├── .all-contributorsrc ├── .codeqlmanifest.json ├── .devcontainer └── devcontainer.json ├── .github ├── CODEOWNERS ├── scripts │ ├── generate-coverage.py │ ├── pr-compile.sh │ ├── pr-config.sh │ ├── pr-suites-packs.sh │ ├── pr-tests.sh │ └── update-pack.sh └── workflows │ ├── build.yml │ ├── extensions-manual.yml │ ├── release-create-pr.yml │ ├── release-main.yml │ ├── scorecard.yml │ ├── tailor-pr-checks.yml │ ├── tailor-publish.yml │ └── update-submodules.yml ├── .gitignore ├── .gitmodules ├── .vimignore ├── .vscode ├── settings.json └── tasks.json ├── CODE_OF_CONDUCT.md ├── LICENSE ├── README.md ├── SECURITY.md ├── SUPPORT.md ├── codeql-queries.code-workspace ├── config ├── codeql-audit.yml ├── codeql-external-api.yml ├── codeql.yml ├── config-local.yml └── disable-default-queries.yml ├── cpp ├── .data │ └── queries.json ├── README.md ├── codeql-pack.lock.yml ├── qlpack.yml ├── queries.xml └── suites │ ├── codeql-cpp.qls │ └── codeql-external-api.qls ├── csharp ├── .data │ └── queries.json ├── CWE-078 │ ├── CommandInjectionAudit.md │ └── CommandInjectionAudit.ql ├── CWE-094 │ ├── CodeInjectionAudit.md │ └── CodeInjectionAudit.ql ├── CWE-328 │ ├── WeakHashingAlgorithms.md │ ├── WeakHashingAlgorithms.ql │ ├── WeakPasswordHashing.qhelp │ ├── WeakPasswordHashing.ql │ ├── WeakPasswordHashingBad.csharp │ ├── WeakPasswordHashingGood.csharp │ ├── WeakPasswordHashingQuery.qll │ ├── WeakSensitiveDataHashing.qhelp │ ├── WeakSensitiveDataHashing.ql │ ├── WeakSensitiveDataHashingBad.csharp │ ├── WeakSensitiveDataHashingGood.csharp │ └── WeakSensitiveDataHashingQuery.qll ├── CWE-502 │ ├── UnsafeDeserializationAudit.md │ └── UnsafeDeserializationAudit.ql ├── CWE-611 │ ├── UnsafeXMLResolverAudit.md │ └── UnsafeXMLResolverAudit.ql ├── CWE-760 │ ├── HardcodedSalt.md │ └── HardcodedSalt.ql ├── CWE-798 │ ├── HardcodedCredentials.cs │ ├── HardcodedCredentialsSymmetricSecurityKey.qhelp │ └── HardcodedCredentialsSymmetricSecurityKey.ql ├── README.md ├── codeql-pack.lock.yml ├── 
github │ ├── Cryptography.qll │ ├── Hardcoded.qll │ └── HardcodedCredentials.qll ├── qlpack.yml ├── queries.xml └── suites │ ├── codeql-csharp-audit.qls │ ├── codeql-csharp.qls │ └── codeql-debugging.qls ├── extensions ├── README.md ├── codeql-csharp-extensions │ ├── codeql-pack.lock.yml │ ├── generated │ │ ├── JamesNK │ │ │ └── Newtonsoft.Json.yml │ │ ├── abpframework │ │ │ └── abp.yml │ │ ├── apache │ │ │ └── logging-log4net.yml │ │ ├── aws │ │ │ └── aws-lambda-dotnet.yml │ │ ├── dotnet │ │ │ └── efcore.yml │ │ ├── googleapis │ │ │ └── google-cloud-dotnet.yml │ │ └── ravendb │ │ │ └── ravendb.yml │ ├── models │ │ ├── Amazon.Lambda.yml │ │ ├── AspNetCoreMvc.yml │ │ ├── Azure.yml │ │ └── README.md │ └── qlpack.yml ├── codeql-java-extensions │ ├── codeql-pack.lock.yml │ ├── generated │ │ ├── Activiti │ │ │ └── Activiti.yml │ │ ├── ESAPI │ │ │ └── esapi-java-legacy.yml │ │ ├── FasterXML │ │ │ ├── jackson-core.yml │ │ │ └── jackson-databind.yml │ │ ├── JetBrains │ │ │ └── kotlin.yml │ │ ├── JodaOrg │ │ │ └── joda-time.yml │ │ ├── Kotlin │ │ │ └── kotlinx.coroutines.yml │ │ ├── LMAX-Exchange │ │ │ └── disruptor.yml │ │ ├── OpenAPITools │ │ │ └── openapi-generator.yml │ │ ├── OpenFeign │ │ │ └── feign.yml │ │ ├── ReactiveX │ │ │ └── RxJava.yml │ │ ├── Wechat-Group │ │ │ └── WxJava.yml │ │ ├── abel533 │ │ │ └── Mapper.yml │ │ ├── alibaba │ │ │ ├── Sentinel.yml │ │ │ ├── canal.yml │ │ │ ├── easyexcel.yml │ │ │ ├── nacos.yml │ │ │ └── spring-cloud-alibaba.yml │ │ ├── antlr │ │ │ └── antlr4.yml │ │ ├── apache │ │ │ ├── activemq.yml │ │ │ ├── beam.yml │ │ │ ├── cloudstack.yml │ │ │ ├── commons-io.yml │ │ │ ├── commons-lang.yml │ │ │ ├── directory-ldap-api.yml │ │ │ ├── dubbo.yml │ │ │ ├── flink.yml │ │ │ ├── hadoop.yml │ │ │ ├── hbase.yml │ │ │ ├── httpcomponents-client.yml │ │ │ ├── iceberg.yml │ │ │ ├── iotdb.yml │ │ │ ├── kafka.yml │ │ │ ├── logging-log4j2.yml │ │ │ ├── maven.yml │ │ │ ├── ozone.yml │ │ │ ├── poi.yml │ │ │ ├── pulsar.yml │ │ │ ├── rocketmq.yml │ │ │ ├── 
shardingsphere.yml │ │ │ ├── shiro.yml │ │ │ ├── skywalking.yml │ │ │ ├── storm.yml │ │ │ ├── tomcat.yml │ │ │ └── zookeeper.yml │ │ ├── auth0 │ │ │ └── java-jwt.yml │ │ ├── ben-manes │ │ │ └── caffeine.yml │ │ ├── bonigarcia │ │ │ └── webdrivermanager.yml │ │ ├── brettwooldridge │ │ │ └── HikariCP.yml │ │ ├── cbeust │ │ │ └── testng.yml │ │ ├── cglib │ │ │ └── cglib.yml │ │ ├── checkstyle │ │ │ └── checkstyle.yml │ │ ├── code4craft │ │ │ └── webmagic.yml │ │ ├── codecentric │ │ │ └── spring-boot-admin.yml │ │ ├── cucumber │ │ │ └── cucumber-jvm.yml │ │ ├── deeplearning4j │ │ │ └── deeplearning4j.yml │ │ ├── dropwizard │ │ │ ├── dropwizard.yml │ │ │ └── metrics.yml │ │ ├── eclipse-vertx │ │ │ └── vert.x.yml │ │ ├── eclipse │ │ │ └── jetty.project.yml │ │ ├── flyway │ │ │ └── flyway.yml │ │ ├── google │ │ │ ├── gson.yml │ │ │ ├── guava.yml │ │ │ └── guice.yml │ │ ├── h2database │ │ │ └── h2database.yml │ │ ├── hibernate │ │ │ └── hibernate-orm.yml │ │ ├── java-native-access │ │ │ └── jna.yml │ │ ├── jboss-javassist │ │ │ └── javassist.yml │ │ ├── jeecgboot │ │ │ └── jeecg-boot.yml │ │ ├── jhy │ │ │ └── jsoup.yml │ │ ├── junit-team │ │ │ └── junit5.yml │ │ ├── jwtk │ │ │ └── jjwt.yml │ │ ├── keycloak │ │ │ └── keycloak.yml │ │ ├── kiegroup │ │ │ └── drools.yml │ │ ├── liquibase │ │ │ └── liquibase.yml │ │ ├── mapstruct │ │ │ └── mapstruct.yml │ │ ├── micrometer-metrics │ │ │ └── micrometer.yml │ │ ├── mockito │ │ │ └── mockito.yml │ │ ├── mybatis │ │ │ ├── mybatis-3.yml │ │ │ ├── spring-boot-starter.yml │ │ │ └── spring.yml │ │ ├── neo4j │ │ │ └── neo4j.yml │ │ ├── netty │ │ │ └── netty.yml │ │ ├── pagehelper │ │ │ └── Mybatis-PageHelper.yml │ │ ├── perwendel │ │ │ └── spark.yml │ │ ├── pgjdbc │ │ │ └── pgjdbc.yml │ │ ├── prestodb │ │ │ └── presto.yml │ │ ├── projectlombok │ │ │ └── lombok.yml │ │ ├── qos-ch │ │ │ ├── logback.yml │ │ │ └── slf4j.yml │ │ ├── quarkusio │ │ │ └── quarkus.yml │ │ ├── quartz-scheduler │ │ │ └── quartz.yml │ │ ├── redis │ │ │ └── jedis.yml 
│ │ ├── redisson │ │ │ └── redisson.yml │ │ ├── resilience4j │ │ │ └── resilience4j.yml │ │ ├── rest-assured │ │ │ └── rest-assured.yml │ │ ├── seata │ │ │ └── seata.yml │ │ ├── spring-projects │ │ │ └── spring-data-jpa.yml │ │ ├── square │ │ │ ├── okhttp.yml │ │ │ └── retrofit.yml │ │ ├── stleary │ │ │ └── JSON-java.yml │ │ ├── swagger-api │ │ │ └── swagger-core.yml │ │ ├── testcontainers │ │ │ └── testcontainers-java.yml │ │ ├── xuxueli │ │ │ └── xxl-job.yml │ │ └── zxing │ │ │ └── zxing.yml │ ├── models │ │ └── README.md │ └── qlpack.yml ├── codeql-javascript-extensions │ ├── codeql-pack.lock.yml │ ├── models │ │ └── README.md │ └── qlpack.yml └── projects.json ├── go ├── .data │ └── queries.json ├── CWE-078 │ └── CommandInjection.ql ├── CWE-089 │ ├── SqlInjectionAudit.md │ └── SqlInjectionAudit.ql ├── CWE-117 │ └── LogInjection.ql ├── README.md ├── codeql-pack.lock.yml ├── github │ ├── LocalSources.qll │ └── Utils.qll ├── qlpack.yml ├── queries.xml └── suites │ └── codeql-go.qls ├── java ├── .data │ └── queries.json ├── CWE-078 │ ├── CommandInjectionRuntimeExec.java │ ├── CommandInjectionRuntimeExec.md │ ├── CommandInjectionRuntimeExec.qhelp │ ├── CommandInjectionRuntimeExec.ql │ ├── CommandInjectionRuntimeExecLocal.md │ ├── CommandInjectionRuntimeExecLocal.qhelp │ ├── CommandInjectionRuntimeExecLocal.ql │ ├── CommandInjectionRuntimeExecTest.ql │ └── CommandInjectionRuntimeExecTestPath.ql ├── CWE-079 │ ├── JSPLocations.qll │ ├── XSSJSP.md │ ├── XSSJSP.ql │ ├── XSSJSPLenient.md │ └── XSSJSPLenient.ql ├── CWE-326 │ └── Base64Encryption.ql ├── CWE-338 │ └── WeakPRNG.ql ├── CWE-532 │ └── SensitiveInformation.ql ├── CWE-611 │ └── XXELocal.ql ├── CWE-798 │ ├── HardcodedBase64Usage.ql │ └── HardcodedPasswordsInProperties.ql ├── README.md ├── codeql-pack.lock.yml ├── examples │ └── XSSCustomSanitizer.ql ├── github │ ├── CommandInjectionRuntimeExec.qll │ ├── Encoding.qll │ ├── Hardcoded.qll │ ├── LocalSources.qll │ ├── Logging.qll │ └── SensitiveInformation.qll ├── 
qlpack.yml ├── queries.xml └── suites │ ├── codeql-external-api.qls │ ├── codeql-java-audit.qls │ ├── codeql-java-local.qls │ ├── codeql-java.qls │ └── java-security-experimental.qls ├── javascript ├── .data │ └── queries.json ├── CVE-2022-23631 │ └── SuperJson.ql ├── CWE-078 │ ├── CommandInjectionAudit.md │ └── CommandInjectionAudit.ql ├── CWE-079 │ ├── XSSAudit.md │ ├── XSSAudit.ql │ └── XSSReact.ql ├── CWE-094 │ ├── CodeInjectionAudit.md │ └── CodeInjectionAudit.ql ├── CWE-328 │ ├── WeakHashingAlgorithm.md │ └── WeakHashingAlgorithm.ql ├── CWE-329 │ ├── InsecureIV.md │ ├── InsecureIV.qhelp │ ├── InsecureIV.ql │ └── examples │ │ ├── secure_iv.js │ │ └── static_iv.js ├── CWE-502 │ ├── UnsafeDeserializationAudit.md │ └── UnsafeDeserializationAudit.ql ├── CWE-611 │ ├── XXEAudit.md │ └── XXEAudit.ql ├── CWE-676 │ ├── UseOfEval.md │ └── UseOfEval.ql ├── CWE-829 │ ├── UnpinnedActionsTag.md │ ├── UnpinnedActionsTag.qhelp │ ├── UnpinnedActionsTag.ql │ └── examples │ │ └── .github │ │ └── workflows │ │ ├── pinned-action.yml │ │ ├── trusted-action.yml │ │ ├── unpinned-action.yml │ │ └── unpinned-unnamed-action.yml ├── README.md ├── codeql-pack.lock.yml ├── github │ ├── CommandLine.qll │ └── InsecureIV.qll ├── qlpack.yml ├── queries.xml └── suites │ ├── codeql-debugging.qls │ ├── codeql-javascript-audit.qls │ └── codeql-javascript.qls ├── python ├── .data │ └── queries.json ├── CWE-078 │ ├── CommandInjectionAudit.md │ ├── CommandInjectionAudit.ql │ ├── CommandInjectionLocal.ql │ └── examples │ │ ├── source-argvs.py │ │ ├── source-file.py │ │ ├── sources-envs.py │ │ └── sources-input.py ├── CWE-079 │ ├── XssFlaskAudit.md │ └── XssFlaskAudit.ql ├── CWE-089 │ ├── SqlInjectionAudit.md │ ├── SqlInjectionAudit.ql │ ├── SqlInjectionHeuristic.ql │ └── SqlInjectionLocal.ql ├── CWE-094 │ ├── CodeInjectionAudit.md │ ├── CodeInjectionAudit.ql │ └── CodeInjectionLocal.ql ├── CWE-133 │ ├── format_string.ql │ └── format_string.qll ├── CWE-1393 │ ├── DefaultPasswordDB.md │ ├── 
DefaultPasswordDB.qhelp │ └── DefaultPasswordDB.ql ├── CWE-327 │ ├── WeakHMacAlgorithms.ql │ └── WeakHashingAlgorithms.ql ├── CWE-338 │ └── WeakPRNG.ql ├── CWE-502 │ ├── UnsafeDeserializationAudit.md │ ├── UnsafeDeserializationAudit.ql │ ├── UnsafeDeserializationLocal.ql │ ├── XMLLocalFileAudit.md │ ├── XMLLocalFileAudit.ql │ ├── XMLLocalFileTaint.ql │ └── XMLLocalStringTaint.ql ├── CWE-522 │ ├── InsecurelyStoredPassword.md │ ├── InsecurelyStoredPassword.qhelp │ └── InsecurelyStoredPassword.ql ├── CWE-676 │ ├── DangerousFunctions.md │ └── DangerousFunctions.ql ├── CWE-778 │ └── InsufficientLogging.ql ├── CWE-798 │ ├── HardcodedFrameworkSecrets.ql │ └── examples │ │ ├── flask-tests.py │ │ ├── flask_settings.py │ │ └── requests-tests.py ├── CWE-915 │ ├── MassAssignment.ql │ ├── MassAssignmentLocal.ql │ ├── MassAssignmentLocalProblem.ql │ └── MassAssignmentProblem.ql ├── README.md ├── codeql-pack.lock.yml ├── debugging │ ├── PartialPathsFromSink.ql │ └── PartialPathsFromSource.ql ├── github │ ├── DefaultPasswordDB.qll │ ├── HardcodedSecretSinks.qll │ ├── Helpers.qll │ ├── InsecurelyStoredPassword.qll │ ├── LocalSources.qll │ ├── Logging.qll │ ├── MassAssignment.qll │ ├── Utils.qll │ └── XMLLocalLib.qll ├── qlpack.yml ├── queries.xml └── suites │ ├── codeql-python-audit.qls │ ├── codeql-python-local.qls │ ├── codeql-python.qls │ └── python-security-experimental.qls ├── ruby ├── .data │ └── queries.json ├── README.md ├── codeql-pack.lock.yml ├── qlpack.yml ├── queries.xml └── suites │ └── codeql-ruby.qls ├── swift ├── .data │ └── queries.json ├── README.md ├── codeql-pack.lock.yml ├── qlpack.yml ├── queries.xml └── suites │ └── codeql-swift.qls ├── tailor-packs └── java-poc │ ├── Makefile │ ├── customize │ ├── suites │ └── java-security-experimental.qls │ ├── tailor │ ├── Customizations.qll │ └── models │ │ ├── ApacheCommonsExecGenerated.qll │ │ ├── AsciidoctorAsciidoctorjGenerated.qll │ │ ├── FlywayFlywayGenerated.qll │ │ ├── JdkManual.qll │ │ ├── JhyJsoupGenerated.qll 
│ │ ├── Models.qll │ │ ├── SpringProjectsSpringDataCommonsGenerated.qll │ │ ├── SpringProjectsSpringDataJpaGenerated.qll │ │ └── SpringProjectsSpringDataJpaManual.qll │ └── unit-tests │ ├── local_is_remote │ ├── Test.java │ ├── query.expected │ └── query.qlref │ ├── qlpack.yml │ ├── taint_through_crudrepository_save │ ├── Test.java │ ├── org │ │ └── springframework │ │ │ └── data │ │ │ └── repository │ │ │ └── CrudRepository.java │ ├── query.expected │ └── query.qlref │ └── taint_through_string_replace │ ├── Test.java │ ├── query.expected │ └── query.qlref └── tests ├── csharp-tests ├── CWE-328 │ ├── WeakHashingAlgorithms.cs │ ├── WeakHashingAlgorithms.expected │ ├── WeakHashingAlgorithms.qlref │ ├── WeakPasswordHashing.expected │ ├── WeakPasswordHashing.qlref │ ├── WeakSensitiveDataHashing.expected │ ├── WeakSensitiveDataHashing.qlref │ └── options ├── CWE-760 │ ├── HardcodedSalt.expected │ ├── HardcodedSalt.qlref │ ├── StaticSalt.cs │ └── options ├── CWE-798 │ ├── HardcodedCredentialsSymmetricSecurityKey.cs │ ├── HardcodedCredentialsSymmetricSecurityKey.qlref.bak │ └── options ├── qlpack.lock.yml └── qlpack.yml ├── go-tests ├── CWE-078 │ ├── cmdi.expected │ ├── cmdi.qlref │ ├── go.mod │ └── main.go ├── CWE-089 │ └── audit │ │ ├── .gitignore │ │ ├── SQLInjectionAudit.expected │ │ ├── SQLInjectionAudit.ql │ │ ├── go.mod │ │ ├── go.sum │ │ └── main.go ├── qlpack.lock.yml └── qlpack.yml ├── java-tests ├── CWE-078 │ ├── CommandInjectionRuntimeExec.expected │ ├── CommandInjectionRuntimeExec.qlref │ ├── pom.xml │ └── src │ │ └── main │ │ └── java │ │ └── com │ │ └── github │ │ └── advanced_security │ │ └── command_injection_test │ │ └── Main.java ├── CWE-326 │ ├── Base64Encryption.expected │ ├── Base64Encryption.java │ ├── Base64Encryption.qlref │ └── options ├── CWE-532 │ ├── SensitiveInformation.expected │ ├── SensitiveInformation.java │ ├── SensitiveInformation.qlref │ └── options ├── CWE-611 │ ├── XXELocal.expected │ ├── XXELocal.java │ └── XXELocal.qlref ├── 
CWE-798 │ └── base64 │ │ ├── HardcodedBase64Usage.expected │ │ ├── HardcodedBase64Usage.java │ │ └── HardcodedBase64Usage.ql ├── qlpack.lock.yml └── qlpack.yml ├── javascript-tests ├── CWE-078 │ └── audit │ │ ├── XSSReactAudit.expected │ │ ├── XSSReactAudit.qlref │ │ └── cmdi.js ├── CWE-079 │ ├── audit │ │ ├── XSSAudit.expected │ │ ├── XSSAudit.qlref │ │ └── app.jsx │ └── react │ │ ├── XSSReact.expected │ │ ├── XSSReact.qlref │ │ └── app.jsx ├── CWE-094 │ └── audit │ │ ├── CodeInjectionAudit.expected │ │ ├── CodeInjectionAudit.qlref │ │ └── app.js ├── CWE-328 │ ├── WeakHashingAlgorithm.expected │ ├── WeakHashingAlgorithm.qlref │ └── weakcrypto.ts ├── CWE-329 │ ├── InsecureIV.expected │ ├── InsecureIV.qlref │ └── examples │ │ ├── secure_iv.js │ │ ├── secure_iv_tainted.js │ │ └── static_iv.js ├── CWE-502 │ └── audit │ │ ├── UnsafeDeserializationAudit.expected │ │ ├── UnsafeDeserializationAudit.qlref │ │ └── deserialization.js ├── CWE-611 │ └── audit │ │ ├── XXEAudit.expected │ │ ├── XXEAudit.qlref │ │ └── xxe.js ├── CWE-676 │ ├── UseOfEval.expected │ ├── UseOfEval.qlref │ └── app.js ├── CWE-829 │ ├── .github │ │ └── workflows │ │ │ ├── pinned-action.yml │ │ │ ├── trusted-action.yml │ │ │ ├── unpinned-action.yml │ │ │ └── unpinned-unnamed-action.yml │ ├── UnpinnedActionsTag.expected │ └── UnpinnedActionsTag.qlref ├── qlpack.lock.yml └── qlpack.yml └── python-tests ├── CWE-078 ├── audit │ ├── CommandInjectionAudit.expected │ ├── CommandInjectionAudit.qlref │ ├── cmdi.py │ └── options └── local │ ├── CommandInjectionLocal.expected │ ├── CommandInjectionLocal.qlref │ ├── cmdi.py │ └── options ├── CWE-079 └── audit │ ├── XssFlaskAudit.expected │ ├── XssFlaskAudit.qlref │ ├── app.py │ └── options ├── CWE-089 └── audit │ ├── SqlInjectionAudit.expected │ ├── SqlInjectionAudit.qlref │ ├── options │ └── sqli.py ├── CWE-094 └── local │ ├── CodeInjectionLocal.expected │ ├── CodeInjectionLocal.qlref │ ├── codei.py │ └── options ├── CWE-1393 ├── DefaultPasswordDB.expected ├── 
DefaultPasswordDB.qlref └── default_password.py ├── CWE-502 ├── audit │ ├── UnsafeDeserializationAudit.expected │ ├── UnsafeDeserializationAudit.qlref │ ├── options │ └── unsafe.py └── local │ ├── UnsafeDeserializationLocal.expected │ ├── UnsafeDeserializationLocal.qlref │ ├── options │ └── unsafe.py ├── CWE-522 ├── InsecurelyStoredPassword.expected ├── InsecurelyStoredPassword.qlref └── insecure_pw_test.py ├── CWE-798 ├── HardcodedFrameworkSecrets.expected ├── HardcodedFrameworkSecrets.ql ├── hardcoded_secrets.py ├── options └── settings.py ├── CWE-915 ├── local │ ├── MassAssignment.expected │ ├── MassAssignment.qlref │ ├── massassignment.py │ └── options └── remote │ ├── MassAssignment.expected │ ├── MassAssignment.qlref │ ├── massassignment.py │ └── options ├── codeql-pack.lock.yml ├── libraries ├── localsources │ ├── LocalSourcesTest.expected │ ├── LocalSourcesTest.ql │ └── app.py └── logging │ ├── LoggingTest.expected │ ├── LoggingTest.ql │ └── app.py ├── qlpack.lock.yml └── qlpack.yml /.codeqlmanifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "provide": [ 3 | "codeql/*/ql/src/qlpack.yml", 4 | "codeql/*/ql/lib/qlpack.yml", 5 | "*/qlpack.yml", 6 | "extensions/*/qlpack.yml", 7 | "tests/*/qlpack.yml" 8 | ], 9 | "versionPolicies": { 10 | "default": { 11 | "requireChangeNotes": true, 12 | "committedPrereleaseSuffix": "dev", 13 | "committedVersion": "nextPatchRelease" 14 | } 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /.devcontainer/devcontainer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "advanced-security/codeql-queries", 3 | "extensions": [ 4 | "github.vscode-codeql", 5 | "github.copilot", 6 | "ms-sarifvscode.sarif-viewer" 7 | ], 8 | "settings": { 9 | "codeQL.canary": true, 10 | "codeQL.runningQueries.autoSave": true, 11 | "codeQL.runningQueries.numberOfThreads": 4, 12 | 
"codeQL.runningQueries.debug": true, 13 | "codeQL.telemetry.enableTelemetry": false, 14 | "editor.formatOnSave": true 15 | }, 16 | "postCreateCommand": "git submodule init && git submodule update --recursive", 17 | "remoteUser": "root" 18 | } -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # CodeQL Queries 2 | 3 | config/* @geekmasher @aegilops 4 | cpp/* @aegilops 5 | csharp/* @geekmasher @aegilops @felickz 6 | java/* @geekmasher @aegilops 7 | javascript/* @geekmasher @aegilops 8 | python/* @geekmasher @aegilops 9 | ruby/* @geekmasher @aegilops 10 | 11 | extensions/* @geekmasher @aegilops 12 | 13 | # CI / Scripts 14 | .github/workflows/* @geekmasher @aegilops @nickliffen 15 | .github/scripts/* @geekmasher @aegilops @nickliffen 16 | 17 | # Misc for Owner 18 | * @geekmasher 19 | -------------------------------------------------------------------------------- /.github/scripts/pr-config.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -euo pipefail 3 | 4 | PR_NUMBER=${1} 5 | 6 | codeql_db="/tmp/codeql-test-database" 7 | 8 | for file in $(gh pr view $PR_NUMBER --json files --jq '.files.[].path'); do 9 | if [[ ! 
-f "$file" ]]; then 10 | continue 11 | fi 12 | 13 | # config file 14 | if [[ "$file" == config/*.yml ]]; then 15 | echo "[+] Compiling Config :: $file" 16 | 17 | if [[ -d "$codeql_db" ]]; then 18 | rm -rf "$codeql_db" 19 | fi 20 | 21 | gh codeql database create \ 22 | --source-root=./.github/scripts \ 23 | --language=python \ 24 | --codescanning-config=$file \ 25 | "$codeql_db" 26 | 27 | fi 28 | done 29 | -------------------------------------------------------------------------------- /.github/workflows/tailor-pr-checks.yml: -------------------------------------------------------------------------------- 1 | name: "Tailor Pull Request Checks" 2 | 3 | on: 4 | push: 5 | branches: [ main ] 6 | paths: 7 | - 'tailor-packs/**' 8 | pull_request: 9 | branches: [ main ] 10 | paths: 11 | - 'tailor-packs/**' 12 | 13 | jobs: 14 | build-test: 15 | name: Build and Test CodeQL Packs 16 | runs-on: ubuntu-latest 17 | 18 | strategy: 19 | fail-fast: false 20 | matrix: 21 | pack: [ 'java-poc' ] 22 | 23 | steps: 24 | - name: Checkout repository 25 | uses: actions/checkout@v2 26 | 27 | - name: Build and Test 28 | env: 29 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 30 | run: | 31 | gh extensions install github/gh-codeql 32 | gh extensions install zbazztian/gh-tailor 33 | gh codeql set-version "v$(gh tailor actions-cli-version)" 34 | cd "tailor-packs/${{ matrix.pack }}" 35 | make test 36 | -------------------------------------------------------------------------------- /.github/workflows/tailor-publish.yml: -------------------------------------------------------------------------------- 1 | name: "Periodically Publish Tailor Packs" 2 | 3 | on: 4 | schedule: 5 | - cron: '0 20 * * 1-5' 6 | workflow_dispatch: 7 | 8 | jobs: 9 | build-test-publish: 10 | name: Build, Test and Publish CodeQL Packs 11 | runs-on: ubuntu-latest 12 | 13 | strategy: 14 | fail-fast: false 15 | matrix: 16 | pack: [ 'java-poc' ] 17 | 18 | steps: 19 | - name: Checkout repository 20 | uses: actions/checkout@v2 21 | 22 | - 
name: Build, Test and Publish 23 | env: 24 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 25 | run: | 26 | gh extensions install github/gh-codeql 27 | gh extensions install zbazztian/gh-tailor 28 | gh codeql set-version "v$(gh tailor actions-cli-version)" 29 | cd "tailor-packs/${{ matrix.pack }}" 30 | make publish 31 | -------------------------------------------------------------------------------- /.github/workflows/update-submodules.yml: -------------------------------------------------------------------------------- 1 | name: Update Submodules 2 | 3 | on: 4 | push: 5 | branches: 6 | - main 7 | schedule: 8 | - cron: '0 8 * * *' 9 | workflow_dispatch: 10 | 11 | jobs: 12 | update-submodules: 13 | runs-on: ubuntu-latest 14 | 15 | steps: 16 | # Checkout the repository to the GitHub Actions runner 17 | - name: Checkout 18 | uses: actions/checkout@v2 19 | with: 20 | submodules: true 21 | 22 | # Update references 23 | - name: Git Submodule Update 24 | run: | 25 | git pull --recurse-submodules 26 | git submodule update --remote --recursive 27 | 28 | - name: Commit update 29 | run: | 30 | git config --global user.name 'Mathew Payne' 31 | git config --global user.email '2772944+GeekMasher@users.noreply.github.com' 32 | git remote set-url origin https://${{ github.GITHUB_REPOSITORY_OWNER }}:${{ secrets.ACTIONS_SECRET }}@github.com/${{ github.repository }} 33 | git commit -am "Auto-updated submodule references" && git push || echo "No changes to commit" 34 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Env's 2 | .env 3 | .venv 4 | 5 | # CodeQL related 6 | .codeql 7 | .cache 8 | *.testproj/ 9 | *.actual 10 | *.class 11 | */*.class 12 | 13 | # Test files / folders 14 | test.ql 15 | test-*.ql 16 | **/testing/** 17 | **/*.testproj/* 18 | */test-output.txt 19 | -------------------------------------------------------------------------------- 
/.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "codeql"] 2 | path = codeql 3 | url = https://github.com/github/codeql 4 | -------------------------------------------------------------------------------- /.vimignore: -------------------------------------------------------------------------------- 1 | 2 | codeql/ 3 | codeql-go/ 4 | .cache/ 5 | tests/ 6 | tailor-packs/ 7 | extensions/ 8 | 9 | 10 | -------------------------------------------------------------------------------- /.vscode/settings.json: -------------------------------------------------------------------------------- 1 | { 2 | "python.formatting.provider": "black", 3 | "sarif-viewer.connectToGithubCodeScanning": "off" 4 | } -------------------------------------------------------------------------------- /.vscode/tasks.json: -------------------------------------------------------------------------------- 1 | { 2 | // See https://go.microsoft.com/fwlink/?LinkId=733558 3 | // for the documentation about the tasks.json format 4 | "version": "2.0.0", 5 | "tasks": [ 6 | { 7 | "label": "Generate Coverage Reports", 8 | "type": "shell", 9 | "command": "python3 ./.github/scripts/generate-coverage.py -l ${input:language} --disable-cache", 10 | "problemMatcher": [], 11 | "group": { 12 | "kind": "build", 13 | "isDefault": true 14 | } 15 | } 16 | ], 17 | "inputs": [ 18 | { 19 | "id": "language", 20 | "description": "Language", 21 | "default": "all", 22 | "type": "promptString" 23 | }, 24 | ] 25 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 GitHub Advanced Security 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without 
limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /SUPPORT.md: -------------------------------------------------------------------------------- 1 | 2 | # Support 3 | 4 | ## How to file issues and get help 5 | 6 | This project uses GitHub issues to track bugs and feature requests. 7 | Please search the existing issues before filing new issues to avoid duplicates. 8 | For new issues, file your bug or feature request as a new issue. 9 | 10 | For help or questions about using this project, please use the GitHub Discussions. 11 | 12 | 13 | This repository is under active development and maintained by GitHub staff and the community. 14 | We will do our best to respond to support, feature requests, and community questions in a timely manner. 15 | 16 | 17 | ## GitHub Support Policy 18 | 19 | Support for this project is limited to the resources listed above. 
20 | 21 | -------------------------------------------------------------------------------- /config/codeql-audit.yml: -------------------------------------------------------------------------------- 1 | name: "GitHub Field CodeQL Audit Configuration" 2 | 3 | packs: 4 | # > C# 5 | - advanced-security/codeql-csharp:suites/codeql-csharp-audit.qls 6 | 7 | # > JavaScript/TypeScript 8 | - advanced-security/codeql-javascript:suites/codeql-javascript-audit.qls 9 | 10 | # > Python 11 | - advanced-security/codeql-python:suites/codeql-python-audit.qls 12 | 13 | # > Java 14 | #- advanced-security/codeql-java:suites/codeql-java-audit.qls 15 | -------------------------------------------------------------------------------- /config/codeql-external-api.yml: -------------------------------------------------------------------------------- 1 | name: "GitHub Field CodeQL External API Configuration" 2 | 3 | disable-default-queries: true 4 | 5 | queries: 6 | # C/CPP 7 | - uses: advanced-security/codeql-queries/cpp/suites/codeql-external-api.qls@main 8 | # Java 9 | - uses: advanced-security/codeql-queries/java/suites/codeql-external-api.qls@main 10 | # JavaScript/TypeScript 11 | - uses: advanced-security/codeql-queries/javascript/suites/codeql-external-api.qls@main 12 | # Python 13 | - uses: advanced-security/codeql-queries/python/suites/codeql-external-api.qls@main 14 | -------------------------------------------------------------------------------- /config/config-local.yml: -------------------------------------------------------------------------------- 1 | name: "GitHub Field CodeQL Local Threat Model Configuration" 2 | 3 | disable-default-queries: true 4 | 5 | # expand the threat model to include local sources - https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models 6 | threat-models: local 7 | 8 | queries: 9 | # Java local queries 10 | - uses: 
advanced-security/codeql-queries/java/suites/codeql-java-local.qls@main 11 | 12 | # Python local queries 13 | - uses: advanced-security/codeql-queries/python/suites/codeql-python-local.qls@main 14 | -------------------------------------------------------------------------------- /config/disable-default-queries.yml: -------------------------------------------------------------------------------- 1 | name: "Don't run the default language query packs" 2 | disable-default-queries: true 3 | -------------------------------------------------------------------------------- /cpp/README.md: -------------------------------------------------------------------------------- 1 | # C / CPP 2 | 3 | ## Query Suites 4 | 5 | | Name | Queries Count | Description | Path | 6 | | :--- | :---- | :--- | :--- | 7 | | `default` | 47 | Default Query Suite | `codeql/cpp/ql/src/codeql-suites/code-scanning` | 8 | | `extended` | 80 | Security Extended Suite | `codeql/cpp/ql/src/codeql-suites/security-extended` | 9 | | `quality` | 163 | Security and Quality Extended Suite | `codeql/cpp/ql/src/codeql-suites/security-and-quality` | 10 | | `super-extended` | 90 | Security Extended with Experimental and Custom Queries Suite | `advanced-security/codeql-queries/cpp/suites/codeql-cpp.qls@main` | 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /cpp/codeql-pack.lock.yml: -------------------------------------------------------------------------------- 1 | --- 2 | lockVersion: 1.0.0 3 | dependencies: 4 | codeql/cpp-all: 5 | version: 0.7.2 6 | codeql/ssa: 7 | version: 0.0.17 8 | codeql/tutorial: 9 | version: 0.0.10 10 | codeql/util: 11 | version: 0.0.10 12 | compiled: false 13 | -------------------------------------------------------------------------------- /cpp/qlpack.yml: -------------------------------------------------------------------------------- 1 | library: false 2 | name: advanced-security/codeql-cpp 3 | version: 0.2.0 4 | defaultSuiteFile: 
suites/codeql-cpp.qls 5 | dependencies: 6 | codeql/cpp-all: 0.9.0 7 | -------------------------------------------------------------------------------- /cpp/queries.xml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /cpp/suites/codeql-external-api.qls: -------------------------------------------------------------------------------- 1 | 2 | - description: "GitHub's Field Team C/CPP External API Suite" 3 | 4 | - import: codeql-suites/cpp-security-extended.qls 5 | from: codeql/cpp-queries 6 | 7 | - queries: '.' 8 | from: codeql/cpp-queries 9 | - include: 10 | id: 11 | - cpp/untrusted-data-to-external-api 12 | -------------------------------------------------------------------------------- /csharp/CWE-078/CommandInjectionAudit.md: -------------------------------------------------------------------------------- 1 | # Audit: Usage of Command Injection sink 2 | 3 | This query detects the use of command injection sinks in your C# code. Command injection sinks are methods that execute a command in a subprocess and if they use unsanitized input, they can be used to execute arbitrary commands. 4 | -------------------------------------------------------------------------------- /csharp/CWE-078/CommandInjectionAudit.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Audit: Usage of Command Injection sink 3 | * @description Using externally controlled strings in a command line may allow a malicious 4 | * user to change the meaning of the command. 
5 | * @kind problem 6 | * @problem.severity error 7 | * @security-severity 2.0 8 | * @precision low 9 | * @id cs/audit/command-line-injection 10 | * @tags security 11 | * external/cwe/cwe-078 12 | * external/cwe/cwe-088 13 | * audit 14 | */ 15 | 16 | import csharp 17 | import semmle.code.csharp.security.dataflow.CommandInjectionQuery 18 | 19 | from DataFlow::Node sink 20 | where sink instanceof Sink 21 | select sink, "Usage of Command Injection sink" 22 | -------------------------------------------------------------------------------- /csharp/CWE-094/CodeInjectionAudit.md: -------------------------------------------------------------------------------- 1 | # Audit: Use of Code Injection sink 2 | 3 | This query detects the use of code injection sinks in your C# code. Code injection sinks are methods that treat a string as code and execute it; if they receive unsanitized input, they can be used to execute arbitrary code. 4 | -------------------------------------------------------------------------------- /csharp/CWE-094/CodeInjectionAudit.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Audit: Use of Code Injection sink 3 | * @description Treating externally controlled strings as code can allow an attacker to execute 4 | * malicious code. 
5 | * @kind problem 6 | * @problem.severity warning 7 | * @security-severity 2.0 8 | * @precision low 9 | * @id cs/audit/code-injection 10 | * @tags security 11 | * external/cwe/cwe-094 12 | * external/cwe/cwe-095 13 | * external/cwe/cwe-096 14 | * audit 15 | */ 16 | 17 | import csharp 18 | import semmle.code.csharp.security.dataflow.CodeInjectionQuery 19 | 20 | from DataFlow::Node sink 21 | where sink instanceof Sink 22 | select sink, "Usage of Code Injection sink" 23 | -------------------------------------------------------------------------------- /csharp/CWE-328/WeakHashingAlgorithms.md: -------------------------------------------------------------------------------- 1 | ## Use of Cryptographically Weak Hash Algorithms 2 | 3 | Detects use of MD5, which is [insecure](https://eprint.iacr.org/2013/170.pdf) when used in a security context. 4 | -------------------------------------------------------------------------------- /csharp/CWE-328/WeakPasswordHashing.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Use of an inappropriate cryptographic hashing algorithm on passwords 3 | * @description Using inappropriate cryptographic hashing algorithms with passwords can compromise security. 
4 | * @kind path-problem 5 | * @problem.severity warning 6 | * @security-severity 7.5 7 | * @precision high 8 | * @id csharp/weak-password-hashing 9 | * @tags security 10 | * external/cwe/cwe-327 11 | * external/cwe/cwe-328 12 | * external/cwe/cwe-916 13 | */ 14 | 15 | import csharp 16 | import WeakPasswordHashingQuery 17 | import WeakHashingFlow::PathGraph 18 | 19 | from 20 | WeakHashingFlow::PathNode source, WeakHashingFlow::PathNode sink, string algorithm, 21 | PasswordExpr expr 22 | where 23 | WeakHashingFlow::flowPath(source, sink) and 24 | algorithm = sink.getNode().(WeakPasswordHashingSink).getAlgorithm() and 25 | expr = source.getNode().asExpr() 26 | select sink.getNode(), source, sink, 27 | "Insecure hashing algorithm (" + algorithm + ") depends on $@.", source.getNode(), 28 | "password (" + expr + ")" 29 | -------------------------------------------------------------------------------- /csharp/CWE-328/WeakPasswordHashingBad.csharp: -------------------------------------------------------------------------------- 1 | using var sha512 = System.Security.Cryptography.SHA512.Create(); 2 | 3 | var data = sha512.ComputeHash(Encoding.UTF8.GetBytes(content)); // BAD -------------------------------------------------------------------------------- /csharp/CWE-328/WeakSensitiveDataHashing.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Use of a broken or weak cryptographic hashing algorithm on sensitive data 3 | * @description Using broken or weak cryptographic hashing algorithms can compromise security. 
4 | * @kind path-problem 5 | * @problem.severity warning 6 | * @security-severity 7.5 7 | * @precision high 8 | * @id csharp/weak-sensitive-data-hashing 9 | * @tags security 10 | * external/cwe/cwe-327 11 | * external/cwe/cwe-328 12 | */ 13 | 14 | import csharp 15 | import WeakSensitiveDataHashingQuery 16 | import WeakHashingFlow::PathGraph 17 | 18 | from 19 | WeakHashingFlow::PathNode source, WeakHashingFlow::PathNode sink, string algorithm, 20 | SensitiveExpr expr 21 | where 22 | WeakHashingFlow::flowPath(source, sink) and 23 | algorithm = sink.getNode().(WeakSensitiveDataHashingSink).getAlgorithm() and 24 | expr = source.getNode().asExpr() 25 | select sink.getNode(), source, sink, 26 | "Insecure hashing algorithm (" + algorithm + ") depends on $@.", source.getNode(), 27 | "sensitive data (" + expr + ")" 28 | -------------------------------------------------------------------------------- /csharp/CWE-328/WeakSensitiveDataHashingBad.csharp: -------------------------------------------------------------------------------- 1 | using var md5 = System.Security.Cryptography.MD5.Create(); 2 | 3 | var data = md5.ComputeHash(Encoding.UTF8.GetBytes(content)); // BAD -------------------------------------------------------------------------------- /csharp/CWE-328/WeakSensitiveDataHashingGood.csharp: -------------------------------------------------------------------------------- 1 | using var sha256 = System.Security.Cryptography.SHA256.Create(); 2 | 3 | var data = sha256.ComputeHash(Encoding.UTF8.GetBytes(content)); // GOOD - but **not** for certificate integrity, nor password hashing! -------------------------------------------------------------------------------- /csharp/CWE-502/UnsafeDeserializationAudit.md: -------------------------------------------------------------------------------- 1 | # Audit: Usage of Unsafe Deserialize sink 2 | 3 | This query detects the use of unsafe deserialize sinks in your C# code. 
Unsafe deserialize sinks are methods that deserialize data; if that data is unsanitized, user-controlled input, they can be used to execute arbitrary code. 4 | -------------------------------------------------------------------------------- /csharp/CWE-502/UnsafeDeserializationAudit.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Audit: Usage of Unsafe Deserialize sink 3 | * @description Calling an unsafe deserializer with data controlled by an attacker 4 | * can lead to denial of service and other security problems. 5 | * @kind problem 6 | * @id cs/audit/unsafe-deserialization 7 | * @problem.severity warning 8 | * @security-severity 2.0 9 | * @precision low 10 | * @tags security 11 | * external/cwe/cwe-502 12 | * audit 13 | */ 14 | 15 | // https://github.com/advanced-security/codeql-queries/blob/audit-csharp/codeql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql 16 | import csharp 17 | import semmle.code.csharp.security.dataflow.UnsafeDeserializationQuery 18 | 19 | from DataFlow::Node sink 20 | where sink instanceof Sink 21 | select sink, "Usage of Unsafe Deserialize sink" 22 | -------------------------------------------------------------------------------- /csharp/CWE-611/UnsafeXMLResolverAudit.md: -------------------------------------------------------------------------------- 1 | # Audit: Usage of Insecure XML Parser 2 | 3 | This query detects the use of insecure XML parsers in your C# code. Insecure XML parsers are parsers whose configuration does not restrict dangerous external references (for example, by using a secure resolver or disabling DTD processing). If they are used to parse unsanitized, user-controlled input, an attacker can control the external references the parser resolves. 
4 | -------------------------------------------------------------------------------- /csharp/CWE-611/UnsafeXMLResolverAudit.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Audit: Usage of Insecure XML Parser 3 | * @description XML may include dangerous external references, which should 4 | * be restricted using a secure resolver or disabling DTD processing. 5 | * @kind problem 6 | * @problem.severity warning 7 | * @security-severity 2.0 8 | * @precision low 9 | * @id cs/audit/insecure-xml-read 10 | * @tags security 11 | * external/cwe/cwe-611 12 | * external/cwe/cwe-827 13 | * external/cwe/cwe-776 14 | * audit 15 | */ 16 | 17 | // https://github.com/advanced-security/codeql-queries/blob/c8cfb6a0cc44da3d2baae4b985262a84652f71ee/csharp/ql/src/Security Features/CWE-611/UseXmlSecureResolver.ql#L22s 18 | import csharp 19 | import semmle.code.csharp.security.xml.InsecureXMLQuery 20 | 21 | from InsecureXmlProcessing xmlProcessing, string reason 22 | where xmlProcessing.isUnsafe(reason) 23 | select xmlProcessing, "Insecure XML processing: " + reason 24 | -------------------------------------------------------------------------------- /csharp/CWE-760/HardcodedSalt.md: -------------------------------------------------------------------------------- 1 | # Hardcoded Salt 2 | 3 | ## Summary 4 | 5 | Hardcoding a salt value in a cryptographic algorithm can make it easier for an attacker to crack the passwords. Even when using a strong algorithm, a salt should be randomly generated and stored with the password. 
6 | 7 | ## Example 8 | 9 | ```csharp 10 | public static string HashPassword(string password) 11 | { 12 | byte[] salt = new byte[16]; 13 | using (var rng = RandomNumberGenerator.Create()) 14 | { 15 | rng.GetBytes(salt); 16 | } 17 | 18 | var pbkdf2 = new Rfc2898DeriveBytes(password, salt, 10000); 19 | byte[] hash = pbkdf2.GetBytes(20); 20 | 21 | byte[] hashBytes = new byte[36]; 22 | Array.Copy(salt, 0, hashBytes, 0, 16); 23 | Array.Copy(hash, 0, hashBytes, 16, 20); 24 | 25 | string savedPasswordHash = Convert.ToBase64String(hashBytes); 26 | 27 | return savedPasswordHash; 28 | } 29 | ``` 30 | -------------------------------------------------------------------------------- /csharp/CWE-798/HardcodedCredentials.cs: -------------------------------------------------------------------------------- 1 | using Microsoft.AspNet.Identity; 2 | using System; 3 | using System.Web; 4 | using System.Web.Security; 5 | 6 | public class HardCodedCredentialHandler : IHttpHandler 7 | { 8 | 9 | public void ProcessRequest(HttpContext ctx) 10 | { 11 | string password = ctx.Request.QueryString["password"]; 12 | 13 | // BAD: Inbound authentication made by comparison to string literal 14 | if (password == "myPa55word") 15 | { 16 | ctx.Response.Redirect("login"); 17 | } 18 | 19 | string hashedPassword = loadPasswordFromSecretConfig(); 20 | 21 | // GOOD: Inbound authentication made by comparing to a hash password from a config 22 | if (PasswordHasher.VerifyHashedPassword(hashedPassword, password)) 23 | { 24 | ctx.Response.Redirect(VALID_REDIRECT); 25 | } 26 | 27 | // BAD: Set the password to a hardcoded string literal 28 | MembershipUser user = loadMembershipUser(); 29 | user.ChangePassword(password, "myNewPa55word"); 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /csharp/CWE-798/HardcodedCredentialsSymmetricSecurityKey.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Hard-coded 
credentials 3 | * @description Credentials are hard coded in the source code of the application. 4 | * @kind path-problem 5 | * @problem.severity error 6 | * @security-severity 9.8 7 | * @precision high 8 | * @id cs/hardcoded-credentials-symmetricsecuritykey 9 | * @tags security 10 | * external/cwe/cwe-259 11 | * external/cwe/cwe-321 12 | * external/cwe/cwe-798 13 | */ 14 | 15 | import csharp 16 | 17 | private import DataFlow::PathGraph 18 | 19 | private import github.HardcodedCredentials 20 | 21 | 22 | from DataFlow::PathNode source, DataFlow::PathNode sink, LiteralToSecurityKeyConfig config 23 | where config.hasFlowPath(source, sink) 24 | select source, sink, source, "Hard-coded credential $@ used as SymmetricSecurityKey $@", 25 | source.getNode().asExpr(), source.getNode().toString(), sink.getNode().asExpr(), "here" 26 | -------------------------------------------------------------------------------- /csharp/codeql-pack.lock.yml: -------------------------------------------------------------------------------- 1 | --- 2 | lockVersion: 1.0.0 3 | dependencies: 4 | codeql/csharp-all: 5 | version: 0.6.4 6 | codeql/ssa: 7 | version: 0.0.19 8 | codeql/tutorial: 9 | version: 0.0.12 10 | codeql/util: 11 | version: 0.0.12 12 | compiled: false 13 | -------------------------------------------------------------------------------- /csharp/github/Hardcoded.qll: -------------------------------------------------------------------------------- 1 | import csharp 2 | 3 | abstract class HardcodedValues extends DataFlow::ExprNode { } 4 | 5 | class NonEmptyStringLiteral extends HardcodedValues { 6 | NonEmptyStringLiteral() { this.getExpr().(StringLiteral).getValue().length() > 1 } 7 | } 8 | 9 | class ByteArrayLiteral extends HardcodedValues { 10 | ByteArrayLiteral() { 11 | this.getExpr() = 12 | any(ArrayCreation ac | 13 | ac.getArrayType().getElementType() instanceof ByteType and 14 | ac.hasInitializer() 15 | ) 16 | } 17 | } 18 | 19 | class CharArrayLiteral extends HardcodedValues { 
20 | CharArrayLiteral() { 21 | this.getExpr() = 22 | any(ArrayCreation ac | 23 | ac.getArrayType().getElementType() instanceof CharType and 24 | ac.hasInitializer() 25 | ) 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /csharp/qlpack.yml: -------------------------------------------------------------------------------- 1 | library: false 2 | name: advanced-security/codeql-csharp 3 | version: 0.4.0 4 | defaultSuiteFile: suites/codeql-csharp.qls 5 | dependencies: 6 | codeql/csharp-all: 0.7.2 7 | advanced-security/codeql-csharp-extensions: 0.3.0 8 | -------------------------------------------------------------------------------- /csharp/queries.xml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /csharp/suites/codeql-csharp-audit.qls: -------------------------------------------------------------------------------- 1 | # This is the field security specialist audit pack 2 | 3 | - description: "CSharp Audit Pack" 4 | 5 | # Field query pack with some audit queries 6 | - queries: '.' 7 | from: advanced-security/codeql-csharp 8 | 9 | - include: 10 | kind: 11 | - problem 12 | - path-problem 13 | - metric 14 | - diagnostic 15 | tags contain: 16 | - audit 17 | 18 | # External API query 19 | - queries: '.' 20 | from: codeql/csharp-queries 21 | - include: 22 | id: 23 | - cs/untrusted-data-to-external-api 24 | -------------------------------------------------------------------------------- /csharp/suites/codeql-csharp.qls: -------------------------------------------------------------------------------- 1 | # https://codeql.github.com/docs/codeql-cli/creating-codeql-query-suites/ 2 | 3 | - description: "GitHub's Field Team CSharp Extended Suite" 4 | 5 | # GitHub's Field Team CSharp Suite 6 | - queries: '.' 
7 | from: advanced-security/codeql-csharp 8 | 9 | - include: 10 | kind: 11 | - problem 12 | - path-problem 13 | - metric 14 | - diagnostic 15 | precision: 16 | - very-high 17 | - high 18 | - medium 19 | - low 20 | 21 | # Remove debugging, and audit queries 22 | - exclude: 23 | tags contain: 24 | - debugging 25 | - audit 26 | # Remove local testing folders 27 | - exclude: 28 | query path: 29 | - /testing\/.*/ 30 | -------------------------------------------------------------------------------- /csharp/suites/codeql-debugging.qls: -------------------------------------------------------------------------------- 1 | - description: "GitHub's Field Team CSharp Debugging Suite" 2 | 3 | - import: codeql-suites/csharp-security-extended.qls 4 | from: codeql/csharp-queries 5 | 6 | - queries: '.' 7 | from: codeql/csharp-queries 8 | - include: 9 | id: 10 | # https://github.com/github/codeql/blob/main/csharp/ql/src/Security%20Features/CWE-020/UntrustedDataToExternalAPI.ql 11 | - cs/untrusted-data-to-external-api 12 | -------------------------------------------------------------------------------- /extensions/README.md: -------------------------------------------------------------------------------- 1 | # Field Data Extensions 2 | 3 | ## Usage 4 | 5 | ```yaml 6 | packs: advanced-security/codeql-${{ matrix.language }}-extensions 7 | ``` 8 | 9 | #### Actions Step Example 10 | 11 | ```yaml 12 | - name: Initialize CodeQL 13 | uses: github/codeql-action/init@v2 14 | with: 15 | languages: ${{ matrix.language }} 16 | packs: advanced-security/codeql-${{ matrix.language }}-extensions 17 | ``` 18 | 19 | #### CodeQL CLI 20 | 21 | **Install the latest pack** 22 | 23 | ```bash 24 | codeql pack download advanced-security/codeql-$LANGUAGE-extensions@latest 25 | ``` 26 | 27 | **Use pack in analysis:** 28 | 29 | ```bash 30 | # ... 
init / setup 31 | codeql database analyze \ 32 | --extension-packs advanced-security/codeql-$LANGUAGE-extensions \ 33 | $CODEQL_DATABASE \ 34 | codeql/$LANGUAGE-queries 35 | ``` 36 | 37 | Set the `LANGUAGE` variable so that the correct extension pack is used, point `CODEQL_DATABASE` at the correct database, and add any other parameters the command needs. 38 | 39 | 40 | ## Extension Summary 41 | 42 | | Language | Projects | 43 | | :------------------------------------------- | :---------------------------------------: | 44 | | [java](./codeql-java-extensions) | [104](./codeql-java-extensions/generated) | 45 | | [csharp](./codeql-csharp-extensions) | [6](./codeql-csharp-extensions/generated) | 46 | | [javascript](./codeql-javascript-extensions) | [0](./codeql-javascript-extensions/generated) | 47 | -------------------------------------------------------------------------------- /extensions/codeql-csharp-extensions/codeql-pack.lock.yml: -------------------------------------------------------------------------------- 1 | --- 2 | lockVersion: 1.0.0 3 | dependencies: {} 4 | compiled: false 5 | -------------------------------------------------------------------------------- /extensions/codeql-csharp-extensions/generated/JamesNK/Newtonsoft.Json.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- /extensions/codeql-csharp-extensions/generated/abpframework/abp.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/csharp-queries 4 | extensible: sinkModel 5 | data: 6 | - ["Volo.Abp.Cli.ProjectBuilding.Analyticses", "CliAnalyticsCollect", false, "CollectAsync", "(Volo.Abp.Cli.ProjectBuilding.Analyticses.CliAnalyticsCollectInputDto)", "", "Argument[0]", "xss", "generated"] 7 | 8 | -------------------------------------------------------------------------------- 
/extensions/codeql-csharp-extensions/generated/apache/logging-log4net.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- /extensions/codeql-csharp-extensions/generated/aws/aws-lambda-dotnet.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- /extensions/codeql-csharp-extensions/generated/googleapis/google-cloud-dotnet.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/csharp-queries 4 | extensible: sinkModel 5 | data: 6 | - ["Google.Cloud.ClientTesting", "ReplayingMessageHandler", false, "ExpectRequest", "(System.Uri,System.String,System.String)", "", "Argument[2]", "xss", "df-generated"] 7 | 8 | -------------------------------------------------------------------------------- /extensions/codeql-csharp-extensions/generated/ravendb/ravendb.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/csharp-queries 4 | extensible: sinkModel 5 | data: 6 | - ["Raven.Server.Commercial", "FeedbackSender", false, "SendFeedback", "(Raven.Server.Documents.Studio.FeedbackForm)", "", "Argument[0]", "xss", "generated"] 7 | - ["Raven.Server.Smuggler.Migration.ApiKey", "FipsEncryptor+FipsSymmetricalEncryptor", false, "CreateDecryptor", "(System.Byte[],System.Byte[])", "", "Argument[0]", "encryption-decryptor", "generated"] 8 | - ["Raven.Server.Smuggler.Migration.ApiKey", "FipsEncryptor+FipsSymmetricalEncryptor", false, "set_Key", "(System.Byte[])", "", "Argument[0]", "encryption-keyprop", "generated"] 9 | - ["SlowTests.Server.Documents.Migration", "SqlAwareTestBase", false, "ExecuteSqlQuery", 
"(Raven.Server.SqlMigration.MigrationProvider,System.String,System.String)", "", "Argument[2]", "sql", "generated"] 10 | 11 | -------------------------------------------------------------------------------- /extensions/codeql-csharp-extensions/models/AspNetCoreMvc.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/csharp-queries 4 | extensible: sinkModel 5 | data: 6 | # XSS requires the ContentType to be set to 'text/html' 7 | - ["Microsoft.AspNetCore.Mvc", "ContentResult", False, "Content", "", "", "", "xss", "manual"] 8 | - ["Microsoft.AspNetCore.Mvc", "ContentResult", False, "ContentType", "", "", "", "xss", "manual"] 9 | # Returned with a ContentType of 'text/plain' 10 | - ["Microsoft.AspNetCore.Mvc", "OkObjectResult", False, "OkObjectResult", "", "", "", "xss", "manual"] 11 | -------------------------------------------------------------------------------- /extensions/codeql-csharp-extensions/models/README.md: -------------------------------------------------------------------------------- 1 | # CSharp Models 2 | -------------------------------------------------------------------------------- /extensions/codeql-csharp-extensions/qlpack.yml: -------------------------------------------------------------------------------- 1 | --- 2 | library: true 3 | name: advanced-security/codeql-csharp-extensions 4 | version: 0.3.0 5 | extensionTargets: 6 | codeql/csharp-all: ^0.6.0 7 | codeql/csharp-queries: ^0.6.0 8 | dataExtensions: 9 | # manually curated / reviewed models 10 | - 'models/*.yml' 11 | - 'models/**/*.yml' 12 | # generated models 13 | - 'generated/*.yml' 14 | - 'generated/**/*.yml' 15 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/codeql-pack.lock.yml: -------------------------------------------------------------------------------- 1 | --- 2 | lockVersion: 1.0.0 3 | dependencies: {} 4 | compiled: false 5 | 
-------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/Activiti/Activiti.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["org.activiti.bpmn.converter.util", "InputStreamProvider", true, "getInputStream", "()", "", "Argument[-1]", "open-url", "generated"] 7 | - ["org.activiti.engine.impl.cfg", "ProcessEngineConfigurationImpl", true, "initDataSource", "()", "", "Argument[-1]", "jndi-injection", "generated"] 8 | - ["org.activiti.engine.impl.cfg", "ProcessEngineConfigurationImpl", true, "initIdGenerator", "()", "", "Argument[-1]", "jndi-injection", "generated"] 9 | - ["org.activiti.engine.impl.persistence.entity", "TableDataManager", true, "getTableMetaData", "(String)", "", "Argument[0]", "sql", "generated"] 10 | - ["org.activiti.engine", "ProcessEngines", true, "retry", "(String)", "", "Argument[0]", "open-url", "generated"] 11 | 12 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/FasterXML/jackson-core.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["com.fasterxml.jackson.core", "JsonFactory", true, "createJsonParser", "(File)", "", "Argument[0]", "read-file", "generated"] 7 | - ["com.fasterxml.jackson.core", "JsonFactory", true, "createJsonParser", "(URL)", "", "Argument[0]", "open-url", "generated"] 8 | - ["com.fasterxml.jackson.core", "TokenStreamFactory", true, "createParser", "(File)", "", "Argument[0]", "read-file", "generated"] 9 | - ["com.fasterxml.jackson.core", "TokenStreamFactory", true, "createParser", "(URL)", "", "Argument[0]", "open-url", "generated"] 10 | 11 | 
-------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/FasterXML/jackson-databind.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["com.fasterxml.jackson.databind", "ObjectReader", true, "readValue", "(File)", "", "Argument[0]", "read-file", "generated"] 7 | - ["com.fasterxml.jackson.databind", "ObjectReader", true, "readValue", "(File,Class)", "", "Argument[0]", "read-file", "generated"] 8 | - ["com.fasterxml.jackson.databind", "ObjectReader", true, "readValue", "(URL)", "", "Argument[0]", "open-url", "generated"] 9 | - ["com.fasterxml.jackson.databind", "ObjectReader", true, "readValue", "(URL,Class)", "", "Argument[0]", "open-url", "generated"] 10 | - ["com.fasterxml.jackson.databind", "ObjectReader", true, "readValues", "(File)", "", "Argument[0]", "read-file", "generated"] 11 | - ["com.fasterxml.jackson.databind", "ObjectReader", true, "readValues", "(URL)", "", "Argument[0]", "open-url", "generated"] 12 | 13 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/JetBrains/kotlin.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["org.jetbrains.kotlin.cli.jvm.compiler", "CompileEnvironmentUtil", true, "writeToJar", "(File,boolean,boolean,boolean,FqName,OutputFileCollection,MessageCollector)", "", "Argument[0]", "create-file", "generated"] 7 | - ["org.jetbrains.kotlin.codegen", "GeneratedClassLoader", true, "GeneratedClassLoader", "(ClassFileFactory,ClassLoader,URL[])", "", "Argument[2]", "open-url", "generated"] 8 | - ["org.jetbrains.kotlin.preloading", "ClassPreloadingUtils", true, "preloadClasses", "(Collection,int,ClassLoader,ClassCondition)", 
"", "Argument[0]", "open-url", "generated"] 9 | - ["org.jetbrains.kotlin.preloading", "ClassPreloadingUtils", true, "preloadClasses", "(Collection,int,ClassLoader,ClassCondition)", "", "Argument[0]", "read-file", "generated"] 10 | - ["org.jetbrains.kotlin.preloading", "ClassPreloadingUtils", true, "preloadClasses", "(Collection,int,ClassLoader,ClassCondition,ClassHandler)", "", "Argument[0]", "open-url", "generated"] 11 | - ["org.jetbrains.kotlin.preloading", "ClassPreloadingUtils", true, "preloadClasses", "(Collection,int,ClassLoader,ClassCondition,ClassHandler)", "", "Argument[0]", "read-file", "generated"] 12 | 13 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/Kotlin/kotlinx.coroutines.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/LMAX-Exchange/disruptor.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/OpenFeign/feign.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["feign", "Client$Default", true, "getConnection", "(URL)", "", "Argument[0]", "open-url", "generated"] 7 | 8 | - addsTo: 9 | pack: codeql/java-queries 10 | extensible: sourceModel 11 | data: 12 | - ["feign.codec", "Decoder", true, "decode", "(Response,Type)", "", "ReturnValue", "remote", "generated"] 13 | - ["feign.codec", "ErrorDecoder", true, "decode", "(String,Response)", "", "ReturnValue", "remote", "generated"] 14 | - ["feign", "InvocationContext", true, "proceed", "()", "", "ReturnValue", "remote", "generated"] 15 | 
- ["feign", "InvocationHandlerFactory$MethodHandler", true, "invoke", "(Object[])", "", "ReturnValue", "remote", "generated"] 16 | - ["feign", "Response$Body", true, "asInputStream", "()", "", "ReturnValue", "remote", "generated"] 17 | - ["feign", "Response$Body", true, "asReader", "()", "", "ReturnValue", "remote", "generated"] 18 | - ["feign", "Response$Body", true, "asReader", "(Charset)", "", "ReturnValue", "remote", "generated"] 19 | - ["feign", "ResponseHandler", true, "handleResponse", "(String,Response,Type,long)", "", "ReturnValue", "remote", "generated"] 20 | 21 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/ReactiveX/RxJava.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/abel533/Mapper.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["tk.mybatis.mapper.generator.formatter", "FreemarkerTemplateFormatter", true, "process", "(String,String,Map)", "", "Argument[1]", "ssti", "generated"] 7 | - ["tk.mybatis.mapper.generator.formatter", "ListTemplateFormatter", true, "getFormattedContent", "(Set,Properties,String,String)", "", "Argument[3]", "ssti", "generated"] 8 | - ["tk.mybatis.mapper.generator.formatter", "TemplateFormatter", true, "getFormattedContent", "(TableClass,Properties,String,String)", "", "Argument[3]", "ssti", "generated"] 9 | 10 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/alibaba/easyexcel.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | 
data: 6 | - ["com.alibaba.excel.util", "FileUtils", true, "openInputStream", "(File)", "", "Argument[0]", "read-file", "generated"] 7 | - ["com.alibaba.excel.util", "FileUtils", true, "readFileToByteArray", "(File)", "", "Argument[0]", "read-file", "generated"] 8 | - ["com.alibaba.excel.util", "FileUtils", true, "setTempFilePrefix", "(String)", "", "Argument[0]", "create-file", "generated"] 9 | - ["com.alibaba.excel.util", "FileUtils", true, "writeToFile", "(File,InputStream)", "", "Argument[0]", "create-file", "generated"] 10 | - ["com.alibaba.excel.util", "FileUtils", true, "writeToFile", "(File,InputStream,boolean)", "", "Argument[0]", "create-file", "generated"] 11 | 12 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/alibaba/spring-cloud-alibaba.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["com.alibaba.cloud.commons.io", "FileUtils", false, "openInputStream", "(File)", "", "Argument[0]", "read-file", "generated"] 7 | - ["com.alibaba.cloud.commons.io", "FileUtils", false, "readFileToString", "(File)", "", "Argument[0]", "read-file", "generated"] 8 | - ["com.alibaba.cloud.commons.io", "FileUtils", false, "readFileToString", "(File,Charset)", "", "Argument[0]", "read-file", "generated"] 9 | - ["com.alibaba.cloud.commons.io", "FileUtils", false, "readFileToString", "(File,String)", "", "Argument[0]", "read-file", "generated"] 10 | 11 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/apache/beam.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["org.apache.beam.examples.complete.kafkatopubsub.kafka.consumer", "Utils", true, 
"getKafkaCredentialsFromVault", "(String,String)", "", "Argument[0]", "open-url", "generated"] 7 | - ["org.apache.beam.runners.dataflow.worker.logging", "DataflowWorkerLoggingHandler", true, "DataflowWorkerLoggingHandler", "(String,long)", "", "Argument[0]", "create-file", "generated"] 8 | - ["org.apache.beam.sdk.io.clickhouse", "ClickHouseIO", true, "getTableSchema", "(String,String)", "", "Argument[1]", "sql", "generated"] 9 | - ["org.apache.beam.sdk.jmh.io", "TextSourceBenchmark$Data", true, "createFile", "()", "", "Argument[-1]", "create-file", "generated"] 10 | - ["org.apache.beam.sdk.metrics", "MetricsSink", true, "writeMetrics", "(MetricQueryResults)", "", "Argument[-1]", "open-url", "generated"] 11 | - ["org.apache.beam.sdk.util", "ZipFiles", false, "zipDirectory", "(File,File)", "", "Argument[1]", "create-file", "generated"] 12 | - ["org.apache.beam.sdk.util", "ZipFiles", false, "zipDirectoryOverwrite", "(File,File)", "", "Argument[1]", "create-file", "generated"] 13 | 14 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/apache/commons-lang.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/apache/shardingsphere.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["org.apache.shardingsphere.data.pipeline.spi.ddlgenerator", "CreateTableSQLGenerator", true, "generate", "(DataSource,String,String)", "", "Argument[1]", "sql", "generated"] 7 | - ["org.apache.shardingsphere.data.pipeline.spi.ddlgenerator", "CreateTableSQLGenerator", true, "generate", "(DataSource,String,String)", "", "Argument[2]", "sql", "generated"] 8 | - 
["org.apache.shardingsphere.globalclock.core.executor", "GlobalClockTransactionExecutor", true, "sendCommitTimestamp", "(Collection,long)", "", "Argument[1]", "sql", "generated"] 9 | - ["org.apache.shardingsphere.globalclock.core.executor", "GlobalClockTransactionExecutor", true, "sendSnapshotTimestamp", "(Collection,long)", "", "Argument[1]", "sql", "generated"] 10 | - ["org.apache.shardingsphere.infra.metadata.data.collector", "ShardingSphereTableDataCollectorUtils", false, "collectRowData", "(ShardingSphereDatabase,String,ShardingSphereTable,Collection)", "", "Argument[1]", "sql", "generated"] 11 | - ["org.apache.shardingsphere.infra.metadata.database.schema.loader.metadata", "DialectSchemaMetaDataLoader", true, "load", "(DataSource,Collection,String)", "", "Argument[1]", "sql", "generated"] 12 | - ["org.apache.shardingsphere.sqltranslator.spi", "SQLTranslator", true, "translate", "(String,SQLStatement,DatabaseType,DatabaseType)", "", "Argument[0]", "sql", "generated"] 13 | 14 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/apache/skywalking.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["org.apache.skywalking.oap.meter.analyzer.dsl", "DSL", false, "parse", "(String)", "", "Argument[0]", "groovy", "generated"] 7 | 8 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/auth0/java-jwt.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/ben-manes/caffeine.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | 
-------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/brettwooldridge/HikariCP.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["com.zaxxer.hikari.hibernate", "HikariConfigurationUtil", true, "loadConfiguration", "(Map)", "", "Argument[0]", "jdbc-url", "generated"] 7 | - ["com.zaxxer.hikari.util", "DriverDataSource", false, "DriverDataSource", "(String,String,Properties,String,String)", "", "Argument[1]", "read-file", "generated"] 8 | - ["com.zaxxer.hikari.util", "UtilityElf", false, "createInstance", "(String,Class,Object[])", "", "Argument[0]", "read-file", "generated"] 9 | - ["com.zaxxer.hikari", "HikariConfig", true, "HikariConfig", "(String)", "", "Argument[0]", "read-file", "generated"] 10 | - ["com.zaxxer.hikari", "HikariConfig", true, "setDriverClassName", "(String)", "", "Argument[0]", "read-file", "generated"] 11 | - ["com.zaxxer.hikari", "HikariConfig", true, "setExceptionOverrideClassName", "(String)", "", "Argument[0]", "read-file", "generated"] 12 | - ["com.zaxxer.hikari", "HikariConfig", true, "setHealthCheckRegistry", "(Object)", "", "Argument[0]", "jndi-injection", "generated"] 13 | - ["com.zaxxer.hikari", "HikariConfig", true, "setMetricRegistry", "(Object)", "", "Argument[0]", "jndi-injection", "generated"] 14 | 15 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/cglib/cglib.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/codecentric/spring-boot-admin.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: 
codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["de.codecentric.boot.admin.client.registration", "ApplicationRegistrator", true, "deregister", "()", "", "Argument[-1]", "open-url", "generated"] 7 | - ["de.codecentric.boot.admin.client.registration", "ApplicationRegistrator", true, "register", "()", "", "Argument[-1]", "open-url", "generated"] 8 | - ["de.codecentric.boot.admin.client.registration", "RegistrationClient", true, "deregister", "(String,String)", "", "Argument[0]", "open-url", "generated"] 9 | - ["de.codecentric.boot.admin.client.registration", "RegistrationClient", true, "deregister", "(String,String)", "", "Argument[1]", "open-url", "generated"] 10 | - ["de.codecentric.boot.admin.client.registration", "RegistrationClient", true, "register", "(String,Application)", "", "Argument[0]", "open-url", "generated"] 11 | 12 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/cucumber/cucumber-jvm.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["io.cucumber.core.plugin", "TimelineFormatter", false, "TimelineFormatter", "(File)", "", "Argument[0]", "create-file", "generated"] 7 | 8 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/dropwizard/dropwizard.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["io.dropwizard.configuration", "ConfigurationFactory", true, "build", "(File)", "", "Argument[0]", "read-file", "generated"] 7 | - ["io.dropwizard.configuration", "ConfigurationSourceProvider", true, "open", "(String)", "", "Argument[0]", "open-url", "generated"] 8 | - ["io.dropwizard.configuration", 
"ConfigurationSourceProvider", true, "open", "(String)", "", "Argument[0]", "read-file", "generated"] 9 | - ["io.dropwizard.servlets.assets", "ResourceURL", true, "getLastModified", "(URL)", "", "Argument[0]", "open-url", "generated"] 10 | - ["io.dropwizard.servlets.assets", "ResourceURL", true, "isDirectory", "(URL)", "", "Argument[0]", "open-url", "generated"] 11 | 12 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/dropwizard/metrics.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["com.codahale.metrics", "ScheduledReporter", true, "report", "(SortedMap,SortedMap,SortedMap,SortedMap,SortedMap)", "", "Argument[0]", "create-file", "generated"] 7 | - ["com.codahale.metrics", "ScheduledReporter", true, "report", "(SortedMap,SortedMap,SortedMap,SortedMap,SortedMap)", "", "Argument[1]", "create-file", "generated"] 8 | - ["com.codahale.metrics", "ScheduledReporter", true, "report", "(SortedMap,SortedMap,SortedMap,SortedMap,SortedMap)", "", "Argument[2]", "create-file", "generated"] 9 | - ["com.codahale.metrics", "ScheduledReporter", true, "report", "(SortedMap,SortedMap,SortedMap,SortedMap,SortedMap)", "", "Argument[3]", "create-file", "generated"] 10 | - ["com.codahale.metrics", "ScheduledReporter", true, "report", "(SortedMap,SortedMap,SortedMap,SortedMap,SortedMap)", "", "Argument[4]", "create-file", "generated"] 11 | 12 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/google/gson.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/google/guice.yml: 
-------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/java-native-access/jna.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/jhy/jsoup.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["org.jsoup.helper", "DataUtil", false, "load", "(File,String,String)", "", "Argument[0]", "read-file", "generated"] 7 | - ["org.jsoup.helper", "DataUtil", false, "load", "(File,String,String,Parser)", "", "Argument[0]", "read-file", "generated"] 8 | - ["org.jsoup.helper", "W3CDom", true, "selectXpath", "(String,Document)", "", "Argument[0]", "xpath", "generated"] 9 | - ["org.jsoup.helper", "W3CDom", true, "selectXpath", "(String,Node)", "", "Argument[0]", "xpath", "generated"] 10 | - ["org.jsoup.nodes", "Element", true, "selectXpath", "(String)", "", "Argument[0]", "xpath", "generated"] 11 | - ["org.jsoup.nodes", "Element", true, "selectXpath", "(String,Class)", "", "Argument[0]", "xpath", "generated"] 12 | - ["org.jsoup", "Jsoup", true, "parse", "(File)", "", "Argument[0]", "read-file", "generated"] 13 | - ["org.jsoup", "Jsoup", true, "parse", "(File,String)", "", "Argument[0]", "read-file", "generated"] 14 | - ["org.jsoup", "Jsoup", true, "parse", "(File,String,String)", "", "Argument[0]", "read-file", "generated"] 15 | - ["org.jsoup", "Jsoup", true, "parse", "(File,String,String,Parser)", "", "Argument[0]", "read-file", "generated"] 16 | - ["org.jsoup", "Jsoup", true, "parse", "(URL,int)", "", "Argument[0]", "open-url", "generated"] 17 | 18 | 
-------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/junit-team/junit5.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["example.util", "ListWriter", true, "write", "(String[])", "", "Argument[-1]", "create-file", "generated"] 7 | - ["org.junit.platform.launcher.listeners", "OutputDir", true, "create", "(Optional)", "", "Argument[0]", "create-file", "generated"] 8 | - ["org.junit.platform.launcher.listeners", "OutputDir", true, "createFile", "(String,String)", "", "Argument[-1]", "create-file", "generated"] 9 | - ["org.junit.platform.launcher.listeners", "OutputDir", true, "createFile", "(String,String)", "", "Argument[0]", "create-file", "generated"] 10 | - ["org.junit.platform.launcher.listeners", "OutputDir", true, "createFile", "(String,String)", "", "Argument[1]", "create-file", "generated"] 11 | - ["org.junit.platform.launcher", "TestExecutionListener", true, "testPlanExecutionStarted", "(TestPlan)", "", "Argument[-1]", "create-file", "generated"] 12 | - ["platform.tooling.support", "Helper", true, "loadAllJUnitModules", "(Path)", "", "Argument[0]", "create-file", "generated"] 13 | - ["platform.tooling.support", "ThirdPartyJars", true, "copy", "(Path,String,String)", "", "Argument[0]", "create-file", "generated"] 14 | 15 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/jwtk/jjwt.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/mapstruct/mapstruct.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | 
-------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/micrometer-metrics/micrometer.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["io.micrometer.core.ipc.http", "HttpSender$Request$Builder", true, "send", "()", "", "Argument[-1]", "open-url", "generated"] 7 | - ["io.micrometer.core.samples.utils", "SampleRegistries", true, "stackdriver", "(String,String)", "", "Argument[0]", "read-file", "generated"] 8 | 9 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/mockito/mockito.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["org.mockito.internal.util.io", "IOUtil", false, "writeText", "(String,File)", "", "Argument[1]", "create-file", "generated"] 7 | 8 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/mybatis/spring-boot-starter.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/mybatis/spring.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/pagehelper/Mybatis-PageHelper.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- 
/extensions/codeql-java-extensions/generated/pgjdbc/pgjdbc.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["org.postgresql.replication", "PGReplicationConnection", true, "dropReplicationSlot", "(String)", "", "Argument[0]", "sql", "generated"] 7 | 8 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/qos-ch/slf4j.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["org.slf4j.migrator", "ProjectConverter", true, "convertProject", "(File)", "", "Argument[0]", "create-file", "generated"] 7 | - ["org.slf4j.migrator", "ProjectConverter", true, "convertProject", "(File)", "", "Argument[0]", "read-file", "generated"] 8 | 9 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/redis/jedis.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/resilience4j/resilience4j.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/spring-projects/spring-data-jpa.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/square/retrofit.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | 
-------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/stleary/JSON-java.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/swagger-api/swagger-core.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["io.swagger.v3.oas.integration.api", "OpenApiConfigurationLoader", true, "exists", "(String)", "", "Argument[0]", "read-file", "generated"] 7 | - ["io.swagger.v3.oas.integration.api", "OpenApiConfigurationLoader", true, "load", "(String)", "", "Argument[0]", "read-file", "generated"] 8 | 9 | - addsTo: 10 | pack: codeql/java-queries 11 | extensible: sourceModel 12 | data: 13 | - ["io.swagger.v3.jaxrs2.util", "ServletUtils", true, "getCookies", "(Cookie[])", "", "ReturnValue", "remote", "generated"] 14 | 15 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/testcontainers/testcontainers-java.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | - addsTo: 3 | pack: codeql/java-queries 4 | extensible: sinkModel 5 | data: 6 | - ["org.testcontainers.containers", "SolrClientUtils", true, "createCollection", "(String,int,String,String)", "", "Argument[0]", "open-url", "generated"] 7 | - ["org.testcontainers.containers", "SolrClientUtils", true, "createCollection", "(String,int,String,String)", "", "Argument[1]", "open-url", "generated"] 8 | - ["org.testcontainers.containers", "SolrClientUtils", true, "uploadConfiguration", "(String,int,String,URL,URL)", "", "Argument[0]", "open-url", "generated"] 9 | - ["org.testcontainers.containers", "SolrClientUtils", true, 
"uploadConfiguration", "(String,int,String,URL,URL)", "", "Argument[1]", "open-url", "generated"] 10 | - ["org.testcontainers.containers", "SolrClientUtils", true, "uploadConfiguration", "(String,int,String,URL,URL)", "", "Argument[3]", "open-url", "generated"] 11 | - ["org.testcontainers.containers", "SolrClientUtils", true, "uploadConfiguration", "(String,int,String,URL,URL)", "", "Argument[4]", "open-url", "generated"] 12 | 13 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/generated/zxing/zxing.yml: -------------------------------------------------------------------------------- 1 | extensions: 2 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/models/README.md: -------------------------------------------------------------------------------- 1 | # Java Models 2 | -------------------------------------------------------------------------------- /extensions/codeql-java-extensions/qlpack.yml: -------------------------------------------------------------------------------- 1 | --- 2 | library: true 3 | name: advanced-security/codeql-java-extensions 4 | version: 0.3.2 5 | extensionTargets: 6 | codeql/java-all: ^0.5.0 7 | codeql/java-queries: ^0.5.0 8 | dataExtensions: 9 | # manually curated / reviewed models 10 | - 'models/*.yml' 11 | - 'models/**/*.yml' 12 | # generated models 13 | - 'generated/*.yml' 14 | - 'generated/**/*.yml' 15 | -------------------------------------------------------------------------------- /extensions/codeql-javascript-extensions/codeql-pack.lock.yml: -------------------------------------------------------------------------------- 1 | --- 2 | lockVersion: 1.0.0 3 | dependencies: {} 4 | compiled: false 5 | -------------------------------------------------------------------------------- /extensions/codeql-javascript-extensions/models/README.md: 
-------------------------------------------------------------------------------- 1 | # JavaScript / TypeScript Models 2 | -------------------------------------------------------------------------------- /extensions/codeql-javascript-extensions/qlpack.yml: -------------------------------------------------------------------------------- 1 | --- 2 | library: true 3 | name: advanced-security/codeql-javascript-extensions 4 | version: 0.0.1 5 | extensionTargets: 6 | codeql/javascript-queries: 0.5.5 7 | dataExtensions: 8 | - models/*.yml 9 | -------------------------------------------------------------------------------- /go/CWE-089/SqlInjectionAudit.md: -------------------------------------------------------------------------------- 1 | # Audit - SQL Injection using format strings 2 | 3 | This audit query flags SQL queries that are built from dynamically constructed strings: `fmt` Sprint-family calls (`Fmt::Sprinter`) and `+` string concatenation, as defined by `DynamicStrings` in `go/github/Utils.qll`. Unlike the standard SQL-injection query, the source is the string-construction site rather than a remote or user-controlled value, so a result does not by itself prove attacker control; each finding must be triaged to establish whether any interpolated value can be influenced by an untrusted caller. Because of that low precision the query is tagged `audit` and is excluded from the default Go suite (`go/suites/codeql-go.qls`), so run it deliberately during code audits. The remediation is the same in every case: pass values to the database through query placeholders/parameters instead of building the SQL text from them. 4 | -------------------------------------------------------------------------------- /go/CWE-089/SqlInjectionAudit.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Audit - SQL Injection using format strings 3 | * @kind path-problem 4 | * @problem.severity warning 5 | * @security-severity 2.5 6 | * @sub-severity low 7 | * @precision very-low 8 | * @id go/audit/sql-injection 9 | * @tags security 10 | * external/cwe/cwe-089 11 | * audit 12 | */ 13 | import go 14 | import semmle.go.security.SqlInjection 15 | import DataFlow::PathGraph 16 | import github.Utils 17 | 18 | /** 19 | * A taint-tracking configuration for detecting SQL injection vulnerabilities. 
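20 | */ 21 | class SqlInjectionAudit extends TaintTracking::Configuration { 22 | SqlInjectionAudit() { this = "SqlInjectionAudit" } 23 | 24 | /** Sources are string-construction sites (`DynamicStrings` from github.Utils), not remote flow sources. */ override predicate isSource(DataFlow::Node source) { source instanceof DynamicStrings } 25 | 26 | /** Reuses the standard library's SQL sinks. */ override predicate isSink(DataFlow::Node sink) { sink instanceof SqlInjection::Sink } 27 | 28 | /** Reuses the standard library's SQL-injection sanitizers. */ override predicate isSanitizer(DataFlow::Node node) { node instanceof SqlInjection::Sanitizer } 29 | } 30 | 31 | from SqlInjectionAudit config, DataFlow::PathNode source, DataFlow::PathNode sink 32 | where config.hasFlowPath(source, sink) 33 | /* The source is the place where the query text is assembled, so the alert must not claim the value is user-provided: whether any interpolated input is attacker-controlled is exactly what a triager still has to establish for an audit result. */ select sink.getNode(), source, sink, "This SQL query depends on $@.", source.getNode(), 34 | "a dynamically constructed string" 35 | -------------------------------------------------------------------------------- /go/CWE-117/LogInjection.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Log entries created from user input 3 | * @description Building log entries from user-controlled sources is vulnerable to 4 | insertion of forged log entries by a malicious user. 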
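5 | * @kind path-problem 6 | * @problem.severity error 7 | * @security-severity 7.8 8 | * @precision high 9 | * @id go/log-injection 10 | * @tags security 11 | * external/cwe/cwe-117 12 | */ 13 | 14 | import go 15 | import semmle.go.security.LogInjection 16 | import DataFlow::PathGraph 17 | 18 | /** A call to `ReplaceAllString` or `ReplaceAllLiteralString` on a regexp whose pattern text contains `\r` or `\n`, treated as removing line breaks before logging. NOTE(review): the pattern only has to mention ONE of the two escapes, so a regexp that strips `\n` but leaves `\r` (or vice versa) still counts as a complete sanitizer, and the replacement string is not inspected -- confirm that is acceptable for the log sinks in scope, or require both escapes. */ class RegexpSanitizer extends LogInjection::Sanitizer { 19 | RegexpSanitizer() { 20 | exists(DataFlow::CallNode call | 21 | this = call and 22 | call.getTarget().getName() = ["ReplaceAllString", "ReplaceAllLiteralString"] and 23 | call.getReceiver() = 24 | any(RegexpPattern rp | rp.getPattern().matches("%" + ["\\r", "\\n"] + "%")).getAUse() 25 | ) 26 | } 27 | } 28 | 29 | from LogInjection::Configuration c, DataFlow::PathNode source, DataFlow::PathNode sink 30 | where c.hasFlowPath(source, sink) 31 | select sink, source, sink, "This log write receives unsanitized user input from $@.", 32 | source.getNode(), "here" 33 | -------------------------------------------------------------------------------- /go/README.md: -------------------------------------------------------------------------------- 1 | # Go 2 | 3 | ## Query Suites 4 | 5 | | Name | Queries Count | Description | Path | 6 | | :--- | :---- | :--- | :--- | 7 | | `default` | 29 | Default Query Suite | `codeql/queries:codeql-suites/go-code-scanning` | 8 | | `extended` | 31 | Security Extended Suite | `codeql/queries:codeql-suites/go-security-extended` | 9 | | `experimental` | 46 | Security Experimental Suite | `codeql/queries:codeql-suites/go-security-experimental` | 10 | | `quality` | 53 | Security and Quality Extended Suite | `codeql/queries:codeql-suites/go-security-and-quality` | 11 | | `super-extended` | 2 | Security Extended with Experimental and Custom Queries Suite | `advanced-security/codeql-queries/go/suites/codeql-go.qls@main` | 12 | 13 | 14 | 15 | 16 | ## Queries 17 | 18 | | Name | Severity | Path | 19 | | :--- | :------- | :--- | 20 | | `Command built from user-controlled sources` | Unknown / 9.8 | 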
`go/CWE-078/CommandInjection.ql` | 21 | | `Log entries created from user input` | Unknown / 7.8 | `go/CWE-117/LogInjection.ql` | 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /go/codeql-pack.lock.yml: -------------------------------------------------------------------------------- 1 | --- 2 | lockVersion: 1.0.0 3 | dependencies: 4 | codeql/go-all: 5 | version: 0.5.2 6 | codeql/tutorial: 7 | version: 0.0.10 8 | codeql/util: 9 | version: 0.0.10 10 | compiled: false 11 | -------------------------------------------------------------------------------- /go/github/Utils.qll: -------------------------------------------------------------------------------- 1 | import go 2 | import semmle.go.frameworks.stdlib.Fmt 3 | 4 | /** A node where a string is built dynamically: the result of a `fmt` Sprint-family call (`Fmt::Sprinter`), or the left operand of a `+` expression. The audit queries use these nodes as SOURCES; they are construction sites, not evidence that the data is attacker-controlled. */ class DynamicStrings extends DataFlow::Node { 5 | DynamicStrings() { 6 | /* fmt format string: any call to a function modelled as a Sprinter */ 7 | exists(Fmt::Sprinter formatter | 8 | this = formatter.getACall() 9 | ) 10 | or 11 | /* binary expression: only the LEFT operand of `+` is marked; presumably the library's taint step through concatenation carries it to the whole expression -- verify. NOTE(review): the operator check does not restrict the operands to string types, so numeric additions are marked as well; constraining the expression's type to string would cut noise. */ 12 | exists(BinaryExpr expr | 13 | this.asExpr() = expr.getLeftOperand() and 14 | expr.getOperator() = "+" 15 | ) 16 | } 17 | } -------------------------------------------------------------------------------- /go/qlpack.yml: -------------------------------------------------------------------------------- 1 | library: false 2 | name: advanced-security/codeql-go 3 | version: 0.2.0 4 | defaultSuiteFile: suites/codeql-go.qls 5 | dependencies: 6 | codeql/go-all: 0.6.2 # NOTE(review): codeql-pack.lock.yml still records codeql/go-all at 0.5.2 -- regenerate the lock so the resolved version matches this constraint 7 | -------------------------------------------------------------------------------- /go/queries.xml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /go/suites/codeql-go.qls: -------------------------------------------------------------------------------- 1 | # https://codeql.github.com/docs/codeql-cli/creating-codeql-query-suites/ 2 | 3 | - description: "GitHub's Field Team GoLang Extended Suite" 4 | 5 | # GitHub's Field Team 
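GoLang Suite 6 | - queries: '.' 7 | from: advanced-security/codeql-go 8 | 9 | - include: 10 | kind: 11 | - problem 12 | - path-problem 13 | precision: 14 | - very-high 15 | - high 16 | - medium 17 | - low 18 | 19 | # Remove debugging, and audit queries 20 | - exclude: 21 | tags contain: 22 | - debugging 23 | - audit 24 | # Remove local testing folders 25 | - exclude: 26 | query path: 27 | - /testing\/.*/ 28 | -------------------------------------------------------------------------------- /java/CWE-078/CommandInjectionRuntimeExec.java: -------------------------------------------------------------------------------- 1 | class Test { 2 | public static void main(String[] args) { 3 | String script = System.getenv("SCRIPTNAME"); 4 | if (script != null) { 5 | // BAD: The script to be executed by /bin/sh is controlled by the user. 6 | Runtime.getRuntime().exec(new String[]{"/bin/sh", script}); 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /java/CWE-078/CommandInjectionRuntimeExec.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Command Injection into Runtime.exec() with dangerous command 3 | * @description High sensitivity and precision version of java/command-line-injection, designed to find more cases of command injection in rare cases that the default query does not find 4 | * @kind path-problem 5 | * @problem.severity error 6 | * @security-severity 6.1 7 | * @precision high 8 | * @id java/command-line-injection-extra 9 | * @tags security 10 | * external/cwe/cwe-078 11 | */ 12 | 13 | 14 | import DataFlow::PathGraph 15 | import github.CommandInjectionRuntimeExec 16 | 17 | /** Registers remote flow sources as untrusted input by extending the `Source` class from github.CommandInjectionRuntimeExec (presumably abstract and consumed by the configurations' isSource -- confirm in the library). */ class RemoteSource extends Source { RemoteSource() { this instanceof RemoteFlowSource } } 18 | 19 | from DataFlow::PathNode source, DataFlow::PathNode sink, ExecTaintConfiguration2 conf, MethodAccess call, DataFlow::Node sourceCmd, DataFlow::Node sinkCmd, ExecTaintConfiguration confCmd 20 | where 
call.getMethod() instanceof RuntimeExecMethod 21 | /* this is a command-accepting call to exec, e.g. rt.exec(new String[]{"/bin/sh", ...}): a dangerous command (presumably what ExecTaintConfiguration tracks) reaches argument 0 */ 22 | and ( 23 | confCmd.hasFlow(sourceCmd, sinkCmd) 24 | and sinkCmd.asExpr() = call.getArgument(0) 25 | ) 26 | /* and the same argument is tainted by untrusted user input. Bind the path nodes with hasFlowPath rather than hasFlow(source.getNode(), sink.getNode()): the latter leaves `source`/`sink` free over every PathNode that wraps those nodes, which duplicates alerts and can pair a source PathNode with a sink PathNode that the PathGraph never connects. */ 27 | and ( 28 | conf.hasFlowPath(source, sink) 29 | and sink.getNode().asExpr() = call.getArgument(0) 30 | ) 31 | select sink, source, sink, "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'", 32 | sourceCmd, sourceCmd.toString(), 33 | source.getNode(), source.toString() 34 | -------------------------------------------------------------------------------- /java/CWE-078/CommandInjectionRuntimeExecTest.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Command Injection into Runtime.exec() with dangerous command 3 | * @description Testing query. High sensitivity and precision version of java/command-line-injection, designed to find more cases of command injection in rare cases that the default query does not find 4 | * @kind problem 5 | * @problem.severity error 6 | * @security-severity 6.1 7 | * @precision high 8 | * @id java/command-line-injection-extra-test 9 | * @tags testing 10 | * test 11 | * security 12 | * external/cwe/cwe-078 13 | */ 14 | 15 | 16 | import github.CommandInjectionRuntimeExec 17 | 18 | class DataSource extends Source { DataSource() { this instanceof RemoteFlowSource or this instanceof LocalUserInput } } 19 | 20 | from DataFlow::Node source, DataFlow::Node sink, ExecTaintConfiguration2 conf, MethodAccess call, int index, DataFlow::Node sourceCmd, DataFlow::Node sinkCmd, ExecTaintConfiguration confCmd 21 | where call.getMethod() instanceof RuntimeExecMethod 22 | // this is a command-accepting call to exec, e.g. exec("/bin/sh", ...) 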
23 | and ( 24 | confCmd.hasFlow(sourceCmd, sinkCmd) 25 | and sinkCmd.asExpr() = call.getArgument(0) 26 | ) 27 | // it is tainted by untrusted user input 28 | and ( 29 | conf.hasFlow(source, sink) 30 | and sink.asExpr() = call.getArgument(index) 31 | ) 32 | select sink, "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'", 33 | sourceCmd, sourceCmd.toString(), 34 | source, source.toString() 35 | -------------------------------------------------------------------------------- /java/CWE-079/JSPLocations.qll: -------------------------------------------------------------------------------- 1 | import semmle.code.SMAP 2 | 3 | class JSPExpr extends string { 4 | Expr javaExpr; 5 | 6 | JSPExpr() { 7 | exists(string jspPath, int jspStartLine, int jspStartChar, int jspEndLine | 8 | hasSmapLocationInfo(jspPath, jspStartLine, jspStartChar, jspEndLine, _, 9 | javaExpr.getLocation().getFile().getAbsolutePath(), javaExpr.getLocation().getStartLine(), 10 | javaExpr.getLocation().getEndLine()) and 11 | this = 12 | "file://" + jspPath + ":" + jspStartLine + ":" + jspStartChar + ":" + jspEndLine + ":" + 1 13 | ) 14 | } 15 | 16 | string getURL() { result = this } 17 | 18 | Expr getJavaExpr() { result = javaExpr } 19 | 20 | predicate isClosest(Expr expr) { this = getClosestJSPExpr(expr) } 21 | } 22 | 23 | private int nestingDepth(Expr parent, Expr child) { 24 | if child = parent then result = 0 else result = nestingDepth(parent, child.getParent()) + 1 25 | } 26 | 27 | private JSPExpr getClosestJSPExpr(Expr javaExpr) { 28 | exists( 29 | min(Expr parent | 30 | result.getJavaExpr() = parent and parent = javaExpr.getParent*() 31 | | 32 | nestingDepth(parent, javaExpr) 33 | ) 34 | ) 35 | } 36 | -------------------------------------------------------------------------------- /java/CWE-079/XSSJSP.md: -------------------------------------------------------------------------------- 1 | # Cross-Site Scripting (XSS) in JSP 2 | 3 | ## Summary 4 | 5 | JSP 
or Java Server Pages is a technology that allows embedding Java code in HTML pages. It is used to generate dynamic web pages; if user input is written into such a page without being encoded, malicious code can be injected into it. This code is then executed by the browser of the user of the web application. 6 | 7 | If the web application is vulnerable to XSS, the attacker can inject client-side scripts into the web pages and steal user cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. 8 | 9 | ## Example 10 | 11 | The following example shows how a JSP page can be vulnerable to XSS: 12 | 13 | ```jsp 14 | <% out.println(request.getParameter("name")); %> 15 | ``` 16 | 17 | ## How to Prevent 18 | 19 | The following example shows one way to prevent XSS in JSP, by HTML-encoding the untrusted value before it is written to the page: 20 | 21 | ```jsp 22 | <% out.println(Encode.forHtml(request.getParameter("name"))); %> 23 | ``` 24 | 25 | ## References 26 | 27 | * [CWE-79](https://cwe.mitre.org/data/definitions/79.html) 28 | * [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) 29 | -------------------------------------------------------------------------------- /java/CWE-079/XSSJSPLenient.md: -------------------------------------------------------------------------------- 1 | # Cross-Site Scripting (XSS) in JSP (Lenient) 2 | 3 | This query is similar to [CWE-079/XSSJSP](https://github.com/advanced-security/codeql-queries/blob/main/java/CWE-079/XSSJSP.ql) but its analysis is more lenient, which can produce more results (including false positives). 4 | 5 | ## Summary 6 | 7 | JSP or Java Server Pages is a technology that allows embedding Java code in HTML pages. It is used to generate dynamic web pages; if user input is written into such a page without being encoded, malicious code can be injected into it. This code is then executed by the browser of the user of the web application. 
8 | 9 | If the web application is vulnerable to XSS, the attacker can inject client-side scripts into the web pages and steal user cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. 10 | 11 | ## Example 12 | 13 | The following example shows how a JSP page can be vulnerable to XSS: 14 | 15 | ```jsp 16 | <% out.println(request.getParameter("name")); %> 17 | ``` 18 | 19 | ## How to Prevent 20 | 21 | The following example shows one way to prevent XSS in JSP, by HTML-encoding the untrusted value before it is written to the page: 22 | 23 | ```jsp 24 | <% out.println(Encode.forHtml(request.getParameter("name"))); %> 25 | ``` 26 | 27 | ## References 28 | 29 | * [CWE-79](https://cwe.mitre.org/data/definitions/79.html) 30 | * [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) 31 | -------------------------------------------------------------------------------- /java/CWE-798/HardcodedBase64Usage.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Base64 Hardcoded Password 3 | * @description Static hardcoded base64 password / key 4 | * @kind path-problem 5 | * @problem.severity error 6 | * @security-severity 8.0 7 | * @precision low 8 | * @sub-severity high 9 | * @id java/hardcoded-password 10 | * @tags security 11 | * external/cwe/cwe-798 12 | */ 13 | 14 | import java 15 | import semmle.code.java.dataflow.DataFlow 16 | import semmle.code.java.dataflow.FlowSources 17 | import semmle.code.java.dataflow.TaintTracking2 18 | import DataFlow::PathGraph 19 | // Internal 20 | import github.Encoding 21 | import github.Hardcoded 22 | 23 | class HardcodedPasswordBase64 extends TaintTracking::Configuration { 24 | HardcodedPasswordBase64() { this = "HardcodedPasswordBase64" } 25 | 26 | override predicate isSource(DataFlow::Node source) { source instanceof Hardcoded } 27 | 28 | override predicate isSink(DataFlow::Node 
sink) { sink instanceof Base64::Decoding } 29 | } 30 | 31 | // ========== Query ========== // NOTE(review): the alert text below reads like a data-logging query, but this configuration reports a hardcoded value (source) flowing into a Base64 decoding sink; the message and its "user-provided value" label look copied from another query and should describe the hardcoded Base64 secret instead. 32 | from DataFlow::PathNode source, DataFlow::PathNode sink, HardcodedPasswordBase64 config 33 | where config.hasFlowPath(source, sink) 34 | select sink.getNode(), source, sink, "Sensitive data is being logged $@.", source.getNode(), 35 | "user-provided value" 36 | -------------------------------------------------------------------------------- /java/codeql-pack.lock.yml: -------------------------------------------------------------------------------- 1 | --- 2 | lockVersion: 1.0.0 3 | dependencies: 4 | codeql/java-all: 5 | version: 0.6.2 6 | codeql/regex: 7 | version: 0.0.13 8 | codeql/tutorial: 9 | version: 0.0.10 10 | codeql/typetracking: 11 | version: 0.0.10 12 | codeql/util: 13 | version: 0.0.10 14 | compiled: false 15 | -------------------------------------------------------------------------------- /java/github/Hardcoded.qll: -------------------------------------------------------------------------------- 1 | 2 | private import semmle.code.java.dataflow.DataFlow 3 | private import semmle.code.java.security.HardcodedCredentials 4 | 5 | 6 | abstract class Hardcoded extends DataFlow::Node { } 7 | 8 | class HCExpr extends Hardcoded { 9 | HCExpr() { 10 | this.asExpr() instanceof HardcodedExpr and 11 | not this.asExpr().getEnclosingCallable() instanceof ToStringMethod 12 | } 13 | } 14 | 15 | -------------------------------------------------------------------------------- /java/github/LocalSources.qll: -------------------------------------------------------------------------------- 1 | import java 2 | import semmle.code.java.dataflow.FlowSources 3 | 4 | class FileReadAccess extends LocalUserInput { 5 | FileReadAccess() { 6 | exists(MethodAccess ma | 7 | // https://docs.oracle.com/javase/8/docs/api/java/lang/Class.html#getResourceAsStream-java.lang.String- 8 | ( 9 | ma.getMethod().hasQualifiedName("java.lang", "Class", "getResourceAsStream") or 10 | 
ma.getMethod().hasQualifiedName("java.lang", "ClassLoader", "getResourceAsStream") or 11 | // Finds any method that has the name "getResourceAsStream" 12 | ma.getMethod().hasQualifiedName(_, _, "getResourceAsStream") 13 | ) and 14 | this.asExpr() = ma.getArgument(0) 15 | ) 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /java/github/SensitiveInformation.qll: -------------------------------------------------------------------------------- 1 | import java 2 | import semmle.code.java.dataflow.DataFlow 3 | import semmle.code.java.dataflow.FlowSources 4 | import semmle.code.java.dataflow.TaintTracking2 5 | 6 | abstract class SensitiveInformationSources extends DataFlow::Node { } 7 | 8 | class HttpSession extends SensitiveInformationSources { 9 | HttpSession() { 10 | exists(MethodAccess ma | 11 | // https://docs.oracle.com/javaee/5/api/javax/servlet/http/HttpSession.html 12 | // Assumption: Nothing from the Session object should be logged 13 | ma.getMethod().getDeclaringType().hasQualifiedName("javax.servlet.http", "HttpSession") and 14 | this.asExpr() = ma 15 | ) 16 | } 17 | } 18 | 19 | class Properties extends SensitiveInformationSources { 20 | Properties() { 21 | exists(MethodAccess ma | 22 | ma.getMethod().hasName("getProperty") and 23 | this.asExpr() = ma 24 | ) 25 | } 26 | } 27 | 28 | class SensitiveVariables extends SensitiveInformationSources { 29 | SensitiveVariables() { 30 | exists(Variable v | 31 | ( 32 | // User data 33 | v.getName().toLowerCase().regexpMatch(".*(username|passport|fingerprint|dob|ssi).*") 34 | or 35 | // Creds / Secrets / Tokens 36 | v.getName().toLowerCase().regexpMatch(".*(password|pwd|hash|secret|token|session).*") 37 | or 38 | // Card Numbers 39 | v.getName().toLowerCase().regexpMatch(".*(cardnumber|cvv|sortcode|accountnumber).*") 40 | ) and 41 | this.asExpr() = v.getAnAccess() 42 | ) 43 | } 44 | } 45 | -------------------------------------------------------------------------------- 
/java/qlpack.yml: -------------------------------------------------------------------------------- 1 | library: false 2 | name: advanced-security/codeql-java 3 | version: 0.2.0 4 | defaultSuiteFile: suites/codeql-java.qls 5 | dependencies: 6 | codeql/java-all: 0.7.2 7 | advanced-security/codeql-java-extensions: 0.3.2 8 | -------------------------------------------------------------------------------- /java/queries.xml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /java/suites/codeql-external-api.qls: -------------------------------------------------------------------------------- 1 | 2 | - description: "GitHub's Field Team Java External API Suite" 3 | 4 | - import: codeql-suites/java-security-extended.qls 5 | from: codeql/java-queries 6 | 7 | - queries: '.' 8 | from: codeql/java-queries 9 | - include: 10 | id: 11 | - java/untrusted-data-to-external-api 12 | -------------------------------------------------------------------------------- /java/suites/codeql-java-audit.qls: -------------------------------------------------------------------------------- 1 | # This is the field security specialist audit pack 2 | 3 | - description: "Java Audit Pack" 4 | 5 | # Field query pack with some audit queries 6 | - queries: '.' 7 | from: advanced-security/codeql-java 8 | 9 | - include: 10 | kind: 11 | - problem 12 | - path-problem 13 | - metric 14 | - diagnostic 15 | tags contain: 16 | - audit 17 | 18 | # External API query 19 | - queries: '.' 
20 | from: codeql/java-queries 21 | - include: 22 | id: 23 | - java/untrusted-data-to-external-api -------------------------------------------------------------------------------- /java/suites/codeql-java-local.qls: -------------------------------------------------------------------------------- 1 | # See https://help.semmle.com/codeql/codeql-cli/procedures/query-suites.html#filtering-the-queries-in-a-query-suite 2 | # for additional ways to exclude queries 3 | 4 | - description: "GitHub's Field Team Java Local Variate Suite" 5 | 6 | - import: codeql-suites/java-security-extended.qls 7 | from: codeql/java-queries 8 | 9 | - queries: '.' 10 | from: advanced-security/codeql-java 11 | - include: 12 | id: 13 | - java/xxe-local 14 | 15 | - queries: '.' 16 | from: codeql/java-queries 17 | - include: 18 | id: 19 | - java/path-injection-local 20 | - java/command-line-injection-local 21 | - java/xss-local 22 | - java/sql-injection-local 23 | - java/http-response-splitting-local 24 | - java/improper-validation-of-array-construction-local 25 | - java/improper-validation-of-array-index-local 26 | - java/tainted-format-string-local 27 | - java/tainted-arithmetic-local 28 | - java/unvalidated-url-redirection-local 29 | - java/tainted-numeric-cast-local 30 | -------------------------------------------------------------------------------- /java/suites/codeql-java.qls: -------------------------------------------------------------------------------- 1 | # https://codeql.github.com/docs/codeql-cli/creating-codeql-query-suites/ 2 | 3 | - description: "GitHub's Field Team Java/Kotlin Extended Suite" 4 | 5 | # GitHub's Field Team Java/Kotlin Suite 6 | - queries: '.' 
7 | from: advanced-security/codeql-java 8 | 9 | - include: 10 | kind: 11 | - problem 12 | - path-problem 13 | precision: 14 | - very-high 15 | - high 16 | - medium 17 | - low 18 | 19 | # Remove debugging, and audit queries 20 | - exclude: 21 | tags contain: 22 | - debugging 23 | - audit 24 | # Remove local testing folders 25 | - exclude: 26 | query path: 27 | - /testing\/.*/ 28 | -------------------------------------------------------------------------------- /java/suites/java-security-experimental.qls: -------------------------------------------------------------------------------- 1 | # Use with caution ⚠️ experimental queries are not assured for performance or false positives 2 | 3 | # Use in a CodeQL workflow 4 | # e.g. use from where it is or copy to `./.github/codeql/java-experimental-security.qls` 5 | # then alter the workflow to look like: 6 | # 7 | # # Initializes the CodeQL tools for scanning. 8 | # - name: Initialize CodeQL 9 | # uses: github/codeql-action/init@v2 10 | # with: 11 | # languages: [java] 12 | # queries: security-extended,advanced-security/codeql-queries/java/suites/java-security-experimental.qls 13 | # # or 14 | # queries: security-extended,./.github/codeql/java-experimental-security.qls 15 | 16 | - description: "Java experimental security queries" 17 | - qlpack: codeql/java-queries 18 | 19 | - queries: '.' 
20 | from: codeql/java-queries 21 | 22 | - include: 23 | kind: 24 | - problem 25 | - path-problem 26 | - alert 27 | - path-alert 28 | tags contain: 29 | - security 30 | query path: 31 | - /experimental\/.*/ 32 | 33 | - include: 34 | kind: 35 | - diagnostic 36 | - include: 37 | kind: 38 | - metric 39 | tags contain: 40 | - summary 41 | 42 | - exclude: 43 | deprecated: // 44 | - exclude: 45 | query path: 46 | - Metrics/Summaries/FrameworkCoverage.ql 47 | - /Diagnostics/.*/ 48 | - exclude: 49 | tags contain: 50 | - model-generator 51 | -------------------------------------------------------------------------------- /javascript/CVE-2022-23631/SuperJson.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Use of unsafe superjson parse or deserialize functions 3 | * @description Specific versions of the superjson library are vulnerable to prototype pollution. Avoid calling 4 | * their parse() or deserialize() functions. 5 | * @kind problem 6 | * @problem.severity error 7 | * @security-severity 10.0 8 | * @precision high 9 | * @id js/cve-2022-23631 10 | * @tags security 11 | * external/cwe/cwe-094 12 | * external/cve/cve-2022-23631 13 | */ 14 | 15 | import javascript 16 | import semmle.javascript.dependencies.Dependencies 17 | import semmle.javascript.dependencies.SemVer 18 | 19 | class SuperJsonCalls extends DataFlow::CallNode { 20 | SuperJsonCalls() { 21 | // https://github.com/blitz-js/superjson/security/advisories/GHSA-5888-ffcr-r425 22 | // https://github.com/blitz-js/superjson/commit/0d68cd51a430999b848f6da7af528ee02560c883 23 | exists(NpmDependency dep | 24 | dep.getNpmPackageName() = "superjson" and 25 | dep.getVersion().(DependencySemVer).maybeBefore("1.8.1") and 26 | this = DataFlow::dependencyModuleImport(dep).getAMemberCall(["parse", "deserialize"]) 27 | ) 28 | } 29 | } 30 | 31 | from SuperJsonCalls calls 32 | select calls, "Potential prototype pollution via superjson parse or deserialize functions!" 
33 | -------------------------------------------------------------------------------- /javascript/CWE-078/CommandInjectionAudit.md: -------------------------------------------------------------------------------- 1 | # Audit: Usage of Command Injection sink 2 | 3 | This query detects the use of command injection sinks. Command injection sinks are functions that execute commands; if a command is constructed using user input, this may allow an attacker to execute arbitrary commands. 4 | -------------------------------------------------------------------------------- /javascript/CWE-078/CommandInjectionAudit.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Audit: Usage of Command Injection sink 3 | * @description A Command Injection sink is being used in your application; this can lead to remote code execution if user-controlled input reaches the sink 4 | * @kind problem 5 | * @problem.severity error 6 | * @security-severity 3.0 7 | * @id js/audit/command-injection 8 | * @tags security 9 | * external/cwe/cwe-078 10 | * audit 11 | */ 12 | 13 | import javascript 14 | private import semmle.javascript.security.dataflow.CommandInjectionCustomizations 15 | 16 | from DataFlow::Node sink 17 | where sink instanceof CommandInjection::Sink 18 | select sink, "Command Injection sink" 19 | -------------------------------------------------------------------------------- /javascript/CWE-079/XSSAudit.md: -------------------------------------------------------------------------------- 1 | # Audit: Possible Reflected Cross-Site Scripting 2 | 3 | This query detects the use of reflected cross-site scripting sinks. Reflected cross-site scripting sinks are functions that output data into the page; they are dangerous when that data is user input that has not been sanitized or encoded. 
4 | -------------------------------------------------------------------------------- /javascript/CWE-079/XSSAudit.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Audit: Possible Reflected Cross-Site Scripting 3 | * @description Insecure dangerouslySetInnerHTML() function can lead to reflected XSS. 4 | * @kind problem 5 | * @problem.severity error 6 | * @security-severity 3.0 7 | * @id js/audit/reflected-xss 8 | * @tags security 9 | * external/cwe/cwe-079 10 | * external/cwe/cwe-116 11 | * audit 12 | */ 13 | 14 | import javascript 15 | private import semmle.javascript.security.dataflow.DomBasedXssCustomizations 16 | 17 | from DataFlow::Node sink 18 | where sink instanceof DomBasedXss::DangerouslySetInnerHtmlSink 19 | select sink, "React's dangerouslySetInnerHTML is being used." 20 | -------------------------------------------------------------------------------- /javascript/CWE-094/CodeInjectionAudit.md: -------------------------------------------------------------------------------- 1 | # Audit: Usage of Code Injection sink 2 | 3 | This query detects the usage of code injection sinks. Code injection sinks are functions that execute arbitrary JavaScript and if the commands are constructed using user input, it may allow an attacker to execute arbitrary JavaScript in the browser (XSS) or server-side code (Remote Code Execution). 
4 | -------------------------------------------------------------------------------- /javascript/CWE-094/CodeInjectionAudit.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Audit: Usage of Code Injection sink 3 | * @description Usage of Code Injection sink 4 | * @kind problem 5 | * @problem.severity warning 6 | * @security-severity 3.0 7 | * @id js/audit/code-injection 8 | * @tags security 9 | * external/cwe/cwe-094 10 | * external/cwe/cwe-095 11 | * external/cwe/cwe-079 12 | * external/cwe/cwe-116 13 | * audit 14 | */ 15 | 16 | import javascript 17 | import semmle.javascript.security.dataflow.CodeInjectionCustomizations 18 | 19 | from CodeInjection::Sink sinks 20 | select sinks, "Code Injection sink" 21 | -------------------------------------------------------------------------------- /javascript/CWE-328/WeakHashingAlgorithm.md: -------------------------------------------------------------------------------- 1 | # Using weak hashing algorithm 2 | 3 | This query detects the use of a weak hashing algorithm in your code. 4 | 5 | ## Recommendation 6 | 7 | Use stronger algorithm when hashing data. 
8 | 9 | ```ts 10 | import crypto from 'crypto'; 11 | 12 | // SHA256 13 | const sha256 = crypto.createHash('sha256') 14 | .update(data); 15 | // SHA512 16 | const sha512 = crypto.createHash('sha512') 17 | .update(data); 18 | ``` 19 | -------------------------------------------------------------------------------- /javascript/CWE-328/WeakHashingAlgorithm.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Using weak hashing algorithm 3 | * @description Using weak hashing algorithm 4 | * @kind problem 5 | * @problem.severity error 6 | * @security-severity 4.0 7 | * @id js/weak-hashing 8 | * @tags security 9 | * external/cwe/cwe-328 10 | */ 11 | import javascript 12 | 13 | from CryptographicOperation crypto, HashingAlgorithm hashing 14 | where crypto.getAlgorithm().isWeak() and crypto.getAlgorithm().getName() = hashing.getName() 15 | select crypto, "weak hashing algorithms" 16 | -------------------------------------------------------------------------------- /javascript/CWE-329/InsecureIV.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Insecure or static IV used in cryptographic function with Node crypto module 3 | * @description Initialization Vectors (IV) must be generated securely and not reused, for most cryptographic algorithms (Node Crypto) 4 | * @kind path-problem 5 | * @problem.severity error 6 | * @security-severity 4.3 7 | * @precision high 8 | * @id js/crypt/insecure-iv 9 | * @tags crypt 10 | * security 11 | * experimental 12 | * external/cwe/cwe-329 13 | * external/cwe/cwe-1204 14 | */ 15 | 16 | import javascript 17 | import semmle.javascript.dataflow.TaintTracking 18 | import DataFlow::PathGraph 19 | import github.InsecureIV 20 | 21 | from InsecureIVConfiguration insecurecfg, DataFlow::PathNode source, DataFlow::PathNode sink 22 | where insecurecfg.hasFlowPath(source, sink) 23 | and not exists(DataFlow::Node randomSource, 
RandomTaintsSourceConfiguration randomConfig | randomSource instanceof SecureRandomSource | randomConfig.hasFlow(randomSource, source.getNode())) 24 | and not knownCryptTest(sink.getNode()) 25 | select sink, source, sink, "Insecure Initialization Vector (IV) used for cryptographic function. With a few exceptions, it is best to use a secure random source for IVs." 26 | -------------------------------------------------------------------------------- /javascript/CWE-329/examples/secure_iv.js: -------------------------------------------------------------------------------- 1 | const crypto = require("crypto"); 2 | 3 | const algorithm = "aes-128-cbc"; 4 | const keysize = 16; 5 | const hashrounds = 5000; 6 | const hash = "blake2b512"; 7 | const salt = "vhufka9bgfidhmxobpoqmckc"; 8 | 9 | const password = process.argv[2]; 10 | 11 | const randomIV = crypto.randomBytes(keysize); // GOOD: IV is random 12 | 13 | crypto.pbkdf2(password, salt, hashrounds, 100, keysize, hash, (err, key) => { 14 | const iv = crypto.createCipheriv(algorithm, key, randomIV); 15 | }); 16 | -------------------------------------------------------------------------------- /javascript/CWE-329/examples/static_iv.js: -------------------------------------------------------------------------------- 1 | const crypto = require("crypto"); 2 | 3 | const algorithm = "aes-128-cbc"; 4 | const keysize = 16; 5 | const hashrounds = 5000; 6 | const hash = "blake2b512"; 7 | const salt = "vhufka9bgfidhmxobpoqmckc"; 8 | 9 | const password = process.argv[2]; 10 | 11 | const fixedIV = "0123456789abcdef"; // BAD: IV is static 12 | 13 | crypto.pbkdf2(password, salt, hashrounds, 100, keysize, hash, (err, key) => { 14 | const iv = crypto.createCipheriv(algorithm, key, fixedIV); 15 | }); 16 | -------------------------------------------------------------------------------- /javascript/CWE-502/UnsafeDeserializationAudit.md: -------------------------------------------------------------------------------- 1 | # Audit: Usage of 
Unsafe Deserialize sink 2 | 3 | This query detects the use of unsafe deserialize sinks. Unsafe deserialize sinks are functions that deserialize data; if the data is constructed using user input, this may allow an attacker to execute arbitrary code. 4 | -------------------------------------------------------------------------------- /javascript/CWE-502/UnsafeDeserializationAudit.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Audit: Usage of Unsafe Deserialize sink 3 | * @description An Unsafe Deserialization sink is being used in your application; this can lead to remote code execution if user-controlled input reaches the sink 4 | * @kind problem 5 | * @problem.severity error 6 | * @security-severity 3.0 7 | * @id js/audit/unsafe-deserialization 8 | * @tags security 9 | * external/cwe/cwe-502 10 | * audit 11 | */ 12 | 13 | import javascript 14 | private import semmle.javascript.security.dataflow.UnsafeDeserializationCustomizations 15 | 16 | from DataFlow::Node sink 17 | where sink instanceof UnsafeDeserialization::Sink 18 | select sink, "Unsafe Deserialization sink" 19 | -------------------------------------------------------------------------------- /javascript/CWE-611/XXEAudit.md: -------------------------------------------------------------------------------- 1 | # Audit: XML External Entity sink used 2 | 3 | This query detects the use of XML External Entity sinks. XML External Entity sinks are functions that parse XML documents; if the XML documents are constructed using user input, this may allow an attacker to perform XML External Entity attacks. 
4 | -------------------------------------------------------------------------------- /javascript/CWE-611/XXEAudit.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Audit: XML External Entity sink used 3 | * @description An XML External Entity (XXE) sink is being used in your application 4 | * @kind problem 5 | * @problem.severity error 6 | * @security-severity 3.0 7 | * @id js/audit/xxe 8 | * @tags security 9 | * external/cwe/cwe-611 10 | * audit 11 | */ 12 | 13 | import javascript 14 | private import semmle.javascript.security.dataflow.XxeCustomizations 15 | 16 | from DataFlow::Node sink 17 | where sink instanceof Xxe::Sink 18 | select sink, "XML External Entity sink" 19 | -------------------------------------------------------------------------------- /javascript/CWE-676/UseOfEval.md: -------------------------------------------------------------------------------- 1 | # Audit: Using JS Eval 2 | 3 | This query detects the use of `eval` and `Function` in JavaScript code. `eval` and `Function` are functions that execute code; if the code is constructed using user input, this may allow an attacker to execute arbitrary code. 
4 | -------------------------------------------------------------------------------- /javascript/CWE-676/UseOfEval.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Audit: Using JS Eval 3 | * @description Usage of eval in JavaScript / TypeScript can be dangerous 4 | * @kind problem 5 | * @problem.severity recommendation 6 | * @security-severity 2.0 7 | * @id js/audit/using-eval 8 | * @tags maintainability 9 | * external/cwe/cwe-676 10 | * audit 11 | */ 12 | 13 | import javascript 14 | import semmle.javascript.security.dataflow.CodeInjectionCustomizations 15 | 16 | from CodeInjection::EvalJavaScriptSink eval 17 | select eval, "Using eval" 18 | -------------------------------------------------------------------------------- /javascript/CWE-829/examples/.github/workflows/pinned-action.yml: -------------------------------------------------------------------------------- 1 | name: "Pinned Action Example" 2 | 3 | jobs: 4 | build: 5 | steps: 6 | - name: Checkout repository 7 | uses: actions-mirror-third-party/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c 8 | 9 | - run: | 10 | ./build.sh 11 | -------------------------------------------------------------------------------- /javascript/CWE-829/examples/.github/workflows/trusted-action.yml: -------------------------------------------------------------------------------- 1 | name: "Trusted Action Example" 2 | 3 | jobs: 4 | build: 5 | steps: 6 | - name: Checkout repository 7 | uses: actions/checkout@v3 8 | 9 | - run: | 10 | ./build.sh 11 | -------------------------------------------------------------------------------- /javascript/CWE-829/examples/.github/workflows/unpinned-action.yml: -------------------------------------------------------------------------------- 1 | name: "Unpinned Action Example" 2 | 3 | jobs: 4 | build: 5 | steps: 6 | - name: Checkout repository 7 | uses: actions-third-party-mirror/checkout@v3 8 | 9 | - run: | 10 | ./build.sh 11 | 
-------------------------------------------------------------------------------- /javascript/CWE-829/examples/.github/workflows/unpinned-unnamed-action.yml: -------------------------------------------------------------------------------- 1 | jobs: 2 | build: 3 | steps: 4 | - name: Checkout repository 5 | uses: actions-third-party-mirror/checkout@v3 6 | 7 | - run: | 8 | ./build.sh 9 | -------------------------------------------------------------------------------- /javascript/README.md: -------------------------------------------------------------------------------- 1 | # JavaScript 2 | 3 | ## Query Suites 4 | 5 | | Name | Queries Count | Description | Path | 6 | | :--- | :---- | :--- | :--- | 7 | | `default` | 88 | Default Query Suite | `codeql/javascript/ql/src/codeql-suites/code-scanning` | 8 | | `extended` | 105 | Security Extended Suite | `codeql/javascript/ql/src/codeql-suites/security-extended` | 9 | | `quality` | 203 | Security and Quality Extended Suite | `codeql/javascript/ql/src/codeql-suites/security-and-quality` | 10 | | `super-extended` | 4 | Security Extended with Experimental and Custom Queries Suite | `advanced-security/codeql-queries/javascript/suites/codeql-javascript.qls@main` | 11 | | `audit` | 1 | Security Audit Query Suite | `advanced-security/codeql-queries/javascript/suites/codeql-javascript-audit.qls@main` | 12 | 13 | 14 | 15 | 16 | ## Queries 17 | 18 | | Name | Severity | Path | 19 | | :--- | :------- | :--- | 20 | | `Insecure or static IV used in cryptographic function with Node crypto module` | Unknown / 4.3 | `javascript/CWE-329/InsecureIV.ql` | 21 | | `Use of unsafe superjson parse or deserialize functions` | Unknown / 10.0 | `javascript/CVE-2022-23631/SuperJson.ql` | 22 | | `Unpinned tag for 3rd party Action in workflow` | Unknown / 9.3 | `javascript/CWE-829/UnpinnedActionsTag.ql` | 23 | | `Reflected cross-site scripting` | Unknown / 6.1 | `javascript/CWE-079/XSSReact.ql` | 24 | 25 | 26 | 27 | 
-------------------------------------------------------------------------------- /javascript/codeql-pack.lock.yml: -------------------------------------------------------------------------------- 1 | --- 2 | lockVersion: 1.0.0 3 | dependencies: 4 | codeql/javascript-all: 5 | version: 0.6.2 6 | codeql/regex: 7 | version: 0.0.13 8 | codeql/tutorial: 9 | version: 0.0.10 10 | codeql/util: 11 | version: 0.0.10 12 | codeql/yaml: 13 | version: 0.0.2 14 | compiled: false 15 | -------------------------------------------------------------------------------- /javascript/github/CommandLine.qll: -------------------------------------------------------------------------------- 1 | import semmle.javascript.dataflow.DataFlow 2 | 3 | class CommandLineArgument extends DataFlow::Node { 4 | CommandLineArgument() { 5 | this = DataFlow::globalVarRef("process").getAPropertyRead("argv").getAPropertyReference() 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /javascript/qlpack.yml: -------------------------------------------------------------------------------- 1 | library: false 2 | name: advanced-security/codeql-javascript 3 | version: 0.4.0 4 | defaultSuiteFile: suites/codeql-javascript.qls 5 | dependencies: 6 | codeql/javascript-all: 0.7.2 7 | -------------------------------------------------------------------------------- /javascript/queries.xml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /javascript/suites/codeql-debugging.qls: -------------------------------------------------------------------------------- 1 | - description: "GitHub's Field Team JavaScript Debugging Suite" 2 | 3 | - import: codeql-suites/javascript-security-extended.qls 4 | from: codeql/javascript-queries 5 | 6 | - queries: '.' 
7 | from: codeql/javascript-queries 8 | - include: 9 | id: 10 | # https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql 11 | - js/untrusted-data-to-external-api 12 | -------------------------------------------------------------------------------- /javascript/suites/codeql-javascript-audit.qls: -------------------------------------------------------------------------------- 1 | # This is the field security specialist audit pack 2 | 3 | - description: "JavaScript/TypeScript Audit Pack" 4 | 5 | # Field query pack with some audit queries 6 | - qlpack: advanced-security/codeql-javascript 7 | 8 | - include: 9 | kind: 10 | - problem 11 | - path-problem 12 | - metric 13 | - diagnostic 14 | tags contain: 15 | - audit 16 | 17 | # External API queries 18 | - queries: '.' 19 | from: codeql/javascript-queries 20 | - include: 21 | id: 22 | - js/untrusted-data-to-external-api 23 | -------------------------------------------------------------------------------- /javascript/suites/codeql-javascript.qls: -------------------------------------------------------------------------------- 1 | # https://codeql.github.com/docs/codeql-cli/creating-codeql-query-suites/ 2 | 3 | - description: "GitHub's Field Team JavaScript/TypeScript extended Suite" 4 | 5 | # GitHub's Field Team JavaScript/TypeScript Suite 6 | - queries: '.' 
7 | from: advanced-security/codeql-javascript 8 | 9 | - include: 10 | kind: 11 | - problem 12 | - path-problem 13 | - metric 14 | - diagnostic 15 | precision: 16 | - very-high 17 | - high 18 | - medium 19 | - low 20 | 21 | # Remove debugging, and audit queries 22 | - exclude: 23 | tags contain: 24 | - debugging 25 | - audit 26 | # Remove local testing folders 27 | - exclude: 28 | query path: 29 | - /testing\/.*/ 30 | -------------------------------------------------------------------------------- /python/CWE-078/CommandInjectionAudit.md: -------------------------------------------------------------------------------- 1 | # Audit: Usage of Command Injection sink 2 | 3 | This query detects the use of command injection sinks. Command injection sinks are functions that execute a command in a shell and if the command is constructed using user input, it may allow an attacker to execute arbitrary commands. 4 | -------------------------------------------------------------------------------- /python/CWE-078/CommandInjectionAudit.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Audit: Usage of Command Injection sink 3 | * @description Using externally controlled strings in a command line may allow a malicious 4 | * user to change the meaning of the command. 
5 | * @kind problem 6 | * @problem.severity warning 7 | * @security-severity 2.5 8 | * @sub-severity low 9 | * @precision very-low 10 | * @id py/audit/command-line-injection 11 | * @tags security 12 | * external/cwe/cwe-078 13 | * external/cwe/cwe-088 14 | * audit 15 | */ 16 | 17 | import python 18 | import semmle.python.Concepts 19 | import semmle.python.ApiGraphs 20 | import semmle.python.dataflow.new.BarrierGuards 21 | private import semmle.python.security.dataflow.CommandInjectionCustomizations 22 | 23 | from DataFlow::Node sink 24 | where sink instanceof CommandInjection::Sink 25 | select sink, "Usage of command line" 26 | -------------------------------------------------------------------------------- /python/CWE-078/examples/source-argvs.py: -------------------------------------------------------------------------------- 1 | 2 | import sys 3 | import subprocess 4 | import argparse 5 | 6 | myvar = sys.argv[1] 7 | 8 | subprocess.run('echo "' + myvar + '"', shell=True) 9 | 10 | parser = argparse.ArgumentParser(__name__) 11 | parser.add_argument('-t', default='test2') 12 | arguments = parser.parse_args() 13 | 14 | subprocess.run('echo "' + arguments.t + '"', shell=True) 15 | -------------------------------------------------------------------------------- /python/CWE-078/examples/source-file.py: -------------------------------------------------------------------------------- 1 | 2 | import fileinput 3 | import subprocess 4 | 5 | fhandle = open('test.txt') 6 | 7 | subprocess.call('echo "' + fhandle.read() + '"') 8 | 9 | fhandle.close() 10 | -------------------------------------------------------------------------------- /python/CWE-078/examples/sources-envs.py: -------------------------------------------------------------------------------- 1 | 2 | import os 3 | import subprocess 4 | 5 | myvar = os.getenv("TEST") 6 | myvar2 = os.environ.get() 7 | 8 | subprocess.run('echo "' + myvar + '"') 9 | subprocess.run('echo "' + myvar2 + '"') 10 | 
-------------------------------------------------------------------------------- /python/CWE-078/examples/sources-input.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import subprocess 3 | 4 | # TODO: fileinput.input() 5 | 6 | myvar = input("What is your name?") 7 | 8 | subprocess.run('echo "' + myvar + '"') 9 | 10 | 11 | def getUserInput(): 12 | return input('What is your IP?') 13 | 14 | 15 | def runCommand(ip): 16 | return subprocess.call('nc ' + ip + ' 80') 17 | 18 | 19 | ip = getUserInput() 20 | runCommand(ip) 21 | -------------------------------------------------------------------------------- /python/CWE-079/XssFlaskAudit.md: -------------------------------------------------------------------------------- 1 | # Audit: Cross-Site Scripting (XSS) sink in Flask using Jinja2 templates 2 | 3 | This query detects the use of XSS sinks in Flask using Jinja2 templates. XSS sinks are functions that render user input as HTML; if the input is not properly sanitized, an attacker may be able to execute arbitrary JavaScript code. 4 | 5 | ## Disclaimer 6 | 7 | CodeQL does not support Jinja2 templates out of the box, so it does not follow the data to the Jinja2 sink. This query is therefore not guaranteed to find all XSS sinks in Flask applications. 8 | -------------------------------------------------------------------------------- /python/CWE-089/SqlInjectionAudit.md: -------------------------------------------------------------------------------- 1 | # Audit - SQL Injection using format strings 2 | 3 | SQL queries generated dynamically with format strings are vulnerable to SQL injection. 
The following examples show SQL queries built dynamically with format strings: 4 | 5 | ## Example 6 | 7 | ```python 8 | # Format string 9 | query = f"SELECT * FROM users WHERE username = '{username}'" 10 | cursor.execute(query) 11 | 12 | # str.format() 13 | query = "SELECT * FROM users WHERE username = '{}'".format(username) 14 | cursor.execute(query) 15 | 16 | # "%s" % string 17 | query = "SELECT * FROM users WHERE username = %s" % username 18 | cursor.execute(query) 19 | ``` 20 | -------------------------------------------------------------------------------- /python/CWE-089/SqlInjectionAudit.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name SQL query built from user-controlled sources 3 | * @kind path-problem 4 | * @problem.severity warning 5 | * @security-severity 2.5 6 | * @sub-severity low 7 | * @precision very-low 8 | * @id py/audit/sql-injection 9 | * @tags security 10 | * external/cwe/cwe-089 11 | * audit 12 | */ 13 | 14 | import python 15 | import semmle.python.dataflow.new.DataFlow 16 | import semmle.python.dataflow.new.TaintTracking 17 | import semmle.python.Concepts 18 | import semmle.python.dataflow.new.BarrierGuards 19 | import semmle.python.ApiGraphs 20 | import DataFlow::PathGraph 21 | private import semmle.python.security.dataflow.SqlInjectionCustomizations 22 | // 23 | import github.Utils 24 | 25 | /** 26 | * A taint-tracking configuration for detecting SQL injection vulnerabilities. 
27 | */ 28 | class SqlInjectionHeuristic extends TaintTracking::Configuration { 29 | SqlInjectionHeuristic() { this = "SqlInjectionHeuristic" } 30 | 31 | override predicate isSource(DataFlow::Node source) { source instanceof DynamicStrings } 32 | 33 | override predicate isSink(DataFlow::Node sink) { sink instanceof SqlInjection::Sink } 34 | 35 | override predicate isSanitizer(DataFlow::Node node) { node instanceof SqlInjection::Sanitizer } 36 | } 37 | 38 | from SqlInjectionHeuristic config, DataFlow::PathNode source, DataFlow::PathNode sink 39 | where config.hasFlowPath(source, sink) 40 | select sink.getNode(), source, sink, "This SQL query depends on $@.", source.getNode(), 41 | "a user-provided value" 42 | -------------------------------------------------------------------------------- /python/CWE-094/CodeInjectionAudit.md: -------------------------------------------------------------------------------- 1 | # Audit: Usage of Code Injection sink 2 | 3 | This query detects the use of code injection sinks. Code injection sinks are functions that execute code and if the code is constructed using user input, it may allow an attacker to execute arbitrary code. 4 | -------------------------------------------------------------------------------- /python/CWE-094/CodeInjectionAudit.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Audit: Usage of Code Injection sink 3 | * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary 4 | * code execution. 
5 | * @kind problem 6 | * @problem.severity warning 7 | * @security-severity 2.5 8 | * @sub-severity low 9 | * @precision very-low 10 | * @id py/audit/code-injection 11 | * @tags security 12 | * external/cwe/cwe-094 13 | * external/cwe/cwe-095 14 | * external/cwe/cwe-116 15 | * audit 16 | */ 17 | 18 | import python 19 | import semmle.python.Concepts 20 | import semmle.python.ApiGraphs 21 | private import semmle.python.security.dataflow.CodeInjectionCustomizations 22 | 23 | from DataFlow::Node sink 24 | where sink instanceof CodeInjection::Sink 25 | select sink, "Usage of Code Execution function" 26 | -------------------------------------------------------------------------------- /python/CWE-133/format_string.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Python user-controlled format string 3 | * @description User-controlled format string can result in Denial-of-Service or information leaks 4 | * @kind path-problem 5 | * @problem.severity error 6 | * @id python/format-string 7 | * @precision low 8 | * @tags format-string 9 | * python 10 | * security 11 | * external/cwe/cwe-134 12 | * external/cwe/cwe-133 13 | */ 14 | 15 | private import python 16 | private import semmle.python.dataflow.new.DataFlow 17 | private import DataFlow::PathGraph 18 | 19 | private import format_string 20 | 21 | from DataFlow::PathNode userdata, DataFlow::PathNode format_string, FormatStringTaintConfiguration format_string_config 22 | where format_string_config.hasFlowPath(userdata, format_string) 23 | select format_string.getNode(), userdata, format_string, "$@ used as format string: $@.", userdata.getNode(), "Untrusted data", format_string, format_string.getNode().asExpr().toString() 24 | -------------------------------------------------------------------------------- /python/CWE-133/format_string.qll: -------------------------------------------------------------------------------- 1 | private import python 2 | 3 | private import 
semmle.python.dataflow.new.DataFlow 4 | private import semmle.python.dataflow.new.TaintTracking 5 | private import semmle.python.dataflow.new.RemoteFlowSources 6 | 7 | private import github.LocalSources 8 | 9 | class FormatStringTaintConfiguration extends TaintTracking::Configuration { 10 | FormatStringTaintConfiguration() { this = "FormatStringTaintConfiguration" } 11 | 12 | override predicate isSource(DataFlow::Node source) { 13 | source instanceof RemoteFlowSource 14 | or 15 | source instanceof LocalSources::Range 16 | } 17 | 18 | override predicate isSink(DataFlow::Node sink) { 19 | sink instanceof FormatString 20 | and not sink.asExpr() instanceof StrConst 21 | } 22 | } 23 | 24 | class FormatString extends DataFlow::Node { 25 | FormatString() { 26 | exists(CallNode call | 27 | call.getFunction().(AttrNode).getName() = "format" 28 | and call.getFunction().(AttrNode).getObject() = this.asCfgNode() 29 | ) 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /python/CWE-1393/DefaultPasswordDB.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Python default password 3 | * @description Default password set in security sensitive database column 4 | * @kind problem 5 | * @problem.severity error 6 | * @id python/default-password-db 7 | * @precision high 8 | * @tags default-password 9 | * python 10 | * external/cwe/cwe-1393 11 | * external/cwe/cwe-1392 12 | * external/cwe/cwe-287 13 | * external/cwe/cwe-284 14 | */ 15 | 16 | private import python 17 | 18 | import github.DefaultPasswordDB 19 | 20 | from DBColumn column, string varname, string dbname 21 | where column.hasStaticDefault() 22 | and ( 23 | column.assignedToVariable() = varname 24 | or 25 | column.getColumnName() = varname 26 | ) 27 | and column.getDbId() = dbname 28 | and varname in ["password", "secret", "key", "token", "pwd"] 29 | select column, "Default value in security-sensitive database '" + dbname + "' 
$@ assigned to variable '" + varname + "'", 30 | column, "column" 31 | -------------------------------------------------------------------------------- /python/CWE-327/WeakHMacAlgorithms.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Use of Cryptographically Weak HMAC Algorithm 3 | * @description Use of Cryptographically Weak HMAC Algorithm 4 | * @kind problem 5 | * @id py/weak-cryptographic-hmac-algorithm 6 | * @problem.severity warning 7 | * @security-severity 5.0 8 | * @sub-severity medium 9 | * @precision medium 10 | * @tags security 11 | * external/cwe/cwe-327 12 | * external/cwe/cwe-330 13 | */ 14 | 15 | import python 16 | import semmle.python.Concepts 17 | import semmle.python.ApiGraphs 18 | import semmle.python.concepts.internal.CryptoAlgorithmNames 19 | 20 | from DataFlow::Node digest, DataFlow::CallCfgNode calls 21 | where 22 | // https://docs.python.org/3/library/hmac.html#hmac.new 23 | // https://docs.python.org/3/library/hmac.html#hmac.digest 24 | // hmac.new(app.secret_key.encode(), data.encode(), digestmod=hashlib.md5).hexdigest() 25 | calls = API::moduleImport("hmac").getMember(["new", "digest"]).getACall() and 26 | ( 27 | // new(2) and digest(2) 28 | digest = calls.getArgByName("digestmod") or 29 | digest = calls.getArgByName("digest") or 30 | digest = calls.getArg(2) 31 | ) and 32 | digest.asExpr() = 33 | API::moduleImport("hashlib").getMember(["md5", "sha1"]).getAValueReachableFromSource().asExpr() 34 | select calls.asExpr(), "Weak HMAC Algorithm" 35 | -------------------------------------------------------------------------------- /python/CWE-327/WeakHashingAlgorithms.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Use of a broken or weak cryptographic algorithm 3 | * @description Using broken or weak cryptographic algorithms can compromise security. 
4 | * @kind problem 5 | * @problem.severity warning 6 | * @security-severity 5.0 7 | * @sub-severity medium 8 | * @precision high 9 | * @id py/weak-cryptographic-algorithm 10 | * @tags security 11 | * experimental 12 | * external/cwe/cwe-327 13 | */ 14 | 15 | import python 16 | import semmle.python.Concepts 17 | 18 | from Cryptography::CryptographicOperation operation, Cryptography::HashingAlgorithm algorithm 19 | where 20 | algorithm = operation.getAlgorithm() and 21 | algorithm.isWeak() 22 | select operation, 23 | "Using '" + algorithm.getName() + "' hashing algorithm can be dangerous and should not be used" 24 | -------------------------------------------------------------------------------- /python/CWE-338/WeakPRNG.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Use of Cryptographically Weak Pseudo-Random Number Generator 3 | * @description Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG). 4 | * @kind problem 5 | * @id py/weak-cryptographic-prng 6 | * @problem.severity warning 7 | * @security-severity 6.0 8 | * @sub-severity medium 9 | * @precision low 10 | * @tags security 11 | * external/cwe/cwe-338 12 | */ 13 | 14 | import python 15 | import semmle.python.ApiGraphs 16 | 17 | abstract class RandomNumberGeneratorSinks extends DataFlow::Node { } 18 | 19 | class OSRandom extends RandomNumberGeneratorSinks { 20 | OSRandom() { 21 | exists(DataFlow::Node call | 22 | // https://docs.python.org/3/library/os.html#os.getrandom 23 | call = API::moduleImport("os").getMember("getrandom").getACall() and 24 | this = call 25 | ) 26 | } 27 | } 28 | 29 | class PyRandom extends RandomNumberGeneratorSinks { 30 | PyRandom() { 31 | exists(DataFlow::Node call | 32 | ( 33 | // https://docs.python.org/3/library/random.html#random.random 34 | call = API::moduleImport("random").getMember("random").getACall() 35 | or 36 | // https://docs.python.org/3/library/random.html#random.randbytes 37 | call = 
API::moduleImport("random").getMember("randbytes").getACall() 38 | ) and 39 | this = call 40 | ) 41 | } 42 | } 43 | 44 | from RandomNumberGeneratorSinks rngs 45 | select rngs.asExpr(), "Using weak PRNG" 46 | -------------------------------------------------------------------------------- /python/CWE-502/UnsafeDeserializationAudit.md: -------------------------------------------------------------------------------- 1 | # Audit: Usage of Deserializing function 2 | 3 | This query detects the use of deserializing functions. Deserializing functions are functions that deserialize data and if the data is constructed using user input, it may allow an attacker to execute arbitrary code. 4 | -------------------------------------------------------------------------------- /python/CWE-502/UnsafeDeserializationAudit.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Audit: Usage of Deserializing function 3 | * @description Deserializing user-controlled data may allow attackers to execute arbitrary code. 4 | * @kind problem 5 | * @problem.severity warning 6 | * @security-severity 2.5 7 | * @sub-severity low 8 | * @precision very-low 9 | * @id py/audit/unsafe-deserialization 10 | * @tags security 11 | * external/cwe/cwe-502 12 | * audit 13 | */ 14 | 15 | import python 16 | import semmle.python.Concepts 17 | import semmle.python.ApiGraphs 18 | private import semmle.python.security.dataflow.UnsafeDeserializationCustomizations 19 | 20 | from DataFlow::Node sink 21 | where sink instanceof UnsafeDeserialization::Sink and sink.getScope().inSource() 22 | select sink, "Usage of Deserializing function" 23 | -------------------------------------------------------------------------------- /python/CWE-502/XMLLocalFileAudit.md: -------------------------------------------------------------------------------- 1 | # Audit: Usage of Insecure XML Parser 2 | 3 | This query detects the use of insecure XML parsers. 
Insecure XML parsers are parsers that do not prevent XML External Entity (XXE) attacks. If an XML parser is used to parse untrusted user input, it may allow an attacker to perform XXE attacks. 4 | -------------------------------------------------------------------------------- /python/CWE-502/XMLLocalFileAudit.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Audit: Usage of Insecure XML Parser 3 | * @description Parsing XML using an insecure parser can lead to security issues. 4 | * @kind problem 5 | * @problem.severity error 6 | * @security-severity 6.0 7 | * @precision high 8 | * @id python/audit/xxe-local-file 9 | * @tags security 10 | * external/cwe/cwe-611 11 | * external/cwe/cwe-776 12 | * external/cwe/cwe-827 13 | * external/cwe/cwe-502 14 | * audit 15 | */ 16 | 17 | private import python 18 | private import semmle.python.dataflow.new.DataFlow 19 | private import github.XMLLocalLib 20 | 21 | from DataFlow::Node source, DataFlow::Node sink 22 | where 23 | exists(XmlParseFileCall call | 24 | source = call.getSource() and 25 | sink = call 26 | ) 27 | select sink, "Unsafe parsing of XML from fixed file name $@.", source, 28 | source.asExpr().(StrConst).getLiteralValue().toString() 29 | -------------------------------------------------------------------------------- /python/CWE-502/XMLLocalFileTaint.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Deserializing XML from user-controlled filename 3 | * @description Parsing XML data from a user-controlled filename (e.g. allowing expansion of external entity 4 | * references) may lead to disclosure of confidential data or denial of service. 
5 | * @kind path-problem 6 | * @problem.severity error 7 | * @security-severity 6.0 8 | * @precision high 9 | * @id python/xxe-local-file-taint 10 | * @tags security 11 | * external/cwe/cwe-611 12 | * external/cwe/cwe-776 13 | * external/cwe/cwe-827 14 | * external/cwe/cwe-502 15 | */ 16 | 17 | private import semmle.python.dataflow.new.DataFlow 18 | private import semmle.python.dataflow.new.TaintTracking 19 | private import DataFlow::PathGraph 20 | private import github.XMLLocalLib 21 | 22 | from DataFlow::PathNode source, DataFlow::PathNode sink 23 | where any(XmlFileConfig conf).hasFlowPath(source, sink) 24 | select sink.getNode(), source, sink, "Unsafe parsing of XML from locally-provided filename $@.", source.getNode(), 25 | "user input" 26 | -------------------------------------------------------------------------------- /python/CWE-502/XMLLocalStringTaint.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Deserializing XML from user-controlled data 3 | * @description Parsing user-controlled XML data (e.g. allowing expansion of external entity 4 | * references) may lead to disclosure of confidential data or denial of service. 
5 | * @kind path-problem 6 | * @problem.severity error 7 | * @security-severity 6.0 8 | * @precision high 9 | * @id python/xxe-local-string-taint 10 | * @tags security 11 | * external/cwe/cwe-611 12 | * external/cwe/cwe-776 13 | * external/cwe/cwe-827 14 | * external/cwe/cwe-502 15 | */ 16 | 17 | private import semmle.python.dataflow.new.DataFlow 18 | private import semmle.python.dataflow.new.TaintTracking 19 | private import DataFlow::PathGraph 20 | private import github.XMLLocalLib 21 | 22 | from DataFlow::PathNode source, DataFlow::PathNode sink 23 | where any(XmlStringConfig conf).hasFlowPath(source, sink) 24 | select sink.getNode(), source, sink, "Unsafe parsing of XML from local $@.", source.getNode(), 25 | "user input" 26 | -------------------------------------------------------------------------------- /python/CWE-522/InsecurelyStoredPassword.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Python insecurely stored password 3 | * @description Password stored insecurely directly in database without hashing with a secure password hash 4 | * @kind problem 5 | * @problem.severity error 6 | * @id python/insecurely-stored-pw 7 | * @precision high 8 | * @tags password 9 | * python 10 | * external/cwe/cwe-256 11 | * external/cwe/cwe-257 12 | * external/cwe/cwe-522 13 | */ 14 | 15 | private import github.InsecurelyStoredPassword 16 | 17 | from User user 18 | where 19 | not user.isSecure() 20 | select user, "Insecure 'user' class $@ stores its password insecurely, without secure hashing", 21 | user, user.getName() 22 | -------------------------------------------------------------------------------- /python/CWE-676/DangerousFunctions.md: -------------------------------------------------------------------------------- 1 | # Audit: Usage of Dangerous Functions 2 | 3 | This query detects the use of dangerous functions. Dangerous functions are functions that are known to be dangerous if used in applications. 
4 | -------------------------------------------------------------------------------- /python/CWE-778/InsufficientLogging.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Insufficient Logging 3 | * @description Insufficient Logging 4 | * @kind problem 5 | * @id py/insufficient-logging 6 | * @problem.severity warning 7 | * @security-severity 1.0 8 | * @sub-severity low 9 | * @precision low 10 | * @tags security 11 | * external/cwe/cwe-778 12 | */ 13 | 14 | import python 15 | 16 | from ExceptStmt exceptBlock, Pass pass, Continue continue 17 | where 18 | pass.getParentNode() = exceptBlock or 19 | continue.getParentNode() = exceptBlock 20 | select exceptBlock, "Try-catch except, Pass/Continue detected." 21 | -------------------------------------------------------------------------------- /python/CWE-798/examples/flask-tests.py: -------------------------------------------------------------------------------- 1 | 2 | import os 3 | from flask import Flask 4 | 5 | 6 | def application1(): 7 | app = Flask(__name__) 8 | # SECURITY WARNING: Hardcoded secret key 9 | app.secret_key = "ABCDEFG" 10 | 11 | app.run() 12 | 13 | 14 | def application2(): 15 | random_name = "HIJKLMN" 16 | app = Flask(__name__) 17 | # SECURITY WARNING: Hardcoded secret key 18 | app.secret_key = random_name 19 | 20 | app.run() 21 | 22 | 23 | def application3(): 24 | app = Flask(__name__) 25 | # SECURITY WARNING: Hardcoded secret key 26 | app.config['SECRET_KEY'] = "OPQRSTU" 27 | app.config['TESTING'] = True 28 | 29 | app.run() 30 | 31 | 32 | def application4(): 33 | app = Flask(__name__) 34 | app.config.update( 35 | TESTING=True, 36 | # SECURITY WARNING: Hardcoded secret key 37 | SECRET_KEY="WXYZ" 38 | ) 39 | 40 | app.run() 41 | 42 | 43 | def application5(): 44 | app = Flask(__name__) 45 | # SECURITY WARNING: Hardcoded secret key 46 | # settings file contains secrets 47 | app.config.from_object('hardcoded.flask_settings') 48 | 49 | app.run() 50 | 51 | 
52 | def safeApplication1(): 53 | app = Flask(__name__) 54 | # SAFE 55 | app.secret_key = os.environ.get('SECRET_KEY') 56 | 57 | app.run() 58 | 59 | 60 | if __name__ == "__main__": 61 | application1() 62 | application2() 63 | application3() 64 | application4() 65 | application5() 66 | 67 | safeApplication1() 68 | -------------------------------------------------------------------------------- /python/CWE-798/examples/flask_settings.py: -------------------------------------------------------------------------------- 1 | 2 | class Config(object): 3 | DEBUG = False 4 | TESTING = False 5 | 6 | 7 | class ProductionConfig(Config): 8 | DATABASE_URI = 'mysql://user@localhost/foo' 9 | # SECURITY WARNING: Hardcoded secret key 10 | SECRET_TOKEN = "ThisIsASecretToken" 11 | 12 | 13 | class DevelopmentConfig(Config): 14 | DATABASE_URI = "sqlite:////tmp/foo.db" 15 | 16 | 17 | class TestingConfig(Config): 18 | DATABASE_URI = 'sqlite:///:memory:' 19 | DEBUG = True 20 | 21 | SECRET_TOKEN = "ThisIsATestToken" 22 | -------------------------------------------------------------------------------- /python/CWE-798/examples/requests-tests.py: -------------------------------------------------------------------------------- 1 | 2 | from requests import get 3 | from requests.auth import HTTPBasicAuth 4 | 5 | 6 | def test1(): 7 | r = get('https://api.github.com/user', auth=('user', 'mysecretpassword')) 8 | 9 | return r.text 10 | 11 | 12 | def test2(): 13 | r = get('https://api.github.com/user', auth=HTTPBasicAuth('user', 'mysecretpassword')) 14 | 15 | return r.text 16 | -------------------------------------------------------------------------------- /python/CWE-915/MassAssignment.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Mass assignment 3 | * @description Mass assignment is a vulnerability that allows an attacker to 4 | * modify multiple attributes of a model at once. 
5 | * @kind path-problem 6 | * @problem.severity error 7 | * @security-severity 8.0 8 | * @precision high 9 | * @sub-severity high 10 | * @id py/mass-assignment 11 | * @tags security 12 | * external/cwe/cwe-915 13 | */ 14 | 15 | import python 16 | import DataFlow::PathGraph 17 | // GitHub Field lib 18 | import github.MassAssignment 19 | 20 | from MassAssignment::MassAssignmentConfig config, DataFlow::PathNode source, DataFlow::PathNode sink 21 | where config.hasFlowPath(source, sink) 22 | select sink.getNode(), source, sink, "Use of $@.", source.getNode(), "mass assignment" 23 | -------------------------------------------------------------------------------- /python/CWE-915/MassAssignmentLocal.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Mass assignment 3 | * @description Mass assignment is a vulnerability that allows an attacker to 4 | * modify multiple attributes of a model at once. 5 | * @kind path-problem 6 | * @problem.severity warning 7 | * @security-severity 2.0 8 | * @precision high 9 | * @sub-severity high 10 | * @id py/mass-assignment 11 | * @tags security 12 | * external/cwe/cwe-915 13 | */ 14 | 15 | import python 16 | import DataFlow::PathGraph 17 | // GitHub Field lib 18 | import github.MassAssignment 19 | 20 | from MassAssignment::MassAssignmentLocalConfig config, DataFlow::PathNode source, DataFlow::PathNode sink 21 | where config.hasFlowPath(source, sink) 22 | select sink.getNode(), source, sink, "Use of $@.", source.getNode(), "mass assignment" 23 | -------------------------------------------------------------------------------- /python/CWE-915/MassAssignmentLocalProblem.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Mass assignment 3 | * @description Mass assignment is a vulnerability that allows an attacker to 4 | * modify multiple attributes of a model at once. 
5 | * @kind problem 6 | * @problem.severity warning 7 | * @security-severity 2.0 8 | * @precision high 9 | * @sub-severity high 10 | * @id py/mass-assignment-problem 11 | * @tags security 12 | * external/cwe/cwe-915 13 | * testing 14 | */ 15 | 16 | import python 17 | // GitHub Field lib 18 | import github.MassAssignment 19 | 20 | from MassAssignment::MassAssignmentLocalConfig config, DataFlow::Node source, DataFlow::Node sink 21 | where config.hasFlow(source, sink) 22 | select sink, "Use of $@.", source, "mass assignment" 23 | -------------------------------------------------------------------------------- /python/CWE-915/MassAssignmentProblem.ql: -------------------------------------------------------------------------------- 1 | /** 2 | * @name Mass assignment 3 | * @description Mass assignment is a vulnerability that allows an attacker to 4 | * modify multiple attributes of a model at once. 5 | * @kind problem 6 | * @problem.severity error 7 | * @security-severity 8.0 8 | * @precision high 9 | * @sub-severity high 10 | * @id py/mass-assignment-problem 11 | * @tags security 12 | * external/cwe/cwe-915 13 | * testing 14 | */ 15 | 16 | import python 17 | // GitHub Field lib 18 | import github.MassAssignment 19 | 20 | from MassAssignment::MassAssignmentConfig config, DataFlow::Node source, DataFlow::Node sink 21 | where config.hasFlow(source, sink) 22 | select sink, "Use of $@.", source, "mass assignment" 23 | -------------------------------------------------------------------------------- /python/codeql-pack.lock.yml: -------------------------------------------------------------------------------- 1 | --- 2 | lockVersion: 1.0.0 3 | dependencies: 4 | codeql/python-all: 5 | version: 0.9.4 6 | codeql/regex: 7 | version: 0.0.15 8 | codeql/tutorial: 9 | version: 0.0.12 10 | codeql/util: 11 | version: 0.0.12 12 | codeql/yaml: 13 | version: 0.0.4 14 | compiled: false 15 | -------------------------------------------------------------------------------- 
/python/github/DefaultPasswordDB.qll:
--------------------------------------------------------------------------------
private import python

// password = db.Column(..., server_default=...)

/**
 * A call of the form `<receiver>.Column(...)` whose receiver is a plain access of a
 * named variable (e.g. `db` in `db.Column(...)`).
 *
 * The receiver variable's identifier is exposed by `getDbId()`; the first positional
 * argument and the `default` / `server_default` keyword arguments are inspected by the
 * predicates below. Presumably used to find model columns declared with a hard-coded
 * default value — see the query that imports this library.
 */
class DBColumn extends Call {
  CallNode call;
  string name;
  ControlFlowNode object;
  Name var;
  string id;

  DBColumn() {
    // The callee is an attribute read `object.name` ...
    call.getFunction().(AttrNode).getObject(name) = object
    // ... where the attribute is `Column` ...
    and name = "Column"
    and call = this.getAFlowNode()
    // ... and the receiver is an access of the variable `var`, whose id is recorded.
    and object.getNode() = var.getVariable().getAnAccess()
    and var.getId() = id
  }

  /** Gets the identifier of the variable the `Column` attribute is read from. */
  string getDbId() {
    result = id
  }

  /**
   * Holds if the call passes a `server_default=` or `default=` keyword argument whose
   * value is an immutable literal, i.e. a constant baked into the schema. Defaults
   * that are not literals (for example a callable) do not match.
   */
  predicate hasStaticDefault() {
    exists(DictItem arg |
      arg = call.getNode().getANamedArg()
      and arg.(Keyword).getArg() in ["server_default", "default"]
      and arg.(Keyword).getValue() instanceof ImmutableLiteral
    )
  }

  /**
   * Gets the identifier of a variable that an assignment statement defines with this
   * call as its right-hand side (e.g. `password` in `password = db.Column(...)`).
   */
  string assignedToVariable() {
    exists(AssignStmt assign, Variable v|
      assign.defines(v)
      and v.getId() = result
      and assign.getValue() = this
    )
  }

  /**
   * Gets the text of the call's first positional argument when it is a string
   * constant; has no result when the column name is supplied any other way.
   */
  string getColumnName() {
    result = call.getNode().getArg(0).(StrConst).getText()
  }
}
--------------------------------------------------------------------------------
/python/github/Logging.qll:
--------------------------------------------------------------------------------
import python
import semmle.python.ApiGraphs

/**
 * A data-flow node representing a call that writes to a log-like output.
 * Extend this class to add further logging sinks.
 */
abstract class LoggingSinks extends DataFlow::Node { }

/** A call to the builtin `print(...)` whose enclosing scope is `inSource()`. */
class PrintMethod extends LoggingSinks {
  PrintMethod() {
    exists(DataFlow::Node call |
      call = API::builtin("print").getACall() and
      call.getScope().inSource() and
      this = call
    )
  }
}

/**
 * A call to `info`, `debug`, `warning` or `error` on either the `logging` module
 * itself or on the value returned by `logging.getLogger(...)`, whose enclosing
 * scope is `inSource()`.
 *
 * NOTE(review): only those four level methods are matched — `critical`,
 * `exception` and `log`, and loggers obtained any other way, are not modelled;
 * confirm that is intended before relying on this sink set.
 */
class LoggingFramework extends LoggingSinks {
  LoggingFramework() {
    exists(DataFlow::Node call, API::Node node |
      (
        (
          node = API::moduleImport("logging")
          or
          node = API::moduleImport("logging").getMember("getLogger").getReturn()
        ) and
        call = node.getMember(["info", "debug", "warning", "error"]).getACall()
      ) and
      call.getScope().inSource() and
      this = call
    )
  }
}
--------------------------------------------------------------------------------
/python/github/Utils.qll:
--------------------------------------------------------------------------------
import python
private import semmle.python.ApiGraphs
private import semmle.python.Concepts
private import semmle.python.dataflow.new.DataFlow
private import semmle.python.dataflow.new.internal.TaintTrackingPrivate

// List of all the format strings
// - python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
/**
 * A data-flow node whose expression builds a string dynamically, restricted to
 * scopes that are `inSource()`. Three shapes are matched:
 *  - an f-string literal;
 *  - any call of a `.format(...)` attribute — the receiver is not constrained to be
 *    a string, so `.format` calls on other objects match too;
 *  - any `%` or `+` binary expression — operand types are not checked, so numeric
 *    `+` and `%` also match.
 * This is a deliberately broad match, so expect candidates rather than confirmed
 * injection sinks.
 */
class DynamicStrings extends DataFlow::Node {
  DynamicStrings() {
    (
      // s = f"WHERE name = '{input}'"
      exists(Fstring fmtstr | this.asExpr() = fmtstr)
      or
      // "SELECT * FROM users WHERE username = '{}'".format(username)
      // `object` is left unconstrained: any receiver with a `.format` attribute matches.
      exists(CallNode format, string methods, ControlFlowNode object |
        object = format.getFunction().(AttrNode).getObject(methods)
      |
        methods = "format" and
        this.asExpr() = format.getNode()
      )
      or
      exists(BinaryExpr expr |
        (
          // q = "WHERE name = %s" % username
          expr.getOp() instanceof Mod or
          // q = "WHERE name = " + username
          expr.getOp() instanceof Add
        )
        and
        // The left operand's parent should be `expr` itself, so this node is the
        // whole binary expression rather than one of its operands.
        expr.getLeft().getParent() = this.asExpr()
      )
    ) and
    this.getScope().inSource()
  }
}
--------------------------------------------------------------------------------
/python/qlpack.yml:
--------------------------------------------------------------------------------
library: false
name: advanced-security/codeql-python
version: 0.3.0
defaultSuiteFile: suites/codeql-python.qls
dependencies:
  codeql/python-all: 0.10.2
--------------------------------------------------------------------------------
/python/queries.xml:
-------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /python/suites/codeql-python-audit.qls: -------------------------------------------------------------------------------- 1 | # This is the field security specialist audit pack 2 | 3 | - description: "Python Audit Pack" 4 | 5 | # Field query pack with some audit queries 6 | - queries: '.' 7 | from: advanced-security/codeql-python 8 | - include: 9 | kind: 10 | - problem 11 | - path-problem 12 | - metric 13 | - diagnostic 14 | tags contain: 15 | - audit 16 | 17 | - queries: '.' 18 | from: codeql/python-queries 19 | 20 | - include: 21 | id: 22 | - py/untrusted-data-to-external-api 23 | -------------------------------------------------------------------------------- /python/suites/codeql-python-local.qls: -------------------------------------------------------------------------------- 1 | # See https://help.semmle.com/codeql/codeql-cli/procedures/query-suites.html#filtering-the-queries-in-a-query-suite 2 | # for additional ways to exclude queries 3 | 4 | - description: "GitHub's Field Team Python Local Variate Suite" 5 | 6 | - queries: '.' 7 | from: advanced-security/codeql-python 8 | 9 | # include all queries tagged with local 10 | - include: 11 | tags contain: local 12 | -------------------------------------------------------------------------------- /python/suites/codeql-python.qls: -------------------------------------------------------------------------------- 1 | # https://codeql.github.com/docs/codeql-cli/creating-codeql-query-suites/ 2 | 3 | - description: "GitHub's Field Team Python Extended Suite" 4 | 5 | # GitHub's Field Team Python Suite 6 | - queries: '.' 
7 | from: advanced-security/codeql-python 8 | 9 | # Include lows 10 | - include: 11 | kind: 12 | - problem 13 | - path-problem 14 | precision: 15 | - low 16 | 17 | # Remove debugging, and audit queries 18 | - exclude: 19 | tags contain: 20 | - debugging 21 | - audit 22 | # Remove local testing folders 23 | - exclude: 24 | query path: 25 | - /testing\/.*/ 26 | -------------------------------------------------------------------------------- /python/suites/python-security-experimental.qls: -------------------------------------------------------------------------------- 1 | # Use with caution ⚠️ experimental queries are not assured for performance or false positives 2 | 3 | # Use in a CodeQL workflow, e.g. copy to `./.github/codeql/python-experimental-security.qls` 4 | # then alter the workflow to look like: 5 | # 6 | # # Initializes the CodeQL tools for scanning. 7 | # - name: Initialize CodeQL 8 | # uses: github/codeql-action/init@v2 9 | # with: 10 | # languages: ${{ matrix.language }} 11 | # queries: security-extended,./.github/codeql/python-experimental-security.qls # <-- add this bit here after the comma 12 | 13 | - description: "Python experimental security queries" 14 | - qlpack: codeql/python-queries 15 | 16 | - queries: '.' 
17 | from: codeql/python-queries 18 | 19 | - include: 20 | kind: 21 | - problem 22 | - path-problem 23 | - alert 24 | - path-alert 25 | tags contain: 26 | - security 27 | query path: 28 | - /experimental\/.*/ 29 | 30 | - include: 31 | kind: 32 | - diagnostic 33 | - include: 34 | kind: 35 | - metric 36 | tags contain: 37 | - summary 38 | 39 | - exclude: 40 | deprecated: // 41 | - exclude: 42 | query path: 43 | - Metrics/Summaries/FrameworkCoverage.ql 44 | - /Diagnostics/Internal/.*/ 45 | - exclude: 46 | tags contain: 47 | - model-generator 48 | -------------------------------------------------------------------------------- /ruby/README.md: -------------------------------------------------------------------------------- 1 | # Ruby 2 | 3 | ## Queries 4 | 5 | | Name | Severity | Path | 6 | | :--- | :------- | :--- | 7 | 8 | 9 | 10 | ## Query Suites 11 | 12 | | Name | Queries Count | Description | Path | 13 | | :--- | :---- | :--- | :--- | 14 | | `default` | 39 | Default Query Suite | `codeql/ruby/ql/src/codeql-suites/code-scanning` | 15 | | `extended` | 46 | Security Extended Suite | `codeql/ruby/ql/src/codeql-suites/security-extended` | 16 | | `quality` | 46 | Security and Quality Extended Suite | `codeql/ruby/ql/src/codeql-suites/security-and-quality` | 17 | | `super-extended` | 45 | Security Extended with Experimental and Custom Queries Suite | `advanced-security/codeql-queries/ruby/suites/codeql-ruby.qls@main` | 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /ruby/codeql-pack.lock.yml: -------------------------------------------------------------------------------- 1 | --- 2 | lockVersion: 1.0.0 3 | dependencies: 4 | codeql/regex: 5 | version: 0.0.13 6 | codeql/ruby-all: 7 | version: 0.6.2 8 | codeql/ssa: 9 | version: 0.0.17 10 | codeql/tutorial: 11 | version: 0.0.10 12 | codeql/util: 13 | version: 0.0.10 14 | compiled: false 15 | 
-------------------------------------------------------------------------------- /ruby/qlpack.yml: -------------------------------------------------------------------------------- 1 | library: false 2 | name: advanced-security/codeql-ruby 3 | version: 0.2.0 4 | defaultSuiteFile: suites/codeql-ruby.qls 5 | dependencies: 6 | codeql/ruby-all: 0.7.2 7 | -------------------------------------------------------------------------------- /ruby/queries.xml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ruby/suites/codeql-ruby.qls: -------------------------------------------------------------------------------- 1 | # See https://help.semmle.com/codeql/codeql-cli/procedures/query-suites.html#filtering-the-queries-in-a-query-suite 2 | # for additional ways to exclude queries 3 | 4 | - description: "GitHub's Field Team Ruby Extended Suite" 5 | 6 | - qlpack: github-queries-ruby 7 | 8 | - import: codeql-suites/ruby-security-extended.qls 9 | from: codeql/ruby-queries 10 | - exclude: 11 | id: 12 | - rb/hardcoded-credentials 13 | -------------------------------------------------------------------------------- /swift/README.md: -------------------------------------------------------------------------------- 1 | # Swift 2 | 3 | ## Query Suites 4 | 5 | | Name | Queries Count | Description | Path | 6 | | :--- | :---- | :--- | :--- | 7 | | `default` | 19 | Default Query Suite | `codeql/swift/ql/src/codeql-suites/code-scanning` | 8 | | `extended` | 21 | Security Extended Suite | `codeql/swift/ql/src/codeql-suites/security-extended` | 9 | | `quality` | 21 | Security and Quality Extended Suite | `codeql/swift/ql/src/codeql-suites/security-and-quality` | 10 | 11 | 12 | 13 | 14 | ## Queries 15 | 16 | | Name | Severity | Path | 17 | | :--- | :------- | :--- | 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- 
/swift/codeql-pack.lock.yml: -------------------------------------------------------------------------------- 1 | --- 2 | lockVersion: 1.0.0 3 | dependencies: 4 | codeql/ssa: 5 | version: 0.0.17 6 | codeql/swift-all: 7 | version: 0.1.0 8 | codeql/tutorial: 9 | version: 0.0.10 10 | codeql/util: 11 | version: 0.0.10 12 | compiled: false 13 | -------------------------------------------------------------------------------- /swift/qlpack.yml: -------------------------------------------------------------------------------- 1 | --- 2 | library: false 3 | name: advanced-security/codeql-swift 4 | version: 0.1.0 5 | dependencies: 6 | codeql/swift-all: "^0.1.0" 7 | defaultSuiteFile: suites/codeql-swift.qls 8 | -------------------------------------------------------------------------------- /swift/queries.xml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /swift/suites/codeql-swift.qls: -------------------------------------------------------------------------------- 1 | 2 | - description: "GitHub's Field Team Swift Super Extended Suite" 3 | 4 | - import: codeql-suites/swift-security-extended.qls 5 | from: codeql/swift-queries 6 | 7 | - queries: '.' 
8 | from: codeql/swift-queries 9 | -------------------------------------------------------------------------------- /tailor-packs/java-poc/customize: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -eu 3 | 4 | gh tailor \ 5 | set-pack-meta \ 6 | --name "advanced-security/poc-java-queries" \ 7 | --version "0.0.0" \ 8 | --default-suite "codeql-suites/java-code-scanning.qls" \ 9 | stage 10 | 11 | # inject query suites 12 | cp suites/* stage/codeql-suites/ 13 | 14 | # bump the XSS query's severity 15 | gh tailor \ 16 | set-ql-meta \ 17 | -m "security-severity" "9.0" \ 18 | "stage/Security/CWE/CWE-079/XSS.ql" 19 | 20 | # inject customizations into selected queries... 21 | cp -r tailor stage/ 22 | 23 | find stage/Security -name '*.ql' -type f -print0 \ 24 | | xargs -0 gh tailor ql-import -m "tailor.Customizations" 25 | -------------------------------------------------------------------------------- /tailor-packs/java-poc/suites/java-security-experimental.qls: -------------------------------------------------------------------------------- 1 | - description: Java experimental security queries 2 | - queries: . 
3 | - include: 4 | kind: 5 | - problem 6 | - path-problem 7 | - alert 8 | - path-alert 9 | tags contain: 10 | - security 11 | query path: 12 | - /experimental\/.*/ 13 | - include: 14 | kind: 15 | - diagnostic 16 | - include: 17 | kind: 18 | - metric 19 | tags contain: 20 | - summary 21 | - exclude: 22 | deprecated: // 23 | - exclude: 24 | query path: 25 | - Metrics/Summaries/FrameworkCoverage.ql 26 | - /Diagnostics/Internal/.*/ 27 | - exclude: 28 | tags contain: 29 | - model-generator 30 | -------------------------------------------------------------------------------- /tailor-packs/java-poc/tailor/Customizations.qll: -------------------------------------------------------------------------------- 1 | import java 2 | import tailor.models.Models 3 | import semmle.code.java.dataflow.FlowSources 4 | 5 | 6 | // Consider local sources to be under attacker control 7 | class LocalIsRemote extends RemoteFlowSource { 8 | LocalIsRemote() { 9 | this instanceof LocalUserInput 10 | } 11 | 12 | override string getSourceType() { result = "local source type" } 13 | } 14 | -------------------------------------------------------------------------------- /tailor-packs/java-poc/tailor/models/JdkManual.qll: -------------------------------------------------------------------------------- 1 | import java 2 | private import semmle.code.java.dataflow.ExternalFlow 3 | 4 | private class JdkManual extends SummaryModelCsv { 5 | override predicate row(string row) { 6 | row = [ 7 | "java.lang;String;true;replace;;;Argument[-1];ReturnValue;taint;manual" 8 | ] 9 | } 10 | } 11 | 12 | -------------------------------------------------------------------------------- /tailor-packs/java-poc/tailor/models/Models.qll: -------------------------------------------------------------------------------- 1 | import ApacheCommonsExecGenerated 2 | import AsciidoctorAsciidoctorjGenerated 3 | import FlywayFlywayGenerated 4 | import JdkManual 5 | import JhyJsoupGenerated 6 | import 
SpringProjectsSpringDataCommonsGenerated 7 | import SpringProjectsSpringDataJpaGenerated 8 | import SpringProjectsSpringDataJpaManual 9 | -------------------------------------------------------------------------------- /tailor-packs/java-poc/tailor/models/SpringProjectsSpringDataJpaManual.qll: -------------------------------------------------------------------------------- 1 | import java 2 | private import semmle.code.java.dataflow.ExternalFlow 3 | 4 | private class SpringProjectsSpringDataJpaSummaryModelCustom extends SummaryModelCsv { 5 | override predicate row(string row) { 6 | row = [ 7 | "org.springframework.data.repository;CrudRepository;true;save;;;Argument[0];ReturnValue;value;manual" 8 | ] 9 | } 10 | } 11 | 12 | -------------------------------------------------------------------------------- /tailor-packs/java-poc/unit-tests/local_is_remote/Test.java: -------------------------------------------------------------------------------- 1 | import java.io.*; 2 | import java.net.InetAddress; 3 | import java.nio.file.Path; 4 | import java.nio.file.FileSystems; 5 | 6 | class Test { 7 | void doGet1(InetAddress address) 8 | throws IOException { 9 | String temp = address.getHostName(); 10 | 11 | // BAD: construct a file path with user input 12 | File file = new File(temp); 13 | 14 | // MAYBE BAD: construct a path with local user input 15 | Path path = FileSystems.getDefault().getPath(System.getenv("PATH")); 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /tailor-packs/java-poc/unit-tests/local_is_remote/query.expected: -------------------------------------------------------------------------------- 1 | edges 2 | | Test.java:9:18:9:38 | getHostName(...) : String | Test.java:12:25:12:28 | temp | 3 | nodes 4 | | Test.java:9:18:9:38 | getHostName(...) : String | semmle.label | getHostName(...) : String | 5 | | Test.java:12:25:12:28 | temp | semmle.label | temp | 6 | | Test.java:15:49:15:69 | getenv(...) 
| semmle.label | getenv(...) | 7 | subpaths 8 | #select 9 | | Test.java:12:16:12:29 | new File(...) | Test.java:9:18:9:38 | getHostName(...) : String | Test.java:12:25:12:28 | temp | $@ flows to here and is used in a path. | Test.java:9:18:9:38 | getHostName(...) | User-provided value | 10 | | Test.java:15:16:15:70 | getPath(...) | Test.java:15:49:15:69 | getenv(...) | Test.java:15:49:15:69 | getenv(...) | $@ flows to here and is used in a path. | Test.java:15:49:15:69 | getenv(...) | User-provided value | 11 | -------------------------------------------------------------------------------- /tailor-packs/java-poc/unit-tests/local_is_remote/query.qlref: -------------------------------------------------------------------------------- 1 | Security/CWE/CWE-022/TaintedPath.ql 2 | -------------------------------------------------------------------------------- /tailor-packs/java-poc/unit-tests/qlpack.yml: -------------------------------------------------------------------------------- 1 | dependencies: 2 | advanced-security/poc-java-queries: '*' 3 | extractor: java 4 | groups: 5 | - java 6 | - test 7 | name: advanced-security/poc-java-queries-tests 8 | tests: . 
9 | -------------------------------------------------------------------------------- /tailor-packs/java-poc/unit-tests/taint_through_crudrepository_save/Test.java: -------------------------------------------------------------------------------- 1 | import java.io.IOException; 2 | import javax.servlet.ServletException; 3 | import javax.servlet.http.HttpServlet; 4 | import javax.servlet.http.HttpServletRequest; 5 | import javax.servlet.http.HttpServletResponse; 6 | import org.springframework.data.repository.CrudRepository; 7 | 8 | public class Test extends HttpServlet { 9 | public static CrudRepository cr = null; 10 | 11 | protected void doGet(HttpServletRequest request, HttpServletResponse response) 12 | throws ServletException, IOException { 13 | String taint = request.getParameter("page"); 14 | taint = cr.save(taint); 15 | response.getWriter().print("a " + taint); 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /tailor-packs/java-poc/unit-tests/taint_through_crudrepository_save/org/springframework/data/repository/CrudRepository.java: -------------------------------------------------------------------------------- 1 | package org.springframework.data.repository; 2 | 3 | public interface CrudRepository { 4 | S save(S entity); 5 | } 6 | -------------------------------------------------------------------------------- /tailor-packs/java-poc/unit-tests/taint_through_crudrepository_save/query.expected: -------------------------------------------------------------------------------- 1 | edges 2 | | Test.java:13:18:13:45 | getParameter(...) : String | Test.java:14:19:14:23 | taint : String | 3 | | Test.java:14:11:14:24 | save(...) : String | Test.java:15:30:15:41 | ... + ... | 4 | | Test.java:14:19:14:23 | taint : String | Test.java:14:11:14:24 | save(...) : String | 5 | nodes 6 | | Test.java:13:18:13:45 | getParameter(...) : String | semmle.label | getParameter(...) : String | 7 | | Test.java:14:11:14:24 | save(...) 
: String | semmle.label | save(...) : String | 8 | | Test.java:14:19:14:23 | taint : String | semmle.label | taint : String | 9 | | Test.java:15:30:15:41 | ... + ... | semmle.label | ... + ... | 10 | subpaths 11 | #select 12 | | Test.java:15:30:15:41 | ... + ... | Test.java:13:18:13:45 | getParameter(...) : String | Test.java:15:30:15:41 | ... + ... | Cross-site scripting vulnerability due to $@. | Test.java:13:18:13:45 | getParameter(...) | user-provided value | 13 | -------------------------------------------------------------------------------- /tailor-packs/java-poc/unit-tests/taint_through_crudrepository_save/query.qlref: -------------------------------------------------------------------------------- 1 | Security/CWE/CWE-079/XSS.ql 2 | -------------------------------------------------------------------------------- /tailor-packs/java-poc/unit-tests/taint_through_string_replace/Test.java: -------------------------------------------------------------------------------- 1 | import java.io.IOException; 2 | import javax.servlet.ServletException; 3 | import javax.servlet.http.HttpServlet; 4 | import javax.servlet.http.HttpServletRequest; 5 | import javax.servlet.http.HttpServletResponse; 6 | 7 | public class Test extends HttpServlet { 8 | protected void doGet(HttpServletRequest request, HttpServletResponse response) 9 | throws ServletException, IOException { 10 | String taint = request.getParameter("page"); 11 | taint = taint.replace("string", "replacement"); // this is currently not a taint step in the default query pack 12 | response.getWriter().print("a " + taint); 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /tailor-packs/java-poc/unit-tests/taint_through_string_replace/query.expected: -------------------------------------------------------------------------------- 1 | edges 2 | | Test.java:10:18:10:45 | getParameter(...) 
: String | Test.java:11:11:11:15 | taint : String | 3 | | Test.java:11:11:11:15 | taint : String | Test.java:11:11:11:48 | replace(...) : String | 4 | | Test.java:11:11:11:48 | replace(...) : String | Test.java:12:30:12:41 | ... + ... | 5 | nodes 6 | | Test.java:10:18:10:45 | getParameter(...) : String | semmle.label | getParameter(...) : String | 7 | | Test.java:11:11:11:15 | taint : String | semmle.label | taint : String | 8 | | Test.java:11:11:11:48 | replace(...) : String | semmle.label | replace(...) : String | 9 | | Test.java:12:30:12:41 | ... + ... | semmle.label | ... + ... | 10 | subpaths 11 | #select 12 | | Test.java:12:30:12:41 | ... + ... | Test.java:10:18:10:45 | getParameter(...) : String | Test.java:12:30:12:41 | ... + ... | Cross-site scripting vulnerability due to $@. | Test.java:10:18:10:45 | getParameter(...) | user-provided value | 13 | -------------------------------------------------------------------------------- /tailor-packs/java-poc/unit-tests/taint_through_string_replace/query.qlref: -------------------------------------------------------------------------------- 1 | Security/CWE/CWE-079/XSS.ql 2 | -------------------------------------------------------------------------------- /tests/csharp-tests/CWE-328/WeakHashingAlgorithms.expected: -------------------------------------------------------------------------------- 1 | | WeakHashingAlgorithms.cs:12:40:12:69 | object creation of type MD5CryptoServiceProvider | This function creates a new MD5CryptoServiceProvider() object, which uses a cryptographically weak hash algorithm | 2 | | WeakHashingAlgorithms.cs:25:66:25:121 | call to method Create | This function calls the MD5.Create() or HashAlgorithm.Create() method, which uses a cryptographically weak hash algorithm | 3 | | WeakHashingAlgorithms.cs:38:48:38:88 | call to method Create | This function calls the MD5.Create() or HashAlgorithm.Create() method, which uses a cryptographically weak hash algorithm | 4 | | 
WeakHashingAlgorithms.cs:51:48:51:88 | call to method Create | This function calls the MD5.Create() or HashAlgorithm.Create() method, which uses a cryptographically weak hash algorithm | 5 | -------------------------------------------------------------------------------- /tests/csharp-tests/CWE-328/WeakHashingAlgorithms.qlref: -------------------------------------------------------------------------------- 1 | CWE-328/WeakHashingAlgorithms.ql -------------------------------------------------------------------------------- /tests/csharp-tests/CWE-328/WeakPasswordHashing.qlref: -------------------------------------------------------------------------------- 1 | CWE-328/WeakPasswordHashing.ql -------------------------------------------------------------------------------- /tests/csharp-tests/CWE-328/WeakSensitiveDataHashing.qlref: -------------------------------------------------------------------------------- 1 | CWE-328/WeakSensitiveDataHashing.ql -------------------------------------------------------------------------------- /tests/csharp-tests/CWE-328/options: -------------------------------------------------------------------------------- 1 | semmle-extractor-options: /r:System.Security.Cryptography.dll /r:System.Security.Cryptography.Csp.dll /r:System.Security.Cryptography.Algorithms.dll 2 | -------------------------------------------------------------------------------- /tests/csharp-tests/CWE-760/HardcodedSalt.qlref: -------------------------------------------------------------------------------- 1 | CWE-760/HardcodedSalt.ql -------------------------------------------------------------------------------- /tests/csharp-tests/CWE-760/StaticSalt.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.IO; 3 | using System.Text; 4 | using System.Runtime.Serialization; 5 | using System.Security.Cryptography; 6 | using System.Security.Permissions; 7 | 8 | public class StaticSalt { 9 | public void 
Test1() { 10 | string password = "TestPassword"; 11 | 12 | // BAD: Static String 13 | var salt = Encoding.UTF8.GetBytes("Hardcoded Salt"); 14 | var hash = new Rfc2898DeriveBytes(password, salt); 15 | 16 | // Good: Randomly generated byte array 17 | var randonSalt = new byte[16]; 18 | RandomNumberGenerator.Create().GetBytes(randonSalt); 19 | var hash_safe = new Rfc2898DeriveBytes(password, randonSalt); 20 | } 21 | 22 | public static string generateSalt() { 23 | return "Hardcoded Salt2"; 24 | } 25 | public void Test2() { 26 | string password = "TestPassword2"; 27 | 28 | // BAD: Static String 29 | var salt = Encoding.UTF8.GetBytes(StaticSalt.generateSalt()); 30 | var hash = new Rfc2898DeriveBytes(password, salt); 31 | } 32 | } -------------------------------------------------------------------------------- /tests/csharp-tests/CWE-760/options: -------------------------------------------------------------------------------- 1 | semmle-extractor-options: /r:System.Security.Cryptography.dll /r:System.Security.Cryptography.Csp.dll /r:System.Security.Cryptography.Algorithms.dll 2 | -------------------------------------------------------------------------------- /tests/csharp-tests/CWE-798/HardcodedCredentialsSymmetricSecurityKey.qlref.bak: -------------------------------------------------------------------------------- 1 | CWE-798/HardcodedCredentialsSymmetricSecurityKey.ql -------------------------------------------------------------------------------- /tests/csharp-tests/CWE-798/options: -------------------------------------------------------------------------------- 1 | semmle-extractor-options: /r:System.Security.Claims.dll /r:Microsoft.AspNetCore.dll /r:Microsoft.IdentityModel.dll /r:System.IdentityModel.dll /r:System.dll /r:System.Security.Cryptography.dll /r:System.Security.Cryptography.Csp.dll /r:System.Security.Cryptography.Algorithms.dll 2 | -------------------------------------------------------------------------------- /tests/csharp-tests/qlpack.lock.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | dependencies: {} 3 | compiled: false 4 | lockVersion: 1.0.0 -------------------------------------------------------------------------------- /tests/csharp-tests/qlpack.yml: -------------------------------------------------------------------------------- 1 | name: advanced-security/codeql-csharp-tests 2 | groups: [csharp, test] 3 | dependencies: 4 | codeql/csharp-all: "*" 5 | advanced-security/codeql-csharp: "*" 6 | 7 | extractor: csharp 8 | tests: . -------------------------------------------------------------------------------- /tests/go-tests/CWE-078/cmdi.expected: -------------------------------------------------------------------------------- 1 | edges 2 | | main.go:20:14:20:20 | selection of URL | main.go:20:14:20:28 | call to Query | 3 | | main.go:20:14:20:28 | call to Query | main.go:27:22:27:28 | cmdName | 4 | nodes 5 | | main.go:20:14:20:20 | selection of URL | semmle.label | selection of URL | 6 | | main.go:20:14:20:28 | call to Query | semmle.label | call to Query | 7 | | main.go:27:22:27:28 | cmdName | semmle.label | cmdName | 8 | subpaths 9 | #select 10 | | main.go:27:22:27:28 | cmdName | main.go:20:14:20:20 | selection of URL | main.go:27:22:27:28 | cmdName | This command depends on a $@. 
| main.go:20:14:20:20 | selection of URL | user-provided value | 11 | -------------------------------------------------------------------------------- /tests/go-tests/CWE-078/cmdi.qlref: -------------------------------------------------------------------------------- 1 | CWE-078/CommandInjection.ql -------------------------------------------------------------------------------- /tests/go-tests/CWE-078/go.mod: -------------------------------------------------------------------------------- 1 | module example.com/m/v2 2 | 3 | go 1.10 -------------------------------------------------------------------------------- /tests/go-tests/CWE-078/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "net/http" 6 | "os/exec" 7 | ) 8 | 9 | // func handler is unused (U1000)go-staticcheck 10 | func handler(req *http.Request) { 11 | cmdName := req.URL.Query()["cmd"][0] 12 | cmd := exec.Command(cmdName) 13 | cmd.Run() 14 | } 15 | 16 | func usedHandler(w http.ResponseWriter, req *http.Request) { 17 | 18 | fmt.Fprintf(w, "Welcome!!!") 19 | 20 | cmds, ok := req.URL.Query()["cmd"] 21 | if !ok || len(cmds) < 1 { 22 | http.Error(w, "Missing cmd parameter", http.StatusBadRequest) 23 | return 24 | } 25 | 26 | cmdName := cmds[0] 27 | cmd := exec.Command(cmdName) 28 | err := cmd.Run() 29 | if err != nil { 30 | http.Error(w, err.Error(), http.StatusInternalServerError) 31 | return 32 | } 33 | 34 | fmt.Fprintf(w, "Command '%s' executed successfully!", cmdName) 35 | } 36 | 37 | func justAFunction() { 38 | println("I'm just a function") 39 | } 40 | 41 | func main() { 42 | justAFunction() 43 | 44 | http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { 45 | fmt.Fprintf(w, "Welcome to my website!") 46 | }) 47 | 48 | http.HandleFunc("/execute", usedHandler) 49 | 50 | http.ListenAndServe(":8080", nil) 51 | } -------------------------------------------------------------------------------- 
/tests/go-tests/CWE-089/audit/.gitignore: -------------------------------------------------------------------------------- 1 | *.db -------------------------------------------------------------------------------- /tests/go-tests/CWE-089/audit/SQLInjectionAudit.expected: -------------------------------------------------------------------------------- 1 | | main.go:27:21:27:56 | "SELECT * FROM users WHERE name = '" | 2 | | main.go:27:21:27:64 | ...+... | 3 | | main.go:31:22:31:80 | call to Sprintf | 4 | -------------------------------------------------------------------------------- /tests/go-tests/CWE-089/audit/SQLInjectionAudit.ql: -------------------------------------------------------------------------------- 1 | import go 2 | import github.Utils 3 | 4 | query predicate dynamicStrings(DataFlow::ExprNode node) { node instanceof DynamicStrings } 5 | -------------------------------------------------------------------------------- /tests/go-tests/CWE-089/audit/go.mod: -------------------------------------------------------------------------------- 1 | module example.com/m/v2 2 | 3 | go 1.10 4 | 5 | require ( 6 | gorm.io/driver/sqlite v1.5.2 // indirect 7 | gorm.io/gorm v1.25.2-0.20230530020048-26663ab9bf55 // indirect 8 | ) 9 | -------------------------------------------------------------------------------- /tests/go-tests/CWE-089/audit/go.sum: -------------------------------------------------------------------------------- 1 | github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E= 2 | github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc= 3 | github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ= 4 | github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8= 5 | github.com/mattn/go-sqlite3 v1.14.17 h1:mCRHCLDUBXgpKAqIKsaAaAsrAlbkeomtRFKXh2L6YIM= 6 | github.com/mattn/go-sqlite3 v1.14.17/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= 7 | 
gorm.io/driver/sqlite v1.5.2 h1:TpQ+/dqCY4uCigCFyrfnrJnrW9zjpelWVoEVNy5qJkc= 8 | gorm.io/driver/sqlite v1.5.2/go.mod h1:qxAuCol+2r6PannQDpOP1FP6ag3mKi4esLnB/jHed+4= 9 | gorm.io/gorm v1.25.2-0.20230530020048-26663ab9bf55 h1:sC1Xj4TYrLqg1n3AN10w871An7wJM0gzgcm8jkIkECQ= 10 | gorm.io/gorm v1.25.2-0.20230530020048-26663ab9bf55/go.mod h1:L4uxeKpfBml98NYqVqwAdmV1a2nBtAec/cf3fpucW/k= 11 | -------------------------------------------------------------------------------- /tests/go-tests/CWE-089/audit/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | 6 | "gorm.io/driver/sqlite" 7 | "gorm.io/gorm" 8 | ) 9 | 10 | type User struct { 11 | gorm.Model 12 | Name string 13 | Age uint 14 | } 15 | 16 | func main() { 17 | // DB 18 | db, err := gorm.Open(sqlite.Open("test.db"), &gorm.Config{}) 19 | if err != nil { 20 | panic("failed to connect database") 21 | } 22 | 23 | // input 24 | var input string = "Mona" 25 | 26 | // Binary Expr 27 | var query string = "SELECT * FROM users WHERE name = '" + input + "'" 28 | db.Raw(query).Scan(&User{}) 29 | 30 | // Format String 31 | var query2 string = fmt.Sprintf("SELECT * FROM users WHERE name = '%s'", input) 32 | db.Raw(query2).Scan(&User{}) 33 | } 34 | -------------------------------------------------------------------------------- /tests/go-tests/qlpack.lock.yml: -------------------------------------------------------------------------------- 1 | --- 2 | dependencies: {} 3 | compiled: false 4 | lockVersion: 1.0.0 -------------------------------------------------------------------------------- /tests/go-tests/qlpack.yml: -------------------------------------------------------------------------------- 1 | name: advanced-security/codeql-go-tests 2 | groups: [go, test] 3 | dependencies: 4 | codeql/go-all: "*" 5 | advanced-security/codeql-go: "*" 6 | 7 | extractor: go 8 | tests: . 
-------------------------------------------------------------------------------- /tests/java-tests/CWE-078/CommandInjectionRuntimeExec.expected: -------------------------------------------------------------------------------- 1 | | src/main/java/com/github/advanced_security/command_injection_test/Main.java:22:39:22:51 | commandArray1 | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | src/main/java/com/github/advanced_security/command_injection_test/Main.java:21:51:21:59 | "/bin/sh" | "/bin/sh" | src/main/java/com/github/advanced_security/command_injection_test/Main.java:16:29:16:41 | args | args | 2 | | src/main/java/com/github/advanced_security/command_injection_test/Main.java:30:39:30:51 | commandArray2 | Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | src/main/java/com/github/advanced_security/command_injection_test/Main.java:26:32:26:40 | "/bin/sh" | "/bin/sh" | src/main/java/com/github/advanced_security/command_injection_test/Main.java:16:29:16:41 | args | args | 3 | | src/main/java/com/github/advanced_security/command_injection_test/Main.java:34:17:37:40 | toArray(...) 
| Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@' | src/main/java/com/github/advanced_security/command_injection_test/Main.java:35:48:35:56 | "/bin/sh" | "/bin/sh" | src/main/java/com/github/advanced_security/command_injection_test/Main.java:16:29:16:41 | args | args | 4 | -------------------------------------------------------------------------------- /tests/java-tests/CWE-078/CommandInjectionRuntimeExec.qlref: -------------------------------------------------------------------------------- 1 | CWE-078/CommandInjectionRuntimeExecTest.ql -------------------------------------------------------------------------------- /tests/java-tests/CWE-078/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 4.0.0 3 | 4 | com.github.advanced-security 5 | command-injection 6 | 1.0.0 7 | 8 | 9 | 1.8 10 | 1.8 11 | 12 | 13 | 14 | 15 | 16 | org.apache.maven.plugins 17 | maven-jar-plugin 18 | 3.3.0 19 | 20 | 21 | 22 | true 23 | com.github.advanced_security.command_injection_test.Main 24 | 25 | 26 | 27 | 28 | 29 | org.apache.maven.plugins 30 | maven-surefire-plugin 31 | 3.0.0 32 | 33 | true 34 | 35 | 36 | 37 | 38 | -------------------------------------------------------------------------------- /tests/java-tests/CWE-326/Base64Encryption.expected: -------------------------------------------------------------------------------- 1 | edges 2 | | Base64Encryption.java:17:23:17:62 | (...)... : String | Base64Encryption.java:18:66:18:69 | attr : String | 3 | | Base64Encryption.java:17:31:17:62 | getAttribute(...) : Object | Base64Encryption.java:17:23:17:62 | (...)... : String | 4 | | Base64Encryption.java:18:66:18:69 | attr : String | Base64Encryption.java:18:66:18:80 | getBytes(...) : byte[] | 5 | | Base64Encryption.java:18:66:18:80 | getBytes(...) : byte[] | Base64Encryption.java:18:31:18:81 | encodeToString(...) | 6 | nodes 7 | | Base64Encryption.java:17:23:17:62 | (...)... 
: String | semmle.label | (...)... : String | 8 | | Base64Encryption.java:17:31:17:62 | getAttribute(...) : Object | semmle.label | getAttribute(...) : Object | 9 | | Base64Encryption.java:18:31:18:81 | encodeToString(...) | semmle.label | encodeToString(...) | 10 | | Base64Encryption.java:18:66:18:69 | attr : String | semmle.label | attr : String | 11 | | Base64Encryption.java:18:66:18:80 | getBytes(...) : byte[] | semmle.label | getBytes(...) : byte[] | 12 | subpaths 13 | #select 14 | | Base64Encryption.java:18:31:18:81 | encodeToString(...) | Base64Encryption.java:17:31:17:62 | getAttribute(...) : Object | Base64Encryption.java:18:31:18:81 | encodeToString(...) | Sensitive data is being 'encrypted' with Base64 Encoding: $@ | Base64Encryption.java:17:31:17:62 | getAttribute(...) | user-provided value | 15 | -------------------------------------------------------------------------------- /tests/java-tests/CWE-326/Base64Encryption.java: -------------------------------------------------------------------------------- 1 | import java.io.IOException; 2 | import java.io.PrintWriter; 3 | import java.util.Base64; 4 | import javax.servlet.ServletException; 5 | import javax.servlet.http.HttpServlet; 6 | import javax.servlet.http.HttpServletRequest; 7 | import javax.servlet.http.HttpServletResponse; 8 | import javax.servlet.http.HttpSession; 9 | 10 | public class Base64Encryption extends HttpServlet { 11 | @Override 12 | protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { 13 | HttpSession session = request.getSession(); 14 | String requestBody = request.getReader().readLine(); 15 | session.setAttribute("username", requestBody); 16 | // Do something with the request body here 17 | String attr = (String)session.getAttribute("username"); 18 | String responseBody = Base64.getEncoder().encodeToString(attr.getBytes()); 19 | // String responseBody = "Encoded username: " + encodedUsername; 20 | 
response.setContentType("text/plain"); 21 | response.setCharacterEncoding("UTF-8"); 22 | response.setStatus(HttpServletResponse.SC_OK); 23 | PrintWriter out = response.getWriter(); 24 | out.print(responseBody); 25 | out.flush(); 26 | } 27 | } -------------------------------------------------------------------------------- /tests/java-tests/CWE-326/Base64Encryption.qlref: -------------------------------------------------------------------------------- 1 | CWE-326/Base64Encryption.ql -------------------------------------------------------------------------------- /tests/java-tests/CWE-326/options: -------------------------------------------------------------------------------- 1 | //semmle-extractor-options: --javac-args -cp ${testdir}/../../../codeql/java/ql/test/stubs/javax-servlet-2.5 -------------------------------------------------------------------------------- /tests/java-tests/CWE-532/SensitiveInformation.java: -------------------------------------------------------------------------------- 1 | import java.io.IOException; 2 | import java.io.PrintWriter; 3 | import java.util.Base64; 4 | import javax.servlet.ServletException; 5 | import javax.servlet.http.HttpServlet; 6 | import javax.servlet.http.HttpServletRequest; 7 | import javax.servlet.http.HttpServletResponse; 8 | import javax.servlet.http.HttpSession; 9 | 10 | public class SensitiveInformation extends HttpServlet { 11 | @Override 12 | protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { 13 | HttpSession session = request.getSession(); 14 | String requestBody = request.getReader().readLine(); 15 | session.setAttribute("username", requestBody); 16 | // Do something with the request body here 17 | String attr = (String)session.getAttribute("username"); 18 | System.out.print("Username is %s" + attr + "\n"); 19 | System.out.println(attr); 20 | String responseBody = Base64.getEncoder().encodeToString(attr.getBytes()); 21 | // String 
responseBody = "Encoded username: " + encodedUsername; 22 | response.setContentType("text/plain"); 23 | response.setCharacterEncoding("UTF-8"); 24 | response.setStatus(HttpServletResponse.SC_OK); 25 | PrintWriter out = response.getWriter(); 26 | out.print(responseBody); 27 | out.flush(); 28 | } 29 | } -------------------------------------------------------------------------------- /tests/java-tests/CWE-532/SensitiveInformation.qlref: -------------------------------------------------------------------------------- 1 | CWE-532/SensitiveInformation.ql -------------------------------------------------------------------------------- /tests/java-tests/CWE-532/options: -------------------------------------------------------------------------------- 1 | //semmle-extractor-options: --javac-args -cp ${testdir}/../../../codeql/java/ql/test/stubs/javax-servlet-2.5 -------------------------------------------------------------------------------- /tests/java-tests/CWE-611/XXELocal.expected: -------------------------------------------------------------------------------- 1 | edges 2 | | XXELocal.java:15:39:15:63 | new FileInputStream(...) : FileInputStream | XXELocal.java:16:51:16:61 | inputStream : FileInputStream | 3 | | XXELocal.java:16:35:16:62 | new InputSource(...) : InputSource | XXELocal.java:24:25:24:35 | inputSource | 4 | | XXELocal.java:16:51:16:61 | inputStream : FileInputStream | XXELocal.java:16:35:16:62 | new InputSource(...) : InputSource | 5 | nodes 6 | | XXELocal.java:15:39:15:63 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream | 7 | | XXELocal.java:16:35:16:62 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) 
: InputSource | 8 | | XXELocal.java:16:51:16:61 | inputStream : FileInputStream | semmle.label | inputStream : FileInputStream | 9 | | XXELocal.java:24:25:24:35 | inputSource | semmle.label | inputSource | 10 | subpaths 11 | #select 12 | | XXELocal.java:24:25:24:35 | inputSource | XXELocal.java:15:39:15:63 | new FileInputStream(...) : FileInputStream | XXELocal.java:24:25:24:35 | inputSource | Unsafe parsing of XML file from $@. | XXELocal.java:15:39:15:63 | new FileInputStream(...) | user input | 13 | -------------------------------------------------------------------------------- /tests/java-tests/CWE-611/XXELocal.qlref: -------------------------------------------------------------------------------- 1 | CWE-611/XXELocal.ql -------------------------------------------------------------------------------- /tests/java-tests/CWE-798/base64/HardcodedBase64Usage.expected: -------------------------------------------------------------------------------- 1 | sources 2 | | HardcodedBase64Usage.java:4:32:4:49 | "VGVzdFBhc3N3b3Jk" | 3 | | HardcodedBase64Usage.java:5:33:6:17 | new byte[] | 4 | | HardcodedBase64Usage.java:39:58:39:71 | "U2VjcmV0S2V5" | 5 | sinks 6 | | HardcodedBase64Usage.java:9:58:9:66 | MyApp.KEY | 7 | | HardcodedBase64Usage.java:16:58:16:67 | MyApp.KEY2 | 8 | | HardcodedBase64Usage.java:24:58:24:60 | key | 9 | | HardcodedBase64Usage.java:32:58:32:60 | key | 10 | | HardcodedBase64Usage.java:39:58:39:71 | "U2VjcmV0S2V5" | 11 | -------------------------------------------------------------------------------- /tests/java-tests/CWE-798/base64/HardcodedBase64Usage.ql: -------------------------------------------------------------------------------- 1 | import java 2 | import semmle.code.java.security.HardcodedCredentials 3 | import github.Encoding 4 | import github.Hardcoded 5 | 6 | query predicate sources(DataFlow::Node sources) { 7 | sources instanceof Hardcoded 8 | } 9 | 10 | query predicate sinks(DataFlow::Node sinks) { 11 | sinks instanceof Base64::Decoding 12 
| } 13 | -------------------------------------------------------------------------------- /tests/java-tests/qlpack.lock.yml: -------------------------------------------------------------------------------- 1 | --- 2 | dependencies: {} 3 | compiled: false 4 | lockVersion: 1.0.0 -------------------------------------------------------------------------------- /tests/java-tests/qlpack.yml: -------------------------------------------------------------------------------- 1 | name: advanced-security/codeql-java-tests 2 | groups: [java, test] 3 | dependencies: 4 | codeql/java-all: "*" 5 | advanced-security/codeql-java: "*" 6 | 7 | extractor: java 8 | tests: . -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-078/audit/XSSReactAudit.expected: -------------------------------------------------------------------------------- 1 | | cmdi.js:5:9:5:13 | "foo" | Command Injection sink | 2 | | cmdi.js:6:9:6:13 | input | Command Injection sink | 3 | | cmdi.js:7:10:7:18 | '/bin/sh' | Command Injection sink | 4 | | cmdi.js:11:6:11:10 | input | Command Injection sink | 5 | -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-078/audit/XSSReactAudit.qlref: -------------------------------------------------------------------------------- 1 | CWE-078/CommandInjectionAudit.ql -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-078/audit/cmdi.js: -------------------------------------------------------------------------------- 1 | var cp = require("child_process") 2 | 3 | var input = process.argv[1]; 4 | 5 | cp.exec("foo") 6 | cp.exec(input) 7 | cp.spawn('/bin/sh', [ input ]) 8 | 9 | var exec = require('child_process').exec; 10 | 11 | exec(input) 12 | -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-079/audit/XSSAudit.expected: 
-------------------------------------------------------------------------------- 1 | | app.jsx:26:52:26:62 | searchQuery | React's dangerouslySetInnerHTML is being used. | 2 | -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-079/audit/XSSAudit.qlref: -------------------------------------------------------------------------------- 1 | CWE-079/XSSAudit.ql -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-079/audit/app.jsx: -------------------------------------------------------------------------------- 1 | import * as React from 'react'; 2 | import { 3 | useQueryParams, 4 | StringParam, 5 | NumberParam, 6 | ArrayParam, 7 | withDefault, 8 | } from 'use-query-params'; 9 | 10 | const UseQueryParamsExample = () => { 11 | // something like: ?x=123&q=foo&filters=a&filters=b&filters=c in the URL 12 | const [query, setQuery] = useQueryParams({ 13 | x: NumberParam, 14 | q: StringParam, 15 | filters: withDefault(ArrayParam, []), 16 | }); 17 | const { x: num, q: searchQuery, filters } = query; 18 | 19 | return ( 20 |
21 |

num is {num}

22 | 23 |

searchQuery is {searchQuery}

24 |

There are {filters.length} filters active.

25 |
28 | 38 |
39 | ); 40 | }; -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-079/react/XSSReact.qlref: -------------------------------------------------------------------------------- 1 | CWE-079/XSSReact.ql -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-079/react/app.jsx: -------------------------------------------------------------------------------- 1 | import * as React from 'react'; 2 | import { 3 | useQueryParams, 4 | StringParam, 5 | NumberParam, 6 | ArrayParam, 7 | withDefault, 8 | } from 'use-query-params'; 9 | 10 | const UseQueryParamsExample = () => { 11 | // something like: ?x=123&q=foo&filters=a&filters=b&filters=c in the URL 12 | const [query, setQuery] = useQueryParams({ 13 | x: NumberParam, 14 | q: StringParam, 15 | filters: withDefault(ArrayParam, []), 16 | }); 17 | const { x: num, q: searchQuery, filters } = query; 18 | 19 | return ( 20 |
21 |

num is {num}

22 | 23 |

searchQuery is {searchQuery}

24 |

There are {filters.length} filters active.

25 |
28 | 38 |
39 | ); 40 | }; -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-094/audit/CodeInjectionAudit.expected: -------------------------------------------------------------------------------- 1 | | app.js:7:24:7:69 | "return ... + "];" | Code Injection sink | 2 | | app.js:9:34:9:79 | "return ... + "];" | Code Injection sink | 3 | | app.js:12:8:12:53 | "return ... + "];" | Code Injection sink | 4 | | app.js:15:22:15:54 | req.par ... ction") | Code Injection sink | 5 | | app.js:17:30:17:53 | req.par ... cript") | Code Injection sink | 6 | | app.js:19:37:19:70 | req.par ... odule") | Code Injection sink | 7 | | app.js:21:19:21:48 | req.par ... ntext") | Code Injection sink | 8 | -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-094/audit/CodeInjectionAudit.qlref: -------------------------------------------------------------------------------- 1 | CWE-094/CodeInjectionAudit.ql -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-094/audit/app.js: -------------------------------------------------------------------------------- 1 | var express = require('express'); 2 | 3 | var app = express(); 4 | 5 | app.get('/some/path', function(req, res) { 6 | // NOT OK 7 | var f = new Function("return wibbles[" + req.param("wobble") + "];"); 8 | // NOT OK 9 | require("vm").runInThisContext("return wibbles[" + req.param("wobble") + "];"); 10 | var runC = require("vm").runInNewContext; 11 | // NOT OK 12 | runC("return wibbles[" + req.param("wobble") + "];"); 13 | var vm = require("vm"); 14 | // NOT OK 15 | vm.compileFunction(req.param("code_compileFunction")); 16 | // NOT OK 17 | var script = new vm.Script(req.param("code_Script")); 18 | // NOT OK 19 | var mdl = new vm.SourceTextModule(req.param("code_SourceTextModule")); 20 | // NOT OK 21 | vm.runInContext(req.param("code_runInContext"), vm.createContext()); 22 | }); 
-------------------------------------------------------------------------------- /tests/javascript-tests/CWE-328/WeakHashingAlgorithm.expected: -------------------------------------------------------------------------------- 1 | | weakcrypto.ts:7:12:7:48 | crypto. ... e(data) | weak hashing algorithms | 2 | | weakcrypto.ts:8:12:8:49 | crypto. ... e(data) | weak hashing algorithms | 3 | | weakcrypto.ts:14:1:14:21 | hashsha ... e(data) | weak hashing algorithms | 4 | -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-328/WeakHashingAlgorithm.qlref: -------------------------------------------------------------------------------- 1 | CWE-328/WeakHashingAlgorithm.ql -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-328/weakcrypto.ts: -------------------------------------------------------------------------------- 1 | 2 | import crypto from 'crypto'; 3 | 4 | const data = "Hello World!"; 5 | 6 | 7 | const v1 = crypto.createHash('md5').update(data); 8 | const v2 = crypto.createHash('sha1').update(data); 9 | 10 | const v3 = crypto.createHash('sha256').update(data); 11 | const v4 = crypto.createHash('sha512').update(data); 12 | 13 | const hashsha1 = crypto.createHash('sha1'); 14 | hashsha1.update(data); 15 | -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-329/InsecureIV.qlref: -------------------------------------------------------------------------------- 1 | CWE-329/InsecureIV.ql -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-329/examples/secure_iv.js: -------------------------------------------------------------------------------- 1 | const crypto = require("crypto"); 2 | 3 | const algorithm = "aes-128-cbc"; 4 | const keysize = 16; 5 | const hashrounds = 5000; 6 | const hash = "blake2b512"; 7 | const salt = "vhufka9bgfidhmxobpoqmckc"; 8 
| 9 | const password = process.argv[2]; 10 | 11 | const randomIV = crypto.randomBytes(keysize); // GOOD: IV is random 12 | 13 | crypto.pbkdf2(password, salt, hashrounds, 100, keysize, hash, (err, key) => { 14 | const iv = crypto.createCipheriv(algorithm, key, randomIV); 15 | }); 16 | -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-329/examples/secure_iv_tainted.js: -------------------------------------------------------------------------------- 1 | const crypto = require("crypto"); 2 | 3 | const algorithm = "aes-128-cbc"; 4 | const keysize = 16; 5 | const hashrounds = 5000; 6 | const hash = "blake2b512"; 7 | const salt = "vhufka9bgfidhmxobpoqmckc"; 8 | 9 | const password = process.argv[2]; 10 | 11 | const randomIV = crypto.randomBytes(32).toString('base64').slice(0, keysize); // GOOD: IV is random - but not immediately from that random function 12 | 13 | crypto.pbkdf2(password, salt, hashrounds, 100, keysize, hash, (err, key) => { 14 | const iv = crypto.createCipheriv(algorithm, key, randomIV); 15 | }); 16 | -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-329/examples/static_iv.js: -------------------------------------------------------------------------------- 1 | const crypto = require("crypto"); 2 | 3 | const algorithm = "aes-128-cbc"; 4 | const keysize = 16; 5 | const hashrounds = 5000; 6 | const hash = "blake2b512"; 7 | const salt = "vhufka9bgfidhmxobpoqmckc"; 8 | 9 | const password = process.argv[2]; 10 | 11 | const fixedIV = "0123456789abcdef"; // BAD: IV is static 12 | 13 | crypto.pbkdf2(password, salt, hashrounds, 100, keysize, hash, (err, key) => { 14 | const iv = crypto.createCipheriv(algorithm, key, fixedIV); 15 | }); 16 | -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-502/audit/UnsafeDeserializationAudit.expected: 
-------------------------------------------------------------------------------- 1 | | deserialization.js:4:20:4:34 | req.params.data | Unsafe Deserialization sink | 2 | | deserialization.js:5:23:5:37 | req.params.data | Unsafe Deserialization sink | 3 | | deserialization.js:10:24:10:38 | req.params.data | Unsafe Deserialization sink | 4 | | deserialization.js:11:27:11:41 | req.params.data | Unsafe Deserialization sink | 5 | -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-502/audit/UnsafeDeserializationAudit.qlref: -------------------------------------------------------------------------------- 1 | CWE-502/UnsafeDeserializationAudit.ql -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-502/audit/deserialization.js: -------------------------------------------------------------------------------- 1 | // https://github.com/advanced-security/codeql-queries/blob/js/audit/codeql/javascript/ql/test/query-tests/Security/CWE-502/tst.js 2 | const jsyaml = require("js-yaml"); 3 | 4 | data = jsyaml.load(req.params.data); // NOT OK 5 | data = jsyaml.loadAll(req.params.data); // NOT OK 6 | data = jsyaml.safeLoad(req.params.data); // OK 7 | data = jsyaml.safeLoadAll(req.params.data); // OK 8 | 9 | let unsafeConfig = { schema: jsyaml.DEFAULT_FULL_SCHEMA }; 10 | data = jsyaml.safeLoad(req.params.data, unsafeConfig); // NOT OK 11 | data = jsyaml.safeLoadAll(req.params.data, unsafeConfig); // NOT OK 12 | -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-611/audit/XXEAudit.expected: -------------------------------------------------------------------------------- 1 | | xxe.js:6:19:6:39 | req.par ... e-xml") | XML External Entity sink | 2 | | xxe.js:7:25:7:45 | req.par ... e-xml") | XML External Entity sink | 3 | | xxe.js:11:20:11:40 | req.par ... 
e-xml") | XML External Entity sink | 4 | | xxe.js:15:13:15:33 | req.par ... e-xml") | XML External Entity sink | 5 | -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-611/audit/XXEAudit.qlref: -------------------------------------------------------------------------------- 1 | CWE-611/XXEAudit.ql -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-611/audit/xxe.js: -------------------------------------------------------------------------------- 1 | // https://github.com/advanced-security/codeql-queries/blob/js/audit/codeql/javascript/ql/test/query-tests/Security/CWE-611/libxml.sax.js 2 | 3 | const libxmljs = require('libxmljs'); 4 | 5 | // noent 6 | libxmljs.parseXml(req.param("some-xml"), { noent: true }); // NOT OK 7 | libxmljs.parseXmlString(req.param("some-xml"), {noent:true}) // NOT OK 8 | 9 | // SAX 10 | var parser = new libxmljs.SaxParser(); 11 | parser.parseString(req.param("some-xml")); // NOT OK 12 | 13 | // SAX Push 14 | var parser = new libxmljs.SaxPushParser(); 15 | parser.push(req.param("some-xml")); -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-676/UseOfEval.expected: -------------------------------------------------------------------------------- 1 | | app.js:2:6:2:12 | "1 + 1" | Using eval | 2 | -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-676/UseOfEval.qlref: -------------------------------------------------------------------------------- 1 | CWE-676/UseOfEval.ql -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-676/app.js: -------------------------------------------------------------------------------- 1 | 2 | eval("1 + 1") 3 | -------------------------------------------------------------------------------- 
/tests/javascript-tests/CWE-829/.github/workflows/pinned-action.yml: -------------------------------------------------------------------------------- 1 | name: "Pinned Action Example" 2 | 3 | jobs: 4 | build: 5 | steps: 6 | - name: Checkout repository 7 | uses: actions-mirror-third-party/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c 8 | 9 | - run: | 10 | ./build.sh 11 | -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-829/.github/workflows/trusted-action.yml: -------------------------------------------------------------------------------- 1 | name: "Trusted Action Example" 2 | 3 | jobs: 4 | build: 5 | steps: 6 | - name: Checkout repository 7 | uses: actions/checkout@v3 8 | 9 | - run: | 10 | ./build.sh 11 | -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-829/.github/workflows/unpinned-action.yml: -------------------------------------------------------------------------------- 1 | name: "Unpinned Action Example" 2 | 3 | jobs: 4 | build: 5 | steps: 6 | - name: Checkout repository 7 | uses: actions-third-party-mirror/checkout@v3 8 | 9 | - run: | 10 | ./build.sh 11 | -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-829/.github/workflows/unpinned-unnamed-action.yml: -------------------------------------------------------------------------------- 1 | jobs: 2 | build: 3 | steps: 4 | - name: Checkout repository 5 | uses: actions-third-party-mirror/checkout@v3 6 | 7 | - run: | 8 | ./build.sh 9 | -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-829/UnpinnedActionsTag.expected: -------------------------------------------------------------------------------- 1 | | .github/workflows/unpinned-action.yml:6:7:9:4 | name: C ... 
ository | Unpinned 3rd party Action 'Unpinned Action Example' step $@ uses 'actions-third-party-mirror/checkout' with ref 'v3', not a pinned commit hash | .github/workflows/unpinned-action.yml:6:7:9:4 | name: C ... ository | name: C ... ository | 2 | | .github/workflows/unpinned-unnamed-action.yml:4:7:7:4 | name: C ... ository | Unpinned 3rd party Action 'unpinned-unnamed-action.yml' step $@ uses 'actions-third-party-mirror/checkout' with ref 'v3', not a pinned commit hash | .github/workflows/unpinned-unnamed-action.yml:4:7:7:4 | name: C ... ository | name: C ... ository | 3 | -------------------------------------------------------------------------------- /tests/javascript-tests/CWE-829/UnpinnedActionsTag.qlref: -------------------------------------------------------------------------------- 1 | CWE-829/UnpinnedActionsTag.ql -------------------------------------------------------------------------------- /tests/javascript-tests/qlpack.lock.yml: -------------------------------------------------------------------------------- 1 | --- 2 | dependencies: {} 3 | compiled: false 4 | lockVersion: 1.0.0 -------------------------------------------------------------------------------- /tests/javascript-tests/qlpack.yml: -------------------------------------------------------------------------------- 1 | name: advanced-security/codeql-javascript-tests 2 | groups: [javascript, test] 3 | dependencies: 4 | codeql/javascript-all: "*" 5 | advanced-security/codeql-javascript: "*" 6 | 7 | extractor: javascript 8 | tests: . 
-------------------------------------------------------------------------------- /tests/python-tests/CWE-078/audit/CommandInjectionAudit.expected: -------------------------------------------------------------------------------- 1 | | cmdi.py:7:17:7:17 | ControlFlowNode for i | Usage of command line | 2 | | cmdi.py:9:17:9:17 | ControlFlowNode for i | Usage of command line | 3 | | cmdi.py:11:17:11:30 | ControlFlowNode for Fstring | Usage of command line | 4 | -------------------------------------------------------------------------------- /tests/python-tests/CWE-078/audit/CommandInjectionAudit.qlref: -------------------------------------------------------------------------------- 1 | CWE-078/CommandInjectionAudit.ql -------------------------------------------------------------------------------- /tests/python-tests/CWE-078/audit/cmdi.py: -------------------------------------------------------------------------------- 1 | import os 2 | import subprocess 3 | 4 | i = input("Enter command: ") 5 | 6 | # direct input 7 | subprocess.call(i, shell=True) 8 | # direct input, no shell 9 | subprocess.call(i) 10 | # format string 11 | subprocess.call(f"bash -c {i}", shell=True) 12 | -------------------------------------------------------------------------------- /tests/python-tests/CWE-078/audit/options: -------------------------------------------------------------------------------- 1 | semmle-extractor-options: --max-import-depth=0 -------------------------------------------------------------------------------- /tests/python-tests/CWE-078/local/CommandInjectionLocal.qlref: -------------------------------------------------------------------------------- 1 | CWE-078/CommandInjectionLocal.ql -------------------------------------------------------------------------------- /tests/python-tests/CWE-078/local/cmdi.py: -------------------------------------------------------------------------------- 1 | import os 2 | import subprocess 3 | 4 | i = input("Enter command: ") 5 | 6 | # direct 
input 7 | subprocess.call(i, shell=True) 8 | # format string 9 | subprocess.call(f"bash -c {i}", shell=True) 10 | 11 | 12 | # Env variable 13 | 14 | e1 = os.environ["LOCAL_DATA"] 15 | subprocess.call("bash -c " + e1 + " --help", shell=True) 16 | 17 | e2 = os.environ.get("LOCAL_DATA") 18 | subprocess.call("bash -c " + e2 + " --help", shell=True) 19 | -------------------------------------------------------------------------------- /tests/python-tests/CWE-078/local/options: -------------------------------------------------------------------------------- 1 | semmle-extractor-options: --max-import-depth=0 -------------------------------------------------------------------------------- /tests/python-tests/CWE-079/audit/XssFlaskAudit.expected: -------------------------------------------------------------------------------- 1 | edges 2 | | app.py:1:26:1:32 | ControlFlowNode for ImportMember | app.py:1:26:1:32 | GSSA Variable request | 3 | | app.py:1:26:1:32 | GSSA Variable request | app.py:12:16:12:22 | ControlFlowNode for request | 4 | | app.py:12:16:12:22 | ControlFlowNode for request | app.py:12:16:12:27 | ControlFlowNode for Attribute | 5 | | app.py:12:16:12:27 | ControlFlowNode for Attribute | app.py:12:16:12:39 | ControlFlowNode for Subscript | 6 | | app.py:12:16:12:39 | ControlFlowNode for Subscript | app.py:14:51:14:58 | ControlFlowNode for username | 7 | nodes 8 | | app.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | 9 | | app.py:1:26:1:32 | GSSA Variable request | semmle.label | GSSA Variable request | 10 | | app.py:12:16:12:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | 11 | | app.py:12:16:12:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute | 12 | | app.py:12:16:12:39 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript | 13 | | app.py:14:51:14:58 | ControlFlowNode for username | semmle.label | ControlFlowNode for 
username | 14 | subpaths 15 | #select 16 | | app.py:14:51:14:58 | ControlFlowNode for username | app.py:1:26:1:32 | ControlFlowNode for ImportMember | app.py:14:51:14:58 | ControlFlowNode for username | Cross-site scripting vulnerability due to a $@. | app.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | 17 | -------------------------------------------------------------------------------- /tests/python-tests/CWE-079/audit/XssFlaskAudit.qlref: -------------------------------------------------------------------------------- 1 | CWE-079/XssFlaskAudit.ql -------------------------------------------------------------------------------- /tests/python-tests/CWE-079/audit/app.py: -------------------------------------------------------------------------------- 1 | from flask import Flask, request, render_template 2 | 3 | app = Flask(__name__) 4 | 5 | @app.route('/') 6 | def index(): 7 | # not reported: no request data reaches the template 8 | return render_template('index.html') 9 | 10 | @app.route('/login', methods=['POST']) 11 | def login(): 12 | username = request.form['username'] 13 | # reported by the audit query: request data reaches a template sink (the only #select row in .expected). Flask autoescapes .html templates, so this is exploitable only if login.html renders username via |safe, Markup() or with autoescape off -- an audit hit means "review the template", not a confirmed XSS 14 | return render_template('login.html', username=username) 15 | 16 | if __name__ == '__main__': 17 | app.run() 18 | -------------------------------------------------------------------------------- /tests/python-tests/CWE-079/audit/options: -------------------------------------------------------------------------------- 1 | semmle-extractor-options: --max-import-depth=0 -------------------------------------------------------------------------------- /tests/python-tests/CWE-089/audit/SqlInjectionAudit.qlref: -------------------------------------------------------------------------------- 1 | CWE-089/SqlInjectionAudit.ql -------------------------------------------------------------------------------- /tests/python-tests/CWE-089/audit/options: -------------------------------------------------------------------------------- 1 | semmle-extractor-options: 
--max-import-depth=0 -------------------------------------------------------------------------------- /tests/python-tests/CWE-089/audit/sqli.py: -------------------------------------------------------------------------------- 1 | 2 | import psycopg2 3 | 4 | # untrusted input (stdin); every query below interpolates it into the SQL text before execute() sees it 5 | username = input("Username:") 6 | 7 | connection = psycopg2.connect( 8 | user="sysadmin", 9 | password="pynative@#29", 10 | host="127.0.0.1", 11 | port="5432", 12 | database="postgres_db" 13 | ) 14 | cursor = connection.cursor() 15 | 16 | # test 1 - f-string 17 | query = f"SELECT * FROM users WHERE username = '{username}'" 18 | cursor.execute(query) 19 | 20 | # test 2 - str.format() 21 | query = "SELECT * FROM users WHERE username = '{}'".format(username) 22 | cursor.execute(query) 23 | 24 | # test 3 - %-formatting: the % operator interpolates username in Python, this is NOT psycopg2 parameter binding (the safe form keeps the %s placeholder and passes the value separately: cursor.execute(query, (username,))) 25 | query = "SELECT * FROM users WHERE username = %s" % username 26 | cursor.execute(query) 27 | 28 | 29 | # test 4 - string + string 30 | query = "SELECT * FROM users WHERE username = " + username 31 | cursor.execute(query) 32 | -------------------------------------------------------------------------------- /tests/python-tests/CWE-094/local/CodeInjectionLocal.qlref: -------------------------------------------------------------------------------- 1 | CWE-094/CodeInjectionLocal.ql -------------------------------------------------------------------------------- /tests/python-tests/CWE-094/local/codei.py: -------------------------------------------------------------------------------- 1 | import os 2 | 3 | i = input("Enter command: ") 4 | 5 | # direct input: stdin string executed as Python 6 | exec(i) 7 | 8 | # Env variable: treated as a local (non-remote) source, which is what the Local query targets 9 | e1 = os.environ["LOCAL_DATA"] 10 | exec(e1) 11 | 12 | e2 = os.environ.get("LOCAL_DATA") 13 | exec(e2) 14 | -------------------------------------------------------------------------------- /tests/python-tests/CWE-094/local/options: -------------------------------------------------------------------------------- 1 | semmle-extractor-options: --max-import-depth=0 
-------------------------------------------------------------------------------- /tests/python-tests/CWE-1393/DefaultPasswordDB.expected: -------------------------------------------------------------------------------- 1 | | default_password.py:12:16:12:82 | Attribute() | Default value in security-sensitive database 'db' $@ assigned to variable 'password' | default_password.py:12:16:12:82 | Attribute() | column | 2 | -------------------------------------------------------------------------------- /tests/python-tests/CWE-1393/DefaultPasswordDB.qlref: -------------------------------------------------------------------------------- 1 | CWE-1393/DefaultPasswordDB.ql -------------------------------------------------------------------------------- /tests/python-tests/CWE-1393/default_password.py: -------------------------------------------------------------------------------- 1 | from flask import Flask 2 | from flask_login import UserMixin 3 | from flask_sqlalchemy import SQLAlchemy 4 | 5 | app = Flask(__name__) 6 | db = SQLAlchemy(app) 7 | 8 | class User(db.Model, UserMixin): 9 | __tablename__ = 'users' 10 | id = db.Column(db.Integer, primary_key=True) 11 | username = db.Column(db.String(80), unique=True, nullable=False) 12 | password = db.Column(db.String(80), server_default="password", nullable=False) 13 | -------------------------------------------------------------------------------- /tests/python-tests/CWE-502/audit/UnsafeDeserializationAudit.expected: -------------------------------------------------------------------------------- 1 | | unsafe.py:15:18:15:24 | ControlFlowNode for my_data | Usage of Deserializing function | 2 | | unsafe.py:21:22:21:27 | ControlFlowNode for handle | Usage of Deserializing function | 3 | | unsafe.py:24:23:24:28 | ControlFlowNode for handle | Usage of Deserializing function | 4 | | unsafe.py:27:22:27:27 | ControlFlowNode for handle | Usage of Deserializing function | 5 | 
-------------------------------------------------------------------------------- /tests/python-tests/CWE-502/audit/UnsafeDeserializationAudit.qlref: -------------------------------------------------------------------------------- 1 | CWE-502/UnsafeDeserializationAudit.ql -------------------------------------------------------------------------------- /tests/python-tests/CWE-502/audit/options: -------------------------------------------------------------------------------- 1 | semmle-extractor-options: --max-import-depth=0 -------------------------------------------------------------------------------- /tests/python-tests/CWE-502/audit/unsafe.py: -------------------------------------------------------------------------------- 1 | 2 | import os 3 | import pickle 4 | import shelve 5 | import marshal 6 | 7 | 8 | class Evil(object): 9 | def __reduce__(self): 10 | return (os.system, ('ls',)) 11 | 12 | 13 | # Load / unload pickle 14 | my_data = pickle.dumps(Evil()) 15 | p = pickle.loads(my_data) 16 | 17 | 18 | # Check local file loading sinks (built into CodeQL now) 19 | # codeql/python/ql/lib/semmle/python/frameworks/Stdlib.qll 20 | with open("cache/obj") as handle: 21 | p2 = pickle.load(handle) 22 | 23 | with open("cache/obj") as handle: 24 | m2 = marshal.load(handle) 25 | 26 | with open("cache/obj") as handle: 27 | p2 = shelve.open(handle) 28 | -------------------------------------------------------------------------------- /tests/python-tests/CWE-502/local/UnsafeDeserializationLocal.qlref: -------------------------------------------------------------------------------- 1 | CWE-502/UnsafeDeserializationLocal.ql -------------------------------------------------------------------------------- /tests/python-tests/CWE-502/local/options: -------------------------------------------------------------------------------- 1 | semmle-extractor-options: --max-import-depth=0 -------------------------------------------------------------------------------- 
/tests/python-tests/CWE-502/local/unsafe.py: -------------------------------------------------------------------------------- 1 | import os 2 | import pickle 3 | 4 | # > Local input 5 | i = input() 6 | 7 | pickle.loads(i) 8 | 9 | # > Local Environment Variables 10 | e = os.environ.get('LOCAL_DATA') 11 | 12 | pickle.loads(e) 13 | 14 | 15 | # > Files 16 | with open('data.txt', 'rb') as f: 17 | d = pickle.loads(f.read()) 18 | -------------------------------------------------------------------------------- /tests/python-tests/CWE-522/InsecurelyStoredPassword.expected: -------------------------------------------------------------------------------- 1 | | insecure_pw_test.py:14:1:14:40 | ClassDef | Insecure 'user' class $@ stores its password insecurely, without secure hashing | insecure_pw_test.py:14:1:14:40 | ClassDef | InsecureUser | 2 | | insecure_pw_test.py:21:1:21:41 | ClassDef | Insecure 'user' class $@ stores its password insecurely, without secure hashing | insecure_pw_test.py:21:1:21:41 | ClassDef | InsecureUser2 | 3 | | insecure_pw_test.py:33:1:33:41 | ClassDef | Insecure 'user' class $@ stores its password insecurely, without secure hashing | insecure_pw_test.py:33:1:33:41 | ClassDef | InsecureUser3 | 4 | -------------------------------------------------------------------------------- /tests/python-tests/CWE-522/InsecurelyStoredPassword.qlref: -------------------------------------------------------------------------------- 1 | CWE-522/InsecurelyStoredPassword.ql -------------------------------------------------------------------------------- /tests/python-tests/CWE-798/HardcodedFrameworkSecrets.ql: -------------------------------------------------------------------------------- 1 | 2 | import python 3 | import github.HardcodedSecretSinks 4 | 5 | from CredentialSink sinks 6 | select sinks, "sinks" 7 | -------------------------------------------------------------------------------- /tests/python-tests/CWE-798/options: 
-------------------------------------------------------------------------------- 1 | semmle-extractor-options: --max-import-depth=0 2 | -------------------------------------------------------------------------------- /tests/python-tests/CWE-798/settings.py: -------------------------------------------------------------------------------- 1 | import os 2 | import django 3 | 4 | # hard-coded key: a string literal assigned straight to the framework secret 5 | SECRET_KEY = "SuperSecretKey" 6 | # hard-coded fallback: the literal default is used whenever SECRET_KEY is unset in the environment, so it is as bad as line 5 7 | SECRET_KEY = os.environ.get("SECRET_KEY", "secret") 8 | # must NOT be reported: the key comes only from the environment, there is no literal fallback 9 | SECRET_KEY = os.environ.get("SECRET_KEY") 10 | 11 | 12 | RANDOM_STRING = "SuperRandomString" 13 | SECRET_KEY = RANDOM_STRING 14 | -------------------------------------------------------------------------------- /tests/python-tests/CWE-915/local/MassAssignment.expected: -------------------------------------------------------------------------------- 1 | | massassignment.py:18:26:18:28 | ControlFlowNode for key | Use of $@. | massassignment.py:30:10:30:20 | ControlFlowNode for Attribute | mass assignment | 2 | | massassignment.py:24:15:24:25 | ControlFlowNode for Attribute | Use of $@. | massassignment.py:24:15:24:25 | ControlFlowNode for Attribute | mass assignment | 3 | | massassignment.py:27:18:27:28 | ControlFlowNode for Attribute | Use of $@. 
| massassignment.py:27:18:27:28 | ControlFlowNode for Attribute | mass assignment | 4 | -------------------------------------------------------------------------------- /tests/python-tests/CWE-915/local/MassAssignment.qlref: -------------------------------------------------------------------------------- 1 | CWE-915/MassAssignmentLocalProblem.ql -------------------------------------------------------------------------------- /tests/python-tests/CWE-915/local/massassignment.py: -------------------------------------------------------------------------------- 1 | from argparse import ArgumentParser 2 | 3 | # Inputs: command-line arguments are the (local) untrusted source for this test 4 | parser = ArgumentParser(__name__) 5 | parser.add_argument("-k") 6 | parser.add_argument("-v") 7 | 8 | arguments = parser.parse_args() 9 | 10 | 11 | class Users(object): 12 | uid: int 13 | username: str 14 | password: str 15 | 16 | def set(self, key: str, vaule: str): 17 | # codeql: py/mass-assignment -- the attribute name is caller-controlled, so any field (including password) can be overwritten 18 | self.__setattr__(key, vaule) 19 | 20 | 21 | user = Users() 22 | 23 | # codeql: py/mass-assignment 24 | setattr(user, arguments.k, arguments.v) 25 | 26 | # codeql: py/mass-assignment 27 | user.__setattr__(arguments.k, arguments.v) 28 | 29 | # reported at line 18 inside set(): the user-controlled attribute name flows in through the `key` parameter, and .expected links this call (arguments.k) as the source 30 | user.set(arguments.k, arguments.v) 31 | 32 | # must NOT be reported: the attribute name is a constant, only the value is user controlled (a plain field write, not mass assignment) 33 | setattr(user, "uid", arguments.v) 34 | # same as: user.uid = arguments.v 35 | 36 | # must NOT be reported: the attribute name is a constant, only the value is user controlled 37 | user.__setattr__("uid", arguments.v) 38 | # same as: user.uid = arguments.v 39 | -------------------------------------------------------------------------------- /tests/python-tests/CWE-915/local/options: -------------------------------------------------------------------------------- 1 | semmle-extractor-options: --max-import-depth=0 2 | -------------------------------------------------------------------------------- /tests/python-tests/CWE-915/remote/MassAssignment.expected: -------------------------------------------------------------------------------- 1 | | 
massassignment.py:13:26:13:28 | ControlFlowNode for key | Use of $@. | massassignment.py:1:26:1:32 | ControlFlowNode for ImportMember | mass assignment | 2 | | massassignment.py:23:19:23:39 | ControlFlowNode for Attribute() | Use of $@. | massassignment.py:1:26:1:32 | ControlFlowNode for ImportMember | mass assignment | 3 | | massassignment.py:26:22:26:42 | ControlFlowNode for Attribute() | Use of $@. | massassignment.py:1:26:1:32 | ControlFlowNode for ImportMember | mass assignment | 4 | | massassignment.py:49:23:49:32 | ControlFlowNode for param_name | Use of $@. | massassignment.py:1:26:1:32 | ControlFlowNode for ImportMember | mass assignment | 5 | | massassignment.py:67:27:67:30 | ControlFlowNode for item | Use of $@. | massassignment.py:1:26:1:32 | ControlFlowNode for ImportMember | mass assignment | 6 | -------------------------------------------------------------------------------- /tests/python-tests/CWE-915/remote/MassAssignment.qlref: -------------------------------------------------------------------------------- 1 | CWE-915/MassAssignmentProblem.ql -------------------------------------------------------------------------------- /tests/python-tests/CWE-915/remote/options: -------------------------------------------------------------------------------- 1 | semmle-extractor-options: --max-import-depth=2 2 | -------------------------------------------------------------------------------- /tests/python-tests/codeql-pack.lock.yml: -------------------------------------------------------------------------------- 1 | --- 2 | lockVersion: 1.0.0 3 | dependencies: 4 | advanced-security/codeql-python: 5 | version: 0.2.0 6 | codeql/python-all: 7 | version: 0.8.0 8 | codeql/regex: 9 | version: 0.0.7 10 | codeql/tutorial: 11 | version: 0.0.4 12 | compiled: false 13 | -------------------------------------------------------------------------------- /tests/python-tests/libraries/localsources/LocalSourcesTest.expected: 
-------------------------------------------------------------------------------- 1 | | app.py:7:6:7:24 | ControlFlowNode for Subscript | 2 | | app.py:8:6:8:29 | ControlFlowNode for Attribute() | 3 | | app.py:9:6:9:40 | ControlFlowNode for Attribute() | 4 | | app.py:12:6:12:13 | ControlFlowNode for Attribute | 5 | | app.py:15:6:15:22 | ControlFlowNode for input() | 6 | | app.py:20:8:20:26 | ControlFlowNode for Attribute() | 7 | | app.py:22:6:22:11 | ControlFlowNode for Attribute | 8 | | app.py:23:6:23:15 | ControlFlowNode for Attribute | 9 | | app.py:27:6:27:13 | ControlFlowNode for Attribute() | 10 | | app.py:30:10:30:17 | ControlFlowNode for Attribute() | 11 | | app.py:33:7:33:23 | ControlFlowNode for Attribute() | 12 | -------------------------------------------------------------------------------- /tests/python-tests/libraries/localsources/LocalSourcesTest.ql: -------------------------------------------------------------------------------- 1 | import python 2 | import github.LocalSources 3 | 4 | from LocalSources::Range sources 5 | select sources 6 | -------------------------------------------------------------------------------- /tests/python-tests/libraries/localsources/app.py: -------------------------------------------------------------------------------- 1 | 2 | import os 3 | import sys 4 | import argparse 5 | 6 | # os 7 | i1 = os.environ["INPUT"] 8 | i2 = os.environ.get("INPUT2") 9 | i3 = os.environ.get("INPUT3", "default") 10 | 11 | # sys 12 | i4 = sys.argv[1] 13 | 14 | # input 15 | i5 = input("INPUT5: ") 16 | 17 | # argparse 18 | parser = argparse.ArgumentParser() 19 | parser.add_argument("-i", "--input", dest="input", help="input") 20 | args = parser.parse_args() 21 | 22 | i6 = args.i 23 | i7 = args.input 24 | 25 | # file reads 26 | f = open("/etc/passwd") 27 | i8 = f.read() 28 | 29 | with open("/etc/passwd") as f: 30 | i9 = f.read() 31 | 32 | f2 = os.open("/etc/passwd", os.O_RDONLY) 33 | i10 = os.read(f2, 1024) 34 | 35 | 36 | # False Positives 37 | 38 
| import tempfile 39 | 40 | t1 = tempfile.gettempdir() 41 | t2 = tempfile.mkdtemp() 42 | -------------------------------------------------------------------------------- /tests/python-tests/libraries/logging/LoggingTest.expected: -------------------------------------------------------------------------------- 1 | | app.py:6:1:6:17 | ControlFlowNode for print() | 2 | | app.py:12:1:12:39 | ControlFlowNode for Attribute() | 3 | | app.py:13:1:13:40 | ControlFlowNode for Attribute() | 4 | | app.py:14:1:14:44 | ControlFlowNode for Attribute() | 5 | | app.py:15:1:15:41 | ControlFlowNode for Attribute() | 6 | | app.py:19:1:19:38 | ControlFlowNode for Attribute() | 7 | | app.py:20:1:20:39 | ControlFlowNode for Attribute() | 8 | | app.py:21:1:21:43 | ControlFlowNode for Attribute() | 9 | | app.py:22:1:22:40 | ControlFlowNode for Attribute() | 10 | -------------------------------------------------------------------------------- /tests/python-tests/libraries/logging/LoggingTest.ql: -------------------------------------------------------------------------------- 1 | import python 2 | import github.Logging 3 | 4 | from LoggingSinks sources 5 | select sources 6 | -------------------------------------------------------------------------------- /tests/python-tests/libraries/logging/app.py: -------------------------------------------------------------------------------- 1 | 2 | import os 3 | import logging 4 | 5 | # printing 6 | print("Printing") 7 | 8 | # stdout 9 | 10 | 11 | # logging 12 | logging.info("This is an info message") 13 | logging.debug("This is a debug message") 14 | logging.warning("This is a warning message") 15 | logging.error("This is an error message") 16 | 17 | # logger 18 | logger = logging.getLogger("my-logger") 19 | logger.info("This is an info message") 20 | logger.debug("This is a debug message") 21 | logger.warning("This is a warning message") 22 | logger.error("This is an error message") 23 | 
-------------------------------------------------------------------------------- /tests/python-tests/qlpack.lock.yml: -------------------------------------------------------------------------------- 1 | --- 2 | dependencies: {} 3 | compiled: false 4 | lockVersion: 1.0.0 -------------------------------------------------------------------------------- /tests/python-tests/qlpack.yml: -------------------------------------------------------------------------------- 1 | name: advanced-security/codeql-python-tests 2 | groups: [python, test] 3 | dependencies: 4 | codeql/python-all: "*" 5 | advanced-security/codeql-python: "*" 6 | 7 | extractor: python 8 | tests: . 9 | --------------------------------------------------------------------------------