Merge branch 'main' into fix_csharp_asPartialModel

Author: Alvaro Muñoz

README.md

@@ -1,6 +1,6 @@
 library: false
 name: githubsecuritylab/codeql-cpp-queries
-version: 0.0.2
+version: 0.0.3
 suites: suites
 defaultSuiteFile: suites/cpp.qls
 dependencies:

cpp/lib/github/.gitkeep renamed to cpp/lib/ghsl/.gitkeep

@@ -1,9 +1,25 @@
-- description: "GitHub's Community Packs Ruby Extended Suite"
+- description: "GitHub's Community Packs C/C++ Extended Suite"
 
-- qlpack: github-queries-ruby
+- queries: '.'
+  from: githubsecuritylab/codeql-cpp-queries
 
-- import: codeql-suites/ruby-security-extended.qls
-  from: codeql/ruby-queries
+- include:
+    kind:
+    - problem
+    - path-problem
+    precision:
+    - very-high
+    - high
+    - medium
+    - low
+
+# Remove debugging, and audit queries
+- exclude:
+    tags contain:
+      - debugging
+      - audit
+
+# Remove local testing folders
 - exclude:
-    id:
-      - rb/hardcoded-credentials
+    query path:
+      - /testing\/.*/

cpp/src/qlpack.yml

@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false

cpp/src/suites/cpp.qls

@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false

csharp/ext-library-sources/codeql-pack.lock.yml

@@ -1,6 +1,6 @@
 library: false
 name: githubsecuritylab/codeql-csharp-queries
-version: 0.0.2
+version: 0.0.3
 suites: suites
 defaultSuiteFile: suites/csharp.qls
 dependencies:

csharp/ext/codeql-pack.lock.yml

@@ -14,8 +14,8 @@ import csharp
 private import semmle.code.csharp.frameworks.Moq
 private import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 // import semmle.code.csharp.frameworks.system.security.Cryptography
-private import github.Hardcoded
-private import github.Cryptography
+private import ghsl.Hardcoded
+private import ghsl.Cryptography
 
 module HardcodedSalt {
   abstract class Source extends DataFlow::ExprNode { }

csharp/lib/github/Cryptography.qll renamed to csharp/lib/ghsl/Cryptography.qll

@@ -14,7 +14,7 @@
 
 import csharp
 private import DataFlow::PathGraph
-private import github.HardcodedCredentials
+private import ghsl.HardcodedCredentials
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, LiteralToSecurityKeyConfig config
 where config.hasFlowPath(source, sink)

csharp/lib/github/Hardcoded.qll renamed to csharp/lib/ghsl/Hardcoded.qll

@@ -1,14 +1,12 @@
 - description: "GitHub's Community Packs CSharp Extended Suite"
 
 - queries: '.'
-  from: githubsecuritylab/codeql-csharp
+  from: githubsecuritylab/codeql-csharp-queries
 
 - include:
     kind:
     - problem
     - path-problem
-    - metric
-    - diagnostic
     precision:
     - very-high
     - high

csharp/lib/github/HardcodedCredentials.qll renamed to csharp/lib/ghsl/HardcodedCredentials.qll

@@ -14,7 +14,7 @@
 import go
 import semmle.go.security.SqlInjection
 import DataFlow::PathGraph
-import github.Utils
+import ghsl.Utils
 
 /**
  * A taint-tracking configuration for detecting SQL injection vulnerabilities.

csharp/src/qlpack.yml

@@ -1,6 +1,6 @@
 library: false
 name: githubsecuritylab/codeql-go-queries
-version: 0.0.2
+version: 0.0.3
 suites: suites
 defaultSuiteFile: suites/go.qls
 dependencies:

csharp/src/security/CWE-760/HardcodedSalt.ql

@@ -13,35 +13,27 @@
 
 import go
 import semmle.go.security.CommandInjection
-import semmle.go.security.CommandInjectionCustomizations::CommandInjection
+import DataFlow::PathGraph
+import semmle.go.security.FlowSources
 
 //Override CommandInjection::Configuration to use the in-use sources
-class InUseAsSource extends Source instanceof UntrustedFlowSource {
-  InUseAsSource() {
+class InUseCommandInjectionConfiguration extends CommandInjection::Configuration {
+  override predicate isSource(DataFlow::Node node) {
     exists(UntrustedFlowSource source, Function function, DataFlow::CallNode callNode |
-      source.asExpr() = this.asExpr() and
+      source.asExpr() = node.asExpr() and
+
       source.(DataFlow::ExprNode).asExpr().getEnclosingFunction() = function.getFuncDecl() and
       (
         // function is called directly
         callNode.getACallee() = function.getFuncDecl()
-        or
+
         // function is passed to another function to be called
-        callNode.getCall().getAnArgument().(Ident).refersTo(function) //NEW with 2.13.2: or c.getASyntacticArgument().asExpr().(Ident).refersTo(f)
-      )
+        or callNode.getCall().getAnArgument().(Ident).refersTo(function) //NEW with 2.13.2: or c.getASyntacticArgument().asExpr().(Ident).refersTo(f)
+      )      
     )
   }
 }
 
-module Flow =
-  DataFlow::MergePathGraph<CommandInjection::Flow::PathNode,
-    CommandInjection::DoubleDashSanitizingFlow::PathNode, CommandInjection::Flow::PathGraph,
-    CommandInjection::DoubleDashSanitizingFlow::PathGraph>;
-
-import Flow::PathGraph
-
-from Flow::PathNode source, Flow::PathNode sink
-where
-  CommandInjection::Flow::flowPath(source.asPathNode1(), sink.asPathNode1()) or
-  CommandInjection::DoubleDashSanitizingFlow::flowPath(source.asPathNode2(), sink.asPathNode2())
-select sink.getNode(), source, sink, "This command depends on a $@.", source.getNode(),
-  "user-provided value"
+ from InUseCommandInjectionConfiguration cfg, CommandInjection::DoubleDashSanitizingConfiguration cfg2, DataFlow::PathNode source, DataFlow::PathNode sink
+ where (cfg.hasFlowPath(source, sink) or cfg2.hasFlowPath(source, sink))
+ select sink.getNode(), source, sink, "This command depends on a $@.", source.getNode(), "user-provided value"

csharp/src/security/CWE-798/HardcodedCredentialsSymmetricSecurityKey.ql

@@ -1,4 +1,4 @@
 import go
-import github.Utils
+import ghsl.Utils
 
 query predicate dynamicStrings(DataFlow::ExprNode node) { node instanceof DynamicStrings }

csharp/src/suites/csharp.qls

@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false

go/lib/github/LocalSources.qll renamed to go/lib/ghsl/LocalSources.qll

@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false

go/lib/github/Utils.qll renamed to go/lib/ghsl/Utils.qll

@@ -11,7 +11,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import Spring4ShellFlow::PathGraph
-import github.BeanManipulation
+import ghsl.BeanManipulation
 
 private module Spring4ShellConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {

go/src/audit/CWE-089/SqlInjectionAudit.ql

@@ -1,6 +1,6 @@
 library: false
 name: githubsecuritylab/codeql-java-queries
-version: 0.0.2
+version: 0.0.3
 suites: suites
 defaultSuiteFile: suites/java.qls
 dependencies:

go/src/qlpack.yml

@@ -13,33 +13,81 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import UnsafeURICheckFlow::PathGraph
 
-// Reference: https://mail-archives.apache.org/mod_mbox/ambari-user/202102.mbox/%3CCAEJYuxEQZ_aPwJdAaSxPu-Dva%3Dhc7zZUx3-pzBORbd23g%2BGH1A%40mail.gmail.com%3E
+// Example: https://mail-archives.apache.org/mod_mbox/ambari-user/202102.mbox/%3CCAEJYuxEQZ_aPwJdAaSxPu-Dva%3Dhc7zZUx3-pzBORbd23g%2BGH1A%40mail.gmail.com%3E
 class ServletFilterInterface extends Interface {
   ServletFilterInterface() { this.hasQualifiedName("javax.servlet", "Filter") }
 }
 
+class ContainerRequestFilterInterface extends Interface {
+  ContainerRequestFilterInterface() {
+    this.hasQualifiedName("javax.ws.rs.container", "ContainerRequestFilter")
+  }
+}
+
 class ServletRequestInterface extends Interface {
   ServletRequestInterface() { this.hasQualifiedName("javax.servlet.http", "HttpServletRequest") }
 }
 
-class GetRequestURIMethodAccess extends MethodAccess {
-  GetRequestURIMethodAccess() {
+class UriInfoType extends RefType {
+  UriInfoType() { this.hasQualifiedName("javax.ws.rs.core", "UriInfo") }
+}
+
+abstract class FilterMethod extends Method { }
+
+string getSecurityFilterRegexp() { result = ".*(auth|security|jwt|allow|block|login).*" }
+
+class FilterContainerRequestFilterMethod extends FilterMethod {
+  FilterContainerRequestFilterMethod() {
+    exists(Method m |
+      this.overrides*(m) and
+      m.getName() = "filter" and
+      m.getDeclaringType() instanceof ContainerRequestFilterInterface and
+      this.getDeclaringType().getName().toLowerCase().regexpMatch(getSecurityFilterRegexp())
+    )
+  }
+}
+
+class DoFilterServletRequestMethod extends FilterMethod {
+  DoFilterServletRequestMethod() {
+    exists(Method m |
+      this.overrides*(m) and
+      m.getName() = "doFilter" and
+      m.getDeclaringType() instanceof ServletFilterInterface and
+      this.getDeclaringType().getName().toLowerCase().regexpMatch(getSecurityFilterRegexp())
+    )
+  }
+}
+
+abstract class GetUriPathCall extends MethodCall { }
+
+class GetRequestURIMethodCall extends GetUriPathCall {
+  GetRequestURIMethodCall() {
     this.getMethod().getName() = "getRequestURI" and
     this.getMethod().getDeclaringType() instanceof ServletRequestInterface
   }
 }
 
+class UriInfoGetPathMethodCall extends GetUriPathCall {
+  UriInfoGetPathMethodCall() {
+    this.getMethod().getName() = "getPath" and
+    this.getMethod().getDeclaringType() instanceof UriInfoType
+  }
+}
+
 private module UnsafeURICheckConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    exists(GetRequestURIMethodAccess ma |
-      ma.getEnclosingCallable().getDeclaringType().getASourceSupertype*() instanceof
-        ServletFilterInterface and
-      source.asExpr() = ma
+    exists(GetUriPathCall call, FilterMethod m |
+      source.asExpr() = call and
+      (
+        m.polyCalls*(call.getEnclosingCallable()) or
+        m.polyCalls*(call.getEnclosingCallable().getEnclosingCallable()) or
+        m.polyCalls*(call.getEnclosingCallable().getEnclosingCallable().getEnclosingCallable())
+      )
     )
   }
 
   predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma |
+    exists(MethodCall ma |
       // java.util.regex.Pattern.matcher("aaaaab");
       ma.getMethod().getName() = "matcher" and
       ma.getMethod().getDeclaringType().hasQualifiedName("java.util.regex", "Pattern") and
@@ -54,7 +102,7 @@ private module UnsafeURICheckConfig implements DataFlow::ConfigSig {
       ma.getMethod().getDeclaringType() instanceof TypeString and
       sink.asExpr() = ma.getQualifier()
       or
-      ma.getMethod().getName() = ["startsWith", "endsWith"] and
+      ma.getMethod().getName() = ["contains", "startsWith", "endsWith"] and
       ma.getMethod().getDeclaringType() instanceof TypeString and
       not ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "/" and
       sink.asExpr() = ma.getQualifier()

go/src/security/CWE-078/CommandInjection.ql

@@ -11,7 +11,7 @@
  */
 
 import DataFlow::PathGraph
-import github.CommandInjectionRuntimeExec
+import ghsl.CommandInjectionRuntimeExec
 
 class RemoteSource extends Source {
   RemoteSource() { this instanceof RemoteFlowSource }

go/test/audit/CWE-089/SQLInjectionAudit.ql

@@ -12,7 +12,7 @@
  */
 
 import DataFlow::PathGraph
-import github.CommandInjectionRuntimeExec
+import ghsl.CommandInjectionRuntimeExec
 
 class LocalSource extends Source {
   LocalSource() { this instanceof LocalUserInput }

java/ext-library-sources/codeql-pack.lock.yml

@@ -12,7 +12,7 @@
  *       external/cwe/cwe-078
  */
 
-import github.CommandInjectionRuntimeExec
+import ghsl.CommandInjectionRuntimeExec
 
 class DataSource extends Source {
   DataSource() { this instanceof RemoteFlowSource or this instanceof LocalUserInput }

java/ext/codeql-pack.lock.yml

@@ -13,7 +13,7 @@
  */
 
 import DataFlow::PathGraph
-import github.CommandInjectionRuntimeExec
+import ghsl.CommandInjectionRuntimeExec
 
 class DataSource extends Source {
   DataSource() { this instanceof RemoteFlowSource or this instanceof LocalUserInput }

java/lib/github/BeanManipulation.qll renamed to java/lib/ghsl/BeanManipulation.qll

@@ -17,7 +17,7 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking2
 // import DataFlow::PathGraph
 // Internal
-import github.SensitiveInformation
+import ghsl.SensitiveInformation
 
 class Base64Sinks extends DataFlow::Node {
   Base64Sinks() {

java/lib/github/CommandInjectionRuntimeExec.qll renamed to java/lib/ghsl/CommandInjectionRuntimeExec.qll

@@ -13,7 +13,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import BeanManipulationFlow::PathGraph
-import github.BeanManipulation
+import ghsl.BeanManipulation
 
 private module BeanManipulationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

java/lib/github/Encoding.qll renamed to java/lib/ghsl/Encoding.qll

@@ -17,8 +17,8 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking2
 //import DataFlow::PathGraph
 // Internal
-import github.Logging
-import github.SensitiveInformation
+import ghsl.Logging
+import ghsl.SensitiveInformation
 
 module SensitiveInformationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof SensitiveInformationSources }

java/lib/github/Hardcoded.qll renamed to java/lib/ghsl/Hardcoded.qll

@@ -18,7 +18,7 @@ import semmle.code.java.security.XmlParsers
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking2
 //import DataFlow::PathGraph
-import github.LocalSources
+import ghsl.LocalSources
 
 module SafeSAXSourceFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxSource }

java/lib/github/LocalSources.qll renamed to java/lib/ghsl/LocalSources.qll

@@ -17,8 +17,8 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking2
 import DataFlow::PathGraph
 // Internal
-import github.Encoding
-import github.Hardcoded
+import ghsl.Encoding
+import ghsl.Hardcoded
 
 class HardcodedPasswordBase64 extends TaintTracking::Configuration {
   HardcodedPasswordBase64() { this = "HardcodedPasswordBase64" }

java/lib/github/Logging.qll renamed to java/lib/ghsl/Logging.qll

@@ -1,11 +1,8 @@
-# https://codeql.github.com/docs/codeql-cli/creating-codeql-query-suites/
-
 - description: "GitHub's Community Packs Java/Kotlin Extended Suite"
 
 - queries: '.'
-  from: githubsecuritylab/java-queries
+  from: githubsecuritylab/codeql-java-queries
 
-# GitHub's Community Packs Java/Kotlin Suite
 - include:
     kind:
     - problem