
Commit 00ea65f

Merge pull request #80 from GitHubSecurityLab/java/addexperimentalqueries
Java: Add experimental queries
2 parents 046dfe7 + 2856834 commit 00ea65f


1,170 files changed

+50851
-64
lines changed


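--- a/java/ext-library-sources/qlpack.yml
+++ b/java/ext-library-sources/qlpack.yml
@@ -8,3 +8,4 @@ dataExtensions:
 - 'manual/**/*.yml'
 - 'generated/*.yml'
 - 'generated/**/*.yml'
+- 'experimental/*.yml'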
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/java-all
4+
extensible: experimentalSummaryModel
5+
data:
6+
- ["android.webkit", "WebResourceRequest", False, "getUrl", "", "", "Argument[this]", "ReturnValue", "taint", "manual", "android-web-resource-response"]
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/java-all
4+
extensible: experimentalSinkModel
5+
data:
6+
- ["com.google.common.io", "Resources", False, "asByteSource", "(URL)", "", "Argument[0]", "url-open-stream", "manual", "openstream-called-on-tainted-url"]
7+
- ["com.google.common.io", "Resources", False, "asCharSource", "(URL,Charset)", "", "Argument[0]", "url-open-stream", "manual", "openstream-called-on-tainted-url"]
8+
- ["com.google.common.io", "Resources", False, "copy", "(URL,OutputStream)", "", "Argument[0]", "url-open-stream", "manual", "openstream-called-on-tainted-url"]
9+
- ["com.google.common.io", "Resources", False, "readLines", "", "", "Argument[0]", "url-open-stream", "manual", "openstream-called-on-tainted-url"]
10+
- ["com.google.common.io", "Resources", False, "toByteArray", "(URL)", "", "Argument[0]", "url-open-stream", "manual", "openstream-called-on-tainted-url"]
11+
- ["com.google.common.io", "Resources", False, "toString", "(URL,Charset)", "", "Argument[0]", "url-open-stream", "manual", "openstream-called-on-tainted-url"]
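Review bot: The `readLines` row is the only one of the six that leaves the signature column empty, while its neighbours pin `(URL)`, `(URL,Charset)` or `(URL,OutputStream)`. If the empty signature is deliberate, to match every `readLines` overload with the URL at `Argument[0]`, a comment above the row would make that explicit: `# readLines: empty signature matches all overloads; the URL is Argument[0] in each`. Otherwise pin it like the other rows, so that a later overload with a different first parameter is not silently treated as a `url-open-stream` sink.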
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/java-all
4+
extensible: experimentalSinkModel
5+
data:
6+
- ["com.jcraft.jsch", "ChannelExec", True, "setCommand", "", "", "Argument[0]", "command-injection", "manual", "jsch-os-injection"]
Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/java-all
4+
extensible: experimentalSourceModel
5+
data:
6+
- ["com.jfinal.core", "Controller", True, "get", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
7+
- ["com.jfinal.core", "Controller", True, "getBoolean", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
8+
- ["com.jfinal.core", "Controller", True, "getCookie", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
9+
- ["com.jfinal.core", "Controller", True, "getCookieObject", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
10+
- ["com.jfinal.core", "Controller", True, "getCookieObjects", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
11+
- ["com.jfinal.core", "Controller", True, "getCookieToInt", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
12+
- ["com.jfinal.core", "Controller", True, "getCookieToLong", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
13+
- ["com.jfinal.core", "Controller", True, "getDate", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
14+
- ["com.jfinal.core", "Controller", True, "getFile", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
15+
- ["com.jfinal.core", "Controller", True, "getFiles", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
16+
- ["com.jfinal.core", "Controller", True, "getHeader", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
17+
- ["com.jfinal.core", "Controller", True, "getInt", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
18+
- ["com.jfinal.core", "Controller", True, "getKv", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
19+
- ["com.jfinal.core", "Controller", True, "getLong", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
20+
- ["com.jfinal.core", "Controller", True, "getPara", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
21+
- ["com.jfinal.core", "Controller", True, "getParaMap", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
22+
- ["com.jfinal.core", "Controller", True, "getParaToBoolean", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
23+
- ["com.jfinal.core", "Controller", True, "getParaToDate", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
24+
- ["com.jfinal.core", "Controller", True, "getParaToInt", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
25+
- ["com.jfinal.core", "Controller", True, "getParaToLong", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
26+
- ["com.jfinal.core", "Controller", True, "getParaValues", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
27+
- ["com.jfinal.core", "Controller", True, "getParaValuesToInt", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
28+
- ["com.jfinal.core", "Controller", True, "getParaValuesToLong", "", "", "ReturnValue", "remote", "manual", "file-path-injection"]
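Review bot: Several rows mark getters whose names indicate a parsed, non-string result (`getBoolean`, `getInt`, `getLong`, `getDate`, `getCookieToInt`, `getCookieToLong`, `getParaToBoolean`, `getParaToDate`, `getParaToInt`, `getParaToLong`, `getParaValuesToInt`, `getParaValuesToLong`) as `remote` sources for file-path-injection. A boolean or number cannot carry a path segment such as `../`, so these rows can only add results that need triage, unless the query already stops flow at such types, which is not visible on this page. I would either drop them or document the choice above the list, e.g. `# typed getters kept for completeness; the query is expected to stop flow at primitive and boxed types`. All 23 rows also leave the signature empty, so every overload of each name becomes a source.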

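--- a/java/ext/experimental/empty.model.yml
+++ b/java/ext/experimental/empty.model.yml
@@ -0,0 +1,15 @@
+extensions:
+# Make sure that the extensible model predicates have at least one definition
+# to avoid errors about undefined extensionals.
+- addsTo:
+pack: codeql/java-all
+extensible: experimentalSourceModel
+data: []
+- addsTo:
+pack: codeql/java-all
+extensible: experimentalSinkModel
+data: []
+- addsTo:
+pack: codeql/java-all
+extensible: experimentalSummaryModel
+data: []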
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/java-all
4+
extensible: experimentalSummaryModel
5+
data:
6+
- ["java.io", "FileInputStream", True, "FileInputStream", "", "", "Argument[0]", "Argument[this]", "taint", "manual", "android-web-resource-response"]
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/java-all
4+
extensible: experimentalSinkModel
5+
data:
6+
- ["java.lang", "Thread", True, "sleep", "", "", "Argument[0]", "thread-pause", "manual", "thread-resource-abuse"]
7+
- addsTo:
8+
pack: codeql/java-all
9+
extensible: experimentalSummaryModel
10+
data:
11+
- ["java.lang", "Math", False, "max", "", "", "Argument[0..1]", "ReturnValue", "value", "manual", "thread-resource-abuse"]
12+
- ["java.lang", "Math", False, "min", "", "", "Argument[0..1]", "ReturnValue", "value", "manual", "thread-resource-abuse"]
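Review bot: The `Math.min` summary passes either argument through to the return value as a `value` step, so a duration that has been clamped, as in `Math.min(userValue, LIMIT)`, would still reach the `Thread.sleep` sink as user-controlled. Clamping against a constant is the usual mitigation for an uncontrolled sleep time, so this row can report code that is already fixed, unless the query has a separate barrier for bounded values, which this file does not show. I would add a comment above the two `Math` rows stating the intent, e.g. `# min/max propagate the user-controlled operand; bounding is left to the query's sanitizers`, and confirm a test covers the clamped case.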
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/java-all
4+
extensible: experimentalSinkModel
5+
data:
6+
- ["java.util.concurrent", "TimeUnit", True, "sleep", "", "", "Argument[0]", "thread-pause", "manual", "thread-resource-abuse"]
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/java-all
4+
extensible: experimentalSourceModel
5+
data:
6+
- ["javax.servlet.http", "HttpServletRequest", False, "getPathInfo", "()", "", "ReturnValue", "uri-path", "manual", "permissive-dot-regex-query"]
7+
- ["javax.servlet.http", "HttpServletRequest", False, "getPathTranslated", "()", "", "ReturnValue", "uri-path", "manual", "permissive-dot-regex-query"]
8+
- ["javax.servlet.http", "HttpServletRequest", False, "getRequestURI", "()", "", "ReturnValue", "uri-path", "manual", "permissive-dot-regex-query"]
9+
- ["javax.servlet.http", "HttpServletRequest", False, "getRequestURL", "()", "", "ReturnValue", "uri-path", "manual", "permissive-dot-regex-query"]
10+
- ["javax.servlet.http", "HttpServletRequest", False, "getServletPath", "()", "", "ReturnValue", "uri-path", "manual", "permissive-dot-regex-query"]
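Review bot: All five `uri-path` sources are declared for `javax.servlet.http` only, with no matching rows for `jakarta.servlet.http.HttpServletRequest`. Applications built on the jakarta namespace would then get no sources for permissive-dot-regex-query, unless another file in this commit (most of it is hidden on this page) adds them. I would mirror each row, e.g. `- ["jakarta.servlet.http", "HttpServletRequest", False, "getPathInfo", "()", "", "ReturnValue", "uri-path", "manual", "permissive-dot-regex-query"]`, for `getPathTranslated`, `getRequestURI`, `getRequestURL` and `getServletPath` as well.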
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/java-all
4+
extensible: experimentalSummaryModel
5+
data:
6+
- ["org.apache.logging.log4j.message", "MapMessage", True, "put", "", "", "Argument[1]", "Argument[this]", "taint", "manual", "log4j-injection"]
7+
- ["org.apache.logging.log4j.message", "MapMessage", True, "putAll", "", "", "Argument[0].MapValue", "Argument[this]", "taint", "manual", "log4j-injection"]
8+
- ["org.apache.logging.log4j.message", "MapMessage", True, "with", "", "", "Argument[this]", "ReturnValue", "value", "manual", "log4j-injection"]
9+
- ["org.apache.logging.log4j.message", "MapMessage", True, "with", "", "", "Argument[1]", "Argument[this]", "taint", "manual", "log4j-injection"]
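Review bot: Only map values are tracked into the message: `put` and `with` use `Argument[1]` and `putAll` uses `Argument[0].MapValue`, so a user-controlled key (`Argument[0]` of `put`/`with`, `Argument[0].MapKey` of `putAll`) does not taint the `MapMessage`. If keys can end up in the formatted log line, that is a coverage gap for the log4j-injection query. If they were left out on purpose, a comment should say so, e.g. `# keys are not modelled: only values are treated as attacker-influenced`. Whether keys reach the sink depends on the message format in use, so treat this as a question rather than a confirmed miss.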
