From 437b2c15033db925f2a3022c0b44e44512334928 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Wed, 14 Nov 2018 13:18:54 +0100 Subject: [PATCH 1/4] Java: Cosmetic changes and missing overrides. --- .../src/Security/CWE/CWE-129/ArraySizing.qll | 35 ++++++++----------- 1 file changed, 14 insertions(+), 21 deletions(-) diff --git a/java/ql/src/Security/CWE/CWE-129/ArraySizing.qll b/java/ql/src/Security/CWE/CWE-129/ArraySizing.qll index f6c519c32d4a..59db7d4f87f5 100644 --- a/java/ql/src/Security/CWE/CWE-129/ArraySizing.qll +++ b/java/ql/src/Security/CWE/CWE-129/ArraySizing.qll @@ -7,32 +7,25 @@ private import BoundingChecks * If the `Array` accessed by the `ArrayAccess` is a fixed size, return the array size. */ int fixedArraySize(ArrayAccess arrayAccess) { - result = arrayAccess - .getArray() - .(VarAccess) - .getVariable() - .getAnAssignedValue() - .(ArrayCreationExpr) - .getFirstDimensionSize() + exists(Variable v | + v.getAnAccess() = arrayAccess.getArray() and + result = v.getAnAssignedValue().(ArrayCreationExpr).getFirstDimensionSize() + ) } /** * Holds if an `ArrayIndexOutOfBoundsException` is ever caught. */ private predicate arrayIndexOutOfBoundExceptionCaught(ArrayAccess arrayAccess) { - exists(TryStmt ts, CatchClause cc | + exists(TryStmt ts, CatchClause cc, RefType exc | ( ts.getBlock().getAChild*() = arrayAccess.getEnclosingStmt() or ts.getAResourceDecl().getAChild*() = arrayAccess.getEnclosingStmt() or ts.getAResourceExpr().getAChildExpr*() = arrayAccess ) and - cc = ts.getACatchClause() - | - cc - .getVariable() - .getType() - .(RefType) - .hasQualifiedName("java.lang", "ArrayIndexOutOfBoundsException") + cc = ts.getACatchClause() and + exc = cc.getVariable().getType() and + exc.hasQualifiedName("java.lang", "ArrayIndexOutOfBoundsException") ) } 
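Review bot: `arrayIndexOutOfBoundExceptionCaught` still accepts only a catch clause whose declared type is exactly `java.lang.ArrayIndexOutOfBoundsException`, although its comment says the exception "is ever caught". An access inside a `try` that catches a supertype such as `IndexOutOfBoundsException` or `RuntimeException` is therefore not treated as handled, and the queries that use this predicate may report it. Now that the caught type is bound to `exc`, supertypes could be accepted by binding a second `RefType aioobe` with `aioobe.hasQualifiedName("java.lang", "ArrayIndexOutOfBoundsException")` and requiring `aioobe.getASupertype*() = exc`. Since this commit is labelled cosmetic, that would belong in a follow-up; if the exact match is intended, the comment should say so.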
@@ -144,14 +137,14 @@ class RandomValueFlowSource extends BoundedFlowSource { ) } - int lowerBound() { + override int lowerBound() { // If this call is to `nextInt()`, the lower bound is zero. this.asExpr().(MethodAccess).getCallee().hasName("nextInt") and this.asExpr().(MethodAccess).getNumArgument() = 1 and result = 0 } - int upperBound() { + override int upperBound() { // If this call specified an argument to `nextInt()`, and that argument is a compile time constant, // it forms the upper bound. this.asExpr().(MethodAccess).getCallee().hasName("nextInt") and @@ -159,7 +152,7 @@ class RandomValueFlowSource extends BoundedFlowSource { result = this.asExpr().(MethodAccess).getArgument(0).(CompileTimeConstantExpr).getIntValue() } - string getDescription() { result = "Random value" } + override string getDescription() { result = "Random value" } } /** @@ -168,11 +161,11 @@ class RandomValueFlowSource extends BoundedFlowSource { class NumericLiteralFlowSource extends BoundedFlowSource { NumericLiteralFlowSource() { exists(this.asExpr().(CompileTimeConstantExpr).getIntValue()) } - int lowerBound() { result = this.asExpr().(CompileTimeConstantExpr).getIntValue() } + override int lowerBound() { result = this.asExpr().(CompileTimeConstantExpr).getIntValue() } - int upperBound() { result = this.asExpr().(CompileTimeConstantExpr).getIntValue() } + override int upperBound() { result = this.asExpr().(CompileTimeConstantExpr).getIntValue() } - string getDescription() { + override string getDescription() { result = "Literal value " + this.asExpr().(CompileTimeConstantExpr).getIntValue() } } From 5e03b6f681b778d7ace79e0175c7ee4fbdc15f2b Mon Sep 17 00:00:00 2001 
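Review bot: `RandomValueFlowSource.upperBound()` returns the constant argument of `nextInt` itself, while `NumericLiteralFlowSource.upperBound()` returns the largest value the source can actually take, so the two overrides do not agree on whether the bound is inclusive. If these calls are `java.util.Random.nextInt(int)` (the receiver type is not visible in these hunks), the result is always strictly below the argument. The comparison `boundedsource.upperBound() < fixedArraySize(arrayAccess)` in ImproperValidationOfArrayIndexCodeSpecified.ql then reports an index drawn with a bound equal to the array size, even though it cannot go out of range. Consider subtracting one from the returned value, or documenting on `upperBound` that it is exclusive for this source and adjusting the comparison. The comment in `lowerBound()` also says `nextInt()` while the condition requires exactly one argument; `nextInt(int)` would match the code, and the body of `upperBound()` is split across two hunks here.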
From: Anders Schack-Mulligen Date: Wed, 14 Nov 2018 13:11:47 +0100 Subject: [PATCH 2/4] Java: Convert security queries to path-problems. --- .../src/Security/CWE/CWE-022/TaintedPath.ql | 12 ++++--- .../Security/CWE/CWE-022/TaintedPathLocal.ql | 13 +++++--- java/ql/src/Security/CWE/CWE-022/ZipSlip.ql | 10 +++--- .../src/Security/CWE/CWE-078/ExecCommon.qll | 4 +-- .../src/Security/CWE/CWE-078/ExecTainted.ql | 10 +++--- .../Security/CWE/CWE-078/ExecTaintedLocal.ql | 11 ++++--- .../src/Security/CWE/CWE-078/ExecUnescaped.ql | 2 +- java/ql/src/Security/CWE/CWE-079/XSS.ql | 10 +++--- java/ql/src/Security/CWE/CWE-079/XSSLocal.ql | 10 +++--- .../Security/CWE/CWE-089/SqlInjectionLib.qll | 6 ++-- .../ql/src/Security/CWE/CWE-089/SqlTainted.ql | 9 +++--- .../Security/CWE/CWE-089/SqlTaintedLocal.ql | 11 ++++--- .../src/Security/CWE/CWE-089/SqlUnescaped.ql | 2 +- .../Security/CWE/CWE-113/ResponseSplitting.ql | 10 +++--- .../CWE/CWE-113/ResponseSplittingLocal.ql | 10 +++--- .../ImproperValidationOfArrayConstruction.ql | 14 +++++---- ...idationOfArrayConstructionCodeSpecified.ql | 15 +++++---- ...roperValidationOfArrayConstructionLocal.ql | 14 +++++---- .../CWE-129/ImproperValidationOfArrayIndex.ql | 15 ++++----- ...operValidationOfArrayIndexCodeSpecified.ql | 31 ++++++++++--------- .../ImproperValidationOfArrayIndexLocal.ql | 15 ++++----- .../ExternallyControlledFormatString.ql | 13 +++++--- .../Security/CWE/CWE-190/ArithmeticTainted.ql | 14 +++++---- .../CWE/CWE-190/ArithmeticTaintedLocal.ql | 14 +++++---- .../CWE/CWE-190/ArithmeticUncontrolled.ql | 14 +++++---- .../CWE-190/ArithmeticWithExtremeValues.ql | 18 ++++++----- java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql | 13 +++++--- .../CWE/CWE-327/BrokenCryptoAlgorithm.ql | 15 ++++++--- .../CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql | 15 ++++++--- .../CWE/CWE-502/UnsafeDeserialization.ql | 10 +++--- .../src/Security/CWE/CWE-601/UrlRedirect.ql | 10 +++--- .../Security/CWE/CWE-601/UrlRedirectLocal.ql | 10 +++--- 
java/ql/src/Security/CWE/CWE-611/XXE.ql | 10 +++--- .../CWE/CWE-681/NumericCastTainted.ql | 15 +++++---- .../CWE/CWE-681/NumericCastTaintedLocal.ql | 14 ++++++--- .../CWE-798/HardcodedCredentialsApiCall.ql | 11 ++++--- .../CWE-798/HardcodedCredentialsSourceCall.ql | 10 +++--- .../Security/CWE/CWE-807/ConditionalBypass.ql | 15 ++++++--- .../CWE/CWE-807/TaintedPermissionsCheck.ql | 11 ++++--- 39 files changed, 279 insertions(+), 187 deletions(-) diff --git a/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql b/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql index fef3fa65e853..0aef239d264c 100644 --- a/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql +++ b/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql @@ -1,7 +1,7 @@ /** * @name Uncontrolled data used in path expression * @description Accessing paths influenced by users can allow an attacker to access unexpected resources. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id java/path-injection @@ -15,6 +15,7 @@ import java import semmle.code.java.dataflow.FlowSources import PathsCommon +import DataFlow::PathGraph class TaintedPathConfig extends TaintTracking::Configuration { TaintedPathConfig() { this = "TaintedPathConfig" } @@ -30,8 +31,9 @@ class TaintedPathConfig extends TaintTracking::Configuration { } } -from RemoteUserInput u, PathCreation p, Expr e, TaintedPathConfig conf +from DataFlow::PathNode source, DataFlow::PathNode sink, PathCreation p, TaintedPathConfig conf where - e = p.getInput() and - conf.hasFlow(u, DataFlow::exprNode(e)) -select p, "$@ flows to here and is used in a path.", u, "User-provided value" + sink.getNode().asExpr() = p.getInput() and + conf.hasFlowPath(source, sink) +select p, source, sink, "$@ flows to here and is used in a path.", source.getNode(), + "User-provided value" diff --git a/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql b/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql index e1e6b3e53fc8..4d1c20f923e4 100644 
--- a/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql +++ b/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql @@ -1,7 +1,7 @@ /** * @name Local-user-controlled data in path expression * @description Accessing paths influenced by users can allow an attacker to access unexpected resources. - * @kind problem + * @kind path-problem * @problem.severity recommendation * @precision medium * @id java/path-injection-local @@ -15,6 +15,7 @@ import java import semmle.code.java.dataflow.FlowSources import PathsCommon +import DataFlow::PathGraph class TaintedPathLocalConfig extends TaintTracking::Configuration { TaintedPathLocalConfig() { this = "TaintedPathLocalConfig" } @@ -24,9 +25,13 @@ class TaintedPathLocalConfig extends TaintTracking::Configuration { override predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(PathCreation p).getInput() } } -from LocalUserInput u, PathCreation p, Expr e, TaintedPathLocalConfig conf +from + DataFlow::PathNode source, DataFlow::PathNode sink, PathCreation p, Expr e, + TaintedPathLocalConfig conf where + e = sink.getNode().asExpr() and e = p.getInput() and - conf.hasFlow(u, DataFlow::exprNode(e)) and + conf.hasFlowPath(source, sink) and not guarded(e) -select p, "$@ flows to here and is used in a path.", u, "User-provided value" +select p, source, sink, "$@ flows to here and is used in a path.", source.getNode(), + "User-provided value" diff --git a/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql b/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql index ff4a39af80ad..f23167eed24e 100644 --- a/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql +++ b/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql @@ -3,7 +3,7 @@ * @description Extracting files from a malicious archive without validating that the * destination file path is within the destination directory can cause files outside * the destination directory to be overwritten. - * @kind problem + * @kind path-problem * @id java/zipslip * @problem.severity error * @precision high 
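Review bot: In TaintedPathLocal.ql the `not guarded(e)` filter stays in the `where` clause, so `TaintedPathLocalConfig.isSink` still accepts guarded path inputs and paths to them are computed only to be discarded. With a path-problem query it is clearer when the configuration itself describes the reported sinks: `override predicate isSink(DataFlow::Node sink) { exists(Expr e | e = sink.asExpr() | e = any(PathCreation p).getInput() and not guarded(e)) }`. After that, `Expr e` can be dropped from the `from` clause and the `where` clause reduces to `sink.getNode().asExpr() = p.getInput() and conf.hasFlowPath(source, sink)`, matching the shape used in TaintedPath.ql.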
@@ -16,6 +16,7 @@ import semmle.code.java.controlflow.Guards import semmle.code.java.dataflow.SSA import semmle.code.java.dataflow.TaintTracking import DataFlow +import PathGraph /** * A method that returns the name of an archive entry. @@ -170,7 +171,8 @@ class ZipSlipConfiguration extends TaintTracking::Configuration { } } -from Node source, Node sink -where any(ZipSlipConfiguration c).hasFlow(source, sink) -select source, "Unsanitized archive entry, which may contain '..', is used in a $@.", sink, +from PathNode source, PathNode sink +where any(ZipSlipConfiguration c).hasFlowPath(source, sink) +select source.getNode(), source, sink, + "Unsanitized archive entry, which may contain '..', is used in a $@.", sink.getNode(), "file system operation" diff --git a/java/ql/src/Security/CWE/CWE-078/ExecCommon.qll b/java/ql/src/Security/CWE/CWE-078/ExecCommon.qll index 1900b081dfd7..00c7fea3e02b 100644 --- a/java/ql/src/Security/CWE/CWE-078/ExecCommon.qll +++ b/java/ql/src/Security/CWE/CWE-078/ExecCommon.qll @@ -20,8 +20,8 @@ private class RemoteUserInputToArgumentToExecFlowConfig extends TaintTracking::C * so that it can be excluded from `ExecUnescaped.ql` to avoid * reporting overlapping results. */ -predicate execTainted(RemoteUserInput source, ArgumentToExec execArg) { +predicate execTainted(DataFlow::PathNode source, DataFlow::PathNode sink, ArgumentToExec execArg) { exists(RemoteUserInputToArgumentToExecFlowConfig conf | - conf.hasFlow(source, DataFlow::exprNode(execArg)) + conf.hasFlowPath(source, sink) and sink.getNode() = DataFlow::exprNode(execArg) ) } diff --git a/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql b/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql index f86c6ca917f9..8774de339b6c 100644 --- a/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql +++ b/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql 
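Review bot: The doc comment above `execTainted` in ExecCommon.qll is left unchanged and does not describe the new `sink` parameter or how it relates to `execArg`. A line such as `* Holds if tainted data flows along the path from source to sink, where sink is the node for execArg.` would make the three-argument form readable without opening the body. ExecUnescaped.ql only needs the negation `not execTainted(_, _, argument)`, so it now depends on path nodes although it reports no paths; a node-level helper for that exclusion may be worth keeping. The same applies to `queryTaintedBy` in SqlInjectionLib.qll and its use in SqlUnescaped.ql. The comment block for `execTainted` starts outside the hunk.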
@@ -2,7 +2,7 @@ * @name Uncontrolled command line * @description Using externally controlled strings in a command line is vulnerable to malicious * changes in the strings. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id java/command-line-injection @@ -15,7 +15,9 @@ import semmle.code.java.Expr import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.ExternalProcess import ExecCommon +import DataFlow::PathGraph -from StringArgumentToExec execArg, RemoteUserInput origin -where execTainted(origin, execArg) -select execArg, "$@ flows to here and is used in a command.", origin, "User-provided value" +from DataFlow::PathNode source, DataFlow::PathNode sink, StringArgumentToExec execArg +where execTainted(source, sink, execArg) +select execArg, source, sink, "$@ flows to here and is used in a command.", source.getNode(), + "User-provided value" diff --git a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql index bff0956b9da0..d809f1bb5dd0 100644 --- a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql +++ b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql @@ -2,7 +2,7 @@ * @name Local-user-controlled command line * @description Using externally controlled strings in a command line is vulnerable to malicious * changes in the strings. - * @kind problem + * @kind path-problem * @problem.severity recommendation * @precision medium * @id java/command-line-injection-local @@ -14,6 +14,7 @@ import semmle.code.java.Expr import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.ExternalProcess +import DataFlow::PathGraph class LocalUserInputToArgumentToExecFlowConfig extends TaintTracking::Configuration { LocalUserInputToArgumentToExecFlowConfig() { this = "LocalUserInputToArgumentToExecFlowConfig" } 
@@ -28,6 +29,8 @@ class LocalUserInputToArgumentToExecFlowConfig extends TaintTracking::Configurat } from - StringArgumentToExec execArg, LocalUserInput origin, LocalUserInputToArgumentToExecFlowConfig conf -where conf.hasFlow(origin, DataFlow::exprNode(execArg)) -select execArg, "$@ flows to here and is used in a command.", origin, "User-provided value" + DataFlow::PathNode source, DataFlow::PathNode sink, StringArgumentToExec execArg, + LocalUserInputToArgumentToExecFlowConfig conf +where conf.hasFlowPath(source, sink) and sink.getNode().asExpr() = execArg +select execArg, source, sink, "$@ flows to here and is used in a command.", source.getNode(), + "User-provided value" diff --git a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql index afc4fafe4dca..e80afa7f6ebd 100644 --- a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql +++ b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql @@ -47,5 +47,5 @@ predicate builtFromUncontrolledConcat(Expr expr) { from StringArgumentToExec argument where builtFromUncontrolledConcat(argument) and - not execTainted(_, argument) + not execTainted(_, _, argument) select argument, "Command line is built with string concatenation." diff --git a/java/ql/src/Security/CWE/CWE-079/XSS.ql b/java/ql/src/Security/CWE/CWE-079/XSS.ql index 75eaa38cb327..dc4c7f606bca 100644 --- a/java/ql/src/Security/CWE/CWE-079/XSS.ql +++ b/java/ql/src/Security/CWE/CWE-079/XSS.ql @@ -2,7 +2,7 @@ * @name Cross-site scripting * @description Writing user input directly to a web page * allows for a cross-site scripting vulnerability. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id java/xss @@ -13,6 +13,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.XSS +import DataFlow2::PathGraph class XSSConfig extends TaintTracking::Configuration2 { XSSConfig() { this = "XSSConfig" } 
@@ -26,6 +27,7 @@ class XSSConfig extends TaintTracking::Configuration2 { } } -from XssSink sink, RemoteUserInput source, XSSConfig conf -where conf.hasFlow(source, sink) -select sink, "Cross-site scripting vulnerability due to $@.", source, "user-provided value" +from DataFlow2::PathNode source, DataFlow2::PathNode sink, XSSConfig conf +where conf.hasFlowPath(source, sink) +select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.", + source.getNode(), "user-provided value" diff --git a/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql b/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql index 58ac779bea84..d0e2a04b681c 100644 --- a/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql +++ b/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql @@ -2,7 +2,7 @@ * @name Cross-site scripting from local source * @description Writing user input directly to a web page * allows for a cross-site scripting vulnerability. - * @kind problem + * @kind path-problem * @problem.severity recommendation * @precision medium * @id java/xss-local @@ -13,6 +13,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.XSS +import DataFlow2::PathGraph class XSSLocalConfig extends TaintTracking::Configuration2 { XSSLocalConfig() { this = "XSSLocalConfig" } @@ -22,6 +23,7 @@ class XSSLocalConfig extends TaintTracking::Configuration2 { override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink } } -from XssSink sink, LocalUserInput source, XSSLocalConfig conf -where conf.hasFlow(source, sink) -select sink, "Cross-site scripting vulnerability due to $@.", source, "user-provided value" +from DataFlow2::PathNode source, DataFlow2::PathNode sink, XSSLocalConfig conf +where conf.hasFlowPath(source, sink) +select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.", + source.getNode(), "user-provided value" 
diff --git a/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll b/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll index 74288aec5e5f..09da2e6de2a6 100644 --- a/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll +++ b/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll @@ -62,6 +62,8 @@ private class QueryInjectionFlowConfig extends TaintTracking::Configuration { * Implementation of `SqlTainted.ql`. This is extracted to a QLL so that it * can be excluded from `SqlUnescaped.ql` to avoid overlapping results. */ -predicate queryTaintedBy(QueryInjectionSink query, RemoteUserInput source) { - exists(QueryInjectionFlowConfig conf | conf.hasFlow(source, query)) +predicate queryTaintedBy( + QueryInjectionSink query, DataFlow::PathNode source, DataFlow::PathNode sink +) { + exists(QueryInjectionFlowConfig conf | conf.hasFlowPath(source, sink) and sink.getNode() = query) } diff --git a/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql b/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql index 8ae4b466db89..5b79c56a83c9 100644 --- a/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql +++ b/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql @@ -2,7 +2,7 @@ * @name Query built from user-controlled sources * @description Building a SQL or Java Persistence query from user-controlled sources is vulnerable to insertion of * malicious code by the user. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id java/sql-injection 
@@ -13,7 +13,8 @@ import semmle.code.java.Expr import semmle.code.java.dataflow.FlowSources import SqlInjectionLib +import DataFlow::PathGraph -from QueryInjectionSink query, RemoteUserInput source -where queryTaintedBy(query, source) -select query, "Query might include code from $@.", source, "this user input" +from QueryInjectionSink query, DataFlow::PathNode source, DataFlow::PathNode sink +where queryTaintedBy(query, source, sink) +select query, source, sink, "Query might include code from $@.", source.getNode(), "this user input" diff --git a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql index 5a69e48d9a90..f5cb9ca4aae2 100644 --- a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql +++ b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql @@ -2,7 +2,7 @@ * @name Query built from local-user-controlled sources * @description Building a SQL or Java Persistence query from user-controlled sources is vulnerable to insertion of * malicious code by the user. - * @kind problem + * @kind path-problem * @problem.severity recommendation * @precision medium * @id java/sql-injection-local @@ -13,6 +13,7 @@ import semmle.code.java.Expr import semmle.code.java.dataflow.FlowSources import SqlInjectionLib +import DataFlow::PathGraph class LocalUserInputToQueryInjectionFlowConfig extends TaintTracking::Configuration { LocalUserInputToQueryInjectionFlowConfig() { this = "LocalUserInputToQueryInjectionFlowConfig" } 
@@ -26,6 +27,8 @@ class LocalUserInputToQueryInjectionFlowConfig extends TaintTracking::Configurat } } -from QueryInjectionSink query, LocalUserInput source, LocalUserInputToQueryInjectionFlowConfig conf -where conf.hasFlow(source, query) -select query, "Query might include code from $@.", source, "this user input" +from + DataFlow::PathNode source, DataFlow::PathNode sink, LocalUserInputToQueryInjectionFlowConfig conf +where conf.hasFlowPath(source, sink) +select sink.getNode(), source, sink, "Query might include code from $@.", source.getNode(), + "this user input" diff --git a/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql b/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql index a974725a2fb0..83eaa50ea2c0 100644 --- a/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql +++ b/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql @@ -46,6 +46,6 @@ where conf.hasFlow(DataFlow::exprNode(sbv.getToStringCall()), query) ) ) and - not queryTaintedBy(query, _) + not queryTaintedBy(query, _, _) select query, "Query might not neutralize special characters in $@.", uncontrolled, "this expression" diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql index d6a6f74dcbf3..c2a6e0363a0f 100644 --- a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql +++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql @@ -2,7 +2,7 @@ * @name HTTP response splitting * @description Writing user input directly to an HTTP header * makes code vulnerable to attack by header splitting. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id java/http-response-splitting @@ -12,6 +12,7 @@ import java import ResponseSplitting +import DataFlow::PathGraph class ResponseSplittingConfig extends TaintTracking::Configuration { ResponseSplittingConfig() { this = "ResponseSplittingConfig" } 
@@ -24,6 +25,7 @@ class ResponseSplittingConfig extends TaintTracking::Configuration { override predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink } } -from HeaderSplittingSink sink, RemoteUserInput source, ResponseSplittingConfig conf -where conf.hasFlow(source, sink) -select sink, "Response-splitting vulnerability due to this $@.", source, "user-provided value" +from DataFlow::PathNode source, DataFlow::PathNode sink, ResponseSplittingConfig conf +where conf.hasFlowPath(source, sink) +select sink.getNode(), source, sink, "Response-splitting vulnerability due to this $@.", + source.getNode(), "user-provided value" diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql index a3205298190a..fb17d709b928 100644 --- a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql +++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql @@ -2,7 +2,7 @@ * @name HTTP response splitting from local source * @description Writing user input directly to an HTTP header * makes code vulnerable to attack by header splitting. - * @kind problem + * @kind path-problem * @problem.severity recommendation * @precision medium * @id java/http-response-splitting-local @@ -13,6 +13,7 @@ import java import semmle.code.java.dataflow.FlowSources import ResponseSplitting +import DataFlow::PathGraph class ResponseSplittingLocalConfig extends TaintTracking::Configuration { ResponseSplittingLocalConfig() { this = "ResponseSplittingLocalConfig" } 
@@ -22,6 +23,7 @@ class ResponseSplittingLocalConfig extends TaintTracking::Configuration { override predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink } } -from HeaderSplittingSink sink, LocalUserInput source, ResponseSplittingLocalConfig conf -where conf.hasFlow(source, sink) -select sink, "Response-splitting vulnerability due to this $@.", source, "user-provided value" +from DataFlow::PathNode source, DataFlow::PathNode sink, ResponseSplittingLocalConfig conf +where conf.hasFlowPath(source, sink) +select sink.getNode(), source, sink, "Response-splitting vulnerability due to this $@.", + source.getNode(), "user-provided value" diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql index 6589d4e60db0..3d9c6b0e4830 100644 --- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql +++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql @@ -1,7 +1,7 @@ /** * @name Improper validation of user-provided size used for array construction * @description Using unvalidated external input as the argument to a construction of an array can lead to index out of bound exceptions. - * @kind problem + * @kind path-problem * @problem.severity warning * @precision medium * @id java/improper-validation-of-array-construction @@ -12,6 +12,7 @@ import java import ArraySizing import semmle.code.java.dataflow.FlowSources +import DataFlow::PathGraph class Conf extends TaintTracking::Configuration { Conf() { this = "RemoteUserInputTocanThrowOutOfBoundsDueToEmptyArrayConfig" } 
@@ -24,11 +25,12 @@ class Conf extends TaintTracking::Configuration { } from - RemoteUserInput source, Expr sizeExpr, ArrayCreationExpr arrayCreation, - CheckableArrayAccess arrayAccess + DataFlow::PathNode source, DataFlow::PathNode sink, Expr sizeExpr, + ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess where arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sizeExpr, arrayCreation) and - any(Conf conf).hasFlow(source, DataFlow::exprNode(sizeExpr)) -select arrayAccess.getIndexExpr(), + sizeExpr = sink.getNode().asExpr() and + any(Conf conf).hasFlowPath(source, sink) +select arrayAccess.getIndexExpr(), source, sink, "The $@ is accessed here, but the array is initialized using $@ which may be zero.", - arrayCreation, "array", source, "User-provided value" + arrayCreation, "array", source.getNode(), "User-provided value" diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql index 8eee3e41c3b5..16519955c6dd 100644 --- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql +++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql @@ -2,7 +2,7 @@ * @name Improper validation of code-specified size used for array construction * @description Using a code-specified value that may be zero as the argument to * a construction of an array can lead to index out of bound exceptions. - * @kind problem + * @kind path-problem * @problem.severity recommendation * @precision medium * @id java/improper-validation-of-array-construction-code-specified @@ -12,6 +12,7 @@ import java import ArraySizing +import DataFlow::PathGraph class BoundedFlowSourceConf extends DataFlow::Configuration { BoundedFlowSourceConf() { this = "BoundedFlowSource" } 
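Review bot: The path reported by ImproperValidationOfArrayConstruction.ql ends at the array-size expression (`sizeExpr = sink.getNode().asExpr()`), but the alert is placed on `arrayAccess.getIndexExpr()`, so the last step of the displayed path is not the alert location. Someone triaging the result sees a path that stops at the array creation and has to follow the `$@` link for "array" to connect it to the access. A short comment above the `select`, for example `// The path ends at the size expression; the alert is on the access into the possibly empty array.`, would document that this is deliberate. The CodeSpecified and Local variants of this query use the same shape.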
@@ -28,11 +29,13 @@ class BoundedFlowSourceConf extends DataFlow::Configuration { } from - BoundedFlowSource source, Expr sizeExpr, ArrayCreationExpr arrayCreation, - CheckableArrayAccess arrayAccess + DataFlow::PathNode source, DataFlow::PathNode sink, BoundedFlowSource boundedsource, + Expr sizeExpr, ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess where arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sizeExpr, arrayCreation) and - any(BoundedFlowSourceConf conf).hasFlow(source, DataFlow::exprNode(sizeExpr)) -select arrayAccess.getIndexExpr(), + sizeExpr = sink.getNode().asExpr() and + boundedsource = source.getNode() and + any(BoundedFlowSourceConf conf).hasFlowPath(source, sink) +select arrayAccess.getIndexExpr(), source, sink, "The $@ is accessed here, but the array is initialized using $@ which may be zero.", - arrayCreation, "array", source, source.getDescription().toLowerCase() + arrayCreation, "array", boundedsource, boundedsource.getDescription().toLowerCase() diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql index c182ca0eeeba..6938946ce0cd 100644 --- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql +++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql @@ -2,7 +2,7 @@ * @name Improper validation of local user-provided size used for array construction * @description Using unvalidated local input as the argument to * a construction of an array can lead to index out of bound exceptions. - * @kind problem + * @kind path-problem * @problem.severity recommendation * @precision medium * @id java/improper-validation-of-array-construction-local 
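Review bot: The new variable `boundedsource` does not follow the lowerCamelCase naming of the other variables in this `from` clause (`sizeExpr`, `arrayCreation`, `arrayAccess`); `boundedSource` would be consistent. It is also fully determined by `source` through `boundedsource = source.getNode()`, so a comment such as `// BoundedFlowSource view of the path's source node, needed for getDescription()` would explain why both are declared. The same name is introduced in ImproperValidationOfArrayIndexCodeSpecified.ql, where it is also used for `lowerBound()` and `upperBound()`.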
@@ -13,6 +13,7 @@ import java import ArraySizing import semmle.code.java.dataflow.FlowSources +import DataFlow::PathGraph class Conf extends TaintTracking::Configuration { Conf() { this = "LocalUserInputTocanThrowOutOfBoundsDueToEmptyArrayConfig" } @@ -25,11 +26,12 @@ class Conf extends TaintTracking::Configuration { } from - LocalUserInput source, Expr sizeExpr, ArrayCreationExpr arrayCreation, - CheckableArrayAccess arrayAccess + DataFlow::PathNode source, DataFlow::PathNode sink, Expr sizeExpr, + ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess where arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sizeExpr, arrayCreation) and - any(Conf conf).hasFlow(source, DataFlow::exprNode(sizeExpr)) -select arrayAccess.getIndexExpr(), + sizeExpr = sink.getNode().asExpr() and + any(Conf conf).hasFlowPath(source, sink) +select arrayAccess.getIndexExpr(), source, sink, "The $@ is accessed here, but the array is initialized using $@ which may be zero.", - arrayCreation, "array", source, "User-provided value" + arrayCreation, "array", source.getNode(), "User-provided value" diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql index e81181d8c4f3..32571c7f5408 100644 --- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql +++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql @@ -1,7 +1,7 @@ /** * @name Improper validation of user-provided array index * @description Using external input as an index to an array, without proper validation, can lead to index out of bound exceptions. - * @kind problem + * @kind path-problem * @problem.severity warning * @precision medium * @id java/improper-validation-of-array-index 
@@ -12,6 +12,7 @@ import java import ArraySizing import semmle.code.java.dataflow.FlowSources +import DataFlow::PathGraph class Conf extends TaintTracking::Configuration { Conf() { this = "RemoteUserInputTocanThrowOutOfBoundsDueToEmptyArrayConfig" } @@ -25,10 +26,10 @@ class Conf extends TaintTracking::Configuration { override predicate isSanitizer(DataFlow::Node node) { node.getType() instanceof BooleanType } } -from RemoteUserInput source, Expr index, CheckableArrayAccess arrayAccess +from DataFlow::PathNode source, DataFlow::PathNode sink, CheckableArrayAccess arrayAccess where - arrayAccess.canThrowOutOfBounds(index) and - any(Conf conf).hasFlow(source, DataFlow::exprNode(index)) -select arrayAccess.getIndexExpr(), - "$@ flows to here and is used as an index causing an ArrayIndexOutOfBoundsException.", source, - "User-provided value" + arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and + any(Conf conf).hasFlowPath(source, sink) +select arrayAccess.getIndexExpr(), source, sink, + "$@ flows to here and is used as an index causing an ArrayIndexOutOfBoundsException.", + source.getNode(), "User-provided value" diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql index 02099fafae04..9d0098cab637 100644 --- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql +++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql @@ -2,7 +2,7 @@ * @name Improper validation of code-specified array index * @description Using a code-specified value as an index to an array, without * proper validation, can lead to index out of bound exceptions. - * @kind problem + * @kind path-problem * @problem.severity recommendation * @precision medium * @id java/improper-validation-of-array-index-code-specified 
@@ -13,6 +13,7 @@ import java import ArraySizing import BoundingChecks +import DataFlow::PathGraph class BoundedFlowSourceConf extends DataFlow::Configuration { BoundedFlowSourceConf() { this = "BoundedFlowSource" } 
@@ -24,34 +25,34 @@ class BoundedFlowSourceConf extends DataFlow::Configuration { } } -from BoundedFlowSource source, Expr index, CheckableArrayAccess arrayAccess +from + DataFlow::PathNode source, DataFlow::PathNode sink, BoundedFlowSource boundedsource, + CheckableArrayAccess arrayAccess where - arrayAccess.canThrowOutOfBounds(index) and - any(BoundedFlowSourceConf conf).hasFlow(source, DataFlow::exprNode(index)) and - source != DataFlow::exprNode(index) and + arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and + boundedsource = source.getNode() and + any(BoundedFlowSourceConf conf).hasFlowPath(source, sink) and + boundedsource != sink.getNode() and not ( ( // The input has a lower bound. - source.lowerBound() >= 0 + boundedsource.lowerBound() >= 0 or // There is a condition dominating this expression ensuring that the index is >= 0. lowerBound(arrayAccess.getIndexExpr()) >= 0 ) and ( // The input has an upper bound, and the array has a fixed size, and that fixed size is less. - source.upperBound() < fixedArraySize(arrayAccess) + boundedsource.upperBound() < fixedArraySize(arrayAccess) or // There is a condition dominating this expression that ensures the index is less than the length. lessthanLength(arrayAccess) ) ) and - /* - * Exclude cases where the array is assigned multiple times. The checks for bounded flow sources - * can use fixed sizes for arrays, but this doesn't work well when the array is initialized to zero - * and subsequently reassigned or grown. - */ - + // Exclude cases where the array is assigned multiple times. The checks for bounded flow sources + // can use fixed sizes for arrays, but this doesn't work well when the array is initialized to zero + // and subsequently reassigned or grown. 
count(arrayAccess.getArray().(VarAccess).getVariable().getAnAssignedValue()) = 1 -select arrayAccess.getIndexExpr(), +select arrayAccess.getIndexExpr(), source, sink, "$@ flows to the index used in this array access, and may cause the operation to throw an ArrayIndexOutOfBoundsException.", - source, source.getDescription() + boundedsource, boundedsource.getDescription() diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql index df5977031915..37e68292f66a 100644 --- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql +++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql @@ -2,7 +2,7 @@ * @name Improper validation of local user-provided array index * @description Using local user input as an index to an array, without * proper validation, can lead to index out of bound exceptions. - * @kind problem + * @kind path-problem * @problem.severity recommendation * @precision medium * @id java/improper-validation-of-array-index-local @@ -13,6 +13,7 @@ import java import ArraySizing import semmle.code.java.dataflow.FlowSources +import DataFlow::PathGraph class Conf extends TaintTracking::Configuration { Conf() { this = "LocalUserInputTocanThrowOutOfBoundsDueToEmptyArrayConfig" } 
@@ -24,10 +25,10 @@ class Conf extends TaintTracking::Configuration { } } -from LocalUserInput source, Expr index, CheckableArrayAccess arrayAccess +from DataFlow::PathNode source, DataFlow::PathNode sink, CheckableArrayAccess arrayAccess where - arrayAccess.canThrowOutOfBounds(index) and - any(Conf conf).hasFlow(source, DataFlow::exprNode(index)) -select arrayAccess.getIndexExpr(), - "$@ flows to here and is used as an index causing an ArrayIndexOutOfBoundsException.", source, - "User-provided value" + arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and + any(Conf conf).hasFlowPath(source, sink) +select arrayAccess.getIndexExpr(), source, sink, + "$@ flows to here and is used as an index causing an ArrayIndexOutOfBoundsException.", + source.getNode(), "User-provided value" diff --git a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql index 06d680854af1..4251e275e0d4 100644 --- a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql +++ b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql @@ -1,7 +1,7 @@ /** * @name Use of externally-controlled format string * @description Using external input in format strings can lead to exceptions or information leaks. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id java/tainted-format-string @@ -12,6 +12,7 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.StringFormat +import DataFlow::PathGraph class ExternallyControlledFormatStringConfig extends TaintTracking::Configuration { ExternallyControlledFormatStringConfig() { this = "ExternallyControlledFormatStringConfig" } 
@@ -27,7 +28,9 @@ class ExternallyControlledFormatStringConfig extends TaintTracking::Configuratio } } -from RemoteUserInput source, StringFormat formatCall, ExternallyControlledFormatStringConfig conf -where conf.hasFlow(source, DataFlow::exprNode(formatCall.getFormatArgument())) -select formatCall.getFormatArgument(), "$@ flows to here and is used in a format string.", source, - "User-provided value" +from + DataFlow::PathNode source, DataFlow::PathNode sink, StringFormat formatCall, + ExternallyControlledFormatStringConfig conf +where conf.hasFlowPath(source, sink) and sink.getNode().asExpr() = formatCall.getFormatArgument() +select formatCall.getFormatArgument(), source, sink, + "$@ flows to here and is used in a format string.", source.getNode(), "User-provided value" diff --git a/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql b/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql index 4fa8cc9e6b02..b607b0fcad59 100644 --- a/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql +++ b/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql @@ -2,7 +2,7 @@ * @name User-controlled data in arithmetic expression * @description Arithmetic operations on user-controlled data that is not validated can cause * overflows. - * @kind problem + * @kind path-problem * @problem.severity warning * @precision medium * @id java/tainted-arithmetic @@ -14,6 +14,7 @@ import java import semmle.code.java.dataflow.FlowSources import ArithmeticCommon +import DataFlow::PathGraph predicate sink(ArithExpr exp, VarAccess tainted, string effect) { exp.getAnOperand() = tainted and 
@@ -39,10 +40,11 @@ class RemoteUserInputConfig extends TaintTracking::Configuration { } from - ArithExpr exp, VarAccess tainted, RemoteUserInput origin, string effect, + DataFlow::PathNode source, DataFlow::PathNode sink, ArithExpr exp, string effect, RemoteUserInputConfig conf where - conf.hasFlow(origin, DataFlow::exprNode(tainted)) and - sink(exp, tainted, effect) -select exp, "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", - origin, "User-provided value" + conf.hasFlowPath(source, sink) and + sink(exp, sink.getNode().asExpr(), effect) +select exp, source, sink, + "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", + source.getNode(), "User-provided value" diff --git a/java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql index f4658b9ed140..dfd79c1abb4b 100644 --- a/java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql +++ b/java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql @@ -2,7 +2,7 @@ * @name Local-user-controlled data in arithmetic expression * @description Arithmetic operations on user-controlled data that is not validated can cause * overflows. - * @kind problem + * @kind path-problem * @problem.severity recommendation * @precision medium * @id java/tainted-arithmetic-local @@ -14,6 +14,7 @@ import java import semmle.code.java.dataflow.FlowSources import ArithmeticCommon +import DataFlow::PathGraph predicate sink(ArithExpr exp, VarAccess tainted, string effect) { exp.getAnOperand() = tainted and 
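Review bot: In the `from`/`where` of ArithmeticTainted.ql (hunk `@@ -39,10 +40,11 @@`) the new path variable `sink` has the same name as the file's predicate `sink(ArithExpr exp, VarAccess tainted, string effect)`, so `sink(exp, sink.getNode().asExpr(), effect)` uses one name for two different things. This presumably resolves because predicates and variables are looked up separately, but it is easy to misread when checking which operand is actually reported. The same call appears in the matching hunks of ArithmeticTaintedLocal.ql and ArithmeticUncontrolled.ql. Since `source, sink` is the usual naming for path variables, I would rename the predicate instead (for example `arithmeticSink`, a name of my own choosing); its definition is outside this hunk.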
@@ -38,9 +39,10 @@ class ArithmeticTaintedLocalFlowConfig extends TaintTracking::Configuration { override predicate isSanitizer(DataFlow::Node n) { n.getType() instanceof BooleanType } } -from ArithExpr exp, VarAccess tainted, LocalUserInput origin, string effect +from DataFlow::PathNode source, DataFlow::PathNode sink, ArithExpr exp, string effect where - any(ArithmeticTaintedLocalFlowConfig conf).hasFlow(origin, DataFlow::exprNode(tainted)) and - sink(exp, tainted, effect) -select exp, "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", - origin, "User-provided value" + any(ArithmeticTaintedLocalFlowConfig conf).hasFlowPath(source, sink) and + sink(exp, sink.getNode().asExpr(), effect) +select exp, source, sink, + "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", + source.getNode(), "User-provided value" diff --git a/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql index b91bc8921343..41ea9b6faf34 100644 --- a/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql +++ b/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql @@ -2,7 +2,7 @@ * @name Uncontrolled data in arithmetic expression * @description Arithmetic operations on uncontrolled data that is not validated can cause * overflows. - * @kind problem + * @kind path-problem * @problem.severity warning * @precision medium * @id java/uncontrolled-arithmetic @@ -15,6 +15,7 @@ import java import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.SecurityTests import ArithmeticCommon +import DataFlow::PathGraph class TaintSource extends DataFlow::ExprNode { TaintSource() { 
@@ -68,10 +69,11 @@ class ArithmeticUncontrolledFlowConfig extends TaintTracking::Configuration { } from - ArithExpr exp, VarAccess tainted, TaintSource origin, string effect, + DataFlow::PathNode source, DataFlow::PathNode sink, ArithExpr exp, string effect, ArithmeticUncontrolledFlowConfig conf where - conf.hasFlow(origin, DataFlow::exprNode(tainted)) and - sink(exp, tainted, effect) -select exp, "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", - origin, "Uncontrolled value" + conf.hasFlowPath(source, sink) and + sink(exp, sink.getNode().asExpr(), effect) +select exp, source, sink, + "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", + source.getNode(), "Uncontrolled value" diff --git a/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql b/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql index e418b107918d..b32c04f0078e 100644 --- a/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql +++ b/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql @@ -2,7 +2,7 @@ * @name Use of extreme values in arithmetic expression * @description If a variable is assigned the maximum or minimum value for that variable's type and * is then used in an arithmetic expression, this may result in an overflow. - * @kind problem + * @kind path-problem * @problem.severity recommendation * @precision medium * @id java/extreme-value-arithmetic @@ -15,6 +15,7 @@ import java import semmle.code.java.dataflow.DataFlow import ArithmeticCommon +import DataFlow::PathGraph abstract class ExtremeValueField extends Field { ExtremeValueField() { getType() instanceof IntegralType } 
@@ -53,24 +54,27 @@ predicate sink(ArithExpr exp, VarAccess use) { } predicate query( - ArithExpr exp, Variable v, ExtremeValueField f, VarAccess use, ExtremeSource s, Type t + DataFlow::PathNode source, DataFlow::PathNode sink, ArithExpr exp, Variable v, + ExtremeValueField f, VarAccess use, ExtremeSource s, Type t ) { // `use` is the use of `v` in `exp`. use = exp.getAnOperand() and use = v.getAnAccess() and // An extreme field flows to `use`. f = s.getVariable() and - any(ExtremeSourceFlowConfig conf).hasFlow(DataFlow::exprNode(s), DataFlow::exprNode(use)) and + any(ExtremeSourceFlowConfig conf).hasFlowPath(source, sink) and + s = source.getNode().asExpr() and + use = sink.getNode().asExpr() and t = s.getType() and // Division isn't a problem in this case. not exp instanceof DivExpr } from - ArithExpr exp, Variable v, ExtremeValueField f, VarAccess use, ExtremeSource s, string effect, - Type t + DataFlow::PathNode source, DataFlow::PathNode sink, ArithExpr exp, Variable v, + ExtremeValueField f, VarAccess use, ExtremeSource s, string effect, Type t where - query(exp, v, f, use, s, t) and + query(source, sink, exp, v, f, use, s, t) and // We're not guarded against the appropriate kind of flow error. ( f instanceof MinValueField and not guardedAgainstUnderflow(exp, use) and effect = "underflow" @@ -81,6 +85,6 @@ where // unless there is an enclosing cast down to a narrower type. narrowerThanOrEqualTo(exp, t) and not overflowIrrelevant(exp) -select exp, +select exp, source, sink, "Variable " + v.getName() + " is assigned an extreme value $@, and may cause an " + effect + ".", s, f.getName() diff --git a/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql b/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql index 3dbfd6081971..799ebdbe1593 100644 --- a/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql +++ b/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql 
@@ -1,7 +1,7 @@ /** * @name Failure to use HTTPS URLs * @description Non-HTTPS connections can be intercepted by third parties. - * @kind problem + * @kind path-problem * @problem.severity recommendation * @precision medium * @id java/non-https-url @@ -11,6 +11,7 @@ import java import semmle.code.java.dataflow.TaintTracking +import DataFlow::PathGraph class HTTPString extends StringLiteral { HTTPString() { @@ -73,8 +74,10 @@ class HTTPStringToURLOpenMethodFlowConfig extends TaintTracking::Configuration { } } -from MethodAccess m, HTTPString s +from DataFlow::PathNode source, DataFlow::PathNode sink, MethodAccess m, HTTPString s where - any(HTTPStringToURLOpenMethodFlowConfig c) - .hasFlow(DataFlow::exprNode(s), DataFlow::exprNode(m.getQualifier())) -select m, "URL may have been constructed with HTTP protocol, using $@.", s, "this source" + source.getNode().asExpr() = s and + sink.getNode().asExpr() = m.getQualifier() and + any(HTTPStringToURLOpenMethodFlowConfig c).hasFlowPath(source, sink) +select m, source, sink, "URL may have been constructed with HTTP protocol, using $@.", s, + "this source" diff --git a/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql index 53767eb8115f..384c24752cc7 100644 --- a/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql +++ b/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql @@ -1,7 +1,7 @@ /** * @name Use of a broken or risky cryptographic algorithm * @description Using broken or weak cryptographic algorithms can allow an attacker to compromise security. - * @kind problem + * @kind path-problem * @problem.severity warning * @precision medium * @id java/weak-cryptographic-algorithm @@ -13,6 +13,7 @@ import java import semmle.code.java.security.Encryption import semmle.code.java.dataflow.TaintTracking import DataFlow +import PathGraph private class ShortStringLiteral extends StringLiteral { ShortStringLiteral() { getLiteral().length() < 100 } 
@@ -38,8 +39,12 @@ class InsecureCryptoConfiguration extends TaintTracking::Configuration { } } -from CryptoAlgoSpec c, Expr a, BrokenAlgoLiteral s, InsecureCryptoConfiguration conf +from + PathNode source, PathNode sink, CryptoAlgoSpec c, BrokenAlgoLiteral s, + InsecureCryptoConfiguration conf where - a = c.getAlgoSpec() and - conf.hasFlow(exprNode(s), exprNode(a)) -select c, "Cryptographic algorithm $@ is weak and should not be used.", s, s.getLiteral() + sink.getNode().asExpr() = c.getAlgoSpec() and + source.getNode().asExpr() = s and + conf.hasFlowPath(source, sink) +select c, source, sink, "Cryptographic algorithm $@ is weak and should not be used.", s, + s.getLiteral() diff --git a/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql b/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql index 26289e801c22..d8d4d7e36509 100644 --- a/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql +++ b/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql @@ -1,7 +1,7 @@ /** * @name Use of a potentially broken or risky cryptographic algorithm * @description Using broken or weak cryptographic algorithms can allow an attacker to compromise security. - * @kind problem + * @kind path-problem * @problem.severity warning * @precision medium * @id java/potentially-weak-cryptographic-algorithm @@ -14,6 +14,7 @@ import semmle.code.java.security.Encryption import semmle.code.java.dataflow.TaintTracking import DataFlow import semmle.code.java.dispatch.VirtualDispatch +import PathGraph private class ShortStringLiteral extends StringLiteral { ShortStringLiteral() { getLiteral().length() < 100 } 
@@ -63,9 +64,13 @@ class InsecureCryptoConfiguration extends TaintTracking::Configuration { } } -from CryptoAlgoSpec c, Expr a, InsecureAlgoLiteral s, InsecureCryptoConfiguration conf +from + PathNode source, PathNode sink, CryptoAlgoSpec c, InsecureAlgoLiteral s, + InsecureCryptoConfiguration conf where - a = c.getAlgoSpec() and - conf.hasFlow(exprNode(s), exprNode(a)) -select c, "Cryptographic algorithm $@ may not be secure, consider using a different algorithm.", s, + sink.getNode().asExpr() = c.getAlgoSpec() and + source.getNode().asExpr() = s and + conf.hasFlowPath(source, sink) +select c, source, sink, + "Cryptographic algorithm $@ may not be secure, consider using a different algorithm.", s, s.getLiteral() diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql index 551bde36711f..9d857203538b 100644 --- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql +++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql @@ -2,7 +2,7 @@ * @name Deserialization of user-controlled data * @description Deserializing user-controlled data may allow attackers to * execute arbitrary code. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id java/unsafe-deserialization @@ -13,6 +13,7 @@ import java import semmle.code.java.dataflow.FlowSources import UnsafeDeserialization +import DataFlow::PathGraph class UnsafeDeserializationConfig extends TaintTracking::Configuration { UnsafeDeserializationConfig() { this = "UnsafeDeserializationConfig" } 
@@ -22,6 +23,7 @@ class UnsafeDeserializationConfig extends TaintTracking::Configuration { override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink } } -from UnsafeDeserializationSink sink, RemoteUserInput source, UnsafeDeserializationConfig conf -where conf.hasFlow(source, sink) -select sink.getMethodAccess(), "Unsafe deserialization of $@.", source, "user input" +from DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeDeserializationConfig conf +where conf.hasFlowPath(source, sink) +select sink.getNode().(UnsafeDeserializationSink).getMethodAccess(), source, sink, + "Unsafe deserialization of $@.", source.getNode(), "user input" diff --git a/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql b/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql index b7c96e929ea0..b343ae1e8a83 100644 --- a/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql +++ b/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql @@ -2,7 +2,7 @@ * @name URL redirection from remote source * @description URL redirection based on unvalidated user-input * may cause redirection to malicious web sites. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id java/unvalidated-url-redirection @@ -13,6 +13,7 @@ import java import semmle.code.java.dataflow.FlowSources import UrlRedirect +import DataFlow::PathGraph class UrlRedirectConfig extends TaintTracking::Configuration { UrlRedirectConfig() { this = "UrlRedirectConfig" } 
@@ -22,6 +23,7 @@ class UrlRedirectConfig extends TaintTracking::Configuration { override predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink } } -from UrlRedirectSink sink, RemoteUserInput source, UrlRedirectConfig conf -where conf.hasFlow(source, sink) -select sink, "Potentially untrusted URL redirection due to $@.", source, "user-provided value" +from DataFlow::PathNode source, DataFlow::PathNode sink, UrlRedirectConfig conf +where conf.hasFlowPath(source, sink) +select sink.getNode(), source, sink, "Potentially untrusted URL redirection due to $@.", + source.getNode(), "user-provided value" diff --git a/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql b/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql index 8a8c78039660..5f6421145307 100644 --- a/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql +++ b/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql @@ -2,7 +2,7 @@ * @name URL redirection from local source * @description URL redirection based on unvalidated user-input * may cause redirection to malicious web sites. - * @kind problem + * @kind path-problem * @problem.severity recommendation * @precision medium * @id java/unvalidated-url-redirection-local @@ -13,6 +13,7 @@ import java import semmle.code.java.dataflow.FlowSources import UrlRedirect +import DataFlow::PathGraph class UrlRedirectLocalConfig extends TaintTracking::Configuration { UrlRedirectLocalConfig() { this = "UrlRedirectLocalConfig" } 
@@ -22,6 +23,7 @@ class UrlRedirectLocalConfig extends TaintTracking::Configuration { override predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink } } -from UrlRedirectSink sink, LocalUserInput source, UrlRedirectLocalConfig conf -where conf.hasFlow(source, sink) -select sink, "Potentially untrusted URL redirection due to $@.", source, "user-provided value" +from DataFlow::PathNode source, DataFlow::PathNode sink, UrlRedirectLocalConfig conf +where conf.hasFlowPath(source, sink) +select sink.getNode(), source, sink, "Potentially untrusted URL redirection due to $@.", + source.getNode(), "user-provided value" diff --git a/java/ql/src/Security/CWE/CWE-611/XXE.ql b/java/ql/src/Security/CWE/CWE-611/XXE.ql index deb0c5108047..fba77e0640a3 100644 --- a/java/ql/src/Security/CWE/CWE-611/XXE.ql +++ b/java/ql/src/Security/CWE/CWE-611/XXE.ql @@ -2,7 +2,7 @@ * @name Resolving XML external entity in user-controlled data * @description Parsing user-controlled XML documents and allowing expansion of external entity * references may lead to disclosure of confidential data or denial of service. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id java/xxe @@ -13,6 +13,7 @@ import java import XmlParsers import semmle.code.java.dataflow.FlowSources +import DataFlow::PathGraph class SafeSAXSourceFlowConfig extends TaintTracking::Configuration2 { SafeSAXSourceFlowConfig() { this = "XmlParsers::SafeSAXSourceFlowConfig" } 
@@ -44,6 +45,7 @@ class XxeConfig extends TaintTracking::Configuration { override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink } } -from UnsafeXxeSink sink, RemoteUserInput source, XxeConfig conf -where conf.hasFlow(source, sink) -select sink, "Unsafe parsing of XML file from $@.", source, "user input" +from DataFlow::PathNode source, DataFlow::PathNode sink, XxeConfig conf +where conf.hasFlowPath(source, sink) +select sink.getNode(), source, sink, "Unsafe parsing of XML file from $@.", source.getNode(), + "user input" diff --git a/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql b/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql index d22b8f6bfa76..840d11730703 100644 --- a/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql +++ b/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql @@ -2,7 +2,7 @@ * @name User-controlled data in numeric cast * @description Casting user-controlled numeric data to a narrower type without validation * can cause unexpected truncation. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id java/tainted-numeric-cast @@ -14,6 +14,7 @@ import java import semmle.code.java.dataflow.FlowSources import NumericCastCommon +import DataFlow::PathGraph private class NumericCastFlowConfig extends TaintTracking::Configuration { NumericCastFlowConfig() { this = "NumericCastTainted::RemoteUserInputToNumericNarrowingCastExpr" } 
@@ -34,11 +35,13 @@ private class NumericCastFlowConfig extends TaintTracking::Configuration { } from - NumericNarrowingCastExpr exp, VarAccess tainted, RemoteUserInput origin, - NumericCastFlowConfig conf + DataFlow::PathNode source, DataFlow::PathNode sink, NumericNarrowingCastExpr exp, + VarAccess tainted, NumericCastFlowConfig conf where exp.getExpr() = tainted and - conf.hasFlow(origin, DataFlow::exprNode(tainted)) and + sink.getNode().asExpr() = tainted and + conf.hasFlowPath(source, sink) and not exists(RightShiftOp e | e.getShiftedVariable() = tainted.getVariable()) -select exp, "$@ flows to here and is cast to a narrower type, potentially causing truncation.", - origin, "User-provided value" +select exp, source, sink, + "$@ flows to here and is cast to a narrower type, potentially causing truncation.", + source.getNode(), "User-provided value" diff --git a/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql index 23ac0cb11844..9dadb0ae4432 100644 --- a/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql +++ b/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql @@ -2,7 +2,7 @@ * @name Local-user-controlled data in numeric cast * @description Casting user-controlled numeric data to a narrower type without validation * can cause unexpected truncation. - * @kind problem + * @kind path-problem * @problem.severity recommendation * @precision medium * @id java/tainted-numeric-cast-local @@ -14,6 +14,7 @@ import java import semmle.code.java.dataflow.FlowSources import NumericCastCommon +import DataFlow::PathGraph private class NumericCastFlowConfig extends TaintTracking::Configuration { NumericCastFlowConfig() { 
@@ -36,10 +37,13 @@ private class NumericCastFlowConfig extends TaintTracking::Configuration { } from - NumericNarrowingCastExpr exp, VarAccess tainted, LocalUserInput origin, NumericCastFlowConfig conf + DataFlow::PathNode source, DataFlow::PathNode sink, NumericNarrowingCastExpr exp, + VarAccess tainted, NumericCastFlowConfig conf where exp.getExpr() = tainted and - conf.hasFlow(origin, DataFlow::exprNode(tainted)) and + sink.getNode().asExpr() = tainted and + conf.hasFlowPath(source, sink) and not exists(RightShiftOp e | e.getShiftedVariable() = tainted.getVariable()) -select exp, "$@ flows to here and is cast to a narrower type, potentially causing truncation.", - origin, "User-provided value" +select exp, source, sink, + "$@ flows to here and is cast to a narrower type, potentially causing truncation.", + source.getNode(), "User-provided value" diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql index 478ee9375764..86b303750192 100644 --- a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql +++ b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql @@ -1,7 +1,7 @@ /** * @name Hard-coded credential in API call * @description Using a hard-coded credential in a call to a sensitive Java API may compromise security. - * @kind problem + * @kind path-problem * @problem.severity error * @precision medium * @id java/hardcoded-credential-api-call @@ -12,6 +12,7 @@ import java import semmle.code.java.dataflow.DataFlow import HardcodedCredentials +import DataFlow::PathGraph class HardcodedCredentialApiCallConfiguration extends DataFlow::Configuration { HardcodedCredentialApiCallConfiguration() { this = "HardcodedCredentialApiCallConfiguration" } 
@@ -32,6 +33,8 @@ class HardcodedCredentialApiCallConfiguration extends DataFlow::Configuration { } } -from CredentialsApiSink sink, HardcodedExpr source, HardcodedCredentialApiCallConfiguration conf -where conf.hasFlow(DataFlow::exprNode(source), DataFlow::exprNode(sink)) -select source, "Hard-coded value flows to $@.", sink, "sensitive API call" +from + DataFlow::PathNode source, DataFlow::PathNode sink, HardcodedCredentialApiCallConfiguration conf +where conf.hasFlowPath(source, sink) +select source.getNode(), source, sink, "Hard-coded value flows to $@.", sink.getNode(), + "sensitive API call" diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql index c2ec2a54dde8..93d0dde665a4 100644 --- a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql +++ b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql @@ -1,7 +1,7 @@ /** * @name Hard-coded credential in sensitive call * @description Using a hard-coded credential in a sensitive call may compromise security. - * @kind problem + * @kind path-problem * @problem.severity error * @precision low * @id java/hardcoded-credential-sensitive-call @@ -13,6 +13,7 @@ import java import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.DataFlow2 import HardcodedCredentials +import DataFlow::PathGraph class HardcodedCredentialSourceCallConfiguration extends DataFlow::Configuration { HardcodedCredentialSourceCallConfiguration() { 
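Review bot: The rewritten `from` clause in HardcodedCredentialsApiCall.ql (hunk `@@ -32,6 +33,8 @@`) no longer restricts the endpoints to `HardcodedExpr` and `CredentialsApiSink`, so the result set now depends entirely on the configuration's `isSource`/`isSink`, which are outside this hunk. If those predicates are broader than the old types, the query will report additional hard-coded-credential findings with nothing in the diff to show it. The same applies to `FinalCredentialsSourceSink` in the `@@ -45,7 +46,8 @@` hunk of HardcodedCredentialsSourceCall.ql. Either confirm that the configurations match the old types exactly, or keep the restriction explicit, e.g. `source.getNode().asExpr() instanceof HardcodedExpr and sink.getNode().asExpr() instanceof CredentialsApiSink`.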
@@ -45,7 +46,8 @@ class FinalCredentialsSourceSink extends CredentialsSourceSink { } from - FinalCredentialsSourceSink sink, HardcodedExpr source, + DataFlow::PathNode source, DataFlow::PathNode sink, HardcodedCredentialSourceCallConfiguration conf -where conf.hasFlow(DataFlow::exprNode(source), DataFlow::exprNode(sink)) -select source, "Hard-coded value flows to $@.", sink, "sensitive call" +where conf.hasFlowPath(source, sink) +select source.getNode(), source, sink, "Hard-coded value flows to $@.", sink.getNode(), + "sensitive call" diff --git a/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql b/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql index 5259bcc6bd83..beb40d86d718 100644 --- a/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql +++ b/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql @@ -2,7 +2,7 @@ * @name User-controlled bypass of sensitive method * @description User-controlled bypassing of sensitive methods may allow attackers to avoid * passing through authentication systems. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id java/user-controlled-bypass @@ -16,6 +16,7 @@ import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.SensitiveActions import semmle.code.java.controlflow.Dominance import semmle.code.java.controlflow.Guards +import DataFlow::PathGraph /** * Calls to a sensitive method that are controlled by a condition 
@@ -38,9 +39,13 @@ class ConditionalBypassFlowConfig extends TaintTracking::Configuration { override predicate isSink(DataFlow::Node sink) { conditionControlsMethod(_, sink.asExpr()) } } -from UserInput u, MethodAccess m, Expr e, ConditionalBypassFlowConfig conf +from + DataFlow::PathNode source, DataFlow::PathNode sink, MethodAccess m, Expr e, + ConditionalBypassFlowConfig conf where conditionControlsMethod(m, e) and - conf.hasFlow(u, DataFlow::exprNode(e)) -select m, "Sensitive method may not be executed depending on $@, which flows from $@.", e, - "this condition", u, "user input" + sink.getNode().asExpr() = e and + conf.hasFlowPath(source, sink) +select m, source, sink, + "Sensitive method may not be executed depending on $@, which flows from $@.", e, "this condition", + source.getNode(), "user input" diff --git a/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql b/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql index aac0f1cc4146..60dfbd6fc8c3 100644 --- a/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql +++ b/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql @@ -2,7 +2,7 @@ * @name User-controlled data used in permissions check * @description Using user-controlled data in a permissions check may result in inappropriate * permissions being granted. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id java/tainted-permissions-check @@ -13,6 +13,7 @@ import java import semmle.code.java.dataflow.FlowSources +import DataFlow::PathGraph class TypeShiroSubject extends RefType { TypeShiroSubject() { this.getQualifiedName() = "org.apache.shiro.subject.Subject" } 
@@ -58,6 +59,8 @@ class TaintedPermissionsCheckFlowConfig extends TaintTracking::Configuration { } } -from UserInput u, PermissionsConstruction p, TaintedPermissionsCheckFlowConfig conf -where conf.hasFlow(u, DataFlow::exprNode(p.getInput())) -select p, "Permissions check uses user-controlled $@.", u, "data" +from + DataFlow::PathNode source, DataFlow::PathNode sink, PermissionsConstruction p, + TaintedPermissionsCheckFlowConfig conf +where sink.getNode().asExpr() = p.getInput() and conf.hasFlowPath(source, sink) +select p, source, sink, "Permissions check uses user-controlled $@.", source.getNode(), "data" From deb61d6f296a6834531bf822118577d59df8d5a0 Mon Sep 17 00:00:00 2001 
From: Anders Schack-Mulligen Date: Thu, 15 Nov 2018 14:39:46 +0100 Subject: [PATCH 3/4] Java: Update test output. --- .../CWE-022/semmle/tests/TaintedPath.expected | 11 +- .../CWE-022/semmle/tests/ZipSlip.expected | 11 +- .../CWE-079/semmle/tests/XSS.expected | 14 +- .../semmle/examples/SqlTaintedLocal.expected | 18 +- .../semmle/tests/ResponseSplitting.expected | 11 +- ...nOfArrayConstructionCodeSpecified.expected | 5 +- ...alidationOfArrayConstructionLocal.expected | 8 +- ...lidationOfArrayIndexCodeSpecified.expected | 13 +- ...properValidationOfArrayIndexLocal.expected | 5 +- .../ExternallyControlledFormatString.expected | 7 +- .../tests/ArithmeticTaintedLocal.expected | 41 ++- .../tests/ArithmeticUncontrolled.expected | 8 +- .../ArithmeticWithExtremeValues.expected | 30 +- .../tests/BrokenCryptoAlgorithm.expected | 8 +- .../tests/MaybeBrokenCryptoAlgorithm.expected | 5 +- .../CWE-502/UnsafeDeserialization.expected | 56 ++-- .../CWE-601/semmle/tests/UrlRedirect.expected | 14 +- .../query-tests/security/CWE-611/XXE.expected | 284 ++++++++++++------ .../tests/NumericCastTaintedLocal.expected | 5 +- .../HardcodedCredentialsApiCall.expected | 66 ++-- .../HardcodedCredentialsSourceCall.expected | 8 +- .../semmle/tests/ConditionalBypass.expected | 19 +- .../tests/TaintedPermissionsCheck.expected | 5 +- 23 files changed, 463 insertions(+), 189 deletions(-) diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected index bcab22f08f0c..fa1c155857b5 100644 --- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected +++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected 
@@ -1,3 +1,8 @@ -| Test.java:24:11:24:24 | new File(...) | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value | -| Test.java:27:11:27:25 | get(...) | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value | -| Test.java:30:11:30:48 | getPath(...) | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value | +edges +| Test.java:19:18:19:38 | getHostName(...) [String] | Test.java:24:20:24:23 | temp | +| Test.java:19:18:19:38 | getHostName(...) [String] | Test.java:27:21:27:24 | temp | +| Test.java:19:18:19:38 | getHostName(...) [String] | Test.java:30:44:30:47 | temp | +#select +| Test.java:24:11:24:24 | new File(...) | Test.java:19:18:19:38 | getHostName(...) [String] | Test.java:24:20:24:23 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value | +| Test.java:27:11:27:25 | get(...) | Test.java:19:18:19:38 | getHostName(...) [String] | Test.java:27:21:27:24 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value | +| Test.java:30:11:30:48 | getPath(...) | Test.java:19:18:19:38 | getHostName(...) [String] | Test.java:30:44:30:47 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value | diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipSlip.expected b/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipSlip.expected index 3bfa3aaebe82..8d6b9bc86084 100644 --- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipSlip.expected +++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipSlip.expected 
@@ -1,3 +1,8 @@ -| ZipTest.java:7:19:7:33 | getName(...) | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipTest.java:9:48:9:51 | file | file system operation | -| ZipTest.java:7:19:7:33 | getName(...) | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipTest.java:10:49:10:52 | file | file system operation | -| ZipTest.java:7:19:7:33 | getName(...) | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipTest.java:11:36:11:39 | file | file system operation | +edges +| ZipTest.java:7:19:7:33 | getName(...) [String] | ZipTest.java:9:48:9:51 | file | +| ZipTest.java:7:19:7:33 | getName(...) [String] | ZipTest.java:10:49:10:52 | file | +| ZipTest.java:7:19:7:33 | getName(...) [String] | ZipTest.java:11:36:11:39 | file | +#select +| ZipTest.java:7:19:7:33 | getName(...) | ZipTest.java:7:19:7:33 | getName(...) [String] | ZipTest.java:9:48:9:51 | file | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipTest.java:9:48:9:51 | file | file system operation | +| ZipTest.java:7:19:7:33 | getName(...) | ZipTest.java:7:19:7:33 | getName(...) [String] | ZipTest.java:10:49:10:52 | file | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipTest.java:10:49:10:52 | file | file system operation | +| ZipTest.java:7:19:7:33 | getName(...) | ZipTest.java:7:19:7:33 | getName(...) [String] | ZipTest.java:11:36:11:39 | file | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipTest.java:11:36:11:39 | file | file system operation | diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.expected b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.expected index 293e81c6cd13..783b599c312e 100644 --- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.expected +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.expected 
@@ -1,4 +1,10 @@ -| XSS.java:23:5:23:70 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:23:21:23:48 | getParameter(...) | user-provided value | -| XSS.java:27:5:27:70 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:27:21:27:48 | getParameter(...) | user-provided value | -| XSS.java:38:30:38:87 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:38:67:38:87 | getPathInfo(...) | user-provided value | -| XSS.java:41:36:41:67 | getBytes(...) | Cross-site scripting vulnerability due to $@. | XSS.java:41:36:41:56 | getPathInfo(...) | user-provided value | +edges +| XSS.java:23:21:23:48 | getParameter(...) [String] | XSS.java:23:5:23:70 | ... + ... | +| XSS.java:27:21:27:48 | getParameter(...) [String] | XSS.java:27:5:27:70 | ... + ... | +| XSS.java:38:67:38:87 | getPathInfo(...) [String] | XSS.java:38:30:38:87 | ... + ... | +| XSS.java:41:36:41:56 | getPathInfo(...) [String] | XSS.java:41:36:41:67 | getBytes(...) | +#select +| XSS.java:23:5:23:70 | ... + ... | XSS.java:23:21:23:48 | getParameter(...) [String] | XSS.java:23:5:23:70 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:23:21:23:48 | getParameter(...) | user-provided value | +| XSS.java:27:5:27:70 | ... + ... | XSS.java:27:21:27:48 | getParameter(...) [String] | XSS.java:27:5:27:70 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:27:21:27:48 | getParameter(...) | user-provided value | +| XSS.java:38:30:38:87 | ... + ... | XSS.java:38:67:38:87 | getPathInfo(...) [String] | XSS.java:38:30:38:87 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:38:67:38:87 | getPathInfo(...) | user-provided value | +| XSS.java:41:36:41:67 | getBytes(...) | XSS.java:41:36:41:56 | getPathInfo(...) [String] | XSS.java:41:36:41:67 | getBytes(...) | Cross-site scripting vulnerability due to $@. | XSS.java:41:36:41:56 | getPathInfo(...) | user-provided value | 
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected index 0e14f76fbec7..7fc66dfe5417 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected 
@@ -1,4 +1,14 @@ -| Test.java:36:47:36:52 | query1 | Query might include code from $@. | Test.java:190:26:190:38 | args | this user input | -| Test.java:44:62:44:67 | query3 | Query might include code from $@. | Test.java:190:26:190:38 | args | this user input | -| Test.java:56:47:56:61 | querySbToString | Query might include code from $@. | Test.java:190:26:190:38 | args | this user input | -| Test.java:186:47:186:68 | queryWithUserTableName | Query might include code from $@. | Test.java:190:26:190:38 | args | this user input | +edges +| Test.java:29:30:29:42 | args [String[]] | Test.java:36:47:36:52 | query1 | +| Test.java:29:30:29:42 | args [String[]] | Test.java:44:62:44:67 | query3 | +| Test.java:29:30:29:42 | args [String[]] | Test.java:56:47:56:61 | querySbToString | +| Test.java:160:33:160:45 | args [String[]] | Test.java:186:47:186:68 | queryWithUserTableName | +| Test.java:190:26:190:38 | args [String[]] | Test.java:191:11:191:14 | args [String[]] | +| Test.java:190:26:190:38 | args [String[]] | Test.java:195:14:195:17 | args [String[]] | +| Test.java:191:11:191:14 | args [String[]] | Test.java:29:30:29:42 | args [String[]] | +| Test.java:195:14:195:17 | args [String[]] | Test.java:160:33:160:45 | args [String[]] | +#select +| Test.java:36:47:36:52 | query1 | Test.java:190:26:190:38 | args [String[]] | Test.java:36:47:36:52 | query1 | Query might include code from $@. | Test.java:190:26:190:38 | args | this user input | +| Test.java:44:62:44:67 | query3 | Test.java:190:26:190:38 | args [String[]] | Test.java:44:62:44:67 | query3 | Query might include code from $@. | Test.java:190:26:190:38 | args | this user input | +| Test.java:56:47:56:61 | querySbToString | Test.java:190:26:190:38 | args [String[]] | Test.java:56:47:56:61 | querySbToString | Query might include code from $@. 
| Test.java:190:26:190:38 | args | this user input | +| Test.java:186:47:186:68 | queryWithUserTableName | Test.java:190:26:190:38 | args [String[]] | Test.java:186:47:186:68 | queryWithUserTableName | Query might include code from $@. | Test.java:190:26:190:38 | args | this user input | diff --git a/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.expected b/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.expected index bde977b5f2ed..08860eb220a5 100644 --- a/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.expected +++ b/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.expected 
@@ -1,3 +1,8 @@ -| ResponseSplitting.java:23:23:23:28 | cookie | Response-splitting vulnerability due to this $@. | ResponseSplitting.java:22:39:22:66 | getParameter(...) | user-provided value | -| ResponseSplitting.java:28:38:28:72 | getParameter(...) | Response-splitting vulnerability due to this $@. | ResponseSplitting.java:28:38:28:72 | getParameter(...) | user-provided value | -| ResponseSplitting.java:29:38:29:72 | getParameter(...) | Response-splitting vulnerability due to this $@. | ResponseSplitting.java:29:38:29:72 | getParameter(...) | user-provided value | +edges +| ResponseSplitting.java:22:39:22:66 | getParameter(...) [String] | ResponseSplitting.java:23:23:23:28 | cookie | +| ResponseSplitting.java:28:38:28:72 | getParameter(...) [String] | ResponseSplitting.java:28:38:28:72 | getParameter(...) | +| ResponseSplitting.java:29:38:29:72 | getParameter(...) [String] | ResponseSplitting.java:29:38:29:72 | getParameter(...) | +#select +| ResponseSplitting.java:23:23:23:28 | cookie | ResponseSplitting.java:22:39:22:66 | getParameter(...) [String] | ResponseSplitting.java:23:23:23:28 | cookie | Response-splitting vulnerability due to this $@. | ResponseSplitting.java:22:39:22:66 | getParameter(...) | user-provided value | +| ResponseSplitting.java:28:38:28:72 | getParameter(...) | ResponseSplitting.java:28:38:28:72 | getParameter(...) [String] | ResponseSplitting.java:28:38:28:72 | getParameter(...) | Response-splitting vulnerability due to this $@. | ResponseSplitting.java:28:38:28:72 | getParameter(...) | user-provided value | +| ResponseSplitting.java:29:38:29:72 | getParameter(...) | ResponseSplitting.java:29:38:29:72 | getParameter(...) [String] | ResponseSplitting.java:29:38:29:72 | getParameter(...) | Response-splitting vulnerability due to this $@. | ResponseSplitting.java:29:38:29:72 | getParameter(...) | user-provided value | 
diff --git a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstructionCodeSpecified.expected b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstructionCodeSpecified.expected index 5bd722ef5cbc..e97efe4d4d3c 100644 --- a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstructionCodeSpecified.expected +++ b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstructionCodeSpecified.expected @@ -1 +1,4 @@ -| Test.java:91:30:91:30 | 0 | The $@ is accessed here, but the array is initialized using $@ which may be zero. | Test.java:88:19:88:31 | new int[] | array | Test.java:86:16:86:16 | 0 | literal value 0 | +edges +| Test.java:86:16:86:16 | 0 [Number] | Test.java:88:27:88:30 | size | +#select +| Test.java:91:30:91:30 | 0 | Test.java:86:16:86:16 | 0 [Number] | Test.java:88:27:88:30 | size | The $@ is accessed here, but the array is initialized using $@ which may be zero. | Test.java:88:19:88:31 | new int[] | array | Test.java:86:16:86:16 | 0 | literal value 0 | diff --git a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstructionLocal.expected b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstructionLocal.expected index 9f9272ac515f..250c1eeb76ed 100644 --- a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstructionLocal.expected +++ b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstructionLocal.expected 
@@ -1,2 +1,6 @@ -| Test.java:64:34:64:34 | 0 | The $@ is accessed here, but the array is initialized using $@ which may be zero. | Test.java:61:23:61:35 | new int[] | array | Test.java:57:27:57:60 | getProperty(...) | User-provided value | -| Test.java:70:37:70:37 | 0 | The $@ is accessed here, but the array is initialized using $@ which may be zero. | Test.java:67:26:67:38 | new int[] | array | Test.java:57:27:57:60 | getProperty(...) | User-provided value | +edges +| Test.java:57:27:57:60 | getProperty(...) [String] | Test.java:61:31:61:34 | size | +| Test.java:57:27:57:60 | getProperty(...) [String] | Test.java:67:34:67:37 | size | +#select +| Test.java:64:34:64:34 | 0 | Test.java:57:27:57:60 | getProperty(...) [String] | Test.java:61:31:61:34 | size | The $@ is accessed here, but the array is initialized using $@ which may be zero. | Test.java:61:23:61:35 | new int[] | array | Test.java:57:27:57:60 | getProperty(...) | User-provided value | +| Test.java:70:37:70:37 | 0 | Test.java:57:27:57:60 | getProperty(...) [String] | Test.java:67:34:67:37 | size | The $@ is accessed here, but the array is initialized using $@ which may be zero. | Test.java:67:26:67:38 | new int[] | array | Test.java:57:27:57:60 | getProperty(...) | User-provided value | diff --git a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndexCodeSpecified.expected b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndexCodeSpecified.expected index e1f31a5f8dc7..ab7e75ea1b61 100644 --- a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndexCodeSpecified.expected +++ b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndexCodeSpecified.expected 
@@ -1 +1,12 @@ -| Test.java:43:30:43:34 | index | $@ flows to the index used in this array access, and may cause the operation to throw an ArrayIndexOutOfBoundsException. | Test.java:40:17:40:48 | nextInt(...) | Random value | +edges +| Test.java:40:17:40:48 | nextInt(...) [Number] | Test.java:43:30:43:34 | index | +| Test.java:40:17:40:48 | nextInt(...) [Number] | Test.java:47:32:47:36 | index | +| Test.java:40:17:40:48 | nextInt(...) [Number] | Test.java:51:39:51:43 | index | +| Test.java:64:34:64:34 | 0 [Number] | Test.java:64:34:64:34 | 0 | +| Test.java:70:37:70:37 | 0 [Number] | Test.java:70:37:70:37 | 0 | +| Test.java:77:39:77:39 | 0 [Number] | Test.java:77:39:77:39 | 0 | +| Test.java:91:30:91:30 | 0 [Number] | Test.java:91:30:91:30 | 0 | +| Test.java:93:17:93:17 | 0 [Number] | Test.java:96:32:96:36 | index | +| Test.java:102:30:102:30 | 0 [Number] | Test.java:102:30:102:30 | 0 | +#select +| Test.java:43:30:43:34 | index | Test.java:40:17:40:48 | nextInt(...) [Number] | Test.java:43:30:43:34 | index | $@ flows to the index used in this array access, and may cause the operation to throw an ArrayIndexOutOfBoundsException. | Test.java:40:17:40:48 | nextInt(...) | Random value | diff --git a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndexLocal.expected b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndexLocal.expected index 20223404d614..0ea9b6f7d3d5 100644 --- a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndexLocal.expected +++ b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndexLocal.expected 
@@ -1 +1,4 @@ -| Test.java:18:34:18:38 | index | $@ flows to here and is used as an index causing an ArrayIndexOutOfBoundsException. | Test.java:13:27:13:60 | getProperty(...) | User-provided value | +edges +| Test.java:13:27:13:60 | getProperty(...) [String] | Test.java:18:34:18:38 | index | +#select +| Test.java:18:34:18:38 | index | Test.java:13:27:13:60 | getProperty(...) [String] | Test.java:18:34:18:38 | index | $@ flows to here and is used as an index causing an ArrayIndexOutOfBoundsException. | Test.java:13:27:13:60 | getProperty(...) | User-provided value | diff --git a/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatString.expected b/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatString.expected index 35b460ae9b9e..a843797fcc17 100644 --- a/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatString.expected +++ b/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatString.expected @@ -1 +1,6 @@ -| Test.java:39:25:39:30 | format | $@ flows to here and is used in a format string. | Test.java:33:30:33:74 | getParameter(...) | User-provided value | +edges +| Test.java:33:30:33:74 | getParameter(...) [String] | Test.java:34:20:34:32 | userParameter [String] | +| Test.java:34:20:34:32 | userParameter [String] | Test.java:37:31:37:43 | format [String] | +| Test.java:37:31:37:43 | format [String] | Test.java:39:25:39:30 | format | +#select +| Test.java:39:25:39:30 | format | Test.java:33:30:33:74 | getParameter(...) [String] | Test.java:39:25:39:30 | format | $@ flows to here and is used in a format string. | Test.java:33:30:33:74 | getParameter(...) | User-provided value | diff --git a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTaintedLocal.expected b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTaintedLocal.expected index 64a964a8882e..a292ffe24745 100644 
--- a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTaintedLocal.expected +++ b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTaintedLocal.expected 
@@ -1,9 +1,32 @@ -| ArithmeticTainted.java:32:17:32:25 | ... + ... | $@ flows to here and is used in arithmetic, potentially causing an overflow. | ArithmeticTainted.java:17:46:17:54 | System.in | User-provided value | -| ArithmeticTainted.java:40:17:40:25 | ... - ... | $@ flows to here and is used in arithmetic, potentially causing an underflow. | ArithmeticTainted.java:17:46:17:54 | System.in | User-provided value | -| ArithmeticTainted.java:50:17:50:24 | ... + ... | $@ flows to here and is used in arithmetic, potentially causing an overflow. | ArithmeticTainted.java:17:46:17:54 | System.in | User-provided value | -| ArithmeticTainted.java:71:17:71:27 | ... + ... | $@ flows to here and is used in arithmetic, potentially causing an overflow. | ArithmeticTainted.java:17:46:17:54 | System.in | User-provided value | -| ArithmeticTainted.java:95:37:95:46 | ... + ... | $@ flows to here and is used in arithmetic, potentially causing an overflow. | ArithmeticTainted.java:17:46:17:54 | System.in | User-provided value | -| ArithmeticTainted.java:127:3:127:8 | ...++ | $@ flows to here and is used in arithmetic, potentially causing an overflow. | ArithmeticTainted.java:17:46:17:54 | System.in | User-provided value | -| ArithmeticTainted.java:131:3:131:8 | ++... | $@ flows to here and is used in arithmetic, potentially causing an overflow. | ArithmeticTainted.java:17:46:17:54 | System.in | User-provided value | -| ArithmeticTainted.java:135:3:135:8 | ...-- | $@ flows to here and is used in arithmetic, potentially causing an underflow. | ArithmeticTainted.java:17:46:17:54 | System.in | User-provided value | -| ArithmeticTainted.java:139:3:139:8 | --... | $@ flows to here and is used in arithmetic, potentially causing an underflow. 
| ArithmeticTainted.java:17:46:17:54 | System.in | User-provided value | +edges +| ArithmeticTainted.java:17:46:17:54 | System.in [InputStream] | ArithmeticTainted.java:32:17:32:20 | data | +| ArithmeticTainted.java:17:46:17:54 | System.in [InputStream] | ArithmeticTainted.java:40:17:40:20 | data | +| ArithmeticTainted.java:17:46:17:54 | System.in [InputStream] | ArithmeticTainted.java:50:17:50:20 | data | +| ArithmeticTainted.java:17:46:17:54 | System.in [InputStream] | ArithmeticTainted.java:64:20:64:23 | data [Number] | +| ArithmeticTainted.java:17:46:17:54 | System.in [InputStream] | ArithmeticTainted.java:95:37:95:40 | data | +| ArithmeticTainted.java:17:46:17:54 | System.in [InputStream] | ArithmeticTainted.java:118:9:118:12 | data [Number] | +| ArithmeticTainted.java:17:46:17:54 | System.in [InputStream] | ArithmeticTainted.java:119:10:119:13 | data [Number] | +| ArithmeticTainted.java:17:46:17:54 | System.in [InputStream] | ArithmeticTainted.java:120:10:120:13 | data [Number] | +| ArithmeticTainted.java:17:46:17:54 | System.in [InputStream] | ArithmeticTainted.java:121:10:121:13 | data [Number] | +| ArithmeticTainted.java:64:4:64:10 | tainted [post update] [dat, ... (1)] | ArithmeticTainted.java:66:18:66:24 | tainted [dat, ... (1)] | +| ArithmeticTainted.java:64:20:64:23 | data [Number] | ArithmeticTainted.java:64:4:64:10 | tainted [post update] [dat, ... (1)] | +| ArithmeticTainted.java:66:18:66:24 | tainted [dat, ... (1)] | ArithmeticTainted.java:66:18:66:34 | getData(...) [Number] | +| ArithmeticTainted.java:66:18:66:34 | getData(...) 
[Number] | ArithmeticTainted.java:71:17:71:23 | herring | +| ArithmeticTainted.java:118:9:118:12 | data [Number] | ArithmeticTainted.java:125:26:125:33 | data [Number] | +| ArithmeticTainted.java:119:10:119:13 | data [Number] | ArithmeticTainted.java:129:27:129:34 | data [Number] | +| ArithmeticTainted.java:120:10:120:13 | data [Number] | ArithmeticTainted.java:133:27:133:34 | data [Number] | +| ArithmeticTainted.java:121:10:121:13 | data [Number] | ArithmeticTainted.java:137:27:137:34 | data [Number] | +| ArithmeticTainted.java:125:26:125:33 | data [Number] | ArithmeticTainted.java:127:3:127:6 | data | +| ArithmeticTainted.java:129:27:129:34 | data [Number] | ArithmeticTainted.java:131:5:131:8 | data | +| ArithmeticTainted.java:133:27:133:34 | data [Number] | ArithmeticTainted.java:135:3:135:6 | data | +| ArithmeticTainted.java:137:27:137:34 | data [Number] | ArithmeticTainted.java:139:5:139:8 | data | +#select +| ArithmeticTainted.java:32:17:32:25 | ... + ... | ArithmeticTainted.java:17:46:17:54 | System.in [InputStream] | ArithmeticTainted.java:32:17:32:20 | data | $@ flows to here and is used in arithmetic, potentially causing an overflow. | ArithmeticTainted.java:17:46:17:54 | System.in | User-provided value | +| ArithmeticTainted.java:40:17:40:25 | ... - ... | ArithmeticTainted.java:17:46:17:54 | System.in [InputStream] | ArithmeticTainted.java:40:17:40:20 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | ArithmeticTainted.java:17:46:17:54 | System.in | User-provided value | +| ArithmeticTainted.java:50:17:50:24 | ... + ... | ArithmeticTainted.java:17:46:17:54 | System.in [InputStream] | ArithmeticTainted.java:50:17:50:20 | data | $@ flows to here and is used in arithmetic, potentially causing an overflow. | ArithmeticTainted.java:17:46:17:54 | System.in | User-provided value | +| ArithmeticTainted.java:71:17:71:27 | ... + ... 
| ArithmeticTainted.java:17:46:17:54 | System.in [InputStream] | ArithmeticTainted.java:71:17:71:23 | herring | $@ flows to here and is used in arithmetic, potentially causing an overflow. | ArithmeticTainted.java:17:46:17:54 | System.in | User-provided value | +| ArithmeticTainted.java:95:37:95:46 | ... + ... | ArithmeticTainted.java:17:46:17:54 | System.in [InputStream] | ArithmeticTainted.java:95:37:95:40 | data | $@ flows to here and is used in arithmetic, potentially causing an overflow. | ArithmeticTainted.java:17:46:17:54 | System.in | User-provided value | +| ArithmeticTainted.java:127:3:127:8 | ...++ | ArithmeticTainted.java:17:46:17:54 | System.in [InputStream] | ArithmeticTainted.java:127:3:127:6 | data | $@ flows to here and is used in arithmetic, potentially causing an overflow. | ArithmeticTainted.java:17:46:17:54 | System.in | User-provided value | +| ArithmeticTainted.java:131:3:131:8 | ++... | ArithmeticTainted.java:17:46:17:54 | System.in [InputStream] | ArithmeticTainted.java:131:5:131:8 | data | $@ flows to here and is used in arithmetic, potentially causing an overflow. | ArithmeticTainted.java:17:46:17:54 | System.in | User-provided value | +| ArithmeticTainted.java:135:3:135:8 | ...-- | ArithmeticTainted.java:17:46:17:54 | System.in [InputStream] | ArithmeticTainted.java:135:3:135:6 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | ArithmeticTainted.java:17:46:17:54 | System.in | User-provided value | +| ArithmeticTainted.java:139:3:139:8 | --... | ArithmeticTainted.java:17:46:17:54 | System.in [InputStream] | ArithmeticTainted.java:139:5:139:8 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | ArithmeticTainted.java:17:46:17:54 | System.in | User-provided value | 
diff --git a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticUncontrolled.expected b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticUncontrolled.expected index d43c9445d1f3..a94a48a3707a 100644 --- a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticUncontrolled.expected +++ b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticUncontrolled.expected @@ -1,2 +1,6 @@ -| Test.java:209:17:209:24 | ... + ... | $@ flows to here and is used in arithmetic, potentially causing an overflow. | Test.java:205:14:205:57 | nextInt(...) | Uncontrolled value | -| Test.java:240:37:240:46 | ... + ... | $@ flows to here and is used in arithmetic, potentially causing an overflow. | Test.java:205:14:205:57 | nextInt(...) | Uncontrolled value | +edges +| Test.java:205:14:205:57 | nextInt(...) [Number] | Test.java:209:17:209:20 | data | +| Test.java:205:14:205:57 | nextInt(...) [Number] | Test.java:240:37:240:40 | data | +#select +| Test.java:209:17:209:24 | ... + ... | Test.java:205:14:205:57 | nextInt(...) [Number] | Test.java:209:17:209:20 | data | $@ flows to here and is used in arithmetic, potentially causing an overflow. | Test.java:205:14:205:57 | nextInt(...) | Uncontrolled value | +| Test.java:240:37:240:46 | ... + ... | Test.java:205:14:205:57 | nextInt(...) [Number] | Test.java:240:37:240:40 | data | $@ flows to here and is used in arithmetic, potentially causing an overflow. | Test.java:205:14:205:57 | nextInt(...) | Uncontrolled value | diff --git a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticWithExtremeValues.expected b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticWithExtremeValues.expected index d55dbcaaf0e4..e0a8192ee294 100644 --- a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticWithExtremeValues.expected +++ b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticWithExtremeValues.expected 
@@ -1,8 +1,22 @@ -| Test.java:95:8:95:12 | ... + ... | Variable i is assigned an extreme value $@, and may cause an overflow. | Test.java:92:8:92:24 | Integer.MAX_VALUE | MAX_VALUE | -| Test.java:110:13:110:17 | ... - ... | Variable i is assigned an extreme value $@, and may cause an underflow. | Test.java:108:13:108:26 | Long.MIN_VALUE | MIN_VALUE | -| Test.java:138:14:138:18 | ... + ... | Variable i is assigned an extreme value $@, and may cause an overflow. | Test.java:137:9:137:25 | Integer.MAX_VALUE | MAX_VALUE | -| Test.java:146:14:146:18 | ... + ... | Variable i is assigned an extreme value $@, and may cause an overflow. | Test.java:143:12:143:28 | Integer.MAX_VALUE | MAX_VALUE | -| Test.java:155:14:155:18 | ... + ... | Variable i is assigned an extreme value $@, and may cause an overflow. | Test.java:151:12:151:28 | Integer.MAX_VALUE | MAX_VALUE | -| Test.java:187:39:187:43 | ... + ... | Variable b is assigned an extreme value $@, and may cause an overflow. | Test.java:184:13:184:26 | Byte.MAX_VALUE | MAX_VALUE | -| Test.java:194:41:194:45 | ... + ... | Variable s is assigned an extreme value $@, and may cause an overflow. | Test.java:191:14:191:28 | Short.MAX_VALUE | MAX_VALUE | -| Test.java:201:37:201:42 | ... + ... | Variable i is assigned an extreme value $@, and may cause an overflow. 
| Test.java:198:12:198:28 | Integer.MAX_VALUE | MAX_VALUE |
+edges
+| Test.java:92:8:92:24 | Integer.MAX_VALUE [Number] | Test.java:95:8:95:8 | i |
+| Test.java:108:13:108:26 | Long.MIN_VALUE [Number] | Test.java:110:13:110:13 | i |
+| Test.java:114:13:114:26 | Long.MAX_VALUE [Number] | Test.java:116:13:116:13 | i |
+| Test.java:137:9:137:25 | Integer.MAX_VALUE [Number] | Test.java:138:14:138:14 | i |
+| Test.java:143:12:143:28 | Integer.MAX_VALUE [Number] | Test.java:146:14:146:14 | i |
+| Test.java:151:12:151:28 | Integer.MAX_VALUE [Number] | Test.java:155:14:155:14 | i |
+| Test.java:160:13:160:26 | Byte.MAX_VALUE [Number] | Test.java:164:12:164:12 | b |
+| Test.java:168:14:168:28 | Short.MAX_VALUE [Number] | Test.java:172:12:172:12 | s |
+| Test.java:176:12:176:28 | Integer.MAX_VALUE [Number] | Test.java:180:13:180:13 | i |
+| Test.java:184:13:184:26 | Byte.MAX_VALUE [Number] | Test.java:187:39:187:39 | b |
+| Test.java:191:14:191:28 | Short.MAX_VALUE [Number] | Test.java:194:41:194:41 | s |
+| Test.java:198:12:198:28 | Integer.MAX_VALUE [Number] | Test.java:201:37:201:37 | i |
+#select
+| Test.java:95:8:95:12 | ... + ... | Test.java:92:8:92:24 | Integer.MAX_VALUE [Number] | Test.java:95:8:95:8 | i | Variable i is assigned an extreme value $@, and may cause an overflow. | Test.java:92:8:92:24 | Integer.MAX_VALUE | MAX_VALUE |
+| Test.java:110:13:110:17 | ... - ... | Test.java:108:13:108:26 | Long.MIN_VALUE [Number] | Test.java:110:13:110:13 | i | Variable i is assigned an extreme value $@, and may cause an underflow. | Test.java:108:13:108:26 | Long.MIN_VALUE | MIN_VALUE |
+| Test.java:138:14:138:18 | ... + ... | Test.java:137:9:137:25 | Integer.MAX_VALUE [Number] | Test.java:138:14:138:14 | i | Variable i is assigned an extreme value $@, and may cause an overflow. | Test.java:137:9:137:25 | Integer.MAX_VALUE | MAX_VALUE |
+| Test.java:146:14:146:18 | ... + ... | Test.java:143:12:143:28 | Integer.MAX_VALUE [Number] | Test.java:146:14:146:14 | i | Variable i is assigned an extreme value $@, and may cause an overflow. | Test.java:143:12:143:28 | Integer.MAX_VALUE | MAX_VALUE |
+| Test.java:155:14:155:18 | ... + ... | Test.java:151:12:151:28 | Integer.MAX_VALUE [Number] | Test.java:155:14:155:14 | i | Variable i is assigned an extreme value $@, and may cause an overflow. | Test.java:151:12:151:28 | Integer.MAX_VALUE | MAX_VALUE |
+| Test.java:187:39:187:43 | ... + ... | Test.java:184:13:184:26 | Byte.MAX_VALUE [Number] | Test.java:187:39:187:39 | b | Variable b is assigned an extreme value $@, and may cause an overflow. | Test.java:184:13:184:26 | Byte.MAX_VALUE | MAX_VALUE |
+| Test.java:194:41:194:45 | ... + ... | Test.java:191:14:191:28 | Short.MAX_VALUE [Number] | Test.java:194:41:194:41 | s | Variable s is assigned an extreme value $@, and may cause an overflow. | Test.java:191:14:191:28 | Short.MAX_VALUE | MAX_VALUE |
+| Test.java:201:37:201:42 | ... + ... | Test.java:198:12:198:28 | Integer.MAX_VALUE [Number] | Test.java:201:37:201:37 | i | Variable i is assigned an extreme value $@, and may cause an overflow. | Test.java:198:12:198:28 | Integer.MAX_VALUE | MAX_VALUE |
diff --git a/java/ql/test/query-tests/security/CWE-327/semmle/tests/BrokenCryptoAlgorithm.expected b/java/ql/test/query-tests/security/CWE-327/semmle/tests/BrokenCryptoAlgorithm.expected
index 42492272df0f..29dfbb3bee1b 100644
--- a/java/ql/test/query-tests/security/CWE-327/semmle/tests/BrokenCryptoAlgorithm.expected
+++ b/java/ql/test/query-tests/security/CWE-327/semmle/tests/BrokenCryptoAlgorithm.expected
@@ -1,2 +1,6 @@
-| Test.java:19:20:19:50 | getInstance(...) | Cryptographic algorithm $@ is weak and should not be used. | Test.java:19:45:19:49 | "DES" | "DES" |
-| Test.java:42:14:42:38 | getInstance(...) | Cryptographic algorithm $@ is weak and should not be used. | Test.java:42:33:42:37 | "RC2" | "RC2" |
+edges
+| Test.java:19:45:19:49 | "DES" [String] | Test.java:19:45:19:49 | "DES" |
+| Test.java:42:33:42:37 | "RC2" [String] | Test.java:42:33:42:37 | "RC2" |
+#select
+| Test.java:19:20:19:50 | getInstance(...) | Test.java:19:45:19:49 | "DES" [String] | Test.java:19:45:19:49 | "DES" | Cryptographic algorithm $@ is weak and should not be used. | Test.java:19:45:19:49 | "DES" | "DES" |
+| Test.java:42:14:42:38 | getInstance(...) | Test.java:42:33:42:37 | "RC2" [String] | Test.java:42:33:42:37 | "RC2" | Cryptographic algorithm $@ is weak and should not be used. | Test.java:42:33:42:37 | "RC2" | "RC2" |
diff --git a/java/ql/test/query-tests/security/CWE-327/semmle/tests/MaybeBrokenCryptoAlgorithm.expected b/java/ql/test/query-tests/security/CWE-327/semmle/tests/MaybeBrokenCryptoAlgorithm.expected
index 13acd5a22bb1..b0f956155c4b 100644
--- a/java/ql/test/query-tests/security/CWE-327/semmle/tests/MaybeBrokenCryptoAlgorithm.expected
+++ b/java/ql/test/query-tests/security/CWE-327/semmle/tests/MaybeBrokenCryptoAlgorithm.expected
@@ -1 +1,4 @@
-| Test.java:34:21:34:53 | new SecretKeySpec(...) | Cryptographic algorithm $@ may not be secure, consider using a different algorithm. | Test.java:34:48:34:52 | "foo" | "foo" |
+edges
+| Test.java:34:48:34:52 | "foo" [String] | Test.java:34:48:34:52 | "foo" |
+#select
+| Test.java:34:21:34:53 | new SecretKeySpec(...) | Test.java:34:48:34:52 | "foo" [String] | Test.java:34:48:34:52 | "foo" | Cryptographic algorithm $@ may not be secure, consider using a different algorithm. | Test.java:34:48:34:52 | "foo" | "foo" |
diff --git a/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected b/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected
index b0dde770e099..545a8644ee81 100644
--- a/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected
+++ b/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected
@@ -1,18 +1,38 @@
-| A.java:15:12:15:26 | readObject(...) | Unsafe deserialization of $@. | A.java:13:31:13:51 | getInputStream(...) | user input |
-| A.java:21:12:21:28 | readUnshared(...) | Unsafe deserialization of $@. | A.java:19:31:19:51 | getInputStream(...) | user input |
-| A.java:27:12:27:25 | readObject(...) | Unsafe deserialization of $@. | A.java:25:31:25:51 | getInputStream(...) | user input |
-| A.java:34:12:34:29 | fromXML(...) | Unsafe deserialization of $@. | A.java:32:31:32:51 | getInputStream(...) | user input |
-| A.java:40:12:40:42 | readObject(...) | Unsafe deserialization of $@. | A.java:39:29:39:49 | getInputStream(...) | user input |
-| A.java:41:12:41:48 | readObjectOrNull(...) | Unsafe deserialization of $@. | A.java:39:29:39:49 | getInputStream(...) | user input |
-| A.java:42:16:42:45 | readClassAndObject(...) | Unsafe deserialization of $@. | A.java:39:29:39:49 | getInputStream(...) | user input |
-| A.java:61:16:61:31 | load(...) | Unsafe deserialization of $@. | A.java:60:25:60:45 | getInputStream(...) | user input |
-| A.java:62:17:62:35 | loadAll(...) | Unsafe deserialization of $@. | A.java:60:25:60:45 | getInputStream(...) | user input |
-| A.java:63:17:63:56 | parse(...) | Unsafe deserialization of $@. | A.java:60:25:60:45 | getInputStream(...) | user input |
-| A.java:64:12:64:38 | loadAs(...) | Unsafe deserialization of $@. | A.java:60:25:60:45 | getInputStream(...) | user input |
-| A.java:65:12:65:61 | loadAs(...) | Unsafe deserialization of $@. | A.java:60:25:60:45 | getInputStream(...) | user input |
-| A.java:71:16:71:31 | load(...) | Unsafe deserialization of $@. | A.java:70:25:70:45 | getInputStream(...) | user input |
-| A.java:72:17:72:35 | loadAll(...) | Unsafe deserialization of $@. | A.java:70:25:70:45 | getInputStream(...) | user input |
-| A.java:73:17:73:56 | parse(...) | Unsafe deserialization of $@. | A.java:70:25:70:45 | getInputStream(...) | user input |
-| A.java:74:12:74:38 | loadAs(...) | Unsafe deserialization of $@. | A.java:70:25:70:45 | getInputStream(...) | user input |
-| A.java:75:12:75:61 | loadAs(...) | Unsafe deserialization of $@. | A.java:70:25:70:45 | getInputStream(...) | user input |
-| TestMessageBodyReader.java:22:18:22:65 | readObject(...) | Unsafe deserialization of $@. | TestMessageBodyReader.java:20:55:20:78 | entityStream | user input |
+edges
+| A.java:13:31:13:51 | getInputStream(...) [InputStream] | A.java:15:12:15:13 | in |
+| A.java:19:31:19:51 | getInputStream(...) [InputStream] | A.java:21:12:21:13 | in |
+| A.java:25:31:25:51 | getInputStream(...) [InputStream] | A.java:27:12:27:12 | d |
+| A.java:32:31:32:51 | getInputStream(...) [InputStream] | A.java:34:23:34:28 | reader |
+| A.java:39:29:39:49 | getInputStream(...) [InputStream] | A.java:40:28:40:32 | input |
+| A.java:39:29:39:49 | getInputStream(...) [InputStream] | A.java:41:34:41:38 | input |
+| A.java:39:29:39:49 | getInputStream(...) [InputStream] | A.java:42:40:42:44 | input |
+| A.java:60:25:60:45 | getInputStream(...) [InputStream] | A.java:61:26:61:30 | input |
+| A.java:60:25:60:45 | getInputStream(...) [InputStream] | A.java:62:30:62:34 | input |
+| A.java:60:25:60:45 | getInputStream(...) [InputStream] | A.java:63:28:63:55 | new InputStreamReader(...) |
+| A.java:60:25:60:45 | getInputStream(...) [InputStream] | A.java:64:24:64:28 | input |
+| A.java:60:25:60:45 | getInputStream(...) [InputStream] | A.java:65:24:65:51 | new InputStreamReader(...) |
+| A.java:70:25:70:45 | getInputStream(...) [InputStream] | A.java:71:26:71:30 | input |
+| A.java:70:25:70:45 | getInputStream(...) [InputStream] | A.java:72:30:72:34 | input |
+| A.java:70:25:70:45 | getInputStream(...) [InputStream] | A.java:73:28:73:55 | new InputStreamReader(...) |
+| A.java:70:25:70:45 | getInputStream(...) [InputStream] | A.java:74:24:74:28 | input |
+| A.java:70:25:70:45 | getInputStream(...) [InputStream] | A.java:75:24:75:51 | new InputStreamReader(...) |
+| TestMessageBodyReader.java:20:55:20:78 | entityStream [InputStream] | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) |
+#select
+| A.java:15:12:15:26 | readObject(...) | A.java:13:31:13:51 | getInputStream(...) [InputStream] | A.java:15:12:15:13 | in | Unsafe deserialization of $@. | A.java:13:31:13:51 | getInputStream(...) | user input |
+| A.java:21:12:21:28 | readUnshared(...) | A.java:19:31:19:51 | getInputStream(...) [InputStream] | A.java:21:12:21:13 | in | Unsafe deserialization of $@. | A.java:19:31:19:51 | getInputStream(...) | user input |
+| A.java:27:12:27:25 | readObject(...) | A.java:25:31:25:51 | getInputStream(...) [InputStream] | A.java:27:12:27:12 | d | Unsafe deserialization of $@. | A.java:25:31:25:51 | getInputStream(...) | user input |
+| A.java:34:12:34:29 | fromXML(...) | A.java:32:31:32:51 | getInputStream(...) [InputStream] | A.java:34:23:34:28 | reader | Unsafe deserialization of $@. | A.java:32:31:32:51 | getInputStream(...) | user input |
+| A.java:40:12:40:42 | readObject(...) | A.java:39:29:39:49 | getInputStream(...) [InputStream] | A.java:40:28:40:32 | input | Unsafe deserialization of $@. | A.java:39:29:39:49 | getInputStream(...) | user input |
+| A.java:41:12:41:48 | readObjectOrNull(...) | A.java:39:29:39:49 | getInputStream(...) [InputStream] | A.java:41:34:41:38 | input | Unsafe deserialization of $@. | A.java:39:29:39:49 | getInputStream(...) | user input |
+| A.java:42:16:42:45 | readClassAndObject(...) | A.java:39:29:39:49 | getInputStream(...) [InputStream] | A.java:42:40:42:44 | input | Unsafe deserialization of $@. | A.java:39:29:39:49 | getInputStream(...) | user input |
+| A.java:61:16:61:31 | load(...) | A.java:60:25:60:45 | getInputStream(...) [InputStream] | A.java:61:26:61:30 | input | Unsafe deserialization of $@. | A.java:60:25:60:45 | getInputStream(...) | user input |
+| A.java:62:17:62:35 | loadAll(...) | A.java:60:25:60:45 | getInputStream(...) [InputStream] | A.java:62:30:62:34 | input | Unsafe deserialization of $@. | A.java:60:25:60:45 | getInputStream(...) | user input |
+| A.java:63:17:63:56 | parse(...) | A.java:60:25:60:45 | getInputStream(...) [InputStream] | A.java:63:28:63:55 | new InputStreamReader(...) | Unsafe deserialization of $@. | A.java:60:25:60:45 | getInputStream(...) | user input |
+| A.java:64:12:64:38 | loadAs(...) | A.java:60:25:60:45 | getInputStream(...) [InputStream] | A.java:64:24:64:28 | input | Unsafe deserialization of $@. | A.java:60:25:60:45 | getInputStream(...) | user input |
+| A.java:65:12:65:61 | loadAs(...) | A.java:60:25:60:45 | getInputStream(...) [InputStream] | A.java:65:24:65:51 | new InputStreamReader(...) | Unsafe deserialization of $@. | A.java:60:25:60:45 | getInputStream(...) | user input |
+| A.java:71:16:71:31 | load(...) | A.java:70:25:70:45 | getInputStream(...) [InputStream] | A.java:71:26:71:30 | input | Unsafe deserialization of $@. | A.java:70:25:70:45 | getInputStream(...) | user input |
+| A.java:72:17:72:35 | loadAll(...) | A.java:70:25:70:45 | getInputStream(...) [InputStream] | A.java:72:30:72:34 | input | Unsafe deserialization of $@. | A.java:70:25:70:45 | getInputStream(...) | user input |
+| A.java:73:17:73:56 | parse(...) | A.java:70:25:70:45 | getInputStream(...) [InputStream] | A.java:73:28:73:55 | new InputStreamReader(...) | Unsafe deserialization of $@. | A.java:70:25:70:45 | getInputStream(...) | user input |
+| A.java:74:12:74:38 | loadAs(...) | A.java:70:25:70:45 | getInputStream(...) [InputStream] | A.java:74:24:74:28 | input | Unsafe deserialization of $@. | A.java:70:25:70:45 | getInputStream(...) | user input |
+| A.java:75:12:75:61 | loadAs(...) | A.java:70:25:70:45 | getInputStream(...) [InputStream] | A.java:75:24:75:51 | new InputStreamReader(...) | Unsafe deserialization of $@. | A.java:70:25:70:45 | getInputStream(...) | user input |
+| TestMessageBodyReader.java:22:18:22:65 | readObject(...) | TestMessageBodyReader.java:20:55:20:78 | entityStream [InputStream] | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | Unsafe deserialization of $@. | TestMessageBodyReader.java:20:55:20:78 | entityStream | user input |
diff --git a/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.expected b/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.expected
index 43b1301170a4..479d7172c307 100644
--- a/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.expected
+++ b/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.expected
@@ -1,4 +1,10 @@
-| UrlRedirect.java:23:25:23:54 | getParameter(...) | Potentially untrusted URL redirection due to $@. | UrlRedirect.java:23:25:23:54 | getParameter(...) | user-provided value |
-| UrlRedirect.java:36:25:36:89 | ... + ... | Potentially untrusted URL redirection due to $@. | UrlRedirect.java:36:58:36:89 | getParameter(...) | user-provided value |
-| UrlRedirect.java:39:34:39:63 | getParameter(...) | Potentially untrusted URL redirection due to $@. | UrlRedirect.java:39:34:39:63 | getParameter(...) | user-provided value |
-| UrlRedirect.java:42:43:42:72 | getParameter(...) | Potentially untrusted URL redirection due to $@. | UrlRedirect.java:42:43:42:72 | getParameter(...) | user-provided value |
\ No newline at end of file
+edges
+| UrlRedirect.java:23:25:23:54 | getParameter(...) [String] | UrlRedirect.java:23:25:23:54 | getParameter(...) |
+| UrlRedirect.java:36:58:36:89 | getParameter(...) [String] | UrlRedirect.java:36:25:36:89 | ... + ... |
+| UrlRedirect.java:39:34:39:63 | getParameter(...) [String] | UrlRedirect.java:39:34:39:63 | getParameter(...) |
+| UrlRedirect.java:42:43:42:72 | getParameter(...) [String] | UrlRedirect.java:42:43:42:72 | getParameter(...) |
+#select
+| UrlRedirect.java:23:25:23:54 | getParameter(...) | UrlRedirect.java:23:25:23:54 | getParameter(...) [String] | UrlRedirect.java:23:25:23:54 | getParameter(...) | Potentially untrusted URL redirection due to $@. | UrlRedirect.java:23:25:23:54 | getParameter(...) | user-provided value |
+| UrlRedirect.java:36:25:36:89 | ... + ... | UrlRedirect.java:36:58:36:89 | getParameter(...) [String] | UrlRedirect.java:36:25:36:89 | ... + ... | Potentially untrusted URL redirection due to $@. | UrlRedirect.java:36:58:36:89 | getParameter(...) | user-provided value |
+| UrlRedirect.java:39:34:39:63 | getParameter(...) | UrlRedirect.java:39:34:39:63 | getParameter(...) [String] | UrlRedirect.java:39:34:39:63 | getParameter(...) | Potentially untrusted URL redirection due to $@. | UrlRedirect.java:39:34:39:63 | getParameter(...) | user-provided value |
+| UrlRedirect.java:42:43:42:72 | getParameter(...) | UrlRedirect.java:42:43:42:72 | getParameter(...) [String] | UrlRedirect.java:42:43:42:72 | getParameter(...) | Potentially untrusted URL redirection due to $@. | UrlRedirect.java:42:43:42:72 | getParameter(...) | user-provided value |
diff --git a/java/ql/test/query-tests/security/CWE-611/XXE.expected b/java/ql/test/query-tests/security/CWE-611/XXE.expected
index 2f754473bc40..1677c9449724 100644
--- a/java/ql/test/query-tests/security/CWE-611/XXE.expected
+++ b/java/ql/test/query-tests/security/CWE-611/XXE.expected
@@ -1,94 +1,190 @@
-| DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | user input |
-| DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | user input |
-| DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | user input |
-| DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | user input |
-| DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | user input |
-| DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | user input |
-| DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | user input |
-| DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) | user input |
-| DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) | user input |
-| DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) | user input |
-| SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | user input |
-| SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | user input |
-| SAXParserTests.java:13:18:13:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:13:18:13:38 | getInputStream(...) | user input |
-| SAXParserTests.java:30:18:30:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:30:18:30:38 | getInputStream(...) | user input |
-| SAXParserTests.java:38:18:38:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:38:18:38:38 | getInputStream(...) | user input |
-| SAXParserTests.java:46:18:46:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:46:18:46:38 | getInputStream(...) | user input |
-| SAXParserTests.java:55:18:55:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:55:18:55:38 | getInputStream(...) | user input |
-| SAXParserTests.java:64:18:64:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:64:18:64:38 | getInputStream(...) | user input |
-| SAXParserTests.java:73:18:73:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:73:18:73:38 | getInputStream(...) | user input |
-| SAXReaderTests.java:8:17:8:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | user input |
-| SAXReaderTests.java:23:17:23:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | user input |
-| SAXReaderTests.java:30:17:30:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | user input |
-| SAXReaderTests.java:37:17:37:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:37:17:37:37 | getInputStream(...) | user input |
-| SAXReaderTests.java:45:17:45:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | user input |
-| SAXReaderTests.java:53:17:53:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | user input |
-| SAXReaderTests.java:61:17:61:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | user input |
-| SchemaTests.java:12:39:12:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:12:56:12:76 | getInputStream(...) | user input |
-| SchemaTests.java:25:39:25:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:25:56:25:76 | getInputStream(...) | user input |
-| SchemaTests.java:31:39:31:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:31:56:31:76 | getInputStream(...) | user input |
-| SchemaTests.java:38:39:38:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:38:56:38:76 | getInputStream(...) | user input |
-| SchemaTests.java:45:39:45:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:45:56:45:76 | getInputStream(...) | user input |
-| SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | user input |
-| SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | user input |
-| SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:24:63:24:83 | getInputStream(...) | user input |
-| SimpleXMLTests.java:31:41:31:53 | new String(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:30:5:30:25 | getInputStream(...) | user input |
-| SimpleXMLTests.java:38:41:38:53 | new String(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:37:5:37:25 | getInputStream(...) | user input |
-| SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:43:63:43:83 | getInputStream(...) | user input |
-| SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | user input |
-| SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | user input |
-| SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | user input |
-| SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | user input |
-| SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:68:59:68:79 | getInputStream(...) | user input |
-| SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:73:59:73:79 | getInputStream(...) | user input |
-| SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:78:48:78:68 | getInputStream(...) | user input |
-| SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:83:48:83:68 | getInputStream(...) | user input |
-| SimpleXMLTests.java:90:37:90:49 | new String(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:89:5:89:25 | getInputStream(...) | user input |
-| SimpleXMLTests.java:97:37:97:49 | new String(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:96:5:96:25 | getInputStream(...) | user input |
-| SimpleXMLTests.java:104:26:104:38 | new String(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:103:5:103:25 | getInputStream(...) | user input |
-| SimpleXMLTests.java:111:26:111:38 | new String(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:110:5:110:25 | getInputStream(...) | user input |
-| SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | user input |
-| SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:119:44:119:64 | getInputStream(...) | user input |
-| SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | user input |
-| SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:129:44:129:64 | getInputStream(...) | user input |
-| SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | user input |
-| SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:139:44:139:64 | getInputStream(...) | user input |
-| SimpleXMLTests.java:146:22:146:34 | new String(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:145:5:145:25 | getInputStream(...) | user input |
-| SimpleXMLTests.java:153:22:153:34 | new String(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:152:5:152:25 | getInputStream(...) | user input |
-| TransformerTests.java:20:27:20:65 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:20:44:20:64 | getInputStream(...) | user input |
-| TransformerTests.java:21:23:21:61 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:21:40:21:60 | getInputStream(...) | user input |
-| TransformerTests.java:71:27:71:65 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:71:44:71:64 | getInputStream(...) | user input |
-| TransformerTests.java:72:23:72:61 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:72:40:72:60 | getInputStream(...) | user input |
-| TransformerTests.java:79:27:79:65 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:79:44:79:64 | getInputStream(...) | user input |
-| TransformerTests.java:80:23:80:61 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:80:40:80:60 | getInputStream(...) | user input |
-| TransformerTests.java:88:27:88:65 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:88:44:88:64 | getInputStream(...) | user input |
-| TransformerTests.java:89:23:89:61 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:89:40:89:60 | getInputStream(...) | user input |
-| TransformerTests.java:97:27:97:65 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:97:44:97:64 | getInputStream(...) | user input |
-| TransformerTests.java:98:23:98:61 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:98:40:98:60 | getInputStream(...) | user input |
-| TransformerTests.java:103:21:103:59 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:103:38:103:58 | getInputStream(...) | user input |
-| TransformerTests.java:116:21:116:59 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:116:38:116:58 | getInputStream(...) | user input |
-| TransformerTests.java:122:21:122:59 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:122:38:122:58 | getInputStream(...) | user input |
-| TransformerTests.java:129:21:129:59 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:129:38:129:58 | getInputStream(...) | user input |
-| TransformerTests.java:136:21:136:59 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:136:38:136:58 | getInputStream(...) | user input |
-| TransformerTests.java:141:18:141:70 | new SAXSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:141:48:141:68 | getInputStream(...) | user input |
-| XMLReaderTests.java:16:18:16:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:16:34:16:54 | getInputStream(...) | user input |
-| XMLReaderTests.java:56:18:56:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:56:34:56:54 | getInputStream(...) | user input |
-| XMLReaderTests.java:63:18:63:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:63:34:63:54 | getInputStream(...) | user input |
-| XMLReaderTests.java:70:18:70:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:70:34:70:54 | getInputStream(...) | user input |
-| XMLReaderTests.java:78:18:78:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:78:34:78:54 | getInputStream(...) | user input |
-| XMLReaderTests.java:86:18:86:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:86:34:86:54 | getInputStream(...) | user input |
-| XMLReaderTests.java:94:18:94:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:94:34:94:54 | getInputStream(...) | user input |
-| XMLReaderTests.java:100:18:100:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:100:34:100:54 | getInputStream(...) | user input |
-| XPathExpressionTests.java:27:21:27:58 | new InputSource(...) | Unsafe parsing of XML file from $@. | XPathExpressionTests.java:27:37:27:57 | getInputStream(...) | user input |
-| XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | user input |
-| XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | user input |
-| XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | user input |
-| XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | user input |
-| XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | user input |
-| XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | user input |
-| XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | user input |
-| XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | user input |
-| XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | user input |
-| XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | user input |
-| XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | user input |
-| XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | user input |
+edges
+| DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) [InputStream] | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) |
+| DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) [InputStream] | DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) |
+| DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) [InputStream] | DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) |
+| DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) [InputStream] | DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) |
+| DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) [InputStream] | DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) |
+| DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) [InputStream] | DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) |
+| DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) [InputStream] | DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) |
+| DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) [InputStream] | DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) |
+| DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) [InputStream] | DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) |
+| DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) [InputStream] | DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) |
+| SAXBuilderTests.java:8:19:8:39 | getInputStream(...) [InputStream] | SAXBuilderTests.java:8:19:8:39 | getInputStream(...) |
+| SAXBuilderTests.java:20:19:20:39 | getInputStream(...) [InputStream] | SAXBuilderTests.java:20:19:20:39 | getInputStream(...) |
+| SAXParserTests.java:13:18:13:38 | getInputStream(...) [InputStream] | SAXParserTests.java:13:18:13:38 | getInputStream(...) |
+| SAXParserTests.java:30:18:30:38 | getInputStream(...) [InputStream] | SAXParserTests.java:30:18:30:38 | getInputStream(...) |
+| SAXParserTests.java:38:18:38:38 | getInputStream(...) [InputStream] | SAXParserTests.java:38:18:38:38 | getInputStream(...) |
+| SAXParserTests.java:46:18:46:38 | getInputStream(...) [InputStream] | SAXParserTests.java:46:18:46:38 | getInputStream(...) |
+| SAXParserTests.java:55:18:55:38 | getInputStream(...) [InputStream] | SAXParserTests.java:55:18:55:38 | getInputStream(...) |
+| SAXParserTests.java:64:18:64:38 | getInputStream(...) [InputStream] | SAXParserTests.java:64:18:64:38 | getInputStream(...) |
+| SAXParserTests.java:73:18:73:38 | getInputStream(...) [InputStream] | SAXParserTests.java:73:18:73:38 | getInputStream(...) |
+| SAXReaderTests.java:8:17:8:37 | getInputStream(...) [InputStream] | SAXReaderTests.java:8:17:8:37 | getInputStream(...) |
+| SAXReaderTests.java:23:17:23:37 | getInputStream(...) [InputStream] | SAXReaderTests.java:23:17:23:37 | getInputStream(...) |
+| SAXReaderTests.java:30:17:30:37 | getInputStream(...) [InputStream] | SAXReaderTests.java:30:17:30:37 | getInputStream(...) |
+| SAXReaderTests.java:37:17:37:37 | getInputStream(...) [InputStream] | SAXReaderTests.java:37:17:37:37 | getInputStream(...) |
+| SAXReaderTests.java:45:17:45:37 | getInputStream(...) [InputStream] | SAXReaderTests.java:45:17:45:37 | getInputStream(...) |
+| SAXReaderTests.java:53:17:53:37 | getInputStream(...) [InputStream] | SAXReaderTests.java:53:17:53:37 | getInputStream(...) |
+| SAXReaderTests.java:61:17:61:37 | getInputStream(...) [InputStream] | SAXReaderTests.java:61:17:61:37 | getInputStream(...) |
+| SchemaTests.java:12:56:12:76 | getInputStream(...) [InputStream] | SchemaTests.java:12:39:12:77 | new StreamSource(...) |
+| SchemaTests.java:25:56:25:76 | getInputStream(...) [InputStream] | SchemaTests.java:25:39:25:77 | new StreamSource(...) |
+| SchemaTests.java:31:56:31:76 | getInputStream(...) [InputStream] | SchemaTests.java:31:39:31:77 | new StreamSource(...) |
+| SchemaTests.java:38:56:38:76 | getInputStream(...) [InputStream] | SchemaTests.java:38:39:38:77 | new StreamSource(...) |
+| SchemaTests.java:45:56:45:76 | getInputStream(...) [InputStream] | SchemaTests.java:45:39:45:77 | new StreamSource(...) |
+| SimpleXMLTests.java:14:41:14:61 | getInputStream(...) [InputStream] | SimpleXMLTests.java:14:41:14:61 | getInputStream(...) |
+| SimpleXMLTests.java:19:41:19:61 | getInputStream(...) [InputStream] | SimpleXMLTests.java:19:41:19:61 | getInputStream(...) |
+| SimpleXMLTests.java:24:63:24:83 | getInputStream(...) [InputStream] | SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) |
+| SimpleXMLTests.java:30:5:30:25 | getInputStream(...) [InputStream] | SimpleXMLTests.java:31:41:31:53 | new String(...) |
+| SimpleXMLTests.java:37:5:37:25 | getInputStream(...) [InputStream] | SimpleXMLTests.java:38:41:38:53 | new String(...) |
+| SimpleXMLTests.java:43:63:43:83 | getInputStream(...) [InputStream] | SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) |
+| SimpleXMLTests.java:48:37:48:57 | getInputStream(...) [InputStream] | SimpleXMLTests.java:48:37:48:57 | getInputStream(...) |
+| SimpleXMLTests.java:53:37:53:57 | getInputStream(...) [InputStream] | SimpleXMLTests.java:53:37:53:57 | getInputStream(...) |
+| SimpleXMLTests.java:58:26:58:46 | getInputStream(...) [InputStream] | SimpleXMLTests.java:58:26:58:46 | getInputStream(...) |
+| SimpleXMLTests.java:63:26:63:46 | getInputStream(...) [InputStream] | SimpleXMLTests.java:63:26:63:46 | getInputStream(...) |
+| SimpleXMLTests.java:68:59:68:79 | getInputStream(...) [InputStream] | SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) |
+| SimpleXMLTests.java:73:59:73:79 | getInputStream(...) [InputStream] | SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) |
+| SimpleXMLTests.java:78:48:78:68 | getInputStream(...) [InputStream] | SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) |
+| SimpleXMLTests.java:83:48:83:68 | getInputStream(...) [InputStream] | SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) |
+| SimpleXMLTests.java:89:5:89:25 | getInputStream(...) [InputStream] | SimpleXMLTests.java:90:37:90:49 | new String(...) |
+| SimpleXMLTests.java:96:5:96:25 | getInputStream(...) [InputStream] | SimpleXMLTests.java:97:37:97:49 | new String(...) |
+| SimpleXMLTests.java:103:5:103:25 | getInputStream(...) [InputStream] | SimpleXMLTests.java:104:26:104:38 | new String(...) |
+| SimpleXMLTests.java:110:5:110:25 | getInputStream(...) [InputStream] | SimpleXMLTests.java:111:26:111:38 | new String(...) |
+| SimpleXMLTests.java:115:22:115:42 | getInputStream(...) [InputStream] | SimpleXMLTests.java:115:22:115:42 | getInputStream(...) |
+| SimpleXMLTests.java:119:44:119:64 | getInputStream(...) [InputStream] | SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) |
+| SimpleXMLTests.java:124:22:124:42 | getInputStream(...) [InputStream] | SimpleXMLTests.java:124:22:124:42 | getInputStream(...) |
+| SimpleXMLTests.java:129:44:129:64 | getInputStream(...) [InputStream] | SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) |
+| SimpleXMLTests.java:134:22:134:42 | getInputStream(...) [InputStream] | SimpleXMLTests.java:134:22:134:42 | getInputStream(...) |
+| SimpleXMLTests.java:139:44:139:64 | getInputStream(...) [InputStream] | SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) |
+| SimpleXMLTests.java:145:5:145:25 | getInputStream(...) [InputStream] | SimpleXMLTests.java:146:22:146:34 | new String(...) |
+| SimpleXMLTests.java:152:5:152:25 | getInputStream(...) [InputStream] | SimpleXMLTests.java:153:22:153:34 | new String(...) |
+| TransformerTests.java:20:44:20:64 | getInputStream(...)
[InputStream] | TransformerTests.java:20:27:20:65 | new StreamSource(...) | +| TransformerTests.java:21:40:21:60 | getInputStream(...) [InputStream] | TransformerTests.java:21:23:21:61 | new StreamSource(...) | +| TransformerTests.java:71:44:71:64 | getInputStream(...) [InputStream] | TransformerTests.java:71:27:71:65 | new StreamSource(...) | +| TransformerTests.java:72:40:72:60 | getInputStream(...) [InputStream] | TransformerTests.java:72:23:72:61 | new StreamSource(...) | +| TransformerTests.java:79:44:79:64 | getInputStream(...) [InputStream] | TransformerTests.java:79:27:79:65 | new StreamSource(...) | +| TransformerTests.java:80:40:80:60 | getInputStream(...) [InputStream] | TransformerTests.java:80:23:80:61 | new StreamSource(...) | +| TransformerTests.java:88:44:88:64 | getInputStream(...) [InputStream] | TransformerTests.java:88:27:88:65 | new StreamSource(...) | +| TransformerTests.java:89:40:89:60 | getInputStream(...) [InputStream] | TransformerTests.java:89:23:89:61 | new StreamSource(...) | +| TransformerTests.java:97:44:97:64 | getInputStream(...) [InputStream] | TransformerTests.java:97:27:97:65 | new StreamSource(...) | +| TransformerTests.java:98:40:98:60 | getInputStream(...) [InputStream] | TransformerTests.java:98:23:98:61 | new StreamSource(...) | +| TransformerTests.java:103:38:103:58 | getInputStream(...) [InputStream] | TransformerTests.java:103:21:103:59 | new StreamSource(...) | +| TransformerTests.java:116:38:116:58 | getInputStream(...) [InputStream] | TransformerTests.java:116:21:116:59 | new StreamSource(...) | +| TransformerTests.java:122:38:122:58 | getInputStream(...) [InputStream] | TransformerTests.java:122:21:122:59 | new StreamSource(...) | +| TransformerTests.java:129:38:129:58 | getInputStream(...) [InputStream] | TransformerTests.java:129:21:129:59 | new StreamSource(...) | +| TransformerTests.java:136:38:136:58 | getInputStream(...) [InputStream] | TransformerTests.java:136:21:136:59 | new StreamSource(...) 
| +| TransformerTests.java:141:48:141:68 | getInputStream(...) [InputStream] | TransformerTests.java:141:18:141:70 | new SAXSource(...) | +| XMLReaderTests.java:16:34:16:54 | getInputStream(...) [InputStream] | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | +| XMLReaderTests.java:56:34:56:54 | getInputStream(...) [InputStream] | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | +| XMLReaderTests.java:63:34:63:54 | getInputStream(...) [InputStream] | XMLReaderTests.java:63:18:63:55 | new InputSource(...) | +| XMLReaderTests.java:70:34:70:54 | getInputStream(...) [InputStream] | XMLReaderTests.java:70:18:70:55 | new InputSource(...) | +| XMLReaderTests.java:78:34:78:54 | getInputStream(...) [InputStream] | XMLReaderTests.java:78:18:78:55 | new InputSource(...) | +| XMLReaderTests.java:86:34:86:54 | getInputStream(...) [InputStream] | XMLReaderTests.java:86:18:86:55 | new InputSource(...) | +| XMLReaderTests.java:94:34:94:54 | getInputStream(...) [InputStream] | XMLReaderTests.java:94:18:94:55 | new InputSource(...) | +| XMLReaderTests.java:100:34:100:54 | getInputStream(...) [InputStream] | XMLReaderTests.java:100:18:100:55 | new InputSource(...) | +| XPathExpressionTests.java:27:37:27:57 | getInputStream(...) [InputStream] | XPathExpressionTests.java:27:21:27:58 | new InputSource(...) | +| XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | +| XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | +| XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | +| XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | +| XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) 
[InputStream] | XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | +| XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | +| XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | +| XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | +| XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | +| XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | +| XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | +| XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | +#select +| DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) [InputStream] | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | user input | +| DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) [InputStream] | DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | user input | +| DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) [InputStream] | DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | Unsafe parsing of XML file from $@. 
| DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | user input | +| DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) [InputStream] | DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | user input | +| DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) [InputStream] | DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | user input | +| DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) [InputStream] | DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | user input | +| DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) [InputStream] | DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | user input | +| DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) | DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) [InputStream] | DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) | user input | +| DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) [InputStream] | DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) 
| user input | +| DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) [InputStream] | DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) | user input | +| SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | SAXBuilderTests.java:8:19:8:39 | getInputStream(...) [InputStream] | SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | user input | +| SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | SAXBuilderTests.java:20:19:20:39 | getInputStream(...) [InputStream] | SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | user input | +| SAXParserTests.java:13:18:13:38 | getInputStream(...) | SAXParserTests.java:13:18:13:38 | getInputStream(...) [InputStream] | SAXParserTests.java:13:18:13:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:13:18:13:38 | getInputStream(...) | user input | +| SAXParserTests.java:30:18:30:38 | getInputStream(...) | SAXParserTests.java:30:18:30:38 | getInputStream(...) [InputStream] | SAXParserTests.java:30:18:30:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:30:18:30:38 | getInputStream(...) | user input | +| SAXParserTests.java:38:18:38:38 | getInputStream(...) | SAXParserTests.java:38:18:38:38 | getInputStream(...) [InputStream] | SAXParserTests.java:38:18:38:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:38:18:38:38 | getInputStream(...) | user input | +| SAXParserTests.java:46:18:46:38 | getInputStream(...) | SAXParserTests.java:46:18:46:38 | getInputStream(...) [InputStream] | SAXParserTests.java:46:18:46:38 | getInputStream(...) 
| Unsafe parsing of XML file from $@. | SAXParserTests.java:46:18:46:38 | getInputStream(...) | user input | +| SAXParserTests.java:55:18:55:38 | getInputStream(...) | SAXParserTests.java:55:18:55:38 | getInputStream(...) [InputStream] | SAXParserTests.java:55:18:55:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:55:18:55:38 | getInputStream(...) | user input | +| SAXParserTests.java:64:18:64:38 | getInputStream(...) | SAXParserTests.java:64:18:64:38 | getInputStream(...) [InputStream] | SAXParserTests.java:64:18:64:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:64:18:64:38 | getInputStream(...) | user input | +| SAXParserTests.java:73:18:73:38 | getInputStream(...) | SAXParserTests.java:73:18:73:38 | getInputStream(...) [InputStream] | SAXParserTests.java:73:18:73:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:73:18:73:38 | getInputStream(...) | user input | +| SAXReaderTests.java:8:17:8:37 | getInputStream(...) | SAXReaderTests.java:8:17:8:37 | getInputStream(...) [InputStream] | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | user input | +| SAXReaderTests.java:23:17:23:37 | getInputStream(...) | SAXReaderTests.java:23:17:23:37 | getInputStream(...) [InputStream] | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | user input | +| SAXReaderTests.java:30:17:30:37 | getInputStream(...) | SAXReaderTests.java:30:17:30:37 | getInputStream(...) [InputStream] | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | user input | +| SAXReaderTests.java:37:17:37:37 | getInputStream(...) | SAXReaderTests.java:37:17:37:37 | getInputStream(...) 
[InputStream] | SAXReaderTests.java:37:17:37:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:37:17:37:37 | getInputStream(...) | user input | +| SAXReaderTests.java:45:17:45:37 | getInputStream(...) | SAXReaderTests.java:45:17:45:37 | getInputStream(...) [InputStream] | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | user input | +| SAXReaderTests.java:53:17:53:37 | getInputStream(...) | SAXReaderTests.java:53:17:53:37 | getInputStream(...) [InputStream] | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | user input | +| SAXReaderTests.java:61:17:61:37 | getInputStream(...) | SAXReaderTests.java:61:17:61:37 | getInputStream(...) [InputStream] | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | user input | +| SchemaTests.java:12:39:12:77 | new StreamSource(...) | SchemaTests.java:12:56:12:76 | getInputStream(...) [InputStream] | SchemaTests.java:12:39:12:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:12:56:12:76 | getInputStream(...) | user input | +| SchemaTests.java:25:39:25:77 | new StreamSource(...) | SchemaTests.java:25:56:25:76 | getInputStream(...) [InputStream] | SchemaTests.java:25:39:25:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:25:56:25:76 | getInputStream(...) | user input | +| SchemaTests.java:31:39:31:77 | new StreamSource(...) | SchemaTests.java:31:56:31:76 | getInputStream(...) [InputStream] | SchemaTests.java:31:39:31:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:31:56:31:76 | getInputStream(...) | user input | +| SchemaTests.java:38:39:38:77 | new StreamSource(...) 
| SchemaTests.java:38:56:38:76 | getInputStream(...) [InputStream] | SchemaTests.java:38:39:38:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:38:56:38:76 | getInputStream(...) | user input | +| SchemaTests.java:45:39:45:77 | new StreamSource(...) | SchemaTests.java:45:56:45:76 | getInputStream(...) [InputStream] | SchemaTests.java:45:39:45:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:45:56:45:76 | getInputStream(...) | user input | +| SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | SimpleXMLTests.java:14:41:14:61 | getInputStream(...) [InputStream] | SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:14:41:14:61 | getInputStream(...) | user input | +| SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | SimpleXMLTests.java:19:41:19:61 | getInputStream(...) [InputStream] | SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:19:41:19:61 | getInputStream(...) | user input | +| SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) | SimpleXMLTests.java:24:63:24:83 | getInputStream(...) [InputStream] | SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:24:63:24:83 | getInputStream(...) | user input | +| SimpleXMLTests.java:31:41:31:53 | new String(...) | SimpleXMLTests.java:30:5:30:25 | getInputStream(...) [InputStream] | SimpleXMLTests.java:31:41:31:53 | new String(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:30:5:30:25 | getInputStream(...) | user input | +| SimpleXMLTests.java:38:41:38:53 | new String(...) | SimpleXMLTests.java:37:5:37:25 | getInputStream(...) [InputStream] | SimpleXMLTests.java:38:41:38:53 | new String(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:37:5:37:25 | getInputStream(...) 
| user input | +| SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) | SimpleXMLTests.java:43:63:43:83 | getInputStream(...) [InputStream] | SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:43:63:43:83 | getInputStream(...) | user input | +| SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | SimpleXMLTests.java:48:37:48:57 | getInputStream(...) [InputStream] | SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:48:37:48:57 | getInputStream(...) | user input | +| SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | SimpleXMLTests.java:53:37:53:57 | getInputStream(...) [InputStream] | SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:53:37:53:57 | getInputStream(...) | user input | +| SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | SimpleXMLTests.java:58:26:58:46 | getInputStream(...) [InputStream] | SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:58:26:58:46 | getInputStream(...) | user input | +| SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | SimpleXMLTests.java:63:26:63:46 | getInputStream(...) [InputStream] | SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:63:26:63:46 | getInputStream(...) | user input | +| SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) | SimpleXMLTests.java:68:59:68:79 | getInputStream(...) [InputStream] | SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:68:59:68:79 | getInputStream(...) | user input | +| SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) | SimpleXMLTests.java:73:59:73:79 | getInputStream(...) [InputStream] | SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) 
| Unsafe parsing of XML file from $@. | SimpleXMLTests.java:73:59:73:79 | getInputStream(...) | user input | +| SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) | SimpleXMLTests.java:78:48:78:68 | getInputStream(...) [InputStream] | SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:78:48:78:68 | getInputStream(...) | user input | +| SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) | SimpleXMLTests.java:83:48:83:68 | getInputStream(...) [InputStream] | SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:83:48:83:68 | getInputStream(...) | user input | +| SimpleXMLTests.java:90:37:90:49 | new String(...) | SimpleXMLTests.java:89:5:89:25 | getInputStream(...) [InputStream] | SimpleXMLTests.java:90:37:90:49 | new String(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:89:5:89:25 | getInputStream(...) | user input | +| SimpleXMLTests.java:97:37:97:49 | new String(...) | SimpleXMLTests.java:96:5:96:25 | getInputStream(...) [InputStream] | SimpleXMLTests.java:97:37:97:49 | new String(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:96:5:96:25 | getInputStream(...) | user input | +| SimpleXMLTests.java:104:26:104:38 | new String(...) | SimpleXMLTests.java:103:5:103:25 | getInputStream(...) [InputStream] | SimpleXMLTests.java:104:26:104:38 | new String(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:103:5:103:25 | getInputStream(...) | user input | +| SimpleXMLTests.java:111:26:111:38 | new String(...) | SimpleXMLTests.java:110:5:110:25 | getInputStream(...) [InputStream] | SimpleXMLTests.java:111:26:111:38 | new String(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:110:5:110:25 | getInputStream(...) | user input | +| SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | SimpleXMLTests.java:115:22:115:42 | getInputStream(...) 
[InputStream] | SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | user input | +| SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) | SimpleXMLTests.java:119:44:119:64 | getInputStream(...) [InputStream] | SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:119:44:119:64 | getInputStream(...) | user input | +| SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | SimpleXMLTests.java:124:22:124:42 | getInputStream(...) [InputStream] | SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:124:22:124:42 | getInputStream(...) | user input | +| SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) | SimpleXMLTests.java:129:44:129:64 | getInputStream(...) [InputStream] | SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:129:44:129:64 | getInputStream(...) | user input | +| SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | SimpleXMLTests.java:134:22:134:42 | getInputStream(...) [InputStream] | SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:134:22:134:42 | getInputStream(...) | user input | +| SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) | SimpleXMLTests.java:139:44:139:64 | getInputStream(...) [InputStream] | SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:139:44:139:64 | getInputStream(...) | user input | +| SimpleXMLTests.java:146:22:146:34 | new String(...) | SimpleXMLTests.java:145:5:145:25 | getInputStream(...) [InputStream] | SimpleXMLTests.java:146:22:146:34 | new String(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:145:5:145:25 | getInputStream(...) 
| user input | +| SimpleXMLTests.java:153:22:153:34 | new String(...) | SimpleXMLTests.java:152:5:152:25 | getInputStream(...) [InputStream] | SimpleXMLTests.java:153:22:153:34 | new String(...) | Unsafe parsing of XML file from $@. | SimpleXMLTests.java:152:5:152:25 | getInputStream(...) | user input | +| TransformerTests.java:20:27:20:65 | new StreamSource(...) | TransformerTests.java:20:44:20:64 | getInputStream(...) [InputStream] | TransformerTests.java:20:27:20:65 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:20:44:20:64 | getInputStream(...) | user input | +| TransformerTests.java:21:23:21:61 | new StreamSource(...) | TransformerTests.java:21:40:21:60 | getInputStream(...) [InputStream] | TransformerTests.java:21:23:21:61 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:21:40:21:60 | getInputStream(...) | user input | +| TransformerTests.java:71:27:71:65 | new StreamSource(...) | TransformerTests.java:71:44:71:64 | getInputStream(...) [InputStream] | TransformerTests.java:71:27:71:65 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:71:44:71:64 | getInputStream(...) | user input | +| TransformerTests.java:72:23:72:61 | new StreamSource(...) | TransformerTests.java:72:40:72:60 | getInputStream(...) [InputStream] | TransformerTests.java:72:23:72:61 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:72:40:72:60 | getInputStream(...) | user input | +| TransformerTests.java:79:27:79:65 | new StreamSource(...) | TransformerTests.java:79:44:79:64 | getInputStream(...) [InputStream] | TransformerTests.java:79:27:79:65 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:79:44:79:64 | getInputStream(...) | user input | +| TransformerTests.java:80:23:80:61 | new StreamSource(...) | TransformerTests.java:80:40:80:60 | getInputStream(...) 
[InputStream] | TransformerTests.java:80:23:80:61 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:80:40:80:60 | getInputStream(...) | user input | +| TransformerTests.java:88:27:88:65 | new StreamSource(...) | TransformerTests.java:88:44:88:64 | getInputStream(...) [InputStream] | TransformerTests.java:88:27:88:65 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:88:44:88:64 | getInputStream(...) | user input | +| TransformerTests.java:89:23:89:61 | new StreamSource(...) | TransformerTests.java:89:40:89:60 | getInputStream(...) [InputStream] | TransformerTests.java:89:23:89:61 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:89:40:89:60 | getInputStream(...) | user input | +| TransformerTests.java:97:27:97:65 | new StreamSource(...) | TransformerTests.java:97:44:97:64 | getInputStream(...) [InputStream] | TransformerTests.java:97:27:97:65 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:97:44:97:64 | getInputStream(...) | user input | +| TransformerTests.java:98:23:98:61 | new StreamSource(...) | TransformerTests.java:98:40:98:60 | getInputStream(...) [InputStream] | TransformerTests.java:98:23:98:61 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:98:40:98:60 | getInputStream(...) | user input | +| TransformerTests.java:103:21:103:59 | new StreamSource(...) | TransformerTests.java:103:38:103:58 | getInputStream(...) [InputStream] | TransformerTests.java:103:21:103:59 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:103:38:103:58 | getInputStream(...) | user input | +| TransformerTests.java:116:21:116:59 | new StreamSource(...) | TransformerTests.java:116:38:116:58 | getInputStream(...) [InputStream] | TransformerTests.java:116:21:116:59 | new StreamSource(...) | Unsafe parsing of XML file from $@. 
| TransformerTests.java:116:38:116:58 | getInputStream(...) | user input | +| TransformerTests.java:122:21:122:59 | new StreamSource(...) | TransformerTests.java:122:38:122:58 | getInputStream(...) [InputStream] | TransformerTests.java:122:21:122:59 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:122:38:122:58 | getInputStream(...) | user input | +| TransformerTests.java:129:21:129:59 | new StreamSource(...) | TransformerTests.java:129:38:129:58 | getInputStream(...) [InputStream] | TransformerTests.java:129:21:129:59 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:129:38:129:58 | getInputStream(...) | user input | +| TransformerTests.java:136:21:136:59 | new StreamSource(...) | TransformerTests.java:136:38:136:58 | getInputStream(...) [InputStream] | TransformerTests.java:136:21:136:59 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:136:38:136:58 | getInputStream(...) | user input | +| TransformerTests.java:141:18:141:70 | new SAXSource(...) | TransformerTests.java:141:48:141:68 | getInputStream(...) [InputStream] | TransformerTests.java:141:18:141:70 | new SAXSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:141:48:141:68 | getInputStream(...) | user input | +| XMLReaderTests.java:16:18:16:55 | new InputSource(...) | XMLReaderTests.java:16:34:16:54 | getInputStream(...) [InputStream] | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:16:34:16:54 | getInputStream(...) | user input | +| XMLReaderTests.java:56:18:56:55 | new InputSource(...) | XMLReaderTests.java:56:34:56:54 | getInputStream(...) [InputStream] | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:56:34:56:54 | getInputStream(...) | user input | +| XMLReaderTests.java:63:18:63:55 | new InputSource(...) 
| XMLReaderTests.java:63:34:63:54 | getInputStream(...) [InputStream] | XMLReaderTests.java:63:18:63:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:63:34:63:54 | getInputStream(...) | user input | +| XMLReaderTests.java:70:18:70:55 | new InputSource(...) | XMLReaderTests.java:70:34:70:54 | getInputStream(...) [InputStream] | XMLReaderTests.java:70:18:70:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:70:34:70:54 | getInputStream(...) | user input | +| XMLReaderTests.java:78:18:78:55 | new InputSource(...) | XMLReaderTests.java:78:34:78:54 | getInputStream(...) [InputStream] | XMLReaderTests.java:78:18:78:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:78:34:78:54 | getInputStream(...) | user input | +| XMLReaderTests.java:86:18:86:55 | new InputSource(...) | XMLReaderTests.java:86:34:86:54 | getInputStream(...) [InputStream] | XMLReaderTests.java:86:18:86:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:86:34:86:54 | getInputStream(...) | user input | +| XMLReaderTests.java:94:18:94:55 | new InputSource(...) | XMLReaderTests.java:94:34:94:54 | getInputStream(...) [InputStream] | XMLReaderTests.java:94:18:94:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:94:34:94:54 | getInputStream(...) | user input | +| XMLReaderTests.java:100:18:100:55 | new InputSource(...) | XMLReaderTests.java:100:34:100:54 | getInputStream(...) [InputStream] | XMLReaderTests.java:100:18:100:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:100:34:100:54 | getInputStream(...) | user input | +| XPathExpressionTests.java:27:21:27:58 | new InputSource(...) | XPathExpressionTests.java:27:37:27:57 | getInputStream(...) [InputStream] | XPathExpressionTests.java:27:21:27:58 | new InputSource(...) | Unsafe parsing of XML file from $@. 
| XPathExpressionTests.java:27:37:27:57 | getInputStream(...) | user input | +| XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:9:35:9:55 | getInputStream(...) | user input | +| XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:10:34:10:54 | getInputStream(...) | user input | +| XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:24:35:24:55 | getInputStream(...) | user input | +| XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:25:34:25:54 | getInputStream(...) | user input | +| XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:31:35:31:55 | getInputStream(...) | user input | +| XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:32:34:32:54 | getInputStream(...) 
| user input | +| XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:39:35:39:55 | getInputStream(...) | user input | +| XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:40:34:40:54 | getInputStream(...) | user input | +| XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:47:35:47:55 | getInputStream(...) | user input | +| XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:48:34:48:54 | getInputStream(...) | user input | +| XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:55:35:55:55 | getInputStream(...) | user input | +| XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) [InputStream] | XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | Unsafe parsing of XML file from $@. | XmlInputFactoryTests.java:56:34:56:54 | getInputStream(...) | user input | 
diff --git a/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTaintedLocal.expected b/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTaintedLocal.expected index 95ba9d0eb7b2..a7e41c43c578 100644 --- a/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTaintedLocal.expected +++ b/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTaintedLocal.expected @@ -1 +1,4 @@ -| Test.java:21:17:21:25 | (...)... | $@ flows to here and is cast to a narrower type, potentially causing truncation. | Test.java:11:28:11:36 | System.in | User-provided value | +edges +| Test.java:11:28:11:36 | System.in [InputStream] | Test.java:21:22:21:25 | data | +#select +| Test.java:21:17:21:25 | (...)... | Test.java:11:28:11:36 | System.in [InputStream] | Test.java:21:22:21:25 | data | $@ flows to here and is cast to a narrower type, potentially causing truncation. | Test.java:11:28:11:36 | System.in | User-provided value | diff --git a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.expected b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.expected index e11047d8dc0e..0ec980529f07 100644 --- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.expected +++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.expected 
@@ -1,18 +1,48 @@ -| CredentialsTest.java:7:34:7:41 | "123456" | Hard-coded value flows to $@. | CredentialsTest.java:13:39:13:39 | p | sensitive API call | -| CredentialsTest.java:7:34:7:41 | "123456" | Hard-coded value flows to $@. | CredentialsTest.java:18:39:18:39 | q | sensitive API call | -| CredentialsTest.java:11:14:11:20 | "admin" | Hard-coded value flows to $@. | CredentialsTest.java:13:36:13:36 | u | sensitive API call | -| CredentialsTest.java:11:14:11:20 | "admin" | Hard-coded value flows to $@. | CredentialsTest.java:18:36:18:36 | v | sensitive API call | -| FileCredentialTest.java:13:14:13:20 | "admin" | Hard-coded value flows to $@. | FileCredentialTest.java:23:36:23:36 | v | sensitive API call | -| FileCredentialTest.java:18:35:18:41 | "admin" | Hard-coded value flows to $@. | FileCredentialTest.java:18:35:18:41 | "admin" | sensitive API call | -| Test.java:9:16:9:22 | "admin" | Hard-coded value flows to $@. | Test.java:15:36:15:38 | usr | sensitive API call | -| Test.java:9:16:9:22 | "admin" | Hard-coded value flows to $@. | Test.java:17:39:17:41 | usr | sensitive API call | -| Test.java:9:16:9:22 | "admin" | Hard-coded value flows to $@. | Test.java:18:39:18:41 | usr | sensitive API call | -| Test.java:9:16:9:22 | "admin" | Hard-coded value flows to $@. | Test.java:30:36:30:39 | user | sensitive API call | -| Test.java:10:17:10:24 | "123456" | Hard-coded value flows to $@. | Test.java:15:41:15:44 | pass | sensitive API call | -| Test.java:10:17:10:24 | "123456" | Hard-coded value flows to $@. | Test.java:18:44:18:61 | toCharArray(...) | sensitive API call | -| Test.java:10:17:10:24 | "123456" | Hard-coded value flows to $@. | Test.java:30:42:30:49 | password | sensitive API call | -| Test.java:14:36:14:42 | "admin" | Hard-coded value flows to $@. | Test.java:14:36:14:42 | "admin" | sensitive API call | -| Test.java:14:45:14:52 | "123456" | Hard-coded value flows to $@. 
| Test.java:14:45:14:52 | "123456" | sensitive API call | -| Test.java:17:44:17:51 | "123456" | Hard-coded value flows to $@. | Test.java:17:44:17:65 | toCharArray(...) | sensitive API call | -| Test.java:20:16:20:39 | new byte[] | Hard-coded value flows to $@. | Test.java:21:78:21:80 | key | sensitive API call | -| Test.java:23:17:23:26 | "abcdefgh" | Hard-coded value flows to $@. | Test.java:24:79:24:82 | key2 | sensitive API call | +edges +| CredentialsTest.java:7:34:7:41 | "123456" [String] | CredentialsTest.java:13:39:13:39 | p | +| CredentialsTest.java:7:34:7:41 | "123456" [String] | CredentialsTest.java:14:16:14:16 | p [String] | +| CredentialsTest.java:11:14:11:20 | "admin" [String] | CredentialsTest.java:13:36:13:36 | u | +| CredentialsTest.java:11:14:11:20 | "admin" [String] | CredentialsTest.java:14:13:14:13 | u [String] | +| CredentialsTest.java:14:13:14:13 | u [String] | CredentialsTest.java:17:38:17:45 | v [String] | +| CredentialsTest.java:14:16:14:16 | p [String] | CredentialsTest.java:17:48:17:55 | q [String] | +| CredentialsTest.java:17:38:17:45 | v [String] | CredentialsTest.java:18:36:18:36 | v | +| CredentialsTest.java:17:48:17:55 | q [String] | CredentialsTest.java:18:39:18:39 | q | +| FileCredentialTest.java:13:14:13:20 | "admin" [String] | FileCredentialTest.java:19:13:19:13 | u [String] | +| FileCredentialTest.java:18:35:18:41 | "admin" [String] | FileCredentialTest.java:18:35:18:41 | "admin" | +| FileCredentialTest.java:19:13:19:13 | u [String] | FileCredentialTest.java:22:38:22:45 | v [String] | +| FileCredentialTest.java:22:38:22:45 | v [String] | FileCredentialTest.java:23:36:23:36 | v | +| Test.java:9:16:9:22 | "admin" [String] | Test.java:12:13:12:15 | usr [String] | +| Test.java:9:16:9:22 | "admin" [String] | Test.java:15:36:15:38 | usr | +| Test.java:9:16:9:22 | "admin" [String] | Test.java:17:39:17:41 | usr | +| Test.java:9:16:9:22 | "admin" [String] | Test.java:18:39:18:41 | usr | +| Test.java:10:17:10:24 | "123456" [String] | 
Test.java:12:18:12:21 | pass [String] | +| Test.java:10:17:10:24 | "123456" [String] | Test.java:15:41:15:44 | pass | +| Test.java:10:17:10:24 | "123456" [String] | Test.java:18:44:18:61 | toCharArray(...) | +| Test.java:12:13:12:15 | usr [String] | Test.java:29:38:29:48 | user [String] | +| Test.java:12:18:12:21 | pass [String] | Test.java:29:51:29:65 | password [String] | +| Test.java:14:36:14:42 | "admin" [String] | Test.java:14:36:14:42 | "admin" | +| Test.java:14:45:14:52 | "123456" [String] | Test.java:14:45:14:52 | "123456" | +| Test.java:17:44:17:51 | "123456" [String] | Test.java:17:44:17:65 | toCharArray(...) | +| Test.java:20:16:20:39 | new byte[] [byte[]] | Test.java:21:78:21:80 | key | +| Test.java:23:17:23:26 | "abcdefgh" [String] | Test.java:24:79:24:82 | key2 | +| Test.java:29:38:29:48 | user [String] | Test.java:30:36:30:39 | user | +| Test.java:29:51:29:65 | password [String] | Test.java:30:42:30:49 | password | +#select +| CredentialsTest.java:7:34:7:41 | "123456" | CredentialsTest.java:7:34:7:41 | "123456" [String] | CredentialsTest.java:13:39:13:39 | p | Hard-coded value flows to $@. | CredentialsTest.java:13:39:13:39 | p | sensitive API call | +| CredentialsTest.java:7:34:7:41 | "123456" | CredentialsTest.java:7:34:7:41 | "123456" [String] | CredentialsTest.java:18:39:18:39 | q | Hard-coded value flows to $@. | CredentialsTest.java:18:39:18:39 | q | sensitive API call | +| CredentialsTest.java:11:14:11:20 | "admin" | CredentialsTest.java:11:14:11:20 | "admin" [String] | CredentialsTest.java:13:36:13:36 | u | Hard-coded value flows to $@. | CredentialsTest.java:13:36:13:36 | u | sensitive API call | +| CredentialsTest.java:11:14:11:20 | "admin" | CredentialsTest.java:11:14:11:20 | "admin" [String] | CredentialsTest.java:18:36:18:36 | v | Hard-coded value flows to $@. 
| CredentialsTest.java:18:36:18:36 | v | sensitive API call | +| FileCredentialTest.java:13:14:13:20 | "admin" | FileCredentialTest.java:13:14:13:20 | "admin" [String] | FileCredentialTest.java:23:36:23:36 | v | Hard-coded value flows to $@. | FileCredentialTest.java:23:36:23:36 | v | sensitive API call | +| FileCredentialTest.java:18:35:18:41 | "admin" | FileCredentialTest.java:18:35:18:41 | "admin" [String] | FileCredentialTest.java:18:35:18:41 | "admin" | Hard-coded value flows to $@. | FileCredentialTest.java:18:35:18:41 | "admin" | sensitive API call | +| Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" [String] | Test.java:15:36:15:38 | usr | Hard-coded value flows to $@. | Test.java:15:36:15:38 | usr | sensitive API call | +| Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" [String] | Test.java:17:39:17:41 | usr | Hard-coded value flows to $@. | Test.java:17:39:17:41 | usr | sensitive API call | +| Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" [String] | Test.java:18:39:18:41 | usr | Hard-coded value flows to $@. | Test.java:18:39:18:41 | usr | sensitive API call | +| Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" [String] | Test.java:30:36:30:39 | user | Hard-coded value flows to $@. | Test.java:30:36:30:39 | user | sensitive API call | +| Test.java:10:17:10:24 | "123456" | Test.java:10:17:10:24 | "123456" [String] | Test.java:15:41:15:44 | pass | Hard-coded value flows to $@. | Test.java:15:41:15:44 | pass | sensitive API call | +| Test.java:10:17:10:24 | "123456" | Test.java:10:17:10:24 | "123456" [String] | Test.java:18:44:18:61 | toCharArray(...) | Hard-coded value flows to $@. | Test.java:18:44:18:61 | toCharArray(...) | sensitive API call | +| Test.java:10:17:10:24 | "123456" | Test.java:10:17:10:24 | "123456" [String] | Test.java:30:42:30:49 | password | Hard-coded value flows to $@. 
| Test.java:30:42:30:49 | password | sensitive API call | +| Test.java:14:36:14:42 | "admin" | Test.java:14:36:14:42 | "admin" [String] | Test.java:14:36:14:42 | "admin" | Hard-coded value flows to $@. | Test.java:14:36:14:42 | "admin" | sensitive API call | +| Test.java:14:45:14:52 | "123456" | Test.java:14:45:14:52 | "123456" [String] | Test.java:14:45:14:52 | "123456" | Hard-coded value flows to $@. | Test.java:14:45:14:52 | "123456" | sensitive API call | +| Test.java:17:44:17:51 | "123456" | Test.java:17:44:17:51 | "123456" [String] | Test.java:17:44:17:65 | toCharArray(...) | Hard-coded value flows to $@. | Test.java:17:44:17:65 | toCharArray(...) | sensitive API call | +| Test.java:20:16:20:39 | new byte[] | Test.java:20:16:20:39 | new byte[] [byte[]] | Test.java:21:78:21:80 | key | Hard-coded value flows to $@. | Test.java:21:78:21:80 | key | sensitive API call | +| Test.java:23:17:23:26 | "abcdefgh" | Test.java:23:17:23:26 | "abcdefgh" [String] | Test.java:24:79:24:82 | key2 | Hard-coded value flows to $@. | Test.java:24:79:24:82 | key2 | sensitive API call | diff --git a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.expected b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.expected index 3b8925425d4e..0919a5ec1fd4 100644 --- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.expected +++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.expected 
@@ -1,2 +1,6 @@ -| Test.java:10:17:10:24 | "123456" | Hard-coded value flows to $@. | Test.java:26:17:26:20 | pass | sensitive call | -| User.java:2:43:2:50 | "123456" | Hard-coded value flows to $@. | User.java:5:15:5:24 | DEFAULT_PW | sensitive call | +edges +| Test.java:10:17:10:24 | "123456" [String] | Test.java:26:17:26:20 | pass | +| User.java:2:43:2:50 | "123456" [String] | User.java:5:15:5:24 | DEFAULT_PW | +#select +| Test.java:10:17:10:24 | "123456" | Test.java:10:17:10:24 | "123456" [String] | Test.java:26:17:26:20 | pass | Hard-coded value flows to $@. | Test.java:26:17:26:20 | pass | sensitive call | +| User.java:2:43:2:50 | "123456" | User.java:2:43:2:50 | "123456" [String] | User.java:5:15:5:24 | DEFAULT_PW | Hard-coded value flows to $@. | User.java:5:15:5:24 | DEFAULT_PW | sensitive call | diff --git a/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypass.expected b/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypass.expected index 652ba02dbeea..eacb210ef47d 100644 --- a/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypass.expected +++ b/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypass.expected 
@@ -1,6 +1,13 @@ -| Test.java:26:4:26:24 | login(...) | Sensitive method may not be executed depending on $@, which flows from $@. | Test.java:25:6:25:21 | ... == ... | this condition | Test.java:17:26:17:38 | args | user input | -| Test.java:32:4:32:24 | login(...) | Sensitive method may not be executed depending on $@, which flows from $@. | Test.java:31:6:31:43 | equals(...) | this condition | Test.java:31:6:31:27 | getValue(...) | user input | -| Test.java:37:4:37:24 | login(...) | Sensitive method may not be executed depending on $@, which flows from $@. | Test.java:36:6:36:36 | ... == ... | this condition | Test.java:36:6:36:27 | getValue(...) | user input | -| Test.java:39:4:39:30 | reCheckAuth(...) | Sensitive method may not be executed depending on $@, which flows from $@. | Test.java:36:6:36:36 | ... == ... | this condition | Test.java:36:6:36:27 | getValue(...) | user input | -| Test.java:82:4:82:24 | login(...) | Sensitive method may not be executed depending on $@, which flows from $@. | Test.java:81:6:81:36 | ... == ... | this condition | Test.java:81:6:81:27 | getValue(...) | user input | -| Test.java:92:4:92:24 | login(...) | Sensitive method may not be executed depending on $@, which flows from $@. | Test.java:91:6:91:36 | ... == ... | this condition | Test.java:91:6:91:27 | getValue(...) | user input | +edges +| Test.java:17:26:17:38 | args [String[]] | Test.java:25:6:25:21 | ... == ... | +| Test.java:31:6:31:27 | getValue(...) [String] | Test.java:31:6:31:43 | equals(...) | +| Test.java:36:6:36:27 | getValue(...) [String] | Test.java:36:6:36:36 | ... == ... | +| Test.java:81:6:81:27 | getValue(...) [String] | Test.java:81:6:81:36 | ... == ... | +| Test.java:91:6:91:27 | getValue(...) [String] | Test.java:91:6:91:36 | ... == ... | +#select +| Test.java:26:4:26:24 | login(...) | Test.java:17:26:17:38 | args [String[]] | Test.java:25:6:25:21 | ... == ... | Sensitive method may not be executed depending on $@, which flows from $@. 
| Test.java:25:6:25:21 | ... == ... | this condition | Test.java:17:26:17:38 | args | user input | +| Test.java:32:4:32:24 | login(...) | Test.java:31:6:31:27 | getValue(...) [String] | Test.java:31:6:31:43 | equals(...) | Sensitive method may not be executed depending on $@, which flows from $@. | Test.java:31:6:31:43 | equals(...) | this condition | Test.java:31:6:31:27 | getValue(...) | user input | +| Test.java:37:4:37:24 | login(...) | Test.java:36:6:36:27 | getValue(...) [String] | Test.java:36:6:36:36 | ... == ... | Sensitive method may not be executed depending on $@, which flows from $@. | Test.java:36:6:36:36 | ... == ... | this condition | Test.java:36:6:36:27 | getValue(...) | user input | +| Test.java:39:4:39:30 | reCheckAuth(...) | Test.java:36:6:36:27 | getValue(...) [String] | Test.java:36:6:36:36 | ... == ... | Sensitive method may not be executed depending on $@, which flows from $@. | Test.java:36:6:36:36 | ... == ... | this condition | Test.java:36:6:36:27 | getValue(...) | user input | +| Test.java:82:4:82:24 | login(...) | Test.java:81:6:81:27 | getValue(...) [String] | Test.java:81:6:81:36 | ... == ... | Sensitive method may not be executed depending on $@, which flows from $@. | Test.java:81:6:81:36 | ... == ... | this condition | Test.java:81:6:81:27 | getValue(...) | user input | +| Test.java:92:4:92:24 | login(...) | Test.java:91:6:91:27 | getValue(...) [String] | Test.java:91:6:91:36 | ... == ... | Sensitive method may not be executed depending on $@, which flows from $@. | Test.java:91:6:91:36 | ... == ... | this condition | Test.java:91:6:91:27 | getValue(...) | user input | diff --git a/java/ql/test/query-tests/security/CWE-807/semmle/tests/TaintedPermissionsCheck.expected b/java/ql/test/query-tests/security/CWE-807/semmle/tests/TaintedPermissionsCheck.expected index 39e42826996d..2a5c2b961b1f 100644 --- a/java/ql/test/query-tests/security/CWE-807/semmle/tests/TaintedPermissionsCheck.expected 
+++ b/java/ql/test/query-tests/security/CWE-807/semmle/tests/TaintedPermissionsCheck.expected @@ -1 +1,4 @@ -| Test.java:50:6:50:65 | isPermitted(...) | Permissions check uses user-controlled $@. | Test.java:17:26:17:38 | args | data | +edges +| Test.java:17:26:17:38 | args [String[]] | Test.java:50:26:50:64 | ... + ... | +#select +| Test.java:50:6:50:65 | isPermitted(...) | Test.java:17:26:17:38 | args [String[]] | Test.java:50:26:50:64 | ... + ... | Permissions check uses user-controlled $@. | Test.java:17:26:17:38 | args | data | From 918fc90515ef8371217defb7b33930666b43a902 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Fri, 16 Nov 2018 13:38:48 +0100 Subject: [PATCH 4/4] Java: Add change note. --- change-notes/1.19/analysis-java.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/change-notes/1.19/analysis-java.md b/change-notes/1.19/analysis-java.md index d5a6d6a61b81..6458ff1d0101 100644 --- a/change-notes/1.19/analysis-java.md +++ b/change-notes/1.19/analysis-java.md @@ -2,6 +2,8 @@ ## General improvements +* Where applicable, path explanations have been added to the security queries. + ## New queries | **Query** | **Tags** | **Purpose** |