diff --git a/.codeqlversion b/.codeqlversion
index 0352eb17..bd9c5599 100644
--- a/.codeqlversion
+++ b/.codeqlversion
@@ -1 +1 @@
-2.20.1
\ No newline at end of file
+2.21.1
\ No newline at end of file
diff --git a/cpp/lib/codeql-pack.lock.yml b/cpp/lib/codeql-pack.lock.yml
index 1836bdf0..9eae5ae0 100644
--- a/cpp/lib/codeql-pack.lock.yml
+++ b/cpp/lib/codeql-pack.lock.yml
@@ -2,23 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/cpp-all:
- version: 3.1.0
+ version: 4.2.0
 codeql/dataflow:
- version: 1.1.8
+ version: 2.0.5
 codeql/mad:
- version: 1.0.14
+ version: 1.0.21
 codeql/rangeanalysis:
- version: 1.0.14
+ version: 1.0.21
 codeql/ssa:
- version: 1.0.14
+ version: 1.1.0
 codeql/tutorial:
- version: 1.0.14
+ version: 1.0.21
 codeql/typeflow:
- version: 1.0.14
+ version: 1.0.21
 codeql/typetracking:
- version: 1.0.14
+ version: 2.0.5
 codeql/util:
- version: 2.0.1
+ version: 2.0.8
 codeql/xml:
- version: 1.0.14
+ version: 1.0.21
 compiled: false
diff --git a/cpp/src/codeql-pack.lock.yml b/cpp/src/codeql-pack.lock.yml
index 122516db..f82f33c6 100644
--- a/cpp/src/codeql-pack.lock.yml
+++ b/cpp/src/codeql-pack.lock.yml
@@ -2,27 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/cpp-all:
- version: 3.1.0
+ version: 4.2.0
 codeql/cpp-queries:
- version: 1.3.1
+ version: 1.3.8
 codeql/dataflow:
- version: 1.1.8
+ version: 2.0.5
 codeql/mad:
- version: 1.0.14
+ version: 1.0.21
 codeql/rangeanalysis:
- version: 1.0.14
+ version: 1.0.21
 codeql/ssa:
- version: 1.0.14
+ version: 1.1.0
 codeql/suite-helpers:
- version: 1.0.14
+ version: 1.0.21
 codeql/tutorial:
- version: 1.0.14
+ version: 1.0.21
 codeql/typeflow:
- version: 1.0.14
+ version: 1.0.21
 codeql/typetracking:
- version: 1.0.14
+ version: 2.0.5
 codeql/util:
- version: 2.0.1
+ version: 2.0.8
 codeql/xml:
- version: 1.0.14
+ version: 1.0.21
 compiled: false
diff --git a/cpp/test/codeql-pack.lock.yml b/cpp/test/codeql-pack.lock.yml
index 122516db..f82f33c6 100644
--- a/cpp/test/codeql-pack.lock.yml
+++ b/cpp/test/codeql-pack.lock.yml
@@ -2,27 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/cpp-all:
- version: 3.1.0
+ version: 4.2.0
 codeql/cpp-queries:
- version: 1.3.1
+ version: 1.3.8
 codeql/dataflow:
- version: 1.1.8
+ version: 2.0.5
 codeql/mad:
- version: 1.0.14
+ version: 1.0.21
 codeql/rangeanalysis:
- version: 1.0.14
+ version: 1.0.21
 codeql/ssa:
- version: 1.0.14
+ version: 1.1.0
 codeql/suite-helpers:
- version: 1.0.14
+ version: 1.0.21
 codeql/tutorial:
- version: 1.0.14
+ version: 1.0.21
 codeql/typeflow:
- version: 1.0.14
+ version: 1.0.21
 codeql/typetracking:
- version: 1.0.14
+ version: 2.0.5
 codeql/util:
- version: 2.0.1
+ version: 2.0.8
 codeql/xml:
- version: 1.0.14
+ version: 1.0.21
 compiled: false
diff --git a/csharp/lib/codeql-pack.lock.yml b/csharp/lib/codeql-pack.lock.yml
index 59224418..c881b6fc 100644
--- a/csharp/lib/codeql-pack.lock.yml
+++ b/csharp/lib/codeql-pack.lock.yml
@@ -2,23 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/controlflow:
- version: 1.0.14
+ version: 2.0.5
 codeql/csharp-all:
- version: 4.0.1
+ version: 5.1.4
 codeql/dataflow:
- version: 1.1.8
+ version: 2.0.5
 codeql/mad:
- version: 1.0.14
+ version: 1.0.21
 codeql/ssa:
- version: 1.0.14
+ version: 1.1.0
 codeql/threat-models:
- version: 1.0.14
+ version: 1.0.21
 codeql/tutorial:
- version: 1.0.14
+ version: 1.0.21
 codeql/typetracking:
- version: 1.0.14
+ version: 2.0.5
 codeql/util:
- version: 2.0.1
+ version: 2.0.8
 codeql/xml:
- version: 1.0.14
+ version: 1.0.21
 compiled: false
diff --git a/csharp/src/codeql-pack.lock.yml b/csharp/src/codeql-pack.lock.yml
index 1cf89a4d..a4a82e27 100644
--- a/csharp/src/codeql-pack.lock.yml
+++ b/csharp/src/codeql-pack.lock.yml
@@ -2,27 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/controlflow:
- version: 1.0.14
+ version: 2.0.5
 codeql/csharp-all:
- version: 4.0.1
+ version: 5.1.4
 codeql/csharp-queries:
- version: 1.0.14
+ version: 1.1.1
 codeql/dataflow:
- version: 1.1.8
+ version: 2.0.5
 codeql/mad:
- version: 1.0.14
+ version: 1.0.21
 codeql/ssa:
- version: 1.0.14
+ version: 1.1.0
 codeql/suite-helpers:
- version: 1.0.14
+ version: 1.0.21
 codeql/threat-models:
- version: 1.0.14
+ version: 1.0.21
 codeql/tutorial:
- version: 1.0.14
+ version: 1.0.21
 codeql/typetracking:
- version: 1.0.14
+ version: 2.0.5
 codeql/util:
- version: 2.0.1
+ version: 2.0.8
 codeql/xml:
- version: 1.0.14
+ version: 1.0.21
 compiled: false
diff --git a/csharp/test/codeql-pack.lock.yml b/csharp/test/codeql-pack.lock.yml
index 1cf89a4d..a4a82e27 100644
--- a/csharp/test/codeql-pack.lock.yml
+++ b/csharp/test/codeql-pack.lock.yml
@@ -2,27 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/controlflow:
- version: 1.0.14
+ version: 2.0.5
 codeql/csharp-all:
- version: 4.0.1
+ version: 5.1.4
 codeql/csharp-queries:
- version: 1.0.14
+ version: 1.1.1
 codeql/dataflow:
- version: 1.1.8
+ version: 2.0.5
 codeql/mad:
- version: 1.0.14
+ version: 1.0.21
 codeql/ssa:
- version: 1.0.14
+ version: 1.1.0
 codeql/suite-helpers:
- version: 1.0.14
+ version: 1.0.21
 codeql/threat-models:
- version: 1.0.14
+ version: 1.0.21
 codeql/tutorial:
- version: 1.0.14
+ version: 1.0.21
 codeql/typetracking:
- version: 1.0.14
+ version: 2.0.5
 codeql/util:
- version: 2.0.1
+ version: 2.0.8
 codeql/xml:
- version: 1.0.14
+ version: 1.0.21
 compiled: false
diff --git a/go/lib/codeql-pack.lock.yml b/go/lib/codeql-pack.lock.yml
index cc844e57..8b83cae2 100644
--- a/go/lib/codeql-pack.lock.yml
+++ b/go/lib/codeql-pack.lock.yml
@@ -2,19 +2,19 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/dataflow:
- version: 2.0.4
+ version: 2.0.5
 codeql/go-all:
- version: 4.2.2
+ version: 4.2.3
 codeql/mad:
- version: 1.0.20
+ version: 1.0.21
 codeql/ssa:
- version: 1.0.20
+ version: 1.1.0
 codeql/threat-models:
- version: 1.0.20
+ version: 1.0.21
 codeql/tutorial:
- version: 1.0.20
+ version: 1.0.21
 codeql/typetracking:
- version: 2.0.4
+ version: 2.0.5
 codeql/util:
- version: 2.0.7
+ version: 2.0.8
 compiled: false
diff --git a/go/src/codeql-pack.lock.yml b/go/src/codeql-pack.lock.yml
index e54c0957..8b83cae2 100644
--- a/go/src/codeql-pack.lock.yml
+++ b/go/src/codeql-pack.lock.yml
@@ -2,19 +2,19 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/dataflow:
- version: 1.1.8
+ version: 2.0.5
 codeql/go-all:
- version: 3.0.1
+ version: 4.2.3
 codeql/mad:
- version: 1.0.14
+ version: 1.0.21
 codeql/ssa:
- version: 1.0.14
+ version: 1.1.0
 codeql/threat-models:
- version: 1.0.14
+ version: 1.0.21
 codeql/tutorial:
- version: 1.0.14
+ version: 1.0.21
 codeql/typetracking:
- version: 1.0.14
+ version: 2.0.5
 codeql/util:
- version: 2.0.1
+ version: 2.0.8
 compiled: false
diff --git a/go/test/codeql-pack.lock.yml b/go/test/codeql-pack.lock.yml
index e54c0957..8b83cae2 100644
--- a/go/test/codeql-pack.lock.yml
+++ b/go/test/codeql-pack.lock.yml
@@ -2,19 +2,19 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/dataflow:
- version: 1.1.8
+ version: 2.0.5
 codeql/go-all:
- version: 3.0.1
+ version: 4.2.3
 codeql/mad:
- version: 1.0.14
+ version: 1.0.21
 codeql/ssa:
- version: 1.0.14
+ version: 1.1.0
 codeql/threat-models:
- version: 1.0.14
+ version: 1.0.21
 codeql/tutorial:
- version: 1.0.14
+ version: 1.0.21
 codeql/typetracking:
- version: 1.0.14
+ version: 2.0.5
 codeql/util:
- version: 2.0.1
+ version: 2.0.8
 compiled: false
diff --git a/go/test/security/CWE-078/cmdi.expected b/go/test/security/CWE-078/cmdi.expected
index 1f936541..93224d71 100644
--- a/go/test/security/CWE-078/cmdi.expected
+++ b/go/test/security/CWE-078/cmdi.expected
@@ -1,6 +1,6 @@
 edges
-| main.go:20:14:20:20 | selection of URL | main.go:20:14:20:28 | call to Query | provenance | Src:MaD:1639 MaD:1700 |
-| main.go:20:14:20:28 | call to Query | main.go:27:22:27:28 | cmdName | provenance | Sink:MaD:1710 |
+| main.go:20:14:20:20 | selection of URL | main.go:20:14:20:28 | call to Query | provenance | Src:MaD:1925 MaD:1986 |
+| main.go:20:14:20:28 | call to Query | main.go:27:22:27:28 | cmdName | provenance | Sink:MaD:1996 |
 nodes
 | main.go:20:14:20:20 | selection of URL | semmle.label | selection of URL |
 | main.go:20:14:20:28 | call to Query | semmle.label | call to Query |
diff --git a/java/lib/codeql-pack.lock.yml b/java/lib/codeql-pack.lock.yml
index b8f35e61..708d4020 100644
--- a/java/lib/codeql-pack.lock.yml
+++ b/java/lib/codeql-pack.lock.yml
@@ -2,27 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/dataflow:
- version: 1.1.8
+ version: 2.0.5
 codeql/java-all:
- version: 6.0.0
+ version: 7.1.3
 codeql/mad:
- version: 1.0.14
+ version: 1.0.21
 codeql/rangeanalysis:
- version: 1.0.14
+ version: 1.0.21
 codeql/regex:
- version: 1.0.14
+ version: 1.0.21
 codeql/ssa:
- version: 1.0.14
+ version: 1.1.0
 codeql/threat-models:
- version: 1.0.14
+ version: 1.0.21
 codeql/tutorial:
- version: 1.0.14
+ version: 1.0.21
 codeql/typeflow:
- version: 1.0.14
+ version: 1.0.21
 codeql/typetracking:
- version: 1.0.14
+ version: 2.0.5
 codeql/util:
- version: 2.0.1
+ version: 2.0.8
 codeql/xml:
- version: 1.0.14
+ version: 1.0.21
 compiled: false
diff --git a/java/src/codeql-pack.lock.yml b/java/src/codeql-pack.lock.yml
index b8f35e61..708d4020 100644
--- a/java/src/codeql-pack.lock.yml
+++ b/java/src/codeql-pack.lock.yml
@@ -2,27 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/dataflow:
- version: 1.1.8
+ version: 2.0.5
 codeql/java-all:
- version: 6.0.0
+ version: 7.1.3
 codeql/mad:
- version: 1.0.14
+ version: 1.0.21
 codeql/rangeanalysis:
- version: 1.0.14
+ version: 1.0.21
 codeql/regex:
- version: 1.0.14
+ version: 1.0.21
 codeql/ssa:
- version: 1.0.14
+ version: 1.1.0
 codeql/threat-models:
- version: 1.0.14
+ version: 1.0.21
 codeql/tutorial:
- version: 1.0.14
+ version: 1.0.21
 codeql/typeflow:
- version: 1.0.14
+ version: 1.0.21
 codeql/typetracking:
- version: 1.0.14
+ version: 2.0.5
 codeql/util:
- version: 2.0.1
+ version: 2.0.8
 codeql/xml:
- version: 1.0.14
+ version: 1.0.21
 compiled: false
diff --git a/java/src/security/CWE-089/MyBatisCommonLib.qll b/java/src/security/CWE-089/MyBatisCommonLib.qll
index 9a0a8232..dd24b872 100644
--- a/java/src/security/CWE-089/MyBatisCommonLib.qll
+++ b/java/src/security/CWE-089/MyBatisCommonLib.qll
@@ -3,7 +3,6 @@
 */

 import java
-import semmle.code.xml.MyBatisMapperXML
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.MyBatis
 import semmle.code.java.frameworks.Properties
diff --git a/java/src/security/CWE-089/MyBatisMapperXmlSqlInjection.ql b/java/src/security/CWE-089/MyBatisMapperXmlSqlInjection.ql
index 5d4802a3..e347b40f 100644
--- a/java/src/security/CWE-089/MyBatisMapperXmlSqlInjection.ql
+++ b/java/src/security/CWE-089/MyBatisMapperXmlSqlInjection.ql
@@ -14,7 +14,7 @@
 import java
 import MyBatisCommonLib
 import MyBatisMapperXmlSqlInjectionLib
-import semmle.code.xml.MyBatisMapperXML
+import semmle.code.java.frameworks.MyBatis
 import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.Sanitizers
 import MyBatisMapperXmlSqlInjectionFlow::PathGraph
diff --git a/java/src/security/CWE-089/MyBatisMapperXmlSqlInjectionLib.qll b/java/src/security/CWE-089/MyBatisMapperXmlSqlInjectionLib.qll
index a6852a5c..e0986261 100644
--- a/java/src/security/CWE-089/MyBatisMapperXmlSqlInjectionLib.qll
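Review bot: In MyBatisMapperXmlSqlInjection.ql the replacement line `import semmle.code.java.frameworks.MyBatis` looks redundant: `import MyBatisCommonLib` two lines above already brings that module in, since MyBatisCommonLib.qll keeps its own `import semmle.code.java.frameworks.MyBatis` (its hunk in this diff just drops the stale `semmle.code.xml.MyBatisMapperXML` line) and QL imports are re-exported unless declared `private`. For consistency with the MyBatisCommonLib.qll hunk, simply delete the line here rather than swapping the module path. The same swap in MyBatisMapperXmlSqlInjectionLib.qll (next hunk) does appear necessary, because that file does not import MyBatisCommonLib in the visible context. It is worth confirming that every XML-mapper class the sink and sanitizer predicates rely on is now exported from `semmle.code.java.frameworks.MyBatis` in java-all 7.1.3; the rest of each file is outside these hunks.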
+++ b/java/src/security/CWE-089/MyBatisMapperXmlSqlInjectionLib.qll
@@ -3,7 +3,7 @@
 */

 import java
-import semmle.code.xml.MyBatisMapperXML
+import semmle.code.java.frameworks.MyBatis
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.Properties

diff --git a/java/test/codeql-pack.lock.yml b/java/test/codeql-pack.lock.yml
index b8f35e61..708d4020 100644
--- a/java/test/codeql-pack.lock.yml
+++ b/java/test/codeql-pack.lock.yml
@@ -2,27 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/dataflow:
- version: 1.1.8
+ version: 2.0.5
 codeql/java-all:
- version: 6.0.0
+ version: 7.1.3
 codeql/mad:
- version: 1.0.14
+ version: 1.0.21
 codeql/rangeanalysis:
- version: 1.0.14
+ version: 1.0.21
 codeql/regex:
- version: 1.0.14
+ version: 1.0.21
 codeql/ssa:
- version: 1.0.14
+ version: 1.1.0
 codeql/threat-models:
- version: 1.0.14
+ version: 1.0.21
 codeql/tutorial:
- version: 1.0.14
+ version: 1.0.21
 codeql/typeflow:
- version: 1.0.14
+ version: 1.0.21
 codeql/typetracking:
- version: 1.0.14
+ version: 2.0.5
 codeql/util:
- version: 2.0.1
+ version: 2.0.8
 codeql/xml:
- version: 1.0.14
+ version: 1.0.21
 compiled: false
diff --git a/java/test/security/CWE-016/options b/java/test/security/CWE-016/options
index a7b146da..a7b10cd2 100644
--- a/java/test/security/CWE-016/options
+++ b/java/test/security/CWE-016/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x
diff --git a/java/test/security/CWE-022/options b/java/test/security/CWE-022/options
index e3a00f86..aa84e7c9 100644
--- a/java/test/security/CWE-022/options
+++ b/java/test/security/CWE-022/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../stubs/lingala-zip4j-2.11.5:${testdir}/../../stubs/software-amazon-awssdk-crt-0.20.3:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8:${testdir}/../../stubs/reactivestreams-1.0.4:${testdir}/../../../../codeql/java/ql/test/stubs/slf4j-2.0.0
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../stubs/lingala-zip4j-2.11.5:${testdir}/../../stubs/software-amazon-awssdk-crt-0.20.3:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x:${testdir}/../../stubs/reactivestreams-1.0.4:${testdir}/../../../../codeql/java/ql/test/stubs/slf4j-2.0.0
diff --git a/java/test/security/CWE-089/src/main/options b/java/test/security/CWE-089/src/main/options
index 8988d45a..ab1cf4d0 100644
--- a/java/test/security/CWE-089/src/main/options
+++ b/java/test/security/CWE-089/src/main/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../../codeql/java/ql/test/stubs/springframework-5.3.8/:${testdir}/../../../../../../codeql/java/ql/test/stubs/org.mybatis-3.5.4/
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../../codeql/java/ql/test/stubs/springframework-5.8.x/:${testdir}/../../../../../../codeql/java/ql/test/stubs/org.mybatis-3.5.4/
diff --git a/java/test/security/CWE-094/options b/java/test/security/CWE-094/options
index 35ec6a59..15533006 100644
--- a/java/test/security/CWE-094/options
+++ b/java/test/security/CWE-094/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8:${testdir}/../../../../codeql/java/ql/test/stubs/jsr223-api:${testdir}/../../../../codeql/java/ql/test/stubs/scriptengine:${testdir}/../../../../codeql/java/ql/test/stubs/java-ee-el:${testdir}/../../../../codeql/java/ql/test/stubs/juel-2.2:${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/jython-2.7.2:${testdir}/../../stubs/rhino-1.7.13:${testdir}/../../../../codeql/java/ql/test/stubs/bsh-2.0b5:${testdir}/../../stubs/jshell:${testdir}/../../stubs/apache-freemarker-2.3.31:${testdir}/../../stubs/jinjava-2.6.0:${testdir}/../../stubs/pebble-3.1.5:${testdir}/../../stubs/thymeleaf-3.0.14:${testdir}/../../stubs/apache-velocity-2.3
\ No newline at end of file
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x:${testdir}/../../../../codeql/java/ql/test/stubs/jsr223-api:${testdir}/../../../../codeql/java/ql/test/stubs/scriptengine:${testdir}/../../../../codeql/java/ql/test/stubs/java-ee-el:${testdir}/../../../../codeql/java/ql/test/stubs/juel-2.2:${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/jython-2.7.2:${testdir}/../../stubs/rhino-1.7.13:${testdir}/../../../../codeql/java/ql/test/stubs/bsh-2.0b5:${testdir}/../../stubs/jshell:${testdir}/../../stubs/apache-freemarker-2.3.31:${testdir}/../../stubs/jinjava-2.6.0:${testdir}/../../stubs/pebble-3.1.5:${testdir}/../../stubs/thymeleaf-3.0.14:${testdir}/../../stubs/apache-velocity-2.3
\ No newline at end of file
diff --git a/java/test/security/CWE-1004/options b/java/test/security/CWE-1004/options
index 477fd963..3ce9f99d 100644
--- a/java/test/security/CWE-1004/options
+++ b/java/test/security/CWE-1004/options
@@ -1 +1 @@
-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/jsr311-api-1.1.1:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8
\ No newline at end of file
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/jsr311-api-1.1.1:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x
\ No newline at end of file
diff --git a/java/test/security/CWE-200/InsecureWebResourceResponse.expected b/java/test/security/CWE-200/InsecureWebResourceResponse.expected
index 7d140ab3..0b97edbe 100644
--- a/java/test/security/CWE-200/InsecureWebResourceResponse.expected
+++ b/java/test/security/CWE-200/InsecureWebResourceResponse.expected
@@ -29,7 +29,7 @@ edges | InsecureWebResourceResponse.java:65:41:65:43 | url : String | InsecureWebResourceResponse.java:65:31:65:44 | parse(...) : Uri | provenance | MaD:2 | | InsecureWebResourceResponse.java:66:51:66:84 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:68:71:68:81 | inputStream | provenance | | | InsecureWebResourceResponse.java:66:71:66:73 | uri : Uri | InsecureWebResourceResponse.java:66:71:66:83 | getPath(...) : String | provenance | MaD:4 | -| InsecureWebResourceResponse.java:66:71:66:83 | getPath(...) : String | InsecureWebResourceResponse.java:66:51:66:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:7 | +| InsecureWebResourceResponse.java:66:71:66:83 | getPath(...) : String | InsecureWebResourceResponse.java:66:51:66:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:6 | | InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String | provenance | AdditionalTaintStep | | InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String | provenance | AdditionalTaintStep | | InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String | provenance | AdditionalTaintStep | 
@@ -39,11 +39,10 @@ edges | InsecureWebResourceResponse.java:84:77:84:86 | url : String | InsecureWebResourceResponse.java:86:41:86:43 | url : String | provenance | | | InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri | InsecureWebResourceResponse.java:88:66:88:68 | uri : Uri | provenance | | | InsecureWebResourceResponse.java:86:41:86:43 | url : String | InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri | provenance | MaD:2 | -| InsecureWebResourceResponse.java:88:42:88:90 | new File(...) : File | InsecureWebResourceResponse.java:89:75:89:83 | cacheFile : File | provenance | | | InsecureWebResourceResponse.java:88:66:88:68 | uri : Uri | InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String | provenance | MaD:3 | -| InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String | InsecureWebResourceResponse.java:88:42:88:90 | new File(...) : File | provenance | MaD:6 | +| InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String | InsecureWebResourceResponse.java:89:75:89:83 | cacheFile : File | provenance | AdditionalTaintStep | | InsecureWebResourceResponse.java:89:55:89:84 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:91:75:91:85 | inputStream | provenance | | -| InsecureWebResourceResponse.java:89:75:89:83 | cacheFile : File | InsecureWebResourceResponse.java:89:55:89:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:7 | +| InsecureWebResourceResponse.java:89:75:89:83 | cacheFile : File | InsecureWebResourceResponse.java:89:55:89:84 | new FileInputStream(...) 
: FileInputStream | provenance | MaD:6 | | InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String | provenance | AdditionalTaintStep | | InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String | provenance | AdditionalTaintStep | | InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String | provenance | AdditionalTaintStep | 
@@ -54,11 +53,11 @@ edges | InsecureWebResourceResponse.java:112:31:112:44 | parse(...) : Uri | InsecureWebResourceResponse.java:113:35:113:37 | uri : Uri | provenance | | | InsecureWebResourceResponse.java:112:41:112:43 | url : String | InsecureWebResourceResponse.java:112:31:112:44 | parse(...) : Uri | provenance | MaD:2 | | InsecureWebResourceResponse.java:113:35:113:37 | uri : Uri | InsecureWebResourceResponse.java:113:35:113:47 | getPath(...) : String | provenance | MaD:4 | -| InsecureWebResourceResponse.java:113:35:113:47 | getPath(...) : String | InsecureWebResourceResponse.java:113:35:113:60 | substring(...) : String | provenance | MaD:8 | +| InsecureWebResourceResponse.java:113:35:113:47 | getPath(...) : String | InsecureWebResourceResponse.java:113:35:113:60 | substring(...) : String | provenance | MaD:7 | | InsecureWebResourceResponse.java:113:35:113:60 | substring(...) : String | InsecureWebResourceResponse.java:115:75:115:78 | path : String | provenance | | | InsecureWebResourceResponse.java:115:55:115:108 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:117:75:117:85 | inputStream | provenance | | -| InsecureWebResourceResponse.java:115:75:115:78 | path : String | InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String | provenance | MaD:8 | -| InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String | InsecureWebResourceResponse.java:115:55:115:108 | new FileInputStream(...) : FileInputStream | provenance | MaD:7 | +| InsecureWebResourceResponse.java:115:75:115:78 | path : String | InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String | provenance | MaD:7 | +| InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String | InsecureWebResourceResponse.java:115:55:115:108 | new FileInputStream(...) 
: FileInputStream | provenance | MaD:6 | | InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String | provenance | AdditionalTaintStep | | InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String | provenance | AdditionalTaintStep | | InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String | provenance | AdditionalTaintStep | 
@@ -86,11 +85,10 @@ edges | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest | InsecureWebResourceResponse.java:194:31:194:37 | request : WebResourceRequest | provenance | | | InsecureWebResourceResponse.java:194:31:194:37 | request : WebResourceRequest | InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri | provenance | MaD:5 | | InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri | InsecureWebResourceResponse.java:196:66:196:68 | uri : Uri | provenance | | -| InsecureWebResourceResponse.java:196:42:196:90 | new File(...) : File | InsecureWebResourceResponse.java:197:75:197:83 | cacheFile : File | provenance | | | InsecureWebResourceResponse.java:196:66:196:68 | uri : Uri | InsecureWebResourceResponse.java:196:66:196:89 | getLastPathSegment(...) : String | provenance | MaD:3 | -| InsecureWebResourceResponse.java:196:66:196:89 | getLastPathSegment(...) : String | InsecureWebResourceResponse.java:196:42:196:90 | new File(...) : File | provenance | MaD:6 | +| InsecureWebResourceResponse.java:196:66:196:89 | getLastPathSegment(...) : String | InsecureWebResourceResponse.java:197:75:197:83 | cacheFile : File | provenance | AdditionalTaintStep | | InsecureWebResourceResponse.java:197:55:197:84 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:199:75:199:85 | inputStream | provenance | | -| InsecureWebResourceResponse.java:197:75:197:83 | cacheFile : File | InsecureWebResourceResponse.java:197:55:197:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:7 | +| InsecureWebResourceResponse.java:197:75:197:83 | cacheFile : File | InsecureWebResourceResponse.java:197:55:197:84 | new FileInputStream(...) 
: FileInputStream | provenance | MaD:6 | | InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String | provenance | AdditionalTaintStep | | InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String | provenance | AdditionalTaintStep | | InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String | provenance | AdditionalTaintStep | @@ -107,7 +105,7 @@ edges | InsecureWebResourceResponse.java:234:33:234:35 | url : String | InsecureWebResourceResponse.java:234:23:234:36 | parse(...) : Uri | provenance | MaD:2 | | InsecureWebResourceResponse.java:235:43:235:76 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:237:63:237:73 | inputStream | provenance | | | InsecureWebResourceResponse.java:235:63:235:65 | uri : Uri | InsecureWebResourceResponse.java:235:63:235:75 | getPath(...) : String | provenance | MaD:4 | -| InsecureWebResourceResponse.java:235:63:235:75 | getPath(...) : String | InsecureWebResourceResponse.java:235:43:235:76 | new FileInputStream(...) : FileInputStream | provenance | MaD:7 | +| InsecureWebResourceResponse.java:235:63:235:75 | getPath(...) : String | InsecureWebResourceResponse.java:235:43:235:76 | new FileInputStream(...) : FileInputStream | provenance | MaD:6 | | InsecureWebViewActivity.java:27:27:27:37 | getIntent(...) : Intent | InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : String | provenance | MaD:1 | | InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : String | InsecureWebViewActivity.java:28:20:28:27 | inputUrl : String | provenance | | | InsecureWebViewActivity.java:28:20:28:27 | inputUrl : String | InsecureWebViewActivity.java:42:28:42:37 | url : String | provenance | | 
@@ -118,16 +116,15 @@ edges | InsecureWebViewActivity.java:55:41:55:43 | url : String | InsecureWebViewActivity.java:55:31:55:44 | parse(...) : Uri | provenance | MaD:2 | | InsecureWebViewActivity.java:56:51:56:84 | new FileInputStream(...) : FileInputStream | InsecureWebViewActivity.java:58:71:58:81 | inputStream | provenance | | | InsecureWebViewActivity.java:56:71:56:73 | uri : Uri | InsecureWebViewActivity.java:56:71:56:83 | getPath(...) : String | provenance | MaD:4 | -| InsecureWebViewActivity.java:56:71:56:83 | getPath(...) : String | InsecureWebViewActivity.java:56:51:56:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:7 | +| InsecureWebViewActivity.java:56:71:56:83 | getPath(...) : String | InsecureWebViewActivity.java:56:51:56:84 | new FileInputStream(...) : FileInputStream | provenance | MaD:6 | models | 1 | Summary: android.content; Intent; true; getStringExtra; (String); ; Argument[this].SyntheticField[android.content.Intent.extras].MapValue; ReturnValue; value; manual | | 2 | Summary: android.net; Uri; false; parse; ; ; Argument[0]; ReturnValue; taint; manual | | 3 | Summary: android.net; Uri; true; getLastPathSegment; ; ; Argument[this]; ReturnValue; taint; manual | | 4 | Summary: android.net; Uri; true; getPath; ; ; Argument[this]; ReturnValue; taint; manual | | 5 | Summary: android.webkit; WebResourceRequest; false; getUrl; ; ; Argument[this]; ReturnValue; taint; manual | -| 6 | Summary: java.io; File; false; File; ; ; Argument[1]; Argument[this]; taint; manual | -| 7 | Summary: java.io; FileInputStream; true; FileInputStream; ; ; Argument[0]; Argument[this]; taint; manual | -| 8 | Summary: java.lang; String; false; substring; ; ; Argument[this]; ReturnValue; taint; manual | +| 6 | Summary: java.io; FileInputStream; true; FileInputStream; ; ; Argument[0]; Argument[this]; taint; manual | +| 7 | Summary: java.lang; String; false; substring; ; ; Argument[this]; ReturnValue; taint; manual | nodes | 
InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent | | InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String | @@ -152,7 +149,6 @@ nodes | InsecureWebResourceResponse.java:84:77:84:86 | url : String | semmle.label | url : String | | InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri | semmle.label | parse(...) : Uri | | InsecureWebResourceResponse.java:86:41:86:43 | url : String | semmle.label | url : String | -| InsecureWebResourceResponse.java:88:42:88:90 | new File(...) : File | semmle.label | new File(...) : File | | InsecureWebResourceResponse.java:88:66:88:68 | uri : Uri | semmle.label | uri : Uri | | InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String | semmle.label | getLastPathSegment(...) : String | | InsecureWebResourceResponse.java:89:55:89:84 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream | @@ -181,7 +177,6 @@ nodes | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest | semmle.label | request : WebResourceRequest | | InsecureWebResourceResponse.java:194:31:194:37 | request : WebResourceRequest | semmle.label | request : WebResourceRequest | | InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri | semmle.label | getUrl(...) : Uri | -| InsecureWebResourceResponse.java:196:42:196:90 | new File(...) : File | semmle.label | new File(...) : File | | InsecureWebResourceResponse.java:196:66:196:68 | uri : Uri | semmle.label | uri : Uri | | InsecureWebResourceResponse.java:196:66:196:89 | getLastPathSegment(...) : String | semmle.label | getLastPathSegment(...) : String | | InsecureWebResourceResponse.java:197:55:197:84 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream | 
diff --git a/java/test/security/CWE-348/options b/java/test/security/CWE-348/options
index a2b281ca..2bae3903 100644
--- a/java/test/security/CWE-348/options
+++ b/java/test/security/CWE-348/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8/:${testdir}/../../../../codeql/java/ql/test/stubs/apache-commons-lang3-3.7/
\ No newline at end of file
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x/:${testdir}/../../../../codeql/java/ql/test/stubs/apache-commons-lang3-3.7/
\ No newline at end of file
diff --git a/java/test/security/CWE-352/options b/java/test/security/CWE-352/options
index 3adf1e81..bdd3b318 100644
--- a/java/test/security/CWE-352/options
+++ b/java/test/security/CWE-352/options
@@ -1 +1 @@
- //semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/apache-http-4.4.13/:${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/fastjson-1.2.74/:${testdir}/../../../../codeql/java/ql/test/stubs/gson-2.8.6/:${testdir}/../../../../codeql/java/ql/test/stubs/jackson-databind-2.12/:${testdir}/../../../../codeql/java/ql/test/stubs/jackson-core-2.12:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8/
+ //semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/apache-http-4.4.13/:${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/fastjson-1.2.74/:${testdir}/../../../../codeql/java/ql/test/stubs/gson-2.8.6/:${testdir}/../../../../codeql/java/ql/test/stubs/jackson-databind-2.12/:${testdir}/../../../../codeql/java/ql/test/stubs/jackson-core-2.12:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x/
diff --git a/java/test/security/CWE-470/options b/java/test/security/CWE-470/options
index 6c74a861..aadf4605 100644
--- a/java/test/security/CWE-470/options
+++ b/java/test/security/CWE-470/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8/:${testdir}/../../../../codeql/java/ql/test/stubs/google-android-9.0.0
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x/:${testdir}/../../../../codeql/java/ql/test/stubs/google-android-9.0.0
diff --git a/java/test/security/CWE-502/options b/java/test/security/CWE-502/options
index 8b0f023a..7f996cec 100644
--- a/java/test/security/CWE-502/options
+++ b/java/test/security/CWE-502/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8
\ No newline at end of file
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x
\ No newline at end of file
diff --git a/java/test/security/CWE-601/options b/java/test/security/CWE-601/options
index 9dc2f824..f0e9dd09 100644
--- a/java/test/security/CWE-601/options
+++ b/java/test/security/CWE-601/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8/
\ No newline at end of file
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x/
\ No newline at end of file
diff --git a/java/test/security/CWE-625/options b/java/test/security/CWE-625/options
index 1cd16d11..2f13ddd8 100644
--- a/java/test/security/CWE-625/options
+++ b/java/test/security/CWE-625/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x
diff --git a/java/test/security/CWE-652/options b/java/test/security/CWE-652/options
index 7819ef1e..72717907 100644
--- a/java/test/security/CWE-652/options
+++ b/java/test/security/CWE-652/options
@@ -1 +1 @@ -//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/apache-http-4.4.13/:${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/saxon-xqj-9.x/:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.3.8/ +//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/apache-http-4.4.13/:${testdir}/../../../../codeql/java/ql/test/stubs/servlet-api-2.4:${testdir}/../../../../codeql/java/ql/test/stubs/saxon-xqj-9.x/:${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x/ diff --git a/javascript/lib/browserextension/BothSidesRequestForgeryQuery.qll b/javascript/lib/browserextension/BothSidesRequestForgeryQuery.qll index b0685e22..96de624c 100644 --- a/javascript/lib/browserextension/BothSidesRequestForgeryQuery.qll +++ b/javascript/lib/browserextension/BothSidesRequestForgeryQuery.qll @@ -16,10 +16,8 @@ * A taint tracking configuration for client-side request forgery. * Server side is disabled since this is in the browser, but the extra models can be enabled for extra coverage */ - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "ClientSideRequestForgery" } - - override predicate isSource(DataFlow::Node source) { + module Config implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { exists(Source src | source = src and not src.isServerSide() 
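Review bot: The new configuration is exported under the generic names `Config` and `ConfigFlow`, and the same two names are introduced in `BrowserInjectionFieldQuery.qll` and `CodeInjectionQuery.qll` later in this diff; a query that imports two of these libraries gets an ambiguous `Config` and `ConfigFlow::PathGraph`. Per-file names such as `module RequestForgeryConfig implements DataFlow::ConfigSig {` and `module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>;` (with `BrowserRequestForgery.ql` updated to match) avoid that and follow the `XssConfig`/`XssFlow` and `InsecureIVConfig`/`InsecureIVFlow` pattern used elsewhere in this change. The module body continues in the next hunk.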
@@ -27,20 +25,21 @@ source instanceof OnMessageExternal or source instanceof OnConnectExternal } - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) or + predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } - override predicate isSanitizerOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) } + predicate isBarrierOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) } - override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { + predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { isAdditionalRequestForgeryStep(pred, succ) } } + module ConfigFlow = TaintTracking::Global; + class BrowserStep extends DataFlow::SharedFlowStep { override predicate step(DataFlow::Node pred, DataFlow::Node succ) { (exists (DataFlow::ParameterNode p | diff --git a/javascript/lib/browserextension/BrowserInjectionFieldCustomizations.qll b/javascript/lib/browserextension/BrowserInjectionFieldCustomizations.qll index 3ccab77d..103a8459 100644 --- a/javascript/lib/browserextension/BrowserInjectionFieldCustomizations.qll +++ b/javascript/lib/browserextension/BrowserInjectionFieldCustomizations.qll @@ -9,7 +9,6 @@ private import semmle.javascript.security.dataflow.XssThroughDomCustomizations:: module BrowserInjection { - private import DataFlow::FlowLabel /** * A data flow source for Chrome API injection vulnerabilities. */ @@ -17,7 +16,7 @@ module BrowserInjection { - DataFlow::FlowLabel getFlowLabel() { result = "BrowserSource" } + string getFlowLabel() { result = "BrowserSource" } } /** diff --git a/javascript/lib/browserextension/BrowserInjectionFieldQuery.qll b/javascript/lib/browserextension/BrowserInjectionFieldQuery.qll new file mode 100644 index 00000000..34e84004 --- /dev/null +++ b/javascript/lib/browserextension/BrowserInjectionFieldQuery.qll 
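Review bot: `isBarrier` keeps only `node instanceof Sanitizer`, whereas the replaced `isSanitizer` also included `super.isSanitizer(node)`; the module-based API has no `super`, so whether the library's default taint sanitizers still apply now depends on `TaintTracking::Global` adding them internally, which is worth confirming against the query's `.expected` output rather than assuming. The same drop occurs in `CodeInjectionQuery.qll` and `XSSReact.ql` further down. `module ConfigFlow = TaintTracking::Global;` is shown here without its `<Config>` argument; if that is not an artifact of how the diff was rendered, the alias will not compile. `BrowserStep` continues outside the hunk.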
@@ -0,0 +1,47 @@ + import javascript + private import browserextension.BrowserInjectionFieldCustomizations::BrowserInjection + private import semmle.javascript.security.dataflow.XssThroughDomCustomizations::XssThroughDom as XssThroughDom + + //private import semmle.javascript.security.dataflow.DomBasedXssCustomizations + //private import semmle.javascript.security.dataflow.XssThroughDomCustomizations::XssThroughDom as XssThroughDom + + //private import semmle.javascript.security.dataflow.CodeInjectionCustomizations + + module Config implements DataFlow::ConfigSig { + + predicate isSource(DataFlow::Node source) { + source instanceof Source + } + + predicate isSink(DataFlow::Node sink) { + sink instanceof Sink + } + + additional predicate isAdditionalLoadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) { + (pred = succ) and + ((pred instanceof Update and prop = ["url", "openerTabId"]) + or + (pred instanceof DownloadsDangerous and prop = ["body", "conflictAction","filename", "url", "method"]) + or + (pred instanceof Delete and prop = ["startTime", "endTime", "url"]) + //or + //(pred instanceof SetContentSettings and succ instanceof SetContentSettings and prop = any(string s)) + //or + //(pred instanceof GetContentSettings and succ instanceof GetContentSettings and prop = any(string s)) + //(pred instanceof StorageSet and succ instanceof StorageSet and prop = any(string s)) + //or + //(pred instanceof SearchHistory and prop = any(string s)) + or + (pred instanceof GetCookie and prop = ["domain", "firstPartyDomain", "name", "url", "session", "path", "storeId"]) + or + (pred instanceof UpdateBookmarks and prop= ["title", "url"]) + or + (pred = succ and pred instanceof RemoveBrowsingData and prop = ["cookieStoreId", "hostnames", "originTypes", "since"]) + or + (pred = succ and pred instanceof AddHistory and prop = ["url"]) + or + (pred = succ and pred instanceof CreateWindows and prop = ["url"])) + } + } + + module ConfigFlow = TaintTracking::Global; 
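Review bot: `isAdditionalLoadStep` is declared `additional`, which makes it a helper outside `DataFlow::ConfigSig` rather than part of the configuration, and nothing in this file calls it, so the property-load steps for `Update`, `DownloadsDangerous`, `GetCookie` and the other sinks are no longer consulted by `ConfigFlow` unless they are wired in elsewhere (for example through a `DataFlow::SharedFlowStep` `loadStep` override). The removed `override predicate isAdditionalLoadStep` in `BrowserInjectionFieldQuery.ql` was part of the old configuration, so leaving this unwired is a silent loss of coverage; the `additional predicate isAdditionalLoadStep` in `CodeInjectionQuery.qll` below has the same problem. The inner `pred = succ and` conjuncts on the `RemoveBrowsingData`, `AddHistory` and `CreateWindows` alternatives repeat the outer `(pred = succ) and` and can be dropped. The predicate also has no QLDoc; a line such as `/** Holds if property prop of the API-call node pred carries a value that should be tracked into the call. */` would state its intent.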
diff --git a/javascript/lib/browserextension/BrowserInjectionObjectCustomizations.qll b/javascript/lib/browserextension/BrowserInjectionObjectCustomizations.qll index db4302a8..65091204 100644 --- a/javascript/lib/browserextension/BrowserInjectionObjectCustomizations.qll +++ b/javascript/lib/browserextension/BrowserInjectionObjectCustomizations.qll @@ -8,7 +8,6 @@ private import browserextension.BrowserAPI module BrowserInjection { - private import DataFlow::FlowLabel /** * A data flow source for Chrome API injection vulnerabilities. */ @@ -16,7 +15,7 @@ module BrowserInjection { - DataFlow::FlowLabel getFlowLabel() { result = "BrowserSource" } + string getFlowLabel() { result = "BrowserSource" } } /** diff --git a/javascript/lib/browserextension/CodeInjectionQuery.qll b/javascript/lib/browserextension/CodeInjectionQuery.qll index 9f0e2677..4e760d9b 100644 --- a/javascript/lib/browserextension/CodeInjectionQuery.qll +++ b/javascript/lib/browserextension/CodeInjectionQuery.qll 
@@ -17,30 +17,29 @@ /** * A taint-tracking configuration for reasoning about code injection vulnerabilities. */ - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "CodeInjection" } + module Config implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof XssThroughDom::Source} - override predicate isSource(DataFlow::Node source) { source instanceof XssThroughDom::Source} + predicate isSink(DataFlow::Node sink) { sink instanceof Sink} - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink} - - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) or + predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } - override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) { + predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) { // HTML sanitizers are insufficient protection against code injection src = trg.(HtmlSanitizerCall).getInput() } - override predicate isAdditionalLoadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) { + additional predicate isAdditionalLoadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) { exists(ExecuteScript ess | ess = pred and ess = succ and prop = ["file", "code"]) } } + module ConfigFlow = TaintTracking::Global; + //Browser Extension Models class ExecuteScriptSink extends Sink instanceof ExecuteScript{} class ExternalConnect1 extends Source instanceof OnConnectExternal{} diff --git a/javascript/lib/codeql-pack.lock.yml b/javascript/lib/codeql-pack.lock.yml index 3a11520c..e9f70de3 100644 --- a/javascript/lib/codeql-pack.lock.yml +++ b/javascript/lib/codeql-pack.lock.yml 
@@ -2,25 +2,25 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/dataflow:
- version: 1.1.8
+ version: 2.0.5
 codeql/javascript-all:
- version: 2.2.1
+ version: 2.6.1
 codeql/mad:
- version: 1.0.14
+ version: 1.0.21
 codeql/regex:
- version: 1.0.14
+ version: 1.0.21
 codeql/ssa:
- version: 1.0.14
+ version: 1.1.0
 codeql/threat-models:
- version: 1.0.14
+ version: 1.0.21
 codeql/tutorial:
- version: 1.0.14
+ version: 1.0.21
 codeql/typetracking:
- version: 1.0.14
+ version: 2.0.5
 codeql/util:
- version: 2.0.1
+ version: 2.0.8
 codeql/xml:
- version: 1.0.14
+ version: 1.0.21
 codeql/yaml:
- version: 1.0.14
+ version: 1.0.21
 compiled: false
diff --git a/javascript/lib/ghsl/InsecureIV.qll b/javascript/lib/ghsl/InsecureIV.qll
index bd9c6320..891941d8 100644
--- a/javascript/lib/ghsl/InsecureIV.qll
+++ b/javascript/lib/ghsl/InsecureIV.qll
@@ -2,47 +2,41 @@ import semmle.javascript.dataflow.TaintTracking import ghsl.CommandLine -class RandomTaintsSourceConfiguration extends TaintTracking::Configuration { - RandomTaintsSourceConfiguration() { this = "RandomTaintsSourceConfiguration" } +module RandomTaintsSourceConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { isSecureRandom(source) } - override predicate isSource(DataFlow::Node source) { - isSecureRandom(source) - } - - override predicate isSink(DataFlow::Node sink) { - not isSecureRandom(sink) - } + predicate isSink(DataFlow::Node sink) { not isSecureRandom(sink) } } -class InsecureIVConfiguration extends TaintTracking::Configuration { - InsecureIVConfiguration() { this = "InsecureIVConfiguration" } +module RandomTaintsSourceFlow = TaintTracking::Global; - override predicate isSource(DataFlow::Node source) { - exists(Literal literal|literal.flow() = source) - or - source instanceof DataFlow::ArrayLiteralNode - or - source instanceof RemoteFlowSource - or - source instanceof FileSystemReadAccess - or - source instanceof DatabaseAccess - or - source instanceof CommandLineArgument - or - // an external function that is not a known source of randomness - ( - source instanceof ExternalCallWithOutput - and not source instanceof CreateIVArgument - and not source instanceof SecureRandomSource - ) - } +module InsecureIVConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + exists(Literal literal | literal.flow() = source) + or + source instanceof DataFlow::ArrayLiteralNode + or + source instanceof RemoteFlowSource + or + source instanceof FileSystemReadAccess + or + source instanceof DatabaseAccess + or + source instanceof CommandLineArgument + or + // an external function that is not a known source of randomness + ( + source instanceof ExternalCallWithOutput + and not source instanceof CreateIVArgument + and not source instanceof SecureRandomSource + ) + } - override predicate 
isSink(DataFlow::Node sink) { - sink instanceof CreateIVArgument - } + predicate isSink(DataFlow::Node sink) { sink instanceof CreateIVArgument } } +module InsecureIVFlow = TaintTracking::Global; + class ExternalCallWithOutput extends DataFlow::Node { CallExpr call; diff --git a/javascript/src/audit/CWE-094/BrowserExtensionCodeInjection.ql b/javascript/src/audit/CWE-094/BrowserExtensionCodeInjection.ql index 09bbe1a8..f3320a0b 100644 --- a/javascript/src/audit/CWE-094/BrowserExtensionCodeInjection.ql +++ b/javascript/src/audit/CWE-094/BrowserExtensionCodeInjection.ql @@ -16,9 +16,9 @@ import javascript import browserextension.CodeInjectionQuery - import DataFlow::PathGraph + import ConfigFlow::PathGraph - from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink - where cfg.hasFlowPath(source, sink) + from ConfigFlow::PathNode source, ConfigFlow::PathNode sink + where ConfigFlow::flowPath(source, sink) select sink.getNode(), source, sink, sink.getNode().(Sink).getMessagePrefix() + " depends on a $@.", source.getNode(), "user-provided value" \ No newline at end of file diff --git a/javascript/src/audit/CWE-918/BrowserRequestForgery.ql b/javascript/src/audit/CWE-918/BrowserRequestForgery.ql index c804635a..9c5590ec 100644 --- a/javascript/src/audit/CWE-918/BrowserRequestForgery.ql +++ b/javascript/src/audit/CWE-918/BrowserRequestForgery.ql 
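Review bot: Neither `RandomTaintsSourceConfig` nor `InsecureIVConfig` carries a QLDoc comment, and the relationship between them — the first exists only so that `InsecureIV.ql` can discard IV arguments that are taint-derived from a `SecureRandomSource` — is not stated anywhere in the file. Suggest `/** Tracks values derived from a secure random source; InsecureIV.ql uses this to exclude such IVs. */` above the first module and `/** Tracks literals, external input and other non-random values into CreateIVArgument sinks. */` above the second. Separately, `isSink(sink) { not isSecureRandom(sink) }` makes almost every node a sink, while `InsecureIV.ql` only ever asks `RandomTaintsSourceFlow::flow(_, source.getNode())` for nodes that are `InsecureIVConfig` sources; restricting it to `InsecureIVConfig::isSource(sink) and not isSecureRandom(sink)` should give the same query results and bound the global flow computation. `ExternalCallWithOutput` continues outside the hunk.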
@@ -13,11 +13,11 @@ import javascript import browserextension.BothSidesRequestForgeryQuery - import DataFlow::PathGraph + import ConfigFlow::PathGraph - from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node request + from ConfigFlow::PathNode source, ConfigFlow::PathNode sink, DataFlow::Node request where - cfg.hasFlowPath(source, sink) and + ConfigFlow::flowPath(source, sink) and request = sink.getNode().(Sink).getARequest() select request, source, sink, "The $@ of this request depends on a $@.", sink.getNode(), sink.getNode().(Sink).getKind(), source, "user-provided value" \ No newline at end of file diff --git a/javascript/src/audit/browserAPI/BrowserInjectionFieldQuery.ql b/javascript/src/audit/browserAPI/BrowserInjectionFieldQuery.ql index 4d028cfe..ffec5e54 100644 --- a/javascript/src/audit/browserAPI/BrowserInjectionFieldQuery.ql +++ b/javascript/src/audit/browserAPI/BrowserInjectionFieldQuery.ql 
@@ -11,58 +11,10 @@ import javascript - import DataFlow::PathGraph - import DataFlow - import browserextension.BrowserInjectionFieldCustomizations::BrowserInjection - private import semmle.javascript.security.dataflow.XssThroughDomCustomizations::XssThroughDom as XssThroughDom - - //private import semmle.javascript.security.dataflow.DomBasedXssCustomizations - //private import semmle.javascript.security.dataflow.XssThroughDomCustomizations::XssThroughDom as XssThroughDom - - //private import semmle.javascript.security.dataflow.CodeInjectionCustomizations - - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "BrowserInjection" } - - override predicate isSource(DataFlow::Node source) { - source instanceof Source - } - - override predicate isSink(DataFlow::Node sink) { - sink instanceof Sink - } - - override predicate isAdditionalLoadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) { - (pred = succ) and - ((pred instanceof Update and prop = ["url", "openerTabId"]) - or - (pred instanceof DownloadsDangerous and prop = ["body", "conflictAction","filename", "url", "method"]) - or - (pred instanceof Delete and prop = ["startTime", "endTime", "url"]) - //or - //(pred instanceof SetContentSettings and succ instanceof SetContentSettings and prop = any(string s)) - //or - //(pred instanceof GetContentSettings and succ instanceof GetContentSettings and prop = any(string s)) - //(pred instanceof StorageSet and succ instanceof StorageSet and prop = any(string s)) - //or - //(pred instanceof SearchHistory and prop = any(string s)) - or - (pred instanceof GetCookie and prop = ["domain", "firstPartyDomain", "name", "url", "session", "path", "storeId"]) - or - (pred instanceof UpdateBookmarks and prop= ["title", "url"]) - or - (pred = succ and pred instanceof RemoveBrowsingData and prop = ["cookieStoreId", "hostnames", "originTypes", "since"]) - or - (pred = succ and pred instanceof AddHistory and prop = ["url"]) - or - (pred = succ and 
pred instanceof CreateWindows and prop = ["url"])) - } - } - - - from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink - where cfg.hasFlowPath(source, sink) + import ConfigFlow::PathGraph + import browserextension.BrowserInjectionFieldQuery + + from ConfigFlow::PathNode source, ConfigFlow::PathNode sink + where ConfigFlow::flowPath(source, sink) select sink.getNode(), source, sink, sink.getNode() + " depends on a $@.", source.getNode(), "user-provided value" - - \ No newline at end of file diff --git a/javascript/src/audit/browserAPI/BrowserInjectionObjectQuery.ql b/javascript/src/audit/browserAPI/BrowserInjectionObjectQuery.ql index b355999e..66292b73 100644 --- a/javascript/src/audit/browserAPI/BrowserInjectionObjectQuery.ql +++ b/javascript/src/audit/browserAPI/BrowserInjectionObjectQuery.ql 
@@ -9,55 +9,58 @@ * @tags security */ - import javascript - import DataFlow::PathGraph + import ConfigFlow::PathGraph import browserextension.BrowserInjectionObjectCustomizations::BrowserInjection import DataFlow private import semmle.javascript.security.dataflow.XssThroughDomCustomizations::XssThroughDom as XssThroughDom - class ObjectLabel extends DataFlow::FlowLabel { - ObjectLabel() { - this = "Object" - } + class ObjectState extends string { + ObjectState() { this = "Object" } } /** * Gets either a standard flow label or the partial-taint label. */ - DataFlow::FlowLabel anyLabel() { - result.isDataOrTaint() - } + string anyLabel() { result = ["data", "taint"] } - class Configuration extends TaintTracking::Configuration { - Configuration() { this = "BrowserInjection" } - - override predicate isSource(DataFlow::Node source) { - source instanceof Source // optional: or source instanceof XssThroughDom::Source + module Config implements DataFlow::StateConfigSig { + class FlowState extends string { + FlowState() { this = anyLabel() or this instanceof ObjectState } + } + + predicate isSource(DataFlow::Node source, FlowState state) { + source instanceof Source and // optional: or source instanceof XssThroughDom::Source + ( + state = anyLabel() + or + state instanceof ObjectState + ) } - override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) { - sink instanceof Sink and lbl instanceof ObjectLabel + predicate isSink(DataFlow::Node sink, FlowState state) { + sink instanceof Sink and state instanceof ObjectState } - override predicate isAdditionalFlowStep( - DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl + predicate isAdditionalFlowStep( + DataFlow::Node src, FlowState inState, DataFlow::Node trg, FlowState outState ) { // writing a tainted value to an object property makes the object tainted with ObjectLabel exists(DataFlow::PropWrite write | write.getRhs() = src and - inlbl = anyLabel() and + inState = 
anyLabel() and trg.(DataFlow::SourceNode).flowsTo(write.getBase()) and - outlbl instanceof ObjectLabel + outState instanceof ObjectState ) } } + module ConfigFlow = TaintTracking::GlobalWithState; - from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink - where cfg.hasFlowPath(source, sink) + from ConfigFlow::PathNode source, ConfigFlow::PathNode sink + where ConfigFlow::flowPath(source, sink) select sink.getNode(), source, sink, sink.getNode() + " depends on a $@.", source.getNode(), "user-provided value" diff --git a/javascript/src/audit/templates/BackwardsDataFlow.ql b/javascript/src/audit/templates/BackwardsDataFlow.ql index bbdaaaf6..24da0e03 100644 --- a/javascript/src/audit/templates/BackwardsDataFlow.ql +++ b/javascript/src/audit/templates/BackwardsDataFlow.ql @@ -9,23 +9,22 @@ */ import javascript - import DataFlow::PathGraph - import semmle.javascript.explore.BackwardDataFlow + import BackwardDataFlow::PathGraph - class BackwardDataFlowConfig extends TaintTracking::Configuration { - BackwardDataFlowConfig() { this = "BackwardDataFlowConfig" } + module BackwardDataFlowConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { any() } - // `isSource` is ignored when `semmle.javascript.explore.BackwardDataFlow` is imported. - - override predicate isSink(DataFlow::Node sink) { + predicate isSink(DataFlow::Node sink) { // Define the sink to run the backwards dataflow from. Eg: // sink = API::moduleImport("module").getMember("method").getParameter(0).asSink() none() } } + + module BackwardDataFlow = TaintTracking::Global; - from BackwardDataFlowConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink - where cfg.hasFlowPath(source, sink) + from BackwardDataFlow::PathNode source, BackwardDataFlow::PathNode sink + where BackwardDataFlow::flowPath(source, sink) select sink.getNode(), source, sink, "This node receives taint from $@.", source.getNode(), "this source" \ No newline at end of file 
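Review bot: `import javascript` is removed at the top of this hunk while the query still names `DataFlow::Node`, `DataFlow::PropWrite`, `DataFlow::SourceNode` and `TaintTracking::GlobalWithState`; unless `browserextension.BrowserInjectionObjectCustomizations::BrowserInjection` re-exports the `javascript` library (the imports of that file visible in this diff are `private`), the query no longer compiles, so the line should be restored. Separately, `isSource` now also admits `state instanceof ObjectState` as an initial state, whereas the replaced single-argument `isSource` presumably started only in the standard labels and could reach the `ObjectState`-only sink solely through the `PropWrite` step; a `Source` that reaches a `Sink` with no intervening property write is therefore newly reported, which looks unintended — if so, drop the `or state instanceof ObjectState` alternative.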
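Review bot: `predicate isSource(DataFlow::Node source) { any() }` replaces the removed explore-library import and its explanatory comment with nothing, so a reader of the template no longer learns that every node is a candidate source and that the query is driven entirely by `isSink`; suggest `// Every node is a potential source: the flow is driven by the sink defined below.` above it. The mirrored `isSink(DataFlow::Node sink) { any() }` in `ForwardDataFlow.ql` (next hunk) deserves the equivalent comment. Because `TaintTracking::Global` will explore flow from every node once a real sink is filled in, the comment could also advise narrowing the source set if the query becomes slow; whether the `semmle.javascript.explore` modules still exist for the new API is not something this diff shows.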
diff --git a/javascript/src/audit/templates/ForwardDataFlow.ql b/javascript/src/audit/templates/ForwardDataFlow.ql index f8e622ba..e466e5af 100644 --- a/javascript/src/audit/templates/ForwardDataFlow.ql +++ b/javascript/src/audit/templates/ForwardDataFlow.ql @@ -9,23 +9,22 @@ */ import javascript - import DataFlow::PathGraph - import semmle.javascript.explore.ForwardDataFlow + import ForwardDataFlow::PathGraph - class ForwardDataFlowConfig extends TaintTracking::Configuration { - ForwardDataFlowConfig() { this = "ForwardDataFlowConfig" } - - override predicate isSource(DataFlow::Node source) { + module ForwardDataFlowConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { // Define the source to run the forward dataflow from. Eg: // source = API::moduleImport(_).getMember("method").getReturn().asSource() none() } - - // `isSink` is ignored when `semmle.javascript.explore.ForwardDataFlow` is imported. + + predicate isSink(DataFlow::Node sink) { any() } } + + module ForwardDataFlow = TaintTracking::Global; - from ForwardDataFlowConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink - where cfg.hasFlowPath(source, sink) + from ForwardDataFlow::PathNode source, ForwardDataFlow::PathNode sink + where ForwardDataFlow::flowPath(source, sink) select sink.getNode(), source, sink, "This node receives taint from $@.", source.getNode(), "this source" \ No newline at end of file diff --git a/javascript/src/codeql-pack.lock.yml b/javascript/src/codeql-pack.lock.yml index 3a11520c..e9f70de3 100644 --- a/javascript/src/codeql-pack.lock.yml +++ b/javascript/src/codeql-pack.lock.yml 
@@ -2,25 +2,25 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/dataflow:
- version: 1.1.8
+ version: 2.0.5
 codeql/javascript-all:
- version: 2.2.1
+ version: 2.6.1
 codeql/mad:
- version: 1.0.14
+ version: 1.0.21
 codeql/regex:
- version: 1.0.14
+ version: 1.0.21
 codeql/ssa:
- version: 1.0.14
+ version: 1.1.0
 codeql/threat-models:
- version: 1.0.14
+ version: 1.0.21
 codeql/tutorial:
- version: 1.0.14
+ version: 1.0.21
 codeql/typetracking:
- version: 1.0.14
+ version: 2.0.5
 codeql/util:
- version: 2.0.1
+ version: 2.0.8
 codeql/xml:
- version: 1.0.14
+ version: 1.0.21
 codeql/yaml:
- version: 1.0.14
+ version: 1.0.21
 compiled: false
diff --git a/javascript/src/security/CWE-079/XSSReact.ql b/javascript/src/security/CWE-079/XSSReact.ql
index cff5547a..3db669a6 100644
--- a/javascript/src/security/CWE-079/XSSReact.ql
+++ b/javascript/src/security/CWE-079/XSSReact.ql
@@ -16,24 +16,21 @@ import javascript private import semmle.javascript.security.dataflow.XssThroughDomCustomizations private import semmle.javascript.security.dataflow.DomBasedXssCustomizations private import semmle.javascript.security.dataflow.Xss::Shared as Shared -import DataFlow::PathGraph +import XssFlow::PathGraph /** * A taint-tracking configuration for reasoning about XSS. */ -class XssConfiguration extends TaintTracking::Configuration { - XssConfiguration() { this = "XssReact" } +module XssConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof XssThroughDom::Source } - override predicate isSource(DataFlow::Node source) { source instanceof XssThroughDom::Source } + predicate isSink(DataFlow::Node sink) { sink instanceof DomBasedXss::Sink } - override predicate isSink(DataFlow::Node sink) { sink instanceof DomBasedXss::Sink } - - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) or - node instanceof DomBasedXss::Sanitizer - } + predicate isBarrier(DataFlow::Node node) { node instanceof DomBasedXss::Sanitizer } } +module XssFlow = TaintTracking::Global; + // Additional Source class ReactUseQueryParams extends XssThroughDom::Source { ReactUseQueryParams() { @@ -42,7 +39,7 @@ class ReactUseQueryParams extends XssThroughDom::Source { } } -from XssConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasFlowPath(source, sink) +from XssFlow::PathNode source, XssFlow::PathNode sink +where XssFlow::flowPath(source, sink) select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.", source.getNode(), "user-provided value" diff --git a/javascript/src/security/CWE-329/InsecureIV.ql b/javascript/src/security/CWE-329/InsecureIV.ql index 95aa442e..e4b50216 100644 --- a/javascript/src/security/CWE-329/InsecureIV.ql +++ b/javascript/src/security/CWE-329/InsecureIV.ql 
@@ -15,16 +15,14 @@ import javascript import semmle.javascript.dataflow.TaintTracking -import DataFlow::PathGraph +import InsecureIVFlow::PathGraph import ghsl.InsecureIV -from InsecureIVConfiguration insecurecfg, DataFlow::PathNode source, DataFlow::PathNode sink +from InsecureIVFlow::PathNode source, InsecureIVFlow::PathNode sink where - insecurecfg.hasFlowPath(source, sink) and - not exists(DataFlow::Node randomSource, RandomTaintsSourceConfiguration randomConfig | - randomSource instanceof SecureRandomSource - | - randomConfig.hasFlow(randomSource, source.getNode()) + InsecureIVFlow::flowPath(source, sink) and + not exists(DataFlow::Node randomSource | randomSource instanceof SecureRandomSource | + RandomTaintsSourceFlow::flow(randomSource, source.getNode()) ) and not knownCryptTest(sink.getNode()) select sink, source, sink, diff --git a/javascript/test/codeql-pack.lock.yml b/javascript/test/codeql-pack.lock.yml index 3a11520c..e9f70de3 100644 --- a/javascript/test/codeql-pack.lock.yml +++ b/javascript/test/codeql-pack.lock.yml @@ -2,25 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/javascript-all: - version: 2.2.1 + version: 2.6.1 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/regex: - version: 1.0.14 + version: 1.0.21 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/threat-models: - version: 1.0.14 + version: 1.0.21 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 codeql/xml: - version: 1.0.14 + version: 1.0.21 codeql/yaml: - version: 1.0.14 + version: 1.0.21 compiled: false diff --git a/javascript/test/security/CWE-079/XSSReact.expected b/javascript/test/security/CWE-079/XSSReact.expected index 51d8beb5..adafef39 100644 --- a/javascript/test/security/CWE-079/XSSReact.expected +++ b/javascript/test/security/CWE-079/XSSReact.expected 
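Review bot: The rewritten exclusion `not exists(DataFlow::Node randomSource | randomSource instanceof SecureRandomSource | RandomTaintsSourceFlow::flow(randomSource, source.getNode()))` can declare the variable by its class directly, `not exists(SecureRandomSource randomSource | RandomTaintsSourceFlow::flow(randomSource, source.getNode()))`, which removes the redundant range and reads as the intent: the IV source must not be derived from secure randomness. The `select` continues outside the hunk.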
@@ -1,25 +1,18 @@ -nodes -| app.jsx:12:11:12:27 | [query, setQuery] | -| app.jsx:12:11:16:6 | query | -| app.jsx:12:12:12:16 | query | -| app.jsx:12:31:16:6 | useQuer ... \\n }) | -| app.jsx:12:31:16:6 | useQuer ... \\n }) | -| app.jsx:17:11:17:45 | { x: nu ... lters } | -| app.jsx:17:11:17:53 | searchQuery | -| app.jsx:17:21:17:34 | q: searchQuery | -| app.jsx:17:49:17:53 | query | -| app.jsx:26:52:26:62 | searchQuery | -| app.jsx:26:52:26:62 | searchQuery | edges -| app.jsx:12:11:12:27 | [query, setQuery] | app.jsx:12:12:12:16 | query | -| app.jsx:12:11:16:6 | query | app.jsx:17:49:17:53 | query | -| app.jsx:12:12:12:16 | query | app.jsx:12:11:16:6 | query | -| app.jsx:12:31:16:6 | useQuer ... \\n }) | app.jsx:12:11:12:27 | [query, setQuery] | -| app.jsx:12:31:16:6 | useQuer ... \\n }) | app.jsx:12:11:12:27 | [query, setQuery] | -| app.jsx:17:11:17:45 | { x: nu ... lters } | app.jsx:17:21:17:34 | q: searchQuery | -| app.jsx:17:11:17:53 | searchQuery | app.jsx:26:52:26:62 | searchQuery | -| app.jsx:17:11:17:53 | searchQuery | app.jsx:26:52:26:62 | searchQuery | -| app.jsx:17:21:17:34 | q: searchQuery | app.jsx:17:11:17:53 | searchQuery | -| app.jsx:17:49:17:53 | query | app.jsx:17:11:17:45 | { x: nu ... lters } | +| app.jsx:12:11:12:27 | [query, setQuery] | app.jsx:12:11:16:6 | query | provenance | | +| app.jsx:12:11:16:6 | query | app.jsx:17:49:17:53 | query | provenance | | +| app.jsx:12:31:16:6 | useQuer ... \\n }) | app.jsx:12:11:12:27 | [query, setQuery] | provenance | | +| app.jsx:17:11:17:45 | { x: nu ... lters } | app.jsx:17:11:17:53 | searchQuery | provenance | | +| app.jsx:17:11:17:53 | searchQuery | app.jsx:26:52:26:62 | searchQuery | provenance | | +| app.jsx:17:49:17:53 | query | app.jsx:17:11:17:45 | { x: nu ... lters } | provenance | | +nodes +| app.jsx:12:11:12:27 | [query, setQuery] | semmle.label | [query, setQuery] | +| app.jsx:12:11:16:6 | query | semmle.label | query | +| app.jsx:12:31:16:6 | useQuer ... \\n }) | semmle.label | useQuer ... 
\\n }) | +| app.jsx:17:11:17:45 | { x: nu ... lters } | semmle.label | { x: nu ... lters } | +| app.jsx:17:11:17:53 | searchQuery | semmle.label | searchQuery | +| app.jsx:17:49:17:53 | query | semmle.label | query | +| app.jsx:26:52:26:62 | searchQuery | semmle.label | searchQuery | +subpaths #select | app.jsx:26:52:26:62 | searchQuery | app.jsx:12:31:16:6 | useQuer ... \\n }) | app.jsx:26:52:26:62 | searchQuery | Cross-site scripting vulnerability due to $@. | app.jsx:12:31:16:6 | useQuer ... \\n }) | user-provided value | diff --git a/javascript/test/security/CWE-329/InsecureIV.expected b/javascript/test/security/CWE-329/InsecureIV.expected index 7499ec4e..5cc47dd3 100644 --- a/javascript/test/security/CWE-329/InsecureIV.expected +++ b/javascript/test/security/CWE-329/InsecureIV.expected 
@@ -1,76 +1,22 @@
-nodes
-| examples/secure_iv.js:11:7:11:14 | randomIV |
-| examples/secure_iv.js:11:7:11:44 | randomIV |
-| examples/secure_iv.js:11:7:11:44 | randomIV |
-| examples/secure_iv.js:11:18:11:44 | crypto. ... eysize) |
-| examples/secure_iv.js:11:18:11:44 | crypto. ... eysize) |
-| examples/secure_iv.js:13:63:13:62 | randomIV |
-| examples/secure_iv.js:14:54:14:61 | randomIV |
-| examples/secure_iv.js:14:54:14:61 | randomIV |
-| examples/secure_iv_tainted.js:11:7:11:14 | randomIV |
-| examples/secure_iv_tainted.js:11:7:11:76 | randomIV |
-| examples/secure_iv_tainted.js:11:7:11:76 | randomIV |
-| examples/secure_iv_tainted.js:11:7:11:76 | randomIV |
-| examples/secure_iv_tainted.js:11:18:11:39 | crypto. ... tes(32) |
-| examples/secure_iv_tainted.js:11:18:11:39 | crypto. ... tes(32) |
-| examples/secure_iv_tainted.js:11:18:11:48 | crypto. ... oString |
-| examples/secure_iv_tainted.js:11:18:11:48 | crypto. ... oString |
-| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') |
-| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') |
-| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') |
-| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') |
-| examples/secure_iv_tainted.js:11:18:11:64 | crypto. ... ).slice |
-| examples/secure_iv_tainted.js:11:18:11:64 | crypto. ... ).slice |
-| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) |
-| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) |
-| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) |
-| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) |
-| examples/secure_iv_tainted.js:13:63:13:62 | randomIV |
-| examples/secure_iv_tainted.js:14:54:14:61 | randomIV |
-| examples/secure_iv_tainted.js:14:54:14:61 | randomIV |
-| examples/secure_iv_tainted.js:14:54:14:61 | randomIV |
-| examples/secure_iv_tainted.js:14:54:14:61 | randomIV |
-| examples/static_iv.js:11:7:11:34 | fixedIV |
-| examples/static_iv.js:11:17:11:34 | "0123456789abcdef" |
-| examples/static_iv.js:11:17:11:34 | "0123456789abcdef" |
-| examples/static_iv.js:14:54:14:60 | fixedIV |
-| examples/static_iv.js:14:54:14:60 | fixedIV |
 edges
-| examples/secure_iv.js:11:7:11:44 | randomIV | examples/secure_iv.js:11:7:11:14 | randomIV |
-| examples/secure_iv.js:11:7:11:44 | randomIV | examples/secure_iv.js:13:63:13:62 | randomIV |
-| examples/secure_iv.js:11:7:11:44 | randomIV | examples/secure_iv.js:14:54:14:61 | randomIV |
-| examples/secure_iv.js:11:7:11:44 | randomIV | examples/secure_iv.js:14:54:14:61 | randomIV |
-| examples/secure_iv.js:11:18:11:44 | crypto. ... eysize) | examples/secure_iv.js:11:7:11:44 | randomIV |
-| examples/secure_iv.js:11:18:11:44 | crypto. ... eysize) | examples/secure_iv.js:11:7:11:44 | randomIV |
-| examples/secure_iv.js:11:18:11:44 | crypto. ... eysize) | examples/secure_iv.js:11:7:11:44 | randomIV |
-| examples/secure_iv.js:11:18:11:44 | crypto. ... eysize) | examples/secure_iv.js:11:7:11:44 | randomIV |
-| examples/secure_iv_tainted.js:11:7:11:76 | randomIV | examples/secure_iv_tainted.js:11:7:11:14 | randomIV |
-| examples/secure_iv_tainted.js:11:7:11:76 | randomIV | examples/secure_iv_tainted.js:13:63:13:62 | randomIV |
-| examples/secure_iv_tainted.js:11:7:11:76 | randomIV | examples/secure_iv_tainted.js:14:54:14:61 | randomIV |
-| examples/secure_iv_tainted.js:11:7:11:76 | randomIV | examples/secure_iv_tainted.js:14:54:14:61 | randomIV |
-| examples/secure_iv_tainted.js:11:7:11:76 | randomIV | examples/secure_iv_tainted.js:14:54:14:61 | randomIV |
-| examples/secure_iv_tainted.js:11:7:11:76 | randomIV | examples/secure_iv_tainted.js:14:54:14:61 | randomIV |
-| examples/secure_iv_tainted.js:11:18:11:39 | crypto. ... tes(32) | examples/secure_iv_tainted.js:11:18:11:48 | crypto. ... oString |
-| examples/secure_iv_tainted.js:11:18:11:39 | crypto. ... tes(32) | examples/secure_iv_tainted.js:11:18:11:48 | crypto. ... oString |
-| examples/secure_iv_tainted.js:11:18:11:39 | crypto. ... tes(32) | examples/secure_iv_tainted.js:11:18:11:48 | crypto. ... oString |
-| examples/secure_iv_tainted.js:11:18:11:39 | crypto. ... tes(32) | examples/secure_iv_tainted.js:11:18:11:48 | crypto. ... oString |
-| examples/secure_iv_tainted.js:11:18:11:39 | crypto. ... tes(32) | examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') |
-| examples/secure_iv_tainted.js:11:18:11:39 | crypto. ... tes(32) | examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') |
-| examples/secure_iv_tainted.js:11:18:11:39 | crypto. ... tes(32) | examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') |
-| examples/secure_iv_tainted.js:11:18:11:39 | crypto. ... tes(32) | examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') |
-| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') | examples/secure_iv_tainted.js:11:18:11:64 | crypto. ... ).slice |
-| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') | examples/secure_iv_tainted.js:11:18:11:64 | crypto. ... ).slice |
-| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') | examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) |
-| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') | examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) |
-| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') | examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) |
-| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') | examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) |
-| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) | examples/secure_iv_tainted.js:11:7:11:76 | randomIV |
-| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) | examples/secure_iv_tainted.js:11:7:11:76 | randomIV |
-| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) | examples/secure_iv_tainted.js:11:7:11:76 | randomIV |
-| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) | examples/secure_iv_tainted.js:11:7:11:76 | randomIV |
-| examples/static_iv.js:11:7:11:34 | fixedIV | examples/static_iv.js:14:54:14:60 | fixedIV |
-| examples/static_iv.js:11:7:11:34 | fixedIV | examples/static_iv.js:14:54:14:60 | fixedIV |
-| examples/static_iv.js:11:17:11:34 | "0123456789abcdef" | examples/static_iv.js:11:7:11:34 | fixedIV |
-| examples/static_iv.js:11:17:11:34 | "0123456789abcdef" | examples/static_iv.js:11:7:11:34 | fixedIV |
+| examples/secure_iv_tainted.js:11:7:11:76 | randomIV | examples/secure_iv_tainted.js:14:54:14:61 | randomIV | provenance | |
+| examples/secure_iv_tainted.js:11:7:11:76 | randomIV [ArrayElement] | examples/secure_iv_tainted.js:14:54:14:61 | randomIV | provenance | |
+| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') | examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) | provenance | |
+| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') | examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) [ArrayElement] | provenance | |
+| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) | examples/secure_iv_tainted.js:11:7:11:76 | randomIV | provenance | |
+| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) [ArrayElement] | examples/secure_iv_tainted.js:11:7:11:76 | randomIV [ArrayElement] | provenance | |
+| examples/static_iv.js:11:7:11:34 | fixedIV | examples/static_iv.js:14:54:14:60 | fixedIV | provenance | |
+| examples/static_iv.js:11:17:11:34 | "0123456789abcdef" | examples/static_iv.js:11:7:11:34 | fixedIV | provenance | |
+nodes
+| examples/secure_iv_tainted.js:11:7:11:76 | randomIV | semmle.label | randomIV |
+| examples/secure_iv_tainted.js:11:7:11:76 | randomIV [ArrayElement] | semmle.label | randomIV [ArrayElement] |
+| examples/secure_iv_tainted.js:11:18:11:58 | crypto. ... ase64') | semmle.label | crypto. ... ase64') |
+| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) | semmle.label | crypto. ... eysize) |
+| examples/secure_iv_tainted.js:11:18:11:76 | crypto. ... eysize) [ArrayElement] | semmle.label | crypto. ... eysize) [ArrayElement] |
+| examples/secure_iv_tainted.js:14:54:14:61 | randomIV | semmle.label | randomIV |
+| examples/static_iv.js:11:7:11:34 | fixedIV | semmle.label | fixedIV |
+| examples/static_iv.js:11:17:11:34 | "0123456789abcdef" | semmle.label | "0123456789abcdef" |
+| examples/static_iv.js:14:54:14:60 | fixedIV | semmle.label | fixedIV |
+subpaths
 #select
 | examples/static_iv.js:14:54:14:60 | fixedIV | examples/static_iv.js:11:17:11:34 | "0123456789abcdef" | examples/static_iv.js:14:54:14:60 | fixedIV | Insecure Initialization Vector (IV) used for cryptographic function. With a few exceptions, it is best to use a secure random source for IVs. |
diff --git a/python/lib/codeql-pack.lock.yml b/python/lib/codeql-pack.lock.yml
index dbcc41af..ce687ca2 100644
--- a/python/lib/codeql-pack.lock.yml
+++ b/python/lib/codeql-pack.lock.yml @@ -2,25 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 2.0.4 + version: 2.0.5 codeql/mad: - version: 1.0.20 + version: 1.0.21 codeql/python-all: - version: 4.0.4 + version: 4.0.5 codeql/regex: - version: 1.0.20 + version: 1.0.21 codeql/ssa: - version: 1.0.20 + version: 1.1.0 codeql/threat-models: - version: 1.0.20 + version: 1.0.21 codeql/tutorial: - version: 1.0.20 + version: 1.0.21 codeql/typetracking: - version: 2.0.4 + version: 2.0.5 codeql/util: - version: 2.0.7 + version: 2.0.8 codeql/xml: - version: 1.0.20 + version: 1.0.21 codeql/yaml: - version: 1.0.20 + version: 1.0.21 compiled: false diff --git a/python/src/codeql-pack.lock.yml b/python/src/codeql-pack.lock.yml index c265ea79..ce687ca2 100644 --- a/python/src/codeql-pack.lock.yml +++ b/python/src/codeql-pack.lock.yml @@ -2,25 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/python-all: - version: 3.1.0 + version: 4.0.5 codeql/regex: - version: 1.0.14 + version: 1.0.21 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/threat-models: - version: 1.0.14 + version: 1.0.21 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 codeql/xml: - version: 1.0.14 + version: 1.0.21 codeql/yaml: - version: 1.0.14 + version: 1.0.21 compiled: false diff --git a/python/test/codeql-pack.lock.yml b/python/test/codeql-pack.lock.yml index 134d75c3..5f1f66d3 100644 --- a/python/test/codeql-pack.lock.yml +++ b/python/test/codeql-pack.lock.yml 
@@ -2,29 +2,29 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/python-all: - version: 3.1.0 + version: 4.0.5 codeql/python-queries: - version: 1.4.0 + version: 1.4.7 codeql/regex: - version: 1.0.14 + version: 1.0.21 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/suite-helpers: - version: 1.0.14 + version: 1.0.21 codeql/threat-models: - version: 1.0.14 + version: 1.0.21 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 codeql/xml: - version: 1.0.14 + version: 1.0.21 codeql/yaml: - version: 1.0.14 + version: 1.0.21 compiled: false diff --git a/ruby/lib/codeql-pack.lock.yml b/ruby/lib/codeql-pack.lock.yml index c22d69e5..fc285fe4 100644 --- a/ruby/lib/codeql-pack.lock.yml +++ b/ruby/lib/codeql-pack.lock.yml @@ -2,21 +2,21 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 1.0.14 + version: 2.0.5 codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/regex: - version: 1.0.14 + version: 1.0.21 codeql/ruby-all: - version: 3.0.1 + version: 4.1.4 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 compiled: false diff --git a/ruby/src/codeql-pack.lock.yml b/ruby/src/codeql-pack.lock.yml index c22d69e5..fc285fe4 100644 --- a/ruby/src/codeql-pack.lock.yml +++ b/ruby/src/codeql-pack.lock.yml 
@@ -2,21 +2,21 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 1.0.14 + version: 2.0.5 codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/regex: - version: 1.0.14 + version: 1.0.21 codeql/ruby-all: - version: 3.0.1 + version: 4.1.4 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 compiled: false diff --git a/ruby/test/codeql-pack.lock.yml b/ruby/test/codeql-pack.lock.yml index d37c8e43..ccb3b340 100644 --- a/ruby/test/codeql-pack.lock.yml +++ b/ruby/test/codeql-pack.lock.yml @@ -2,25 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/controlflow: - version: 1.0.14 + version: 2.0.5 codeql/dataflow: - version: 1.1.8 + version: 2.0.5 codeql/mad: - version: 1.0.14 + version: 1.0.21 codeql/regex: - version: 1.0.14 + version: 1.0.21 codeql/ruby-all: - version: 3.0.1 + version: 4.1.4 codeql/ruby-queries: - version: 1.1.9 + version: 1.2.0 codeql/ssa: - version: 1.0.14 + version: 1.1.0 codeql/suite-helpers: - version: 1.0.14 + version: 1.0.21 codeql/tutorial: - version: 1.0.14 + version: 1.0.21 codeql/typetracking: - version: 1.0.14 + version: 2.0.5 codeql/util: - version: 2.0.1 + version: 2.0.8 compiled: false