-284/OverlyPermissiveRoleAssignment.ql new file mode 100644 index 0000000..9253771 --- /dev/null +++ b/ql/src/security/CWE-284/OverlyPermissiveRoleAssignment.ql 
@@ -0,0 +1,38 @@
+/**
+ * @name Overly permissive role assignment
+ * @description Detects role assignments that grant privileged roles (Owner, Contributor) at broad scopes (subscription, resource group) which can lead to excessive privileges and potential security risks.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision high
+ * @id bicep/overly-permissive-role-assignment
+ * @tags security
+ * bicep
+ * azure
+ * CWE-284
+ */
+
+import bicep
+
+from Authorization::RoleAssignmentResource roleAssignment, string roleType, string scopeType
+where
+ roleAssignment.isOverlyPermissive() and
+ (
+ // Identify the role type
+ exists(string roleId | roleId = roleAssignment.getRoleDefinitionId() |
+ roleId = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635" and roleType = "Owner"
+ or
+ roleId = "b24988ac-6180-42a0-ab88-20f7382dd24c" and roleType = "Contributor"
+ or
+ roleId = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" and roleType = "User Access Administrator"
+ )
+ ) and
+ (
+ // Identify the scope type
+ roleAssignment.isSubscriptionScoped() and scopeType = "subscription"
+ or
+ roleAssignment.isResourceGroupScoped() and scopeType = "resource group"
+ )
+select roleAssignment,
+ "This role assignment grants excessive privileges: " + roleType + " role assigned at " + scopeType +
+ " scope. Consider using a more restrictive role or narrowing the scope to specific resources."
\ No newline at end of file
diff --git a/ql/test/queries-tests/security/CWE-284/OverlyPermissiveRoleAssignment/OverlyPermissiveRoleAssignment.expected b/ql/test/queries-tests/security/CWE-284/OverlyPermissiveRoleAssignment/OverlyPermissiveRoleAssignment.expected
new file mode 100644
index 0000000..c30b737
--- /dev/null
+++ b/ql/test/queries-tests/security/CWE-284/OverlyPermissiveRoleAssignment/OverlyPermissiveRoleAssignment.expected
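Review bot: The role-ID comparison inside the `exists(string roleId ...)` block is a case-sensitive equality against lowercase GUIDs, so a template that writes the same role definition ID in uppercase (Azure treats the GUID case-insensitively) is never flagged; compare on the normalised value instead, `roleId.toLowerCase() = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635" and roleType = "Owner"`, and likewise for the other two IDs. A `roleAssignments` resource with no `scope` property is deployed at the template's target scope, which is frequently a resource group, so if `isResourceGroupScoped()` only recognises an explicit `resourceGroup()` call those assignments are missed — `app.bicep` has no such case, so this cannot be confirmed from the hunk. The `@description` names only Owner and Contributor while the where clause also matches User Access Administrator; the metadata should list all three, e.g. `@description Detects role assignments that grant privileged roles (Owner, Contributor, User Access Administrator) at broad scopes (subscription, resource group) ...`. The `isOverlyPermissive()` call on the first line of the where clause presumably encodes the same role and scope lists as the explicit disjunctions that follow it; if so, keeping the GUID list in one place avoids the two drifting apart. Separately, the commit adds a `CWE-284.testproj` database directory beside this query whose index log reports `Found 0 files`; that looks like a stray local build artifact rather than part of the query.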
@@ -0,0 +1,4 @@
+| app.bicep:16:1:24:1 | ResourceDeclaration | This role assignment grants excessive privileges: Contributor role assigned at subscription scope. Consider using a more restrictive role or narrowing the scope to specific resources. |
+| app.bicep:27:1:35:1 | ResourceDeclaration | This role assignment grants excessive privileges: Owner role assigned at subscription scope. Consider using a more restrictive role or narrowing the scope to specific resources. |
+| app.bicep:38:1:46:1 | ResourceDeclaration | This role assignment grants excessive privileges: Contributor role assigned at resource group scope. Consider using a more restrictive role or narrowing the scope to specific resources. |
+| app.bicep:49:1:57:1 | ResourceDeclaration | This role assignment grants excessive privileges: User Access Administrator role assigned at resource group scope. Consider using a more restrictive role or narrowing the scope to specific resources. |
\ No newline at end of file
diff --git a/ql/test/queries-tests/security/CWE-284/OverlyPermissiveRoleAssignment/OverlyPermissiveRoleAssignment.qlref b/ql/test/queries-tests/security/CWE-284/OverlyPermissiveRoleAssignment/OverlyPermissiveRoleAssignment.qlref
new file mode 100644
index 0000000..1dc7018
--- /dev/null
+++ b/ql/test/queries-tests/security/CWE-284/OverlyPermissiveRoleAssignment/OverlyPermissiveRoleAssignment.qlref
@@ -0,0 +1 @@
+security/CWE-284/OverlyPermissiveRoleAssignment.ql
\ No newline at end of file
diff --git a/ql/test/queries-tests/security/CWE-284/OverlyPermissiveRoleAssignment/app.bicep b/ql/test/queries-tests/security/CWE-284/OverlyPermissiveRoleAssignment/app.bicep
new file mode 100644
index 0000000..40251e2
--- /dev/null
+++ b/ql/test/queries-tests/security/CWE-284/OverlyPermissiveRoleAssignment/app.bicep
@@ -0,0 +1,146 @@ +// Test cases for overly permissive role assignments + +@description('Service principal object ID') +param spObjectId string + +@description('User object ID for testing') +param userObjectId string + +@description('Role definition ID parameter for secure pattern') +@allowed([ + 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' // Storage Blob Data Reader +]) +param restrictedRoleDefinitionId string = 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' + +// VULNERABLE PATTERN 1: Contributor role at subscription scope +resource vulnerableSubContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(subscription().id, spObjectId, 'contributor-assignment') + scope: subscription() + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor + principalId: spObjectId + principalType: 'ServicePrincipal' + } +} + +// VULNERABLE PATTERN 2: Owner role at subscription scope +resource vulnerableSubOwner 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(subscription().id, userObjectId, 'owner-assignment') + scope: subscription() + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') // Owner + principalId: userObjectId + principalType: 'User' + } +} + +// VULNERABLE PATTERN 3: Contributor role at resource group scope +resource vulnerableRgContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(resourceGroup().id, spObjectId, 'rg-contributor') + scope: resourceGroup() + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor + principalId: spObjectId + principalType: 'ServicePrincipal' + } +} + +// VULNERABLE PATTERN 4: User Access Administrator role at resource group scope +resource vulnerableRgUserAccessAdmin 
'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(resourceGroup().id, userObjectId, 'rg-user-access-admin') + scope: resourceGroup() + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') // User Access Administrator + principalId: userObjectId + principalType: 'User' + } +} + +// SECURE PATTERN 1: Least privilege role at resource scope +resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' = { + name: 'securestorage${uniqueString(resourceGroup().id)}' + location: resourceGroup().location + kind: 'StorageV2' + sku: { name: 'Standard_LRS' } + properties: { + allowBlobPublicAccess: false + minimumTlsVersion: 'TLS1_2' + supportsHttpsTrafficOnly: true + } +} + +resource secureStorageRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(storageAccount.id, spObjectId, 'storage-blob-reader') + scope: storageAccount + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe') // Storage Blob Data Reader + principalId: spObjectId + principalType: 'ServicePrincipal' + } +} + +// SECURE PATTERN 2: Using parameter-restricted role at resource scope +resource anotherStorageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' = { + name: 'securestorage2${uniqueString(resourceGroup().id)}' + location: resourceGroup().location + kind: 'StorageV2' + sku: { name: 'Standard_LRS' } + properties: { + allowBlobPublicAccess: false + minimumTlsVersion: 'TLS1_2' + supportsHttpsTrafficOnly: true + } +} + +resource secureParameterizedRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(anotherStorageAccount.id, spObjectId, 'parameterized-role') + scope: anotherStorageAccount + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', restrictedRoleDefinitionId) + principalId: spObjectId 
+ principalType: 'ServicePrincipal' + } +} + +// SECURE PATTERN 3: Less privileged built-in role at subscription scope (acceptable for monitoring) +resource secureMonitoringRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(subscription().id, spObjectId, 'monitoring-reader') + scope: subscription() + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') // Monitoring Reader + principalId: spObjectId + principalType: 'ServicePrincipal' + } +} + +// SECURE PATTERN 4: Custom role with limited permissions at resource group scope +resource customRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = { + name: guid(resourceGroup().id, 'custom-limited-role') + scope: resourceGroup() + properties: { + roleName: 'Custom Limited Role' + description: 'Custom role with limited permissions' + permissions: [ + { + actions: [ + 'Microsoft.Resources/subscriptions/resourceGroups/read' + 'Microsoft.Storage/storageAccounts/read' + ] + notActions: [] + } + ] + assignableScopes: [ + resourceGroup().id + ] + } +} + +resource secureCustomRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(resourceGroup().id, spObjectId, 'custom-role-assignment') + scope: resourceGroup() + properties: { + roleDefinitionId: customRole.id + principalId: spObjectId + principalType: 'ServicePrincipal' + } +} \ No newline at end of file