
Commit 592ce3e

authored
Merge branch 'main' into add-activerecord-annotate
2 parents 8ca7d7d + 21066d2 commit 592ce3e


21 files changed

+385
-63
lines changed


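--- a/.github/workflows/ql-for-ql-build.yml
+++ b/.github/workflows/ql-for-ql-build.yml
@@ -10,9 +10,10 @@ env:
 CARGO_TERM_COLOR: always
 
 jobs:
-queries:
-runs-on: ubuntu-latest
+analyze:
+runs-on: ubuntu-latest-xl
 steps:
+### Build the queries ###
 - uses: actions/checkout@v3
 - name: Find codeql
 id: find-codeql
@@ -48,11 +49,7 @@ jobs:
 name: query-pack-zip
 path: ${{ runner.temp }}/query-pack.zip
 
-extractors:
-runs-on: ubuntu-latest
-
-steps:
-- uses: actions/checkout@v3
+### Build the extractor ###
 - name: Cache entire extractor
 id: cache-extractor
 uses: actions/cache@v3
@@ -96,15 +93,8 @@ jobs:
 ql/target/release/ql-extractor
 ql/target/release/ql-extractor.exe
 retention-days: 1
-package:
-runs-on: ubuntu-latest
-
-needs:
-- extractors
-- queries
 
-steps:
-- uses: actions/checkout@v3
+### Package the queries and extractor ###
 - uses: actions/download-artifact@v3
 with:
 name: query-pack-zip
@@ -132,16 +122,8 @@ jobs:
 name: codeql-ql-pack
 path: codeql-ql.zip
 retention-days: 1
-analyze:
-runs-on: ubuntu-latest
-strategy:
-matrix:
-folder: [cpp, csharp, java, javascript, python, ql, ruby, swift, go]
-
-needs:
-- package
 
-steps:
+### Run the analysis ###
 - name: Download pack
 uses: actions/download-artifact@v3
 with:
@@ -161,22 +143,18 @@ jobs:
 env:
 PACK: ${{ runner.temp }}/pack
 
-- name: Checkout repository
-uses: actions/checkout@v3
 - name: Create CodeQL config file
 run: |
-echo "paths:" > ${CONF}
-echo " - ${FOLDER}" >> ${CONF}
 echo "paths-ignore:" >> ${CONF}
 echo " - ql/ql/test" >> ${CONF}
+echo " - \"*/ql/lib/upgrades/\"" >> ${CONF}
 echo "disable-default-queries: true" >> ${CONF}
 echo "packs:" >> ${CONF}
 echo " - codeql/ql" >> ${CONF}
 echo "Config file: "
 cat ${CONF}
 env:
 CONF: ./ql-for-ql-config.yml
-FOLDER: ${{ matrix.folder }}
 - name: Initialize CodeQL
 uses: github/codeql-action/init@aa93aea877e5fb8841bcb1193f672abf6e9f2980
 with:
@@ -187,39 +165,24 @@ jobs:
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@aa93aea877e5fb8841bcb1193f672abf6e9f2980
 with:
-category: "ql-for-ql-${{ matrix.folder }}"
+category: "ql-for-ql"
 - name: Copy sarif file to CWD
-run: cp ../results/ql.sarif ./${{ matrix.folder }}.sarif
+run: cp ../results/ql.sarif ./ql-for-ql.sarif
 - name: Fixup the $scema in sarif # Until https://github.com/microsoft/sarif-vscode-extension/pull/436/ is part in a stable release
 run: |
-sed -i 's/\$schema.*/\$schema": "https:\/\/raw.githubusercontent.com\/oasis-tcs\/sarif-spec\/master\/Schemata\/sarif-schema-2.1.0",/' ${{ matrix.folder }}.sarif
+sed -i 's/\$schema.*/\$schema": "https:\/\/raw.githubusercontent.com\/oasis-tcs\/sarif-spec\/master\/Schemata\/sarif-schema-2.1.0",/' ql-for-ql.sarif
 - name: Sarif as artifact
 uses: actions/upload-artifact@v3
 with:
-name: ${{ matrix.folder }}.sarif
-path: ${{ matrix.folder }}.sarif
-
-combine:
-runs-on: ubuntu-latest
-needs:
-- analyze
-
-steps:
-- uses: actions/checkout@v3
-- name: Make a folder for artifacts.
-run: mkdir -p results
-- name: Download all sarif files
-uses: actions/download-artifact@v3
-with:
-path: results
-- uses: actions/setup-node@v3
-with:
-node-version: 16
-- name: Combine all sarif files
-run: |
-node ./ql/scripts/merge-sarif.js results/**/*.sarif combined.sarif
-- name: Upload combined sarif file
+name: ql-for-ql.sarif
+path: ql-for-ql.sarif
+- name: Split out the sarif file into langs
+run: |
+mkdir split-sarif
+node ./ql/scripts/split-sarif.js ql-for-ql.sarif split-sarif
+- name: Upload langs as artifacts
 uses: actions/upload-artifact@v3
 with:
-name: combined.sarif
-path: combined.sarif
+name: ql-for-ql-langs
+path: split-sarif
+retention-days: 1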
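Review bot: In the config-file step of the `@@ -161,22 +143,18 @@` hunk, dropping `echo "paths:" > ${CONF}` leaves `echo "paths-ignore:" >> ${CONF}` as the first write, so the script now appends to `./ql-for-ql-config.yml` rather than creating it, and any pre-existing file of that name in the workspace would be prepended to the generated config. The first write should truncate: `echo "paths-ignore:" > ${CONF}`. In the last hunk, the new `Split out the sarif file into langs` step runs `node`, while the `actions/setup-node@v3` / `node-version: 16` step that the removed `combine` job carried is not re-added here; the merged `analyze` job begins outside the visible hunks, so it may already be set up earlier, but if not the step silently depends on the runner image's default Node. Re-adding `- uses: actions/setup-node@v3` with `node-version: 16` before that step would keep the version explicit.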

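--- a/java/documentation/library-coverage/coverage.csv
+++ b/java/documentation/library-coverage/coverage.csv
@@ -36,7 +36,7 @@ java.lang,13,,58,,,,,,,,,,,8,,,,,4,,,1,,,,,,,,,,,,,,,46,12
 java.net,10,3,7,,,,,,,,,,,,,,10,,,,,,,,,,,,,,,,,,,3,7,
 java.nio,15,,6,,13,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,6,
 java.sql,11,,,,,,,,,4,,,,,,,,,,,,,,,,7,,,,,,,,,,,,
-java.util,44,,438,,,,,,,,,,,34,,,,,,5,2,,1,2,,,,,,,,,,,,,24,414
+java.util,44,,441,,,,,,,,,,,34,,,,,,5,2,,1,2,,,,,,,,,,,,,24,417
 javax.faces.context,2,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,7,,
 javax.jms,,9,57,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,57,
 javax.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23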

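--- a/java/documentation/library-coverage/coverage.rst
+++ b/java/documentation/library-coverage/coverage.rst
@@ -15,9 +15,9 @@ Java framework & library support
 `Apache HttpComponents <https://hc.apache.org/>`_,"``org.apache.hc.core5.*``, ``org.apache.http``",5,136,28,,,3,,,,25
 `Google Guava <https://guava.dev/>`_,``com.google.common.*``,,728,39,,6,,,,,
 `JSON-java <https://github.com/stleary/JSON-java>`_,``org.json``,,236,,,,,,,,
-Java Standard Library,``java.*``,3,549,130,28,,,7,,,10
+Java Standard Library,``java.*``,3,552,130,28,,,7,,,10
 Java extensions,"``javax.*``, ``jakarta.*``",63,609,32,,,4,,1,1,2
 `Spring <https://spring.io/>`_,``org.springframework.*``,29,476,101,,,,19,14,,29
 Others,"``androidx.slice``, ``cn.hutool.core.codec``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.opensymphony.xwork2.ognl``, ``com.rabbitmq.client``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``groovy.lang``, ``groovy.util``, ``jodd.json``, ``kotlin.jvm.internal``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.apache.commons.codec``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.logging``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.ibatis.jdbc``, ``org.apache.log4j``, ``org.apache.logging.log4j``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.hibernate``, ``org.jboss.logging``, ``org.jdbi.v3.core``, ``org.jooq``, ``org.mvel2``, ``org.scijava.log``, ``org.slf4j``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``",65,395,932,,,,14,18,,3
-Totals,,217,6410,1474,117,6,10,107,33,1,84
+Totals,,217,6413,1474,117,6,10,107,33,1,84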

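--- a/javascript/ql/lib/semmle/javascript/Routing.qll
+++ b/javascript/ql/lib/semmle/javascript/Routing.qll
@@ -148,6 +148,18 @@ module Routing {
 this instanceof MkRouter
 }
 
+/**
+* Like `mayResumeDispatch` but without the assumption that functions with an unknown
+* implementation invoke their continuation.
+*/
+predicate definitelyResumesDispatch() {
+this.getLastChild().definitelyResumesDispatch()
+or
+exists(this.(RouteHandler).getAContinuationInvocation())
+or
+this instanceof MkRouter
+}
+
 /** Gets the parent of this node, provided that this node may invoke its continuation. */
 private Node getContinuationParent() {
 result = this.getParent() and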
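Review bot: The QLDoc on the new `definitelyResumesDispatch` says which assumption it drops but not how it is meant to relate to `mayResumeDispatch`, and both predicates get overridden in Express.qll in this same commit, so overriders have nothing to check against. If the intent is that "definitely" is a refinement of "may", the comment should say so, e.g. ` * Holds only for nodes for which `mayResumeDispatch()` also holds; overriding classes should keep the two predicates consistent.` The enclosing class starts outside the hunk (only `module Routing` is visible), so I cannot confirm that `mayResumeDispatch` has the same three disjuncts, but the body here mirrors that shape and a note that the two must be edited together would help the next maintainer.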

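--- a/javascript/ql/lib/semmle/javascript/dataflow/TypeTracking.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/TypeTracking.qll
@@ -312,7 +312,7 @@ class TypeBackTracker extends TTypeBackTracker {
 * result = < some API call >.getArgument(< n >)
 * or
 * exists (DataFlow::TypeBackTracker t2 |
-* t = t2.smallstep(result, myType(t2))
+* t2 = t.smallstep(result, myType(t2))
 * )
 * }
 *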

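--- a/javascript/ql/lib/semmle/javascript/frameworks/Express.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Express.qll
@@ -33,6 +33,11 @@ module Express {
 or
 // `app = [new] express.Router()`
 result = DataFlow::moduleMember("express", "Router").getAnInvocation()
+or
+exists(DataFlow::SourceNode app |
+app.hasUnderlyingType("probot/lib/application", "Application") and
+result = app.getAMethodCall("route")
+)
 }
 
 /**
@@ -1043,4 +1048,22 @@ module Express {
 
 override DataFlow::SourceNode getOutput() { result = this.getCallback(2).getParameter(1) }
 }
+
+private class ResumeDispatchRefinement extends Routing::RouteHandler {
+ResumeDispatchRefinement() { this.getFunction() instanceof RouteHandler }
+
+override predicate mayResumeDispatch() { this.getAParameter().getName() = "next" }
+
+override predicate definitelyResumesDispatch() { this.getAParameter().getName() = "next" }
+}
+
+private class ExpressStaticResumeDispatchRefinement extends Routing::Node {
+ExpressStaticResumeDispatchRefinement() {
+this = Routing::getNode(DataFlow::moduleMember("express", "static").getACall())
+}
+
+override predicate mayResumeDispatch() { none() }
+
+override predicate definitelyResumesDispatch() { none() }
+}
 }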
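Review bot: In the second hunk, `ResumeDispatchRefinement` overrides `mayResumeDispatch` and `definitelyResumesDispatch` with the identical condition `this.getAParameter().getName() = "next"`, so for Express handlers the distinction the new base predicate draws in Routing.qll collapses: a handler that declares `next` but never invokes it, or invokes it only on some paths, is treated as definitely resuming dispatch. If using the parameter's presence as the signal is deliberate, the class should carry a QLDoc comment saying so, e.g. `/** An Express route handler is taken to resume dispatch iff it declares a `next` parameter, whether or not it is called. */`. `ExpressStaticResumeDispatchRefinement` likewise deserves a one-line comment explaining why `express.static` is modelled with `none()` for both predicates, since (as far as I recall) static middleware falls through for paths it does not serve, which makes this an intentional approximation rather than a literal model. In the first hunk the new probot disjunct lacks the `// app = …` style comment its two sibling disjuncts have; `// app.route(...) on a Probot Application` would keep the list self-describing.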

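--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -80,7 +80,7 @@ module UnsafeHtmlConstruction {
 t.start() and
 result = sink
 or
-exists(DataFlow::TypeBackTracker t2 | t = t2.smallstep(result, isUsedInXssSink(t2, sink)))
+exists(DataFlow::TypeBackTracker t2 | t2 = t.smallstep(result, isUsedInXssSink(t2, sink)))
 or
 exists(DataFlow::TypeBackTracker t2 |
 t.continue() = t2 and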
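Review bot: The inverted `smallstep` call corrected here (`t2 = t.smallstep(result, ...)`) is the same pattern corrected in ImproperCodeSanitization.ql and in the QLDoc example in TypeTracking.qll in this commit; since the old form was copied from that example, other `TypeBackTracker` users written against it may carry the same inversion, and a repository-wide search for `t = t2.smallstep(` would confirm none remain. The enclosing predicate starts outside the hunk, so I cannot see whether its other back-tracking disjuncts use the corrected orientation consistently.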

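--- a/javascript/ql/src/Declarations/UnusedVariable.ql
+++ b/javascript/ql/src/Declarations/UnusedVariable.ql
@@ -144,6 +144,9 @@ predicate whitelisted(UnusedLocal v) {
 // exclude variables mentioned in JSDoc comments in externs
 mentionedInJSDocComment(v)
 or
+// the attributes in .vue files are not extracted, so we can get false positives in those.
+v.getADeclaration().getFile().getExtension() = "vue"
+or
 // exclude variables used to filter out unwanted properties
 isPropertyFilter(v)
 or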
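Review bot: The new disjunct suppresses every unused local declared anywhere in a `.vue` file, which is broader than the stated reason (template attributes not being extracted) and will also hide genuinely unused locals inside the file's script block. If that trade-off is accepted, the comment should say so explicitly, e.g. `// template attributes in .vue files are not extracted, so any local may be used from the template; suppress the whole file to avoid false positives.` The enclosing predicate continues outside the hunk.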

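--- a/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql
+++ b/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql
@@ -50,7 +50,7 @@ private DataFlow::Node endsInCodeInjectionSink(DataFlow::TypeBackTracker t) {
 not result instanceof StringOps::ConcatenationRoot // the heuristic CodeInjection sink looks for string-concats, we are not interrested in those here.
 )
 or
-exists(DataFlow::TypeBackTracker t2 | t = t2.smallstep(result, endsInCodeInjectionSink(t2)))
+exists(DataFlow::TypeBackTracker t2 | t2 = t.smallstep(result, endsInCodeInjectionSink(t2)))
 }
 
 /**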
Lines changed: 44 additions & 0 deletions
@@ -0,0 +1,44 @@
1+
<!DOCTYPE qhelp PUBLIC
2+
"-//Semmle//qhelp//EN"
3+
"qhelp.dtd">
4+
<qhelp>
5+
6+
<overview>
7+
<p>
8+
Using a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware
9+
when accessing an endpoint with a case-insensitive path.
10+
Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.
11+
</p>
12+
</overview>
13+
14+
<recommendation>
15+
<p>
16+
When using a regular expression as a middleware path, make sure the regular expression is
17+
case-insensitive by adding the <code>i</code> flag.
18+
</p>
19+
</recommendation>
20+
21+
<example>
22+
<p>
23+
The following example restricts access to paths in the <code>/admin</code> path to users logged in as
24+
administrators:
25+
</p>
26+
<sample src="examples/CaseSensitiveMiddlewarePath.js" />
27+
<p>
28+
A path such as <code>/admin/users/45</code> can only be accessed by an administrator. However, the path
29+
<code>/ADMIN/USERS/45</code> can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas
30+
Express considers it to match the path string <code>/admin/users</code>.
31+
</p>
32+
<p>
33+
The issue can be fixed by adding the <code>i</code> flag to the regular expression:
34+
</p>
35+
<sample src="examples/CaseSensitiveMiddlewarePathGood.js" />
36+
</example>
37+
38+
<references>
39+
<li>
40+
MDN
41+
<a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags">Regular Expression Flags</a>.
42+
</li>
43+
</references>
44+
</qhelp>
