Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
---
category: majorAnalysis
---
* Added sink model for `sql-injection` for: `com.google.cloud.bigquery` and `org.apache.commons.dbutils`.
* Added a source model for: `spark` and `io.javalin.http`.
* Added a taint summary model for: `spark`.
9 changes: 9 additions & 0 deletions java/ql/lib/ext/com.google.cloud.bigquery.model.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["com.google.cloud.bigquery", "QueryJobConfiguration", true, "newBuilder", "", "", "Argument[0]", "sql-injection", "manual"]
Comment thread
knewbury01 marked this conversation as resolved.
- ["com.google.cloud.bigquery", "QueryJobConfiguration", true, "of", "", "", "Argument[0]", "sql-injection", "manual"]
- ["com.google.cloud.bigquery", "QueryJobConfiguration$Builder", true, "setQuery", "", "", "Argument[0]", "sql-injection", "manual"]

25 changes: 25 additions & 0 deletions java/ql/lib/ext/io.javalin.http.model.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sourceModel
data:
- ["io.javalin.http", "Context", true, "basicAuthCredentials", "", "", "ReturnValue", "remote", "manual"]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is correct, but as there are no summary models for BasicAuthCredentials.getUsername or BasicAuthCredentials.getPassword we may well not be able to follow any taint paths starting here. (Unless java automatically models getters, but I don't think it does, since we don't even model reads of fields from tainted classes as tainted.) Please add those models.

- ["io.javalin.http", "Context", true, "body", "", "", "ReturnValue", "remote", "manual"]
- ["io.javalin.http", "Context", true, "bodyAsClass", "", "", "ReturnValue", "remote", "manual"]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we also model bodyAsBytes, bodyStreamAsClass and bodyInputStream?

- ["io.javalin.http", "Context", true, "cookie", "", "", "ReturnValue", "remote", "manual"]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only one overload is a source.

Suggested change
- ["io.javalin.http", "Context", true, "cookie", "", "", "ReturnValue", "remote", "manual"]
- ["io.javalin.http", "Context", true, "cookie", "(String)", "", "ReturnValue", "remote", "manual"]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also model cookieMap.

- ["io.javalin.http", "Context", true, "header", "", "", "ReturnValue", "remote", "manual"]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again, only one overload.

Suggested change
- ["io.javalin.http", "Context", true, "header", "", "", "ReturnValue", "remote", "manual"]
- ["io.javalin.http", "Context", true, "header", "(String)", "", "ReturnValue", "remote", "manual"]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also model headerMap.

- ["io.javalin.http", "Context", true, "formParam", "", "", "ReturnValue", "remote", "manual"]
- ["io.javalin.http", "Context", true, "formParams", "", "", "ReturnValue", "remote", "manual"]
- ["io.javalin.http", "Context", true, "formParamMap", "", "", "ReturnValue", "remote", "manual"]
- ["io.javalin.http", "Context", true, "formParamAsClass", "", "", "ReturnValue", "remote", "manual"]
- ["io.javalin.http", "Context", true, "formParamsAsClass", "", "", "ReturnValue", "remote", "manual"]
Comment on lines +14 to +15

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We also need summary models for get, getOrNull, getOrDefault, getOrThrow on Validator.

- ["io.javalin.http", "Context", true, "pathParam", "", "", "ReturnValue", "remote", "manual"]
- ["io.javalin.http", "Context", true, "pathParamAsClass", "", "", "ReturnValue", "remote", "manual"]
- ["io.javalin.http", "Context", true, "pathParamMap", "", "", "ReturnValue", "remote", "manual"]
- ["io.javalin.http", "Context", true, "queryParam", "", "", "ReturnValue", "remote", "manual"]
- ["io.javalin.http", "Context", true, "queryParams", "", "", "ReturnValue", "remote", "manual"]
- ["io.javalin.http", "Context", true, "queryParamAsClass", "", "", "ReturnValue", "remote", "manual"]
- ["io.javalin.http", "Context", true, "queryParamsAsClass", "", "", "ReturnValue", "remote", "manual"]
- ["io.javalin.http", "Context", true, "queryParamMap", "", "", "ReturnValue", "remote", "manual"]
- ["io.javalin.http", "Context", true, "queryString", "", "", "ReturnValue", "remote", "manual"]
- ["io.javalin.http", "Context", true, "sessionAttribute", "", "", "ReturnValue", "remote", "manual"]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This shouldn't be a remote source. Session attributes seem to be things that the code can set and get, but not things which come from the user. (Well, they can be, but in general they aren't.)

Suggested change
- ["io.javalin.http", "Context", true, "sessionAttribute", "", "", "ReturnValue", "remote", "manual"]

33 changes: 33 additions & 0 deletions java/ql/lib/ext/org.apache.commons.dbutils.model.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "insert", "(Connection,String,ResultSetHandler)", "", "Argument[1]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "insert", "(Connection,String,ResultSetHandler,Object[])", "", "Argument[1]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "insert", "(String,ResultSetHandler)", "", "Argument[0]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "insert", "(String,ResultSetHandler,Object[])", "", "Argument[0]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "query", "(Connection,String,ResultSetHandler)", "", "Argument[1]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "query", "(Connection,String,ResultSetHandler,Object[])", "", "Argument[1]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "query", "(String,ResultSetHandler)", "", "Argument[0]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "query", "(String,ResultSetHandler,Object[])", "", "Argument[0]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "update", "(Connection,String)", "", "Argument[1]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "update", "(Connection,String,Object[])", "", "Argument[1]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "update", "(Connection,String,Object)", "", "Argument[1]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "update", "(String)", "", "Argument[0]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "update", "(String,Object[])", "", "Argument[0]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "update", "(String,Object)", "", "Argument[0]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "QueryRunner", true, "insert", "(Connection,String,ResultSetHandler)", "", "Argument[1]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "QueryRunner", true, "insert", "(Connection,String,ResultSetHandler,Object[])", "", "Argument[1]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "QueryRunner", true, "insert", "(String,ResultSetHandler)", "", "Argument[0]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "QueryRunner", true, "insert", "(String,ResultSetHandler,Object[])", "", "Argument[0]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "QueryRunner", true, "query", "(Connection,String,ResultSetHandler)", "", "Argument[1]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "QueryRunner", true, "query", "(Connection,String,ResultSetHandler,Object[])", "", "Argument[1]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "QueryRunner", true, "query", "(String,ResultSetHandler)", "", "Argument[0]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "QueryRunner", true, "query", "(String,ResultSetHandler,Object[])", "", "Argument[0]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "QueryRunner", true, "update", "(Connection,String)", "", "Argument[1]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "QueryRunner", true, "update", "(Connection,String,Object[])", "", "Argument[1]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "QueryRunner", true, "update", "(Connection,String,Object)", "", "Argument[1]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "QueryRunner", true, "update", "(String)", "", "Argument[0]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "QueryRunner", true, "update", "(String,Object[])", "", "Argument[0]", "sql-injection", "manual"]
- ["org.apache.commons.dbutils", "QueryRunner", true, "update", "(String,Object)", "", "Argument[0]", "sql-injection", "manual"]
27 changes: 27 additions & 0 deletions java/ql/lib/ext/spark.model.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sourceModel
data:
- ["spark", "Request", true, "body", "", "", "ReturnValue", "remote", "manual"]
- ["spark", "Request", true, "bodyAsBytes", "", "", "ReturnValue", "remote", "manual"]
- ["spark", "Request", true, "cookie", "", "", "ReturnValue", "remote", "manual"]
- ["spark", "Request", true, "cookies", "", "", "ReturnValue", "remote", "manual"]
- ["spark", "Request", true, "headers", "", "", "ReturnValue", "remote", "manual"]
- ["spark", "Request", true, "params", "", "", "ReturnValue", "remote", "manual"]
- ["spark", "Request", true, "queryMap", "", "", "ReturnValue", "remote", "manual"]
- ["spark", "Request", true, "queryParams", "", "", "ReturnValue", "remote", "manual"]
- ["spark", "Request", true, "queryParamsSafe", "", "", "ReturnValue", "remote", "manual"]
- ["spark", "Request", true, "queryParamOrDefault", "", "", "ReturnValue", "remote", "manual"]
- ["spark", "Request", true, "queryParamsValues", "", "", "ReturnValue", "remote", "manual"]
- ["spark", "Request", true, "queryString", "", "", "ReturnValue", "remote", "manual"]
- ["spark", "Request", true, "uri", "", "", "ReturnValue", "remote", "manual"]
- ["spark", "Request", true, "url", "", "", "ReturnValue", "remote", "manual"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["spark", "QueryParamsMap", True, "get", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["spark", "QueryParamsMap", True, "toMap", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["spark", "QueryParamsMap", True, "value", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["spark", "QueryParamsMap", True, "values", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
Loading